HOWTO: Secure all Kolab Services

This HOWTO is based on Centos 6 with some notes for Debian 7.

The configuration on Debian(-based distributions) is similar, but the base path for the certifcates storage is different, and Debian already has a group called ssl-cert to which the user accounts for applications like Cyrus IMAP or Postfix are added by default.

On CentOS, this group is called mail.

Warning

This guide provides general information about how to enable ssl/tls and the majority of your kolab services. This guide is by no means 100% complete nor will it get’s updated everytime ciphers or protocols get deprecated.If you want to know more get deeper knowledge about securing a particular service please consult the corresponding software documentation or other projects that take care about hardening your server.

Example:

Prerequisites

Prepare your certificates! You’ll need your certificate, your key, the CA and intermediate CA certificates. This tutorial is based on the StartCom SSL CA. Feel free to use any other Certificate Authority to your liking.

In this case the certificate is a wildcard *.example.org certificate, which makes it easier to cover various hostnames (like smtp.example.org, imap.example.org and webmail.example.org).

  1. Copy your personal SSL certificates on your new Kolab server.

    On Debian the default location is /etc/ssl/ instead of /etc/pki/tls/.

    # scp example.org.key kolab.example.org:/etc/pki/tls/private/
# scp example.org.crt kolab.example.org:/etc/pki/tls/certs/

    On Debian: Make sure the files have the correct permissions: * /etc/ssl/private/example.org.key: owner root, group ssl-cert and mode 0640 * /etc/ssl/certs/example.org.crt: owner root, group root and mode 0666

  2. You should have obtained a CA certificate or CA certificate chain from your SSL certificate issuer.

    If you have not, obtain the root and chain certificates from your certification authority. Make sure the source of the certificate is verifiable and trusted.

    For example:

    # wget https://www.startssl.com/certs/ca.pem \
    -O /etc/pki/tls/certs/startcom-ca.pem

# wget https://www.startssl.com/certs/sub.class2.server.ca.pem \
    -O /etc/pki/tls/certs/startcom-sub.class2.server.ca.pem

  3. Lets build some bundle files we can use later

    # cat /etc/pki/tls/certs/example.org.crt \
      /etc/pki/tls/private/example.org.key \
      /etc/pki/tls/certs/startcom-sub.class2.server.ca.pem \
      /etc/pki/tls/certs/startcom-ca.pem \
      > /etc/pki/tls/private/example.org.bundle.pem

# cat /etc/pki/tls/certs/startcom-ca.pem \
      /etc/pki/tls/certs/startcom-sub.class2.server.ca.pem \
      > /etc/pki/tls/certs/example.org.ca-chain.pem

  4. Add an SSL group. Only members of this group should be able to access your private key, etc.

    On Debian the usergroup is not needed.

    # chmod 640 /etc/pki/tls/private/* \
    /etc/pki/tls/certs/*

# chown root:mail /etc/pki/tls/private/example.org.key

  5. Add the CA to system’s CA bundle.

    Other applications and scripts that want to communicate via SSL should point to the cabundle in case they want check if your own certificate is trusted.

    For RedHat/Centos based systems:

    # cp /etc/pki/tls/certs/startcom-ca.pem /etc/pki/ca-trust/source/anchors/startcom-ca.pem
# update-ca-trust

    On Debian based systems you’ve a different location/command, but the rest is the same.

    # cp /etc/ssl/certs/startcom-ca.pem /usr/local/share/ca-certificates/startcom-ca.crt
# update-ca-certificates

Applications

Cyrus IMAPD

  1. Configure SSL certificates

    Cyris 2.5 (Kolab 3.2+):

    # sed -r -i \
      -e 's|^tls_server_cert.*|tls_server_cert /etc/pki/tls/certs/example.org.crt|g' \
      -e 's|^tls_server_key.*|tls_server_key /etc/pki/tls/private/example.org.key|g' \
      -e 's|^tls_server_ca_file.*|tls_server_ca_file /etc/pki/tls/certs/example.org.ca-chain.pem|g' \
      /etc/imapd.conf

    Cyrus 2.4 (Kolab 3.0 + 3.1):

    # sed -r -i \
      -e 's|^tls_cert_file:.*|tls_cert_file: /etc/pki/tls/certs/example.org.crt|g' \
      -e 's|^tls_key_file:.*|tls_key_file: /etc/pki/tls/private/example.org.key|g' \
      -e 's|^tls_ca_file:.*|tls_ca_file: /etc/pki/tls/certs/example.org.ca-chain.pem|g' \
      /etc/imapd.conf

    On Debian: Change the paths according to the Debian file structure (replace /etc/pki/tls with /etc/ssl. Make sure that the user cyrus is part of the ssl-certs group.

