From 7a5cc5032b036f110a19b899cfc264065b473ed1 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 2 Jul 2014 17:54:24 +0200 Subject: Use stunnel to secure the connection from the IMAP proxy to the IMAP server. The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does. --- .../files/etc/dovecot/conf.d/20-imapc.conf | 4 +- .../files/etc/dovecot/conf.d/auth-imap.conf.ext | 2 +- roles/IMAP-proxy/files/etc/stunnel/stunnel.conf | 57 ++++++++++++++++++++++ roles/IMAP-proxy/handlers/main.yml | 3 ++ roles/IMAP-proxy/tasks/main.yml | 46 +++++++++++++++++ 5 files changed, 109 insertions(+), 3 deletions(-) create mode 100644 roles/IMAP-proxy/files/etc/stunnel/stunnel.conf (limited to 'roles/IMAP-proxy') diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf index 242762e..ea39a32 100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf @@ -4,8 +4,8 @@ # http://wiki2.dovecot.org/HowTo/ImapcProxy # http://wiki2.dovecot.org/Migration/Dsync -imapc_host = imap.fripost.org -imapc_port = 143 +imapc_host = localhost +imapc_port = 993 # Read multiple mails in parallel, improves performance mail_prefetch_count = 20 diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext index e292092..7ab096f 100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext @@ -4,7 +4,7 @@ passdb { driver = imap - args = host=imap.fripost.org port=143 + args = host=localhost port=993 default_fields = userdb_imapc_password=%w } diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf new file mode 100644 index 0000000..026bc30 --- /dev/null +++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf @@ -0,0 +1,57 @@ +; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012 +; Some options used here may be inadequate for your particular configuration +; This sample file does *not* represent stunnel.conf defaults +; Please consult the manual for detailed description of available options + +; ************************************************************************** +; * Global options * +; ************************************************************************** + +; A copy of some devices and system files is needed within the chroot jail +; Chroot conflicts with configuration file reload and many other features +; Remember also to update the logrotate configuration. +;chroot = /var/lib/stunnel4/ +; Chroot jail can be escaped if setuid option is not used +setuid = stunnel4 +setgid = stunnel4 + +; PID is created inside the chroot jail +pid = /var/run/stunnel4/stunnel4.pid + +; Debugging stuff (may useful for troubleshooting) +debug = 4 +;output = /var/log/stunnel4/stunnel.log + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +; Certificate/key is needed in server mode and optional in client mode +;cert = /etc/stunnel/mail.pem +;key = /etc/stunnel/mail.pem +client = yes +socket = a:SO_BINDTODEVICE=lo + +; Authentication stuff needs to be configured to prevent MITM attacks +verify = 4 + +; Disable support for insecure SSLv2 protocol +options = NO_SSLv2 +; Workaround for Eudora bug +;options = DONT_INSERT_EMPTY_FRAGMENTS + +; These options provide additional security at some performance degradation +;options = SINGLE_ECDH_USE +;options = SINGLE_DH_USE + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +[imaps] +accept = localhost:993 +connect = imap.fripost.org:993 +CAfile = /etc/stunnel/certs/imap.fripost.org.pem +ciphers = ECDH+AES:DH+AES + +; vim:ft=dosini diff --git a/roles/IMAP-proxy/handlers/main.yml b/roles/IMAP-proxy/handlers/main.yml index 45f817d..5249a7e 100644 --- a/roles/IMAP-proxy/handlers/main.yml +++ b/roles/IMAP-proxy/handlers/main.yml @@ -1,3 +1,6 @@ --- +- name: Restart stunnel + service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted + - name: Restart Dovecot service: name=dovecot state=restarted diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml index bb6e5be..73a0dee 100644 --- a/roles/IMAP-proxy/tasks/main.yml +++ b/roles/IMAP-proxy/tasks/main.yml @@ -40,3 +40,49 @@ when: not r.changed - meta: flush_handlers + + +- name: Install stunnel + apt: pkg=stunnel4 + +- name: Auto-enable stunnel + lineinfile: dest=/etc/default/stunnel4 + regexp='^(\s*#)?\s*ENABLED=' + line='ENABLED=1' + owner=root group=root + mode=0644 + +- name: Create /etc/stunnel/certs + file: path=/etc/stunnel/certs + state=directory + owner=root group=root + mode=0755 + +- name: Copy Dovecot's X.509 certificate + # XXX: it's unfortunate that we have to store the whole CA chain... + # for some reason stunnel's level 4 "verify" (CA chain and only verify + # peer certificate) doesn't always work: + # https://www.stunnel.org/pipermail/stunnel-users/2013-July/004249.html + assemble: src=certs/dovecot + remote_src=no + dest=/etc/stunnel/certs/imap.fripost.org.pem + owner=root group=root + mode=0644 + register: r1 + notify: + - Restart stunnel + +- name: Configure stunnel + copy: src=etc/stunnel/stunnel.conf + dest=/etc/stunnel/stunnel.conf + owner=root group=root + mode=0644 + register: r2 + notify: + - Restart stunnel + +- name: Start stunnel + service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started + when: not (r1.changed or r2.changed) + +- meta: flush_handlers -- cgit v1.2.3