Scalix Forums


http://www.scalix.com/forums/

How I did it: Centos 5.0, SMB Authentication, Forced SSL

http://www.scalix.com/forums/viewtopic.php?f=5&t=9392

Page 1 of 1

How I did it: Centos 5.0, SMB Authentication, Forced SSL

Posted: Thu Nov 22, 2007 12:55 am
by kbrault
Install Centos 5.0 - minimal, no firewall, no selinux, Dynamic IP with IP reservation on DNS server

yum -y update; reboot; exit

yum install -y compat-libstdc++-296 cyrus-sasl-md5 cyrus-sasl-plain elinks httpd java man mod_ssl nano pam_smb perl postgresql-server sendmail-cf tk wget which; reboot; exit

nano /etc/hosts
127.0.0.1 localhost
192.168.1.1 dnshost.domain.tld dnshost #note, this is NOT the local host name

chkconfig postgresql on
chkconfig httpd on

Turn off firewall and selinux:
/usr/bin/system-config-securitylevel-tui

reboot; exit

mkdir rpm
cd rpm
wget http://downloads.scalix.com/.community/ ... -intel.tgz
tar -xzvf *tgz
rm -f *tgz
cd scalix-11.2.0-GA
/root/rpm/scalix-11.2.0-GA/scalix-installer --override=rhel5


Remote Authentication:

nano /etc/pam_smb.conf
DOMAIN
DNSHOST
DNSHOST.DOMAIN.TLD

cp /var/opt/scalix/XX/s/sys/pam.d/ual.remote /var/opt/scalix/sx/XX/sys/pam.d/ual.remote.old
cp /var/opt/scalix/XX/s/sys/pam.d/ual.local /var/opt/scalix/XX/s/sys/pam.d/ual.local.old
cp /var/opt/scalix/XX/s/sys/pam.d/smtpd.auth /var/opt/scalix/XX/s/sys/pam.d/smtpd.auth.old
cp /var/opt/scalix/XX/s/sys/pam.d/omslapdeng /var/opt/scalix/XX/s/sys/pam.d/omslapdeng.old
cp /var/opt/scalix/XX/s/sys/pam.d/pop3 /var/opt/scalix/XX/s/sys/pam.d/pop3.old

Change these files:

nano /var/opt/scalix/XX/s/sys/pam.d/ual.remote
nano /var/opt/scalix/XX/s/sys/pam.d/ual.local
nano /var/opt/scalix/XX/s/sys/pam.d/smtpd.auth
nano /var/opt/scalix/XX/s/sys/pam.d/omslapdeng
nano /var/opt/scalix/XX/s/sys/pam.d/pop3

To have this:

auth required om_om2authid
auth sufficient /lib/security/pam_smb_auth.so debug nolocal
auth sufficient om_auth use_first_pass
auth required pam_deny
account required om_auth


Force SSL Web access:

cp /etc/opt/scalix-tomcat/connector/jk/instance-XX.conf /etc/opt/scalix-tomcat/connector/jk/instance-XX.conf.old
nano /etc/opt/scalix-tomcat/connector/jk/instance-XX.conf
replace the VirualHost section,

<VirtualHost *:80>
Include /etc/opt/scalix-tomcat/connector/jk/app-XX.*.conf
</VirtualHost>

with,

<VirtualHost *:80>
Include /etc/opt/scalix-tomcat/connector/jk/app-XX.*.conf
<LocationMatch "^/sac/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</LocationMatch>
<LocationMatch "^/webmail/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</LocationMatch>
</VirtualHost>

cp /etc/opt/scalix-tomcat/connector/ajp/instance-XX.conf /etc/opt/scalix-tomcat/connector/ajp/instance-XX.conf.old
nano /etc/opt/scalix-tomcat/connector/ajp/instance-XX.conf
replace the VirualHost section,

<VirtualHost *:80>
Include /etc/opt/scalix-tomcat/connector/ajp/app-XX.*.conf
</VirtualHost>

with,

<VirtualHost *:80>
Include /etc/opt/scalix-tomcat/connector/ajp/app-XX.*.conf
<LocationMatch "^/sac/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</LocationMatch>
<LocationMatch "^/webmail/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</LocationMatch>
</VirtualHost>


reboot; exit

Posted: Fri Dec 07, 2007 3:47 pm
by japerlman84
Awesome guide, I really appreciate you taking the time to post it. I do have on question though.