    Bonus:

    You can get bonus points to disable weak ciphers like so:

    # Cyrus 2.5 (imapd.conf)
tls_ciphers: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

# Cyrus 2.4 (imapd.conf)
tls_ciphers_list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

  2. Restart and verify

    # service cyrus-imapd restart
# sslscan --no-failed localhost:993
# openssl s_client -showcerts -connect localhost:993

Postfix

  1. Configure SSL certificates

    # postconf -e smtpd_tls_key_file=/etc/pki/tls/private/example.org.key
# postconf -e smtpd_tls_cert_file=/etc/pki/tls/certs/example.org.crt
# postconf -e smtpd_tls_CAfile=/etc/pki/tls/certs/example.org.ca-chain.pem
# postconf -e smtp_tls_mandatory_protocols='!SSLv2,!SSLv3'
# postconf -e smtp_tls_protocols='!SSLv2,!SSLv3'
# postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'
# postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'
# postconf -e smtpd_tls_mandatory_ciphers=high
# postconf -e smtpd_tls_eecdh_grade=ultra
# postconf -e tls_preempt_cipherlist=yes
# postconf -e tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

    On Debian: Change the paths according to the Debian file structure (replace /etc/pki/tls with /etc/ssl. Make sure that the user postfix is part of the ssl-certs group.

  2. Restart

    # service postfix restart
# sslscan --starttls --no-failed localhost:587

Apache2

Apache offers 2 modules that provide SSL support.

The wildly used mod_ssl and mod_nss. Since mod_nss was already installed and loaded through some dependency I’ll cover this.

mod_ssl

This is the prefered way and it’s easier to work with.

  1. Install mod_ssl

    # yum install mod_ssl

  2. Set your ssl certificates

    # sed -i -e 's/^SSLCertificateFile.*/SSLCertificateFile /etc/pki/tls/certs/example.org.crt/' /etc/httpd/conf.d/ssl.conf
# sed -i -e 's/^SSLCertificateKeyFile.*/SSLCertificateKeyFile /etc/pki/tls/private/example.org.key/' /etc/httpd/conf.d/ssl.conf
# sed -i -e 's/^#?SSLCertificateChainFile.*/SSLCertificateChainFile /etc/pki/tls/certs/example.org.ca-chain.pem/' /etc/httpd/conf.d/ssl.conf

  3. Fine tune your ssl/tls ciphers and protocols

    # sed -i -e 's/^SSLProtocol.*/SSLProtocol All -SSLv2 -SSLv3/' /etc/httpd/conf.d/ssl.conf
# sed -i -e "s/^SSLProtocol/SSLHonorCipherOrder on\nSSLProtocol/" /etc/httpd/conf.d/ssl.conf
# sed -i -e 's/^SSLCipherSuite.*/SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"/' /etc/httpd/conf.d/ssl.conf

  4. Create a vhost for http (:80) to redirect everything to https

    # cat >> /etc/httpd/conf/httpd.conf << EOF

<VirtualHost _default_:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
EOF

  5. Restart and verify

    # service httpd restart
# openssl s_client -showcerts -connect localhost:443

mod_nss

This is an alternative to mod_ssl.

  1. Import your CA into NSS Cert Database for Apache

    # certutil -d /etc/httpd/alias -A  -t "CT,," \
    -n "StartCom Certification Authority" \
    -i /etc/pki/tls/certs/startcom-ca.pem

  2. Convert and import your personal certificate into NSS DB

    # openssl pkcs12 -export \
    -in /etc/pki/tls/certs/example.org.crt \
    -inkey /etc/pki/tls/private/example.org.key \
    -out /tmp/example.p12 -name Server-Cert -passout pass:foo

# echo "foo" > /tmp/foo
# pk12util -i /tmp/example.p12 -d /etc/httpd/alias -w /tmp/foo -k /dev/null
# rm /tmp/foo
# rm /tmp/example.p12

  3. You should now be able to see all the imported certificates

    # certutil -L -d /etc/httpd/alias
# certutil -V -u V -d /etc/httpd/alias -n "Server-Cert"

  4. Move mod_nss from port 8443 to 443 and configure the certificate that mod_nss should use.

    # sed -i -e 's/8443/443/' /etc/httpd/conf.d/nss.conf
# sed -i -e 's/NSSNickname.*/NSSNickname Server-Cert/' \
    /etc/httpd/conf.d/nss.conf

  5. Create a vhost for http (:80) to redirect everything to https

    # cat >> /etc/httpd/conf/httpd.conf << EOF

<VirtualHost _default_:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
EOF

  6. Restart and verify

    # service httpd restart
# openssl s_client -showcerts -connect localhost:443

389 Directory Server

Note

Unless you want to make your LDAP Service available to other services on other servers you can safely skip this section. There’s no need to enable SSL/TLS if you only use LDAP on localhost.

