IT_Architect (Verified User), joined Feb 27, 2006
Why do we need it?
With the ubiquitous nature of mobile devices in the hands of non-technical users, they are at risk of compromising their login credentials at poorly implemented or old-technology hotspots. This translates into a problem for the hosting company when their credentials get into the hands of spammers, the server gets blacklisted, and everyone else on the server holds the hosting company responsible for the service interruption. Moreover, every time such an event occurs, it requires hours of time to determine whether the problem is due to a bad form on their site or to compromised credentials, and to respond as necessary to the data center and spam lists to return the server to full usability.
The cert strategy:
1. Use the server's snake oil cert.
2. Buy a low-cost cert from a CA.
I went with number two. However, I encourage the user to use their own domain as usual in their E-mail clients, and then, against the warning, install the cert. The advantage is that you can move their domain to a different server, and the users won't have to change their E-mail client settings. They would simply need to accept the certificate again. If they were to use the name on the server's cert and you moved them to another server, every device in the company would need to have its E-mail client edited to reflect the new E-mail server. Where the problem comes in is that some software will only allow the cert to work for a day, or until you reboot. Then they have to re-accept it. Instead of getting annoyed every day, they can edit the mail server in their E-mail client to reflect the name on the CA-signed server cert.
The changes:
Secure Web Mail (http)
Credit goes to zEitEr for this one. Add the following near the bottom of /etc/httpd/conf/extra/httpd-includes.conf:
Code:
################################################################################
# Mod_Rewrite: send any plain-HTTP request for the web mail and phpMyAdmin
# paths to the same URL over HTTPS, so login forms are never served in the clear
################################################################################
<Location /phpMyAdmin>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Location>
<Location /webmail>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Location>
<Location /squirrelmail>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Location>
<Location /roundcube>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Location>
<Location /atmail>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Location>
- Restart Apache
Secure Dovecot (POP3 & IMAP)
- ssh in as root
- cd /etc/dovecot
- cp dovecot.conf dovecot.conf.ssl
- Edit /etc/dovecot.conf.ssl
- Change:
Code:
disable_plaintext_auth = no
to
Code:
## Begin Change
# Refuse LOGIN/PLAIN on connections that have not negotiated SSL/TLS
disable_plaintext_auth = yes
## End Change
- mv dovecot.conf dovecot.conf.orig
- cp dovecot.conf.ssl dovecot.conf
- Restart dovecot
Secure Exim (SMTP)
SpamBlocker 4.5.3+: put the # Change Begin to # Change End code into this file, and there is no need to edit exim.conf directly:
Code:
/etc/exim.acl_check_recipient.mid.conf
OR
For the older SpamBlocker.exim.conf.2.1.1-release (05-Jun-2007), open /etc/exim.conf and find the following block of code:
Code:
# to block certain well known exploits, Deny for local domains if
# local parts begin with a dot or contain @ % ! / |
deny domains = +local_domains
     local_parts = ^[.] : ^.*[@%!/|]
and place this directly below it:
Code:
# Change Begin
# Prevents unencrypted mail submission: drop the session if the client
# authenticated without having negotiated TLS first.
drop
     !encrypted = *
     authenticated = *
     message = Your connection must be encrypted.
     log_message = Connection from \
                   [$sender_host_address]($authenticated_id) was \
                   not encrypted.
# Change End
The code that should show directly below this is:
Code:
# to restrict port 587 to authenticated users only
# see also daemon_smtp_ports above
accept hosts = +auth_relay_hosts
     condition = ${if eq {$interface_port}{587} {yes}{no}}
     endpass
     message = relay not permitted, authentication required
     authenticated = *
- Restart Exim
Other:
The # Change Begin and # Change End comments simply highlight your changes for when it becomes advantageous to move to a newer version of the configs. If you find any errors or omissions, let me know, and I'll correct them.
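To confirm the three changes took effect from a client's point of view, here is an added verification script; it is not part of the original post and is not DirectAdmin or SpamBlocker code. It connects in the clear, the way a laptop on a hotspot would, and reports whether /webmail is redirected to HTTPS, whether Dovecot advertises LOGINDISABLED on port 143, and what Exim offers on port 587 before STARTTLS. That last point is the caveat worth knowing about the Exim rule above: Exim evaluates `encrypted` and `authenticated` in the RCPT ACL, after the client has already completed AUTH, so a password sent by a client that was never forced to use TLS has already crossed the hotspot in the clear by the time the session is dropped. Dovecot's disable_plaintext_auth refuses before the password is sent; the Exim equivalent is to not advertise AUTH on unencrypted connections (the auth_advertise_hosts option), and that is what the SMTP check grades. The host name comes from the command line; the standard port numbers, the /webmail/ path from the Apache block, and the sample responses at the bottom (constructed, not captured from any server) are this example's assumptions.

```python
"""Client-side check of the three changes above, talking in the clear.
Added example, not code from the original post, DirectAdmin or SpamBlocker.
Pure helpers (response text in, verdict out) are exercised offline against
the constructed samples at the bottom; check_host() runs the same checks
against a live host named on the command line (ports 80, 143, 587)."""
import re
import socket
import sys

TIMEOUT = 5  # seconds per connection

def imap_capabilities(text):
    """Upper-cased capabilities from a greeting '[CAPABILITY ...]' code
    and/or an untagged '* CAPABILITY ...' line."""
    caps = set()
    for m in re.finditer(r"\[CAPABILITY ([^\]]*)\]", text, re.I):
        caps.update(m.group(1).upper().split())
    for line in text.splitlines():
        if line.upper().startswith("* CAPABILITY "):
            caps.update(line.upper().split()[2:])
    return caps

def imap_verdict(text):
    """Dovecot with disable_plaintext_auth = yes advertises LOGINDISABLED on
    a non-TLS connection, so a conforming client never sends LOGIN at all."""
    caps = imap_capabilities(text)
    return {"starttls": "STARTTLS" in caps,
            "login_disabled": "LOGINDISABLED" in caps,
            "ok": "STARTTLS" in caps and "LOGINDISABLED" in caps}

def smtp_ehlo_keywords(text):
    """Upper-cased keywords from a multi-line 250 EHLO reply."""
    kws = set()
    for line in text.splitlines():
        m = re.match(r"250[ -](\S+)", line)
        if m:
            kws.add(m.group(1).upper())
    return kws

def smtp_verdict(text):
    """The post's ACL drops an authenticated-but-unencrypted session at RCPT
    time, i.e. after the password has crossed the wire, so the stricter
    test graded here is: STARTTLS offered and AUTH *not* offered before it
    (Exim controls that with auth_advertise_hosts)."""
    kws = smtp_ehlo_keywords(text)
    return {"starttls": "STARTTLS" in kws,
            "auth_in_clear": "AUTH" in kws,
            "ok": "STARTTLS" in kws and "AUTH" not in kws}

def http_redirects_to_https(head):
    """True when the status line is a redirect and Location is an https URL."""
    lines = head.splitlines()
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0]) if lines else None
    if not m or m.group(1) not in ("301", "302", "307", "308"):
        return False
    for line in lines[1:]:
        if line.lower().startswith("location:"):
            return line.split(":", 1)[1].strip().lower().startswith("https://")
    return False

def _talk(host, port, send, greeting):
    """Plaintext TCP exchange: optional greeting, one command, one reply."""
    with socket.create_connection((host, port), TIMEOUT) as s:
        s.settimeout(TIMEOUT)
        data = s.recv(4096) if greeting else b""
        s.sendall(send)
        try:
            data += s.recv(4096)
        except socket.timeout:
            pass
    return data.decode("utf-8", "replace")

def check_host(host):
    """Run all three checks against a live host; True when every one passes."""
    req = ("GET /webmail/ HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode()
    results = {
        "webmail redirects to https":
            http_redirects_to_https(_talk(host, 80, req, False)),
        "imap plaintext login disabled":
            imap_verdict(_talk(host, 143, b"a1 CAPABILITY\r\n", True))["ok"],
        "smtp auth not offered in clear":
            smtp_verdict(_talk(host, 587, b"EHLO check.invalid\r\n", True))["ok"],
    }
    for name, ok in results.items():
        print("%-32s %s" % (name, "PASS" if ok else "FAIL"))
    return all(results.values())

# Constructed sample responses (not captured from any real server).
SAMPLE_IMAP_SECURE = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR STARTTLS "
                      "LOGINDISABLED] Dovecot ready.\r\n")
SAMPLE_IMAP_WEAK = ("* OK Dovecot ready.\r\n"
                    "* CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN STARTTLS\r\n"
                    "a1 OK Capability completed.\r\n")
SAMPLE_EHLO_SECURE = ("220 mail.example.com ESMTP Exim\r\n"
                      "250-mail.example.com Hello check.invalid\r\n"
                      "250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n")
SAMPLE_EHLO_WEAK = SAMPLE_EHLO_SECURE.replace(
    "250-STARTTLS\r\n", "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n")
SAMPLE_HTTP_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                        "Location: https://mail.example.com/webmail/\r\n\r\n")

if __name__ == "__main__":
    sys.exit(0 if check_host(sys.argv[1]) else 1)
```

Run it as `python3 check_mail_tls.py mail.example.com` after the restarts; a FAIL on the SMTP line while the Exim rule is in place simply means AUTH is still advertised on the plaintext side of port 587, and a client with the wrong settings will still hand over the password once before the drop takes effect.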