majic-ansible-roles Changeset

Changeset - 004a2ec1b5a9

Parent rev.

Child rev.

[Not reviewed]

0 7 0

Branko Majic (branko) - 10 months ago 2025-01-20 00:12:05
branko@majic.rs

MAR-230: Add support for TLSv1.3 to the mail_server role:

- Tests/support for older versions have already been dropped
previously.
- Document the specifics of TLSv1.3 cipher configuration.
- Update tests. The DH param test is now applicable only for the
mandatory parameter test servers.

7 files changed with 52 insertions and 32 deletions:

docs/releasenotes.rst

docs/rolereference.rst

roles/mail_server/defaults/main.yml

roles/mail_server/molecule/default/group_vars/parameters-optional.yml

roles/mail_server/molecule/default/tests/test_default.py

roles/mail_server/molecule/default/tests/test_mandatory.py

roles/mail_server/molecule/default/tests/test_optional.py

0 comments (0 inline, 0 general)

docs/releasenotes.rst

➞

Show inline comments

 Release notes
 =============
 x.y.z
 -----
 Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 (Bullseye). Minor fixes and improvements.
 **Breaking changes:**
 * All roles
   * Upgraded to Ansible 10.4.x.
   * Dropped support for Debian 11 (Bullseye).
   * ``passlib`` Python package is now (explicitly) required for using
     the roles.
 * ``ldap_server`` role
   * The role no longer officially supports older versions of TLS
     (TLSv1.1 and lower).
 * ``mail_server`` role
   * The role no longer officially supports older versions of TLS
     (TLSv1.1 and lower).
 * ``web_server`` role
   * The role no longer officially supports older versions of TLS
     (TLSv1.1 and lower).
 **New features/improvements**
 * ``backup_client`` role
   * Switched to using Paramiko + SFTP backend (instead of pexpect +
     SFTP), which should improve the backup performance.
 * ``ldap_server`` role
   * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
     alongside the mandatory ciphers.
 * ``mail_server`` role
   * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
     alongside the mandatory ciphers.
 * ``web_server`` role
   * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
     alongside the mandatory ciphers.
 **Bug fixes:**
 * ``common`` role
   * Fixed permission errors with Python cache directories in the pip
     requirements upgrade checks virtual environment that can happen if
     the initial virtual environment set-up fails.
 .0.0
 -----
 Dropped support for Python 2.7 and Debian 10 Buster. Added support for
 Debian 12 Bookworm. Numerous minor improvements and fixes.
 **Breaking changes:**
 * All roles

docs/rolereference.rst

➞

Show inline comments

@@ @@ -1148,61 +1148,69 @@ Parameters @@
   LDAP URL that should be used for connecting to the LDAP server for doing
   domain/user look-ups.
 **mail_ldap_tls_truststore** (string, mandatory)
   X.509 certificate chain used for issuing certificate for the LDAP service. The
   file will be stored in locations ``/etc/ssl/certs/mail_ldap_tls_truststore.pem``
   and ``/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem``.
 **mail_ldap_postfix_password** (string, mandatory)
   Password for authenticating the Postfix LDAP user.
 **mail_ldap_dovecot_password** (string, mandatory)
   Password for authenticating the Dovecot LDAP user.
 **mail_message_size_limit** (integer, optional, ``10240000``)
   Maximum size of message in bytes that the SMTP server should accept
   for incoming mails. If the mail message size exceeds the listed
   value, it will be rejected by the server. The size is also
   advertised as part of SMTP server capabilities (in response to the
   ``ehlo`` SMTP command).
 **mail_server_minimum_tls_protocol** (string, optional, ``"TLSv1.2"``)
   Minimum version of TLS protocol to allow when connecting to SMTP
   submission port or IMAP. Value should be compatible with Dovecot's
   ``ssl_protocols`` configuration option.
   ``ssl_protocols`` and ``smtpd_tls_mandatory_protocols``
   configuration options. Older versions of TLS protocol (TLSv1.1 and
   lower) are not fully supported by the role, and additional
   configuration is required on the server to weaken the OpenSSL
   security policies.
 **mail_server_smtp_additional_configuration** (string, optional, ``""``))
   Additional configuration directives to include in SMTP server main
   configuration file. Directives must be specifically compatible with
   Postfix, and are treated verbatim (multi-line string will suffice).
 **mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)
   TLS ciphers to enable on the mail server (for IMAP and SMTP submission). This
   should be an OpenSSL-compatible cipher specification. Value should be
   compatible with Postfix configuration option ``tls_high_cipherlist`` and
   Dovecot configuration option ``ssl_cipher_list``. Default value allows only
   TLSv1.2 and strong PFS ciphers.
 **mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!aNULL:!MD5:!EXPORT``)
   TLS ciphers to enable on the mail server (for IMAP and SMTP
   submission). This should be an OpenSSL-compatible cipher
   specification. Value should be compatible with Postfix configuration
   option ``tls_high_cipherlist`` and Dovecot configuration option
   ``ssl_cipher_list``. Default value allows TLSv1.2 with strong PFS
   ciphers and RSA private keys. Ciphers listed for use with TLSv1.3
   (``TLS_*`` ones) are mandated by relevant standards, and cannot be
   disabled if TLSv1.3 is enabled. The TLSv1.3 ciphers are included in
   this list for completeness' sake.
 **mail_user** (string, optional, ``vmail``)
   Name of the user that owns all the mail files.
 **mail_user_uid** (integer, optional, ``whatever OS picks``)
   UID of the user that owns all the mail files.
 **mail_user_gid** (integer, optional, ``whatever OS picks``)
   GID of the user that owns all the mail files.
 **imap_max_user_connections_per_ip** (integer, optional, ``10``)
   Maximum number of IMAP connections from a single IP for a single user. Default
   value can be considered rather low, since two devices (computer and phone)
   will easily reach it.
 **imap_tls_certificate** (string, mandatory)
   X.509 certificate used for TLS for IMAP service. The file will be stored in
   directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_imap.pem``.
 **imap_tls_key** (string, mandatory)
   Private key used for TLS for IMAP service. The file will be stored in
   directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_imap.key``.
 **local_mail_aliases** (dictionary, optional, ``{}``)

