From b441dd4a7c3ce72008968d324a12e5c342d164a3 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sat, 9 Jul 2016 23:46:21 +0200
Subject: Route SMTP traffic from the webmail through IPsec.

---
 .../plugins/managesieve/config.inc.php.j2          |  2 +-
 roles/webmail/templates/etc/stunnel/smtp.conf.j2   | 58 ----------------------
 2 files changed, 1 insertion(+), 59 deletions(-)
 delete mode 100644 roles/webmail/templates/etc/stunnel/smtp.conf.j2

(limited to 'roles/webmail/templates')

diff --git a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
index dcaca06..66af466 100644
--- a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
+++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
@@ -10,7 +10,7 @@ $config['managesieve_port'] = 4190;
 // %n - http hostname ($_SERVER['SERVER_NAME'])
 // %d - domain (http hostname without the first part)
 // For example %n = mail.domain.tld, %d = domain.tld
-$config['managesieve_host'] = '{{ ipsec[imapsvr.inventory_hostname_short] }}';
+$config['managesieve_host'] = '{{ imapsvr_addr | ipaddr }}';
 
 // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
 // or none. Optional, defaults to best method supported by server.
diff --git a/roles/webmail/templates/etc/stunnel/smtp.conf.j2 b/roles/webmail/templates/etc/stunnel/smtp.conf.j2
deleted file mode 100644
index ba38bfa..0000000
--- a/roles/webmail/templates/etc/stunnel/smtp.conf.j2
+++ /dev/null
@@ -1,58 +0,0 @@
-; **************************************************************************
-; * Global options                                                         *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections  *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-key  = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode)               *
-; **************************************************************************
-
-[smtp]
-accept   = localhost:2525
-connect  = outgoing.fripost.org:{{ postfix_instance.out.port }}
-CAfile   = /etc/stunnel/certs/smtp.pem
-protocol = smtp
-
-; vim:ft=dosini
-- 
cgit v1.2.3