From 05d59141d1115cafb663305d680a930f089b4851 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sat, 28 May 2016 13:49:48 +0200
Subject: Roundcube: route IMAP and managesieve traffic through IPSec.

---
 roles/webmail/tasks/roundcube.yml                    | 12 ++++++------
 .../roundcube/plugins/managesieve/config.inc.php.j2  | 20 ++++++++++----------
 2 files changed, 16 insertions(+), 16 deletions(-)

(limited to 'roles')

diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 3d56af7..998026c 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -49,12 +49,12 @@
     # IMAP
     #   WARNING: After hostname change update of mail_host column in users
     #   table is required to match old user data records with the new host.
-    - { var: default_host,           value: "'localhost'" }
-    - { var: default_port,           value: "143"         }
-    - { var: imap_auth_type,         value: "'PLAIN'"     }
-    - { var: imap_cache,             value: "null"        }
-    - { var: imap_timeout,           value: "180"         }
-    - { var: messages_cache,         value: "false"       }
+    - { var: default_host,           value: "'{{ ipsec[imapsvr.inventory_hostname_short] }}'" }
+    - { var: default_port,           value: "143"                                             }
+    - { var: imap_auth_type,         value: "'PLAIN'"                                         }
+    - { var: imap_cache,             value: "null"                                            }
+    - { var: imap_timeout,           value: "180"                                             }
+    - { var: messages_cache,         value: "false"                                           }
     # SMTP
     - { var: smtp_server,            value: "'localhost'" }
     - { var: smtp_port,              value: "2525"        }
diff --git a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
index 6ad7343..dcaca06 100644
--- a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
+++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
@@ -10,7 +10,7 @@ $config['managesieve_port'] = 4190;
 // %n - http hostname ($_SERVER['SERVER_NAME'])
 // %d - domain (http hostname without the first part)
 // For example %n = mail.domain.tld, %d = domain.tld
-$config['managesieve_host'] = 'sieve.fripost.org';
+$config['managesieve_host'] = '{{ ipsec[imapsvr.inventory_hostname_short] }}';
 
 // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
 // or none. Optional, defaults to best method supported by server.
@@ -26,19 +26,19 @@ $config['managesieve_auth_pw'] = null;
 
 // use or not TLS for managesieve server connection
 // Note: tls:// prefix in managesieve_host is also supported
-$config['managesieve_usetls'] = true;
+$config['managesieve_usetls'] = false;
 
 // Connection scket context options
 // See http://php.net/manual/en/context.ssl.php
 // The example below enables server certificate validation
-$config['managesieve_conn_options'] = array(
-  'ssl'         => array(
-     'verify_peer' => true,
-     'disable_compression' => true,
-     'ciphers' => 'EECDH+AES!MEDIUM!LOW!EXP!aNULL!eNULL',
-     'peer_fingerprint' => array('sha1' => '{{ lookup('pipe', 'openssl x509 -in certs/public/imap.fripost.org.pem -noout -fingerprint -sha1 | sed "s/[^=]*=\s*//" | tr -d :') }}'),
-   ),
- );
+//$config['managesieve_conn_options'] = array(
+//  'ssl'         => array(
+//     'verify_peer'  => true,
+//     'verify_depth' => 3,
+//     'cafile'       => '/etc/openssl/certs/ca.crt',
+//   ),
+// );
+$config['managesieve_conn_options'] = null;
 
 // default contents of filters script (eg. default spam filter)
 $config['managesieve_default'] = '/etc/dovecot/sieve/global';
-- 
cgit v1.2.3