Commit
6857d1f6
authored
Jul 19, 2019
by
Lars Beckers
dovecot: preset-based tls config, new presets, buster compat
parent
9cf6caa4
Changes
7
dovecot/defaults/main.yml
@@ -14,9 +14,10 @@ dovecot_max_uid: 0
dovecot_tls_cert
:
/etc/ssl/private/fullchain.pem
dovecot_tls_key
:
/etc/ssl/private/privkey.pem
dovecot_tls_ca_dir
:
/etc/ssl/certs
dovecot_tls_ciphers
:
"
{{
tls_ciphers
}}"
dovecot_tls_dh_length
:
4096
dovecot_tls_protocols
:
'
TLSv1.1
TLSv1.2
!SSLv3'
# possible values: modern, intermediate, old, previous
# see also: https://ssl-config.mozilla.org/
dovecot_tls_configuration
:
'
previous'
dovecot_dsync
:
false
dovecot_dsync_tls
:
false
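Review bot: The values still set here for `dovecot_tls_ciphers`, `dovecot_tls_dh_length` and `dovecot_tls_protocols` are shadowed by whichever preset tasks/main.yml pulls in, because `include_vars` has higher precedence than role defaults and than inventory group/host vars; they only take effect if a preset omits the key, and operators can no longer override them from inventory. Either drop them or mark them, e.g. `# fallbacks only: every shipped preset (vars/tls-*.yml) overrides these via include_vars`. The variables the template now reads (`dovecot_tls_min_protocol`, `dovecot_tls_dh_file`, `dovecot_tls_prefer_server_ciphers`) have no default in this file, so a custom or incomplete preset would fail at templating time rather than fall back. The default preset `previous` also keeps TLSv1.1 enabled on every host; a comment stating why `intermediate` is not the default would help the reader.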
dovecot/tasks/main.yml
---
-
name
:
"
include
tls
config
vars
(preset:
{{
dovecot_tls_configuration
}})"
include_vars
:
file
:
"
tls-{{
dovecot_tls_configuration
}}.yml"
tags
:
-
dovecot
-
mail
-
name
:
ensure all required dovecot packages are installed
apt
:
name
:
@@ -36,6 +43,20 @@
-
dovecot
-
mail
-
name
:
ensure dh params are available
copy
:
src
:
"
{{
dovecot_tls_dh_file
}}"
dest
:
/etc/dovecot/dh.pem
owner
:
root
group
:
root
mode
:
'
0644'
when
:
dovecot_tls_dh_file is string
notify
:
-
restart dovecot
tags
:
-
dovecot
-
mail
-
name
:
ensure there is a folder for global sieve scripts
file
:
dest
:
/var/lib/dovecot/sieve.d
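Review bot: The preset name is interpolated into a file path at `file: "tls-{{ dovecot_tls_configuration }}.yml"` without checking that it is one of the four shipped presets; an unknown value only surfaces as an include_vars failure, and the comment in defaults/main.yml is the only place the valid names are listed. A preceding `assert` task with `that: dovecot_tls_configuration in ['modern', 'intermediate', 'old', 'previous']` would give a clear error and enforce the contract where it is documented. The new dh-params copy task also assumes `dovecot/files/{{ dovecot_tls_dh_file }}` (ffdhe4096.txt / ffdhe2048.txt per the presets) already exists in the role — none of the seven changed files adds them, so presumably they were committed earlier; worth confirming. The task list continues outside this hunk.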
dovecot/templates/conf.d/10-ssl.conf.j2
@@ -42,18 +42,39 @@ ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
{% if ansible_distribution_major_version|int < 10 %}
# DH parameters length to use.
{% if dovecot_tls_dh_length %}
ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
{% else %}
#ssl_dh_parameters_length =
{% endif %}
{% else %}
# DH parameters to use.
{% if dovecot_tls_dh_file %}
ssl_dh = </etc/dovecot/dh.pem
{% else %}
#ssl_dh =
{% endif %}
{% endif %}
{% if ansible_distribution_major_version|int < 10 %}
# SSL protocols to use
ssl_protocols = {{ dovecot_tls_protocols }}
{% else %}
# Minimum TLS version to use
ssl_min_protocol = {{ dovecot_tls_min_protocol }}
{% endif %}
# SSL ciphers to use
#ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!SHA1
{% if dovecot_tls_ciphers %}
ssl_cipher_list = {{ dovecot_tls_ciphers }}
{% else %}
#ssl_cipher_list =
{% endif %}
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers =
yes
ssl_prefer_server_ciphers =
{{ 'yes' if dovecot_tls_prefer_server_ciphers else 'no' }}
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
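Review bot: The `ansible_distribution_major_version|int < 10` gate actually selects between two Dovecot configuration dialects (`ssl_protocols`/`ssl_dh_parameters_length` versus `ssl_min_protocol`/`ssl_dh`), and it is repeated twice in this hunk — once before the DH block and once before the protocol block — with nothing saying why 10 is the threshold. Consider evaluating it once, e.g. `{# Dovecot 2.3 (shipped from Debian 10 on) replaced ssl_protocols and ssl_dh_parameters_length with ssl_min_protocol and ssl_dh #}` followed by `{% set dovecot_legacy_ssl = ansible_distribution_major_version|int < 10 %}`, and testing that variable in both places. The comparison also presumes a Debian major version; if the role is Debian-only that is fine but should be stated, since on another distribution the integer compare is meaningless. The template continues outside this hunk.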
dovecot/vars/tls-intermediate.yml
0 → 100644
---
dovecot_tls_protocols
:
'
TLSv1.2
TLSv1.3'
dovecot_tls_min_protocol
:
'
TLSv1.2'
dovecot_tls_ciphers
:
'
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
dovecot_tls_dh_length
:
4096
# 2048
dovecot_tls_dh_file
:
ffdhe4096.txt
# ffdhe2048.txt
dovecot_tls_prefer_server_ciphers
:
false
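Review bot: The trailing comments `# 2048` and `# ffdhe2048.txt` after `dovecot_tls_dh_length` and `dovecot_tls_dh_file` are bare alternative values with no explanation, so a reader cannot tell whether they are the upstream recommendation, a planned change or leftovers; the same pattern appears in tls-old.yml and tls-previous.yml. Presumably they record the Mozilla-recommended DH size for each level — if so, say it, e.g. `# Mozilla intermediate suggests ffdhe2048; 4096 chosen here deliberately`, otherwise remove them. Whether these comments sit inline or on their own line is not recoverable from this rendering, but the wording fix applies either way.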
dovecot/vars/tls-modern.yml
0 → 100644
---
dovecot_tls_protocols
:
'
TLSv1.3'
dovecot_tls_min_protocol
:
'
TLSv1.3'
dovecot_tls_ciphers
:
null
dovecot_tls_dh_length
:
null
dovecot_tls_dh_file
:
null
dovecot_tls_prefer_server_ciphers
:
false
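Review bot: This preset is only meaningful on the Debian >= 10 branch of 10-ssl.conf.j2: on older hosts the template emits `ssl_protocols = TLSv1.3`, which the Dovecot 2.2 / OpenSSL 1.1.0 stack on stretch presumably cannot provide, leaving the service with no usable protocol rather than failing at deploy time. A header comment such as `# Requires TLS 1.3 (Dovecot 2.3, Debian >= 10); do not select on older releases` would document that, and an `assert` in tasks/main.yml could enforce it. With `dovecot_tls_ciphers: null` the template falls back to the Dovecot default list, which is presumably intended because TLS 1.3 suites are not governed by `ssl_cipher_list`; a one-line comment saying so would save the next reader the lookup.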
dovecot/vars/tls-old.yml
0 → 100644
---
dovecot_tls_protocols
:
'
TLSv1
TLSv1.1
TLSv1.2
!SSLv3'
dovecot_tls_min_protocol
:
'
TLSv1'
dovecot_tls_ciphers
:
'
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
dovecot_tls_dh_length
:
2048
# 1024
dovecot_tls_dh_file
:
ffdhe2048.txt
# openssl dhparam 1024 > ffdhe1024.txt
dovecot_tls_prefer_server_ciphers
:
true
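Review bot: The comment `# openssl dhparam 1024 > ffdhe1024.txt` records a 1024-bit DH option under a misleading name — RFC 7919 defines no ffdhe1024 group, and 1024-bit DH is below current minimums, so a file created that way would be mistaken for a standard group. It should not be left as a ready-to-run recipe next to a live setting; either describe the decision, e.g. `# 2048-bit DH is the floor even for the old profile; 1024-bit params are not offered`, or drop it together with the `# 1024` remark on `dovecot_tls_dh_length`. A header comment stating that this profile includes 3DES (`DES-CBC3-SHA`) and TLS 1.0 and exists only for legacy-client compatibility would also help whoever selects it.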
dovecot/vars/tls-previous.yml
0 → 100644
---
dovecot_tls_protocols
:
'
TLSv1.1
TLSv1.2
!SSLv3'
dovecot_tls_min_protocol
:
'
TLSv1.1'
dovecot_tls_ciphers
:
"
{{
tls_ciphers
}}"
dovecot_tls_dh_length
:
4096
dovecot_tls_dh_file
:
ffdhe4096.txt
# ffdhe2048.txt
dovecot_tls_prefer_server_ciphers
:
true
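Review bot: `dovecot_tls_ciphers: "{{ tls_ciphers }}"` makes this preset depend on a variable the role does not define, unlike the other three presets which carry an explicit list, and because `previous` is the default in defaults/main.yml every host relies on that external definition. A comment should say where it is expected to come from, e.g. `# tls_ciphers is defined repo-wide outside this role; the other presets are self-contained`. If this preset is meant to reproduce the pre-commit behaviour, stating that in a header would explain both why it is the default and why TLSv1.1 stays enabled.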