Kolab 3.2 - SASL unable to open Berkeley

Markus Bernhardt markus.bernhardt at me.com
Do Mai 15 11:13:25 CEST 2014


Hallo Uwe,

die Fehlermeldungen bezüglich SASL habe ich mir noch nicht angesehen.

Kannst Du mal bitte die folgenden Kommandos auf der Maschine absetzen:

SSL:
openssl s_client -showcerts -connect localhost:443
openssl s_client -showcerts -connect localhost:636
openssl s_client -showcerts -connect localhost:993
openssl s_client -showcerts -connect localhost:995

START TLS:
openssl s_client -showcerts -starttls smtp -connect localhost:25
openssl s_client -showcerts -starttls pop3 -connect localhost:110
openssl s_client -showcerts -starttls imap -connect localhost:143
openssl s_client -showcerts -starttls smtp -connect localhost:587

Du solltest überall die richtigen Zertifikate angezeigt bekommen.

Zusätzlich ist es übrigens eine gute Idee, die verwendeten Ciphers zu härten.

---

Ich kopiere Dir mal mein Installationsprotokoll ans Ende. Vielleicht hilft das ja. Wichtig dabei ist, dass wir intern Zertifikate unserer eigenen CA und nur für den extern erreichbaren SMTP (postfix) ein offizielles EssentialSSL-Zertifikat von Comodo verwenden. Also nicht wundern.

Cheers,
Markus

Kolab mit SSL absichern

Gruppe ssl-cert

[root at mail ~]# groupadd ssl-cert

[root at mail ~]# usermod -a -G ssl-cert mail

[root at mail ~]# usermod -a -G ssl-cert postfix

[root at mail ~]# usermod -a -G ssl-cert cyrus

Install certs

[root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ CA/keys-renamed/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key /etc/pki/tls/private/

[root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ CA/keys-renamed/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt /etc/pki/tls/certs/

[root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Root\ CA/keys-renamed/SCMB-GmbH-Root-CA.crt /etc/pki/tls/certs/

[root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ CA/keys-renamed/SCMB-GmbH-Intranet-CA.crt /etc/pki/tls/certs/

Build bundles

[root at mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*.crt /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key > /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.bundle.pem

[root at mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*CA.*.crt > /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.chain.pem

Fix rights

[root at mail ~]# chown root:ssl-cert /etc/pki/tls/private/SCMB-*

[root at mail ~]# chmod 440 /etc/pki/tls/private/SCMB-*

CA bundle

[root at mail ~]# cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.orig

[root at mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*CA.crt >> /etc/pki/tls/certs/ca-bundle.crt

Cyrus IMAPD

[root at mail ~]# sed -r -i -e 's|^tls_cert_file:.*|tls_cert_file: /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt|g' -e 's|^tls_key_file:.*|tls_key_file: /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key|g' -e 's|^tls_ca_file:.*|tls_ca_file: /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.chain.pem|g' /etc/imapd.conf

[root at mail ~]# service cyrus-imapd restart

[root at mail ~]# openssl s_client -showcerts -connect localhost:993

Postfix

[root at mail ~]# postconf -e smtpd_tls_key_file=/etc/pki/tls/private/EssentialSSLCA-2-mail.scmb.de.key

[root at mail ~]# postconf -e smtpd_tls_cert_file=/etc/pki/tls/certs/EssentialSSLCA-2-mail.scmb.de.crt

[root at mail ~]# postconf -e smtpd_tls_CAfile=/etc/pki/tls/certs/EssentialSSLCA-2.chain.pem

[root at mail ~]# service postfix restart

Apache

[root at mail ~]# certutil -d /etc/httpd/alias -A  -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.crt -n "SCMB GmbH Intranet Certification Authority"

[root at mail ~]# certutil -d /etc/httpd/alias -A  -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Root-CA.crt -n "SCMB GmbH Root Certification Authority"

[root at mail ~]# certutil -D -d /etc/httpd/alias -n "Server-Cert"

[root at mail ~]# openssl pkcs12 -export -in /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt -inkey /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key -out /tmp/example.p12 -name Server-Cert -passout pass:foo

[root at mail ~]# echo "foo" > /tmp/foo

[root at mail ~]# pk12util -i /tmp/example.p12 -d /etc/httpd/alias -w /tmp/foo -k /dev/null

[root at mail ~]# rm /tmp/foo

[root at mail ~]# rm /tmp/example.p12

[root at mail ~]# certutil -L -d /etc/httpd/alias

[root at mail ~]# certutil -V -u V -d /etc/httpd/alias -n "Server-Cert"

[root at mail ~]# sed -i -e 's/8443/443/' /etc/httpd/conf.d/nss.conf

[root at mail ~]# cat >> /etc/httpd/conf/httpd.conf << EOF

 

