[Kolab-devel] Suggested documentation changes
Matthias Busch
catwiesel at gmx.net
Tue Sep 27 15:21:23 CEST 2016
Good day,
I hope I am correct here. I do have a few suggestions concerning the
Kolab Documentation, especially the SSL/TLS part at
https://docs.kolab.org/howtos/secure-kolab-server.html
You may have heard of LetsEncrypt, a free SSL cert service sponsored by
reputable people like the EFF.
You may also have heard of the coming sh*tstorm concerning Mozilla,
WoSign and StartCom (StartSSL).
Today I migrated my Kolab from StartSSL to LetsEncrypt - and it was less
painful than expected.
Oh, please read the last part under "optional" even if the
startssl/letsencrypt stuff is not relevant!
So I have a few suggestions:
- instead of using startssl certs, use letsencrypt certs
- we may even include a very basic "how to get the certs"
see: https://certbot.eff.org (1x wget, 1x chmod, 1x certbot-auto, 1x
adding to cron).
I had to use './certbot-auto certonly --webroot -w /var/www/ -d
www.domain.tld -d domain.tld' since my Apache (Debian 7) doesn't like
graceful reloads.
- building bundles is not required for letsencrypt
- I didn't have to add the CA to the CA bundle
- Under applications everything seems ok. However, since the certs in
.../live are only a link to .../archive, this is where the services need
to be able to read the certs (especially cyrus did give me trouble)
- kolab components: okay too
- which file goes where is pretty self-evident with letsencrypt:
# ls /etc/letsencrypt/live/www.domain.tld/
cert.pem chain.pem fullchain.pem privkey.pem
cert.pem --> cert-file
privkey.pem --> key-file
chain.pem --> ca-file/chain
fullchain.pem --> didn't need it
- optional:
please add the /etc/roundcubemail/managesieve.inc.php change
$config['managesieve_usetls'] = true;
(instead of the default: false)
This has nothing to do with where the certs are from. This has been
bugging me for the better part of two years and I could not get sieve to
work, even with the user list's help. I stumbled upon that by accident
today...
I actually would be willing to do some grunt work (and I believe with
this mail all the important info is out there), but I will never be able
to write real presentable documentation or use such fancy sed commands.