932
edits
Changes
m
*Perform a search on First, we will modify the roundcube application in order webserver to access use the website.encrypted connections the email servers are now providing<ol>*Either Download <li>Modify the roundcube configuration file so that the "zipped tarball" from their website from a direct link or use following parameters reflect the wget command to download directly from a download link (This part may take some effort depending encrypted settings on the Sourceforge website).mail servers:::*Extract the "zipped tarball" and rename the generated directory that contains download source code to: '''webmail$config['smtp_server']'''.::* Use the '''--no-same-owner$config['default_host']''' option when extracting the tar achive to ensure that the files do not keep the original owner (who will not exist on your system).::*Change the ownership of the '''temp$config['default_port']' and '''logs''' directories so they belong to apache.*This service needs to be able to write to several directories (:::'''tempNOTE:''' and '''logs''') that SELinux prevents write access The last <u>two</u> entries above refer to your IMAPS server</li><li>You may wish touse the configuration tool in your Roundcube installer after making those changes. If To do so, you are in a section that has SELinux set will need to add::* '''$config['enforcingenable_installer'] = true;''', run the following commands to let it know that apache should be allowed to write to files in those directoriesyour configuration file.<source lang="bash"/li>semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/temp(/.*)?'semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/logs(/.*)?'restorecon -v -R /var/www/html/webmail</sourceli>::*If your machine does not have the semage commandNext, use yum to install test if the policycoreutilsroundcube webmail application is working by sending and receiving e-python package.*In the directory now named "webmail", there will be a file named '''INSTALL''' which will walk you through the rest of the Roundcube installationmail messages.<br /li><br /ol>Some installation tips to consider:
::* Be careful about copying & pasting the MySQL setup part: take time and pay attention to detail: do not try to "rush it".
::* You will need to install additional Apache modules including: '''php-xml''' and '''php-mbstring'''.
::* Don't forget to set the password in the roundcube configuration.
*Note Now that both of your IMAP and SMTP the webmail application is using an encrypted connection when communicating with the email servers are on different machines (i, it is time to encrypt the client's connection to the web server.e. not on vm1). Therefore, # First you will need to set generate a new certificate for apache on your vm1 machine by issuing the following options for Roundcubecommands:<source>mkdir /etc/ssl/{private,certs}openssl genrsa -des3 -out vm1.andrewsmith.ops.key 2048chmod 600 vm1.andrewsmith.ops.keyopenssl req -new -key vm1.andrewsmith.ops.key -out vm1.andrewsmith.ops.csropenssl x509 -req -days 365 -in vm1.andrewsmith.ops.csr -signkey vm1.andrewsmith.ops.key -out vm1.andrewsmith.ops.crtopenssl rsa -in vm1.andrewsmith.ops.key -out vm1.andrewsmith.ops.key.nopassmv vm1.andrewsmith.ops.key.nopass vm1.andrewsmith.ops.keyopenssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650chmod 600 vm1.andrewsmith.ops.key cakey.pemcp vm1.andrewsmith.ops.key cakey.pem /etc/ssl/privatecp vm1.andrewsmith.ops.crt cacert.pem /etc/ssl/certs</source>
*You should be able #restart apache and modify your firewall to allow traffic to test the configuration in port 443.#Open a web-browser on your Roundcube installer after completing Step 3host and try to connect to https://vm1.<yourdomain>.ops/li><li>Try webmail::You should get a security exception similar to test if the roundcube webmail application is working by sending one's you saw with the email, and receiving efor the same reason (the site you are trying to contact has a self-mail messagessigned certificate). Add the exception and login to access your email.::Send an email to ensure everything is functioning properly.*
→Encryption Dovecot with Secure Socket layer (SSL): - fixing typo
==OBJECTIVE & PREPARATION==
{{Admon/important|Prerequistites|This lab depends on changes made in several previous labs. You must have successfully completed labs 3, 4a, 4b, and 5 6 in order to be able to do this lab.}}
Below is the same diagram that we referred to over the previous 2 email labs:
* [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix Create a self signed SSL key for Postfix]
* [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration]
== INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE ==
'''Perform the following steps:'''
#Let's start with the "sending" SMTP server we have on VM2. Run the following, replacing <u>andrewsmith.orgops</u> with '''<u>your</u> domain name''':
<source lang="bash">mkdir -p /root/postfix-keys /etc/ssl/{private,certs}
cd /root/postfix-keys
openssl genrsa -des3 -out vm2.andrewsmith.orgops.key 2048chmod 600 vm2.andrewsmith.orgops.keyopenssl req -new -key vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.csropenssl x509 -req -days 365 -in vm2.andrewsmith.orgops.csr -signkey vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.crtopenssl rsa -in vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.key.nopassmv vm2.andrewsmith.orgops.key.nopass vm2.andrewsmith.orgops.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm2.andrewsmith.orgops.key cakey.pemcp vm2.andrewsmith.orgops.key cakey.pem /etc/ssl/privatecp vm2.andrewsmith.orgops.crt cacert.pem /etc/ssl/certs</source>
::'''NOTE:''' Those commands will create a certificate, a certificate signing request, a certificate authority, and sign your certificate with your certificate authority.<br>This would be the same as in the real world except there you would contact a real CA, here you're making up your own.
