Securing Kolab 16 on Centos 7 howto questions - plus GUAM is broken
kolab.user at use.startmail.com
Wed Mar 30 16:45:35 CEST 2016
Hi Chris,
Documentation did help a lot. I ended up with
tls_config, [
    { keyfile, "/etc/pki/tls/private/server.key" },
    { certfile, "/etc/pki/tls/certs/server-bundle.crt" },
    { cacertfile, "/etc/pki/tls/certs/server-bundle.crt" }
]
where server-bundle.crt is
cat server.crt 1_Intermediate.crt > server-bundle.crt
since the same bundle is used in some other places and I wanted to minimize the number of files to maintain.
The Securing Kolab HOWTO is a very good starting point but desperately needs an update.
Regards,
Josh.
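An added check for a bundle built this way (example script, not from the thread or from the Kolab project): it generates a throwaway root/intermediate/leaf chain with openssl, so every name in it is constructed, assembles server-bundle.crt exactly as above, and confirms that the leaf is the first entry and that the leaf validates to the root using only the intermediates in the bundle, which is what a client that does not already hold the intermediate has to do. It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate
# -> leaf chain, assemble server-bundle.crt as the post does and check it
# before pointing guam's tls_config at it. All names here are constructed.
set -e
WORK=$(mktemp -d)
# Print the n-th PEM certificate contained in a bundle file.
cert_n() { awk -v n="$2" '/-----BEGIN CERT/{c++} c==n' "$1"; }

# Create root.crt, 1_Intermediate.crt, server.key/server.crt and two bundles.
gen_chain() (
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Example Root" -days 2 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >ca.ext
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out 1_Intermediate.crt -days 2 -extfile ca.ext 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' >srv.ext
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=imap.example.test" 2>/dev/null
  openssl x509 -req -in server.csr -CA 1_Intermediate.crt -CAkey inter.key \
    -CAcreateserial -out server.crt -days 2 -extfile srv.ext 2>/dev/null
  cat server.crt 1_Intermediate.crt >server-bundle.crt       # as in the post
  cat 1_Intermediate.crt server.crt >wrong-order-bundle.crt  # a common mistake
)

# bundle_order_ok FILE: the first certificate must be the leaf guam serves as
# its own, and each later certificate must be the issuer of the one before it,
# which is the order a TLS server is expected to send its chain in.
bundle_order_ok() {
  i=1
  while [ -n "$(cert_n "$1" $((i + 1)))" ]; do
    issuer=$(cert_n "$1" "$i" | openssl x509 -noout -issuer | sed 's/^[a-z]*=//')
    subject=$(cert_n "$1" $((i + 1)) | openssl x509 -noout -subject | sed 's/^[a-z]*=//')
    [ "$issuer" = "$subject" ] || return 1
    i=$((i + 1))
  done
}

# chain_verifies BUNDLE: the leaf must validate up to root.crt using only the
# intermediates found in BUNDLE, as a client without the intermediate must do.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/server.crt" >/dev/null 2>&1
}

gen_chain
bundle_order_ok "$WORK/server-bundle.crt" && chain_verifies "$WORK/server-bundle.crt" \
  && echo "server-bundle.crt: order and chain validation OK"
```

Run it against a real bundle by pointing bundle_order_ok at the file you intend to use as certfile; the order check is the one that catches a bundle concatenated intermediate-first.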
On Wednesday, March 30, 2016 6:14 AM, Chris Fleming <me at chrisfleming.org> wrote:
> On Wed, Mar 30, 2016 at 12:05:28AM -0400, kolab.user at use.startmail.com
> wrote:
>> Any guam developers on this list?
>>
>> It appears that guam completely ignores chained certificates, e.g. free
>> ones obtained from startssl.com, mentioned in a secure-kolab-server.html
>> HOWTO
>>
>> Seems like the only way to get around it quickly is to disable listener
>> on 993 and use stunnel from 993 to 143.
>>
>> Any other ideas?
>
> Have to admit, I'm very tempted to bypass guam, as it's very crashy, but
> have currently compromised on restarting it once a day... but I did manage
> to get ssl working.
>
> As guam is written in erlang, the actual place to look for the
> configuration options is the erlang documentation:
> http://erlang.org/doc/man/ssl.html
>
> I am using letsencrypt and have the listener configuration below:
>
>
> imap, [
>     { port, 143 },
>     { imap_server, imaps },
>     {
>         rules, [
>             { filter_groupware, [] }
>         ]
>     },
>     {
>         tls_config, [
>             { certfile, "/etc/letsencrypt/live/server.name/cert.pem"},
>             { keyfile, "/etc/letsencrypt/live/server.name/privkey.pem"},
>             { cacertfile, "/etc/letsencrypt/live/server.name/chain.pem"}
>         ]
>     }
> ]
>
>>
>> Could I just remove guam and change imaps from 9993 to 993? What does
>> guam do?
>
> My understanding is that guam acts as a smart filter, filtering out the
> groupware folders from clients that don't use them. This is handy as it
> stops a user from deleting them.
>
> Cheers
> Chris
>
>> On Tuesday, February 23, 2016 6:12 PM, Winfried Ritsch
>> <ritsch at algo.mur.at> wrote:
>> > Hello,
>> >
>> > I just set up a Kolab 16 on a dedicated Centos 7.0 VM following mostly
>> > the installation guides and it seems to work nicely, thanks for all
>> > the effort.
>> >
>> > Before I go public I want to secure my setup
>> >
>> > and while trying to follow the HOWTO
>> > https://docs.kolab.org/howtos/secure-kolab-server.html[1]
>> > (this seems to be for kolab 3.4)
>> > some questions arose about which services to secure:
>> >
>> > Securing
>> >
>> > a) Services which need a dedicated Certificate (for TLS)
>> > b) Services which use internal certificates (for eg. localhost)
>> > c) Services using insecure connections (for speed)
>> >
>> > My vote:
>> > All apache services for a)
>> > Mail transport postfix for a)
>> >
>> > Unknown:
>> >
>> > Since now guam is a proxy to cyrus-imapd:
>> >
>> > - Should the proxy connection between cyrus and/or guam be secured?
>> >
>> > - Securing the cyrus managesieve connection?
>> >
>> > - Manticore?
>> >
>> > - any other suggestion?
>> >
>> >
>> > thanks.
>> >
>> > mfG
>> > Winfried ritsch
>> >
>> > --
>> > -
>> > Winfried Ritsch - Atelier Algorythmics
>> > Mobil: ++43-664-2439369
>> > http://algo.mur.at/ email: ritsch _at_ algo.mur.at
>> > -
>> >
>> > --------
>> > [1] https://docs.kolab.org/howtos/secure-kolab-server.html
>> > _______________________________________________
>> > users mailing list
>> > users at lists.kolab.org
>> > https://lists.kolab.org/mailman/listinfo/users