From 73b2a602ee85706b2a1797632142058c6253ea5d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 22 May 2016 18:02:37 +0200 Subject: dovecot: also listen on the virtual IP dedicated to IPSec. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection. --- roles/IMAP/files/etc/dovecot/conf.d/10-master.conf | 138 -------------------- roles/IMAP/tasks/imap.yml | 21 +++- .../templates/etc/dovecot/conf.d/10-master.conf.j2 | 139 +++++++++++++++++++++ 3 files changed, 154 insertions(+), 144 deletions(-) delete mode 100644 roles/IMAP/files/etc/dovecot/conf.d/10-master.conf create mode 100644 roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 (limited to 'roles/IMAP') diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf deleted file mode 100644 index 9fcc549..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf +++ /dev/null @@ -1,138 +0,0 @@ -#default_process_limit = 100 -#default_client_limit = 1000 - -# Default VSZ (virtual memory size) limit for service processes. This is mainly -# intended to catch and kill processes that leak memory before they eat up -# everything. -#default_vsz_limit = 256M - -# Login user is internally used by login processes. This is the most untrusted -# user in Dovecot system. It shouldn't have access to anything at all. -#default_login_user = dovenull - -# Internal user is used by unprivileged processes. It should be separate from -# login user, so that login processes can't disturb other processes. -#default_internal_user = dovecot - -service imap-login { - inet_listener imap { - port = 0 - } - inet_listener imaps { - #port = 993 - #ssl = yes - } - - # Number of connections to handle before starting a new process. Typically - # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 - # is faster. - #service_count = 1 - - # Max. number of IMAP processes (logins) - process_limit = 256 - - # Number of processes to always keep waiting for more connections. - process_min_avail = 4 - - # If you set service_count=0, you probably need to grow this. - #vsz_limit = $default_vsz_limit -} - -service pop3-login { - inet_listener pop3 { - #port = 110 - } - inet_listener pop3s { - #port = 995 - #ssl = yes - } -} - -service lmtp { - user = vmail - - unix_listener /var/spool/postfix-mda/private/dovecot-lmtpd { - group = postfix - user = postfix - mode = 0600 - } - - # Create inet listener only if you can't use the above UNIX socket - #inet_listener lmtp { - # Avoid making LMTP visible for the entire internet - #address = - #port = - #} - - # Number of processes to always keep waiting for more connections. - process_min_avail = 4 -} - -service imap { - # Most of the memory goes to mmap()ing files. You may need to increase this - # limit if you have huge mailboxes. - #vsz_limit = $default_vsz_limit - - # Max. number of IMAP processes (connections) - #process_limit = 1024 -} - -service pop3 { - # Max. number of POP3 processes (connections) - #process_limit = 1024 -} - -service auth { - # auth_socket_path points to this userdb socket by default. It's typically - # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have - # full permissions to this socket are able to get a list of all usernames and - # get the results of everyone's userdb lookups. - # - # The default 0666 mode allows anyone to connect to the socket, but the - # userdb lookups will succeed only if the userdb returns an "uid" field that - # matches the caller process's UID. Also if caller's uid or gid matches the - # socket's uid or gid the lookup succeeds. Anything else causes a failure. - # - # To give the caller full permissions to lookup all users, set the mode to - # something else than 0666 and Dovecot lets the kernel enforce the - # permissions (e.g. 0777 allows everyone full permissions). - unix_listener auth-userdb { - mode = 0600 - user = vmail - group = root - } - - # Postfix smtp-auth - unix_listener /var/spool/postfix-msa/private/dovecot-auth { - group = postfix - user = postfix - mode = 0600 - } - - # Auth process is run as this user. - #user = $default_internal_user -} - -service auth-worker { - # Auth worker process is run as root by default, so that it can access - # /etc/shadow. If this isn't necessary, the user should be changed to - # $default_internal_user. - user = $default_internal_user -} - -service dict { - # If dict proxy is used, mail processes should have access to its socket. - # For example: mode=0660, group=vmail and global mail_access_groups=vmail - unix_listener dict { - #mode = 0600 - #user = - #group = - } -} - -service stats { - fifo_listener stats-mail { - user = vmail - mode = 0600 - } -} diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml index 39dc573..a596c42 100644 --- a/roles/IMAP/tasks/imap.yml +++ b/roles/IMAP/tasks/imap.yml @@ -96,7 +96,6 @@ - conf.d/10-auth.conf - conf.d/10-logging.conf - conf.d/10-mail.conf - - conf.d/10-master.conf - conf.d/10-ssl.conf - conf.d/15-mailboxes.conf - conf.d/20-imap.conf @@ -109,23 +108,33 @@ notify: - Restart Dovecot +- name: Configure Dovecot (2) + template: src=etc/dovecot/{{ item }}.j2 + dest=/etc/dovecot/{{ item }} + owner=root group=root + mode=0644 + register: r2 + with_items: + - conf.d/10-master.conf + notify: + - Restart Dovecot + - name: Tell Dovecot we have a remote IMAP proxy - # XXX: we should have an automatic lookup here lineinfile: dest=/etc/dovecot/dovecot.conf regexp='^(\s*#)?