roles/mail_server/defaults/main.yml

➞

Show inline comments

 ---
 enable_backup: false
 mail_user: vmail
 imap_folder_separator: "/"
 smtp_rbl: []
 mail_postmaster: "postmaster@{{ ansible_domain }}"
 smtp_allow_relay_from: []
 local_mail_aliases: {}
 imap_max_user_connections_per_ip: 10
 mail_server_minimum_tls_protocol: "TLSv1.2"
 # TLS_* ciphers are mandated by the TLSv1.3-related standards and
 # cannot be disabled when TLSv1.3 is enabled on the server.
 mail_server_tls_ciphers: "\
 DHE-RSA-AES128-GCM-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:\
 DHE-RSA-CHACHA20-POLY1305:\
 ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-CHACHA20-POLY1305:\
 TLS_AES_128_GCM_SHA256:\
 TLS_AES_256_GCM_SHA384:\
 TLS_CHACHA20_POLY1305_SHA256:\
 !aNULL:!MD5:!EXPORT"
 mail_message_size_limit: 10240000
 mail_server_smtp_additional_configuration: ""

roles/mail_server/molecule/default/group_vars/parameters-optional.yml

➞

Show inline comments

 ---
 mail_ldap_base_dn: dc=local
 mail_ldap_url: ldap://ldap-server/
 mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca/chain-full.cert.pem') }}"
 mail_ldap_postfix_password: postfixpassword
 mail_ldap_dovecot_password: dovecotpassword
 mail_server_minimum_tls_protocol: TLSv1.1
 mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"
 mail_server_minimum_tls_protocol: TLSv1.3
 mail_server_tls_ciphers: "\
 ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-CHACHA20-POLY1305:\
 TLS_AES_128_GCM_SHA256:\
 TLS_AES_256_GCM_SHA384:\
 TLS_CHACHA20_POLY1305_SHA256:\
 !aNULL:!MD5:!EXPORT"
 mail_user: virtmail
 mail_user_uid: 5000
 mail_user_gid: 5000
 imap_max_user_connections_per_ip: 2
 imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.cert.pem') }}"
 imap_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.key.pem') }}"
 local_mail_aliases:
   root: "john.doe@domain1"
 smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.cert.pem') }}"
 smtp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.key.pem') }}"
 imap_folder_separator: "."
 smtp_rbl:
   - bl.spamcop.net
   - zen.spamhaus.org
 mail_postmaster: "webmaster@parameters-optional"
 smtp_allow_relay_from:
   - "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"
 mail_message_size_limit: 20480001
 mail_server_smtp_additional_configuration: |
   mail_name = MySMTP
   smtp_skip_5xx_greeting = no
 # Variables dependant on distribution release.

