diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml
index 9c147a9d19eda065d5da70e23ad87915ae8391af..f2b867cfc0cd3c676d3d541d294b4f42abd3e489 100644
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -14,9 +14,10 @@ dovecot_max_uid: 0
 dovecot_tls_cert: /etc/ssl/private/fullchain.pem
 dovecot_tls_key: /etc/ssl/private/privkey.pem
 dovecot_tls_ca_dir: /etc/ssl/certs
-dovecot_tls_ciphers: "{{ tls_ciphers }}"
-dovecot_tls_dh_length: 4096
-dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3'
+
+# possible values: modern, intermediate, old, previous
+# see also: https://ssl-config.mozilla.org/
+dovecot_tls_configuration: 'previous'
 
 dovecot_dsync: false
 dovecot_dsync_tls: false
diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index 9148c20fcb5f2256868b26504483622304783b32..0102bde55ddafc6eed05f92b4c7a2361266b7196 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -1,5 +1,12 @@
 ---
 
+- name: "include tls config vars (preset: {{ dovecot_tls_configuration }})"
+  include_vars:
+    file: "tls-{{ dovecot_tls_configuration }}.yml"
+  tags:
+    - dovecot
+    - mail
+
 - name: ensure all required dovecot packages are installed
   apt:
     name:
@@ -36,6 +43,20 @@
     - dovecot
     - mail
 
+- name: ensure dh params are available
+  copy:
+    src: "{{ dovecot_tls_dh_file }}"
+    dest: /etc/dovecot/dh.pem
+    owner: root
+    group: root
+    mode: '0644'
+  when: dovecot_tls_dh_file is string
+  notify:
+    - restart dovecot
+  tags:
+    - dovecot
+    - mail
+
 - name: ensure there is a folder for global sieve scripts
   file:
     dest: /var/lib/dovecot/sieve.d
diff --git a/dovecot/templates/conf.d/10-ssl.conf.j2 b/dovecot/templates/conf.d/10-ssl.conf.j2
index 54bfbc81f138c79f269f054d846e0d93db48611e..a46162095dd4b9774872b6305012efa02a492566 100644
--- a/dovecot/templates/conf.d/10-ssl.conf.j2
+++ b/dovecot/templates/conf.d/10-ssl.conf.j2
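Review bot: The new default `dovecot_tls_configuration: 'previous'` selects, per the tls-previous.yml added in this commit, the preset that still enables TLSv1.1 and takes its cipher list from an externally defined `tls_ciphers`, so the role's out-of-the-box policy is the weakest one apart from `old` and depends on a variable this role does not define. If `previous` is meant to keep existing hosts unchanged across the refactor, say so in the comment, e.g. `# 'previous' reproduces the role's pre-preset settings (TLSv1.1+, needs tls_ciphers); prefer 'intermediate' for new hosts`. Otherwise `'intermediate'` would be the more defensible default for a role that points readers at the Mozilla generator.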
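Review bot: `include_vars` with `file: "tls-{{ dovecot_tls_configuration }}.yml"` does not validate the preset name, so a typo fails with a file-not-found error that never mentions the four supported values, and whatever the variable holds is interpolated straight into the path. An `assert` task placed before the include turns that into a clear failure. Note also that variables loaded by `include_vars` take precedence over inventory variables, so a per-host override of a single variable such as `dovecot_tls_ciphers` will be shadowed by the preset file; if that is intended, it deserves a sentence next to `dovecot_tls_configuration` in the defaults.
```yaml
- name: validate dovecot_tls_configuration preset
  assert:
    that:
      - dovecot_tls_configuration in ['modern', 'intermediate', 'old', 'previous']
    fail_msg: "dovecot_tls_configuration must be one of: modern, intermediate, old, previous"
  tags:
    - dovecot
    - mail

# … unchanged: include_vars task …
```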
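Review bot: The `copy` of `{{ dovecot_tls_dh_file }}` runs whenever the preset names a file, but the template in this commit only references `/etc/dovecot/dh.pem` on its non-legacy branch (`ansible_distribution_major_version|int` of 10 or more); on older hosts the file is installed unused and the `restart dovecot` handler fires for nothing. Tightening the condition to `when: dovecot_tls_dh_file is string and ansible_distribution_major_version|int >= 10` keeps the task and the template in step. The `ffdhe4096.txt` and `ffdhe2048.txt` sources named by the presets are not added in this diff; confirm they exist under the role's `files/` directory.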
@@ -42,18 +42,39 @@ ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
+{% if ansible_distribution_major_version|int < 10 %}
 # DH parameters length to use.
+{% if dovecot_tls_dh_length %}
 ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
+{% else %}
+#ssl_dh_parameters_length =
+{% endif %}
+{% else %}
+# DH parameters to use.
+{% if dovecot_tls_dh_file %}
+ssl_dh = </etc/dovecot/dh.pem
+{% else %}
+#ssl_dh =
+{% endif %}
+{% endif %}
 
+{% if ansible_distribution_major_version|int < 10 %}
 # SSL protocols to use
 ssl_protocols = {{ dovecot_tls_protocols }}
+{% else %}
+# Minimum TLS version to use
+ssl_min_protocol = {{ dovecot_tls_min_protocol }}
+{% endif %}
 
 # SSL ciphers to use
-#ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!SHA1
+{% if dovecot_tls_ciphers %}
 ssl_cipher_list = {{ dovecot_tls_ciphers }}
+{% else %}
+#ssl_cipher_list =
+{% endif %}
 
 # Prefer the server's order of ciphers over client's.
-ssl_prefer_server_ciphers = yes
+ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else 'no' }}
 
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
diff --git a/dovecot/vars/tls-intermediate.yml b/dovecot/vars/tls-intermediate.yml
new file mode 100644
index 0000000000000000000000000000000000000000..dcb1468abcf9e3fa43203779d4188905a0338c8a
--- /dev/null
+++ b/dovecot/vars/tls-intermediate.yml
@@ -0,0 +1,8 @@
+---
+
+dovecot_tls_protocols: 'TLSv1.2 TLSv1.3'
+dovecot_tls_min_protocol: 'TLSv1.2'
+dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+dovecot_tls_dh_length: 4096 # 2048
+dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
+dovecot_tls_prefer_server_ciphers: false
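Review bot: The two `{% if ansible_distribution_major_version|int < 10 %}` branches encode the Dovecot 2.2 to 2.3 settings change (`ssl_min_protocol` and `ssl_dh` replaced `ssl_protocols` and `ssl_dh_parameters_length`) as a Debian release number, so on any other apt-based distribution, where the major version means something else, the wrong block is likely rendered; confirm which distributions the role is meant to support. Checking the distribution as well, or better the installed Dovecot version, and evaluating the test once would also keep the two branches from drifting apart: `{% set dovecot_legacy_ssl = ansible_distribution == 'Debian' and ansible_distribution_major_version|int < 10 %}` and then `{% if dovecot_legacy_ssl %}` in both places. A comment above the first branch explaining the boundary, e.g. `{# Debian 10 ships Dovecot 2.3, which replaced ssl_protocols/ssl_dh_parameters_length with ssl_min_protocol/ssl_dh #}`, would spare the next maintainer the archaeology.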
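Review bot: The trailing comments `# 2048` and `# ffdhe2048.txt` on `dovecot_tls_dh_length` and `dovecot_tls_dh_file` record an alternative value without saying what it is; presumably the Mozilla intermediate recommendation, from which this preset deviates by choosing a 4096-bit group. A one-line header comment would make the deviation explicit, e.g. `# Mozilla "intermediate" profile; DH group raised from ffdhe2048 to ffdhe4096`. The same unexplained alternatives appear in tls-old.yml and tls-previous.yml in this commit.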
diff --git a/dovecot/vars/tls-modern.yml b/dovecot/vars/tls-modern.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ef71bddb98777422cf9a04a18b35128955dc6bbe
--- /dev/null
+++ b/dovecot/vars/tls-modern.yml
@@ -0,0 +1,8 @@
+---
+
+dovecot_tls_protocols: 'TLSv1.3'
+dovecot_tls_min_protocol: 'TLSv1.3'
+dovecot_tls_ciphers: null
+dovecot_tls_dh_length: null
+dovecot_tls_dh_file: null
+dovecot_tls_prefer_server_ciphers: false
diff --git a/dovecot/vars/tls-old.yml b/dovecot/vars/tls-old.yml
new file mode 100644
index 0000000000000000000000000000000000000000..936012fb4b37051210f911087cb256db0bff2841
--- /dev/null
+++ b/dovecot/vars/tls-old.yml
@@ -0,0 +1,8 @@
+---
+
+dovecot_tls_protocols: 'TLSv1 TLSv1.1 TLSv1.2 !SSLv3'
+dovecot_tls_min_protocol: 'TLSv1'
+dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
+dovecot_tls_dh_length: 2048 # 1024
+dovecot_tls_dh_file: ffdhe2048.txt # openssl dhparam 1024 > ffdhe1024.txt
+dovecot_tls_prefer_server_ciphers: true
diff --git a/dovecot/vars/tls-previous.yml b/dovecot/vars/tls-previous.yml
new file mode 100644
index 0000000000000000000000000000000000000000..82d3f36845aee92078fafdd7c31e257fd7efdb02
--- /dev/null
+++ b/dovecot/vars/tls-previous.yml
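Review bot: `dovecot_tls_protocols: 'TLSv1.3'` is only consumed on the template's legacy branch (`ssl_protocols`, hosts with `ansible_distribution_major_version|int < 10`), and the Dovecot 2.2 shipped there is built against an OpenSSL without TLS 1.3, so this preset on such a host likely yields either a rejected config or a server with no negotiable protocol; confirm on a Debian 9 host before relying on it. Either document the requirement, e.g. `# requires Dovecot 2.3 / OpenSSL 1.1.1 (TLS 1.3); not usable on the legacy ssl_protocols branch`, or make the include fail early for those hosts. `dovecot_tls_ciphers: null` is consistent with a TLS 1.3-only policy, since `ssl_cipher_list` does not govern TLS 1.3 cipher suites.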
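Review bot: The comment `# openssl dhparam 1024 > ffdhe1024.txt` suggests naming a locally generated group `ffdhe1024.txt`, but `openssl dhparam` produces a random group rather than one of the RFC 7919 FFDHE groups the `ffdhe` prefix denotes, and no 1024-bit FFDHE group exists; a name such as `dhparam1024.pem` avoids implying a standard group. This preset also keeps `DES-CBC3-SHA` and `TLSv1`, which is what Mozilla's old profile allows; a header comment like `# Mozilla "old" profile: TLS 1.0+ with 3DES, for legacy clients only` would make the trade-off visible to whoever selects it.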
@@ -0,0 +1,8 @@
+---
+
+dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3'
+dovecot_tls_min_protocol: 'TLSv1.1'
+dovecot_tls_ciphers: "{{ tls_ciphers }}"
+dovecot_tls_dh_length: 4096
+dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
+dovecot_tls_prefer_server_ciphers: true
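Review bot: `dovecot_tls_ciphers: "{{ tls_ciphers }}"` carries over a reference to `tls_ciphers`, which nothing in this role defines; when it is missing, the template's `{% if dovecot_tls_ciphers %}` raises an undefined-variable error instead of rendering the commented-out line, whereas the other three presets inline their cipher lists. Either inline the list this preset is supposed to reproduce, or document the dependency at the top of the file, e.g. `# reproduces the pre-preset role defaults; tls_ciphers must be supplied by the playbook or inventory`.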