MAR-165: Deploy Diffie-Hellman parameters for LDAP server in the ldap_server role:
- Not relevant for Debian Stretch because of a bug in the OpenLDAP
version it ships with.
- This should allow use of DHE ciphers with LDAP server.
- Generated DH parameters only help pick one of the parameters from
RFC-7919 (based on the size of generated ones).
- Make the cipher test lists distro-specific due to differences
between supported algorithms in respective GnuTLS versions.
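# Authentication configuration.
#
# Only PLAIN and LOGIN are offered.  Both send the password in the clear, so
# they are safe solely because "ssl = required" (below) refuses any client
# connection that is not protected by TLS.  Keep the two settings in sync.
auth_mechanisms = plain login
# Dovecot's default, stated explicitly so the intent survives future edits:
# never accept plaintext authentication over an unencrypted connection.
disable_plaintext_auth = yes
# Passwords and user attributes both come from LDAP; the bind/search
# details live in the referenced file, not here.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  # Every mailbox is owned by the single system account "{{ mail_user }}".
  # Users are separated by directory (%d = domain, %n = local part of the
  # login), not by distinct Unix uids.
  default_fields = uid={{ mail_user }} gid={{ mail_user }} home=/var/{{ mail_user }}/%d/%n
}
# Mail storage configuration.
# Must agree with the "home" field in default_fields above.
mail_location = maildir:/var/{{ mail_user }}/%d/%n/Maildir
namespace inbox {
  inbox = yes
  separator = {{ imap_folder_separator }}
}
# Communication with other services.
#
# SASL socket used by Postfix; the path is inside Postfix's chroot under
# /var/spool/postfix.  Anything that can reach this socket can attempt
# password verification, so only the postfix user/group may connect.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
# TLS configuration.
#
# Certificate and key are deployed by the role under the host's FQDN.
# "<" makes Dovecot read the file contents rather than treat the path as
# the literal value.
ssl_cert = </etc/ssl/certs/{{ ansible_fqdn }}_imap.pem
ssl_key = </etc/ssl/private/{{ ansible_fqdn }}_imap.key
{% if ansible_distribution_release == "stretch" %}
# Dovecot 2.2 (stretch) generates its own DH parameters of this size.
ssl_dh_parameters_length = 2048
{% elif ansible_distribution_release == "buster" %}
# Dovecot 2.3 (buster) no longer generates DH parameters; the file has to
# be deployed by the role.
# NOTE(review): the cert/key paths above are keyed on ansible_fqdn while
# this path uses inventory_hostname -- confirm the task that writes the
# .dh.pem file uses the same variable, otherwise the two can diverge on
# hosts where inventory_hostname != ansible_fqdn.
ssl_dh = </etc/ssl/private/{{ inventory_hostname }}_imap.dh.pem
{% else %}
# Deliberately references an undefined variable so that rendering this
# template fails on a distribution release the role does not support
# (relies on Ansible's default behaviour of erroring on undefined variables).
{{ unsupported_distribution_release }}
{% endif %}
# Protocol versions and cipher list are role variables so they can be tuned
# per deployment; the allowed values depend on the OpenSSL shipped by the
# target release.
# NOTE(review): Dovecot 2.3 (buster) deprecates ssl_protocols in favour of
# ssl_min_protocol -- check the Dovecot log for a deprecation warning after
# deploying to buster and add a distro-specific branch if needed.
# NOTE(review): consider "ssl_prefer_server_ciphers = yes" so the order of
# mail_server_tls_ciphers is honoured instead of the client's preference.
ssl_protocols = {{ mail_server_tls_protocols | join(' ') }}
ssl_cipher_list = {{ mail_server_tls_ciphers }}
# Refuse client connections that do not use TLS/STARTTLS.  This is what
# makes the plaintext mechanisms in auth_mechanisms acceptable.
ssl = required
# Mail delivery.
# Sieve is enabled only for the local delivery agent, where user scripts
# are applied; postmaster_address is used for bounce/notification mail.
protocol lda {
  mail_plugins = $mail_plugins sieve
  postmaster_address = {{ mail_postmaster }}
}
# IMAP configuration.
# Per-user, per-source-IP connection cap; limits the damage a single
# misbehaving or compromised client can do to the server.
protocol imap {
  mail_max_userip_connections = {{ imap_max_user_connections_per_ip }}
}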