Kolab 3.4 Secure Installation

Franz Skale i.bin at dah.am
Sat Mar 28 15:11:45 CET 2015



Hi,
do a /usr/lib/ssl/misc/c_info of your server cert.
Then check the CA who signed the cert, and then chain it to the server cert.
Also check your imapd logfile /var/log/imapd.log for tls problems.
By now, I run all my kolab services in debug mode.
So you could give it a try and tweak:

File:/etc/default/kolab-server
FLAGS="-l debug -d 9"

/etc/default/wallace
FLAGS="-l debug"

/etc/default/cyrus-imapd
Uncomment:
#CYRUS_VERBOSE=1




Rgds.

Franz

Am 28.03.15 um 14:17 schrieb Josh Janszen:
> Thanks for your help with this issue. Roundcube is set for tls and
> port 143, I will leave it that way because it's local.
>
> I may be having issues with which files to use for the bundled cert. My CA
> gave me these files, do I need to use all of them?
>
> AddTrustExternalCARoot.crt
> COMODORSADomainValidationSecureServerCA.crt
> COMODORSAAddTrustCA.crt
>
>
> On Sat, Mar 28, 2015 at 6:16 AM, Franz Skale <i.bin at dah.am> wrote:
>
>
>
>     Hi Josh,
>     it's not a SSL cipher problem.
>     Check your default_host configuration in
>     /etc/roundcubemail/config.inc.php.
>     Use TLS or SSL as option.
>     Like:
>     // IMAP Server Settings port 143 tls.
>     $config['default_host'] = 'tls://localhost';
>
>     Or use SSL:
>
>     // IMAP Server Settings port 993 ssl.
>     $config['default_host'] = 'ssl://localhost:993';
>
>     Check that your cyrus installation works using the openssl client:
>
>     openssl s_client -showcerts -connect localhost:143 -starttls imap
>
>     Check the output certs and the tls handshake.
>
>     Like:
>     New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>     Server public key is 4096 bit
>     Secure Renegotiation IS supported
>     Compression: NONE
>     Expansion: NONE
>     SSL-Session:
>         Protocol  : TLSv1.2
>         Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>         Session-ID: DA74F33938A5C2B82237AAC500BE66C8CA796191BB3583E73408C769322ED54F
>         Session-ID-ctx:
>         Master-Key: 90A0E4123162ECC9BAF2D8F05341F8CDECE3AF08330888833E4293CAF06977531354C1E99742F529537A82ABF0545258
>         Key-Arg   : None
>         PSK identity: None
>         PSK identity hint: None
>
>
>     Try a login using your credentials:
>
>     . login <username> <password>
>
>     If all is OK use ". logout" to logout from imap.
>
>     If there's a problem with tls or ssl, check your cyrus ssl
>     configuration:
>
>     tls_server_cert: /etc/ssl/certs/mail.example.com.crt
>     tls_server_key: /etc/ssl/private/mail.example.com.key
>
>     Be sure to add the ca bundle to the cert chain, when the imap
>     client refuses to accept the ssl connection.
>
>     cat  server.pem bundle.pem > /etc/ssl/certs/mail.example.com.crt
>
>     Try and report back
>
>     Rgds.
>
>     Franz
>
>
>
>
>
>     Am 28.03.15 um 01:13 schrieb Josh Janszen:
>>     Hi,
>>
>>     I recently installed Kolab 3.4 on a clean system. I then made my
>>     way to the secure kolab server document. I followed all the steps
>>     and verified all services are running normally but when I got
>>     down to the Kolab components and followed the steps everything
>>     completed without error but now when I try to log into roundcube
>>     I get this error "Connection to storage server failed." and my
>>     log files show;
>>
>>     [27-Mar-2015 20:10:50] PHP Warning:  fgets(): SSL operation
>>     failed with code 1. OpenSSL Error message$
>>     error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>     in
>>     /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap_generic.php
>>     on line 200
>>
>>     I have a feeling something with the last few steps is causing
>>     issue or because of the strictness of the allowed ciphers in the
>>     previous steps
>>
>>     https://docs.kolab.org/howtos/secure-kolab-server.html
>>
>>     Any help would be greatly appreciated,
>>     Josh
>>
>>
>
>
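
Added example, not part of either poster's message: a shell function that puts a server certificate and the CA files a CA hands out into the order the "cat server.pem bundle.pem" step needs, by matching each certificate's issuer to the next one's subject. It assumes PEM input files and the openssl command-line tool; the script name build_chain.sh and the helper names are made up for this example.

```shell
#!/bin/sh
# Added example: order a server certificate and the supplied CA files into one
# bundle for tls_server_cert. Assumes PEM input files and the openssl CLI.
# Usage (file names taken from the thread; server.pem is the server's own cert):
#   sh build_chain.sh server.pem AddTrustExternalCARoot.crt \
#      COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt \
#      > /etc/ssl/certs/mail.example.com.crt

# Print OpenSSL's name hash, so two certificates can be matched as
# "issuer of A == subject of B" without parsing DN strings.
subject_of() { openssl x509 -in "$1" -noout -subject_hash; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer_hash; }

# build_chain LEAF CA_FILE...  -> PEM bundle on stdout, leaf first.
build_chain() {
    current=$1; shift
    openssl x509 -in "$current" || return 1        # the server cert goes first
    depth=0
    while [ "$depth" -lt 10 ]; do                  # guard against cross-sign loops
        want=$(issuer_of "$current") || return 1
        # Self-signed certificate: nothing further to add.
        if [ "$want" = "$(subject_of "$current")" ]; then return 0; fi
        next=
        for ca in "$@"; do
            if [ "$(subject_of "$ca")" = "$want" ]; then next=$ca; break; fi
        done
        if [ -z "$next" ]; then
            echo "no supplied file is the issuer of $current" >&2
            return 1
        fi
        # A self-signed root ends the chain; it is left out because clients
        # must already trust it from their own store.
        if [ "$(issuer_of "$next")" = "$want" ]; then return 0; fi
        openssl x509 -in "$next" || return 1
        current=$next
        depth=$((depth + 1))
    done
    echo "chain longer than 10 certificates, giving up" >&2
    return 1
}

if [ "$#" -gt 0 ]; then build_chain "$@"; fi
```

The matching is by name only and does not verify signatures, so the openssl s_client check quoted above is still the test of whether the resulting bundle is accepted.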
