From 6857d1f606042c3b707076c913a7ebe2b7c5e238 Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Fri, 19 Jul 2019 17:02:58 +0200
Subject: [PATCH] dovecot: preset-based tls config, new presets, buster compat

---
 dovecot/defaults/main.yml               |  7 ++++---
 dovecot/tasks/main.yml                  | 21 +++++++++++++++++++++
 dovecot/templates/conf.d/10-ssl.conf.j2 | 25 +++++++++++++++++++++++--
 dovecot/vars/tls-intermediate.yml       |  8 ++++++++
 dovecot/vars/tls-modern.yml             |  8 ++++++++
 dovecot/vars/tls-old.yml                |  8 ++++++++
 dovecot/vars/tls-previous.yml           |  8 ++++++++
 7 files changed, 80 insertions(+), 5 deletions(-)
 create mode 100644 dovecot/vars/tls-intermediate.yml
 create mode 100644 dovecot/vars/tls-modern.yml
 create mode 100644 dovecot/vars/tls-old.yml
 create mode 100644 dovecot/vars/tls-previous.yml

diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml
index 9c147a9..f2b867c 100644
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -14,9 +14,10 @@ dovecot_max_uid: 0
 dovecot_tls_cert: /etc/ssl/private/fullchain.pem
 dovecot_tls_key: /etc/ssl/private/privkey.pem
 dovecot_tls_ca_dir: /etc/ssl/certs
-dovecot_tls_ciphers: "{{ tls_ciphers }}"
-dovecot_tls_dh_length: 4096
-dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3'
+
+# possible values: modern, intermediate, old, previous
+# see also: https://ssl-config.mozilla.org/
+dovecot_tls_configuration: 'previous'
 
 dovecot_dsync: false
 dovecot_dsync_tls: false
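Review bot: The new default `dovecot_tls_configuration: 'previous'` keeps TLSv1.1 enabled (tls-previous.yml sets `'TLSv1.1 TLSv1.2 !SSLv3'`), and the comment above it does not say so; the "see also" line also implies all four values are Mozilla profiles, while `previous` is this role's former hard-coded configuration rather than a Mozilla preset. I'd extend the comment to `# modern/intermediate/old follow https://ssl-config.mozilla.org/; 'previous' keeps this role's former settings (TLSv1.1+, {{ tls_ciphers }}) and stays the default for compatibility`. Anyone who wants the Mozilla baseline has to set the variable explicitly, which the comment should make obvious.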
diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index 9148c20..0102bde 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -1,5 +1,12 @@
 ---
 
+- name: "include tls config vars (preset: {{ dovecot_tls_configuration }})"
+  include_vars:
+    file: "tls-{{ dovecot_tls_configuration }}.yml"
+  tags:
+    - dovecot
+    - mail
+
 - name: ensure all required dovecot packages are installed
   apt:
     name:
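Review bot: Because the presets are loaded with `include_vars`, the preset's `dovecot_tls_ciphers`, `dovecot_tls_dh_length`, `dovecot_tls_protocols` and the other preset keys now rank above inventory, group_vars and host_vars in Ansible precedence, so users who previously overrode the removed `dovecot_tls_*` defaults per host will have those overrides silently replaced by the preset; only `set_fact` and extra vars still win. If per-host overrides are meant to keep working, the preset values should be loaded under different names and combined with `default()` in the template, or the change needs to be called out in the role documentation. A value outside the four presets currently surfaces only as an `include_vars` file-not-found error; a preceding `assert` task with `that: dovecot_tls_configuration in ['modern', 'intermediate', 'old', 'previous']` gives a clearer failure.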
@@ -36,6 +43,20 @@
     - dovecot
     - mail
 
+- name: ensure dh params are available
+  copy:
+    src: "{{ dovecot_tls_dh_file }}"
+    dest: /etc/dovecot/dh.pem
+    owner: root
+    group: root
+    mode: '0644'
+  when: dovecot_tls_dh_file is string
+  notify:
+    - restart dovecot
+  tags:
+    - dovecot
+    - mail
+
 - name: ensure there is a folder for global sieve scripts
   file:
     dest: /var/lib/dovecot/sieve.d
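Review bot: The copy task's `src: "{{ dovecot_tls_dh_file }}"` resolves to `ffdhe4096.txt` / `ffdhe2048.txt` in the role's files/ directory, but the diffstat adds no such files, so unless they already exist in the role the task fails for every preset except modern; if they are provided some other way, a comment should say where they come from. The task is also not gated on the Debian release, so on stretch (< 10) dh.pem is written even though 10-ssl.conf.j2 only references it for buster — harmless, but worth `# consumed by 10-ssl.conf.j2 only on Debian >= 10 (ssl_dh); stretch uses ssl_dh_parameters_length` above the task. `mode: '0644'` is appropriate since DH group parameters are public.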
diff --git a/dovecot/templates/conf.d/10-ssl.conf.j2 b/dovecot/templates/conf.d/10-ssl.conf.j2
index 54bfbc8..a461620 100644
--- a/dovecot/templates/conf.d/10-ssl.conf.j2
+++ b/dovecot/templates/conf.d/10-ssl.conf.j2
@@ -42,18 +42,39 @@ ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
+{% if ansible_distribution_major_version|int < 10 %}
 # DH parameters length to use.
+{% if dovecot_tls_dh_length %}
 ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
+{% else %}
+#ssl_dh_parameters_length =
+{% endif %}
+{% else %}
+# DH parameters to use.
+{% if dovecot_tls_dh_file %}
+ssl_dh = </etc/dovecot/dh.pem
+{% else %}
+#ssl_dh =
+{% endif %}
+{% endif %}
 
+{% if ansible_distribution_major_version|int < 10 %}
 # SSL protocols to use
 ssl_protocols = {{ dovecot_tls_protocols }}
+{% else %}
+# Minimum TLS version to use
+ssl_min_protocol = {{ dovecot_tls_min_protocol }}
+{% endif %}
 
 # SSL ciphers to use
-#ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!SHA1
+{% if dovecot_tls_ciphers %}
 ssl_cipher_list = {{ dovecot_tls_ciphers }}
+{% else %}
+#ssl_cipher_list =
+{% endif %}
 
 # Prefer the server's order of ciphers over client's.
-ssl_prefer_server_ciphers = yes
+ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else 'no' }}
 
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
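Review bot: The two `ansible_distribution_major_version|int < 10` gates (before the DH block and before the protocol block) key on the major version number alone, not on the distribution, so on a non-Debian host such as Ubuntu 18.04 (major version 18, still dovecot 2.2) the buster-only `ssl_min_protocol` and `ssl_dh` directives would likely be emitted and not recognised; if the role is Debian-only that is fine but should be stated. I'd compute the choice once at the top of the template, `{% set legacy_ssl = ansible_distribution == 'Debian' and ansible_distribution_major_version|int < 10 %}`, test `legacy_ssl` in both places, and add `{# dovecot < 2.3 (stretch): ssl_protocols / ssl_dh_parameters_length; dovecot 2.3+ (buster): ssl_min_protocol / ssl_dh #}` so the two branches cannot drift apart. Also note that with `dovecot_tls_dh_length` null on stretch the `ssl_dh_parameters_length` line is commented out and dovecot's built-in default applies, which is presumably smaller than any preset value — confirm that is intended for the modern preset.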
diff --git a/dovecot/vars/tls-intermediate.yml b/dovecot/vars/tls-intermediate.yml
new file mode 100644
index 0000000..dcb1468
--- /dev/null
+++ b/dovecot/vars/tls-intermediate.yml
@@ -0,0 +1,8 @@
+---
+
+dovecot_tls_protocols: 'TLSv1.2 TLSv1.3'
+dovecot_tls_min_protocol: 'TLSv1.2'
+dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+dovecot_tls_dh_length: 4096 # 2048
+dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
+dovecot_tls_prefer_server_ciphers: false
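Review bot: `dovecot_tls_protocols: 'TLSv1.2 TLSv1.3'` is the value written to `ssl_protocols` on Debian < 10, where stretch's dovecot 2.2 is built against OpenSSL 1.1.0 without TLS 1.3 and, as far as I recall, refuses an unrecognised name in `ssl_protocols` — so this preset (and tls-modern.yml's `'TLSv1.3'`) probably cannot start dovecot on stretch; confirm on a stretch host, and either drop `TLSv1.3` from the stretch-side lists or document these presets as buster-only. The trailing `# 2048` and `# ffdhe2048.txt` comments do not say what they mean; I'd write `dovecot_tls_dh_length: 4096  # Mozilla intermediate uses ffdhe2048; 4096 used here` and the same on the `dovecot_tls_dh_file` line, if that is the intent. Inline comments also need two spaces before `#`.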
diff --git a/dovecot/vars/tls-modern.yml b/dovecot/vars/tls-modern.yml
new file mode 100644
index 0000000..ef71bdd
--- /dev/null
+++ b/dovecot/vars/tls-modern.yml
@@ -0,0 +1,8 @@
+---
+
+dovecot_tls_protocols: 'TLSv1.3'
+dovecot_tls_min_protocol: 'TLSv1.3'
+dovecot_tls_ciphers: null
+dovecot_tls_dh_length: null
+dovecot_tls_dh_file: null
+dovecot_tls_prefer_server_ciphers: false
diff --git a/dovecot/vars/tls-old.yml b/dovecot/vars/tls-old.yml
new file mode 100644
index 0000000..936012f
--- /dev/null
+++ b/dovecot/vars/tls-old.yml
@@ -0,0 +1,8 @@
+---
+
+dovecot_tls_protocols: 'TLSv1 TLSv1.1 TLSv1.2 !SSLv3'
+dovecot_tls_min_protocol: 'TLSv1'
+dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
+dovecot_tls_dh_length: 2048 # 1024
+dovecot_tls_dh_file: ffdhe2048.txt # openssl dhparam 1024 > ffdhe1024.txt
+dovecot_tls_prefer_server_ciphers: true
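Review bot: The trailing comment on `dovecot_tls_dh_file` suggests `openssl dhparam 1024 > ffdhe1024.txt` as the alternative, but a locally generated 1024-bit group is not an RFC 7919 ffdhe group (those start at 2048) and 1024-bit DH is far below the strength of the rest of this preset, so the comment invites a downgrade; I'd replace it with `# RFC 7919 ffdhe2048 (Mozilla 'old' profile); do not go below 2048 bits`. Likewise `dovecot_tls_dh_length: 2048 # 1024` needs two spaces before `#` and a comment stating that 1024 is the Mozilla 'old' floor this preset deliberately does not use, if that is the intent. A short comment naming the Mozilla profile and the date the cipher list (including the trailing `DES-CBC3-SHA`) was copied from would make later refreshes easier.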
diff --git a/dovecot/vars/tls-previous.yml b/dovecot/vars/tls-previous.yml
new file mode 100644
index 0000000..82d3f36
--- /dev/null
+++ b/dovecot/vars/tls-previous.yml
@@ -0,0 +1,8 @@
+---
+
+dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3'
+dovecot_tls_min_protocol: 'TLSv1.1'
+dovecot_tls_ciphers: "{{ tls_ciphers }}"
+dovecot_tls_dh_length: 4096
+dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
+dovecot_tls_prefer_server_ciphers: true
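Review bot: `dovecot_tls_ciphers: "{{ tls_ciphers }}"` depends on a `tls_ciphers` variable the role does not define (the removed default referenced it too), and the template's `{% if dovecot_tls_ciphers %}` guard does not help when it is undefined — rendering 10-ssl.conf fails instead of falling back to dovecot's default list. Either document it here, `# requires a play-level tls_ciphers variable (same as the pre-preset default)`, or use `"{{ tls_ciphers | default('') }}"` so the guard comments the setting out. The file should also state that it reproduces the role's former settings (TLSv1.1 included) so readers know why it is the default, and that on buster the former `ssl_dh_parameters_length = 4096` is approximated by ffdhe4096.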
-- 
GitLab