Currently client email is submitted via ssmtp (port 465).  This has been
deprecated for years.  The correct way to submit email is via
submission (port 587).

This patch adds port 587 as a second and the default way of submitting
email for delivery.  Port 465 remains open for backwards compatibility
with existing clients.

This is done to suppress warnings from ansible-lint.

This patch restores sovereign's configuration of opendmarc.

An earlier commit started transitioning opendmarc to use postgres, but
this was incomplete.  This patch reverts that change and uses mysql for
the reporting database.

Other changes:

* Do not maintain a copy of the database import schema.  A copy is
  included in the distribution in /usr/share/doc, so that is used
  instead.
* The configuration file is replaced with the distribution's sample
  configuration.  A second patch will restore the actual configuration.
  This will make the changes easier to see if the default configuraton
  file changes in future versions of opendmarc.

Make a clean distinction between Debian 7 and Debian 8.  Anticipate the
next Ubuntu LTS release (Xenial) that is planned for support.

Take changes to the tomcat6 default configuration and apply to tomcat7
configuration.  This was done by review of the diff between sovereign's
tomcat6 configuration and the default tomcat7 configuration.

The package solr installs and uses tomcat7.  Installing tomcat8 appears
to be a mistake for Debian Jessie.

Avoid using the Include directive.  Move most of the SSL configuration
to the global configuration and leave enabling the SSL engine to each
virtual host that wants to use it.

resolves #453

Conflicts:
	roles/common/tasks/ufw.yml

This reverts commit 6b53da4bdc.

Using a different approach to maintain wheezy compatibility

resolves #453

Resolves #400.

Resolves #402.

Resolves #410.

 * fix mail_db_opendmarc_username/mail_db_opendmarc_password variable
   not found.
 * python-mysqldb package is required. Add it to opendmarc task.

For correct implementation of the fix for logjam attack (https://github.com/sovereign/sovereign/pull/372), state=latest is needed to grab sufficient version of Dovecot. If not then 37aa7e2cb5 doesn't work.

See https://wiki.mozilla.org/Security/Server_Side_TLS for details.
Removes RC4 cipher. Fixes issue #341.
Also explicitly disabled SSLCompression and enables OCSP stapling.

We should put all these settings in
/etc/apache2/mods-enabled/ssl.conf
to avoid duplication...