HowTo : Secure all Kolab Services

Marc Surchat surchat at gmail.com
Fri Apr 17 11:47:00 CEST 2015


Hi all,

I have a test lab with Kolab 3.4 Community installed on a CentOS 7 VM.

I became especially interested in how to secure my kolab-server and I was
happy to find this How To :
https://docs.kolab.org/howtos/secure-kolab-server.html

I could successfully implement SSL for cyrus imapd, postfix and apache.
Please note that you need to be careful when copying the 'postconf -e'
commands directly from the wiki, as there is a high risk of bad formatting
issues. I can propose a correction (see below).

So everything went well up to this point : *389 Directory Server*

Seriously, this part using 'ldapmodify' is awful. Be sure to note that there
is a typo at the line "nsTLS1 on", it should be "nsTLS1: on". Then
I would advise using an .ldif file in which you put all these configuration
modifications. Then you can call it like this :

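# read the bind password from kolab.conf (value after the first '=', whitespace stripped)
passwd=$(grep ^bind_pw /etc/kolab/kolab.conf | cut -d '=' -f2- | sed -e 's/\s*//g')
# apply all changes from one LDIF file as Directory Manager
ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w "${passwd}" -f /path/to/ldap.ldif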

The reasons I am posting here are :
(1) Security is important
(2) This tutorial is a good start but it's outdated and filled with small
mistakes
(3) I couldn't make it work! and I'm afraid I broke my ldap setup :(

When I ran the ldapmodify command (with or without the .ldif file, it doesn't
matter), I'm not quite sure but I think I got an error "unable to find object
(32)" or something like this. And now that I'm trying it again, block by
block, I get a different error.

modifying entry "cn=config"
ldap_modify: Type or value exists (20)


Any LDAP expert around ?

Thanks and best regards,
Marc

correction for postfix config commands :

# postconf -e smtpd_use_tls=yes

# postconf -e smtpd_tls_key_file=/etc/pki/tls/private/kolab-server.lan.dreamlab.net.key.pem
# postconf -e smtpd_tls_cert_file=/etc/pki/tls/certs/kolab-server.lan.dreamlab.net.cert.pem
# postconf -e smtpd_tls_CAfile=/etc/pki/tls/certs/dreamlab.net.ca-chain.pem

# postconf -e smtp_tls_mandatory_protocols='!SSLv2,!SSLv3'
# postconf -e smtp_tls_protocols='!SSLv2,!SSLv3'
# postconf -e smtpd_tls_mandatory_protocols='!SSLv3'
# postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'

# postconf -e smtpd_tls_mandatory_ciphers=high
# postconf -e smtpd_tls_eecdh_grade=ultra
# postconf -e tls_preempt_cipherlist=yes
# postconf -e tls_high_cipherlist='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
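
Two problems of the kind described in this post can be caught before an LDIF file reaches ldapmodify: a line with no colon after the attribute name (the "nsTLS1 on" typo), and an "add:" operation, which the server rejects with "Type or value exists (20)" when the value is already present. The script below is an added example, not part of the original post or the Kolab how-to; the function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an LDIF change file before passing it to "ldapmodify -f".

# write_sample_ldif FILE: constructed sample containing the "nsTLS1 on" typo
# and an "add:" operation. Entries and values are illustrative only.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: nsTLS1
nsTLS1 on

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
EOF
}

# lint_ldif FILE: print one finding per line; return 1 if there were any.
lint_ldif() {
    awk '
        # Skip comments, blank lines, "-" separators and continuation lines.
        /^#/ || /^$/ || /^-$/ || /^ / { next }
        # Every remaining line must start with "name:".
        !/^[A-Za-z0-9][A-Za-z0-9.;-]*:/ {
            printf "line %d: no colon after attribute name: %s\n", NR, $0
            bad = 1
            next
        }
        # Adding a value that is already present fails with error 20.
        /^add:/ {
            printf "line %d: add is not repeatable, consider replace: %s\n", NR, $0
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_ldif "$sample"
lint_ldif "$sample" || echo "fix the findings above before running ldapmodify"
rm -f "$sample"
```

Using "replace:" instead of "add:" makes the same change file safe to apply more than once.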