1,234
edits
Changes
→COMPLETING THE LAB
==OBJECTIVE & PREPARATION==
{{Admon/important|Prerequistites|This lab depends on changes made in several previous labs. You must have successfully completed labs 3, 4a, 4b, and 5 6 in order to be able to do this lab.}}
Below is the same diagram that we referred to over the previous 2 email labs:
* [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix Create a self signed SSL key for Postfix]
* [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration]
== INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE ==
Normally (in production), you would need to pay a "certificate authority" to issue a '''certificate''' for you. That is essentially '''a "signed" public key''' that will tell strangers on the internet that your server is really yours (i.e. the certificate authority says so). There is an obvious problem with the previous statement but that is mainly how public key encryption works on the Internet today.
'''Perform the following steps:'''
#Let's start with the "sending" SMTP server we have '''on VM2'''. Run the following, replacing <u>andrewsmith.ops</u> with '''<u>your</u> domain name''':
<source>mkdir -p /root/postfix-keys /etc/ssl/{private,certs}
#Currently your Thunderbird is set up to use '''vm2.yoursenecaid.ops''' for an SMTP server, with <u>no</u> security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server''').
# We haven't set up any user authentication, just an encrypted channel;therefore, leave the '''authentication method''' at the value: '''none'''.
#When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:
'''Perform the following steps:'''
# Let's start by generating a new certificate for Dovecot '''on your vm3 ''' machine by issuing the following commands:
<source>mkdir /etc/ssl/{private,certs}
openssl genrsa -des3 -out vm3.andrewsmith.ops.key 2048
<source>ssl = required
ssl_cert = <path_to_your_crt_file>ssl_key = <path_to_your_key_file>
disable_plaintext_auth = yes
</source>
Now that the webmail application is using an encrypted connection when communicating with the email servers, it is time to encrypt the client's connection to the web server.
# First you need to generate a new certificate for apache '''on your vm1 ''' machine by issuing the following commands:
<source>mkdir /etc/ssl/{private,certs}
openssl genrsa -des3 -out vm1.andrewsmith.ops.key 2048
::'''NOTE:''' This process is identical to what you've done for the other two certificates.
#Install the '''mod_ssl ''' package to allow apache to use ssl.
#Add the following parameters to the apache configuration file:
<source>
SSLEngine on
SSLCertificateFile "<absolute path to the absolute_path_to_the_.crt file>crt_file"SSLCertificateKeyFile "<abolute path to the abolute_path_to_the_.key file>key_file"
</source>
#restart Restart apache and modify your firewall to allow traffic to '''port 443'''.
#Open a web-browser on your host and try to connect to https://vm1.<yourdomain>.ops/webmail
::You should get a security exception similar to the one's you saw with the email, and for the same reason (the site you are trying to contact has a self-signed certificate). Add the exception and login to access your email.
==COMPLETING THE LAB==
Follow the instructions for lab 8 on blackboard.
<!--
===In Class Submission (Murray Saul's Classes only)===
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.
::<span style="color:green;font-size:1.5em;">✓</span>Completed Lab8 log-book notes.
-->
==EXPLORATION QUESTIONS==
