From f026e3a166e9b153ad58d170b0d52030cfb10934 Mon Sep 17 00:00:00 2001
From: Tunui Franken
Date: Sat, 1 Feb 2025 22:06:10 +0100
Subject: [PATCH] [mailserver] Disable plain imap (143)

---
 .../files/nftables/input.d/imap-imaps.conf | 1 -
 roles/mailserver_dovecot/tasks/main.yml | 21 +++++++++++++------
 .../templates/nftables/input.d/imaps.conf.j2 | 3 +++
 .../nftables/input.d/managesieve.conf.j2} | 2 ++
 4 files changed, 20 insertions(+), 7 deletions(-)
 delete mode 100644 roles/mailserver_dovecot/files/nftables/input.d/imap-imaps.conf
 create mode 100644 roles/mailserver_dovecot/templates/nftables/input.d/imaps.conf.j2
 rename roles/mailserver_dovecot/{files/nftables/input.d/managesieve.conf => templates/nftables/input.d/managesieve.conf.j2} (70%)

diff --git a/roles/mailserver_dovecot/files/nftables/input.d/imap-imaps.conf b/roles/mailserver_dovecot/files/nftables/input.d/imap-imaps.conf
deleted file mode 100644
index 9e70423..0000000
--- a/roles/mailserver_dovecot/files/nftables/input.d/imap-imaps.conf
+++ /dev/null
@@ -1 +0,0 @@
-tcp dport {143, 993} accept comment "Allow IMAP/IMAPS from all"
diff --git a/roles/mailserver_dovecot/tasks/main.yml b/roles/mailserver_dovecot/tasks/main.yml
index 9fa3f76..07b7ca4 100644
--- a/roles/mailserver_dovecot/tasks/main.yml
+++ b/roles/mailserver_dovecot/tasks/main.yml
@@ -60,6 +60,15 @@
     group: vmail
     recurse: true
 
+- name: Disable plain imap inet_listener
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/dovecot/conf.d/10-master.conf
+    regexp: '^\s*#?port = 143'
+    line: ' port = 0'
+    insertafter: ' inet_listener imap {'
+  notify: Reload dovecot service
+
 - name: Add login to auth_mechanisms
   become: true
   ansible.builtin.lineinfile:
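Review bot: The new lineinfile task's `regexp: '^\s*#?port = 143'` has no end anchor and is not scoped to the `inet_listener imap` block, so it matches any line beginning with `port = 143` anywhere in 10-master.conf and lineinfile rewrites only the last such match; and if neither the regexp nor the `insertafter` pattern matches (for example because the packaged file's spacing differs), lineinfile falls back to appending `port = 0` at end of file, outside any block, and the notified Dovecot reload would then presumably fail on a parse error. At minimum anchor the pattern, `regexp: '^\s*#?port = 143\s*$'`, and consider a preceding check that the listener block exists; a more robust alternative is a small managed drop-in under conf.d that sets `service imap-login { inet_listener imap { port = 0 } }` instead of editing the packaged file in place — presumably a later include overrides the earlier one, verify against the deployed Dovecot version. A one-line why-comment would also help the next reader: `# port = 0 tells Dovecot not to listen; IMAP is only served over IMAPS (993)`. The task list continues outside this hunk.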
@@ -321,18 +330,18 @@
     - spam
     - ham
 
-- name: Allow incoming IMAP/IMAPS
+- name: Allow incoming IMAPS
   become: true
-  ansible.builtin.copy:
-    src: nftables/input.d/imap-imaps.conf
-    dest: /etc/nftables/input.d/imap-imaps.conf
+  ansible.builtin.template:
+    src: nftables/input.d/imaps.conf.j2
+    dest: /etc/nftables/input.d/imaps.conf
     mode: 0640
   notify: Reload nftables service
 
 - name: Allow incoming ManageSieve
   become: true
-  ansible.builtin.copy:
-    src: nftables/input.d/managesieve.conf
+  ansible.builtin.template:
+    src: nftables/input.d/managesieve.conf.j2
     dest: /etc/nftables/input.d/managesieve.conf
     mode: 0640
   notify: Reload nftables service
diff --git a/roles/mailserver_dovecot/templates/nftables/input.d/imaps.conf.j2 b/roles/mailserver_dovecot/templates/nftables/input.d/imaps.conf.j2
new file mode 100644
index 0000000..fd2bd1e
--- /dev/null
+++ b/roles/mailserver_dovecot/templates/nftables/input.d/imaps.conf.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+tcp dport 993 accept comment "Allow IMAPS from all"
diff --git a/roles/mailserver_dovecot/files/nftables/input.d/managesieve.conf b/roles/mailserver_dovecot/templates/nftables/input.d/managesieve.conf.j2
similarity index 70%
rename from roles/mailserver_dovecot/files/nftables/input.d/managesieve.conf
rename to roles/mailserver_dovecot/templates/nftables/input.d/managesieve.conf.j2
index ff7da44..ada466f 100644
--- a/roles/mailserver_dovecot/files/nftables/input.d/managesieve.conf
+++ b/roles/mailserver_dovecot/templates/nftables/input.d/managesieve.conf.j2
@@ -1 +1,3 @@
+# {{ ansible_managed }}
+
 tcp dport 4190 accept comment "Allow ManageSieve from all"
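Review bot: Changing `dest` to `/etc/nftables/input.d/imaps.conf` leaves the previously deployed `/etc/nftables/input.d/imap-imaps.conf` untouched on hosts provisioned before this commit, so the `{143, 993}` accept rule that the first hunk deletes from the repository presumably keeps being loaded from the input.d directory there, and port 143 stays open in the firewall on exactly the hosts this commit means to close it on. Add a task that removes the stale rule file and notifies the same nftables handler, so the reload picks up the removal together with the new imaps.conf. The surrounding task list continues outside this hunk.
```yaml
- name: Remove obsolete IMAP/IMAPS nftables rule file
  become: true
  ansible.builtin.file:
    path: /etc/nftables/input.d/imap-imaps.conf
    state: absent
  notify: Reload nftables service

# … unchanged: Allow incoming IMAPS and Allow incoming ManageSieve template tasks …
```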