@dhoffend
Last active December 25, 2015 16:49
Simple SSL Configuration for Kolab 3.1

Newer version in the official docs

Please check the newer SSL documentation in the official docs: http://docs.kolab.org/howtos/secure-kolab-server.html

Intro

This howto is based on CentOS 6.4. The configuration on Debian is similar; only the path for the certificates differs, and Debian already has a group called ssl-cert to which applications like cyrus or postfix are added.

Prerequisites

Prepare your certificates! You'll need your certificate, your key, and the CA and intermediate CA certificates. This tutorial is based on the StartCom SSL CA; feel free to use any other CA you like.

In this case the certificate is a wildcard *.example.org certificate, which makes it easier to cover various hostnames (like smtp.example.org, imap.example.org, webmail.example.org).

Transfer your personal SSL certificate and key

scp example.org.key kolab.example.org:/etc/pki/tls/private/
scp example.org.crt kolab.example.org:/etc/pki/tls/private/

Download the root and chain certificates from your provider. Because --no-check-certificate skips verification of the download itself, compare the fingerprints of the downloaded files with those published by your CA before trusting them.

wget --no-check-certificate https://www.startssl.com/certs/ca.pem -O /etc/pki/tls/private/startcom-ca.pem
wget --no-check-certificate https://www.startssl.com/certs/sub.class2.server.ca.pem -O /etc/pki/tls/private/startcom-sub.class2.server.ca.pem

Let's build some bundle files we can use later

cat /etc/pki/tls/private/example.org.crt \
    /etc/pki/tls/private/example.org.key \
    /etc/pki/tls/private/startcom-sub.class2.server.ca.pem \
    /etc/pki/tls/private/startcom-ca.pem \
    > /etc/pki/tls/private/example.org.bundle.pem

cat /etc/pki/tls/private/startcom-ca.pem \
    /etc/pki/tls/private/startcom-sub.class2.server.ca.pem \
    > /etc/pki/tls/private/example.org.ca-chain.pem

Add an ssl group. Only members of this group are able to access your private key.

groupadd ssl
chmod 640 /etc/pki/tls/private/*
chown root:ssl /etc/pki/tls/private/*

Add your CA to the system CA bundle. Other tools that verify certificates need to know your CA, so that the SSL certificate you use is accepted as valid. Note that /etc/pki/tls/certs/ca-bundle.crt belongs to the ca-certificates package, so a package update can overwrite this addition; re-check it after updates.

cat /etc/pki/tls/private/startcom-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
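As an added check (not part of the original gist), the following shell functions verify what the bundle and permission steps above are supposed to produce: that every file in the private directory has the intended mode, owner and group, that the files later handed to other software as CA material (the ca-chain file and the two CA certificates) contain no private key, and that the expected number of certificates ended up in each bundle. Because the real key and certificate files cannot be embedded here, make_demo_dir builds a directory of constructed placeholder PEM files (not real keys or certificates) using the same file names and the same concatenation as above, so the checks can be exercised anywhere; on a real server you would run check_ssl_dir against /etc/pki/tls/private with owner root and group ssl instead.

```shell
#!/bin/sh
# Added example: sanity checks for the PEM bundles and file permissions
# created in the steps above. Uses only grep/stat, no network access.
# The stat -c format is GNU/busybox coreutils syntax.

# Number of "BEGIN CERTIFICATE" blocks in a PEM file.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if the file contains no private key block, 1 otherwise.
pem_has_no_key() {
    ! grep -q 'PRIVATE KEY-----' "$1"
}

# Return 0 if the file has the expected octal mode, owner and group.
# Example on a real server: pem_perm_ok /etc/pki/tls/private/example.org.key 640 root ssl
pem_perm_ok() {
    actual=$(stat -c '%a %U %G' "$1") || return 1
    [ "$actual" = "$2 $3 $4" ]
}

# Run every check against a directory laid out like /etc/pki/tls/private.
# Returns 0 when all pass, 1 otherwise, naming each failing check.
check_ssl_dir() {
    d=$1; owner=$2; group=$3; rc=0
    for f in "$d"/*; do
        pem_perm_ok "$f" 640 "$owner" "$group" || { echo "BAD PERMS: $f"; rc=1; }
    done
    # CA material is handed to other software; it must never carry the key.
    for f in "$d/example.org.ca-chain.pem" "$d/startcom-ca.pem" "$d/startcom-sub.class2.server.ca.pem"; do
        pem_has_no_key "$f" || { echo "PRIVATE KEY LEAKED INTO: $f"; rc=1; }
    done
    [ "$(pem_cert_count "$d/example.org.ca-chain.pem")" -eq 2 ] || { echo "ca-chain should hold root + intermediate"; rc=1; }
    [ "$(pem_cert_count "$d/example.org.bundle.pem")" -eq 3 ] || { echo "bundle should hold cert + intermediate + root"; rc=1; }
    return $rc
}

# Constructed placeholder PEM data (NOT real keys or certificates), laid
# out with the file names and concatenation used in the howto. Prints the
# temporary directory it created.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-SERVER-CERT' '-----END CERTIFICATE-----' > "$dir/example.org.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END RSA PRIVATE KEY-----' > "$dir/example.org.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE-CA' '-----END CERTIFICATE-----' > "$dir/startcom-sub.class2.server.ca.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-ROOT-CA' '-----END CERTIFICATE-----' > "$dir/startcom-ca.pem"
    cat "$dir/example.org.crt" "$dir/example.org.key" \
        "$dir/startcom-sub.class2.server.ca.pem" "$dir/startcom-ca.pem" > "$dir/example.org.bundle.pem"
    cat "$dir/startcom-ca.pem" "$dir/startcom-sub.class2.server.ca.pem" > "$dir/example.org.ca-chain.pem"
    chmod 640 "$dir"/*
    printf '%s\n' "$dir"
}

# Stand-alone run: build the constructed fixture, check it, clean up.
demo_dir=$(make_demo_dir)
check_ssl_dir "$demo_dir" "$(id -un)" "$(id -gn)" && echo "all checks passed"
rm -rf "$demo_dir"
```

The bundle file deliberately contains the key, so pem_has_no_key is only applied to the files that are meant to leave the private directory; the important property is that the ca-chain file, which is appended to the system bundle and referenced by cyrus and postfix as CA material, never picks up a key by a copy-and-paste mistake.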

Cyrus

Allow the cyrus user to access the SSL certificate (usermod -G replaces the supplementary group list, so keep the groups the user already has)

usermod -G saslauth,ssl cyrus

Configure the SSL certificates

sed -r -i \
    -e 's|^tls_cert_file:.*|tls_cert_file: /etc/pki/tls/private/example.org.crt|g' \
    -e 's|^tls_key_file:.*|tls_key_file: /etc/pki/tls/private/example.org.key|g' \
    -e 's|^tls_ca_file:.*|tls_ca_file: /etc/pki/tls/private/example.org.ca-chain.pem|g' \
    /etc/imapd.conf

Restart and verify

service cyrus-imapd restart
openssl s_client -showcerts -connect localhost:993

Postfix

Allow the postfix user to access the SSL certificate (again, usermod -G replaces the supplementary group list)

usermod -G mail,ssl postfix

Configure the SSL certificates (the certificate and the CA chain were placed in /etc/pki/tls/private/ above, so point postfix there)

postconf -e smtpd_tls_key_file=/etc/pki/tls/private/example.org.key
postconf -e smtpd_tls_cert_file=/etc/pki/tls/private/example.org.crt
postconf -e smtpd_tls_CAfile=/etc/pki/tls/private/example.org.ca-chain.pem

Restart

service postfix restart

Apache

Apache offers two modules that provide SSL support: the widely used mod_ssl and mod_nss. Since mod_nss was already installed and loaded through some dependency, I'll cover that one. Feel free to use mod_ssl.

mod_nss

I configured mod_nss because it was already installed. If you prefer mod_ssl, nobody stops you.

Import your CA into the NSS certificate database for Apache

certutil -d /etc/httpd/alias -A  -t "CT,," -n "StartCom Certification Authority" -i /etc/pki/tls/private/startcom-ca.pem

Convert and import your personal certificate into the NSS database

# the temporary PKCS#12 file carries your private key: create it and the password file unreadable for others, and remove both afterwards
umask 077
openssl pkcs12 -export -in /etc/pki/tls/private/example.org.crt -inkey /etc/pki/tls/private/example.org.key -out /tmp/example.p12 -name Server-Cert -passout pass:foo
echo "foo" > /tmp/foo
pk12util -i /tmp/example.p12 -d /etc/httpd/alias -w /tmp/foo -k /dev/null
rm /tmp/foo
rm /tmp/example.p12

You should now be able to see all the imported certificates, and the second command checks that Server-Cert validates as a server certificate against the imported CA

certutil -L -d /etc/httpd/alias
certutil -V -u V -d /etc/httpd/alias -n "Server-Cert"

Configure mod_nss to serve on port 443 with the imported certificate

sed -i -e 's/8443/443/' /etc/httpd/conf.d/nss.conf
sed -i -e 's/NSSNickname.*/NSSNickname Server-Cert/' /etc/httpd/conf.d/nss.conf

Create a vhost for HTTP (port 80) that redirects everything to HTTPS

echo '

<VirtualHost _default_:80>
        RewriteEngine On
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
' >> /etc/httpd/conf/httpd.conf

Create a redirect / -> /roundcubemail/ for the SSL host

sed -i -e 's/<\/VirtualHost>/\tRedirectMatch ^\/$ \/roundcubemail\/\n<\/VirtualHost>/' /etc/httpd/conf.d/nss.conf

Restart and verify

service httpd restart
openssl s_client -showcerts -connect localhost:443

Kolab Backend

With the HTTP service configured to force SSL, you must add or update the kolab-cli API URL in kolab.conf.

sed -r -i \
    -e '/api_url/d' \
    -e "s#\[kolab_wap\]#[kolab_wap]\napi_url = https://kolab.example.org/kolab-webadmin/api#g" \
    /etc/kolab/kolab.conf

Kolab webclient

Set the correct SSL parameters for HTTP_Request2 in /etc/roundcubemail/config.inc.php, so the webclient verifies the peer certificate against the CA bundle your CA was added to above

$config['kolab_http_request'] = array(
        'ssl_verify_peer'       => true,
        'ssl_verify_host'       => true,
        'ssl_cafile'            => '/etc/pki/tls/certs/ca-bundle.crt'
);

Change kolab_files to work with SSL

sed -i -e 's/http:/https:/' /etc/roundcubemail/kolab_files.inc.php

389ds (LDAP Server)

If you really want or need to, you can also add SSL support to your LDAP server.

First you must import your CA and your certificate into the NSS certificate store of the directory server (identical to Apache with mod_nss)

certutil -d /etc/dirsrv/slapd-kolab/ -A  -t "CT,," -n "StartCom Certification Authority" -i /etc/pki/tls/private/startcom-ca.pem
# as for Apache: the PKCS#12 file carries your private key, keep it and the password file unreadable for others and remove both afterwards
umask 077
openssl pkcs12 -export -in /etc/pki/tls/private/example.org.crt -inkey /etc/pki/tls/private/example.org.key -out /tmp/example.p12 -name Server-Cert -passout pass:foo
echo "foo" > /tmp/foo
pk12util -i /tmp/example.p12 -d /etc/dirsrv/slapd-kolab/ -w /tmp/foo -k /dev/null
rm /tmp/foo
rm /tmp/example.p12

Since all the configuration for 389ds is done live, changing and adding SSL support requires some LDAP commands to modify the server configuration. Note that the LDIF below enables SSLv3 (nsSSL3) and sets an explicit nsSSL3Ciphers list that still includes RC4, 40-bit and export-grade ciphers; that is what worked for this gist at the time, but a current deployment should disable SSLv3 and drop those ciphers.

ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w "$(grep ^bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3-)" << EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
-
replace: nsslapd-secureport
nsslapd-secureport: 636

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF

Now you can restart the service and test the new SSL support of your LDAP server

service dirsrv restart

You can test whether ldaps is configured correctly either via openssl s_client or by making a query via ldapsearch

# non-ssl
ldapsearch -x -H ldap://kolab.example.org -b "cn=kolab,cn=config" -D "cn=Directory Manager" -w "$(grep ^bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3-)"

# ssl
ldapsearch -x -H ldaps://kolab.example.org -b "cn=kolab,cn=config" -D "cn=Directory Manager" -w "$(grep ^bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3-)"
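The "restart and verify" steps for cyrus (993), Apache (443) and 389ds (636) all rely on openssl s_client, but they do not say what to look for in its output. The added example below (not part of the gist) wraps s_client so that the check is a single exit code: it passes -CAfile with the ca-chain file built above and reads the "Verify return code" line that s_client prints at the end, which is 0 only when the presented chain validates against that file. check_kolab_tls runs the check against the three ports from this howto plus SMTP on port 25 via STARTTLS; that last one is an assumption, since the postfix section above does not show STARTTLS being enabled. The parser is exercised on a constructed s_client transcript so the block runs without any server.

```shell
#!/bin/sh
# Added example: verify that a TLS endpoint presents a chain that
# validates against our own CA chain file. Needs the openssl binary for
# the live checks; the parser itself needs only sed/tail.

# Read openssl s_client output on stdin and print the numeric verify
# code (0 = ok). Prints "missing" when no such line is present, which is
# what you get on a refused connection or a non-TLS port.
verify_code_from_sclient() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1)
    [ -n "$code" ] && printf '%s\n' "$code" || printf 'missing\n'
}

# Connect and verify. Usage: tls_verify HOST PORT CAFILE [STARTTLS-PROTO]
# Returns 0 only when the chain validates against CAFILE.
tls_verify() {
    host=$1; port=$2; cafile=$3; proto=${4:-}
    if [ -n "$proto" ]; then
        out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" -starttls "$proto" < /dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" < /dev/null 2>&1)
    fi
    code=$(printf '%s\n' "$out" | verify_code_from_sclient)
    [ "$code" = 0 ]
}

# Check the endpoints set up in this howto. Usage: check_kolab_tls HOST CAFILE
# Port 25 with STARTTLS is an assumption (postfix must offer STARTTLS for it).
check_kolab_tls() {
    rc=0
    for spec in 993: 443: 636: 25:smtp; do
        port=${spec%%:*}; proto=${spec#*:}
        if tls_verify "$1" "$port" "$2" "$proto"; then
            echo "$1:$port ok"
        else
            echo "$1:$port FAILED"; rc=1
        fi
    done
    return $rc
}

# Stand-alone demo of the parser on a constructed s_client transcript
# (no network needed). Live usage on the server would be:
#   check_kolab_tls kolab.example.org /etc/pki/tls/private/example.org.ca-chain.pem
printf '%s\n' 'CONNECTED(00000003)' '    Verify return code: 0 (ok)' '---' | verify_code_from_sclient
```

A verify code of 0 on each port shows that the chain sent by the service is complete and anchored in the CA you imported; the most common failure, code 21 (unable to verify the first certificate), means the intermediate certificate is missing from what the server sends, which is exactly what the ca-chain and tls_ca_file/smtpd_tls_CAfile settings above are meant to prevent.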

-- Have fun Daniel
