CentOS6 & Kolab3.2 Fresh install

jonte+kolab at yojimbo.org jonte+kolab at yojimbo.org
Sun Aug 10 14:52:18 CEST 2014


Hi there,

I'm sort of new here and thought I would drop by and give an thumbs up for a very nicely run project. While I haven't really done much the project caught my eye about 6 month ago while looking for something suitable for an friend to run. Having used Roundcube Mail for a very long time it dropped by there and that's how I found this place.
For the first couple of months I just read the docs, then in may I tried building an test machine for the first time and ehmm nope that didn't work. Was the broken cyrus, so installing from the devel tree got the system running but it still lacked the resource management I saw in the docs but couldn't figure out why it wasn't working. 

Last week I had another look and wow 3.3 is in beta, here is the resource management... ehmm for CentOS that didn't work, Roundcube just didn't startup.  OH and the kolab-webadmin-3.2-5.el6.kolab_3.3.noarch.rpm is unsigned. oh well it's a beta.

So here are a few observation, but without running an actual machine in production of course, and yea it's CentOS

3.2 works very well with the default install, both the Cyrus imapd issue and the clamd.amavisd now installs without having to patch the setup script or using beta packages.
For some reason the documentation still say that selinux have to be turned off, this is possibly the case, but the https://github.com/kanarip/kolab-selinux got it almost right.
I turn on both 
/usr/sbin/setsebool -P httpd_can_sendmail on # Cyres etc most things email
/usr/sbin/setsebool -P httpd_can_network_connect on # Filters in Roundmail
As for the kolab.te file, it's slightly wrong probably due to the time since it was updated, I needed to change one line to add the initrc_t type. 
#============= cyrus_t ==============
allow cyrus_t initrc_t:unix_stream_socket connectto;
Finally I added mod_security, since its after all a web server, so the http application firewall seems to fit very nicely for an security conscious individual ( reads: paranoid ).
yum -y install mod_security mod_security_crs mod_security_crs-extras
You probably don't need extras, but I was playing around. Ah the pain. Anyway, 2 things really needs adjusted:

To enable active sync, find id 900012 in
/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
add: application/vnd.ms-sync.wbxm

Or you can add the following to the file /etc/httpd/conf.d/kolab-syncroton.conf
<LocationMatch "^/Microsoft-Server-ActiveSync">
  SecRuleRemoveById 960010
  SecRuleRemoveById 960017 
</LocationMatch>
For the WAP pages, you need to add the following to the file /etc/httpd/conf.d/kolab-webadmin.conf
<LocationMatch "^/kolab-webadmin/.*">
  SecRuleRemoveById 950007
  SecRuleRemoveById 960011
  SecRuleRemoveById 960015
  SecRuleRemoveById 960024
  SecRuleRemoveById 981173
  SecRuleRemoveById 981243
  SecRuleRemoveById 981245
  SecRuleRemoveById 981246
  SecRuleRemoveById 981257
</LocationMatch>
And now everything seems to work. If you're going to play around with mod_security, please know what your doing, it's an pain to figure out what's wrong. I cheated and used 
http://www.samhobbs.co.uk/2014/05/apache-modsecurity-whitelist-generator-script to track down which modules where venerable, and it would probably be best if the mechanism didn't trigger these alerts, but I'm not an developer so it's probably safe. 

In conclusion I'm looking forward to 3.3 with the resource module coming out of beta and being released. Keep up the good work and keep your SElinux enabled. 

Cheers,
     Jonte.
 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kolab.org/pipermail/users/attachments/20140810/a1b9ad89/attachment.html>


More information about the users mailing list