Discussion:
Securing Kolab 16 on Centos 7 howto questions.
Winfried Ritsch
2016-02-23 22:12:00 UTC
Hello,

I just set up Kolab 16 on a dedicated CentOS 7.0 VM, following mostly the installation guides, and
it seems to work nicely, thanks for all the effort.

Before I go public I want to secure my setup

and am trying to follow the HOWTO
https://docs.kolab.org/howtos/secure-kolab-server.html[1]
(this seems to be for Kolab 3.4).
Some questions arose about which services to secure:

Securing

a) Services which need a dedicated certificate (for TLS)
b) Services which use internal certificates (e.g. for localhost)
c) Services using insecure connections (for speed)

My vote:
All apache services for a)
Mail transport postfix for a)

Unknown:

Since guam is now a proxy to cyrus-imapd:

- Should the proxy connection between cyrus and/or guam be secured?

- Securing the cyrus managesieve connection?

- Manticore?

- Any other suggestion?


thanks.

mfG
Winfried ritsch
--
-
Winfried Ritsch - Atelier Algorythmics
Mobil: ++43-664-2439369
http://algo.mur.at/ email: ritsch _at_ algo.mur.at
-

--------
[1] https://docs.kolab.org/howtos/secure-kolab-server.html
k***@use.startmail.com
2016-03-30 04:05:28 UTC
Any guam developers on this list?

It appears that guam completely ignores chained certificates, e.g. the free ones obtained from startssl.com mentioned in the secure-kolab-server.html HOWTO.

Seems like the only way to get around it quickly is to disable the listener on 993 and use stunnel from 993 to 143.

Any other ideas?

Could I just remove guam and change imaps from 9993 to 993? What does guam do?

thanks,
Josh.
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
Chris Fleming
2016-03-30 10:14:27 UTC
Post by k***@use.startmail.com
Any guam developers on this list?
It appears that guam completely ignores chained certificates, e.g. free ones obtained from startssl.com, mentioned in a secure-kolab-server.html HOWTO
Seems like the only way to get around it quickly is to disable listener on 993 and use stunnel from 993 to 143.
Any other ideas?
Have to admit, I'm very tempted to bypass guam, as it's very crashy, but have currently compromised
on restarting it once a day... but I did manage to get ssl working.

As guam is written in Erlang, the actual place to look for the configuration options is the
Erlang documentation:
http://erlang.org/doc/man/ssl.html

I am using letsencrypt and have the listener configuration below:


%% one entry of the listeners list in guam's sys.config
{ imap, [
    { port, 143 },
    { imap_server, imaps },
    { rules, [
        { filter_groupware, [] }
    ]},
    { tls_config, [
        { certfile,   "/etc/letsencrypt/live/server.name/cert.pem" },
        { keyfile,    "/etc/letsencrypt/live/server.name/privkey.pem" },
        { cacertfile, "/etc/letsencrypt/live/server.name/chain.pem" }
    ]}
]}
Post by k***@use.startmail.com
Could I just remove guam and change imaps from 9993 to 993? What does guam do?
My understanding is that guam acts as a smart filter, filtering out the groupware folders
from clients that don't use them. This is handy as it stops a user from deleting them.

Cheers
Chris
k***@use.startmail.com
2016-03-30 14:45:35 UTC
Hi Chris,

Documentation did help a lot. I ended up with

{ tls_config, [
    { keyfile,    "/etc/pki/tls/private/server.key" },
    { certfile,   "/etc/pki/tls/certs/server-bundle.crt" },
    { cacertfile, "/etc/pki/tls/certs/server-bundle.crt" }
]}

where server-bundle.crt is

cat server.crt 1_Intermediate.crt > server-bundle.crt

The same bundle is used in some other places, and I wanted to minimize the number of files to maintain.

The Securing Kolab HOWTO is a very good starting point but desperately needs an update.

Regards,
Josh.
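The chain problem Josh and Chris work through above, as an added example that is not from the thread and not code from the Kolab or guam projects: a POSIX shell script that builds a throwaway root, intermediate and leaf with openssl, concatenates the leaf and the intermediate the way Josh's cat command does, and then checks the result the way an IMAP client would, trusting only the root. Every name in it (Example Root CA, Example Intermediate CA, imap.example.test, the file names, the helper functions verify_as_client and bundle_order_ok) is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the Kolab/guam projects.
# Builds a throwaway root -> intermediate -> leaf chain, bundles leaf+intermediate
# the way Josh does, and checks it like a client that trusts only the root.
# All names (Example Root CA, imap.example.test, file names) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension sections so the CAs are real CAs whatever the system openssl.cnf says.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:imap.example.test
EOF

# Root CA: the only certificate the "client" below trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config ca.cnf -extensions v3_ca \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
# Intermediate CA, signed by the root (the role StartSSL / Let's Encrypt play in the thread).
openssl req -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -days 2 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null
# Server leaf, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=imap.example.test" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -days 2 -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_leaf -out server.crt 2>/dev/null

# Josh's bundle: leaf first, then the intermediate.
cat server.crt int.pem > server-bundle.crt

# Verify like a client: trust only the root. $2 is whatever extra certificates the
# server handed over (omit it to model a server that sends the leaf alone).
# Prints "ok" or "fail"; the ": OK" match is portable across openssl versions.
verify_as_client() {
  leaf=$1
  extra=${2:-}
  if [ -n "$extra" ]; then
    out=$(openssl verify -CAfile root.pem -untrusted "$extra" "$leaf" 2>&1) || true
  else
    out=$(openssl verify -CAfile root.pem "$leaf" 2>&1) || true
  fi
  case $out in
    *": OK"*) echo ok ;;
    *)        echo fail ;;
  esac
}

# Check a bundle is in the order TLS expects: the leaf first, then each
# certificate's issuer. Prints "good" or "bad".
bundle_order_ok() {
  rm -f part*.pem
  # split the PEM file into part1.pem, part2.pem, ... one certificate each
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } { print > ("part" n ".pem") }' "$1"
  i=1
  while [ -f "part$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -noout -issuer -in "part$i.pem")
    subject=$(openssl x509 -noout -subject -in "part$((i + 1)).pem")
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo bad
      return 0
    fi
    i=$((i + 1))
  done
  echo good
}

echo "leaf alone:    $(verify_as_client server.crt)"                   # fail: no intermediate
echo "leaf + bundle: $(verify_as_client server.crt server-bundle.crt)" # ok
echo "bundle order:  $(bundle_order_ok server-bundle.crt)"             # good
```

It needs only openssl. The "leaf alone" failure is exactly what a mail client sees when the proxy presents server.crt without its intermediate; the same check against a live server is `openssl s_client -connect host:993 -showcerts </dev/null`, saving the extra certificates it prints and passing them to `openssl verify -untrusted`. If the leaf only verifies when the bundle is supplied, the server has to present the intermediate itself, which for guam is what the two cacertfile settings above achieve.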
Timotheus Pokorra
2016-03-30 10:35:25 UTC
Resending to the list because I realised that I only sent it to the OP...

Hello Josh,
Post by k***@use.startmail.com
Any guam developers on this list?
There are only 2 guam developers, Aaron and Jeroen, according to the
commit logs: https://cgit.kolab.org/guam/log/
Post by k***@use.startmail.com
It appears that guam completely ignores chained certificates, e.g. free ones obtained from startssl.com, mentioned in a secure-kolab-server.html HOWTO
I have not played with guam yet.
There have been discussions on this mailing list before, or somewhere
else? I cannot find the ones I think I can remember.

see http://lists.kolab.org/pipermail/users/2016-February/020545.html
see also https://git.kolab.org/T1065
see also https://docs.kolab.org/about/guam/configuration.html
Post by k***@use.startmail.com
Could I just remove guam and change imaps from 9993 to 993? What does guam do?
Quoting from https://kolab.org/group-blog/2016/01/31/kolab-16-at-fosdem16/
"Take for example GUAM, our all-new, totally original, "IMAP-protocol
firewall". Guam allows you to, for example, access Kolab from any
client without having to see the special Kolab groupware folders, such
as calendars, todos, contacts, and so on. As Guam is configured
server-side, users do not have to do anything special on their
clients."

Hope this helps,
Timotheus