932
edits
Changes
m
#Perform a search on First, we will modify the roundcube application in order webserver to access the website.#Either Download the "zipped tarball" from their website from a direct link or use the wget command to download directly from a download link (This part may take some effort depending on the Sourceforge website).#Extract encrypted connections the "zipped tarball" and rename the generated directory that contains download source code to: '''webmail'''.::* Use the '''--no-same-owner''' option when extracting the tar achive to ensure that the files do not keep the original owner (who will not exist on your system).email servers are now providing<ol><li value="4">Change Modify the ownership of the '''temp''' and '''logs''' directories roundcube configuration file so they belong to apache.</li><li>This service needs to be able to write to several directories ('''temp''' and '''logs''') that SELinux prevents write access to. If you are in a section that has SELinux set to '''enforcing''', run the following commands to let it know that apache should be allowed to write to files in those directories.<source lang="bash">semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/temp(/.*)?'semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/logs(/.*)?'restorecon -v -R /var/www/html/webmail</source></li></ol>::If your machine does not have parameters reflect the semage command, use yum to install the policycoreutils-python package.<ol><li value="6">In encrypted settings on the directory now named "webmail", there will be a file named '''INSTALL''' which will walk you through the rest of the Roundcube installation.<br /><br />Some installation tips to consider: ::* Be careful about copying & pasting the MySQL setup part: take time and pay attention to detail: do not try to "rush it".::* You will need to install additional Apache modules including: '''php-xml''' and '''php-mbstring'''.::* Don't forget to set the password in the roundcube configuration.</li><li>Note that both of your IMAP and SMTP mail servers are on different machines (i.e. not on vm1). Therefore, you will need to set the following options for Roundcube:
→Encryption Dovecot with Secure Socket layer (SSL): - fixing typo
==OBJECTIVE & PREPARATION==
{{Admon/important|Prerequistites|This lab depends on changes made in several previous labs. You must have successfully completed labs 3, 4a, 4b, and 5 6 in order to be able to do this lab.}}
Below is the same diagram that we referred to over the previous 2 email labs:
* [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix Create a self signed SSL key for Postfix]
* [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration]
== INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE ==
'''Perform the following steps:'''
#Let's start with the "sending" SMTP server we have on VM2. Run the following, replacing <u>andrewsmith.orgops</u> with '''<u>your</u> domain name''':
<source lang="bash">mkdir -p /root/postfix-keys /etc/ssl/{private,certs}
cd /root/postfix-keys
openssl genrsa -des3 -out vm2.andrewsmith.orgops.key 2048chmod 600 vm2.andrewsmith.orgops.keyopenssl req -new -key vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.csropenssl x509 -req -days 365 -in vm2.andrewsmith.orgops.csr -signkey vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.crtopenssl rsa -in vm2.andrewsmith.orgops.key -out vm2.andrewsmith.orgops.key.nopassmv vm2.andrewsmith.orgops.key.nopass vm2.andrewsmith.orgops.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm2.andrewsmith.orgops.key cakey.pemcp vm2.andrewsmith.orgops.key cakey.pem /etc/ssl/privatecp vm2.andrewsmith.orgops.crt cacert.pem /etc/ssl/certs</source>
::'''NOTE:''' Those commands will create a certificate, a certificate signing request, a certificate authority, and sign your certificate with your certificate authority.<br>This would be the same as in the real world except there you would contact a real CA, here you're making up your own.
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/vm2.andrewsmith.orgops.keysmtpd_tls_cert_file = /etc/ssl/certs/vm2.andrewsmith.orgops.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom
'''Perform the following steps:'''
#Currently your Thunderbird is set up to use '''vm2.yoursenecaid.orgops''' for an SMTP server, with <u>no</u> security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server''').
# We haven't set up any user authentication, just an encrypted channel;therefore, leave the '''authentication method''' at the value: '''none'''.
#When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:
# Let's start by generating a new certificate for Dovecot on your vm3 machine by issuing the following commands:
<source lang="bash">mkdir /etc/ssl/{private,certs}openssl genrsa -des3 -out vm3.andrewsmith.orgops.key 2048chmod 600 vm3.andrewsmith.orgops.keyopenssl req -new -key vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.csropenssl x509 -req -days 365 -in vm3.andrewsmith.orgops.csr -signkey vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.crtopenssl rsa -in vm3.andrewsmith.orgops.key -out vm3.andrewsmith.orgops.key.nopassmv vm3.andrewsmith.orgops.key.nopass vm3.andrewsmith.orgops.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm3.andrewsmith.orgops.key cakey.pemcp vm3.andrewsmith.orgops.key cakey.pem /etc/ssl/privatecp vm3.andrewsmith.orgops.crt cacert.pem /etc/ssl/certs</source>
::'''NOTE:''' This process is identical to what you've done for the vm2 certificate. In fact if your IMAP and SMTP servers are on the same machine you can share the certificate between them. In our case, they are not on the same machine.
