From de4859456f1de54540c96ad97f62858dd089a980 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 1 Jul 2014 23:02:45 +0200 Subject: Replace IPSec tunnels by app-level ephemeral TLS sessions. For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. --- roles/webmail/tasks/roundcube.yml | 2 ++ roles/webmail/templates/etc/postfix/main.cf.j2 | 20 +++++++++++--------- .../roundcube/plugins/managesieve/config.inc.php.j2 | 2 +- 3 files changed, 14 insertions(+), 10 deletions(-) (limited to 'roles/webmail') diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index 2085974..feb38ee 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -89,6 +89,8 @@ failed_when: r1.rc > 1 notify: - Restart Nginx + tags: + - genkey - name: Copy /etc/nginx/sites-available/roundcube copy: src=etc/nginx/sites-available/roundcube diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2 index b070881..595f618 100644 --- a/roles/webmail/templates/etc/postfix/main.cf.j2 +++ b/roles/webmail/templates/etc/postfix/main.cf.j2 @@ -40,7 +40,7 @@ local_recipient_maps = message_size_limit = 67108864 recipient_delimiter = + -# Forward everything to our internal mailhub +# Forward everything to our internal outgoing proxy {% if 'out' in group_names %} relayhost = [127.0.0.1]:{{ postfix_instance.out.port }} {% else %} @@ -48,6 +48,7 @@ relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }} {% endif %} relay_domains = + # Don't rewrite remote headers local_header_rewrite_clients = # Avoid splitting the envelope and scanning messages multiple times @@ -55,17 +56,18 @@ smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency smtp_data_done_timeout = 1200s -# Pass the mail to the antivirus -#content_filter = amavisfeed:unix:public/amavisfeed-antivirus - -# Tunnel everything through IPSec -smtp_tls_security_level = none {% if 'out' in group_names %} -smtp_bind_address = 127.0.0.1 +smtp_tls_security_level = none +smtp_bind_address = 127.0.0.1 {% else %} -smtp_bind_address = 172.16.0.1 +smtp_tls_security_level = encrypt +smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem +smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key +smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache +smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy +smtp_tls_fingerprint_digest = sha256 {% endif %} -smtpd_tls_security_level = none +smtpd_tls_security_level = none strict_rfc821_envelopes = yes diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 index c716ddc..d88a09a 100644 --- a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 +++ b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 @@ -26,7 +26,7 @@ $rcmail_config['managesieve_auth_pw'] = null; // use or not TLS for managesieve server connection // it's because I've problems with TLS and dovecot's managesieve plugin // and it's not needed on localhost -$rcmail_config['managesieve_usetls'] = FALSE; +$rcmail_config['managesieve_usetls'] = TRUE; // default contents of filters script (eg. default spam filter) $rcmail_config['managesieve_default'] = '/etc/dovecot/sieve/global'; -- cgit v1.2.3