Gist dhoffend/7008915
Last active December 25, 2015 16:49
Simple SSL Configuration for Kolab 3.1

Newer version in the official docs

Please check the newer SSL documentation in the official docs:


This howto is based on CentOS 6.4. The configuration on Debian is similar; only the path for the certificates is different, and Debian already has a group called ssl-cert to which applications like cyrus or postfix are added.


Prepare your certificates! You'll need your certificate, your key, the CA certificate and the intermediate CA certificates. This tutorial is based on the StartCom SSL CA. Feel free to use any other CA of your liking.

In this case the certificate is a wildcard * certificate, which makes it easier to cover various hostnames (like

Transfer your personal ssl cert


Download root and chain certificates from your provider.

wget --no-check-certificate -O /etc/pki/tls/private/startcom-ca.pem
wget --no-check-certificate -O /etc/pki/tls/private/

Let's build some bundle files we can use later

cat /etc/pki/tls/private/ \
    /etc/pki/tls/private/ \
    /etc/pki/tls/private/ \
    /etc/pki/tls/private/startcom-ca.pem \
    > /etc/pki/tls/private/

cat /etc/pki/tls/private/startcom-ca.pem \
    /etc/pki/tls/private/ \
    > /etc/pki/tls/private/
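The order of the cat pipeline above is what matters: the server certificate must come first, followed by the intermediate(s) and finally the root, because a daemon sends the file as-is and a client verifies from the first certificate upwards. As an added example (not part of the gist), the script below builds a throw-away root CA, intermediate CA and wildcard server certificate with openssl, assembles the bundle in the gist's order, checks that the bundle really starts with the server certificate, and shows that verification fails as soon as the intermediate is left out. All names (Example Root CA, *.example.com, the file names in the scratch directory) are invented for the demo; the real files live under /etc/pki/tls/private as in the gist.

```shell
#!/bin/sh
# Added example, not from the original gist: build root -> intermediate -> wildcard server chain,
# bundle it in the gist's order (server, intermediate, root) and verify it like a client would.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, nothing to demonstrate" >&2; exit 0; }

# Minimal openssl config; [dn] stays empty because every subject is passed with -subj.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.com,DNS:example.com
EOF
}

# make_chain DIR: writes root.pem, intermediate.pem and server.pem (plus keys) into DIR.
make_chain() {
    dir=$1
    cfg=$dir/openssl.cnf
    write_openssl_cnf "$cfg"
    for name in root intermediate server; do
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    done
    # Self-signed root CA (stands in for startcom-ca.pem).
    openssl req -new -x509 -config "$cfg" -extensions ca -key "$dir/root.key" \
        -subj "/CN=Example Root CA" -days 3650 -out "$dir/root.pem"
    # Intermediate CA signed by the root.
    openssl req -new -config "$cfg" -key "$dir/intermediate.key" \
        -subj "/CN=Example Intermediate CA" -out "$dir/intermediate.csr"
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$cfg" -extensions ca \
        -out "$dir/intermediate.pem" 2>/dev/null
    # Wildcard server certificate signed by the intermediate (the gist's "personal" certificate).
    openssl req -new -config "$cfg" -key "$dir/server.key" \
        -subj "/CN=*.example.com" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 365 -extfile "$cfg" -extensions server \
        -out "$dir/server.pem" 2>/dev/null
}

# build_bundle DIR: server cert first, then the intermediate, then the root, exactly like the
# gist's cat command. Prints the bundle path.
build_bundle() {
    cat "$1/server.pem" "$1/intermediate.pem" "$1/root.pem" > "$1/bundle.pem"
    echo "$1/bundle.pem"
}

# first_cert_fingerprint FILE: SHA-256 fingerprint of the first certificate in a PEM file.
# openssl x509 only reads the first certificate, so this tells you what leads the bundle.
first_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# verify_with_bundle ROOT BUNDLE LEAF: 0 when LEAF chains up to ROOT using the untrusted
# certificates found in BUNDLE, 1 otherwise (for example when the intermediate is missing).
verify_with_bundle() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then return 0; fi
    return 1
}

# Stand-alone demo in a scratch directory.
demo_dir=$(mktemp -d)
make_chain "$demo_dir"
bundle=$(build_bundle "$demo_dir")
echo "bundle leads with: $(openssl x509 -in "$bundle" -noout -subject)"
verify_with_bundle "$demo_dir/root.pem" "$bundle" "$demo_dir/server.pem" && echo "chain with intermediate: OK"
verify_with_bundle "$demo_dir/root.pem" "$demo_dir/root.pem" "$demo_dir/server.pem" || echo "root only, no intermediate: FAILS as expected"
rm -rf "$demo_dir"
```

The same `openssl x509 -fingerprint -sha256` call is also the right way to check a CA certificate that was fetched with `wget --no-check-certificate` as above: compare the printed fingerprint with the one the CA publishes before appending the file to any trust store.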

Add an ssl group. Only members of this group are able to access your private key.

groupadd ssl
chmod 640 /etc/pki/tls/private/*
chown root:ssl /etc/pki/tls/private/*

Add your CA to the CA bundle. Other tools that verify certificates should have access to your CA, so they can confirm that the SSL certificate you use is valid.

cat /etc/pki/tls/private/startcom-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt


Allow the cyrus user to access the SSL certificate and key

usermod -G saslauth,ssl cyrus
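The chmod/chown/usermod steps above are easy to get subtly wrong (a later `usermod -G` without the ssl group silently drops the membership, a copied key arrives with mode 644). As an added example that is not part of the gist, the script below audits the result: every file in the key directory must have no permission bits for "other" and be owned by root:ssl, and each service account must actually list ssl among its groups. It assumes GNU `stat -c` and `id -nG` (CentOS/Debian coreutils), the gist's directory /etc/pki/tls/private, and the cyrus and postfix accounts the gist adds to the group.

```shell
#!/bin/sh
# Added example, not from the original gist: audit private-key permissions and group membership.

# key_files_exposed DIR: prints every regular file in DIR whose "other" permission bits are set
# (or that cannot be inspected); returns 0 when nothing is exposed, 1 otherwise.
key_files_exposed() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f" 2>/dev/null) || { echo "cannot stat: $f"; found=1; continue; }
        last=${mode#"${mode%?}"}          # last octal digit = permissions for "other"
        if [ "$last" != "0" ]; then
            echo "world-accessible: $f (mode $mode)"
            found=1
        fi
    done
    return $found
}

# key_file_owner_ok FILE GROUP: 0 when FILE is owned by root and group GROUP (root:ssl in the gist).
key_file_owner_ok() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "root:$2" ]
}

# user_in_group USER GROUP: 0 when GROUP appears in USER's group list (primary or supplementary).
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Stand-alone demo against the gist's layout; KEYDIR can be overridden in the environment.
KEYDIR=${KEYDIR:-/etc/pki/tls/private}
for user in cyrus postfix; do
    if user_in_group "$user" ssl; then
        echo "$user: member of group ssl"
    else
        echo "$user: NOT a member of group ssl (or no such account)"
    fi
done
if [ -d "$KEYDIR" ]; then
    key_files_exposed "$KEYDIR" && echo "$KEYDIR: no world-accessible files"
    for f in "$KEYDIR"/*; do
        [ -f "$f" ] && ! key_file_owner_ok "$f" ssl && echo "unexpected owner: $f ($(stat -c '%U:%G' "$f"))"
    done
fi
```

Run it as root after the usermod steps for cyrus and postfix; a non-root user gets the same answers as long as the directory itself is searchable.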

Configure ssl certificates

sed -r -i \
    -e 's|^tls_cert_file:.*|tls_cert_file: /etc/pki/tls/private/|g' \
    -e 's|^tls_key_file:.*|tls_key_file: /etc/pki/tls/private/|g' \
    -e 's|^tls_ca_file:.*|tls_ca_file: /etc/pki/tls/private/|g' \

Restart and verify

service cyrus-imapd restart
openssl s_client -showcerts -connect localhost:993


Allow the postfix user to access the SSL certificate and key

usermod -G mail,ssl postfix

Configure SSL certificates

postconf -e smtpd_tls_key_file=/etc/pki/tls/private/
postconf -e smtpd_tls_cert_file=/etc/pki/tls/certs/
postconf -e smtpd_tls_CAfile=/etc/pki/tls/certs/


service postfix restart


Apache offers two modules that provide SSL support: the widely used mod_ssl, and mod_nss. Since mod_nss was already installed and loaded through some dependency, I'll cover that one. Feel free to use mod_ssl.


I configured mod_nss because it was already installed. If you prefer mod_ssl, nobody stops you.

Import your CA into NSS Cert Database for Apache

certutil -d /etc/httpd/alias -A  -t "CT,," -n "StartCom Certification Authority" -i /etc/pki/tls/private/startcom-ca.pem

Convert and import your personal certificate into NSS DB

openssl pkcs12 -export -in /etc/ssl/private/ -inkey /etc/ssl/private/ -out /tmp/example.p12 -name Server-Cert -passout pass:foo
echo "foo" > /tmp/foo
pk12util -i /tmp/example.p12 -d /etc/httpd/alias -w /tmp/foo -k /dev/null
rm /tmp/foo
rm /tmp/example.p12

You should now be able to see all the imported certificates

certutil -L -d /etc/httpd/alias
certutil -V -u V -d /etc/httpd/alias -n "Server-Cert"

Configure mod_nss to do the ssl stuff

sed -i -e 's/8443/443/' /etc/httpd/conf.d/nss.conf
sed -i -e 's/NSSNickname.*/NSSNickname Server-Cert/' /etc/httpd/conf.d/nss.conf

Create a vhost for http (:80) that redirects everything to https

echo '

<VirtualHost _default_:80>
        RewriteEngine On
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
' >> /etc/httpd/conf/httpd.conf

Create a redirect / -> /roundcubemail/ for the ssl host

sed -i -e 's/<\/VirtualHost>/\tRedirectMatch ^\/$ \/roundcubemail\/\n<\/VirtualHost>/' /etc/httpd/conf.d/nss.conf

Restart and verify

service httpd restart
openssl s_client -showcerts -connect localhost:443

Kolab Backend

With the HTTP service configured to force SSL, you must add or update the kolab-cli API URL.

sed -r -i \
    -e '/api_url/d' \
    -e "s#\[kolab_wap\]#[kolab_wap]\napi_url =" \

Kolab webclient

Set the correct SSL parameters for HTTP_Request2


$config['kolab_http_request'] = array(
        'ssl_verify_peer'       => true,
        'ssl_verify_host'       => true,
        'ssl_cafile'            => '/etc/pki/tls/certs/ca-bundle.crt'
);

Change kolab_files to work with SSL

sed -i -e 's/http:/https:/' /etc/roundcubemail/

389ds (LDAP Server)

If you really want or need it, you can also add SSL support to your LDAP server

First you must import your PEM file into the certutil certificate store (identical to Apache with mod_nss)

certutil -d /etc/dirsrv/slapd-kolab/ -A  -t "CT,," -n "StartCom Certification Authority" -i /etc/pki/tls/private/startcom-ca.pem
openssl pkcs12 -export -in /etc/ssl/private/ -inkey /etc/ssl/private/ -out /tmp/example.p12 -name Server-Cert -passout pass:foo
echo "foo" > /tmp/foo
pk12util -i /tmp/example.p12 -d /etc/dirsrv/slapd-kolab/ -w /tmp/foo -k /dev/null
rm /tmp/foo
rm /tmp/example.p12

Since all the configuration of 389ds is done live, enabling SSL support requires a few LDAP commands to modify the server configuration.

ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w "$(grep ^bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3-)" << EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
replace: nsslapd-secureport
nsslapd-secureport: 636

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF

Now you can restart the service and test the new SSL support of your LDAP server

service dirsrv restart

You can test whether ldaps is configured correctly either via openssl s_client or simply by making a query via ldapsearch

# non-ssl
ldapsearch -x -H ldap:// -b "cn=kolab,cn=config" -D "cn=Directory Manager" -w "$(grep ^bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3-)"

# ssl
ldapsearch -x -H ldaps:// -b "cn=kolab,cn=config" -D "cn=Directory Manager" -w "$(grep ^bind_pw /etc/kolab/kolab.conf | cut -d ' ' -f3-)"
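The "restart and verify" steps for cyrus (993), httpd (443) and 389ds (636) all end in `openssl s_client -showcerts` and leave reading the output to you. As an added example that is not part of the gist, the wrapper below pins the CA bundle the gist appended the CA to (/etc/pki/tls/certs/ca-bundle.crt), reduces the output to a pass/fail on the "Verify return code" line, and counts how many certificates the server presented, which is the quickest way to spot a daemon pointed at the bare certificate instead of the bundle. The host:port[/starttls-proto] spec and the helper names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original gist: pass/fail wrapper around openssl s_client.
CA_BUNDLE=${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}

# verify_code_ok: reads s_client output on stdin; 0 only when the chain verified against CA_BUNDLE.
verify_code_ok() {
    grep -q '^ *Verify return code: 0 (ok)'
}

# certs_sent: reads `s_client -showcerts` output on stdin and prints how many certificates the
# server presented. A count of 1 means the intermediate never made it into the configured bundle.
certs_sent() {
    grep -c '^-----BEGIN CERTIFICATE-----'
}

# split_target SPEC: "host:port" or "host:port/starttls-proto" -> "host port proto" on one line.
split_target() {
    hp=${1%%/*}
    proto=${1#"$hp"}
    proto=${proto#/}
    echo "${hp%:*} ${hp##*:} $proto"
}

# tls_check SPEC: connects, forces verification against CA_BUNDLE, reports the outcome and the
# number of certificates sent. Returns 0 on a verified chain.
tls_check() {
    set -- $(split_target "$1")
    host=$1; port=$2; proto=${3:-}
    if [ -n "$proto" ]; then
        out=$(openssl s_client -connect "$host:$port" -starttls "$proto" -servername "$host" \
                  -showcerts -CAfile "$CA_BUNDLE" </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -showcerts -CAfile "$CA_BUNDLE" </dev/null 2>&1)
    fi
    sent=$(printf '%s\n' "$out" | certs_sent)
    if printf '%s\n' "$out" | verify_code_ok; then
        echo "$host:$port${proto:+ (STARTTLS $proto)}: chain verified, $sent certificate(s) sent"
        return 0
    fi
    echo "$host:$port: verification FAILED, $sent certificate(s) sent"
    printf '%s\n' "$out" | grep -E 'Verify return code|verify error|:error:' | head -n 3
    return 1
}

# Usage: sh tlscheck.sh localhost:993 localhost:443 localhost:636 localhost:143/imap
if [ $# -gt 0 ]; then
    status=0
    for spec in "$@"; do
        tls_check "$spec" || status=1
    done
    [ "$status" -eq 0 ] && echo "all checks passed" || echo "some checks FAILED" >&2
fi
```

A verified return code only proves the chain; s_client does not compare the wildcard name against the host you connected to unless you add `-verify_hostname`. For the ldaps port keep in mind that the ldapmodify above turns on nsSSL3 and lists RC4 and 40-bit ciphers in nsSSL3Ciphers; s_client's `-cipher` option lets you confirm what the server is still willing to negotiate.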

-- Have fun Daniel
