==OBJECTIVE & PREPARATION==
{{Admon/important|Prerequisites|This lab depends on changes made in several previous labs. You must have successfully completed labs 3, 4a, 4b, 5, and 6 in order to be able to do this lab.}}
Below is the same diagram that we referred to in the previous two email labs:
* [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix Create a self signed SSL key for Postfix]
* [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration]
== INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE ==
Normally (in production), you would pay a "certificate authority" (CA) to issue a '''certificate''' for you. That is essentially '''a "signed" public key''' that tells strangers on the Internet that your server really is yours (i.e. the certificate authority says so). There is an obvious problem with the previous statement, but that is mainly how public key encryption works on the Internet today.
'''Perform the following steps:'''
#Let's start with the "sending" SMTP server we have '''on VM2'''. Run the following, replacing <u>andrewsmith.orgops</u> with '''<u>your</u> domain name''':
<source lang="bash">mkdir -p /root/postfix-keys /etc/ssl/{private,certs}
cd /root/postfix-keys
openssl genrsa -des3 -out vm2.andrewsmith.orgops.key 2048
chmod 600 vm2.andrewsmith.orgops.key
openssl req -new -key vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.csr
openssl x509 -req -days 365 -in vm2.andrewsmith.orgops.csr -signkey vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.crt
openssl rsa -in vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.key.nopass
mv vm2.andrewsmith.orgops.key.nopass vm2.andrewsmith.orgops.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm2.andrewsmith.orgops.key cakey.pem
cp vm2.andrewsmith.orgops.key cakey.pem /etc/ssl/private
cp vm2.andrewsmith.orgops.crt cacert.pem /etc/ssl/certs</source>
::'''NOTE:''' Those commands will create a certificate, a certificate signing request, a certificate authority, and sign your certificate with your certificate authority.<br>This would be the same as in the real world, except that there you would contact a real CA; here you're making up your own.
<ol><li value="2">Add the following settings to '''/etc/postfix/main.cf''' on VM2 (again replacing <u>andrewsmith.orgops</u> with your domain name):</li></ol>
<source lang="bash">smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/vm2.andrewsmith.orgops.key
smtpd_tls_cert_file = /etc/ssl/certs/vm2.andrewsmith.orgops.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom</source>
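The following script is an added example for this investigation; it is not part of the lab page. It builds the same key / CSR / certificate / private CA set as the commands above, but non-interactively (<code>-subj</code> instead of prompts, no passphrase on the CA key), and then checks the two things a practitioner wants to know before pointing '''smtpd_tls_key_file''' and '''smtpd_tls_cert_file''' at the files: whether a certificate is self-signed or issued by the CA, and whether the key file really belongs to the certificate file. One caveat it makes visible: the lab's <code>openssl x509 -req ... -signkey</code> step produces a certificate signed by its own key, so <code>cacert.pem</code> does not actually vouch for it; the script also issues the same CSR with <code>-CA/-CAkey</code> to show the variant that <code>openssl verify -CAfile cacert.pem</code> accepts. Host names, subjects and the output directory are made up for the demonstration; it needs only the <code>openssl</code> command.

```shell
#!/bin/sh
# Added example for this lab (not part of the original page): build the same
# key / CSR / certificate / private CA set as the lab, non-interactively, then
# check the two things that most often go wrong with the Postfix TLS settings:
# whether a certificate is self-signed or issued by the CA, and whether the
# key file really belongs to the certificate file. Host names, subjects and
# the output directory are made up for the demonstration.
set -eu

# make_certs OUTDIR FQDN
# Writes FQDN.key, FQDN.csr, FQDN.crt (self-signed, as in the lab), cakey.pem
# and cacert.pem (a private CA), and FQDN.ca-signed.crt (the same CSR issued
# by that CA) into OUTDIR.
make_certs() {
    outdir=$1; fqdn=$2
    mkdir -p "$outdir"
    # Minimal openssl config: an empty DN section (we pass -subj instead of
    # answering prompts) and the CA extension for the private CA.
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' \
        > "$outdir/lab.cnf"
    # Unencrypted key from the start: the lab's genrsa -des3 followed by
    # "openssl rsa" ends with an unencrypted key too, since a daemon cannot
    # type a passphrase at boot.
    openssl genrsa -out "$outdir/$fqdn.key" 2048 2>/dev/null
    chmod 600 "$outdir/$fqdn.key"
    # The CN must be the host name clients connect to, or they reject the cert.
    openssl req -new -config "$outdir/lab.cnf" -key "$outdir/$fqdn.key" \
        -subj "/CN=$fqdn" -out "$outdir/$fqdn.csr"
    # -signkey signs the certificate with its own key: a self-signed certificate.
    openssl x509 -req -days 365 -in "$outdir/$fqdn.csr" \
        -signkey "$outdir/$fqdn.key" -out "$outdir/$fqdn.crt" 2>/dev/null
    # Private CA (-nodes: no passphrase on cakey.pem, acceptable only for a demo).
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -config "$outdir/lab.cnf" -extensions v3_ca -subj "/CN=Lab private CA" \
        -keyout "$outdir/cakey.pem" -out "$outdir/cacert.pem" 2>/dev/null
    chmod 600 "$outdir/cakey.pem"
    # The same CSR issued by the CA: only this variant is accepted by a client
    # that has been told to trust cacert.pem.
    openssl x509 -req -days 365 -in "$outdir/$fqdn.csr" \
        -CA "$outdir/cacert.pem" -CAkey "$outdir/cakey.pem" -CAcreateserial \
        -out "$outdir/$fqdn.ca-signed.crt" 2>/dev/null
}

# is_self_signed CERT -> 0 when subject and issuer are the same name
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# verifies_against_ca CERT CACERT -> 0 when CACERT vouches for CERT
# (checks the printed "OK" rather than the exit code, which old releases got wrong)
verifies_against_ca() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# key_matches_cert KEY CERT -> 0 when KEY is the private half of CERT's key.
# smtpd_tls_key_file and smtpd_tls_cert_file must name such a pair; with a
# mismatch Postfix logs an error at startup and disables TLS support.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
      "$(openssl x509 -noout -modulus -in "$2")" ]
}

# Usage: sh mkcerts.sh OUTDIR FQDN   (e.g. sh mkcerts.sh /tmp/certs vm2.example.test)
if [ "$#" -eq 2 ]; then
    make_certs "$1" "$2"
    for c in "$2.crt" "$2.ca-signed.crt"; do
        if is_self_signed "$1/$c"; then echo "$c: self-signed"; else echo "$c: issued by the CA"; fi
        if verifies_against_ca "$1/$c" "$1/cacert.pem"; then echo "$c: verifies against cacert.pem"
        else echo "$c: does NOT verify against cacert.pem"; fi
        if key_matches_cert "$1/$2.key" "$1/$c"; then echo "$c: matches $2.key"; else echo "$c: key mismatch"; fi
    done
fi
```

Running it with an output directory and a host name prints one line per check for both certificates: the lab-style <code>.crt</code> is self-signed and does not verify against <code>cacert.pem</code>, the <code>.ca-signed.crt</code> does, and both match the same key. The <code>key_matches_cert</code> check is the one to run whenever Postfix refuses to offer STARTTLS after a configuration change.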
'''Perform the following steps:'''
#Currently your Thunderbird is set up to use '''vm2.yoursenecaid.orgops''' for an SMTP server, with <u>no</u> security. Change that to use '''STARTTLS''' instead (you can change it under '''Account Settings --> Outgoing Server''').
#We haven't set up any user authentication, just an encrypted channel; therefore, leave the '''authentication method''' at the value: '''none'''.
#When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:
'''Perform the following steps:'''
# Let's start by generating a new certificate for Dovecot '''on your vm3''' machine by issuing the following commands:
<source lang="bash">mkdir /etc/ssl/{private,certs}
openssl genrsa -des3 -out vm3.andrewsmith.orgops.key 2048
chmod 600 vm3.andrewsmith.orgops.key
openssl req -new -key vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.csr
openssl x509 -req -days 365 -in vm3.andrewsmith.orgops.csr -signkey vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.crt
openssl rsa -in vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.key.nopass
mv vm3.andrewsmith.orgops.key.nopass vm3.andrewsmith.orgops.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm3.andrewsmith.orgops.key cakey.pem
cp vm3.andrewsmith.orgops.key cakey.pem /etc/ssl/private
cp vm3.andrewsmith.orgops.crt cacert.pem /etc/ssl/certs</source>
::'''NOTE:''' This process is identical to what you've done for the vm2 certificate. In fact, if your IMAP and SMTP servers are on the same machine you can share the certificate between them. In our case, they are not on the same machine.
<ol><li value="2">Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the '''10-auth.conf''', <u>and</u> '''10-ssl.conf''' files and change the following settings (note: these parameters already exist in those files, just find them and set them to the correct value):</li></ol>
<source lang="bash">ssl = required
ssl_cert = <path_to_your_crt_file
ssl_key = <path_to_your_key_file
disable_plaintext_auth = yes
</source>
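To check that those three settings ended up with safe values, here is an added audit script; it is not part of the lab page, and the two configuration fragments it runs on are constructed for the demonstration (the file paths and host names in them are made up). In Dovecot's syntax the <code><</code> in front of a path means "read the value from this file", so the script also checks that '''ssl_cert''' and '''ssl_key''' use it.

```shell
#!/bin/sh
# Added example (not part of the lab page): a small audit of the three Dovecot
# settings the lab changes, run against two configuration fragments that are
# constructed here for the demonstration (a permissive one and the hardened one).
set -eu

# conf_value FILE KEY -> prints the value of the last uncommented "KEY = value"
# line in FILE (Dovecot takes the last definition), or nothing if KEY is unset
conf_value() {
    sed 's/#.*//' "$1" | awk -v k="$2" -F'=' '
        NF >= 2 {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key == k) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        }
        END { printf "%s", val }'
}

# audit_dovecot_ssl FILE -> 0 when every setting is hardened, 1 otherwise;
# prints one line per setting explaining why it passes or fails
audit_dovecot_ssl() {
    rc=0
    ssl=$(conf_value "$1" ssl)
    plain=$(conf_value "$1" disable_plaintext_auth)
    cert=$(conf_value "$1" ssl_cert)
    key=$(conf_value "$1" ssl_key)
    case "$ssl" in
        required) echo "ok:   ssl = required (connections without TLS are refused)" ;;
        *) echo "weak: ssl = '${ssl:-unset}' still allows unencrypted IMAP; set ssl = required"; rc=1 ;;
    esac
    if [ "$plain" = yes ]; then
        echo "ok:   disable_plaintext_auth = yes"
    else
        echo "weak: disable_plaintext_auth = '${plain:-unset}' lets passwords cross the network in clear"; rc=1
    fi
    # Dovecot reads the file named after '<'; a bare path is an error, not a file
    for item in "ssl_cert=$cert" "ssl_key=$key"; do
        name=${item%%=*}; value=${item#*=}
        case "$value" in
            "<"?*) echo "ok:   $name reads ${value#<}" ;;
            *) echo "weak: $name must be '<' followed by a file path, got '${value:-unset}'"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on constructed fragments; paths and host names are made up
tmp=$(mktemp -d)
cat > "$tmp/permissive.conf" <<'EOF'
# Settings as they might look before the lab: TLS optional, clear-text logins allowed
ssl = yes
ssl_cert = </etc/ssl/certs/old-dovecot.pem
ssl_key = </etc/ssl/private/old-dovecot.pem
disable_plaintext_auth = no
EOF
cat > "$tmp/hardened.conf" <<'EOF'
ssl = required
ssl_cert = </etc/ssl/certs/vm3.example.test.crt
ssl_key = </etc/ssl/private/vm3.example.test.key
disable_plaintext_auth = yes
EOF
for f in permissive hardened; do
    echo "== $f.conf"
    audit_dovecot_ssl "$tmp/$f.conf" && echo "result: hardened" || echo "result: NOT hardened"
done
rm -rf "$tmp"
```

Run it as-is to see the permissive fragment fail on <code>ssl = yes</code> and <code>disable_plaintext_auth = no</code> while the hardened one passes; to audit a real server, call <code>audit_dovecot_ssl</code> on the output of <code>doveconf</code> saved to a file, since that shows the merged values Dovecot actually uses rather than one fragment.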
'''Record steps, commands, and your observations on this investigation in your OPS335 lab log-book'''
== INVESTIGATION 2: INSTALL, CONFIGURE & RUN WEBMAIL APPLICATION (Roundcube Mail) TO USE ENCRYPTION ==
In this investigation, we will install, configure, and modify the '''roundcube''' webmail application to make use of the encrypted connections the email servers now provide, and to allow clients to connect to it using an encrypted connection ('''https''').
'''Perform the following steps on vm1:'''
::'''NOTE:''' This process is identical to what you've done for the other two certificates.
#Change the following settings in the Roundcube configuration so that it uses the encrypted connections your email servers now provide:
::* '''$config['smtp_server']'''
::* '''$config['default_host']'''
::* '''$config['default_port']'''
::'''NOTE:''' The last <u>two</u> entries above refer to your IMAP server.
#Install the '''mod_ssl''' package to allow Apache to use SSL.
#Add the following parameters to the Apache configuration file:
<source lang="apache">SSLEngine on
SSLCertificateFile "absolute_path_to_the_.crt_file"
SSLCertificateKeyFile "absolute_path_to_the_.key_file"</source>
{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump command, and you should use the Bash shell script that you were advised to create in order to back up all of your VMs.}}
==COMPLETING THE LAB==
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
::<span style="color:green;font-size:1.5em;">✓</span>Your webmail sending an email out
::<span style="color:green;font-size:1.5em;">✓</span>You receiving that mail on an external account
::<span style="color:green;font-size:1.5em;">✓</span>Download the labcheck8.bash checking bash shell script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck8.bash'''<br><br>Set execute permission and run the shell script on your '''c7host''' machine.
::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.
::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.
::<span style="color:green;font-size:1.5em;">✓</span>Completed Lab8 log-book notes.
==EXPLORATION QUESTIONS==