<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div><br></div><br><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Hi Stuart,</div><div><br></div><div>Security is an elusive goal. The real difficulty is to present it in an easily understood form. From what I understand from Torsten and Jeroen who created the SElinux package one of the design goals is to be able to leave SElinux running. This in itself is a big win since SElinux prevents applications from being miss configured, but since it's hard to read the logs what most people do when they encounter a problem with there web or email process is to turn off the security for everything else.</div><div><i><b><br></b></i></div><div><i><b>mod_security</b></i> is the same, the logs are very detailed, but for a new person it's just not worth trying to understand whats wrong and how fix it. Once you figure out which rule you need to turn off most people can't judge if the rule is important or not. In other words, is the application broken or the rule just overreaching?</div><div><br></div><div>I left some things out from the update last night, <a href="https://docs.kolab.org/howtos/secure-kolab-server.html">https://docs.kolab.org/howtos/secure-kolab-server.html</a> is a good page, protect everything with encryption.</div><div>Don't open ports 119,143 and make sure you require TLS for port 389 access and allow it for port 25 but require it for relaying out bound emails. Make sure you support</div><div><br></div><div>I would like to play with <b>dogtag</b>, as client certificates is an very good way to tighten up access, but it's probably not low hanging fruit for everybody. </div><div><b>Fail2ban</b> is a good way to slow down brute force attacks and works very well for a range of logs ( web,imap,ssh ). </div><div><br></div><div>Jonte.</div><div><br></div><div><div>On 11/08/2014, at 4:47 AM, Stuart Naylor wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="font-family: Tahoma; font-size: 11px; "><div style="white-space: pre-wrap; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; text-indent: 0px; ">Jonte some great info there for this noob :)</div><p style="white-space: pre-wrap; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; text-indent: 0px; "> </p><div style="white-space: pre-wrap; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; text-indent: 0px; ">Being a noob I always get caught by security be it selinux, firewall or apache security.</div><div style="white-space: pre-wrap; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; text-indent: 0px; ">Would be great to have "setup-kolab-security" that does the security layer after you have a proven install.</div><p style="white-space: pre-wrap; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; text-indent: 0px; "> </p><div style="white-space: pre-wrap; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; text-indent: 0px; ">Stuart</div></span></blockquote></div><br></div></div><br></body></html>