Securing Kolab 16 on Centos 7 howto questions - plus GUAM is broken

Chris Fleming me at chrisfleming.org
Wed Mar 30 12:14:27 CEST 2016


On Wed, Mar 30, 2016 at 12:05:28AM -0400, kolab.user at use.startmail.com wrote:
> Any guam developers on this list?
> 
> It appears that guam completely ignores chained certificates, e.g. free ones obtained from startssl.com, mentioned in a secure-kolab-server.html HOWTO
> 
> Seems like the only way to get around it quickly is to disable listener on 993 and use stunnel from 993 to 143.
> 
> Any other ideas?

Have to admit, I'm very tempted to bypass guam, as it's very crashy, but have currently compromised
on restarting it once a day... but I did manage to set ssl working.

As guam is written in erlang, the actual place to look for the configuration options is the
erlang documentation:
http://erlang.org/doc/man/ssl.html

I am using letsencrypt and have the listener configuration below:


	imap, [
		{ port, 143 },
		{ imap_server, imaps },
		{
			rules, [
				{ filter_groupware, [] }
			]
		},
		{
			tls_config, [
				{ certfile, "/etc/letsencrypt/live/server.name/cert.pem" },
				{ keyfile, "/etc/letsencrypt/live/server.name/privkey.pem" },
				{ cacertfile, "/etc/letsencrypt/live/server.name/chain.pem" }
			]
		}
	]

> 
> Could I just remove guam and change imaps from 9993 to 993? What does guam do?

My understanding is that guam acts as smart filter, filtering out the groupware folders
from clients that don't use them. This is handy as it stops a user from deleting them.

Cheers
Chris 

> On Tuesday, February 23, 2016 6:12 PM, Winfried Ritsch <ritsch at algo.mur.at> wrote:
> > Hello,
> > 
> > I just set up a Kolab 16 on dedicated Centos 7.0  VM following mostly the
> > installation guides and
> > it seems to work nicely, thanks for all the effort.
> > 
> > Before I go public I want to secure my setup
> > 
> > and trying to follow the HOWTO
> >  https://docs.kolab.org/howtos/secure-kolab-server.html[1]
> >  (this seems to be for kolab 3.4)
> > some questions arose what services to secure:
> > 
> > Securing
> > 
> >   a) Services which need a dedicated Certificate (for TLS)
> >   b) Services which use internal certificates (for eg. localhost)
> >   c) Services using unsecure connections (for speed)
> > 
> > My vote:
> >  All apache services  for a)
> >  Mail transport postfix for a)
> > 
> > Unknown:
> > 
> > Since now guam is a proxy to cyrus-imapd:
> > 
> > - Should proxy connection between cyrus and/or guam be secured ?
> > 
> > - Securing cyrus managesieve connection ?
> > 
> > - Manticore ?
> > 
> > - any other suggestion ?
> > 
> > 
> > thanks.
> > 
> > mfG
> >  Winfried ritsch
> > 
> > --
> > -
> >  Winfried Ritsch - Atelier Algorythmics
> >  Mobil: ++43-664-2439369
> >  http://algo.mur.at/  email: ritsch _at_ algo.mur.at
> > -
> > 
> > --------
> > [1] https://docs.kolab.org/howtos/secure-kolab-server.html
> > _______________________________________________
> > users mailing list
> > users at lists.kolab.org
> > https://lists.kolab.org/mailman/listinfo/users
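
Added example (not part of the original message and not guam's own code): an offline Erlang check, using OTP's public_key module, that the leaf in certfile is issued by a certificate in cacertfile, which is the layout used in the tls_config in Chris's reply. The module name chain_check and the function check/1 are hypothetical; pass it the tls_config list from your own listener.

```erlang
%% Added example, not guam code. Module and function names are hypothetical.
-module(chain_check).
-export([check/1]).

%% TlsConfig is a proplist shaped like the tls_config list in a listener,
%% e.g. [{certfile, "..."}, {keyfile, "..."}, {cacertfile, "..."}].
%% Returns {ok, Depth} when the leaf's issuer is found in cacertfile
%% (Depth = number of certificates linked, leaf included), or
%% {error, Reason} when the files cannot back a complete chain.
check(TlsConfig) ->
    case {certs(certfile, TlsConfig), certs(cacertfile, TlsConfig)} of
        {[], _} -> {error, no_certificate_in_certfile};
        {_, []} -> {error, no_certificate_in_cacertfile};
        {[Leaf | _], CAs} -> walk(Leaf, CAs, 1)
    end.

%% Read every PEM "CERTIFICATE" block from the file named under Key.
certs(Key, TlsConfig) ->
    case proplists:get_value(Key, TlsConfig) of
        undefined -> [];
        Path ->
            {ok, Pem} = file:read_file(Path),
            [Der || {'Certificate', Der, not_encrypted}
                        <- public_key:pem_decode(Pem)]
    end.

%% Follow issuer links upward. pkix_is_issuer/2 compares issuer and subject
%% names only; signatures are not verified here. Each CA certificate is
%% used at most once, so cross-signed loops terminate.
walk(Cert, CAs, Depth) ->
    case public_key:pkix_is_self_signed(Cert) of
        true -> {ok, Depth};
        false ->
            case [CA || CA <- CAs, public_key:pkix_is_issuer(Cert, CA)] of
                [Issuer | _] -> walk(Issuer, CAs -- [Issuer], Depth + 1);
                [] when Depth =:= 1 -> {error, leaf_issuer_not_in_cacertfile};
                %% Chain stops at an intermediate whose issuer (the root)
                %% is expected to be in the client's trust store.
                [] -> {ok, Depth}
            end
    end.
```

A result of {error, leaf_issuer_not_in_cacertfile} means the configured files give the listener no intermediate to link the leaf to.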
