Kolab 3.2 - SASL unable to open Berkeley

IG BEB GmbH (Herr Treber) treber at beb-weimar.de
Do Mai 15 11:41:06 CEST 2014


Hallo Markus,
danke für die Info. War des Suchens leid und bin
gerade an einer Neuinstallation.
Wollte Kolab erstmal im LAN nutzen und nicht nach außen
öffnen (außer die Ports für Mailempfang und -versand).
Braucht man dafür eigene Zertifikate oder sind welche in der
Grundinstallation von Kolab vorhanden? Was sollte von deinen
Angaben installiert werden?
Steh da ein bissel auf dem Schlauch.

Uwe

Am 15.05.2014 11:13, schrieb Markus Bernhardt:
> Hallo Uwe,
>
> die Fehlermeldungen bezüglich SASL habe ich mir noch nicht angesehen.
>
> Kannst Du mal bitte die folgenden Kommandos auf der Maschine absetzen:
>
> SSL:
> openssl s_client -showcerts -connect localhost:443
> openssl s_client -showcerts -connect localhost:636
> openssl s_client -showcerts -connect localhost:993
> openssl s_client -showcerts -connect localhost:995
>
> START TLS:
> openssl s_client -showcerts -starttls smtp -connect localhost:25
> openssl s_client -showcerts -starttls pop3 -connect localhost:110
> openssl s_client -showcerts -starttls imap -connect localhost:143
> openssl s_client -showcerts -starttls smtp -connect localhost:587
>
> Du solltest überall die richtigen Zertifikate angezeigt bekommen.
>
> Zusätzlich ist es übrigens eine gute Idee, die verwendeten Ciphers zu
> härten.
>
> ---
>
> Ich kopier Dir mal mein Installationsprotokoll ans Ende. Vielleicht
> hilft das ja. Wichtig dabei ist, dass wir intern Zertifikate unserer
> eigenen CA und nur für den extern erreichbaren SMTP (postfix) ein
> offizielles EssentialSSL-Zertifikat von Comodo verwenden. Also nicht
> wundern.
>
> Cheers,
> Markus
>
>
>   Kolab mit SSL absichern
>
>
>     Gruppe ssl-cert
>
> [root at mail ~]# groupadd ssl-cert
>
> [root at mail ~]# usermod -a -G ssl-cert mail
>
> [root at mail ~]# usermod -a -G ssl-cert postfix
>
> [root at mail ~]# usermod -a -G ssl-cert cyrus
>
>
>     Install certs
>
> [root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ 
> CA/keys-renamed/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key 
> /etc/pki/tls/private/
>
> [root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ 
> CA/keys-renamed/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt 
> /etc/pki/tls/certs/
>
> [root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Root\ 
> CA/keys-renamed/SCMB-GmbH-Root-CA.crt /etc/pki/tls/certs/
>
> [root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ 
> CA/keys-renamed/SCMB-GmbH-Intranet-CA.crt /etc/pki/tls/certs/
>
>
>     Build bundles
>
> [root at mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*.crt 
> /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key > 
> /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.bundle.pem
>
> [root at mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*CA.*.crt > 
> /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.chain.pem
>
>
>     Fix rights
>
> [root at mail ~]# chown root:ssl-cert /etc/pki/tls/private/SCMB-*
>
> [root at mail ~]# chmod 440 /etc/pki/tls/private/SCMB-*
>
>
>     CA bundle
>
> [root at mail ~]# cp /etc/pki/tls/certs/ca-bundle.crt 
> /etc/pki/tls/certs/ca-bundle.crt.orig
>
> [root at mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*CA.crt >> 
> /etc/pki/tls/certs/ca-bundle.crt
>
>
>     Cyrus IMAPD
>
> [root at mail ~]# sed -r -i -e 's|^tls_cert_file:.*|tls_cert_file: 
> /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt|g' 
> -e 's|^tls_key_file:.*|tls_key_file: 
> /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key|g' -e 
> 's|^tls_ca_file:.*|tls_ca_file: 
> /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.chain.pem|g' /etc/imapd.conf
>
> [root at mail ~]# service cyrus-imapd restart
>
> [root at mail ~]# openssl s_client -showcerts -connect localhost:993
>
>
>     Postfix
>
> [root at mail ~]# postconf -e 
> smtpd_tls_key_file=/etc/pki/tls/private/EssentialSSLCA-2-mail.scmb.de.key
>
> [root at mail ~]# postconf -e 
> smtpd_tls_cert_file=/etc/pki/tls/certs/EssentialSSLCA-2-mail.scmb.de.crt
>
> [root at mail ~]# postconf -e 
> smtpd_tls_CAfile=/etc/pki/tls/certs/EssentialSSLCA-2.chain.pem
>
