
Resolved
0 votes
We need to get the new server we deployed to have a trusted CA Cert in the next month.

I am currently looking at this guide:

http://www.clearcenter.com/support/documentation/user_guide/certificate_manager

This seems reasonable; however, I am just wondering about my Zarafa certificates that I've made. Do I need to re-create these certificates, or can I import them? If so, how?
Monday, January 28 2013, 12:39 PM
Responses (21)
  • Accepted Answer

    Thursday, August 28 2014, 04:34 PM - #Permalink
    Resolved
    0 votes
    Just had a quick read; it seems to update certs for e-mail and TLS, but I'm unsure what those certs are used for in ClearOS.
  • Accepted Answer

    Ray Ven
    Friday, August 15 2014, 06:22 PM - #Permalink
    Resolved
    0 votes
    Thank you very much, yes this helped a lot!
    Did you look into /etc/pki/ca-trust/? There are a few READMEs ... looks promising to me. What do you think?

    Ray
  • Accepted Answer

    Thursday, August 14 2014, 10:55 AM - #Permalink
    Resolved
    0 votes
    After a lot of testing and researching, I've been able to get the following done:

    * Get webconfig to use SSL certificates
    * Get httpd to use SSL certificates (This includes webapp/webaccess)
    * Get zarafa to use SSL certificates (Outlook zarafa, gateway for imap & iCal)
    * Get postfix to use SSL certificates for SMTP secure

    Below is what I did (this assumes you already have the crt file and key).


    Apache

    Once they give you the new csr, do the following:


    cp /location/of/domain.crt /etc/pki/tls/certs/domain.crt
    mv /location/of/domain.key /etc/pki/tls/certs/domain.key


    We then need to edit the ssl.conf file in httpd

    vi /etc/httpd/conf.d/ssl.conf

    SSLCertificateFile /etc/pki/tls/certs/domain.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/domain.key


    Then

    service httpd restart


    ClearOS Webconfig


    We need to edit a file in clearos.

    vi /usr/clearos/sandbox/httpd/conf.d/framework.conf
    SSLCertificateFile /etc/pki/tls/certs/domain.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/domain.key

    Restart clearos webconfig

    service webconfig restart

    Zarafa Secure


    First we need to convert the files into a PEM and then move it into Zarafa:

    # write the combined PEM next to the crt so the mv below finds it
    cat /etc/pki/tls/certs/domain.crt /etc/pki/tls/certs/domain.key > /etc/pki/tls/certs/domain.pem
    mv /etc/pki/tls/certs/domain.pem /etc/zarafa/ssl/
    cp -a /etc/pki/tls/certs/domain.crt /etc/zarafa/ssl


    Now we make changes to ical/server/gateway:

    vi /etc/zarafa/server.cfg
    # Listen for SSL connections on this port
    server_ssl_port = 237

    # Required Server certificate, contains the certificate and the private key parts

    server_ssl_key_file = /etc/zarafa/ssl/domain.pem

    # Password of Server certificate
    server_ssl_key_pass =

    # Required Certificate Authority of server
    server_ssl_ca_file = /etc/zarafa/ssl/domain.crt

    # Path with CA certificates, e.g. /etc/ssl/certs
    server_ssl_ca_path = /etc/zarafa/ssl/

    # Accept SSLv2 only connections. Normally v3 connections are used.
    server_ssl_enable_v2 = no

    # Path of SSL Public keys of clients
    sslkeys_path = /etc/zarafa/sslkeys

    Then restart service

    service zarafa-server restart


    Now gateway

    vi /etc/zarafa/gateway.cfg

    # File with RSA key for SSL
    ssl_private_key_file = /etc/zarafa/ssl/domain.pem

    #File with certificate for SSL
    ssl_certificate_file = /etc/zarafa/ssl/domain.crt


    Finally ical

    vi /etc/zarafa/ical.cfg
    # ICAL SSL SETTINGS FOR INCOMING CONNECTIONS

    # File with RSA key for SSL
    ssl_private_key_file = /etc/zarafa/ssl/domain.pem

    # File with certificate for SSL
    ssl_certificate_file = /etc/zarafa/ssl/domain.crt


    Restart both services

    service zarafa-gateway restart
    service zarafa-ical restart

    Be sure to enable secure IMAP and secure iCal in gateway.cfg and ical.cfg.



    Postfix


    Very simple changeover for this:

    vi /etc/postfix/main.cf
    smtpd_use_tls = yes
    smtpd_tls_cert_file = /etc/pki/tls/certs/domain.crt
    smtpd_tls_key_file = /etc/pki/tls/certs/domain.key
    smtpd_tls_loglevel = 2

    Restart postfix

    service postfix restart

    When a client is connecting via Outlook/Thunderbird for SMTP, it's SSL, not TLS, and port 465.

    I hope this helps everybody who's trying to set up signed SSL certificates on ClearOS in the interim before 7.0 (hopefully it'll be on there).
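    A consistency check for the switch-over described above, added here as an example and not code from the thread or from ClearOS: it reads the six config files the post edits, confirms each certificate and key directive names a file that exists, and verifies that every service ends up serving the same certificate (a service left on the old self-signed file is the usual reason a scanner keeps complaining). Paths and directive names are the ones in the post; the file contents are a constructed sample.

```python
import hashlib
import re

# Per service, as in the post: config file, directive syntax, directive naming the certificate
# file, directive naming the key file (zarafa-server uses one combined PEM for both).
SERVICES = {
    "httpd": ("/etc/httpd/conf.d/ssl.conf", "apache", "SSLCertificateFile", "SSLCertificateKeyFile"),
    "webconfig": ("/usr/clearos/sandbox/httpd/conf.d/framework.conf", "apache", "SSLCertificateFile", "SSLCertificateKeyFile"),
    "zarafa-server": ("/etc/zarafa/server.cfg", "kv", "server_ssl_key_file", "server_ssl_key_file"),
    "zarafa-gateway": ("/etc/zarafa/gateway.cfg", "kv", "ssl_certificate_file", "ssl_private_key_file"),
    "zarafa-ical": ("/etc/zarafa/ical.cfg", "kv", "ssl_certificate_file", "ssl_private_key_file"),
    "postfix": ("/etc/postfix/main.cf", "kv", "smtpd_tls_cert_file", "smtpd_tls_key_file"),
}
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def directive_value(text, style, name):
    """Last uncommented value of a directive ('Key value' or 'key = value'), or None."""
    sep = r"\s+" if style == "apache" else r"\s*=\s*"
    hits = re.findall(r"^\s*" + re.escape(name) + sep + r"(\S+)", text, re.M)
    return hits[-1] if hits else None

def audit(files):
    """files: path -> contents of the configs and PEM files. Empty result = consistent."""
    findings, cert_ids = [], {}
    for svc, (cfg, style, cert_name, key_name) in SERVICES.items():
        paths = {n: directive_value(files.get(cfg, ""), style, n) for n in (cert_name, key_name)}
        for name, path in paths.items():
            if path is None:
                findings.append(f"{svc}: {name} not set in {cfg}")
            elif path not in files:
                findings.append(f"{svc}: {name} names missing file {path}")
        # Identify the served certificate by a digest of its PEM block, so that a plain
        # .crt and a combined .pem holding the same certificate compare equal.
        m = CERT_RE.search(files.get(paths[cert_name] or "", ""))
        if m:
            cert_ids[svc] = hashlib.sha256(m.group(0).encode()).hexdigest()[:12]
    if len(set(cert_ids.values())) > 1:
        findings.append(f"services serve different certificates: {cert_ids}")
    return findings

# Constructed sample: every service on the new CA-signed cert except postfix, which still
# names the old self-signed file, a realistic leftover after a partial switch-over.
NEW = "-----BEGIN CERTIFICATE-----\nNEWCERT\n-----END CERTIFICATE-----\n"
OLD = "-----BEGIN CERTIFICATE-----\nOLDCERT\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nKEYDATA\n-----END RSA PRIVATE KEY-----\n"
APACHE = "SSLCertificateFile /etc/pki/tls/certs/domain.crt\nSSLCertificateKeyFile /etc/pki/tls/certs/domain.key\n"
ZARAFA = "ssl_private_key_file = /etc/zarafa/ssl/domain.pem\nssl_certificate_file = /etc/zarafa/ssl/domain.crt\n"
SAMPLE = {
    "/etc/pki/tls/certs/domain.crt": NEW, "/etc/pki/tls/certs/domain.key": KEY,
    "/etc/zarafa/ssl/domain.crt": NEW, "/etc/zarafa/ssl/domain.pem": NEW + KEY,
    "/etc/pki/tls/certs/localhost.crt": OLD,
    "/etc/httpd/conf.d/ssl.conf": APACHE, "/usr/clearos/sandbox/httpd/conf.d/framework.conf": APACHE,
    "/etc/zarafa/server.cfg": "# Required Server certificate\nserver_ssl_key_file = /etc/zarafa/ssl/domain.pem\n",
    "/etc/zarafa/gateway.cfg": ZARAFA, "/etc/zarafa/ical.cfg": ZARAFA,
    "/etc/postfix/main.cf": "smtpd_tls_cert_file = /etc/pki/tls/certs/localhost.crt\nsmtpd_tls_key_file = /etc/pki/tls/certs/domain.key\n",
}
```

    To run it against a live box, build the dict by reading each path in SERVICES plus the files those directives name. The combined domain.pem carries the private key, so give it the same restrictive permissions as domain.key.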
  • Accepted Answer

    Friday, August 08 2014, 03:20 PM - #Permalink
    Resolved
    0 votes
    I've got Apache to use SSL certificates on ClearOS now, using some tutorials on the web.

    Only need to do the following now

    * Get zarafa to use SSL certificates from CA
    * ClearOS to use CA (ideal but not required)

    It's weird, because I've looked at /usr/clearos/sandbox/etc/httpd.conf.d/ssl.conf and nothing points to self-signed certificates, so where does the ClearOS webconfig get its generated certificates from, so I can set it to use CA certs?
  • Accepted Answer

    Friday, August 08 2014, 06:36 AM - #Permalink
    Resolved
    0 votes
    Peter,
    Thanks for adding this to the ticket. Do you know of any guides that could help me do this now? Is it similar to adding certificates to CentOS/RHEL, in that sense, so I can Google it and add them?
  • Accepted Answer

    Thursday, August 07 2014, 04:38 PM - #Permalink
    Resolved
    0 votes
    Hi James,

    Yes, this topic should be more of a priority! I have added the issue in the tracker:

    http://tracker.clearfoundation.com/view.php?id=1891

    The target version is ClearOS 7.0.0, but that's more of a wish than a promise.
  • Accepted Answer

    Thursday, August 07 2014, 09:07 AM - #Permalink
    Resolved
    0 votes
    I didn't want to bump this up, but would rather do this than create a new thread.

    It's becoming more important now that we start having signed SSL certificates. Is there an easy way on ClearOS 6 to install a trusted signed CA cert, or at least a how-to on how to do this?
  • Accepted Answer

    Tuesday, February 26 2013, 07:51 PM - #Permalink
    Resolved
    0 votes
    A "yum --enablerepo" kind of thing...
  • Accepted Answer

    Tuesday, February 26 2013, 07:07 PM - #Permalink
    Resolved
    0 votes
    When you say manual, will it at least be in the repository, or do we have to grab files and update?
  • Accepted Answer

    Tuesday, February 26 2013, 06:57 PM - #Permalink
    Resolved
    0 votes
    We'll be supporting a manual upgrade to 7.1.x for now. There are some potential upgrade gotchas going from 7.0.x to 7.1.x, so automatic updating is not possible.
  • Accepted Answer

    Tuesday, February 26 2013, 03:21 PM - #Permalink
    Resolved
    0 votes
    Thanks Peter; looks like we'll wait for 6.4 to come out, and when Zarafa gets updated it should be ready to go, I guess. Will you be updating to the latest Zarafa 7.1.x?

    They are on an SMB license from Zarafa from back in the days of 5.2, before you had it, so we have to go to them regarding that, but I'll wait to raise a ticket with them until after you guys upgrade Zarafa.

    Thanks for the TLS Postfix tips. I'll try and look into the normal port 25 authentication; I'm sure there should be some easy way of taking away plain authentication anyway, or just disabling it and making users use 465 instead.

    *edit*

    It seems you posted much faster than I can! Thanks for making that ticket; I'll update and let you know how I get on. Just to clarify: with signed certificates, when we get them, we can't do that in the web interface; that has to be done via the terminal?
  • Accepted Answer

    Tuesday, February 26 2013, 03:19 PM - #Permalink
    Resolved
    0 votes
    It would be a good idea to have weak ciphers disabled by default. That feature request is now in the tracker.
  • Accepted Answer

    Tuesday, February 26 2013, 03:15 PM - #Permalink
    Resolved
    0 votes

    * they are complaining about port 993 not being secure enough
    * zarafa port 237 being not secure enough (will raise a ticket with zarafa support)

    This looks relevant :-)
    https://jira.zarafa.com/browse/ZCP-11212

    If you have purchased Zarafa Small Business / Professional through ClearCenter, please raise the ticket with ClearCenter support first. We'll escalate it if necessary.

    * smtp authentication (will look into this)

    The following "Server-side cipher controls" for Postfix looks good:
    http://www.postfix.org/TLS_README.html#server_cipher
  • Accepted Answer

    Tuesday, February 26 2013, 12:54 PM - #Permalink
    Resolved
    0 votes
    Just got some results back from the latest security matrix.

    Thanks to your Apache edit, I was able to get them to stop complaining about it, so thanks a lot, Peter.

    Three main issues now:

    * they are complaining about port 993 not being secure enough
    * smtp authentication (will look into this)
    * zarafa port 237 being not secure enough (will raise a ticket with zarafa support)

    Maybe you can shed some light on the 993? Description:

    Title: SSL server accepts weak ciphers. Impact: A remote attacker with the ability to sniff network traffic could decrypt an encrypted session. Resolution: For Apache mod_ssl web servers, use the [http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite] SSLCipherSuite directive in the configuration file to specify strong ciphers only and disable SSLv2. For Microsoft IIS web servers, disable SSLv2 and any weak ciphers as described in Microsoft knowledge base articles [http://support.microsoft.com/kb/187498] 187498 and [http://support.microsoft.com/kb/245030] 245030. For other types of web servers, consult the web server documentation. Risk Factor: Medium / CVSS2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
  • Accepted Answer

    Friday, February 01 2013, 06:26 PM - #Permalink
    Resolved
    0 votes
    That's Postfix. I'm sure there's a way to remove the "PLAIN/LOGIN" methods, but I don't know how off the top of my head.
  • Accepted Answer

    Wednesday, January 30 2013, 03:14 PM - #Permalink
    Resolved
    0 votes
    Unfortunately not; it's asking that it be updated to specified versions.

    We have taken the flag off Apache, so that shouldn't be a problem. However, it is complaining about SMTP allowing logins using clear text and not encryption.

    Is that something we can change with ClearOS/Postfix, or is that a Zarafa issue?

    More detailed information:

    Description: SMTP Service Cleartext Login Permitted. Synopsis: The remote mail server allows cleartext logins. Impact: The remote host is running an SMTP server that advertises that it allows cleartext logins over unencrypted connections. An attacker may be able to uncover user names and passwords by sniffing traffic to the server if a less secure authentication mechanism (i.e. LOGIN or PLAIN) is used. See also: http://tools.ietf.org/html/rfc4422 http://tools.ietf.org/html/rfc4954 Data Received: The SMTP server advertises the following SASL methods over an unencrypted channel: All supported methods: PLAIN, LOGIN. Cleartext methods: PLAIN, LOGIN. Resolution: Configure the service to support less secure authentication mechanisms only over an encrypted channel. Risk Factor: Medium / CVSS2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
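    Two checks for the finding quoted above, added here as an example that is not from the thread or from ClearOS: one parses an EHLO reply and reports whether PLAIN/LOGIN are announced before the session is encrypted (what the scanner's "Data Received" block shows), the other audits a main.cf for the Postfix parameter that stops that announcement, smtpd_tls_auth_only, which is documented in the Postfix TLS_README linked later in this thread. The EHLO reply and the main.cf fragments are constructed samples.

```python
import re

def advertised_auth(ehlo_reply):
    """SASL mechanisms offered in an EHLO reply ('250-AUTH PLAIN LOGIN' lines);
    also accepts the legacy '250-AUTH=PLAIN LOGIN' form some servers emit."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.+)$", line.strip(), re.I)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def cleartext_login_permitted(ehlo_reply, tls_active=False):
    """True when PLAIN or LOGIN is offered on a session that is not yet encrypted,
    which is what the scanner's "Data Received" block above reports."""
    return not tls_active and bool(advertised_auth(ehlo_reply) & {"PLAIN", "LOGIN"})

def main_cf_value(text, key):
    """Last value of a main.cf parameter, or None if it is not set."""
    hits = re.findall(r"^\s*" + re.escape(key) + r"\s*=\s*(\S*)", text, re.M)
    return hits[-1] if hits else None

def audit_main_cf(text):
    """Findings for a Postfix main.cf against the cleartext-login finding."""
    findings = []
    # smtpd_tls_security_level (Postfix 2.3+) takes precedence over the older smtpd_use_tls
    level = main_cf_value(text, "smtpd_tls_security_level") or (
        "may" if main_cf_value(text, "smtpd_use_tls") == "yes" else "none")
    if level == "none":
        findings.append("STARTTLS not offered: set smtpd_use_tls = yes")
    if main_cf_value(text, "smtpd_tls_auth_only") != "yes":
        findings.append("AUTH announced before STARTTLS: set smtpd_tls_auth_only = yes")
    return findings

# Constructed EHLO reply matching the scanner's "Data Received" (nothing encrypted yet).
EHLO_BEFORE_TLS = "250-mail.example.test\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME\n"
# main.cf TLS lines as posted in the thread (still announces AUTH in clear) and the fix.
MAIN_CF_WEAK = "smtpd_use_tls = yes\nsmtpd_tls_cert_file = /etc/pki/tls/certs/domain.crt\n"
MAIN_CF_FIXED = MAIN_CF_WEAK + "smtpd_tls_auth_only = yes\n"
```

    Port 465 (SMTPS wrapper mode, as the how-to above uses for Outlook/Thunderbird) is encrypted from the first byte, so AUTH keeps working there after the change; on port 25 clients must issue STARTTLS before AUTH.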
  • Accepted Answer

    Wednesday, January 30 2013, 12:39 AM - #Permalink
    Resolved
    0 votes
    With the upstream updates, would it only stop updates for httpd in the future, or mostly everything? If it's mostly everything, I will have to tell them it's a no-go.

    It will very likely only impact the httpd and mod_ssl updates (mod_ssl is part of the httpd source code).

    Here are a couple of changes that you can make that might prevent the scanner from doing version detection. You can hide the version information coming from Apache by changing the ServerTokens parameter in /etc/httpd/conf/httpd.conf:

    ServerTokens Prod

    Similarly for PHP, the expose_php parameter should be changed in /etc/php.ini:

    expose_php = Off

    Restart the web server after making the changes:

    # service httpd restart

    A web page request will no longer get presented with version information:


    Default HTTP header:

    HTTP/1.1 200 OK
    Date: Wed, 30 Jan 2013 00:32:56 GMT
    Server: Apache/2.2.15 (ClearOS Core)
    X-Powered-By: PHP/5.3.3
    Content-Length: 5
    Connection: close
    Content-Type: text/html; charset=UTF-8

    Version-stripped HTTP header:

    HTTP/1.1 200 OK
    Date: Wed, 30 Jan 2013 00:35:54 GMT
    Server: Apache
    Content-Length: 5
    Connection: close
    Content-Type: text/html; charset=UTF-8


    By the way, both of these configuration changes are defaults for the webconfig engine so no changes are required on that front. Though we want to be as close to upstream as possible, I think I'll update the Web Server app so that these two changes are made by default on install.

    The scan is for every open port on the router; it scans what service is running, and if the service is too old it needs to be updated, or if there are fixes they need to be patched.


    If the scanning company is just asking for verification that the software is patched, then that can be verified by matching the version available in the upstream errata @ https://rhn.redhat.com/errata/rhel-server-6-errata.html The last httpd update is version 2.2.15 -- the details are here.
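    A check that automates the before/after comparison shown in the reply above, added here as an example and not code from the thread or from ClearOS: it parses a raw HTTP response head, infers which Apache ServerTokens level produced the Server header, and maps each leaking header to the httpd.conf or php.ini change from the reply. The two response heads are the ones quoted above.

```python
import re

def parse_head(raw):
    """Status line plus headers (names lower-cased) from a raw HTTP response head."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def server_tokens_level(server):
    """Infer the effective Apache ServerTokens level from a Server header value:
    'Apache' -> Prod, 'Apache/2' -> Major, 'Apache/2.2' -> Minor, 'Apache/2.2.15' -> Minimal,
    with an '(OS)' suffix -> OS, with module tokens after that -> Full."""
    m = re.match(r"^([^/\s]+)(?:/(\d+(?:\.\d+)*))?(\s*\(.*?\))?(.*)$", server.strip())
    if not m:
        return None
    name, ver, os_info, rest = m.groups()
    if ver is None:
        return "Prod"
    if os_info is None:
        return {1: "Major", 2: "Minor"}.get(ver.count(".") + 1, "Minimal")
    return "Full" if rest.strip() else "OS"

def version_disclosures(raw):
    """Map each leaking header to the configuration change from the reply above."""
    _, h = parse_head(raw)
    findings = {}
    if "server" in h and server_tokens_level(h["server"]) != "Prod":
        findings["Server"] = "ServerTokens Prod in /etc/httpd/conf/httpd.conf"
    if "x-powered-by" in h:
        findings["X-Powered-By"] = "expose_php = Off in /etc/php.ini"
    return findings

# The two response heads quoted in the reply above, before and after the change.
DEFAULT_HEAD = """HTTP/1.1 200 OK
Date: Wed, 30 Jan 2013 00:32:56 GMT
Server: Apache/2.2.15 (ClearOS Core)
X-Powered-By: PHP/5.3.3
Content-Length: 5
Connection: close
Content-Type: text/html; charset=UTF-8
"""
STRIPPED_HEAD = """HTTP/1.1 200 OK
Date: Wed, 30 Jan 2013 00:35:54 GMT
Server: Apache
Content-Length: 5
Connection: close
Content-Type: text/html; charset=UTF-8
"""
```

    Hiding the banner only defeats version-string matching; as the reply notes, whether the package is actually patched is settled by the upstream errata, not by the header.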
  • Accepted Answer

    Tuesday, January 29 2013, 05:29 PM - #Permalink
    Resolved
    0 votes
    I too am not really a fan of these security scans; the amount of work we tried to do to get SSH, SSL etc. upgraded on 5.2, because it was too old for them, broke our test VM, which was a bit annoying.

    You are probably right about port 81; I just find it convenient without tunneling the port via SSH, but that's the lazy side in me, so I think for the best I will just disable it.

    I'm not a fan of upgrading Apache outside of the yum repo either; I find it a bit absurd, but my client's hands are tied due to them needing this to keep using the system :(.

    With the upstream updates, would it only stop updates for httpd in the future, or mostly everything? If it's mostly everything, I will have to tell them it's a no-go.

    *edit*

    The scan is for every open port on the router; it scans what service is running, and if the service is too old it needs to be updated, or if there are fixes they need to be patched.
  • Accepted Answer

    Tuesday, January 29 2013, 05:19 PM - #Permalink
    Resolved
    0 votes
    I'm assuming this scan was for the main web server and not webconfig (port 81)? For webconfig scans, I recommend disabling access at the firewall and either:

    - Using VPN to access webconfig, or
    - Adding custom firewall rules for restricting webconfig access to particular static IP addresses

    along with apache being to old

    These security scans are becoming more and more problematic :angry: The concept of backporting seems to be missing in most of these scans, even though it's super important for enterprises. It would be a shame to go through the trouble of "upgrading" just to pass a somewhat flawed security test. In many ways, the upgrade will make the system less secure, since all the upstream security updates will no longer function.

    It's tempting to provide a custom patch for Apache to fake out these scans. Lame, but I don't see a way past the backporting issue. Hmmmm.
  • Accepted Answer

    Tuesday, January 29 2013, 04:26 PM - #Permalink
    Resolved
    0 votes
    Hi peter,
    Thanks for your reply. It's actually both: my client upgraded to 6.3, as they have to comply with a security matrix scan and 5.2 was using some old tech; although upgraded, it's complaining about self-signed certificates along with Apache being too old (I can upgrade that manually, so it's not too bad).

    If you have some type of how-tos that you might think of that could help towards setting this up, that would be great.
  • Accepted Answer

    Tuesday, January 29 2013, 04:19 PM - #Permalink
    Resolved
    0 votes
    Hi James,

    That User Guide doc was old and is now more up-to-date (still needs work). In ClearOS 6, the Certificate Manager is used by OpenVPN and Webconfig. There are no other hooks to other systems (including Zarafa) yet. All the changes generated by this app happen in /etc/pki/CA -- that's where you will find:

    - The Certificate Authority
    - The default System Certificate (used by Webconfig, but potentially other apps)
    - User certificates

    Are you implementing an HTTPS site? Or are you implementing a 3rd party CA for Zarafa mail?