* The role no longer officially supports older versions of TLS

    (TLSv1.1 and lower).

**New features/improvements**

* ``backup_client`` role

  * Switched to using Paramiko + SFTP backend (instead of pexpect +

    SFTP), which should improve the backup performance.

* ``ldap_server`` role

* ``mail_server`` role

* ``web_server`` role

* ``xmpp_server`` role

    communications.

**Bug fixes:**

* ``common`` role

  * Fixed permission errors with Python cache directories in the pip

    requirements upgrade checks virtual environment that can happen if

    the initial virtual environment set-up fails.

8.0.0

**xmpp_ldap_server** (string, mandatory)

  Fully qualified domain name, hostname, or IP address of the LDAP server used

  for user authentication and listing.

**xmpp_server_archive_expiration** (string, optional, ``never``)

  Expiration period for messages stored server-side using `XEP-0313:

  Message Archive Management

  <https://xmpp.org/extensions/xep-0313.html>`_. The value should be

  compatible with `Prosody mod_mam

  <https://prosody.im/doc/modules/mod_mam>`_ configuration option

  ``archive_expires_after``.

  TLS ciphers to enable on the XMPP server. This should be an

  OpenSSL-compatible cipher specification. Value should be compatible

  with Prosody's option ``ciphers`` normally defined within the

  ``ssl`` section of configuration file (see `official documentation

  <https://prosody.im/doc/advanced_ssl_config#ciphers>`_ for details).

**xmpp_server_tls_protocol** (string, optional, ``tlsv1_2+``)

  connections. The value specified should be compatible with Prosody's

  ``protocol`` option normally defined within the ``ssl`` section of

  configuration file (see `official documentation

  <https://prosody.im/doc/advanced_ssl_config#protocol>`__ for

  details). Older versions of TLS protocol (TLSv1.1 and lower) are not

  fully supported by the role, and additional configuration is

**xmpp_tls_certificate** (string, mandatory)

  X.509 certificate used for TLS for XMPP service. The file will be stored in

  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_xmpp.pem``.

**xmpp_tls_key** (string, mandatory)

  Private key used for TLS for XMPP service. The file will be stored in

  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_xmpp.key``.

Distribution compatibility

~~~~~~~~~~~~~~~~~~~~~~~~~~

  Maximum size of message in bytes that the SMTP server should accept

  for incoming mails. If the mail message size exceeds the listed

  value, it will be rejected by the server. The size is also

  advertised as part of SMTP server capabilities (in response to the

  ``ehlo`` SMTP command).

**mail_server_minimum_tls_protocol** (string, optional, ``"TLSv1.2"``)

  Minimum version of TLS protocol to allow when connecting to SMTP

  submission port or IMAP. Value should be compatible with Dovecot's

  ``ssl_protocols`` and ``smtpd_tls_mandatory_protocols``

  configuration options. Older versions of TLS protocol (TLSv1.1 and

  lower) are not fully supported by the role, and additional

**mail_server_smtp_additional_configuration** (string, optional, ``""``))

  Additional configuration directives to include in SMTP server main

  configuration file. Directives must be specifically compatible with

  Postfix, and are treated verbatim (multi-line string will suffice).

  TLS ciphers to enable on the mail server (for IMAP and SMTP

  submission). This should be an OpenSSL-compatible cipher

  specification. Value should be compatible with Postfix configuration

  option ``tls_high_cipherlist`` and Dovecot configuration option

**mail_user** (string, optional, ``vmail``)

  Name of the user that owns all the mail files.

**mail_user_uid** (integer, optional, ``whatever OS picks``)

  UID of the user that owns all the mail files.

**mail_user_gid** (integer, optional, ``whatever OS picks``)

  GID of the user that owns all the mail files.

**imap_max_user_connections_per_ip** (integer, optional, ``10``)

  Maximum number of IMAP connections from a single IP for a single user. Default

  **text** (string, mandatory)

    Text to show in show in the strip at bottom.

**web_default_title** (string, optional, ``Welcome``)

  Title for the default web page shown to users (if no other vhosts were matched).

**web_default_message** (string, optional, ``You are attempting to access the web server using a wrong name or an IP address. Please check your URL.``)

  Message for the default web page shown to users (if no other vhosts were

  matched).

**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2", "TLSv1.3" ]``)

  ``ssl_protocols``. Older versions of TLS protocol (TLSv1.1 and

  lower) are not fully supported by the role, and additional

**web_server_tls_ciphers** (string, optional, ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!aNULL:!MD5:!EXPORT``)

  TLS ciphers to enable on the web server. This should be an

  OpenSSL-compatible cipher specification. Value should be compatible

  with Nginx configuration option ``ssl_ciphers``. Default value

Distribution compatibility