<VirtualHost _default_:80>

    RewriteEngine On

    RewriteRule ^(.*)$ https://%{HTTP_HOST}\$1 [R=301,L]

</VirtualHost>

EOF

[root at mail ~]# service httpd restart

[root at mail ~]# openssl s_client -showcerts -connect localhost:443

389 Directory Server

[root at mail ~]# certutil -d /etc/dirsrv/slapd-mail/ -A  -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.crt -n "SCMB GmbH Intranet Certification Authority"

[root at mail ~]# certutil -d /etc/dirsrv/slapd-mail/ -A  -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Root-CA.crt -n "SCMB GmbH Root Certification Authority"

[root at mail ~]# openssl pkcs12 -export -in /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt -inkey /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key -out /tmp/example.p12 -name Server-Cert -passout pass:foo

[root at mail ~]# echo "foo" > /tmp/foo

[root at mail ~]# pk12util -i /tmp/example.p12 -d /etc/dirsrv/slapd-mail/ -w /tmp/foo -k /dev/null

[root at mail ~]# rm /tmp/foo

[root at mail ~]# rm /tmp/example.p12

[root at mail ~]# certutil -L -d /etc/dirsrv/slapd-mail/

[root at mail ~]# ldapmodify -x -h localhost -p 389     -D "cn=Directory Manager" -W

Enter LDAP Password:

dn: cn=encryption,cn=config

changetype: modify

replace: nsSSL3

nsSSL3: on

-

replace: nsSSLClientAuth

nsSSLClientAuth: allowed

-

add: nsSSL3Ciphers

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,

 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,

 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,

 +tls_rsa_export1024_with_des_cbc_sha

 

dn: cn=config

changetype: modify

add: nsslapd-security

nsslapd-security: on

-

replace: nsslapd-ssl-check-hostname

nsslapd-ssl-check-hostname: off

-

replace: nsslapd-secureport

nsslapd-secureport: 636

 

dn: cn=RSA,cn=encryption,cn=config

changetype: add

objectclass: top

objectclass: nsEncryptionModule

cn: RSA

nsSSLPersonalitySSL: Server-Cert

nsSSLToken: internal (software)

nsSSLActivation: on

 

[root at mail ~]# openssl s_client -showcerts -connect localhost:636

[root at mail ~]# ldapsearch -x -H ldap://localhost -b "cn=kolab,cn=config" -D "cn=Directory Manager" -W

Harden SSL Ciphers

[root at mail ~]# grep NSSCipherSuite /etc/httpd/conf.d/nss.conf

NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,-ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,-ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,-ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha

 

[root at mail ~]# service httpd restart

[root at mail ~]# sslscan --no-failed localhost:443

 

[root at mail ~]# ldapmodify -x -h localhost -p 389     -D "cn=Directory Manager" -W

Enter LDAP Password:

dn: cn=encryption,cn=config

changetype: modify

replace: nsSSL3

nsSSL3: off

-

replace: nsSSL2

nsSSL2: off

-

replace: nsSSL3Ciphers

nsSSL3Ciphers: -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha

[root at mail ~]# service dirsrv restart

[root at mail ~]# sslscan --no-failed localhost:636

 

[root at mail ~]# grep tls_cipher /etc/imapd.conf

tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH

[root at mail ~]# service cyrus-imapd restart

[root at mail ~]# sslscan --no-failed localhost:993

Kolab CLI

[root at mail ~]# sed -r -i -e '/api_url/d' -e "s#\[kolab_wap\]#[kolab_wap]\napi_url = https://mail.intranet.scmb.de/kolab-webadmin/api#g" /etc/kolab/kolab.conf

Roundcube

[root at mail ~]# sed -i -e '/kolab_ssl/d' /etc/roundcubemail/libkolab.inc.php

[root at mail ~]# sed -i -e 's/http:/https:/' /etc/roundcubemail/kolab_files.inc.php

[root at mail ~]# sed -i -e '/^?>/d' /etc/roundcubemail/config.inc.php

[root at mail ~]# cat >> /etc/roundcubemail/config.inc.php << EOF

\$config['kolab_http_request'] = array(

        'ssl_verify_peer'       => true,

        'ssl_verify_host'       => true,

        'ssl_cafile'            => '/etc/pki/tls/certs/ca-bundle.crt'

);

EOF

[root at mail ~]# cat >> /etc/roundcubemail/config.inc.php << EOF

\$config['calendar_caldav_url']             = "https://mail.intranet.scmb.de/iRony/calendars/%u/%i";

\$config['kolab_addressbook_carddav_url']   = 'https://mail.intranet.scmb.de/iRony/addressbooks/%u/%i';

EOF

 

Fix indenting and php close tag at the end of /etc/roundcubemail/config.inc.php!

 

ipTables

[root at mail ~]# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

#-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT

#-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT

#-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dpo