Merge branch 'master' of chaos:git/wolfscloud

dovecot/templates/conf.d/10-ssl.conf.j2

@@ -46,10 +46,12 @@ ssl_key = <{{ ssl_key }}
 ssl_dh_parameters_length = 4096
 
 # SSL protocols to use
-ssl_protocols = !SSLv3
+ssl_protocols = TLSv1.1 TLSv1.2 !SSLv3
 
 # SSL ciphers to use
-ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!SHA1
+#ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!SHA1
+#Supported Ciphers downto Android 2.3
+ssl_cipher_list = {{ tls_ciphers }}
 
 # Prefer the server's order of ciphers over client's.
 ssl_prefer_server_ciphers = yes

postfix/handlers/main.yml

@@ -3,6 +3,9 @@
 - name: restart postfix
   service: name=postfix state=restarted
 
+- name: restart memcached
+  service: name=memcached state=restarted
+
 - name: postmap system
   command: postalias cdb:/etc/aliases
 

postfix/tasks/main.yml

@@ -35,6 +35,14 @@
     - postfix
     - mail
 
+- name: ensure memcached config is present
+  template: src=templates/memcached.conf.j2 dest=/etc/memcached.conf
+  notify:
+    - restart memcached
+  tags:
+    - postfix
+    - mail
+    
 - name: ensure system alias database is present
   template: src=templates/aliases.j2 dest=/etc/aliases
   notify:

postfix/templates/main.cf.j2

@@ -29,6 +29,15 @@ smtpd_tls_auth_only=yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
+#ciphers supported downto android 2.3
+smtpd_tls_mandatory_protocols = !TLSv1 !SSLv2, !SSLv3
+smtpd_tls_protocols = !TLSv1 !SSLv2 !SSLv3
+smtpd_tls_mandatory_ciphers=high
+tls_high_cipherlist = {{ tls_ciphers }}
+smtpd_tls_eecdh_grade=ultra
+
+
+
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
 smtpd_sasl_type = dovecot

postfix/templates/memcached.conf.j2

+# memcached default config file
+# 2003 - Jay Bonci <jaybonci@debian.org>
+# This configuration file is read by the start-memcached script provided as
+# part of the Debian GNU/Linux distribution.
+
+# Run memcached as a daemon. This command is implied, and is not needed for the
+# daemon to run. See the README.Debian that comes with this package for more
+# information.
+-d
+
+# Log memcached's output to /var/log/memcached
+logfile /var/log/memcached.log
+
+# Be verbose
+# -v
+
+# Be even more verbose (print client commands as well)
+# -vv
+
+# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
+# Note that the daemon will grow to this size, but does not start out holding this much
+# memory
+-m 64
+
+# Default connection port is 11211
+-p 11211
+
+# Run the daemon as root. The start-memcached will default to running as root if no
+# -u command is present in this config file
+-u memcache
+
+# Specify which IP address to listen on. The default is to listen on all IP addresses
+# This parameter is one of the only security measures that memcached has, so make sure
+# it's listening on a firewalled interface.
+-l {{ tinc_vpnip }}
+
+# Limit the number of simultaneous incoming connections. The daemon default is 1024
+# -c 1024
+
+# Lock down all paged memory. Consult with the README and homepage before you do this
+# -k
+
+# Return error when memory is exhausted (rather than removing items)
+# -M
+
+# Maximize core file limit
+# -r

postfix/templates/postscreen_cache.j2

@@ -4,7 +4,7 @@
 
 {% for partner in groups['mail'] %}
 {% if partner != ansible_hostname %}
-memcache = inet::{{hostvars[partner]["tinc_vpnip"]}}11211
+memcache = inet:{{hostvars[partner]["tinc_vpnip"]}}:11211
 {% endif %}
 {% endfor %}