roles/mail_server/molecule/default/tests/test_default.py

➞

Show inline comments

@@ @@ -421,59 +421,48 @@ def test_smtp_server_uses_correct_dh_parameters(host): @@
     assert used_dhparam == expected_dhparam
 def test_imap_server_dh_parameter_file(host):
     """
     Tests if the Diffie-Hellman parameter file has been generated
     correctly.
     """
     hostname = host.run('hostname').stdout.strip()
     dhparam_file_path = '/etc/ssl/private/%s_imap.dh.pem' % hostname
     with host.sudo():
         dhparam_file = host.file(dhparam_file_path)
         assert dhparam_file.is_file
         assert dhparam_file.user == 'root'
         assert dhparam_file.group == 'root'
         assert dhparam_file.mode == 0o640
         dhparam_info = host.run("openssl dhparam -noout -text -in %s", dhparam_file_path)
         assert "DH Parameters: (2048 bit)" in dhparam_info.stdout
 def test_imap_server_uses_correct_dh_parameters(host):
     """
     Tests if the IMAP server uses correct Diffie-Hellman parameters.
     """
     connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=imap --port 143 "
                           "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")
     assert " - Using prime: 2048 bits" in connection.stdout
 def test_imap_and_smtp_tls_files(host):
     """
     Tests if IMAP and SMTP TLS private keys and certificates have been
     deployed correctly.
     """
     hostname = host.run('hostname').stdout.strip()
     with host.sudo():
         tls_file = host.file('/etc/ssl/private/%s_smtp.key' % hostname)
         assert tls_file.is_file
         assert tls_file.user == 'root'
         assert tls_file.group == 'root'
         assert tls_file.mode == 0o640
         assert tls_file.content_string == open("tests/data/x509/server/%s_smtp.key.pem" % hostname, "r").read().rstrip()
         tls_file = host.file('/etc/ssl/certs/%s_smtp.pem' % hostname)
         assert tls_file.is_file
         assert tls_file.user == 'root'
         assert tls_file.group == 'root'
         assert tls_file.mode == 0o644
         assert tls_file.content_string == open("tests/data/x509/server/%s_smtp.cert.pem" % hostname, "r").read().rstrip()

roles/mail_server/molecule/default/tests/test_mandatory.py

➞

Show inline comments

     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port))
     assert nmap.rc == 0
     report_content = host.file('/tmp/report.xml').content_string
     report_root = ElementTree.fromstring(report_content)
     tls_versions = []
     tls_ciphers = set()
     for child in report_root.findall("./host/ports/port/script/table"):
         tls_versions.append(child.attrib['key'])
     for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
         tls_ciphers.add(child.text)
     tls_versions.sort()
     tls_ciphers = sorted(list(tls_ciphers))
     assert tls_versions == expected_tls_versions
     assert tls_ciphers == expected_tls_ciphers
 def test_imap_server_uses_correct_dh_parameters(host):
     """
     Tests if the IMAP server uses correct Diffie-Hellman parameters.
     """
     connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=imap --port 143 "
                           "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")
     assert " - Using prime: 2048 bits" in connection.stdout
 def test_dovecot_postmaster(host):
     """
     Tests if Dovecot postmaster has been correctly configured.
     """
     with host.sudo():
         config = host.run("doveadm config")
         assert config.rc == 0
         assert "  postmaster_address = postmaster@" in config.stdout
 def test_imap_max_user_connections_per_ip(host):
     """
     Tests if Dovecot per-user connection limit has been set-up correctly.
     """
     with host.sudo():
         config = host.run("doveadm config")
         assert config.rc == 0
         assert "  mail_max_userip_connections = 10" in config.stdout

roles/mail_server/molecule/default/tests/test_optional.py

➞

Show inline comments

@@ @@ -104,62 +104,53 @@ def test_mail_owner(host): @@
     group = host.group("virtmail")
     assert group.exists
     assert group.gid == 5000
     user = host.user("virtmail")
     assert user.exists
     assert user.uid == 5000
     assert user.home == "/var/virtmail"
     assert user.group == "virtmail"
     assert user.groups == ["virtmail"]
 @pytest.mark.parametrize("port", [
 ,
 ,
 ,
 ])
 def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
     """
     Tests if the correct TLS version and ciphers have been enabled for
     IMAP and SMTP submission.
     """
-    expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
     expected_tls_versions = ["TLSv1.3"]
     expected_tls_ciphers = [
         "TLS_AKE_WITH_AES_128_GCM_SHA256",
         "TLS_AKE_WITH_AES_256_GCM_SHA384",
         "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port))
     assert nmap.rc == 0
     report_content = host.file('/tmp/report.xml').content_string
     report_root = ElementTree.fromstring(report_content)
     tls_versions = []
     tls_ciphers = set()
     for child in report_root.findall("./host/ports/port/script/table"):
         tls_versions.append(child.attrib['key'])
     for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
         tls_ciphers.add(child.text)
     tls_versions.sort()
     tls_ciphers = sorted(list(tls_ciphers))
     assert tls_versions == expected_tls_versions
     assert tls_ciphers == expected_tls_ciphers

0 comments (0 inline, 0 general)