From 2b308feeeaf36017e4255c2685b7a5609b290957 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 1 Jun 2015 18:42:43 +0200 Subject: =?UTF-8?q?stunnel.conf=20=E2=86=92=20imap.conf?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/IMAP-proxy/files/etc/stunnel/imap.conf | 59 +++++++++++++++++++++ roles/IMAP-proxy/files/etc/stunnel/stunnel.conf | 68 ------------------------- 2 files changed, 59 insertions(+), 68 deletions(-) create mode 100644 roles/IMAP-proxy/files/etc/stunnel/imap.conf delete mode 100644 roles/IMAP-proxy/files/etc/stunnel/stunnel.conf (limited to 'roles/IMAP-proxy/files') diff --git a/roles/IMAP-proxy/files/etc/stunnel/imap.conf b/roles/IMAP-proxy/files/etc/stunnel/imap.conf new file mode 100644 index 0000000..af29023 --- /dev/null +++ b/roles/IMAP-proxy/files/etc/stunnel/imap.conf @@ -0,0 +1,59 @@ +; ************************************************************************** +; * Global options * +; ************************************************************************** + +; setuid()/setgid() to the specified user/group in daemon mode +setuid = stunnel4 +setgid = stunnel4 + +; PID is created inside the chroot jail +pid = /var/run/stunnel4/imap.pid + +; Only log messages at severity warning (4) and higher +debug = 4 + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +; Certificate/key is needed in server mode and optional in client mode +;cert = /etc/stunnel/mail.pem +;key = /etc/stunnel/mail.pem +client = yes +socket = a:SO_BINDTODEVICE=lo + +; Some performance tunings +socket = l:TCP_NODELAY=1 +socket = r:TCP_NODELAY=1 + +; Prevent MITM attacks +verify = 4 + +; Disable support for insecure protocols +options = NO_SSLv2 +options = NO_SSLv3 +options = NO_TLSv1 +options = NO_TLSv1.1 + +; These options provide additional security at some performance degradation +options = SINGLE_ECDH_USE +options = SINGLE_DH_USE + +; Select permitted SSL ciphers +ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +[imaps] +accept = localhost:143 +connect = imap.fripost.org:993 +CAfile = /etc/stunnel/certs/imap.fripost.org.pem + +[ldaps] +accept = localhost:389 +connect = ldap.fripost.org:636 +CAfile = /etc/stunnel/certs/ldap.fripost.org.pem + +; vim:ft=dosini diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf deleted file mode 100644 index f1c2a16..0000000 --- a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf +++ /dev/null @@ -1,68 +0,0 @@ -; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012 -; Some options used here may be inadequate for your particular configuration -; This sample file does *not* represent stunnel.conf defaults -; Please consult the manual for detailed description of available options - -; ************************************************************************** -; * Global options * -; ************************************************************************** - -; A copy of some devices and system files is needed within the chroot jail -; Chroot conflicts with configuration file reload and many other features -; Remember also to update the logrotate configuration. -;chroot = /var/lib/stunnel4/ -; Chroot jail can be escaped if setuid option is not used -setuid = stunnel4 -setgid = stunnel4 - -; PID is created inside the chroot jail -pid = /var/run/stunnel4/stunnel4.pid - -; Debugging stuff (may useful for troubleshooting) -debug = 4 -;output = /var/log/stunnel4/stunnel.log - -; ************************************************************************** -; * Service defaults may also be specified in individual service sections * -; ************************************************************************** - -; Certificate/key is needed in server mode and optional in client mode -;cert = /etc/stunnel/mail.pem -;key = /etc/stunnel/mail.pem -client = yes -socket = a:SO_BINDTODEVICE=lo - -; Some performance tunings -socket = l:TCP_NODELAY=1 -socket = r:TCP_NODELAY=1 - -; Authentication stuff needs to be configured to prevent MITM attacks -verify = 4 - -; Disable support for insecure protocols -options = NO_SSLv2 -options = NO_SSLv3 -options = NO_TLSv1 -options = NO_TLSv1.1 - -; These options provide additional security at some performance degradation -options = SINGLE_ECDH_USE -options = SINGLE_DH_USE - -ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 - -; ************************************************************************** -; * Service definitions (remove all services for inetd mode) * -; ************************************************************************** - -[imaps] -accept = localhost:143 -connect = imap.fripost.org:993 -CAfile = /etc/stunnel/certs/imap.fripost.org.pem - -[ldaps] -accept = localhost:389 -connect = ldap.fripost.org:636 -CAfile = /etc/stunnel/certs/ldap.fripost.org.pem - -; vim:ft=dosini -- cgit v1.2.3