Changeset - 2e340af74a96
Parent rev.
Child rev.
[Not reviewed]
0 2 0
Branko Majic (branko) - 4 years ago 2020-05-19 19:58:36
branko@majic.rs
MAR-153: Updated role reference documentation and release notes:

- Marks the change as breaking because it could mean older
client/servers cannot interoperate with the Majic Ansible Roles TLS
services any longer.
2 files changed with 32 insertions and 0 deletions:
docs/releasenotes.rst
24
docs/rolereference.rst
8
0 comments (0 inline, 0 general)
docs/releasenotes.rst
Show inline comments
 
@@ -17,12 +17,36 @@ Breaking changes:
 
  WSGI applications running on Python 2.7 remains.
 

			




	
	
	
		
 
* All roles

			




	
	
	
		
 

			




	
	
	
		
 
  * Support for Debian 8 Jessie has been dropped.

			




	
	
	
		
 

			




	
	
	
		
 
* ``mail_forwarder`` role

			




	
	
	
		
 

			




	
	
	
		
 
  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

			




	
	
	
		
 
    ciphers. This could introduce incompatibility with older

			




	
	
	
		
 
    clients/servers trying to connect to the SMTP server.

			




	
	
	
		
 

			




	
	
	
		
 
* ``mail_server`` role

			




	
	
	
		
 

			




	
	
	
		
 
  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

			




	
	
	
		
 
    ciphers. This could introduce incompatibility with older

			




	
	
	
		
 
    clients/servers trying to connect to the SMTP/IMAP server.

			




	
	
	
		
 

			




	
	
	
		
 
* ``web_server`` role

			




	
	
	
		
 

			




	
	
	
		
 
  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

			




	
	
	
		
 
    ciphers. This could introduce incompatibility with older clients

			




	
	
	
		
 
    trying to connect to the web server.

			




	
	
	
		
 

			




	
	
	
		
 
* ``xmpp_server`` role

			




	
	
	
		
 

			




	
	
	
		
 
  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

			




	
	
	
		
 
    ciphers. This could introduce incompatibility with older

			




	
	
	
		
 
    clients/servers trying to connect to the XMPP server.

			




	
	
	
		
 

			




	
	
	
		
 
Bug fixes:

			




	
	
	
		
 

			




	
	
	
		
 
* ``common`` role

			




	
	
	
		
 

			




	
	
	
		
 
  * Run apticron at least once during initial installation to avoid

			




	
	
	
		
 
    accidental locking later on during the same playbook run.

			




        

    


    
    

    

        

                

                    docs/rolereference.rst
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -848,12 +848,14 @@ Prosody is configured as follows:

			




	
	
	
		
 

			




	
	
	
		
 
* Modules enabled: roster, saslauth, tls, dialback, posix, private, vcard,

			




	
	
	
		
 
  version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.

			




	
	
	
		
 
* Self-registration is not allowed.

			




	
	
	
		
 
* TLS is configured. Legacy TLS is available on port 5223.

			




	
	
	
		
 
* Client-to-server communication requires encryption (TLS).

			




	
	
	
		
 
* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for

			




	
	
	
		
 
  incoming connections.

			




	
	
	
		
 
* Authentication is done via LDAP. For setting the LDAP TLS truststore, see

			




	
	
	
		
 
  :ref:`LDAP Client <ldap_client>`.

			




	
	
	
		
 
* Internal storage is used.

			




	
	
	
		
 
* For each domain specified, a dedicated conference/multi-user chat (MUC)

			




	
	
	
		
 
  service is set-up, with FQDN set to ``conference.DOMAIN``.

			




	
	
	
		
 
* For each domain specified, a dedicated file proxy service will be set-up, with

			




	
	
		
 
@@ -1011,12 +1013,14 @@ Deployed services are configured as follows:

			




	
	
	
		
 
  LDAP.

			




	
	
	
		
 
* Incoming and outgoing mail is scanned with ClamAV (via ClamAV

			




	
	
	
		
 
  Milter). Infected mails are rejected.

			




	
	
	
		
 
* Mail is stored in directory ``/var/MAIL_USER/DOMAIN/USER``, using ``Maildir``

			




	
	
	
		
 
  format.

			




	
	
	
		
 
* TLS is required for user log-ins for both SMTP and IMAP.

			




	
	
	
		
 
* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for

			




	
	
	
		
 
  incoming connections.

			




	
	
	
		
 
* For user submission (SMTP), users must connect and authenticate over TCP

			




	
	
	
		
 
  port 587.

			




	
	
	
		
 
* Configures TLS versions and ciphers supported by Dovecot.

			




	
	
	
		
 
* Configures TLS versions and ciphers supported by Postfix on submission port

			




	
	
	
		
 
  (587). TLS configuration on port 25 is kept intact in order to maintain maximum

			




	
	
	
		
 
  interoperability with other servers.

			




	
	
		
 
@@ -1250,12 +1254,14 @@ Postfix is configured as follows:

			




	
	
	
		
 

			




	
	
	
		
 
* Local destinations are set-up.

			




	
	
	
		
 
* A relay host is set.

			




	
	
	
		
 
* TLS is enforced for relaying mails, with configurable truststore for server

			




	
	
	
		
 
  certificate verification if SMTP relay is used. If SMTP relay is not used

			




	
	
	
		
 
  (configured), no certificate verification is done.

			




	
	
	
		
 
* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for

			




	
	
	
		
 
  incoming connections.

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
Role dependencies

			




	
	
	
		
 
~~~~~~~~~~~~~~~~~

			




	
	
	
		
 

			




	
	
	
		
 
Depends on the following roles:

			




	
	
		
 
@@ -1335,12 +1341,14 @@ web applications.

			




	
	
	
		
 
The role implements the following:

			




	
	
	
		
 

			




	
	
	
		
 
* Installs and configures nginx with a single, default vhost with a small static

			




	
	
	
		
 
  index page.

			




	
	
	
		
 
* Deploys the HTTPS TLS private key and certificate (for default vhost).

			




	
	
	
		
 
* Configures TLS versions and ciphers supported by Nginx.

			




	
	
	
		
 
* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for

			




	
	
	
		
 
  incoming connections.

			




	
	
	
		
 
* Configures firewall to allow incoming connections to the web server.

			




	
	
	
		
 
* Installs and configures virtualenv and virtualenvwrapper as a common base for

			




	
	
	
		
 
  Python apps.

			




	
	
	
		
 
* Installs and configures PHP FPM as a common base for PHP apps.

			




	
	
	
		
 

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2023 by various authors & licensed under GPLv3.