Difference between revisions of "Configuring Scalix on https Ubuntu Gutsy"

From Scalix Wiki
Line 7: Line 7:
 
= Configuring Scalix on https on Ubuntu 7.10 Server (Gutsy Gibbon) =
 
= Configuring Scalix on https on Ubuntu 7.10 Server (Gutsy Gibbon) =
  
As Ubuntu 7.10 is an unsupported platform there is currently no manual describing the configuration of Clamav (an advanced anti-virus solution) to be used with Scalix. As I managed to get Scalix it up and running and I already documented and shared this with the community ([http://www.scalix.com/wiki/index.php?title=Manual_Installation_Ubuntu_Gutsy here]), I thought it would be useful to share my experiences on making the Scalix webapplications accessible via https configuration as well.
+
As Ubuntu 7.10 is an unsupported platform there is currently no manual describing the configuration of Clamav (an advanced anti-virus solution) to be used with Scalix. As I managed to get Scalix it up and running and I already documented and shared this with the community ([http://www.scalix.com/wiki/index.php?title=Manual_Installation_Ubuntu_Gutsy here]), I thought it would be useful to share my experiences on making the Scalix web applications accessible via https configuration as well.
  
So below you'll find a how-to that describes the configuration of Apache and Tomcat to make the Scalix webapplications available via https on a Ubuntu 7.10 server.
+
So below you'll find a how-to that describes the configuration of Apache and Tomcat to make the Scalix web applications available via https on a Ubuntu 7.10 server.
  
Scalix comes with a few web applications like SWA (Saclix Web Access, the webmail client), the SAC (Scalix Administration Console, the administration panel) and  
+
Scalix comes with a few web applications like SWA (Saclix Web Access, the web mail client), the SAC (Scalix Administration Console, the administration panel) and SMWC (Scalix Mobile Web Client, the web client for smartphones, pda's and other mobile devices). To make sure your connection to these application is secure, you should make them accessible via https.
  
 
I used several sources of information on the web. I listed the ones I can remember at the end of the document under '''''Sources'''''.
 
I used several sources of information on the web. I listed the ones I can remember at the end of the document under '''''Sources'''''.
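Review bot: the new introduction paragraph (the '+' line beginning "As Ubuntu 7.10 is an unsupported platform") still says there is "no manual describing the configuration of Clamav", a leftover from the Clamav page this revision was cloned from; since the heading and the following paragraph now describe making the Scalix web applications available via https, that sentence should say so as well. In the same paragraph "get Scalix it up and running" has a stray "it", and the added SWA expansion below reads "Saclix Web Access".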
Line 25: Line 25:
  
  
== Install the Clamav software ==
+
== Enable mod_ssl for Apache ==
  
Clamav is Open Source Software available on the internet [http://www.clamav.net here]. nder Ubuntu we have a package available that can be installed directly with apt-get, but unfortunately the 'standard' package contains an outdated version. No worries, to get an actual version, we can use the repository available [https://launchpad.net/~ubuntu-clamav/+archive here]. To do so, add the following line to the file '''/etc/apt/sources.list''':
+
Apache2 comes with a module called '''mod_ssl''', this is the so-called SSL encryption module for the Apache web server. This makes it possible to secure the http traffic from and towards Apache by SSL encryption. To activate this module, use this command:
deb http://ppa.launchpad.net/ubuntu-clamav/ubuntu gutsy main
+
  sudo a2enmod ssl
Afterwards, run:
+
sudo apt-get update
+
At last, install the Clamav software using this command:
+
  sudo apt-get install clamav-base clamav clamav-daemon clamav-freshclam
+
  
 +
== Create certificate ==
  
== Add clamav user to the Scalix group ==
+
To set up your secured server, you'll have to use the public key cryptography method to create a public and private key pair. In most cases, you send your certificate request (including your public key), a proof of your (company's) identity, and (of course) a payment to a Certificate Authority (CA), like Verisign. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.
  
For Clamav to be able to cooperate with Scalix, you should add the Clamav user ''clamav'' to the SCalix group ''Scalix''. Do this by editing '''/etc/group''' with your favorite editor, in this example ''vi'' is used, but feel free to use whatever editor you like. Edit the '''/etc/group''' file:
+
Alternatively, for example if you're using your server privately, you can create your own self-signed certificate. Note, However, self-signed certificates are not automatically accepted by a user's browser. Users are prompted by the browser to accept the certificate and create the secure connection.
sudo vi /etc/group
+
To add the ''clamav'' user to the ''scalix'' group, add '''clamav''' to the line:
+
scalix:x:120:
+
This is what the result should look like:
+
scalix:x:120:clamav
+
  
 +
Once you have a self-signed certificate or a signed certificate from the CA of your choice, you need to install it on your secure server.
  
== Configure Clamav ==
+
=== Generate Certificate Signing Request (CSR) ===
 +
To generate the Certificate Signing Request (CSR), you should create your own key. Use the following command from a to create the key:
 +
sudo openssl genrsa -des3 -out server.key 1024
 +
Now you'll be asked to enter a passphrase twice. For best security, it should at least contain eight characters. The minimum length when specifying -des3 is four characters. It should include numbers and/or special characters and not be based on a dictionary word. Remember your passphrase to be case-sensitive!
  
=== Create ruleset ===
+
You can also run your ssl-secured web server without a passphrase. This is convenient because you then you won't need to enter the passphrase every time you (re)start your secure web server. On the other hand it is less secure and therefor it's not recommended. To create a CSR without a passphrase, omit the '''-des3''' parameter in the command while creating the key, like this:
To create a ruleset which controls the virus protection of the Scalix server, create a file in the directory '''/var/opt/scalix/<instance>/s/rules/''' called '''ALL-ROUTES.VIR'''. This file should contain the following two lines:
+
sudo openssl genrsa -out server.key 1024
<pre>
+
VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=ndninfo.txt
+
VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW NOTIFY="A virus was found in your message. It was successfully cleaned and sent to the recipient. However we highly recommend that you install or update your virus protection software and scan your computer for viruses."
+
</pre>
+
  
=== Create non-delivery notification ===
+
Now you have created a key, you can create a CSR, do this by running the following command:
Next create a non-delivery notification, a text file with the message to be sent if a virus was found. This file should be called '''ndninfo.txt''' and should be created in the folder '''/var/opt/scalix/<instance>/s/rules/'''. This '''ndninfo.txt''' file should contain this text:
+
sudo openssl req -new -key server.key -out server.csr
<pre>
+
Text = A virus was detected in your message and could not be cleaned, therefore it was not delivered. We highly recommend that you install or update you virus protection software.
+
</pre>
+
  
=== Configure mapper script ===
+
If applicable it will ask you to enter the passphrase. Next, it will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the '''server.csr''' file. If you want to create a CA-signed certificate, you can submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate.  
Next, you'll have to set up the mapper script. The file '''omvscan.map''' is the virus scanning mapper script
+
that links Scalix and the Clamav virus scanning application. So let's copy the example script to our rules folder '''/var/opt/scalix/<instance>/s/rules/''':
+
sudo cp /opt/scalix/examples/general/omvscan.map /var/opt/scalix/<instance>/s/rules/
+
Now, change the ownership and the permission of the file '''/var/opt/scalix/<instance>/s/rules/omvscan.map''' by invoking these commands:
+
<pre>
+
sudo chown root:root /var/opt/scalix/<instance>/s/rules/omvscan.map
+
sudo chmod 555 /var/opt/scalix/<instance>/s/rules/omvscan.map
+
</pre>
+
  
 +
If you're willing to create a self-signed certificate using this CSR, please use the following command to sign the certificate:
 +
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  
== Start Clamav ==
+
If applicable it will ask you to enter the passphrase again. Next, your certificate will be created and it will be stored in the '''server.crt''' file.
  
First let's start the Clamav service and the freshclam (virus database updater), do so using the following commands:
 
  
<pre>
 
sudo /etc/init.d/clamav-daemon start
 
sudo /etc/init.d/clamav-freshclam start
 
</pre>
 
 
 
== Restart Scalix and check the configuration ==
 
To check if Scalix and Clamav work together properly, let's turn up the audit logging level for the Scalix services and send a few test mails containing viruses. If everything is all right, reduce the logging level again and enjoy. Let's start:
 
 
Turn up the audit logging for service router to 13:
 
sudo /opt/scalix/bin/omconfaud router 13
 
 
Turn up the debug logging for service router to 15:
 
sudo /opt/scalix/bin/omconflvl router 15
 
 
Restart the service router, first stop it:
 
sudo /opt/scalix/bin/omoff -d 0 rtr
 
And next start it again:
 
sudo /opt/scalix/bin/omon rtr
 
 
Now check if the virus scanner works, send yourself a few mail messages containing some test viruses. You can find safe, innocent test viruses to be used with Clamav in the Clamav source tarball. This tarball can be found on the Clamav website ([http://freshmeat.net/redir/clamav/29355/url_tgz/clamav-0.92.tar.gz here]). After unpacking the '''clamav-0.92.tar.gz''' file, you can find the test viruses (named clam-v2.rar, clam-v3.rar, clam.cab, clam.exe, clam.exe.bz2 and clam.zip) in the test folder.
 
 
If everything works as expected, you should receive a message that your e-mail messages could not be delivered because it contains virus infected files. Further you should be able to find out what happened when looking into the '''/var/opt/scalix/s2/s/logs/omvscan.log''' log file. Please do so using:
 
tail -400 /var/opt/scalix/<instance>/s/logs/omvscan.log
 
 
This should show you some lines that look like those below:
 
<pre>
 
2008-02-03 23:21:00:PID=30089:############## start /var/opt/scalix/<instance>/s/tmp/clamav.log.30089
 
2008-02-03 23:21:00:PID=30089:/var/opt/scalix/<instance>/s/data/000001e/0001uqq: ClamAV-Test-File FOUND
 
2008-02-03 23:21:00:PID=30089:
 
2008-02-03 23:21:00:PID=30089:----------- SCAN SUMMARY -----------
 
2008-02-03 23:21:00:PID=30089:Infected files: 1
 
2008-02-03 23:21:00:PID=30089:Time: 0.026 sec (0 m 0 s)
 
2008-02-03 23:21:00:PID=30089:############## end /var/opt/scalix/<instance>/s/tmp/clamav.log.30089
 
</pre>
 
 
Once you're sure that Clamav is working properly together with Scalix, you can reduce the log levels again.
 
 
Turn back the audit logging for service router to 7:
 
sudo /opt/scalix/bin/omconfaud router 7
 
 
Turn back the debug logging for service router to 7:
 
sudo /opt/scalix/bin/omconflvl router 7
 
 
Restart the service router, first stop it:
 
sudo /opt/scalix/bin/omoff -d 0 rtr
 
And next start it again:
 
sudo /opt/scalix/bin/omon rtr
 
  
 
If there's something wrong, have a look at the log files and look for the exact error message and fix the problem. If everything is all right, then you're done: congratulations!
 
If there's something wrong, have a look at the log files and look for the exact error message and fix the problem. If everything is all right, then you're done: congratulations!
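Review bot: in the added CSR section, "Use the following command from a to create the key" is missing a word after "from a", and "To create a CSR without a passphrase, omit the -des3 parameter" describes the key-generation command rather than the CSR; suggest "To create the key without a passphrase, omit the -des3 parameter". The added "Create certificate" text also states that "you need to install it on your secure server", but the hunk ends after "sudo openssl x509 -req -days 365 ..." without the Apache configuration step that references server.crt and server.key, so the how-to stops where the reader most needs it. The closing "If there's something wrong, have a look at the log files" sentence is carried over from the Clamav version and no longer refers to any log file named in this text.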
Line 130: Line 64:
  
 
* http://www.scalix.com/wiki/index.php?title=Scalix_with_https
 
* http://www.scalix.com/wiki/index.php?title=Scalix_with_https
 +
* https://help.ubuntu.com/7.10/server/C/httpd.html
  
  

Revision as of 13:52, 4 February 2008

Important Note

Please note that these manual installation instructions should only be used on Ubuntu distributions, such as Ubuntu Gutsy Gibbon 7.10 server, the distribution the document was written for. If you install Scalix on an unsupported platform, this invalidates your ability to receive Scalix support. Thank you for your understanding and compliance.

This document might be inaccurate and under construction. Do not trust this document.


Configuring Scalix on https on Ubuntu 7.10 Server (Gutsy Gibbon)

As Ubuntu 7.10 is an unsupported platform there is currently no manual describing the configuration of Clamav (an advanced anti-virus solution) to be used with Scalix. As I managed to get Scalix up and running and have already documented and shared this with the community (here), I thought it would be useful to share my experiences on making the Scalix web applications accessible via https as well.

So below you'll find a how-to that describes the configuration of Apache and Tomcat to make the Scalix web applications available via https on a Ubuntu 7.10 server.

Scalix comes with a few web applications like SWA (Scalix Web Access, the web mail client), the SAC (Scalix Administration Console, the administration panel) and SMWC (Scalix Mobile Web Client, the web client for smartphones, PDAs and other mobile devices). To make sure your connection to these applications is secure, you should make them accessible via https.

I used several sources of information on the web. I listed the ones I can remember at the end of the document under Sources.


Applicable Environments

These installation instructions have been tested with:

  • Scalix CE 11.3.0
  • Ubuntu 7.10 Server (Gutsy Gibbon)

They might not apply unmodified to any other version of Scalix or Ubuntu.


Enable mod_ssl for Apache

Apache2 comes with a module called mod_ssl, the SSL encryption module for the Apache web server. It makes it possible to secure the http traffic from and to Apache with SSL encryption. To activate this module, use this command:

sudo a2enmod ssl

Create certificate

To set up your secured server, you'll have to use the public key cryptography method to create a public and private key pair. In most cases, you send your certificate request (including your public key), a proof of your (company's) identity, and (of course) a payment to a Certificate Authority (CA), like Verisign. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.

Alternatively, for example if you're using your server privately, you can create your own self-signed certificate. Note, however, that self-signed certificates are not automatically accepted by a user's browser. Users are prompted by the browser to accept the certificate before the secure connection is created.

Once you have a self-signed certificate or a signed certificate from the CA of your choice, you need to install it on your secure server.

Generate Certificate Signing Request (CSR)

To generate the Certificate Signing Request (CSR), you first need your own private key. Use the following command to create the key:

sudo openssl genrsa -des3 -out server.key 1024

Now you'll be asked to enter a passphrase twice. For best security, it should contain at least eight characters. The minimum length when specifying -des3 is four characters. It should include numbers and/or special characters and not be based on a dictionary word. Remember that your passphrase is case-sensitive!

You can also run your SSL-secured web server without a passphrase. This is convenient because you won't need to enter the passphrase every time you (re)start your secure web server. On the other hand, it is less secure and therefore not recommended. To create the key without a passphrase, omit the -des3 parameter from the command, like this:

sudo openssl genrsa -out server.key 1024

Now that you have created a key, you can create a CSR by running the following command:

sudo openssl req -new -key server.key -out server.csr

If the key has a passphrase, it will ask you to enter it. Next, it will prompt you for the Company Name, Site Name, e-mail address, etc. Once you have entered all these details, your CSR is created and stored in the server.csr file. If you want a CA-signed certificate, you can submit this CSR file to a CA for processing. The CA will use this CSR file to issue the certificate.

If you want to create a self-signed certificate from this CSR, use the following command to sign it:

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

If the key has a passphrase, you will be asked for it again. Next, your certificate is created and stored in the server.crt file.
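The whole key, CSR and self-signing procedure from this section, as an added example that is not part of the original page, run non-interactively and followed by the checks worth doing before pointing Apache at the files: that the certificate's modulus matches the private key, that the subject CN is the host name you expect, that the certificate is not about to expire, and that the key file is not world-readable. It assumes only that the openssl command line tool is installed; the work directory, the subject values and the 2048-bit key size (the page uses 1024, which is no longer considered adequate) are the example's own choices, and like the page's passphrase-less variant it omits -des3 and relies on file permissions instead.

```shell
#!/bin/sh
# Added example, not from the wiki page: key -> CSR -> self-signed certificate,
# run non-interactively, then verified. Assumes the openssl CLI is installed.
# WORKDIR, the subject values and the key size are constructed for this example.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/server.csr"
CRT="$WORKDIR/server.crt"

# Step 1: the private key. No -des3 here (as in the page's passphrase-less
# variant), so protect the file with permissions instead.
make_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# Step 2: the CSR. -subj supplies the Company Name / Site Name answers on the
# command line instead of the interactive prompts.
make_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=NL/O=Example/CN=mail.example.org" 2>/dev/null
}

# Step 3: self-sign the CSR for 365 days, as the page does.
self_sign() {
    openssl x509 -req -days 365 -in "$CSR" -signkey "$KEY" -out "$CRT" 2>/dev/null
}

# Check 1: a certificate only works with the key it was issued for; the RSA
# modulus is identical in both files when they belong together.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$CRT" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the CN is what browsers compare against the host name in the URL.
cert_cn() {
    openssl x509 -noout -subject -in "$CRT" | sed 's/.*CN *= *//'
}

# Check 3: -checkend fails when the certificate expires within the given
# number of seconds; 30 days here, so an expiring certificate is noticed
# before users see browser warnings.
cert_valid_for_30_days() {
    openssl x509 -noout -checkend 2592000 -in "$CRT" >/dev/null
}

# Check 4: the key file must be readable by its owner only (mode 600).
key_mode_is_600() {
    [ -n "$(find "$KEY" -perm 600)" ]
}

# Run the procedure and report when executed directly.
make_key && make_csr && self_sign
if key_matches_cert && cert_valid_for_30_days && key_mode_is_600; then
    echo "OK: $CRT for CN=$(cert_cn) matches $KEY"
else
    echo "FAILED: inspect $WORKDIR" >&2
fi
```

The modulus comparison is the check that catches the most common mistake when a certificate is later renewed: installing a new server.crt next to an old server.key, which Apache refuses to start with. For a CA-signed certificate the same four functions apply; only self_sign is replaced by whatever the CA returns.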


If there's something wrong, have a look at the log files and look for the exact error message and fix the problem. If everything is all right, then you're done: congratulations!


Sources

  • http://www.scalix.com/wiki/index.php?title=Scalix_with_https
  • https://help.ubuntu.com/7.10/server/C/httpd.html

The author

The original version of this document was written by Max Wiertz. As a Scalix newbie, I invested a lot of work in getting Scalix to work with https on Ubuntu. I felt like sharing this with all of you, so you can hopefully take advantage of it.

If you have any questions, remarks, comments or suggestions regarding this document, do not hesitate to contact me by e-mail: mailto:max_DOT_wiertz_AT_gmail_DOT_com.