~~~~~~~~~~~~~~~~~~~~~~~~~~

Role is compatible with the following distributions:

- Debian 12 (Bookworm)

Examples

~~~~~~~~

     swaks --to john.doe@example.com --server comms.example.com

     swaks --to jane.doe@example.com --server comms.example.com

  Of course, free feel to also test out the mail server using any mail client of

  your choice. When doing so, use port 587 for SMTP. Port 25 is reserved for

  unauthenticated server-to-server mail deliveries.

  If you face issues with ISPs or hotels blocking the two ports listed above,

  you can also use alternative ports 26 (redirected to port 587) and 27

  (redirected to port 25).

  (you can override TLS versions/ciphers via role configuration). TLS

  configuration on port 25 has been left unchanged for maximum

  interoperability with other servers.

Setting-up mail relaying from web and backup servers

----------------------------------------------------

With the mail server set-up, the next thing to do would be to set-up the SMTP

server on web and backup servers to relay mails via the communications

server. This way we can make sure that mail that gets sent via local SMTP to

external addresses on those two servers goes through our anti-virus scanner.

---

enable_backup: false

mail_user: vmail

imap_folder_separator: "/"

smtp_rbl: []

mail_postmaster: "postmaster@{{ ansible_domain }}"

smtp_allow_relay_from: []

local_mail_aliases: {}

imap_max_user_connections_per_ip: 10

mail_server_minimum_tls_protocol: "TLSv1.2"

mail_server_tls_ciphers: "\

DHE-RSA-AES128-GCM-SHA256:\

DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-CHACHA20-POLY1305:\

ECDHE-RSA-AES128-GCM-SHA256:\

ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-CHACHA20-POLY1305:\

TLS_AES_128_GCM_SHA256:\

TLS_AES_256_GCM_SHA384:\

TLS_CHACHA20_POLY1305_SHA256:\

!aNULL:!MD5:!EXPORT"

mail_message_size_limit: 10240000

---

mail_ldap_base_dn: dc=local

mail_ldap_url: ldap://ldap-server/

mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca/chain-full.cert.pem') }}"

mail_ldap_postfix_password: postfixpassword

mail_ldap_dovecot_password: dovecotpassword

mail_server_minimum_tls_protocol: TLSv1.3

mail_server_tls_ciphers: "\

ECDHE-RSA-CHACHA20-POLY1305:\

TLS_AES_128_GCM_SHA256:\

TLS_AES_256_GCM_SHA384:\

TLS_CHACHA20_POLY1305_SHA256:\

!aNULL:!MD5:!EXPORT"

mail_user: virtmail

mail_user_uid: 5000

mail_user_gid: 5000

imap_max_user_connections_per_ip: 2

imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.cert.pem') }}"

imap_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.key.pem') }}"

local_mail_aliases:

---

environment_indicator: null

web_default_title: "Welcome"

web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."

web_server_tls_protocols:

  - "TLSv1.2"

  - "TLSv1.3"

web_server_tls_ciphers: "\

DHE-RSA-AES128-GCM-SHA256:\

DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-CHACHA20-POLY1305:\

ECDHE-RSA-AES128-GCM-SHA256:\

ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-CHACHA20-POLY1305:\

TLS_AES_128_GCM_SHA256:\

TLS_AES_256_GCM_SHA384:\

TLS_CHACHA20_POLY1305_SHA256:\

!aNULL:!MD5:!EXPORT"

  - mick.doe@domain3

xmpp_domains:

  - domain2

  - domain3

xmpp_ldap_base_dn: dc=local

xmpp_ldap_password: prosodypassword

xmpp_ldap_server: ldap-server

xmpp_server_archive_expiration: "1w"

xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.cert.pem') }}"

xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.key.pem') }}"

xmpp_server_tls_protocol: "tlsv1_3+"

# At least one non-TLSv1.3 cipher has to be included in order to

# common

ca_certificates:

  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

# backup_client

enable_backup: true

backup_client_username: "bak-parameters-optional-{{ ansible_distribution_release }}"

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"

backup_server: backup-server

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"