From 7a562e807515506d7dca2f370f63057be7366c34 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Tue, 17 May 2016 20:35:37 +0200
Subject: roundube: Pin X.509 certificate for sieve.fripost.org:4190.

---
 .../roundcube/plugins/managesieve/config.inc.php   | 101 ---------------------
 roles/webmail/tasks/roundcube.yml                  |  10 +-
 .../plugins/managesieve/config.inc.php.j2          | 100 ++++++++++++++++++++
 3 files changed, 108 insertions(+), 103 deletions(-)
 delete mode 100644 roles/webmail/files/etc/roundcube/plugins/managesieve/config.inc.php
 create mode 100644 roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2

(limited to 'roles/webmail')

diff --git a/roles/webmail/files/etc/roundcube/plugins/managesieve/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/managesieve/config.inc.php
deleted file mode 100644
index 9c9b3fc..0000000
--- a/roles/webmail/files/etc/roundcube/plugins/managesieve/config.inc.php
+++ /dev/null
@@ -1,101 +0,0 @@
-<?php
-
-// managesieve server port. When empty the port will be determined automatically
-// using getservbyname() function, with 4190 as a fallback.
-$config['managesieve_port'] = 4190;
-
-// managesieve server address, default is localhost.
-// Replacement variables supported in host name:
-// %h - user's IMAP hostname
-// %n - http hostname ($_SERVER['SERVER_NAME'])
-// %d - domain (http hostname without the first part)
-// For example %n = mail.domain.tld, %d = domain.tld
-$config['managesieve_host'] = 'sieve.fripost.org';
-
-// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
-// or none. Optional, defaults to best method supported by server.
-$config['managesieve_auth_type'] = 'PLAIN';
-
-// Optional managesieve authentication identifier to be used as authorization proxy.
-// Authenticate as a different user but act on behalf of the logged in user.
-// Works with PLAIN and DIGEST-MD5 auth.
-$config['managesieve_auth_cid'] = null;
-
-// Optional managesieve authentication password to be used for imap_auth_cid
-$config['managesieve_auth_pw'] = null;
-
-// use or not TLS for managesieve server connection
-// Note: tls:// prefix in managesieve_host is also supported
-$config['managesieve_usetls'] = false;
-
-// Connection scket context options
-// See http://php.net/manual/en/context.ssl.php
-// The example below enables server certificate validation
-$config['managesieve_conn_options'] = array(
-  'ssl'         => array(
-     'verify_peer' => true,
-     'verify_depth' => 3,
-     'cafile' => '/etc/stunnel/certs/imap.fripost.org.pem',
-     'disable_compression' => true,
-     'ciphers' => 'EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL',
-   ),
- );
-
-// default contents of filters script (eg. default spam filter)
-$config['managesieve_default'] = '/etc/dovecot/sieve/global';
-
-// The name of the script which will be used when there's no user script
-$config['managesieve_script_name'] = 'managesieve';
-
-// Sieve RFC says that we should use UTF-8 endcoding for mailbox names,
-// but some implementations does not covert UTF-8 to modified UTF-7.
-// Defaults to UTF7-IMAP
-$config['managesieve_mbox_encoding'] = 'UTF-8';
-
-// I need this because my dovecot (with listescape plugin) uses
-// ':' delimiter, but creates folders with dot delimiter
-$config['managesieve_replace_delimiter'] = '';
-
-// disabled sieve extensions (body, copy, date, editheader, encoded-character,
-// envelope, environment, ereject, fileinto, ihave, imap4flags, index,
-// mailbox, mboxmetadata, regex, reject, relational, servermetadata,
-// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.
-// Note: not all extensions are implemented
-$config['managesieve_disabled_extensions'] = array();
-
-// Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve
-$config['managesieve_debug'] = false;
-
-// Enables features described in http://wiki.kolab.org/KEP:14
-$config['managesieve_kolab_master'] = false;
-
-// Script name extension used for scripts including. Dovecot uses '.sieve',
-// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
-$config['managesieve_filename_extension'] = '.sieve';
-
-// List of reserved script names (without extension).
-// Scripts listed here will be not presented to the user.
-$config['managesieve_filename_exceptions'] = array();
-
-// List of domains limiting destination emails in redirect action
-// If not empty, user will need to select domain from a list
-$config['managesieve_domains'] = array();
-
-// Enables separate management interface for vacation responses (out-of-office)
-// 0 - no separate section (default),
-// 1 - add Vacation section,
-// 2 - add Vacation section, but hide Filters section
-$config['managesieve_vacation'] = 0;
-
-// Default vacation interval (in days).
-// Note: If server supports vacation-seconds extension it is possible
-// to define interval in seconds here (as a string), e.g. "3600s".
-$config['managesieve_vacation_interval'] = 0;
-
-// Some servers require vacation :addresses to be filled with all
-// user addresses (aliases). This option enables automatic filling
-// of these on initial vacation form creation.
-$config['managesieve_vacation_addresses_init'] = false;
-
-// Supported methods of notify extension. Default: 'mailto'
-$config['managesieve_notify_methods'] = array('mailto');
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index eb04ba1..e416656 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -27,7 +27,6 @@
     - roundcube-plugins
     - php-net-sieve
     - php-net-ldap3
-    - php-mail-mimedecode
 
 - name: Copy fripost's logo
   copy: src=usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png
@@ -97,9 +96,16 @@
   with_items:
     - additional_message_headers
     - jqueryui
-    - managesieve
     - password
 
+- name: Configure Roundcube plugins (2)
+  template: src=etc/roundcube/plugins/{{ item }}/config.inc.php.j2
+            dest=/etc/roundcube/plugins/{{ item }}/config.inc.php
+            owner=root group=root
+            mode=0644
+  with_items:
+    - managesieve
+
 - name: Start php5-fpm
   service: name=php5-fpm state=started
 
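Review bot: The new task "Configure Roundcube plugins (2)" renders a template whose `peer_fingerprint` value comes from a `lookup('pipe', 'openssl x509 -in certs/public/imap.fripost.org.pem ...')`, which runs on the Ansible controller and needs `openssl` plus that relative path to resolve from the playbook's working directory; nothing in the task records that prerequisite. A short comment above the task, such as `# Renders the managesieve config; the certificate fingerprint is computed on the controller from certs/public/imap.fripost.org.pem at run time`, would make the dependency visible, and a name more descriptive than "(2)" (e.g. `Configure Roundcube plugins (templated)`) would distinguish it from the copy-based task above it. The numbering suffix also suggests the two tasks could be folded into one `template`-based task if the copied configs were turned into trivial templates, but that is outside this change.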
diff --git a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
new file mode 100644
index 0000000..6ad7343
--- /dev/null
+++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
@@ -0,0 +1,100 @@
+<?php
+
+// managesieve server port. When empty the port will be determined automatically
+// using getservbyname() function, with 4190 as a fallback.
+$config['managesieve_port'] = 4190;
+
+// managesieve server address, default is localhost.
+// Replacement variables supported in host name:
+// %h - user's IMAP hostname
+// %n - http hostname ($_SERVER['SERVER_NAME'])
+// %d - domain (http hostname without the first part)
+// For example %n = mail.domain.tld, %d = domain.tld
+$config['managesieve_host'] = 'sieve.fripost.org';
+
+// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
+// or none. Optional, defaults to best method supported by server.
+$config['managesieve_auth_type'] = 'PLAIN';
+
+// Optional managesieve authentication identifier to be used as authorization proxy.
+// Authenticate as a different user but act on behalf of the logged in user.
+// Works with PLAIN and DIGEST-MD5 auth.
+$config['managesieve_auth_cid'] = null;
+
+// Optional managesieve authentication password to be used for imap_auth_cid
+$config['managesieve_auth_pw'] = null;
+
+// use or not TLS for managesieve server connection
+// Note: tls:// prefix in managesieve_host is also supported
+$config['managesieve_usetls'] = true;
+
+// Connection scket context options
+// See http://php.net/manual/en/context.ssl.php
+// The example below enables server certificate validation
+$config['managesieve_conn_options'] = array(
+  'ssl'         => array(
+     'verify_peer' => true,
+     'disable_compression' => true,
+     'ciphers' => 'EECDH+AES!MEDIUM!LOW!EXP!aNULL!eNULL',
+     'peer_fingerprint' => array('sha1' => '{{ lookup('pipe', 'openssl x509 -in certs/public/imap.fripost.org.pem -noout -fingerprint -sha1 | sed "s/[^=]*=\s*//" | tr -d :') }}'),
+   ),
+ );
+
+// default contents of filters script (eg. default spam filter)
+$config['managesieve_default'] = '/etc/dovecot/sieve/global';
+
+// The name of the script which will be used when there's no user script
+$config['managesieve_script_name'] = 'managesieve';
+
+// Sieve RFC says that we should use UTF-8 endcoding for mailbox names,
+// but some implementations does not covert UTF-8 to modified UTF-7.
+// Defaults to UTF7-IMAP
+$config['managesieve_mbox_encoding'] = 'UTF-8';
+
+// I need this because my dovecot (with listescape plugin) uses
+// ':' delimiter, but creates folders with dot delimiter
+$config['managesieve_replace_delimiter'] = '';
+
+// disabled sieve extensions (body, copy, date, editheader, encoded-character,
+// envelope, environment, ereject, fileinto, ihave, imap4flags, index,
+// mailbox, mboxmetadata, regex, reject, relational, servermetadata,
+// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.
+// Note: not all extensions are implemented
+$config['managesieve_disabled_extensions'] = array();
+
+// Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve
+$config['managesieve_debug'] = false;
+
+// Enables features described in http://wiki.kolab.org/KEP:14
+$config['managesieve_kolab_master'] = false;
+
+// Script name extension used for scripts including. Dovecot uses '.sieve',
+// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
+$config['managesieve_filename_extension'] = '.sieve';
+
+// List of reserved script names (without extension).
+// Scripts listed here will be not presented to the user.
+$config['managesieve_filename_exceptions'] = array();
+
+// List of domains limiting destination emails in redirect action
+// If not empty, user will need to select domain from a list
+$config['managesieve_domains'] = array();
+
+// Enables separate management interface for vacation responses (out-of-office)
+// 0 - no separate section (default),
+// 1 - add Vacation section,
+// 2 - add Vacation section, but hide Filters section
+$config['managesieve_vacation'] = 0;
+
+// Default vacation interval (in days).
+// Note: If server supports vacation-seconds extension it is possible
+// to define interval in seconds here (as a string), e.g. "3600s".
+$config['managesieve_vacation_interval'] = 0;
+
+// Some servers require vacation :addresses to be filled with all
+// user addresses (aliases). This option enables automatic filling
+// of these on initial vacation form creation.
+$config['managesieve_vacation_addresses_init'] = false;
+
+// Supported methods of notify extension. Default: 'mailto'
+$config['managesieve_notify_methods'] = array('mailto');
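Review bot: The pin on the `peer_fingerprint` line uses a SHA-1 digest of the leaf certificate; the array form of `peer_fingerprint` is keyed by digest name, so a stronger pin is a one-line change, replacing `-sha1` with `-sha256` in the lookup and `'sha1' =>` with `'sha256' =>` in the array — worth confirming against the PHP 5 build this role deploys (the playbook starts php5-fpm). The fingerprint is baked in when the template is rendered from `certs/public/imap.fripost.org.pem` on the controller, so a certificate renewal on sieve.fripost.org will make every managesieve connection fail until the webmail role is re-run, and the template says nothing about that; I would add `// Leaf certificate pinned at deploy time from certs/public/imap.fripost.org.pem; re-run the webmail role after the certificate is renewed.` above the `managesieve_conn_options` block. The `ciphers` value dropped the `:` separators and widened `EECDH+AESGCM` to `EECDH+AES`; OpenSSL's rule parser appears to accept `!` as a rule boundary without a separator, but the documented form is colon-separated and the old file used it, and if admitting CBC suites is deliberate a comment should say so. `verify_peer` stays true while `cafile` and `verify_depth` were removed, so as far as I can tell chain validation now falls back to the system CA store in addition to the pin, which is fine but also deserves a comment so the next reader does not re-add a cafile by reflex.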
-- 
cgit v1.2.3