From b29601e313e8d35ec7edee343c82ca71ed6a3a12 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 31 May 2015 04:02:00 +0200
Subject: Upgrade the webmail configuration from Wheezy to Jessie.

---
 .../files/etc/dovecot/conf.d/10-mail.conf | 21 +++++++++++----------
 roles/IMAP-proxy/files/etc/stunnel/stunnel.conf | 22 ++++++++++++++--------
 roles/IMAP-proxy/tasks/main.yml | 13 +++++++++++--
 .../files/etc/nginx/sites-available/roundcube | 1 +
 roles/webmail/tasks/roundcube.yml | 2 +-
 roles/webmail/templates/etc/postfix/main.cf.j2 | 7 ++++---
 6 files changed, 42 insertions(+), 24 deletions(-)
(limited to 'roles')

diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
index 9c50531..e2225c3 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
@@ -146,13 +146,6 @@ mail_gid = imapproxy
 # never: Never use it (best performance, but crashes can lose data)
 #mail_fsync = optimized
 
-# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
-# whenever needed. If you're using only a single mail server this isn't needed.
-#mail_nfs_storage = no
-# Mail index files also exist in NFS. Setting this to yes requires
-# mmap_disable=yes and fsync_disable=no.
-#mail_nfs_index = no
-
 # Locking method for index files. Alternatives are fcntl, flock and dotlock.
 # Dotlocking uses some tricks which may create more disk I/O than other locking
 # methods. NFS users: flock doesn't work, remember to change mmap_disable.
@@ -165,14 +158,14 @@ mail_gid = imapproxy
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
-first_valid_uid = 1
+#first_valid_uid = 500
 #last_valid_uid = 0
 
 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user
 # belongs to supplementary groups with non-valid GIDs, those groups are
 # not set.
-first_valid_gid = 1
+#first_valid_gid = 1
 #last_valid_gid = 0
 
 # Maximum allowed length for mail keyword name. It's only forced when trying
@@ -205,12 +198,16 @@ first_valid_gid = 1
 
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-mail_plugins = virtual
+mail_plugins = virtual zlib
 
 ##
 ## Mailbox handling optimizations
 ##
 
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+mailbox_list_index = yes
+
 # The minimum number of mails in a mailbox before updates are done to cache
 # file. This allows optimizing Dovecot's behavior to do less disk writes at
 # the cost of more disk reads.
@@ -262,6 +259,10 @@ mail_plugins = virtual
 # broken size. The performance hit for enabling this is very small.
 #maildir_broken_filename_sizes = no
 
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
 ##
 ## mbox-specific settings
 ##
diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
index e77b557..f1c2a16 100644
--- a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
+++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
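Review bot: Commenting out `first_valid_uid = 1` does not set 500, it reverts the setting to Dovecot's compiled-in default (500); the new `#first_valid_uid = 500` line is only a comment, while `first_valid_gid` keeps its previous value of 1. The hunk header shows `mail_gid = imapproxy`, so mail access presumably runs as a dedicated system account whose uid is below 500, and Dovecot refuses such a uid with its "Mail access for users with UID ... not permitted (see first_valid_uid in config file)" error — which is likely why the explicit `first_valid_uid = 1` existed; confirm against the mail_uid setting (if any), which is outside this hunk. If the lower bound is still needed, keep it explicit and say why: `# mail is accessed as a system account; Dovecot's default of 500 would refuse it` above `first_valid_uid = 1`.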
@@ -39,24 +39,30 @@ socket = r:TCP_NODELAY=1
 ; Authentication stuff needs to be configured to prevent MITM attacks
 verify = 4
 
-; Disable support for insecure SSLv2 protocol
+; Disable support for insecure protocols
 options = NO_SSLv2
-; Workaround for Eudora bug
-;options = DONT_INSERT_EMPTY_FRAGMENTS
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
 
 ; These options provide additional security at some performance degradation
-;options = SINGLE_ECDH_USE
-;options = SINGLE_DH_USE
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
 
 ; **************************************************************************
 ; * Service definitions (remove all services for inetd mode) *
 ; **************************************************************************
 
 [imaps]
-accept = localhost:993
+accept = localhost:143
 connect = imap.fripost.org:993
 CAfile = /etc/stunnel/certs/imap.fripost.org.pem
-options = NO_SSLv3
-ciphers = ECDH+AES:DH+AES
+
+[ldaps]
+accept = localhost:389
+connect = ldap.fripost.org:636
+CAfile = /etc/stunnel/certs/ldap.fripost.org.pem
 
 ; vim:ft=dosini
diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml
index 41bb7a3..2ddba96 100644
--- a/roles/IMAP-proxy/tasks/main.yml
+++ b/roles/IMAP-proxy/tasks/main.yml
@@ -73,17 +73,26 @@
   notify:
     - Restart stunnel
 
+- name: Copy slapd's X.509 certificate
+  copy: src=certs/ldap/ldap.fripost.org.pem
+        dest=/etc/stunnel/certs/ldap.fripost.org.pem
+        owner=root group=root
+        mode=0644
+  register: r2
+  notify:
+    - Restart stunnel
+
 - name: Configure stunnel
   copy: src=etc/stunnel/stunnel.conf
         dest=/etc/stunnel/stunnel.conf
         owner=root group=root
         mode=0644
-  register: r2
+  register: r3
   notify:
     - Restart stunnel
 
 - name: Start stunnel
   service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
-  when: not (r1.changed or r2.changed)
+  when: not (r1.changed or r2.changed or r3.changed)
 
 - meta: flush_handlers
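Review bot: The `!SSLv2:!SSLv3:!TLSv1:!TLSv1.1` suffix on the new global `ciphers` line selects by cipher-suite generation, not by protocol version: in OpenSSL's cipher-list syntax `SSLv3` and `TLSv1` name the suites introduced with those versions (so `!SSLv3` drops e.g. ECDHE-RSA-AES256-SHA even on a TLS 1.2 connection), and there is no `TLSv1.1` keyword at all because no suites are specific to TLS 1.1, so that token is presumably ignored rather than enforced. Protocol disabling is already done by the `options = NO_SSLv3` / `NO_TLSv1` / `NO_TLSv1.1` lines above, and the net effect of the string is to leave only the TLS 1.2 AEAD/SHA-2 members of EECDH+AES and EDH+AES, which is likely the intent. If so, `ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL` together with `; protocol versions are restricted with the NO_* options above, not via the cipher list` states it without the misleading tokens; either way the effective list should be checked with `openssl ciphers -v` on the target release.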
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 5bff410..8251841 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -47,6 +47,7 @@ server {
     error_log /var/log/nginx/roundcube.error.log info;
 
     index index.php;
+    client_max_body_size 64m;
     location = /index.php {
         include fastcgi/php;
         include fastcgi/php-ssl;
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 558f062..ebe93c8 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -33,7 +33,7 @@
     - { var: default_port, value: "143" }
     - { var: imap_auth_type, value: "'plain'" }
     - { var: imap_cache, value: "null" }
-    - { var: messages_cache, value: "FALSE" }
+    - { var: messages_cache, value: "null" }
     # SMTP
     - { var: smtp_server, value: "'localhost'" }
     - { var: smtp_port, value: "2580" }
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
index 048302a..9d535c6 100644
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ b/roles/webmail/templates/etc/postfix/main.cf.j2
@@ -91,12 +91,13 @@ smtpd_sender_restrictions =
     reject_non_fqdn_sender
     reject_unknown_sender_domain
 
+smtpd_relay_restrictions =
+    permit_mynetworks
+    reject
+
 smtpd_recipient_restrictions =
-    # RFC requirements
     reject_non_fqdn_recipient
     reject_unknown_recipient_domain
-    permit_mynetworks
-    reject
 
 smtpd_data_restrictions =
     reject_unauth_pipelining
-- 
cgit v1.2.3
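Review bot: The new `client_max_body_size 64m;` carries no comment explaining the limit, and nginx only caps the request body it forwards; the PHP handler behind `include fastcgi/php` presumably enforces its own `post_max_size`/`upload_max_filesize`, which must be at least as large for uploads of that size to succeed — confirm against the PHP pool configuration, which is not part of this change. Suggest `# request body limit (uploads); keep in sync with PHP post_max_size / upload_max_filesize` above the directive. The enclosing `server { … }` block starts and ends outside the hunk.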
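Review bot: Nothing documents that `smtpd_recipient_restrictions` now ends without an explicit decision: Postfix permits when the end of a restriction list is reached, so that list only performs address-syntax checks and the access decision has moved to the new `smtpd_relay_restrictions = permit_mynetworks, reject`, which refuses every client outside mynetworks regardless of the recipient domain. That is the Postfix >= 2.10 layout Jessie ships with and looks intended for a webmail host, but a reader coming from the Wheezy file will look for `permit_mynetworks`/`reject` at the end of the recipient list. Suggest `# Postfix >= 2.10: relay/access control lives here, not in smtpd_recipient_restrictions` above `smtpd_relay_restrictions =`, and `# address-syntax checks only; the list falls through to permit` above `smtpd_recipient_restrictions =`.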