How I did it: Centos 5.0, SMB Authentication, Forced SSL


kbrault
Posts: 12
Joined: Tue Nov 13, 2007 12:08 am


Postby kbrault » Thu Nov 22, 2007 12:55 am

Install Centos 5.0 - minimal, no firewall, no selinux, Dynamic IP with IP reservation on DNS server

yum -y update; reboot; exit

yum install -y compat-libstdc++-296 cyrus-sasl-md5 cyrus-sasl-plain elinks httpd java man mod_ssl nano pam_smb perl postgresql-server sendmail-cf tk wget which; reboot; exit

nano /etc/hosts
127.0.0.1 localhost
192.168.1.1 dnshost.domain.tld dnshost #note, this is NOT the local host name

chkconfig postgresql on
chkconfig httpd on

Turn off firewall and selinux:
/usr/bin/system-config-securitylevel-tui

reboot; exit

mkdir rpm
cd rpm
wget http://downloads.scalix.com/.community/ ... -intel.tgz
tar -xzvf *tgz
rm -f *tgz
cd scalix-11.2.0-GA
/root/rpm/scalix-11.2.0-GA/scalix-installer --override=rhel5


Remote Authentication:

nano /etc/pam_smb.conf
DOMAIN
DNSHOST
DNSHOST.DOMAIN.TLD

cp /var/opt/scalix/XX/s/sys/pam.d/ual.remote /var/opt/scalix/XX/s/sys/pam.d/ual.remote.old
cp /var/opt/scalix/XX/s/sys/pam.d/ual.local /var/opt/scalix/XX/s/sys/pam.d/ual.local.old
cp /var/opt/scalix/XX/s/sys/pam.d/smtpd.auth /var/opt/scalix/XX/s/sys/pam.d/smtpd.auth.old
cp /var/opt/scalix/XX/s/sys/pam.d/omslapdeng /var/opt/scalix/XX/s/sys/pam.d/omslapdeng.old
cp /var/opt/scalix/XX/s/sys/pam.d/pop3 /var/opt/scalix/XX/s/sys/pam.d/pop3.old

Change these files:

nano /var/opt/scalix/XX/s/sys/pam.d/ual.remote
nano /var/opt/scalix/XX/s/sys/pam.d/ual.local
nano /var/opt/scalix/XX/s/sys/pam.d/smtpd.auth
nano /var/opt/scalix/XX/s/sys/pam.d/omslapdeng
nano /var/opt/scalix/XX/s/sys/pam.d/pop3

To have this:

auth required om_om2authid
auth sufficient /lib/security/pam_smb_auth.so debug nolocal
auth sufficient om_auth use_first_pass
auth required pam_deny
account required om_auth


Force SSL Web access:

cp /etc/opt/scalix-tomcat/connector/jk/instance-XX.conf /etc/opt/scalix-tomcat/connector/jk/instance-XX.conf.old
nano /etc/opt/scalix-tomcat/connector/jk/instance-XX.conf
replace the VirtualHost section,

<VirtualHost *:80>
Include /etc/opt/scalix-tomcat/connector/jk/app-XX.*.conf
</VirtualHost>

with,

<VirtualHost *:80>
Include /etc/opt/scalix-tomcat/connector/jk/app-XX.*.conf
<LocationMatch "^/sac/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</LocationMatch>
<LocationMatch "^/webmail/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</LocationMatch>
</VirtualHost>

cp /etc/opt/scalix-tomcat/connector/ajp/instance-XX.conf /etc/opt/scalix-tomcat/connector/ajp/instance-XX.conf.old
nano /etc/opt/scalix-tomcat/connector/ajp/instance-XX.conf
replace the VirtualHost section,

<VirtualHost *:80>
Include /etc/opt/scalix-tomcat/connector/ajp/app-XX.*.conf
</VirtualHost>

with,

<VirtualHost *:80>
Include /etc/opt/scalix-tomcat/connector/ajp/app-XX.*.conf
<LocationMatch "^/sac/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</LocationMatch>
<LocationMatch "^/webmail/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</LocationMatch>
</VirtualHost>


reboot; exit

japerlman84
Posts: 12
Joined: Fri Dec 07, 2007 3:45 pm

Postby japerlman84 » Fri Dec 07, 2007 3:47 pm

Awesome guide, I really appreciate you taking the time to post it. I do have one question though.

When I switched over to force SSL over Webmail I can no longer access webmail or the admin console; it just shows up as a 404. If I put the orig configs back in, it works again.

Any ideas?

freebs

Postby freebs » Fri Dec 07, 2007 10:17 pm

I had this same problem running Scalix on Suse Enterprise 9.

Depending on your distro, the locations may be different for your ssl config, but here's my (working) solution. Replace <....> with your server details.

In /etc/apache/vhosts.d/vhost-ssl.conf

<VirtualHost _default_:443>
        ServerName <FQDN>:443
        ServerAdmin <EMAIL>@<DOMAIN>
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log
        SSLEngine On
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/ssl.crt/<FQDN>.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/<FQDN>.key
</VirtualHost>


In /etc/opt/scalix-tomcat/connector/ajp/instance-<HOST>.conf

<VirtualHost <FQDN>:443>
        #Pretty sure this Vhost section isn't needed, yet to test
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/apache2/ssl.crt/<FQDN>.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/<FQDN>.key
        Include /etc/opt/scalix-tomcat/connector/jk/app-<HOST>.*.conf
</VirtualHost>
<VirtualHost *:80>
  Include /etc/opt/scalix-tomcat/connector/ajp/app-<HOST>.*.conf
  <LocationMatch "^/sac/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
  <LocationMatch "^/webmail/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
</VirtualHost>
In /etc/opt/scalix-tomcat/connector/jk/instance-<HOST>.conf

<VirtualHost <FQDN>:443>
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/apache2/ssl.crt/<FQDN>.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/<FQDN>.key
        Include /etc/opt/scalix-tomcat/connector/jk/app-<HOST>.*.conf
</VirtualHost>

<VirtualHost *:80>
  Include /etc/opt/scalix-tomcat/connector/jk/app-<HOST>.*.conf
  <LocationMatch "^/sac/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
  <LocationMatch "^/webmail/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
</VirtualHost>
.....additional entries for JkWorker.Properties etc
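
A check for the 404 that freebs diagnoses above, added here as an example and not code from this thread: it scans an Apache config for /sac and /webmail blocks that are rewritten to https on the port-80 vhost and reports any that no :443 vhost serves through an app Include. The sample configs, the XX instance name and the glob/per-app Include matching are assumptions.

```python
import re

# Constructed sample in the shape of the port-80 vhost posted above: the redirect
# is there, but no :443 vhost includes the Scalix app configs, so https requests 404.
BROKEN_CONF = """<VirtualHost *:80>
Include /etc/opt/scalix-tomcat/connector/jk/app-XX.*.conf
<LocationMatch "^/sac/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</LocationMatch>
<LocationMatch "^/webmail/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</LocationMatch>
</VirtualHost>
"""
# Constructed: the same, plus a :443 vhost carrying the Include, as freebs' fix does.
FIXED_CONF = BROKEN_CONF + """<VirtualHost _default_:443>
SSLEngine on
Include /etc/opt/scalix-tomcat/connector/jk/app-XX.*.conf
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)
LOC_RE = re.compile(r'<LocationMatch\s+"([^"]+)">(.*?)</LocationMatch>', re.S)

def parse_vhosts(conf):
    """(port, body) for every <VirtualHost> block; port is the text after the last ':'."""
    return [(addr.strip().rsplit(":", 1)[-1], body) for addr, body in VHOST_RE.findall(conf)]

def redirected_apps(body):
    """App names (sac, webmail) whose LocationMatch block rewrites to https://."""
    return [pattern.strip("^/*") for pattern, inner in LOC_RE.findall(body)
            if re.search(r"RewriteRule\s+\S+\s+https://", inner)]

def check_forced_ssl(conf):
    """Apps redirected to https on :80 that no :443 vhost serves (each one will 404)."""
    vhosts = parse_vhosts(conf)
    https_includes = [inc for port, body in vhosts if port == "443"
                      for inc in re.findall(r"^\s*Include\s+(\S+)", body, re.M)]
    missing = []
    for port, body in vhosts:
        for app in (redirected_apps(body) if port == "80" else []):
            # a glob include (app-XX.*.conf) or a per-app one (app-XX.sac.conf) both serve it
            if not any(".*." in inc or f".{app}." in inc for inc in https_includes):
                missing.append(app)
    return missing
```

Run check_forced_ssl over the instance-XX.conf files after editing them; an empty list means every redirected path has a matching SSL vhost.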

joako
Posts: 308
Joined: Tue May 08, 2007 10:45 pm

Postby joako » Sun Dec 09, 2007 5:07 pm

Here's another way. Personally I like my way better :)

All in httpd.conf



Then for the SSL host we just add these lines:

#Scalix Mobile
Include /etc/opt/scalix-tomcat/connector/ajp/app-web03.m.conf
#SWA -- Scalix Web Access
Include /etc/opt/scalix-tomcat/connector/ajp/app-web03.webmail.conf
#SAC -- Scalix Administration Console
Include /etc/opt/scalix-tomcat/connector/ajp/app-web03.sac.conf
#Include /etc/opt/scalix-tomcat/connector/jk/app-web03.*.conf
#Include /opt/scalix/global/httpd/scalix-web-client.conf
#Include /etc/opt/scalix-tomcat/connector/ajp/app-web03.*.conf
Include /opt/scalix/global/httpd/scalix-web-client.conf

Each to his own I suppose. I also prefer to put my entire apache2 config into a single httpd.conf file.

freebs

Postby freebs » Mon Dec 10, 2007 6:01 am

Hey, thanks for the input. I have to admit the 'solution' I put in place was probably less than ideal, but it worked so I didn't try to tweak it much after that.

I think I might go back and review my setup and follow a similar model to yours; it's simplified, which is always easier to maintain.

PS The multiple files are a bit of a Suse thing. I work with both RH and Suse, which can do one's head in sometimes, as RH generally has just one.

kool_kid
Posts: 179
Joined: Wed Dec 05, 2007 7:27 am

Postby kool_kid » Mon Dec 10, 2007 1:54 pm

Thanks, I was able to force SSL with this tut.