> [root at mail ~]# service postfix restart
>
>
>     Apache
>
> [root at mail ~]# certutil -d /etc/httpd/alias -A  -t "CT,," -i 
> /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.crt -n "SCMB GmbH Intranet 
> Certification Authority"
>
> [root at mail ~]# certutil -d /etc/httpd/alias -A  -t "CT,," -i 
> /etc/pki/tls/certs/SCMB-GmbH-Root-CA.crt -n "SCMB GmbH Root 
> Certification Authority"
>
> [root at mail ~]# certutil -D -d /etc/httpd/alias -n "Server-Cert"
>
> [root at mail ~]# openssl pkcs12 -export -in 
> /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt 
> -inkey 
> /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key 
> -out /tmp/example.p12 -name Server-Cert -passout pass:foo
>
> [root at mail ~]# echo "foo" > /tmp/foo
>
> [root at mail ~]# pk12util -i /tmp/example.p12 -d /etc/httpd/alias -w 
> /tmp/foo -k /dev/null
>
> [root at mail ~]# rm /tmp/foo
>
> [root at mail ~]# rm /tmp/example.p12
>
> [root at mail ~]# certutil -L -d /etc/httpd/alias
>
> [root at mail ~]# certutil -V -u V -d /etc/httpd/alias -n "Server-Cert"
>
> [root at mail ~]# sed -i -e 's/8443/443/' /etc/httpd/conf.d/nss.conf
>
> [root at mail ~]# cat >> /etc/httpd/conf/httpd.conf << EOF
>
> <VirtualHost _default_:80>
>
>     RewriteEngine On
>
> RewriteRule ^(.*)$ https://%{HTTP_HOST}\$1 [R=301,L]
>
> </VirtualHost>
>
> EOF
>
> [root at mail ~]# service httpd restart
>
> [root at mail ~]# openssl s_client -showcerts -connect localhost:443
>
>
>     389 Directory Server
>
> [root at mail ~]# certutil -d /etc/dirsrv/slapd-mail/ -A  -t "CT,," -i 
> /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.crt -n "SCMB GmbH Intranet 
> Certification Authority"
>
> [root at mail ~]# certutil -d /etc/dirsrv/slapd-mail/ -A  -t "CT,," -i 
> /etc/pki/tls/certs/SCMB-GmbH-Root-CA.crt -n "SCMB GmbH Root 
> Certification Authority"
>
> [root at mail ~]# openssl pkcs12 -export -in 
> /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt 
> -inkey 
> /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key 
> -out /tmp/example.p12 -name Server-Cert -passout pass:foo
>
> [root at mail ~]# echo "foo" > /tmp/foo
>
> [root at mail ~]# pk12util -i /tmp/example.p12 -d /etc/dirsrv/slapd-mail/ 
> -w /tmp/foo -k /dev/null
>
> [root at mail ~]# rm /tmp/foo
>
> [root at mail ~]# rm /tmp/example.p12
>
> [root at mail ~]# certutil -L -d /etc/dirsrv/slapd-mail/
>
> [root at mail ~]# ldapmodify -x -h localhost -p 389     -D "cn=Directory 
> Manager" -W
>
> Enter LDAP Password:
>
> dn: cn=encryption,cn=config
>
> changetype: modify
>
> replace: nsSSL3
>
> nsSSL3: on
>
> -
>
> replace: nsSSLClientAuth
>
> nsSSLClientAuth: allowed
>
> -
>
> add: nsSSL3Ciphers
>
> nsSSL3Ciphers: 
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>
>  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
>
>  +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
>
>  +tls_rsa_export1024_with_des_cbc_sha
>
> dn: cn=config
>
> changetype: modify
>
> add: nsslapd-security
>
> nsslapd-security: on
>
> -
>
> replace: nsslapd-ssl-check-hostname
>
> nsslapd-ssl-check-hostname: off
>
> -
>
> replace: nsslapd-secureport
>
> nsslapd-secureport: 636
>
> dn: cn=RSA,cn=encryption,cn=config
>
> changetype: add
>
> objectclass: top
>
> objectclass: nsEncryptionModule
>
> cn: RSA
>
> nsSSLPersonalitySSL: Server-Cert
>
> nsSSLToken: internal (software)
>
> nsSSLActivation: on
>
> [root at mail ~]# openssl s_client -showcerts -connect localhost:636
>
> [root at mail ~]# ldapsearch -x -H ldap://localhost -b 
> "cn=kolab,cn=config" -D "cn=Directory Manager" -W
>
>
>     Harden SSL Ciphers
>
> [root at mail ~]# grep NSSCipherSuite /etc/httpd/conf.d/nss.conf
>
> NSSCipherSuite 
> -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,-ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,-ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,-ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
>
> [root at mail ~]# service httpd restart
>
> [root at mail ~]# sslscan --no-failed localhost:443
>
> [root at mail ~]# ldapmodify -x -h localhost -p 389     -D "cn=Directory 
> Manager" -W
>
> Enter LDAP Password:
>
> dn: cn=encryption,cn=config
>
> changetype: modify
>
> replace: nsSSL3
>
> nsSSL3: off
>
> -
&