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/vm2.andrewsmith.orgops.keysmtpd_tls_cert_file = /etc/ssl/certs/vm2.andrewsmith.orgops.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom
'''Perform the following steps:'''
#Currently your Thunderbird is set up to use '''vm2.yoursenecaid.orgops''' for an SMTP server, with <u>no</u> security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server''').
# We haven't set up any user authentication, just an encrypted channel;therefore, leave the '''authentication method''' at the value: '''none'''.
#When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:
# Let's start by generating a new certificate for Dovecot on your vm3 machine by issuing the following commands:
<source lang="bash">mkdir /etc/ssl/{private,certs}openssl genrsa -des3 -out vm3.andrewsmith.orgops.key 2048chmod 600 vm3.andrewsmith.orgops.keyopenssl req -new -key vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.csropenssl x509 -req -days 365 -in vm3.andrewsmith.orgops.csr -signkey vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.crtopenssl rsa -in vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.key.nopassmv vm3.andrewsmith.orgops.key.nopass vm3.andrewsmith.orgops.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm3.andrewsmith.orgops.key cakey.pemcp vm3.andrewsmith.orgops.key cakey.pem /etc/ssl/privatecp vm3.andrewsmith.orgops.crt cacert.pem /etc/ssl/certs</source>
::'''NOTE:''' This process is identical to what you've done for the vm2 certificate. In fact if your IMAP and SMTP servers are on the same machine you can share the certificate between them. In our case, they are not on the same machine.
<ol><li value="2">Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the '''10-auth.conf''', <u>and</u> '''10-ssl.conf''' files and change the following settings (note: these parameters already exist in those files, just find them and set them to the correct value):</li></ol>
<source lang="bash">ssl = requiredssl_cert = <path_to_your_crt_filessl_key = <path_to_your_key_file
disable_plaintext_auth = yes
</source>
'''Record steps, commands, and your observations on this investigation in your OPS335 lab log-book'''
== INVESTIGATION 2: INSTALL, CONFIGURE & RUN WEBMAIL APPLICATION (Roundcube Mail) TO USE ENCRYPTION ==
{|cellpadding="15" width="40%" align="right"
|}
In the investigation, we will simply install, configure and run modify the '''roundcube''' webmail applicationto make use of the encrypted connections the email servers provide, and to allow clients to connect to it using an encrypted connection ('''https''').
'''Perform the following steps on vm1:'''
::* '''$config['smtp_server']'''NOTE::* '''$config['default_host']''This process is identical to what you've done for the other two certificates.::* '''$config['default_port']'''#Install the mod_ssl package to allow apache to use ssl.
#Add the following parameters to the apache configuration file:::'''NOTE:''' The last <source>SSLEngine onSSLCertificateFile "<absolute path to the .crt file>"SSLCertificateKeyFile "<uabolute path to the .key file>two"</usource> entries above refer to your IMAP server
{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump command, and you should use the Bash shell script that you were adviced to create in order to backup all of your VMs.}}
===Online Submission (Peter Callaghan's Classes only)===
Follow the instructions for lab 7 8 on moodleblackboard.
===In Class Submission(Murray Saul's Classes only)===
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
::<span style="color:green;font-size:1.5em;">✓</span>Your webmail sending an email out
::<span style="color:green;font-size:1.5em;">✓</span>You receiving that mail on an exernal account
::<span style="color:green;font-size:1.5em;">✓</span>Download the labcheck7labcheck8.bash checking bash shell script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck7labcheck8.bash'''<br><br>set execute permission and run the shell script on your '''c7hosthost''' machine.
::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.
::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.
::<span style="color:green;font-size:1.5em;">✓</span>Completed Lab7 Lab8 log-book notes.
==EXPLORATION QUESTIONS==
