Chris Green wrote:
It's me with still more questions (I'll stop soon I expect).
I'm aiming to provide a webmail server on my home Linux machine, probably with SquirrelMail; this is why I've been asking questions about IMAP servers, security, etc. I have SquirrelMail working already (very simple it was too); I was just asking about daemons etc. for information really.
After a little thought (and reading) I realise that the IMAP server doesn't have to be visible to the outside world if the only access is to be via SquirrelMail. I know it's possible (and intended even) that IMAP should be used by remote MUAs with IMAP capability but since I won't be doing that and neither will my other users I don't need to worry about the security implications of making IMAP (or POP3 for that matter) visible outside the LAN.
It means that making the web server visible to the outside world is where security matters though. Are there any other ways apart from full blown certificate based SSL/TLS to make an apache server a bit more secure? In particular is there a simple way to encrypt passwords as they pass across the 'net?
The sort of level of security that ssh provides would be ideal, however expecting users to set up an ssh tunnel whenever they want to read their mail is probably a non-starter.
Why not just generate an SSL key for Apache? You only have to buy a certificate if you want the "error" message to go away. Visit https://webmail.mpcontracting.co.uk to see if the "error" is acceptable to your users.
Here's a good primer on the procedure - http://slacksite.com/apache/certificate.html
And here's the relevant excerpts from my httpd.conf:-
#
# Bring in additional module-specific configurations
#
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

#
# Use name-based virtual hosting.
#
NameVirtualHost *:80
NameVirtualHost *:443
And from ssl.conf (stripped of comments for brevity):-
<IfDefine SSL>
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost *:443>
    DocumentRoot "/home/website/webmail/IlohaMail/source"
    ServerName webmail.mpcontracting.co.uk:443
    ServerAdmin webmaster@mpcontracting.co.uk
    ErrorLog /usr/local/apache/logs/webmail_error_log
    TransferLog /usr/local/apache/logs/webmail_access_log
    DirectoryIndex index.php

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/usr/local/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog /usr/local/apache/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
Matt
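Added example, not part of Matt's posted configuration or of the original thread: the SSLCipherSuite string in the excerpt above is the old mod_ssl default, and it still admits eNULL (no encryption), export-grade, LOW and SSLv2 suites, so a client can negotiate an "SSL" session that does not actually encrypt the login. The fragment below is a hardened version of the same webmail VirtualHost, with the weak string left in as a comment beside its replacement, plus a plain-HTTP vhost that redirects to HTTPS so the login form is never served over port 80 (which is what Chris's password question really hinges on). It assumes Apache 2.2 or later with mod_ssl (SSLHonorCipherOrder and the -SSLv3 keyword are not in 1.3); hostname and paths are reused from the excerpt.

```apache
# Added example: hardened replacement for the webmail VirtualHost above.
# Assumes Apache 2.2+ with mod_ssl; paths and hostname reused from the posted excerpt.

# Plain-HTTP side: never serve the login page over port 80, just bounce to HTTPS.
<VirtualHost *:80>
    ServerName webmail.mpcontracting.co.uk
    Redirect permanent / https://webmail.mpcontracting.co.uk/
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/home/website/webmail/IlohaMail/source"
    ServerName webmail.mpcontracting.co.uk:443
    ErrorLog /usr/local/apache/logs/webmail_error_log
    TransferLog /usr/local/apache/logs/webmail_access_log
    DirectoryIndex index.php

    SSLEngine on

    # Weak (old default): allows eNULL, EXPORT, LOW and SSLv2, so a client
    # could negotiate a "secure" session that encrypts nothing:
    #   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    #
    # Hardened: only high-strength, authenticated, encrypting suites, and the
    # server's preference order wins over the client's.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5
    SSLHonorCipherOrder on

    # Self-signed pair is fine here; a purchased certificate only removes the
    # untrusted-issuer warning. Keep the key file readable by root only.
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

    # Log which protocol and cipher each request actually negotiated, so a
    # downgraded session is visible in the access log.
    CustomLog /usr/local/apache/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

After editing, `apachectl configtest` checks the syntax, and `openssl s_client -connect webmail.mpcontracting.co.uk:443 -cipher NULL` should fail to complete a handshake, which confirms the null-encryption suites are really gone; the ssl_request_log then shows the protocol and cipher each user's browser settled on.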