HowTo : Secure all Kolab Services
Daniel Helgenberger
daniel.helgenberger at m-box.de
Fri Apr 17 13:09:15 CEST 2015
Hello Marc,
sorry, can't help in the context because I often end up 'breaking' ldap,
too ;)
IMHO the default kolab setup after setup-kolab leaves you with a system
unfit for a DMZ / Public network. But I think Kolab was not intended to
be used in such networks.
But I have done this myself the last few days, a single server public
system.
For a single server production setup securing LDAP is *absolutely* not
necessary, since everything uses localhost in your config.
I would only consider securing LDAP in a public network env. But IMHO it
is really a bad idea to set up LDAP queries over a non-secure network.
Rather set up an ssh or openvpn tunnel to your ldap server(s).
On Fri, 2015-04-17 at 11:47 +0200, Marc Surchat wrote:
> Hi all,
>
> I have a test lab with Kolab 3.4 Community installed on a centos 7 VM.
>
> I became especially interested in how to secure my kolab-server and I was
> happy to find this How To :
> https://docs.kolab.org/howtos/secure-kolab-server.html
>
> I could successfully implement SSL for cyrus imapd, postfix and apache.
> Please note that you need to be careful with copying the 'postconf -e'
> commands directly from the wiki as there is a high risk of bad formatting
> issues. I can propose a correction (see below).
>
> So everything went well up to this point : *389 Directory Server*
>
> Seriously this part using 'ldapmodify' is awful. Be sure to note that there
> is a typo at the line "nsTLS1 on", it should be "nsTLS1: on". Then
> I would advise using an .ldif in which you put all these configuration
> modifications. Then you can call it like this :
>
> passwd=$(grep ^bind_pw /etc/kolab/kolab.conf | cut -d '=' -f2- | sed -e 's/\s*//g')
> ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w "${passwd}" -f /path/to/ldap.ldif
My best guess, this step did break things. Why use sed for a single
password? Can you double check you used the correct password here?
>
> The reasons I am posting here are :
> (1) Security is important
> (2) This tutorial is a good start but it's outdated and filled with small
> mistakes
> (3) I couldn't make it work, and I'm afraid I broke my ldap setup :(
I think the security guide is quite good and someone put a lot of
effort in it.
You are also quite right that it is outdated. I think we should gather
our proposals in the list so things might get updated in the docs (it's
open source anyway ;)
>
> When I ran the ldapmodify command (with or without .ldif file doesn't matter),
> I'm not quite sure but I think I got an error unable to find object (32) or
> something like this. And now that I'm trying it again, block by block, I
> get a different error.
>
> modifying entry "cn=config"
> ldap_modify: Type or value exists (20)
>
>
> Any LDAP expert around ?
>
> Thanks and best regards,
> Marc
>
> correction for postfix config commands :
>
> # postconf -e smtpd_use_tls=yes
>
> # postconf -e smtpd_tls_key_file=/etc/pki/tls/private/kolab-server.lan.dreamlab.net.key.pem
> # postconf -e smtpd_tls_cert_file=/etc/pki/tls/certs/kolab-server.lan.dreamlab.net.cert.pem
> # postconf -e smtpd_tls_CAfile=/etc/pki/tls/certs/dreamlab.net.ca-chain.pem
>
> # postconf -e smtp_tls_mandatory_protocols='!SSLv2,!SSLv3'
> # postconf -e smtp_tls_protocols='!SSLv2,!SSLv3'
> # postconf -e smtpd_tls_mandatory_protocols='!SSLv3'
> # postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'
>
> # postconf -e smtpd_tls_mandatory_ciphers=high
> # postconf -e smtpd_tls_eecdh_grade=ultra
> # postconf -e tls_preempt_cipherlist=yes
> # postconf -e tls_high_cipherlist='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
I ran into it too, there are spaces between the '=' in the last two
postconf commands. Also, the sed commands for ssl.conf do not work
anymore on EL7.
Further, the sed for imapd.conf has deprecated keywords. The section should be:
# sed -r -i \
-e 's|^tls_cert_file:.*|tls_server_cert: /etc/pki/tls/certs/example.org.crt|g' \
-e 's|^tls_key_file:.*|tls_server_key: /etc/pki/tls/private/example.org.key|g' \
-e 's|^tls_ca_file:.*|tls_client_ca_file: /etc/pki/tls/certs/example.org.ca-chain.pem|g' \
/etc/imapd.conf
But my config already had the new keywords.
One other major issue: SELinux. Here, the manual really should read:
'Set selinux to permissive and use audit2allow -a (-M) to set up the
non-standard avc(s)'
By the way, it worked quite well.
Further, the firewall should also be mentioned in the security guide,
since the one in [1] is quite permissive and has port 465/tcp open -
which is not used (any more, in favor of submission?) it seems.
Using firewall-cmd, a one-liner could be:
for i in ssh http https pop3s imaps smtp; do \
firewall-cmd --permanent --add-service=$i;\
done && \
firewall-cmd --permanent --add-port=587/tcp && \
firewall-cmd --reload
assuming you are running the public zone.
Further, sslscan is really great but not working very well with current
postfix (tarpit); it should be scrapped and replaced by something like:
openssl s_client -showcerts -connect localhost:587 -starttls smtp
Cheers,
Daniel
[1] https://docs.kolab.org/installation-guide/preparing-the-system.html#system-firewall
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
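Added example for this archive page; it is not code from either mail above nor from the Kolab project. It illustrates the failure mode behind the "did you use the correct password" question in the thread: the quoted pipeline deletes every whitespace character with sed 's/\s*//g', so a bind password that contains a space reaches ldapmodify mangled. The second function trims only the edges of the value and keeps any '=' inside it. The kolab.conf fragment and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Kolab): compare the quoted
# bind_pw extraction with a variant that preserves the password verbatim.
# The kolab.conf fragment and password below are constructed for the demo.

# The pipeline from the quoted mail: take everything after the first '=' and
# then delete every whitespace character. Spaces inside the password go too.
read_bind_pw_fragile() {
    grep '^bind_pw' "$1" | cut -d '=' -f2- | sed -e 's/\s*//g'
}

# Safer variant: match only the bind_pw key, take the first hit, keep any '='
# inside the value (cut -f2-), and strip whitespace at the edges only.
read_bind_pw() {
    grep '^bind_pw[[:space:]]*=' "$1" | head -n 1 | cut -d '=' -f2- \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Write a constructed kolab.conf fragment to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[ldap]
ldap_uri = ldap://localhost:389
bind_dn = cn=Directory Manager
bind_pw = Corr3ct horse=battery
EOF
    printf '%s\n' "$f"
}

main() {
    conf=$(make_sample_conf)
    printf 'quoted pipeline : [%s]\n' "$(read_bind_pw_fragile "$conf")"
    printf 'edge-trim only  : [%s]\n' "$(read_bind_pw "$conf")"
    rm -f "$conf"
}

main
```

Running the script prints the two extracted values in brackets; only the edge-trimmed one matches what is stored in the file. The same comparison against the real /etc/kolab/kolab.conf is a quick way to rule out the password before suspecting the LDIF itself.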
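Added example for this archive page; it is not code from the mails above nor from the Kolab or Cyrus projects. The sed snippet in the thread rewrites only the deprecated imapd.conf keywords (tls_cert_file, tls_key_file, tls_ca_file), so on a config that already uses the new names (the case Daniel mentions) it silently changes nothing and the old certificate paths stay in place. The function below matches both the old and the new keyword on each line, so one run produces the same result on either style of file. The sample configs and all certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, Kolab or Cyrus): rewrite the TLS keys in
# a Cyrus imapd.conf to the current keyword names and to new certificate
# paths, whether the file still uses the deprecated names or already the new
# ones. All file contents and paths below are constructed placeholders.

# Usage: convert_imapd_tls <imapd.conf> <server cert> <server key> <CA chain>
# Each pattern matches the old and the new keyword, so an already migrated
# config still gets the new paths; '#' is the sed delimiter so the ERE
# alternation '|' can be used inside the pattern. Writes via a temp file
# instead of 'sed -i' so it also works where -i needs an argument.
convert_imapd_tls() {
    conf=$1 cert=$2 key=$3 ca=$4
    sed -E \
        -e "s#^(tls_cert_file|tls_server_cert):.*#tls_server_cert: $cert#" \
        -e "s#^(tls_key_file|tls_server_key):.*#tls_server_key: $key#" \
        -e "s#^(tls_ca_file|tls_client_ca_file):.*#tls_client_ca_file: $ca#" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the value of one 'key: value' line from an imapd.conf.
get_key() {
    sed -n "s#^$2:[[:space:]]*##p" "$1"
}

# Count deprecated TLS keywords left in the file (prints 0 when clean).
count_deprecated() {
    grep -c -E '^(tls_cert_file|tls_key_file|tls_ca_file):' "$1" || true
}

# Constructed sample configs: "$1" selects the old or the new keyword style.
make_sample() {
    f=$(mktemp)
    if [ "$1" = old ]; then
        cat > "$f" <<'EOF'
configdirectory: /var/lib/imap
tls_cert_file: /etc/pki/tls/certs/localhost.crt
tls_key_file: /etc/pki/tls/private/localhost.key
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
EOF
    else
        cat > "$f" <<'EOF'
configdirectory: /var/lib/imap
tls_server_cert: /etc/pki/tls/certs/localhost.crt
tls_server_key: /etc/pki/tls/private/localhost.key
tls_client_ca_file: /etc/pki/tls/certs/ca-bundle.crt
EOF
    fi
    printf '%s\n' "$f"
}

main() {
    for style in old new; do
        f=$(make_sample "$style")
        convert_imapd_tls "$f" /etc/pki/tls/certs/example.org.crt \
            /etc/pki/tls/private/example.org.key \
            /etc/pki/tls/certs/example.org.ca-chain.pem
        printf '== %s-style input after conversion (%s deprecated keys left)\n' \
            "$style" "$(count_deprecated "$f")"
        cat "$f"
        rm -f "$f"
    done
}

main
```

After a run, count_deprecated on the real /etc/imapd.conf should print 0 and get_key should return the new paths; if it does not, the file carried a keyword spelling that neither pattern covers and needs a look by hand before restarting cyrus.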