<div dir="ltr"><div><div><div>Hi all,<br><br></div>I have a test lab with Kolab 3.4 Community installed on a CentOS 7 VM.<br><br></div>I became especially interested in how to secure my kolab-server and I was happy to find this How To: <a href="https://docs.kolab.org/howtos/secure-kolab-server.html">https://docs.kolab.org/howtos/secure-kolab-server.html</a><br><br></div><div>I could successfully implement SSL for Cyrus imapd, postfix and apache. Please note that you need to be careful with copying the 'postconf -e' commands directly from the wiki, as there is a high risk of bad formatting issues. I can propose a correction (see below).<br><br></div><div>So everything went well up to this point: *389 Directory Server*<br><br></div><div>Seriously, this part using 'ldapmodify' is awful. Be sure to note that there is a typo at the line "nsTLS1 on"; it should be "nsTLS1: on". Then I would advise using an .ldif in which you put all these configuration modifications. Then you can call it like this:<br><br>passwd=$(grep ^bind_pw /etc/kolab/kolab.conf | cut -d '=' -f2- | sed -e 's/\s*//g')<br>ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w "${passwd}"<b> -f /path/to/ldap.ldif</b><br></div><div><br></div><div>The reasons I am posting here are:<br></div><div>(1) Security is important<br></div><div>(2) This tutorial is a good start, but it's outdated and filled with small mistakes<br></div><div>(3) I couldn't make it work! And I'm afraid I broke my LDAP setup :(<br><br></div><div>When I ran the ldapmodify command (with or without the .ldif file, it doesn't matter), I'm not quite sure, but I think I got an error "unable to find object (32)" or something like this.
And now that I'm trying it again, block by block, I get a different error.<br><br>modifying entry "cn=config"<br>ldap_modify: Type or value exists (20)<br><br><br></div><div>Any LDAP expert around?<br></div><div><br></div><div>Thanks and best regards,<br></div><div>Marc<br></div><div><br></div><div>Correction for the postfix config commands:<br></div><div><pre># postconf -e smtpd_use_tls=yes
# postconf -e smtpd_tls_key_file=/etc/pki/tls/private/kolab-server.lan.dreamlab.net.key.pem
# postconf -e smtpd_tls_cert_file=/etc/pki/tls/certs/kolab-server.lan.dreamlab.net.cert.pem
# postconf -e smtpd_tls_CAfile=/etc/pki/tls/certs/dreamlab.net.ca-chain.pem
# postconf -e smtp_tls_mandatory_protocols='!SSLv2,!SSLv3'
# postconf -e smtp_tls_protocols='!SSLv2,!SSLv3'
# postconf -e smtpd_tls_mandatory_protocols='!SSLv3'
# postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'
# postconf -e smtpd_tls_mandatory_ciphers=high
# postconf -e smtpd_tls_eecdh_grade=ultra
# postconf -e tls_preempt_cipherlist=yes
# postconf -e tls_high_cipherlist='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
</pre>
</div></div>
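As an added example (not part of Marc's message or of the Kolab how-to), a small Python checker that parses `postconf -e` lines like the ones above and flags protocol lists that still allow SSLv2 or SSLv3, a cipher list that does not exclude weak suites, and a missing `smtpd_use_tls=yes`. The sample input is a constructed copy of the post's settings; on it the checker reports that `smtpd_tls_mandatory_protocols` excludes only SSLv3.

```python
"""Sanity-check `postconf -e` TLS settings for leftover weak protocols/ciphers.

Added example, not code from the original post or from Kolab. The policy
sets below are an assumed baseline; adjust them to your own requirements.
"""
import shlex
from typing import Dict, List, Set

# Protocols a hardened SMTP server should explicitly exclude (assumed policy).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-list tokens that should appear as '!TOKEN' (assumed policy).
WEAK_CIPHER_TOKENS = {"aNULL", "eNULL", "RC4", "MD5", "EXP", "LOW"}

# Constructed copy of the settings quoted in the post (prompt '#' included).
SAMPLE_POSTCONF = [
    "# postconf -e smtpd_use_tls=yes",
    "# postconf -e smtp_tls_mandatory_protocols='!SSLv2,!SSLv3'",
    "# postconf -e smtp_tls_protocols='!SSLv2,!SSLv3'",
    "# postconf -e smtpd_tls_mandatory_protocols='!SSLv3'",
    "# postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'",
    "# postconf -e tls_high_cipherlist='EECDH+aRSA+AESGCM:EECDH:+AES256:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:AES256-SHA'",
]

def parse_postconf_lines(lines: List[str]) -> Dict[str, str]:
    """Turn `# postconf -e key='value'` lines into {key: value}, shell-unquoted."""
    settings: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip().lstrip("#").strip()   # drop the '# ' prompt, if any
        if not line:
            continue
        argv = shlex.split(line)                  # handles the single quotes
        if argv[:2] != ["postconf", "-e"]:
            raise ValueError(f"not a 'postconf -e' line: {raw!r}")
        for kv in argv[2:]:                       # postconf -e accepts several k=v
            key, _, value = kv.partition("=")
            settings[key] = value
    return settings

def excluded_protocols(value: str) -> Set[str]:
    """Protocol names negated in a Postfix list such as '!SSLv2,!SSLv3'."""
    return {tok[1:] for tok in value.replace(",", " ").split() if tok.startswith("!")}

def check_tls(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for key, value in settings.items():
        if key.endswith(("_tls_protocols", "_tls_mandatory_protocols")):
            missing = DEPRECATED_PROTOCOLS - excluded_protocols(value)
            if missing:
                findings.append(f"{key}: does not exclude {sorted(missing)}")
    excluded = {t[1:] for t in settings.get("tls_high_cipherlist", "").split(":") if t.startswith("!")}
    findings += [f"tls_high_cipherlist: does not exclude !{w}" for w in sorted(WEAK_CIPHER_TOKENS - excluded)]
    if settings.get("smtpd_use_tls") != "yes":
        findings.append("smtpd_use_tls: TLS is not enabled for incoming SMTP")
    return findings

if __name__ == "__main__":
    for finding in check_tls(parse_postconf_lines(SAMPLE_POSTCONF)):
        print("WARN", finding)
```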