When I switched over to force SSL over Webmail I can no longer access webmail or the admin console, just shows up as a 404. If i put the orig configs back in it works again.

Any ideas?

Posted: Fri Dec 07, 2007 10:17 pm
by freebs
I had this same problem running Scalix on Suse Enterprise 9.

Depending on your distro, the locations may be different for your ssl config, but here's my (working) solution. Replace <....> with your server details.

In /etc/apache/vhosts.d/vhost-ssl.conf

Code: Select all

<VirtualHost _default_:443>
        ServerName <FQDN>:443
        ServerAdmin <EMAIL>@<DOMAIN>
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log
        SSLEngine On
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/ssl.crt/<FQDN>.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/<FQDN>.key
</VirtualHost>


In /etc/opt/scalix-tomcat/connector/ajp/instance-<HOST>.conf

Code: Select all

<VirtualHost <FQDN>:443>
        #Pretty sure this Vhost section isn't needed, yet to test
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/apache2/ssl.crt/<FQDN>.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/<FQDN>.key
        Include /etc/opt/scalix-tomcat/connector/jk/app-<HOST>.*.conf
</VirtualHost>
<VirtualHost *:80>
  Include /etc/opt/scalix-tomcat/connector/ajp/app-<HOST>.*.conf
  <LocationMatch "^/sac/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
  <LocationMatch "^/webmail/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
</VirtualHost>




In /etc/opt/scalix-tomcat/connector/jk/instance-<HOST>.conf

Code: Select all

<VirtualHost <FQDN>:443>
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/apache2/ssl.crt/<FQDN>.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/<FQDN>.key
        Include /etc/opt/scalix-tomcat/connector/jk/app-<HOST>.*.conf
</VirtualHost>

<VirtualHost *:80>
  Include /etc/opt/scalix-tomcat/connector/jk/app-<HOST>.*.conf
  <LocationMatch "^/sac/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
  <LocationMatch "^/webmail/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
</VirtualHost>
.....additional entries for JkWorker.Properties etc

Posted: Sun Dec 09, 2007 5:07 pm
by joako
Here's another way. Personally I like my way better :)

All in httpd.conf



Then for the SSL host we just add these lines:

[qupte]#Scalix Mobile
Include /etc/opt/scalix-tomcat/connector/ajp/app-web03.m.conf
#SWA -- Scalix Web Access
Include /etc/opt/scalix-tomcat/connector/ajp/app-web03.webmail.conf
#SAC -- Scalix Administation Console
Include /etc/opt/scalix-tomcat/connector/ajp/app-web03.sac.conf
#Include /etc/opt/scalix-tomcat/connector/jk/app-web03.*.conf
#Include /opt/scalix/global/httpd/scalix-web-client.conf
#Include /etc/opt/scalix-tomcat/connector/ajp/app-web03.*.conf
Include /opt/scalix/global/httpd/scalix-web-client.conf
[/quote]

Each to his own I suppose. I also prefer to put my entire apache2 config into a single httpd.conf file.

Posted: Mon Dec 10, 2007 6:01 am
by freebs
Hey thanks for the input, have to admit, the 'solution' I put in place was probably less than ideal but it worked so I didn't try to tweak it much after that.

I think I might go back and review my setup and follow a similar model to yours, it's simplified which is always easier to maintain.

PS The multiple files is a bit of a Suse thing. I work with both RH and Suse which can do one's head in sometimes as RH has just one generally.

Posted: Mon Dec 10, 2007 1:54 pm
by kool_kid
Thanks i was able to force ssl with this tut.
All times are UTC-04:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/