Changeset - f344ed6181a9
Branko Majic (branko) - 7 years ago 2017-02-11 21:21:46
branko@majic.rs
MAR-90: Fixed small typo in documentation for ldap_server role. Added configuration parameters for the mail_server role for specifying TLS protocols and ciphers.
5 files changed with 29 insertions and 13 deletions:
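--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -647,7 +647,8 @@ Parameters
   TLS ciphers to enable on the LDAP server. This should be a GnuTLS-compatible
   cipher specification that should also include what TLS protocol versions
   should be used. Value should be compatible with OpenLDAP server option
-  ``olcTLSCipherSuite``. Default value only TLSv1.2 and strong PFS ciphers.
+  ``olcTLSCipherSuite``. Default value allows only TLSv1.2 and strong PFS
+  ciphers.
 
 
 Examples
@@ -875,11 +876,10 @@ Deployed services are configured as follows:
 * TLS is required for user log-ins for both SMTP and IMAP.
 * For user submission (SMTP), users must connect and authenticate over TCP
   port 587.
-* TLS configuration is hardened for Dovecot, allowing only TLSv1.2 and PFS
-  ciphers.
-* TLS configuration is hardened for Postfix on submission port 587, allowing
-  only TLSv1.2 and PFS ciphers. No TLS hardening is performed on port 25 in
-  order to maintain maximum interoperability.
+* Configures TLS versions and ciphers supported by Dovecot.
+* Configures TLS versions and ciphers supported by Postfix on submission port
+  (587). TLS configuration on port 25 is kept intact in order to maintain maximum
+  interoperability with other servers.
 * RBL's are used for combating spam (if any is specified in configuration, see
   below).
 * Postfix is configured to deliver undeliverable bounces to postmaster. This
@@ -969,6 +969,19 @@ Parameters
 **mail_ldap_dovecot_password** (string, mandatory)
   Password for authenticating the Dovecot LDAP user.
 
+**mail_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)
+  List of TLS protocols the mail server should support. Each value specified
+  should be compatible with Postfix configuration option
+  ``smtpd_tls_mandatory_protocols`` and Dovecot configuration option
+  ``ssl_protocols``.
+
+**mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT``)
+  TLS ciphers to enable on the mail server (for IMAP and SMTP submission). This
+  should be an OpenSSL-compatible cipher specification. Value should be
+  compatible with Postfix configuration option ``tls_high_cipherlist`` and
+  Dovecot configuration option ``ssl_cipher_list``. Default value allows only
+  TLSv1.2 and strong PFS ciphers.
+
 **mail_user** (string, optional, ``vmail``)
   Name of the user that owns all the mail files.
 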
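--- a/roles/mail_server/defaults/main.yml
+++ b/roles/mail_server/defaults/main.yml
@@ -12,4 +12,7 @@ smtp_rbl: []
 mail_postmaster: "postmaster@{{ ansible_domain }}"
 smtp_allow_relay_from: []
 local_mail_aliases: {}
-imap_max_user_connections_per_ip: 10
\ No newline at end of file
+imap_max_user_connections_per_ip: 10
+mail_server_tls_protocols:
+  - "TLSv1.2"
+mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT"
\ No newline at end of file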
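Review bot: The file still ends without a trailing newline: the hunk removes and re-adds `imap_max_user_connections_per_ip: 10` only to move the `\ No newline at end of file` marker onto the new `mail_server_tls_ciphers` line, so the next variable appended here will produce the same spurious one-line churn; terminate the file with a newline now. The default cipher string lists the DHE-RSA suites ahead of the ECDHE ones, and DHE suites are only as strong as the server's Diffie-Hellman parameters, which nothing in this commit touches — if the role does not deploy its own DH parameter file elsewhere (e.g. via Postfix `smtpd_tls_dh1024_param_file`; not visible here), either confirm it does or move the ECDHE suites to the front of the list. A short comment above the variable such as `# Ordered OpenSSL cipher list shared by Dovecot and Postfix submission; must contain no whitespace (it is substituted into master.cf -o options).` would also save the next maintainer from tripping over that constraint.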
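--- a/roles/mail_server/tasks/main.yml
+++ b/roles/mail_server/tasks/main.yml
@@ -128,8 +128,8 @@
     - Restart Dovecot
 
 - name: Deploy Postifx master process configuration
-  copy: src="master.cf" dest="/etc/postfix/master.cf"
-        owner=root group=root mode=644
+  template: src="master.cf.j2" dest="/etc/postfix/master.cf"
+            owner=root group=root mode=644
   notify:
     - Restart Postfix
 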
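Review bot: The new `template:` task keeps the `key=value` argument string and the bare `mode=644`; this works today because the k=v form hands Ansible the string "644", but the documented convention is block-style module arguments with the mode quoted and zero-prefixed (`mode: "0644"`) so the permission can never be misread as the decimal integer 644 if someone later converts the task to YAML form. While the task is being rewritten anyway, the pre-existing typo in its name (`Postifx`, a context line above the change) is cheap to fix. The task itself is fully contained in the hunk.

```yaml
- name: Deploy Postfix master process configuration
  template:
    src: master.cf.j2
    dest: /etc/postfix/master.cf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix
```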
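--- a/roles/mail_server/templates/99-local.conf.j2
+++ b/roles/mail_server/templates/99-local.conf.j2
@@ -31,8 +31,8 @@ service auth {
 # TLS configuration.
 ssl_cert = </etc/ssl/certs/{{ ansible_fqdn }}_imap.pem
 ssl_key = </etc/ssl/private/{{ ansible_fqdn }}_imap.key
-ssl_protocols = TLSv1.2
-ssl_cipher_list = DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT
+ssl_protocols = {{ mail_server_tls_protocols | join(',') }}
+ssl_cipher_list = {{ mail_server_tls_ciphers }}
 ssl = required
 
 # Mail delivery.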
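Review bot: Dovecot documents `ssl_protocols` as a space-separated list (for example `!SSLv2 !SSLv3`), whereas the new `ssl_protocols` line joins `mail_server_tls_protocols` with `,`; with the one-element default the rendered value is identical to the old hard-coded `TLSv1.2`, but a multi-element list should be tested against the deployed Dovecot version or rendered with `join(' ')` here (Postfix accepts commas, so master.cf.j2 can keep its separator). Independently of that, `ssl_cipher_list` only acts as an ordered preference when `ssl_prefer_server_ciphers = yes` is set, and that is not in this hunk, so the client still picks among the allowed suites — adding `ssl_prefer_server_ciphers = yes` next to `ssl_cipher_list` makes the ordering in the variable meaningful. I believe newer Dovecot releases replace `ssl_protocols` with a minimum-version setting, so a comment such as `# ssl_protocols is an allow-list of OpenSSL protocol names; verify the separator and name on the target Dovecot version` above the line would help whoever bumps the distribution.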
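--- a/roles/mail_server/files/master.cf
+++ b/roles/mail_server/templates/master.cf.j2
@@ -131,7 +131,7 @@ submission inet n       -       -       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_tls_security_level=encrypt
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-  -o smtpd_tls_mandatory_protocols=TLSv1.2
+  -o smtpd_tls_mandatory_protocols={{ mail_server_tls_protocols | join(',') }}
   -o smtpd_tls_mandatory_ciphers=high
-  -o tls_high_cipherlist=DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT
+  -o tls_high_cipherlist={{ mail_server_tls_ciphers }}
   -o syslog_name=postfix/submission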
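Review bot: Both templated `-o` values land in master.cf, where an option value cannot contain whitespace (Postfix releases before 3.0 have no quoting syntax for it), so a `mail_server_tls_ciphers` containing a space, or a protocol list joined with anything other than `,`, silently truncates the `submission` service definition rather than failing loudly; that constraint is not stated anywhere in the commit, so add a Jinja comment above the service such as `{# -o values in master.cf must not contain whitespace: keep lists comma-joined and the cipher string space-free #}`. The ordering in `tls_high_cipherlist` is only honoured if `tls_preempt_cipherlist=yes`, which the hunk leaves at the Postfix default (client preference); a single extra line, `  -o tls_preempt_cipherlist=yes`, after the `tls_high_cipherlist` override would make the server's preference order take effect. The `submission` service definition begins above the hunk.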