Changes

← Older edit

OPS335 Lab 8 2018

39 bytes removed, 15:29, 2 September 2020

→‎COMPLETING THE LAB

==OBJECTIVE & PREPARATION==

{{Admon/important|Prerequistites|This lab depends on changes made in several previous labs. You must have successfully completed labs 3, 4a, 4b, and 5 6 in order to be able to do this lab.}}

Below is the same diagram that we referred to over the previous 2 email labs:

* [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix Create a self signed SSL key for Postfix]

* [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration]

== INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE ==

~~According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security),~~ '''Transport Layer Security''' (TLS) and its predecessor, '''Secure Sockets Layer''' (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.

Normally (in production), you would need to pay a "certificate authority" to issue a '''certificate''' for you. That is essentially '''a "signed" public key''' that will tell strangers on the internet that your server is really yours (i.e. the certificate authority says so). There is an obvious problem with the previous statement but that is mainly how public key encryption works on the Internet today.

'''Perform the following steps:'''

#Let's start with the "sending" SMTP server we have '''on VM2'''. Run the following, replacing andrewsmith.ops with '''your domain name''':

<source ~~lang="bash"~~>mkdir -p /root/postfix-keys /etc/ssl/{private,certs}

cd /root/postfix-keys

openssl genrsa -des3 -out vm2.andrewsmith.ops.key 2048

#Currently your Thunderbird is set up to use '''vm2.yoursenecaid.ops''' for an SMTP server, with no security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server''').

# We haven't set up any user authentication, just an encrypted channel;therefore, leave the '''authentication method''' at the value: '''none'''.

#When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:

'''Perform the following steps:'''

# Let's start by generating a new certificate for Dovecot '''on your vm3 ''' machine by issuing the following commands:<source ~~lang="bash"~~>mkdir /etc/ssl/{private,certs}

openssl genrsa -des3 -out vm3.andrewsmith.ops.key 2048

chmod 600 vm3.andrewsmith.ops.key

<ol><li value="2">Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the '''10-auth.conf''', and '''10-ssl.conf''' files and change the following settings (note: these parameters already exist in those files, just find them and set them to the correct value):</li></ol>

<source ~~lang="bash"~~>ssl = requiredssl_cert = <path_to_your_crt_file>ssl_key = <path_to_your_key_file>

disable_plaintext_auth = yes

</source>

'''Record steps, commands, and your observations on this investigation in your OPS335 lab log-book'''

== INVESTIGATION 2: ~~INSTALL,~~ CONFIGURE ~~& RUN~~ WEBMAIL ~~APPLICATION~~ (Roundcube Mail) TO USE ENCRYPTION ==

{|cellpadding="15" width="40%" align="right"

|}

In the investigation, we will ~~simply install, configure and run~~ modify the '''roundcube''' webmail applicationto make use of the encrypted connections the email servers provide, and to allow clients to connect to it using an encrypted connection ('''https''').

'''Perform the following steps on vm1:'''

~~#Perform a search on~~ First, we will modify the ~~roundcube application in order~~ webserver to ~~access the website.#Either Download the "zipped tarball" from their website from a direct link or~~ use the ~~wget command to download directly from a download link (This part may take some effort depending on the Sourceforge website).#Extract~~ encrypted connections the ~~"zipped tarball" and rename the generated directory that contains download source code to: '''webmail'''.::* Use the '''--no-same-owner''' option when extracting the tar achive to ensure that the files do not keep the original owner (who will not exist on your system).~~email servers are now providing<ol><li ~~value="4"~~>~~Change~~ Modify the ~~ownership of the '''temp''' and '''logs''' directories~~ roundcube configuration file so ~~they belong to apache.</li><li>This service needs to be able to write to several directories ('''temp''' and '''logs''') that SELinux prevents write access to. If you are in a section~~ that ~~has SELinux set to '''enforcing''', run~~ the following ~~commands to let it know that apache should be allowed to write to files in those directories.<source lang="bash">semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/temp(/.*)?'semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/logs(/.*)?'restorecon -v -R /var/www/html/webmail</source></li></ol>::If your machine does not have~~ parameters reflect the ~~semage command, use yum to install the policycoreutils-python package.<ol><li value="6">In~~ encrypted settings on the ~~directory now named "webmail", there will be a file named '''INSTALL''' which will walk you through the rest of the Roundcube installation. Some installation tips to consider:::* Be careful about copying & pasting the MySQL setup part: take time and pay attention to detail: do not try to "rush it".::* You will need to install additional Apache modules including: '''php-xml''' and '''php-mbstring'''.::* Don't forget to set the password in the roundcube configuration.</li><li>Note that both of your IMAP and SMTP~~ mail servers ~~are on different machines (i.e. not on vm1). Therefore, you will need to set the following options for Roundcube~~:

