Securing Kolab 16 on Centos 7 howto questions - plus GUAM is broken

kolab.user at use.startmail.com
Wed Mar 30 16:45:35 CEST 2016


Hi Chris,

Documentation did help a lot. I ended up with

tls_config, [
    { keyfile, "/etc/pki/tls/private/server.key" },
    { certfile, "/etc/pki/tls/certs/server-bundle.crt" },
    { cacertfile, "/etc/pki/tls/certs/server-bundle.crt" }
]

where server-bundle.crt is

cat server.crt 1_Intermediate.crt > server-bundle.crt

since the same bundle is used in some other places and I wanted to minimize the number of files to maintain.

The Securing Kolab HOWTO is a very good starting point but desperately needs an update.

Regards,
Josh.
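
A sanity check for a bundle built with the `cat` command above, as an added example that is not part of the original message: it confirms that the first certificate in the bundle matches the private key and that each certificate names the next one as its issuer. It assumes the `openssl` CLI is installed; the function names, the `mail.example.org` name and the throwaway certificates are constructed for the demo.

```shell
# Added example (not from the thread): checks for a leaf-first PEM bundle.

# Write each certificate of <bundle> to <outdir>/cert1.pem, cert2.pem, ...
split_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/cert" n ".pem") }' "$1"
}

# True if the FIRST certificate in <bundle> holds the public key of <keyfile>.
key_matches_bundle() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if each certificate names the following one as its issuer
# (name comparison only, signatures are not verified here).
chain_order_ok() {
    d=$(mktemp -d) || return 2
    split_bundle "$1" "$d"
    i=1; rc=0; [ -f "$d/cert1.pem" ] || rc=1
    while [ -f "$d/cert$((i + 1)).pem" ]; do
        iss=$(openssl x509 -in "$d/cert$i.pem" -noout -issuer -nameopt RFC2253)
        sub=$(openssl x509 -in "$d/cert$((i + 1)).pem" -noout -subject -nameopt RFC2253)
        [ "${iss#issuer=}" = "${sub#subject=}" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$d"
    return $rc
}

# Build a constructed, throwaway root -> intermediate -> server chain in <dir>.
make_demo_pki() {
    ( cd "$1" || exit 1
      k="-newkey rsa:2048 -nodes"; sign="openssl x509 -req -days 1 -CAcreateserial"
      openssl req -x509 $k -days 1 -subj "/CN=Constructed Root" -keyout root.key -out root.crt
      openssl req $k -subj "/CN=Constructed Intermediate" -keyout int.key -out int.csr
      $sign -in int.csr -CA root.crt -CAkey root.key -out 1_Intermediate.crt
      openssl req $k -subj "/CN=mail.example.org" -keyout server.key -out server.csr
      $sign -in server.csr -CA 1_Intermediate.crt -CAkey int.key -out server.crt
    ) >/dev/null 2>&1
}

# Demo: build the bundle exactly as in the message, then check it.
tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
bundle="$tmp/server-bundle.crt"
cat "$tmp/server.crt" "$tmp/1_Intermediate.crt" > "$bundle"
key_matches_bundle "$bundle" "$tmp/server.key" && chain_order_ok "$bundle" \
    && echo "bundle OK: leaf first, key matches" || echo "bundle BROKEN" >&2
```

On a real host, call the two check functions with the deployed bundle and key paths instead of the demo files.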

On Wednesday, March 30, 2016 6:14 AM, Chris Fleming <me at chrisfleming.org> wrote:
> On Wed, Mar 30, 2016 at 12:05:28AM -0400, kolab.user at use.startmail.com
> wrote:
>> Any guam developers on this list?
>>
>> It appears that guam completely ignores chained certificates, e.g. free
>> ones obtained from startssl.com, mentioned in a secure-kolab-server.html
>> HOWTO
>>
>> Seems like the only way to get around it quickly is to disable listener
>> on 993 and use stunnel from 993 to 143.
>>
>> Any other ideas?
> 
> Have to admit, I'm very tempted to bypass guam, as it's very crashy, but
> have currently compromised
> on restarting it once a day... but I did manage to get ssl working.
> 
> As guam is written in erlang, the actual place to look for the
> configuration options is the
> erlang documentation:
> http://erlang.org/doc/man/ssl.html
> 
> I am using letsencrypt and have the listener configuration below:
> 
> 
> 	imap, [
> 		{ port, 143 },
> 		{ imap_server, imaps },
> 		{
> 			rules, [
> 				{ filter_groupware, [] }
> 			]
> 		},
> 		{
> 			tls_config, [
> 				{ certfile, "/etc/letsencrypt/live/server.name/cert.pem"},
> 				{  keyfile, "/etc/letsencrypt/live/server.name/privkey.pem"},
> 				{  cacertfile, "/etc/letsencrypt/live/server.name/chain.pem"}
> 			]
> 		}
> 	]
> 
>>
>> Could I just remove guam and change imaps from 9993 to 993? What does
>> guam do?
> 
> My understanding is that guam acts as smart filter, filtering out the
> groupware folders
> from clients that don't use them. This is handy as it stops a user from
> deleting them.
> 
> Cheers
> Chris
> 
>> On Tuesday, February 23, 2016 6:12 PM, Winfried Ritsch
>> <ritsch at algo.mur.at> wrote:
>> > Hello,
>> >
>> > I just set up a Kolab 16 on dedicated Centos 7.0  VM following mostly
>> the
>> > installation guides and
>> > it seems to work nicely, thanks for all the effort.
>> >
>> > Before I go public I want to secure my setup
>> >
>> > and trying to follow the HOWTO
>> >  https://docs.kolab.org/howtos/secure-kolab-server.html[1]
>> >  (this seems to be for kolab 3.4)
>> > some questions arose about what services to secure:
>> >
>> > Securing
>> >
>> >   a) Services which need a dedicated Certificate (for TLS)
>> >   b) Services which use internal certificates (for eg. localhost)
>> >   c) Services using unsecure connections (for speed)
>> >
>> > My vote:
>> >  All apache services  for a)
>> >  Mail transport postfix for a)
>> >
>> > Unknown:
>> >
>> > Since now guam is a proxy to cyrus-imapd:
>> >
>> > - Should proxy connection between cyrus and/or guam be secured ?
>> >
>> > - Securing cyrus managesieve connection ?
>> >
>> > - Manticore ?
>> >
>> > - any other suggestion ?
>> >
>> >
>> > thanks.
>> >
>> > mfG
>> >  Winfried ritsch
>> >
>> > --
>> > -
>> >  Winfried Ritsch - Atelier Algorythmics
>> >  Mobil: ++43-664-2439369
>> >  http://algo.mur.at/  email: ritsch _at_ algo.mur.at
>> > -
>> >
>> > --------
>> > [1] https://docs.kolab.org/howtos/secure-kolab-server.html
>> > _______________________________________________
>> > users mailing list
>> > users at lists.kolab.org
>> > https://lists.kolab.org/mailman/listinfo/users