Disable Scalix on port 80 (only secure logins)

Discuss installation of Scalix software


joaster
Posts: 101
Joined: Wed Aug 02, 2006 9:08 am

Disable Scalix on port 80 (only secure logins)

Postby joaster » Tue Aug 08, 2006 5:19 am

Hi,

I'd like to disable the Scalix logins on port 80, to make sure users will log in on port 443.

However, only Scalix should stop listening on port 80, since the website should remain accessible on port 80. Therefore shutting down port 80 in Apache or iptables is not an option.

Anyone who can help me out here?

Joost

florian
Scalix
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Tue Aug 08, 2006 5:58 pm

I can't give you full instructions right now, but the best basic idea is to change the interaction of Apache with Tomcat through mod_jk.

Currently our installation sets up mod_jk to forward requests to all Scalix URLs (i.e. /webmail, /sac, /res, /caa and /webcal) to Tomcat, independent of how they come in.

As SSL port :443 is a separate virtual host from Apache's point of view, the configuration can be moved from a global config to a per-host configuration.

Note that you will need to keep at least /caa and /res open for http, otherwise Scalix Admin Console will stop functioning.

Hope this helps for an idea - maybe there is an Apache czar out here that can quickly hack together config file samples; every time I have to configure Apache, I really envy its flexibility but somehow drown in the possibilities..... ;-)

cheers,
Florian.
Florian von Kurnatowski, Die Harder!
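
One way to write down the per-host mod_jk layout Florian describes, as an added example (this is not Scalix's shipped httpd configuration and not Florian's or Dave's own config): the JkMount lines for the Scalix web apps live only in the :443 virtual host, the :80 host mounts just /caa and /res so the Admin Console keeps working, and plain-http requests for the login pages are redirected to the TLS host. The worker name ajp13, the certificate paths and the hostname mail.yourdomain.net are assumptions; the Redirect lines go one step beyond the thread, which only asks for the mounts to be removed from port 80.

```apache
# Added example, not the project's configuration. Assumptions: worker
# "ajp13" exists in workers.properties, and the certificate paths and
# hostname below are placeholders for your own.

LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
# Do not copy server-wide JkMount lines into the virtual hosts; each
# host declares its own mounts below.
JkMountCopy   Off

<VirtualHost *:80>
    ServerName mail.yourdomain.net
    # Admin Console helpers that must stay reachable over plain http.
    JkMount /caa/* ajp13
    JkMount /res/* ajp13
    # Login pages are not mounted here; send browsers to the TLS host
    # instead of serving a login form over http.
    Redirect permanent /webmail https://mail.yourdomain.net/webmail
    Redirect permanent /sac     https://mail.yourdomain.net/sac
    Redirect permanent /webcal  https://mail.yourdomain.net/webcal
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.yourdomain.net
    SSLEngine on
    # Placeholder paths; point these at your own certificate and key.
    SSLCertificateFile    /etc/pki/tls/certs/mail.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mail.key
    # All Scalix web applications are proxied to Tomcat on this host only.
    JkMount /webmail/* ajp13
    JkMount /sac/*     ajp13
    JkMount /res/*     ajp13
    JkMount /caa/*     ajp13
    JkMount /webcal/*  ajp13
</VirtualHost>
```

After editing, `apachectl configtest` before the restart, then confirm that `http://mail.yourdomain.net/webmail/` answers with a redirect to https while `http://mail.yourdomain.net/caa/` is still served by Tomcat.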

dkelly
Scalix
Scalix
Posts: 593
Joined: Thu Mar 18, 2004 2:03 pm

Postby dkelly » Tue Aug 08, 2006 6:29 pm


joaster
Posts: 101
Joined: Wed Aug 02, 2006 9:08 am

Postby joaster » Wed Aug 09, 2006 3:58 am

Thanks for the quick responses,

This morning I added the code supplied by Dave's link and it works like a charm.

Would it be an idea to put this solution in the knowledge base (howto)? This is really a security fix that makes working via the web interface more secure.

Regards,
Joost.

florian
Scalix
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Wed Aug 09, 2006 4:05 am

Sure. I believe we already have a knowledge base article on the wiki on Apache in http://www.scalix.com/wiki/index.php?ti ... Tos/Apache.

What about adding this to the article - the wiki is freely editable by all registered users... :-)

Thanks in Advance.
Florian. :D
Florian von Kurnatowski, Die Harder!

joaster
Posts: 101
Joined: Wed Aug 02, 2006 9:08 am

Postby joaster » Mon Aug 28, 2006 11:36 am

Florian,

The howto you refer to is more about Apache and Tomcat. What about creating a Security Howto with information about hardening your Scalix server.

1. Force the use of https
2. Change SMTP greeting => is already a howto on its own
3. Change POP greeting
4. Change IMAP greeting
5. Change Apache information
6. Overview of ports in use by Scalix and which can be firewalled
etc.

I don't see how I can create the howto, but I can write about the first and 6th point above.

Regards,
Joost.

florian
Scalix
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Mon Aug 28, 2006 12:00 pm

Hi,

sure - if you want to summarize it that way? An initial security how-to could be created on the Wiki and, if there are other documents around, at least centralize the links. Additional stuff could be added, such as running tomcat as non-root, iptables firewalling, setting up stunnel or the use of SELinux in a controlled way.

Maybe you want to give this a start - just add it to the HowTos-section at www.scalix.com/wiki

However, looking at your list below, unfortunately 3 and 4 cannot be done today - I'll add enhancement requests for that. I don't really understand what you mean by 5.

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!

dkelly
Scalix
Scalix
Posts: 593
Joined: Thu Mar 18, 2004 2:03 pm

Postby dkelly » Mon Aug 28, 2006 12:03 pm

You can change the IMAP server greeting by setting the general.cfg tweak IMAP_GREETING.

There is no equivalent for the POP server.

Cheers

Dave

florian
Scalix
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Mon Aug 28, 2006 12:09 pm

wow, one never stops learning. :-)

Florian
Florian von Kurnatowski, Die Harder!

jcaudell
Posts: 73
Joined: Tue Jul 18, 2006 9:56 am

Postby jcaudell » Mon Aug 28, 2006 1:34 pm

#5

from the Apache FAQ: http://httpd.apache.org/docs/1.3/misc/F ... rverheader

Couldn't find equivalent info in the 2.0 FAQ. In short, you could recompile Apache, so probably not worth it.

How can I change the information that Apache returns about itself in the headers?

When a client connects to Apache, part of the information returned in the headers is the name "Apache". Additional information that can be sent is the version number, such as "1.3.26", the operating system, and a list of non-standard modules you have installed.

For example:

Server: Apache/1.3.26 (Unix) mod_perl/1.26

Frequently, people want to remove this information, under the mistaken understanding that this will make the system more secure. This is probably not the case, as the same exploits will likely be attempted regardless of the header information you provide.

There are, however, two answers to this question: the correct answer, and the answer that you are probably looking for.

The correct answer to this question is that you should use the ServerTokens directive to alter the quantity of information which is passed in the headers. Setting this directive to Prod will pass the least possible amount of information:

Server: Apache

The answer you are probably looking for is how to make Apache lie about what it is, i.e. send something like:

Server: Bob's Happy HTTPd Server

In order to do this, you will need to modify the Apache source code and rebuild Apache. This is not advised, as it is almost certain not to provide you with the added security you think that you are gaining. The exact method of doing this is left as an exercise for the reader, as we are not keen on helping you do something that is intrinsically a bad idea.
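
The FAQ's "correct answer" for item 5, written out as an added configuration example (not text from the Apache FAQ or from Scalix), with the talkative setting beside the hardened one. ServerSignature is included as an assumption-free companion directive: it controls the version footer on error pages and directory listings, which some distribution configs turn on.

```apache
# Added example, not the project's configuration.
#
# Talkative: product, version, platform and module list in every response,
# e.g. "Server: Apache/1.3.26 (Unix) mod_perl/1.26", plus a matching
# footer on server-generated error pages.
#
#   ServerTokens Full
#   ServerSignature On
#
# Hardened: the Server header shrinks to "Server: Apache" and error pages
# carry no version footer. The product name itself cannot be removed
# without rebuilding httpd, as the FAQ explains.
ServerTokens Prod
ServerSignature Off
```

Both directives belong in the main server configuration; ServerTokens cannot be set per virtual host. Check the result with a plain request such as `curl -sI https://mail.yourdomain.net/ | grep -i '^Server:'` (hostname assumed).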

joaster
Posts: 101
Joined: Wed Aug 02, 2006 9:08 am

Postby joaster » Mon Aug 28, 2006 6:16 pm

This week I will try to start the Security howto, but I first have to gather some extra information. For example about hardening the IMAP daemon.

Standard IMAP session:

Code:

$ telnet mail 143

Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.


As you can see, both the greeting and the goodbye line reveal sensitive information.
You can change the greeting by setting the IMAP_GREETING tag in general.cfg, e.g. by adding "IMAP_GREETING=IMAPd" to the file.

Question #1: how to restart only the imap daemon after changing the file?

Custom IMAP session:

Code:

$ telnet mail 143

Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK IMAPd
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.


Question #2: how to change the goodbye line? This still reveals the Scalix server (happily not the version number).

Regards,
Joost

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon Aug 28, 2006 6:44 pm

To restart just the imap process use:

omoff -d0 -w imap
omon imap

You can use omoff and omon for most Scalix processes. Please see the man pages.

It is not currently possible to configure the exit text. An enhancement request has been entered.

Regards,
Don
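
The procedure from the two posts above (set IMAP_GREETING in general.cfg, restart only the IMAP daemon, check the banner), as an added bash script that is not part of Scalix or of either poster's answer. The general.cfg path is a placeholder you must replace with the one from your installation; omoff, omon and the live banner check only work on the Scalix host, so they sit in functions that are not called unless you run the usage line at the bottom. The banner check also flags a bare version number, which goes slightly beyond the thread's "Scalix" example.

```bash
#!/bin/bash
# Added example, not Scalix's own tooling. GENERAL_CFG is a placeholder
# path; set it to the general.cfg of your Scalix instance.
GENERAL_CFG="${GENERAL_CFG:-/path/to/scalix/sys/general.cfg}"

# set_tweak FILE KEY VALUE: replace an existing KEY=... line or append one,
# so running the script twice never leaves duplicate entries behind.
set_tweak() {
    local file="$1" key="$2" value="$3"
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_tweak FILE KEY: print the current value, or nothing if it is unset.
get_tweak() {
    sed -n "s|^${2}=||p" "$1" 2>/dev/null | tail -n 1
}

# banner_leaks LINE: succeed (0) when an IMAP greeting or goodbye line still
# names Scalix or contains a version number such as 10.0.1.3; fail (1) when
# it is as terse as "* OK IMAPd".
banner_leaks() {
    case "$1" in
        *Scalix*|*[0-9].[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# restart_imap: the restart sequence from the thread (omoff/omon are Scalix
# commands and exist only on a Scalix host).
restart_imap() {
    omoff -d0 -w imap
    omon imap
}

# fetch_greeting HOST: read the first line the IMAP daemon sends, using
# bash's /dev/tcp instead of an interactive telnet session.
fetch_greeting() {
    local host="${1:-localhost}" line
    exec 3<>"/dev/tcp/${host}/143"
    IFS= read -r -t 5 line <&3
    printf 'a1 logout\r\n' >&3
    exec 3<&- 3>&-
    printf '%s\n' "$line"
}

# Usage on the Scalix host (hostname "mail" is the one from the thread):
#   set_tweak "$GENERAL_CFG" IMAP_GREETING IMAPd && restart_imap
#   banner_leaks "$(fetch_greeting mail)" && echo "still leaking" || echo "ok"
```

As the thread notes, the "* BYE Scalix IMAP Server logging out" line cannot be changed, so banner_leaks will still fire on the goodbye line even after the greeting is fixed; the check is meant for the greeting, which is what an unauthenticated scanner sees first.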

joaster
Posts: 101
Joined: Wed Aug 02, 2006 9:08 am

Postby joaster » Tue Aug 29, 2006 8:13 pm

I can proudly announce that today I have started the Scalix Security How-To (see http://www.scalix.com/wiki/index.php?title=HowTos/ScalixSecurity)

When working on the Apache hardening section, I found out that the login screens of Webmail and SAC contain their version numbers.

Any idea how to get rid of those?

Regards,
Joost

