
branko
MAR-175: Mail server should be opportunistic in using TLS when delivering mail to remote servers:

- Previously the mail server would only deliver mails over plaintext.
- Deploy a simple SMTP server on both client1/client2
machines. Servers are set-up to require/refuse the STARTTLS over
SMTP.
- Added tests for checking if STARTTLS is used when available for mail
delivery.
- Fixed the wrong configuration (making sure the TLS security level is
properly set for Postfix).
---

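- name: Install Python apt bindings
  apt:
    name: python-apt

# On Debian Stretch the lua-ldap build with Lua 5.2 support lives in
# backports (see the lua-ldap install task further down), so backports are
# enabled and lua-ldap is pinned to them on Stretch only.
- name: Add Debian backports repository for Debian Stretch
  apt_repository:
    repo: "deb http://ftp.debian.org/debian {{ ansible_distribution_release }}-backports main"
    filename: "backports"
    state: present
    # Octal modes are quoted: a YAML 1.1 loader reads an unquoted 0644 as
    # octal (420) but a YAML 1.2 loader reads it as decimal 644. The quoted
    # string is handed to Ansible unchanged by either.
    mode: "0644"
  when: "ansible_distribution_release == 'stretch'"

- name: Pin the lua-ldap package to backports repository for Debian Stretch
  template:
    src: "lua_ldap_backports_pin.j2"
    dest: "/etc/apt/preferences.d/lua-ldap"
    owner: root
    group: root
    mode: "0644"
  when: "ansible_distribution_release == 'stretch'"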

# The repository signing key ships with the role. It is registered before
# the repository itself so that the package cache refresh triggered by
# apt_repository can already verify the repository metadata.
- name: Add Prosody repository apt key
  apt_key:
    state: present
    data: "{{ lookup('file', 'prosody-debian-packages.gpg') }}"

# Plain http is used for transport; package authenticity rests on apt's
# signature check against the key registered above, not on the transport.
- name: Add Prosody repository
  apt_repository:
    state: present
    repo: "deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main"

# 'latest' instead of 'present' on purpose: a system upgraded to Stretch
# already has a lua-ldap installed, and only 'latest' replaces it with the
# backports build that supports Lua 5.2. The ansible-lint rule 403 (package
# installs should not use latest) is therefore suppressed here.
- name: Install Lua LDAP library
  apt:
    state: latest  # noqa 403
    name: lua-ldap
  notify:
    - Restart Prosody

# The package name is a role variable so the caller decides which Prosody
# package gets installed.
- name: Install Prosody
  apt:
    state: present
    name: "{{ xmpp_prosody_package }}"
  notify:
    - Restart Prosody

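# Membership in ssl-cert is what lets the prosody user reach the key and
# DH parameters deployed below under /etc/ssl/private.
- name: Allow Prosody user to traverse the directory with TLS private keys
  user:
    name: prosody
    append: true
    groups: ssl-cert

# no_log keeps the private key out of task output and out of --diff output.
# It also hides the module's own error message on failure, so lift it
# temporarily when this task needs debugging.
- name: Deploy XMPP TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key"
    content: "{{ xmpp_tls_key }}"
    owner: root
    group: prosody
    # Octal modes are quoted: a YAML 1.1 loader reads an unquoted 0640 as
    # octal but a YAML 1.2 loader reads it as decimal 640; the quoted string
    # reaches Ansible unchanged either way.
    mode: "0640"
  no_log: true
  notify:
    - Restart Prosody

- name: Deploy XMPP TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem"
    content: "{{ xmpp_tls_certificate }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Prosody

# With the module's default (no force), an existing parameter file of the
# requested size is kept, so this is only expensive on the first run.
- name: Generate the XMPP server Diffie-Hellman parameter
  openssl_dhparam:
    owner: root
    group: prosody
    mode: "0640"
    path: "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem"
    size: 2048
  notify:
    - Restart Prosody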

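# The check_certificate config is just the path of the certificate to
# inspect; the checker script and its daily cron entry follow.
- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_xmpp.conf"
    owner: root
    group: root
    # Octal modes are quoted so that YAML 1.1 and 1.2 loaders hand Ansible
    # the same value (unquoted 0644 is octal in 1.1 but decimal in 1.2).
    mode: "0644"

- name: Deploy script for validating Prosody certificate
  copy:
    src: "check_prosody_certificate.sh"
    dest: "/usr/local/bin/check_prosody_certificate.sh"
    owner: root
    group: root
    mode: "0755"

# Files in /etc/cron.d are read by cron only when owned by root and not
# group/world writable, which the ownership and mode below satisfy.
- name: Set-up crontab task that runs the Prosody certificate checker script once a day
  copy:
    src: "cron_check_prosody_certificate"
    dest: "/etc/cron.d/check_prosody_certificate"
    owner: root
    group: root
    mode: "0644"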

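- name: Set-up directory for storing additional Prosody modules
  file:
    path: "/usr/local/lib/prosody/modules/"
    state: directory
    owner: root
    group: root
    # Octal modes are quoted so that YAML 1.1 and 1.2 loaders hand Ansible
    # the same value (unquoted 0755 is octal in 1.1 but decimal in 1.2).
    mode: "0755"

# NOTE(review): this fetches whatever 'tip' of prosody-modules is at run
# time, with no checksum, and get_url does not re-download once dest exists
# unless forced -- so hosts provisioned at different times run different,
# unverified copies of the module that Prosody then loads. Pinning the URL
# to a fixed revision and adding
#   checksum: "sha256:<digest of the pinned file>"
# would make the deployed code reproducible and verified on download.
- name: Deploy the Prosody mod_auth_ldap module
  get_url:
    url: "https://hg.prosody.im/prosody-modules/raw-file/tip/mod_auth_ldap/mod_auth_ldap.lua"
    dest: "/usr/local/lib/prosody/modules/mod_auth_ldap.lua"

# Ownership and mode are set explicitly after the download so they do not
# depend on the umask in effect when get_url created the file.
- name: Set-up file permissions for the Prosody mod_auth_ldap module
  file:
    dest: "/usr/local/lib/prosody/modules/mod_auth_ldap.lua"
    owner: root
    group: root
    mode: "0644"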

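# The rendered config is group-readable by prosody only, since it may carry
# credentials (for example LDAP bind details) from the template.
- name: Deploy Prosody configuration file
  template:
    src: "prosody.cfg.lua.j2"
    dest: "/etc/prosody/prosody.cfg.lua"
    owner: root
    group: prosody
    # Octal modes are quoted so that YAML 1.1 and 1.2 loaders hand Ansible
    # the same value (unquoted 0640 is octal in 1.1 but decimal in 1.2).
    mode: "0640"
  notify:
    - Restart Prosody

# changed_when treats an empty stderr as "runlevel links were changed".
# NOTE(review): if rcconf is silent on a no-op as well, this reports
# 'changed' on every run -- confirm against rcconf's actual output.
- name: Enable Prosody service on boot (workaround for systemctl broken handling of SysV)
  command: "rcconf -on prosody"
  register: result
  changed_when: not result.stderr

- name: Enable and start Prosody service
  service:
    name: prosody
    state: started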

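- name: Deploy firewall configuration for XMPP server
  copy:
    src: "ferm_xmpp.conf"
    dest: "/etc/ferm/conf.d/30-xmpp.conf"
    owner: root
    group: root
    # Octal modes are quoted so that YAML 1.1 and 1.2 loaders hand Ansible
    # the same value (unquoted 0640 is octal in 1.1 but decimal in 1.2).
    mode: "0640"
  notify:
    - Restart ferm

# Lets a caller force the role's handlers to run (run_handlers=true), for
# example when a play is limited to this role and the normal end-of-play
# handler flush would be skipped. 'include' of a task file is the pre-2.4
# spelling; include_tasks is its replacement on newer Ansible.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers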