diff --git a/.gitignore b/.gitignore index f1051fe9b0c6a7b834fe87c4d562d2c79ec88bf2..dd7abe41bf256b903153426dbd41d28895f1fe87 100644 --- a/.gitignore +++ b/.gitignore @@ -3,4 +3,4 @@ tmp/ docs/_build/ testsite/preseed_files/ -testsite/certs/ +testsite/tls/ diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 29ff6f1ef50cfccf4580d9d952ea3cf16a1af06c..817ac46610e2e0560d358f99851fb703890828d3 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -358,6 +358,7 @@ destination machine. The role implements the following: +* Deploys LDAP TLS private key and certificate. * Installs OpenLDAP server (package ``slapd``). * Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels). * Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with @@ -395,15 +396,13 @@ Parameters description and syntax. **tls_certificate** (string, mandatory) - Path to *X.509* certificate (on server itself) that should be used as server - certificate for TLS connections. The certificate file should be provided in - ``PEM`` format. If file does not exist, no TLS will be set-up. + Path to file on Ansible host that contains the X.509 certificate used for + TLS for LDAP service. The file will be copied to directory + ``/etc/ssl/certs/``. **tls_key** (string, mandatory) - Path to private key (on server itself) that should be used as server's - private key for TLS connections. The private key should correspond to - certificate listed in option ``tls_certificate``. The key file should be - provided in ``PEM`` format. If file does not exist, no TLS will be set-up. + Path to file on Ansible host that contains the private key used for TLS for + LDAP service. The file will be copied to directory ``/etc/ssl/private/``. **ssf** (number, mandatory) Minimum *Security Strength Factor* to require from all incoming 
@@ -449,8 +448,8 @@ Here is an example configuration for setting-up LDAP server: domain: "example.com" organization: "Example Corporation" log_level: 256 - tls_certificate: /etc/ssl/certs/ldap.example.com.pem - tls_key: /etc/ssl/private/ldap.example.com.pem + tls_certificate: ~/tls/ldap.example.com_ldap.pem + tls_key: ~/tls/ldap.example.com_ldap.key ssf: 128 ldap_permissions: @@ -502,6 +501,7 @@ destination machine. The role implements the following: * Sets-up the Prosody apt repository. +* Deploys XMPP TLS private key and certificate. * Installs Prosody. * Configures Prosody. @@ -530,15 +530,12 @@ Parameters (i.e. ``john.doe@example.com``). **prosody_tls_key** (string, mandatory) - Path to private key (on server itself) that should be used as server's private - key for TLS connections. The private key should correspond to certificate - listed in option ``prosody_tls_certificate``. The key file should be provided - in ``PEM`` format. + Path to file on Ansible host that contains the private key used for TLS for + XMPP service. The file will be copied to directory ``/etc/ssl/private/``. **prosody_tls_certificate** (string, mandatory) - Path to *X.509* certificate (on server itself) that should be used as server - certificate for TLS connections. The certificate file should be provided in - ``PEM`` format. + Path to file on Ansible host that contains the X.509 certificate used for TLS + for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``. **prosody_domains** (list, mandatory) List of domains that are served by this Prosody instance. Each item is a @@ -615,6 +612,7 @@ The role implements the following: * Installs rsync. * Adds the Wheezy backports repository. +* Deploys IMAP/SMTP TLS private keys and certificates. * Installs and configures Dovecot (from backports), Postfix, ClamAV, and ClamAV Milter. * Purges Exim4 configuration (just in case). 
@@ -681,19 +679,22 @@ Parameters GID of the user that owns all the mail files. **imap_tls_certificate** (string, mandatory) - Path to file that contains the X.509 certificate used for TLS for IMAP and - ManageSieve services. + Path to file on Ansible host that contains the X.509 certificate used for TLS + for IMAP and ManageSieve services. The file will be copied to directory + ``/etc/ssl/certs/``. **imap_tls_key** (string, mandatory) - Path to file that contains the private key used for TLS for IMAP and - ManageSieve services. + Path to file on Ansible host that contains the private key used for TLS for + IMAP and ManageSieve services. The file will be copied to directory + ``/etc/ssl/private/``. **smtp_tls_certificate** (string, mandatory) - Path to file that contains the X.509 certificate used for TLS for SMTP - service. + Path to file on Ansible host that contains the X.509 certificate used for TLS + for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``. **smtp_tls_key** (string, mandatory) - Path to file that contains the private key used for TLS for SMTP service. + Path to file on Ansible host that contains the private key used for TLS for + SMTP service. The file will be copied to directory ``/etc/ssl/private/``. **imap_folder_separator** (string, mandatory) Character used for separating the IMAP folders when clients are requesting 
@@ -732,10 +733,10 @@ Here is an example configuration for setting-up XMPP server using Prosody: mail_user_uid: 5000 mail_user_gid: 5000 - imap_tls_certificate: /etc/ssl/certs/mail.example.com_imap.pem - imap_tls_key: /etc/ssl/private/mail.example.com_imap.pem - smtp_tls_certificate: /etc/ssl/certs/mail.example.com_smtp.pem - smtp_tls_key: /etc/ssl/private/mail.example.com_smtp.pem + imap_tls_certificate: ~/tls/mail.example.com_imap.pem + imap_tls_key: ~/tls/mail.example.com_imap.key + smtp_tls_certificate: ~/tls/mail.example.com_smtp.pem + smtp_tls_key: ~/tls/mail.example.com_smtp.key imap_folder_separator: / smtp_rbl: - bl.spamcop.net diff --git a/docs/testsite.rst b/docs/testsite.rst index 0f3d142119cd033b81f1b4e2e12167925c2846aa..0aaafa6f1b8004717d32624a817af498043d9c60 100644 --- a/docs/testsite.rst +++ b/docs/testsite.rst 
@@ -38,22 +38,46 @@ site.yml In order to deploy the test site, the following steps would normally be taken: -1. Generate the preseed files: +1. Create TLS private keys (relative to top level directory): + + - ``testsite/tls/mail.example.com_imap.key`` + - ``testsite/tls/mail.example.com_smtp.key`` + - ``testsite/tls/xmpp.example.com_xmpp.key`` + - ``testsite/tls/ldap.example.com_ldap.key`` + +2. Issue TLS certificates corresponding to the generated TLS private keys (make + sure to use correct FQDN for DNS subject alternative name): + + - ``testsite/tls/mail.example.com_imap.pem`` (subject alternative name should + be ``mail.example.com``) + - ``testsite/tls/mail.example.com_smtp.pem`` (subject alternative name should + be ``mail.example.com``) + - ``testsite/tls/xmpp.example.com_xmpp.pem`` (subject alternative name should + be ``xmpp.example.com``) + - ``testsite/tls/ldap.example.com_ldap.pem`` (subject alternative name should + be ``ldap.example.com``) + +3. Create ``PEM`` truststore file which contains all CA certificates that form + CA chain for the issued end entity certificates from previous step at + location ``testsite/tls/example_ca_chain.crt``. It is very important to + include the CA chain used for LDAP server. + +4. Generate the preseed files: .. code-block:: shell ansible-playbook playbooks/preseed.yml -2. Install all servers using the generated preseed files. +5. Install all servers using the generated preseed files. -3. Invoke the ``bootstrap.yml`` playbook for every server, one by one. For +6. Invoke the ``bootstrap.yml`` playbook for every server, one by one. For example: .. code-block:: shell ansible-playbook -k -e server=ldap.example.com playbooks/bootstrap.yml -4. Finally, apply configuration on all servers: +7. Finally, apply configuration on all servers: .. code-block:: shell 
@@ -68,45 +92,6 @@ The playbooks and configurations for test site make a couple of assumptions: ``admin``. The SSH key stored in it will be read from location ``~/.ssh/id_rsa`` (i.e. from home directory of user running the Ansible commands). -* The TLS truststore can be found in location ``certs/example_ca_chain.crt`` - relative to the ``testsite`` sub-directory. - -Additionally, some manual steps may be required to have a fully functioning -system: - -* On ``ldap.example.com``, you should manually install the TLS private key and - certificate ing locations ``/etc/ssl/private/ldap.example.com.pem`` - (*root:ldap, 640*) and ``/etc/ssl/certs/ldap.example.com.pem`` (*root:root, - 644*), respectively. After that, re-run the ``site.yml`` playbook in order to - re-configure OpenLDAP server to use it. - -* On ``xmpp.example.com``: - - * Create TLS private key for XMPP in location - ``/etc/ssl/private/xmpp.example.com.pem`` (*root:prosody, 640*). - * Create TLS certificate for XMPP in location - ``/etc/ssl/certs/xmpp.example.com.pem`` (*root:root, 644*). - * After all files are in place, re-run the ``site.yml`` playbook in order to - restart necessary services etc. - -* On ``mail.example.com``, you should manually install the TLS private key and - certificate in locations ``/etc/ssl/private/mail.example.com.pem`` - (*root:ldap, 640*) and ``/etc/ssl/certs/mail.example.com.pem`` (*root:root, - 644*), respectively. After that, restart the servics ``dovecot`` and - ``postfix``. - -* On ``mail.example.com``: - - * Create TLS private key for SMTP in location - ``/etc/ssl/private/mail.example.com_smtp.pem`` (*root:openldap, 640*). - * Create TLS certificate for SMTP in location - ``/etc/ssl/certs/mail.example.com_smtp.pem`` (*root:root, 644*). - * Create TLS private key for IMAP in location - ``/etc/ssl/private/mail.example.com_imap.pem`` (*root:openldap, 640*). - * Create TLS certificate for IMAP in location - ``/etc/ssl/certs/mail.example.com_imap.pem`` (*root:root, 644*). 
- * After all files are in place, re-run the ``site.yml`` playbook in order to - restart necessary services etc. For more details on how the playbooks and configuration have been implemented, feel free to browse the test site files (in directory ``testsite``). diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index fb9bc2b94be7da8badcfe7bb25bec06f8032ff6e..28defc0b871232f068d2907e25e3028f2d257119 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -1,5 +1,13 @@ --- +- name: Deploy LDAP TLS private key + copy: dest="/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}" src="{{ ldap_server_config.tls_key }}" + mode=640 owner=root group=openldap + +- name: Deploy LDAP TLS certificate + copy: dest="/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}" src="{{ ldap_server_config.tls_certificate }}" + mode=644 owner=root group=root + - name: Set domain for slapd debconf: name=slapd question=slapd/domain vtype=string value="{{ ldap_server_config.domain }}" @@ -26,17 +34,8 @@ - name: Change log level for slapd ldap_entry: dn=cn=config state=replaceattributes olcLogLevel="{{ ldap_server_config.log_level }}" -- name: Check if TLS private key is available - stat: path="{{ ldap_server_config.tls_key }}" - register: tls_key - -- name: Check if TLS certificate is available - stat: path="{{ ldap_server_config.tls_key }}" - register: tls_certificate - - name: Configure TLS for slapd - ldap_entry: dn=cn=config state=replaceattributes olcTLSCertificateFile="{{ ldap_server_config.tls_certificate }}" olcTLSCertificateKeyFile="{{ ldap_server_config.tls_key }}" - when: tls_key.stat.exists and tls_certificate.stat.exists + ldap_entry: dn=cn=config state=replaceattributes olcTLSCertificateFile="/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}" notify: - Restart slapd 
diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml index 2a4b460ee6b05815c74dec270175adb131d0b58c..3ead0aace852d402d436900ecd8a87ddd638f825 100644 --- a/roles/mail_server/tasks/main.yml +++ b/roles/mail_server/tasks/main.yml @@ -6,6 +6,26 @@ - name: Add backports repository apt_repository: repo="deb http://http.debian.net/debian wheezy-backports main" state=present +- name: Deploy SMTP TLS private key + copy: dest="/etc/ssl/private/{{ smtp_tls_key | basename }}" src="{{ smtp_tls_key }}" + mode=640 owner=root group=root + +- name: Deploy SMTP TLS certificate + copy: dest="/etc/ssl/certs/{{ smtp_tls_certificate | basename }}" src="{{ smtp_tls_certificate }}" + mode=644 owner=root group=root + +- name: Deploy IMAP TLS private key + copy: dest="/etc/ssl/private/{{ imap_tls_key | basename }}" src="{{ imap_tls_key }}" + mode=640 owner=root group=root + notify: + - Restart Postfix + +- name: Deploy IMAP TLS certificate + copy: dest="/etc/ssl/certs/{{ imap_tls_certificate | basename }}" src="{{ imap_tls_certificate }}" + mode=644 owner=root group=root + notify: + - Restart Dovecot + - name: Install Dovecot packages apt: name="{{ item }}" state=installed default_release="wheezy-backports" with_items: diff --git a/roles/mail_server/templates/99-local.conf.j2 b/roles/mail_server/templates/99-local.conf.j2 index 24a87460b40049b5eea0bb1ecd041c3282c90309..f52834b4a3371f2ef83a175107298061f0245b53 100644 --- a/roles/mail_server/templates/99-local.conf.j2 +++ b/roles/mail_server/templates/99-local.conf.j2 @@ -29,8 +29,8 @@ service auth { } # TLS configuration. -ssl_cert = <{{ imap_tls_certificate }} -ssl_key = <{{ imap_tls_key }} +ssl_cert =
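Review bot: the rewritten **tls_certificate** / **tls_key** text in the `@@ -395,15 +396,13 @@` hunk of docs/rolereference.rst drops the earlier statement that the files must be in PEM format and says nothing about the ownership and mode the copied files end up with, even though the new copy tasks in roles/ldap_server/tasks/main.yml fix those (root:openldap 640 for the key, root:root 644 for the certificate). State both here so operators know which encoding to supply and do not have to read the role tasks to learn who can read the private key; the same applies to the mail and Prosody parameter descriptions rewritten further down in this patch.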
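Review bot: copy-paste error in the `@@ -530,15 +530,12 @@` hunk: the new **prosody_tls_certificate** paragraph says the certificate is "used for TLS for SMTP service", but this is the Prosody (XMPP) role, so it should read "for XMPP service", matching the **prosody_tls_key** paragraph directly above it.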
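Review bot: the context line at the top of the `@@ -732,10 +733,10 @@` hunk reads "Here is an example configuration for setting-up XMPP server using Prosody:", yet the example below it is the mail-server configuration (`imap_tls_certificate`, `smtp_tls_key`, `smtp_rbl`). The mislabel predates this patch, but since the hunk already rewrites that example, fix the heading here to say mail server.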
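Review bot: step 3 of the `@@ -38,22 +38,46 @@` hunk in docs/testsite.rst says it is "very important to include the CA chain used for LDAP server" without saying why, so a reader cannot tell what breaks if it is omitted; one clause naming what consumes `testsite/tls/example_ca_chain.crt` (the hosts that validate the LDAP server certificate) would make the step actionable. Also worth one sentence in step 1: the .gitignore hunk at the top of this patch ignores `testsite/tls/`, so the generated keys and certificates stay out of the repository by design, and the reader should not expect to find them there.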
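Review bot: in the `@@ -1,5 +1,13 @@` hunk of roles/ldap_server/tasks/main.yml the two new Deploy tasks carry no `notify`, while the rewritten `Configure TLS for slapd` task now sets fixed `/etc/ssl/...` paths derived from the basename. Once those cn=config attributes are in place they never change again, so a renewed key or certificate will be copied to disk but slapd keeps the old one loaded until something else restarts it. Add `notify: - Restart slapd` to both Deploy tasks (the handler already exists, as the Configure TLS task shows). Style point on the same tasks: `mode=640` only works because the key=value form hands the file module an octal string; if these lines are ever converted to YAML dict syntax, an unquoted `mode: 640` becomes decimal 640 and silently yields wrong permission bits, so writing `mode=0640` / `mode=0644` now is cheap insurance.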
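Review bot: the handler wiring in the `@@ -6,6 +6,26 @@` hunk of roles/mail_server/tasks/main.yml is crossed: `Deploy IMAP TLS private key` notifies `Restart Postfix`, `Deploy IMAP TLS certificate` notifies `Restart Dovecot`, and the two SMTP tasks notify nothing. Postfix serves SMTP and Dovecot serves IMAP, so both SMTP tasks should notify `Restart Postfix` and both IMAP tasks should notify `Restart Dovecot`; as written, a rotated SMTP certificate is never picked up by Postfix and an IMAP key change bounces the wrong daemon.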