If you’ve more question please refer the the documentation of the 389 directory server.

Enable SSL/TLS

  1. First you must import your PEM File into the certutil certificate store (identical to Apache with mod_nss)

    # certutil -d /etc/dirsrv/slapd-$(hostname -s)/ -A  -t "CT,," \
    -n "StartCom Certification Authority" \
    -i /etc/pki/tls/certs/startcom-ca.pem

# openssl pkcs12 -export \
    -in /etc/pki/tls/certs/example.org.crt \
    -inkey /etc/pki/tls/private/example.org.key \
    -out /tmp/example.p12 -name Server-Cert -passout pass:foo

# echo "foo" > /tmp/foo
# pk12util -i /tmp/example.p12 -d /etc/dirsrv/slapd-$(hostname -s)/ \
    -w /tmp/foo -k /dev/null
# rm /tmp/foo
# rm /tmp/example.p12

  2. Enable SSL Support

    Since all the configuration for 389ds is being done live, changing and adding SSL support will require some LDAP commands to modify the server configuration.

    # passwd=$(grep ^bind_pw /etc/kolab/kolab.conf | cut -d '=' -f2- | sed -e 's/\s*//g')
# ldapmodify -x -h localhost -p 389 \
    -D "cn=Directory Manager" -w "${passwd}" << EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL2
nsSSL2: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS1
nsTLS1: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
-
replace: nsslapd-secureport
nsslapd-secureport: 636

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF

  3. Next, restart the LDAP service:

    # service dirsrv restart
# openssl s_client -connect localhost:636

  4. You can test if your LDAP over SSL is configured correctly via the openssl s_client -connect localhost:636 command, or just making a query using ldapsearch:

    Test non-SSL connection

    # ldapsearch -x -H ldap://kolab.example.org \
    -b "cn=kolab,cn=config" -D "cn=Directory Manager" \
    -w "${passwd}"

    Test SSL connection

    # ldapsearch -x -H ldaps://kolab.example.org \
    -b "cn=kolab,cn=config" -D "cn=Directory Manager" \
    -w "${passwd}"

Kolab Components

kolab-cli

With the HTTP Service configured to force SSL communication you must add/update your kolab-cli API url.

# sed -r -i \
      -e '/api_url/d' \
      -e "s#\[kolab_wap\]#[kolab_wap]\napi_url = https://kolab.example.org/kolab-webadmin/api#g" \
      /etc/kolab/kolab.conf

Roundcube/Plugins

Set correct SSL parameters for HTTP_Request2. This will ensure the kolab_files plugin and Chwala can talk over HTTPS.

  1. Change freebusy API url in the libkolab plugin configuration:

    # sed -i -e 's/http:/https:/' /etc/roundcubemail/libkolab.inc.php

  2. Change Chwala API url in the kolab_files plugin configuration:

    # sed -i -e 's/http:/https:/' /etc/roundcubemail/kolab_files.inc.php

  3. Lets remove the php-close tag line as a quick hack to make it easier for us to extend the /etc/roundcubemail/config.inc.php:

    # sed -i -e '/^?>/d' /etc/roundcubemail/config.inc.php

  4. Tell the webclient the SSL iRony URLs for CalDAV and CardDAV:

    # cat >> /etc/roundcubemail/config.inc.php << EOF
# caldav/webdav
\$config['calendar_caldav_url']             = "https://%h/iRony/calendars/%u/%i";
\$config['kolab_addressbook_carddav_url']   = 'https://%h/iRony/addressbooks/%u/%i';
EOF

  5. Additionaly, you can redirect all http traffic to https:

    # cat >> /etc/roundcubemail/config.inc.php << EOF
# Force https redirect for http requests
\$config['force_https'] = true;
EOF

  6. Optional: Switch to verified ssl connections

    This will enable the ssl-verification for internal api calls between kolab php components (like roundcube <> chwala). If you care about this you’re free to do so, but don’t forget the parts of python/kolab.conf as well.

    Usually these calls are internal (on localhost) and therefore don’t really need to to trust the ssl endpoint.

    1. Remove old-style SSL configuration parameters

      # sed -i -e '/kolab_ssl/d' /etc/roundcubemail/libkolab.inc.php

    2. Enable SSL verification against our extended CA bundle.

      # cat >> /etc/roundcubemail/config.inc.php << EOF
\$config['kolab_http_request'] = array(
        'ssl_verify_peer'       => true,
        'ssl_verify_host'       => true,
        'ssl_cafile'            => '/etc/pki/tls/certs/ca-bundle.crt'
);
EOF