<ol><li value="2">Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the '''10-auth.conf''', <u>and</u> '''10-ssl.conf''' files and change the following settings (note: these parameters already exist in those files, just find them and set them to the correct value):</li></ol>
<source lang="bash">ssl = requiredssl_cert = <path_to_your_crt_file>ssl_key = <path_to_your_key_file>
disable_plaintext_auth = yes
</source>
'''Record steps, commands, and your observations on this investigation in your OPS335 lab log-book'''
== INVESTIGATION 2: INSTALL, CONFIGURE & RUN WEBMAIL APPLICATION (Roundcube Mail) TO USE ENCRYPTION ==
{|cellpadding="15" width="40%" align="right"
|}
In the investigation, we will simply install, configure and run modify the '''roundcube''' webmail applicationto make use of the encrypted connections the email servers provide, and to allow clients to connect to it using an encrypted connection ('''https''').
'''Perform the following steps on vm1:'''
::* '''$config['smtp_server']'''
::* '''$config['default_host']'''
::* '''$config['default_port']'''
:::'''NOTE:''' The last <u>two</u> entries above refer to your IMAP IMAPS server
</li>
<li>You should be able may wish to test use the configuration tool in your Roundcube installer after completing Step 3making those changes. Try To do so, you will need to add::* '''$config['enable_installer'] = true;'''to your configuration file.</li><li>Next, test if the roundcube webmail application is working by sending and receiving e-mail messages.</li></ol> Now that the webmail application is using an encrypted connection when communicating with the email servers, it is time to encrypt the client's connection to the web server.# First you need to generate a new certificate for apache on your vm1 machine by issuing the following commands:<source>mkdir /etc/ssl/{private,certs}openssl genrsa -des3 -out vm1.andrewsmith.ops.key 2048chmod 600 vm1.andrewsmith.ops.keyopenssl req -new -key vm1.andrewsmith.ops.key -out vm1.andrewsmith.ops.csropenssl x509 -req -days 365 -in vm1.andrewsmith.ops.csr -signkey vm1.andrewsmith.ops.key -out vm1.andrewsmith.ops.crtopenssl rsa -in vm1.andrewsmith.ops.key -out vm1.andrewsmith.ops.key.nopassmv vm1.andrewsmith.ops.key.nopass vm1.andrewsmith.ops.keyopenssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650chmod 600 vm1.andrewsmith.ops.key cakey.pemcp vm1.andrewsmith.ops.key cakey.pem /etc/ssl/privatecp vm1.andrewsmith.ops.crt cacert.pem /etc/ssl/certs</source> ::'''NOTE:''' This process is identical to what you've done for the other two certificates.#Install the mod_ssl package to allow apache to use ssl. #Add the following parameters to the apache configuration file:<source>SSLEngine onSSLCertificateFile "<absolute path to the .crt file>"SSLCertificateKeyFile "<abolute path to the .key file>"</source> #restart apache and modify your firewall to allow traffic to port 443.#Open a web-browser on your host and try to connect to https://vm1.<yourdomain>.ops/webmail::You should get a security exception similar to the one's you saw with the email, and for the same reason (the site you are trying to contact has a self-signed certificate). Add the exception and login to access your email.::Send an email to ensure everything is functioning properly.
{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump command, and you should use the Bash shell script that you were adviced to create in order to backup all of your VMs.}}
===Online Submission (Peter Callaghan's Classes only)===
Follow the instructions for lab 7 8 on moodleblackboard.
===In Class Submission(Murray Saul's Classes only)===
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
::<span style="color:green;font-size:1.5em;">✓</span>Your webmail sending an email out
::<span style="color:green;font-size:1.5em;">✓</span>You receiving that mail on an exernal account
::<span style="color:green;font-size:1.5em;">✓</span>Download the labcheck7labcheck8.bash checking bash shell script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck7labcheck8.bash'''<br><br>set execute permission and run the shell script on your '''c7hosthost''' machine.
::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.
::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.
::<span style="color:green;font-size:1.5em;">✓</span>Completed Lab7 Lab8 log-book notes.
==EXPLORATION QUESTIONS==