::* '''$config['smtp_server']'''

::* '''$config['default_host']'''

::* '''$config['default_port']'''

:::'''NOTE:''' The last two entries above refer to your ~~IMAP~~ IMAPS server

</li>

<li>You ~~should be able~~ may wish to ~~test~~ use the configuration tool in your Roundcube installer after ~~completing Step 3~~making those changes. ~~Try~~ To do so, you will need to add::* '''$config['enable_installer'] = true;'''to your configuration file.</li><li>Next, test if the roundcube webmail application is working by sending and receiving e-mail messages.</li></ol> Now that the webmail application is using an encrypted connection when communicating with the email servers, it is time to encrypt the client's connection to the web server.# First you need to generate a new certificate for apache '''on your vm1''' machine by issuing the following commands:<source>mkdir /etc/ssl/{private,certs}openssl genrsa -des3 -out vm1.andrewsmith.ops.key 2048chmod 600 vm1.andrewsmith.ops.keyopenssl req -new -key vm1.andrewsmith.ops.key -out vm1.andrewsmith.ops.csropenssl x509 -req -days 365 -in vm1.andrewsmith.ops.csr -signkey vm1.andrewsmith.ops.key -out vm1.andrewsmith.ops.crtopenssl rsa -in vm1.andrewsmith.ops.key -out vm1.andrewsmith.ops.key.nopassmv vm1.andrewsmith.ops.key.nopass vm1.andrewsmith.ops.keyopenssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650chmod 600 vm1.andrewsmith.ops.key cakey.pemcp vm1.andrewsmith.ops.key cakey.pem /etc/ssl/privatecp vm1.andrewsmith.ops.crt cacert.pem /etc/ssl/certs</source> ::'''NOTE:''' This process is identical to what you've done for the other two certificates.#Install the '''mod_ssl''' package to allow apache to use ssl. #Add the following parameters to the apache configuration file:<source>SSLEngine onSSLCertificateFile "absolute_path_to_the_.crt_file"SSLCertificateKeyFile "abolute_path_to_the_.key_file"</source> #Restart apache and modify your firewall to allow traffic to '''port 443'''.#Open a web-browser on your host and try to connect to https://vm1.<yourdomain>.ops/webmail::You should get a security exception similar to the one's you saw with the email, and for the same reason (the site you are trying to contact has a self-signed certificate). Add the exception and login to access your email.::Send an email to ensure everything is functioning properly.

{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump command, and you should use the Bash shell script that you were adviced to create in order to backup all of your VMs.}}

==COMPLETING THE LAB==

~~In completing this lab you have gained experience...~~

~~'''Depending on your professor you will either be asked to submit the lab in class, or online. Follow the appropriate set of instructions below.'''~~

~~===Online Submission (Peter Callaghan's Classes only)===~~

~~Follow the instructions for lab 8 on moodle.~~

===Online Submission===Follow the instructions for lab 8 on blackboard.<!--===In Class Submission(Murray Saul's Classes only)===

'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''

::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.

::✓Completed Lab8 log-book notes.

-->

==EXPLORATION QUESTIONS==

Andrew

Bureaucrats, Administrators

1,234

edits

Changes

OPS335 Lab 8 2018

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

get involved with CDOT

courses

course projects

links

Tools