It's me with still more questions (I'll stop soon I expect).
I'm aiming to provide a webmail server on my home Linux machine, probably with SquirrelMail, this is why I've been asking questions about IMAP servers, security, etc. I have SquirrelMail working already, very simple it was too, I was just asking about daemons etc. for information really.
After a little thought (and reading) I realise that the IMAP server doesn't have to be visible to the outside world if the only access is to be via SquirrelMail. I know it's possible (and intended even) that IMAP should be used by remote MUAs with IMAP capability but since I won't be doing that and neither will my other users I don't need to worry about the security implications of making IMAP (or POP3 for that matter) visible outside the LAN.
It means that making the web server visible to the outside world is where security matters though. Are there any other ways apart from full blown certificate based SSL/TSL to make an apache server a bit more secure? In particular is there a simple ways to encrypt passwords as they pass across the 'net?
The sort of level of security that ssh provides would be ideal, however expecting users to set up an ssh tunnel whenever they want to read their mail is probably a non-starter.
Chris Green wrote:
It's me with still more questions (I'll stop soon I expect).
I'm aiming to provide a webmail server on my home Linux machine, probably with SquirrelMail, this is why I've been asking questions about IMAP servers, security, etc. I have SquirrelMail working already, very simple it was too, I was just asking about daemons etc. for information really.
After a little thought (and reading) I realise that the IMAP server doesn't have to be visible to the outside world if the only access is to be via SquirrelMail. I know it's possible (and intended even) that IMAP should be used by remote MUAs with IMAP capability but since I won't be doing that and neither will my other users I don't need to worry about the security implications of making IMAP (or POP3 for that matter) visible outside the LAN.
It means that making the web server visible to the outside world is where security matters though. Are there any other ways apart from full blown certificate based SSL/TSL to make an apache server a bit more secure? In particular is there a simple ways to encrypt passwords as they pass across the 'net?
The sort of level of security that ssh provides would be ideal, however expecting users to set up an ssh tunnel whenever they want to read their mail is probably a non-starter.
Why not just generate an SSL key for Apache? You only have to buy a certificate if you want the "error" message to go away. Visit https://webmail.mpcontracting.co.uk to see if the "error" is acceptable to your users.
Here's a good primer on the procedure - http://slacksite.com/apache/certificate.html
And here's the relevant exerpts from my httpd.conf:-
# # Bring in additional module-specific configurations # <IfModule mod_ssl.c> Include conf/ssl.conf </IfModule>
# # Use name-based virtual hosting. # NameVirtualHost *:80 NameVirtualHost *:443
And from ssl.conf (stripped of comments for brevity):-
<IfDefine SSL> Listen 443
AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache SSLSessionCacheTimeout 300 SSLMutex file:/usr/local/apache/logs/ssl_mutex SSLRandomSeed startup builtin SSLRandomSeed connect builtin
<VirtualHost *:443>
DocumentRoot "/home/website/webmail/IlohaMail/source" ServerName webmail.mpcontracting.co.uk:443 ServerAdmin webmaster@mpcontracting.co.uk ErrorLog /usr/local/apache/logs/webmail_error_log TransferLog /usr/local/apache/logs/webmail_access_log DirectoryIndex index.php
SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
<Files ~ ".(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/usr/local/apache/cgi-bin"> SSLOptions +StdEnvVars </Directory>
SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
</VirtualHost>
</IfDefine>
Matt
On Tue, May 24, 2005 at 01:55:39PM +0100, Matt Parker wrote:
Chris Green wrote:
The sort of level of security that ssh provides would be ideal, however expecting users to set up an ssh tunnel whenever they want to read their mail is probably a non-starter.
Why not just generate an SSL key for Apache? You only have to buy a certificate if you want the "error" message to go away. Visit https://webmail.mpcontracting.co.uk to see if the "error" is acceptable to your users.
Yes, that's OK, we already get that when using the webmail on the site that hosts isbd.co.uk (since there's not a certificate for isbd.co.uk).
Here's a good primer on the procedure - http://slacksite.com/apache/certificate.html
I had looked at this before but one thing isn't clear - does the client have to do anything at all for this to work? If not then I'm confused about how SSL works, I thought the client had to provide a key of some sort.
Thanks for the http.conf changes, they don't look too onerous though I get bad feelings about what happens when I upgrade my Linux box and have to migrate all the customisation.
Chris Green chris@areti.co.uk wrote:
Thanks for the http.conf changes, they don't look too onerous though I get bad feelings about what happens when I upgrade my Linux box and have to migrate all the customisation.
Put it in another file and Include it into your apache configuration. Sometimes you will get bitten by incompatibilities, but it's usually just a one-line change. You might use something like cfengine to make that change stick, despite upgrades overwriting it.
-
Chris Green -
Matt Parker -
MJ Ray