\s*login_trusted_networks\s*=' - line='login_trusted_networks = 171.25.193.76/32' + line="login_trusted_networks = {{ ipsec_subnet }}" state=present create=yes owner=root group=root mode=0644 - register: r2 - when: "'IMAP' in group_names and 'webmail' not in group_names" + register: r3 + when: "groups.all | length > 1" notify: - Restart Dovecot - name: Start Dovecot service: name=dovecot state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers diff --git a/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 new file mode 100644 index 0000000..4969550 --- /dev/null +++ b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 @@ -0,0 +1,139 @@ +#default_process_limit = 100 +#default_client_limit = 1000 + +# Default VSZ (virtual memory size) limit for service processes. This is mainly +# intended to catch and kill processes that leak memory before they eat up +# everything. +#default_vsz_limit = 256M + +# Login user is internally used by login processes. This is the most untrusted +# user in Dovecot system. It shouldn't have access to anything at all. +#default_login_user = dovenull + +# Internal user is used by unprivileged processes. It should be separate from +# login user, so that login processes can't disturb other processes. +#default_internal_user = dovecot + +service imap-login { + inet_listener imap { + address = {{ ipsec[inventory_hostname_short] }} + port = 143 + } + inet_listener imaps { + #port = 993 + #ssl = yes + } + + # Number of connections to handle before starting a new process. Typically + # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 + # is faster. + #service_count = 1 + + # Max. number of IMAP processes (logins) + process_limit = 256 + + # Number of processes to always keep waiting for more connections. + process_min_avail = 4 + + # If you set service_count=0, you probably need to grow this. + #vsz_limit = $default_vsz_limit +} + +service pop3-login { + inet_listener pop3 { + #port = 110 + } + inet_listener pop3s { + #port = 995 + #ssl = yes + } +} + +service lmtp { + user = vmail + + unix_listener /var/spool/postfix-mda/private/dovecot-lmtpd { + group = postfix + user = postfix + mode = 0600 + } + + # Create inet listener only if you can't use the above UNIX socket + #inet_listener lmtp { + # Avoid making LMTP visible for the entire internet + #address = + #port = + #} + + # Number of processes to always keep waiting for more connections. + process_min_avail = 4 +} + +service imap { + # Most of the memory goes to mmap()ing files. You may need to increase this + # limit if you have huge mailboxes. + #vsz_limit = $default_vsz_limit + + # Max. number of IMAP processes (connections) + #process_limit = 1024 +} + +service pop3 { + # Max. number of POP3 processes (connections) + #process_limit = 1024 +} + +service auth { + # auth_socket_path points to this userdb socket by default. It's typically + # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have + # full permissions to this socket are able to get a list of all usernames and + # get the results of everyone's userdb lookups. + # + # The default 0666 mode allows anyone to connect to the socket, but the + # userdb lookups will succeed only if the userdb returns an "uid" field that + # matches the caller process's UID. Also if caller's uid or gid matches the + # socket's uid or gid the lookup succeeds. Anything else causes a failure. + # + # To give the caller full permissions to lookup all users, set the mode to + # something else than 0666 and Dovecot lets the kernel enforce the + # permissions (e.g. 0777 allows everyone full permissions). + unix_listener auth-userdb { + mode = 0600 + user = vmail + group = root + } + + # Postfix smtp-auth + unix_listener /var/spool/postfix-msa/private/dovecot-auth { + group = postfix + user = postfix + mode = 0600 + } + + # Auth process is run as this user. + #user = $default_internal_user +} + +service auth-worker { + # Auth worker process is run as root by default, so that it can access + # /etc/shadow. If this isn't necessary, the user should be changed to + # $default_internal_user. + user = $default_internal_user +} + +service dict { + # If dict proxy is used, mail processes should have access to its socket. + # For example: mode=0660, group=vmail and global mail_access_groups=vmail + unix_listener dict { + #mode = 0600 + #user = + #group = + } +} + +service stats { + fifo_listener stats-mail { + user = vmail + mode = 0600 + } +} -- cgit v1.2.3