Make a clean distinction between Debian 7 and Debian 8.  Anticipate the
next Ubuntu LTS release (Xenial) that is planned for support.

Take changes to the tomcat6 default configuration and apply to tomcat7
configuration.  This was done by review of the diff between sovereign's
tomcat6 configuration and the default tomcat7 configuration.

The package solr installs and uses tomcat7.  Installing tomcat8 appears
to be a mistake for Debian Jessie.

Avoid using the Include directive.  Move most of the SSL configuration
to the global configuration and leave enabling the SSL engine to each
virtual host that wants to use it.

resolves #453

Conflicts:
	roles/common/tasks/ufw.yml

This reverts commit 6b53da4bdc.

Using a different approach to maintain wheezy compatibility

Resolves #400.

Resolves #402.

Resolves #410.

 * fix mail_db_opendmarc_username/mail_db_opendmarc_password variable
   not found.
 * python-mysqldb package is required. Add it to opendmarc task.

For correct implementation of the fix for logjam attack (https://github.com/sovereign/sovereign/pull/372), state=latest is needed to grab sufficient version of Dovecot. If not then 37aa7e2cb5 doesn't work.

See https://wiki.mozilla.org/Security/Server_Side_TLS for details.
Removes RC4 cipher. Fixes issue #341.
Also explicitly disabled SSLCompression and enables OCSP stapling.

We should put all these settings in
/etc/apache2/mods-enabled/ssl.conf
to avoid duplication...

(on Debian Jessie, Ubuntu Trusty or older distributions such as
Debian Wheezy and Ubuntu Precise).

relates to pull request #372

Resolves #363.

Addresses #362.

ahbl is no longer being maintained and has been configured to return a
positive value for every host.  This means I get a cron warning every
day reporting that my mailserver is in ircbl.ahbl.org and
dnsbl.ahbl.org.

lukecyca/check-rbl#1 has removed ahbl from the blacklists that it
checks.  This just pulls in that change.

Unfortunately, ansible's get_url won't update files which have been
downloaded already unless you set force=yes, which will cause ansible to
pull down the file from github on every single run, which isn't really
acceptable.  I have filed ansible/ansible-modules-core#625 to ask that
get_url redownload if and only if the sha256sum differs.  In the
meantime, you have to manually delete /opt/check-rbl.pl before rerunning
ansible to pull in the update.  However, at least this will work fine
for new installs.

Related to #338 (though I don't know if it truly fixes it).

to mitigate POODLE vulnerability

Postfix: Disable SSLv2 and SSLv3 for 'mandatory SSL' mode connections to completely mitigate the POODLE issue.

Disable SSLv3 in Dovecot imap server to avoid POODLE vulnerability