From 17d7427e0bc5e61ee10e28cbc5cba5b8a7566d58 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 5 Jun 2016 17:30:00 +0200 Subject: Use stunnel to secure the connection from the webmail to ldap.fripost.org. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting. --- roles/webmail/files/etc/stunnel/ldap.conf | 57 +++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 roles/webmail/files/etc/stunnel/ldap.conf (limited to 'roles/webmail/files/etc') diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf new file mode 100644 index 0000000..1149bce --- /dev/null +++ b/roles/webmail/files/etc/stunnel/ldap.conf @@ -0,0 +1,57 @@ +; ************************************************************************** +; * Global options * +; ************************************************************************** + +; setuid()/setgid() to the specified user/group in daemon mode +setuid = stunnel4 +setgid = stunnel4 + +; PID is created inside the chroot jail +pid = +foreground = yes + +; Only log messages at severity warning (4) and higher +debug = 4 + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +; Certificate/key is needed in server mode and optional in client mode +;cert = /etc/stunnel/mail.pem +;key = /etc/stunnel/mail.pem +client = yes +socket = a:SO_BINDTODEVICE=lo + +; Some performance tunings +socket = l:TCP_NODELAY=1 +socket = r:TCP_NODELAY=1 + +; Prevent MITM attacks +verify = 4 + +; Disable support for insecure protocols +options = NO_SSLv2 +options = NO_SSLv3 +options = NO_TLSv1 +options = NO_TLSv1.1 + +options = NO_COMPRESSION + +; These options provide additional security at some performance degradation +options = SINGLE_ECDH_USE +options = SINGLE_DH_USE + +; Select permitted SSL ciphers +ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +[ldaps] +accept = localhost:389 +connect = ldap.fripost.org:636 +CAfile = /etc/stunnel/certs/ldap.pem + +; vim:ft=dosini -- cgit v1.2.3