From b29601e313e8d35ec7edee343c82ca71ed6a3a12 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 31 May 2015 04:02:00 +0200 Subject: Upgrade the webmail configuration from Wheezy to Jessie. --- .../files/etc/dovecot/conf.d/10-mail.conf | 21 +++++++++++---------- roles/IMAP-proxy/files/etc/stunnel/stunnel.conf | 22 ++++++++++++++-------- roles/IMAP-proxy/tasks/main.yml | 13 +++++++++++-- 3 files changed, 36 insertions(+), 20 deletions(-) (limited to 'roles/IMAP-proxy') diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf index 9c50531..e2225c3 100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf @@ -146,13 +146,6 @@ mail_gid = imapproxy # never: Never use it (best performance, but crashes can lose data) #mail_fsync = optimized -# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches -# whenever needed. If you're using only a single mail server this isn't needed. -#mail_nfs_storage = no -# Mail index files also exist in NFS. Setting this to yes requires -# mmap_disable=yes and fsync_disable=no. -#mail_nfs_index = no - # Locking method for index files. Alternatives are fcntl, flock and dotlock. # Dotlocking uses some tricks which may create more disk I/O than other locking # methods. NFS users: flock doesn't work, remember to change mmap_disable. @@ -165,14 +158,14 @@ mail_gid = imapproxy # to make sure that users can't log in as daemons or other system users. # Note that denying root logins is hardcoded to dovecot binary and can't # be done even if first_valid_uid is set to 0. -first_valid_uid = 1 +#first_valid_uid = 500 #last_valid_uid = 0 # Valid GID range for users, defaults to non-root/wheel. Users having # non-valid GID as primary group ID aren't allowed to log in. If user # belongs to supplementary groups with non-valid GIDs, those groups are # not set. -first_valid_gid = 1 +#first_valid_gid = 1 #last_valid_gid = 0 # Maximum allowed length for mail keyword name. It's only forced when trying @@ -205,12 +198,16 @@ first_valid_gid = 1 # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. -mail_plugins = virtual +mail_plugins = virtual zlib ## ## Mailbox handling optimizations ## +# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are +# also required for IMAP NOTIFY extension to be enabled. +mailbox_list_index = yes + # The minimum number of mails in a mailbox before updates are done to cache # file. This allows optimizing Dovecot's behavior to do less disk writes at # the cost of more disk reads. @@ -262,6 +259,10 @@ mail_plugins = virtual # broken size. The performance hit for enabling this is very small. #maildir_broken_filename_sizes = no +# Always move mails from new/ directory to cur/, even when the \Recent flags +# aren't being reset. +#maildir_empty_new = no + ## ## mbox-specific settings ## diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf index e77b557..f1c2a16 100644 --- a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf +++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf @@ -39,24 +39,30 @@ socket = r:TCP_NODELAY=1 ; Authentication stuff needs to be configured to prevent MITM attacks verify = 4 -; Disable support for insecure SSLv2 protocol +; Disable support for insecure protocols options = NO_SSLv2 -; Workaround for Eudora bug -;options = DONT_INSERT_EMPTY_FRAGMENTS +options = NO_SSLv3 +options = NO_TLSv1 +options = NO_TLSv1.1 ; These options provide additional security at some performance degradation -;options = SINGLE_ECDH_USE -;options = SINGLE_DH_USE +options = SINGLE_ECDH_USE +options = SINGLE_DH_USE + +ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [imaps] -accept = localhost:993 +accept = localhost:143 connect = imap.fripost.org:993 CAfile = /etc/stunnel/certs/imap.fripost.org.pem -options = NO_SSLv3 -ciphers = ECDH+AES:DH+AES + +[ldaps] +accept = localhost:389 +connect = ldap.fripost.org:636 +CAfile = /etc/stunnel/certs/ldap.fripost.org.pem ; vim:ft=dosini diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml index 41bb7a3..2ddba96 100644 --- a/roles/IMAP-proxy/tasks/main.yml +++ b/roles/IMAP-proxy/tasks/main.yml @@ -73,17 +73,26 @@ notify: - Restart stunnel +- name: Copy slapd's X.509 certificate + copy: src=certs/ldap/ldap.fripost.org.pem + dest=/etc/stunnel/certs/ldap.fripost.org.pem + owner=root group=root + mode=0644 + register: r2 + notify: + - Restart stunnel + - name: Configure stunnel copy: src=etc/stunnel/stunnel.conf dest=/etc/stunnel/stunnel.conf owner=root group=root mode=0644 - register: r2 + register: r3 notify: - Restart stunnel - name: Start stunnel service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers -- cgit v1.2.3