summaryrefslogtreecommitdiffstats
path: root/roles/webmail/files/etc/stunnel/ldap.conf
blob: 1a60a4f36b203ec12ddff09ced624d92ec0905f2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; setuid()/setgid() to the specified user/group in daemon mode
setuid = stunnel4
setgid = stunnel4

; PID is created inside the chroot jail
pid =
foreground = yes

; Only log messages at severity warning (4) and higher
debug = 4

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem
client = yes
socket = a:SO_BINDTODEVICE=lo

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Prevent MITM attacks
verify = 4

; Disable support for insecure protocols
;options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

options = NO_COMPRESSION

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; Select permitted SSL ciphers
ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

[ldaps]
accept  = localhost:389
connect = ldap.fripost.org:636
CAfile  = /etc/stunnel/certs/ldap.pem

; vim:ft=dosini