summaryrefslogtreecommitdiffstats
path: root/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
blob: f1c2a16c5cf287cd7d0e6147afeafdc046185fc7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
; Remember also to update the logrotate configuration.
;chroot = /var/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
setuid = stunnel4
setgid = stunnel4

; PID is created inside the chroot jail
pid = /var/run/stunnel4/stunnel4.pid

; Debugging stuff (may useful for troubleshooting)
debug = 4
;output = /var/log/stunnel4/stunnel.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem
client = yes
socket = a:SO_BINDTODEVICE=lo

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Authentication stuff needs to be configured to prevent MITM attacks
verify = 4

; Disable support for insecure protocols
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

; These options provide additional security at some performance degradation
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE

ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

[imaps]
accept  = localhost:143
connect = imap.fripost.org:993
CAfile  = /etc/stunnel/certs/imap.fripost.org.pem

[ldaps]
accept  = localhost:389
connect = ldap.fripost.org:636
CAfile  = /etc/stunnel/certs/ldap.fripost.org.pem

; vim:ft=dosini