Changeset - 1a2f50dfce57
[Not reviewed]
0 2 0
Branko Majic (branko) - 8 years ago 2016-01-24 16:16:42
branko@majic.rs
MAR-49: Reworded role reference info about TLS hardening a bit. Implemented TLS hardening for the mail server role (Dovecot only, Postfix would require some additional work for service separation).
2 files changed with 7 insertions and 6 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -449,8 +449,7 @@ destination machine.
 
The role implements the following:
 

	
 
* Deploys LDAP TLS private key and certificate.
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:**
 
  older clients may have problems connecting.
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers.
 
* Installs OpenLDAP server (package ``slapd``).
 
* Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels).
 
* Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with
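Review bot: the line that survives this hunk is the bullet without the **Note:**, so the operator-facing caveat that a TLSv1.2-only, PFS-only configuration will reject older LDAP clients is dropped from the role reference rather than reworded as the commit message suggests. If the aim is to stop repeating the caveat in every role, keep one shared compatibility note and link to it from this bullet; otherwise keep the two-line form `* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:** older clients may have problems connecting.` so readers learn about the compatibility trade-off before deploying.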
 
@@ -655,8 +654,6 @@ The role implements the following:
 
* Deploys XMPP TLS private key and certificate.
 
* Installs Prosody.
 
* Configures Prosody.
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:**
 
  older clients may have problems connecting.
 
* Configures firewall to allow incoming connections to the XMPP server.
 

	
 
Prosody is configured as follows:
 
@@ -665,6 +662,7 @@ Prosody is configured as follows:
 
  version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.
 
* Self-registration is not allowed.
 
* TLS is configured. Legacy TLS is available on port 5223.
 
* TLS configuration is hardened, allowing only TLSv1.2 and PFS ciphers.
 
* Client-to-server communication requires encryption (TLS).
 
* Authentication is done via LDAP. For setting the LDAP TLS truststore, see
 
  :ref:`LDAP Client <ldap_client>`.
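Review bot: the new hardened-TLS bullet sits directly under `* TLS is configured. Legacy TLS is available on port 5223.`, which leaves it unclear whether the TLSv1.2 and PFS-cipher restriction also applies to the legacy port 5223 listener or only to STARTTLS on the standard port. State explicitly which listeners the hardening covers, since a reader can otherwise assume either that the legacy port is exempt or that it is covered.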
 
@@ -788,6 +786,8 @@ Deployed services are configured as follows:
 
* Mail is stored in directory ``/var/MAIL_USER/DOMAIN/USER``, using ``Maildir``
 
  format.
 
* TLS is required for user log-ins for both SMTP and IMAP.
 
* TLS configuration is hardened for Dovecot, allowing only TLSv1.2 and PFS
 
  ciphers.
 
* RBL's are used for combating spam (if any is specified in configuration, see
 
  below).
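Review bot: the bullet above states that TLS is required for log-ins on both SMTP and IMAP, while the new bullet scopes the hardening to Dovecot only; the commit message explains that Postfix is left out because it would need service separation, but the role reference does not say so. Add a sentence after the Dovecot bullet noting that Postfix (SMTP) still runs with its default protocol and cipher settings, so operators do not read the two bullets together as meaning both services are hardened.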
 

	
 
@@ -1014,8 +1014,7 @@ The role implements the following:
 
* Installs and configures nginx with a single, default vhost with a small static
 
  index page.
 
* Deploys the HTTPS TLS private key and certificate (for default vhost).
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:**
 
  older web browsers may have problems connecting.
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers.
 
* Configures firewall to allow incoming connections to the web server.
 
* Installs and configures virtualenv and virtualenvwrapper as a common base for
 
  Python apps.
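Review bot: as in the LDAP role, the caveat about older web browsers is removed here rather than reworded. For the web server this is the caveat most likely to matter in practice, because the client population (browsers) is not under the operator's control in the way LDAP or XMPP clients usually are; if compatibility notes are being consolidated into a single place, link to it from this bullet rather than dropping the warning.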
roles/mail_server/templates/99-local.conf.j2
 
@@ -31,6 +31,8 @@ service auth {
 
# TLS configuration.
 
ssl_cert = </etc/ssl/certs/{{ imap_tls_certificate | basename }}
 
ssl_key = </etc/ssl/private/{{ imap_tls_key | basename }}
 
ssl_protocols = TLSv1.2
 
ssl_cipher_list = DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT
 
ssl = required
 

	
 
# Mail delivery.
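Review bot: the cipher list enables DHE suites, but nothing in this hunk sets the DH parameter size, and Dovecot 2.2's default for `ssl_dh_parameters_length` is 1024 bits, which undercuts the forward-secrecy goal of the change. Add `ssl_dh_parameters_length = 2048` next to `ssl_protocols = TLSv1.2`, and consider `ssl_prefer_server_ciphers = yes` so the server's ordering rather than the client's decides between the GCM and CBC suites in the list, unless both are already set elsewhere in the template. Also confirm the single-value `ssl_protocols = TLSv1.2` form against the Dovecot version the role deploys: the setting is usually documented in the `!SSLv2 !SSLv3` exclusion form and is replaced by a different setting in later releases.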