Difference between revisions of "Configuring Scalix on https Ubuntu Gutsy"

From Scalix Wiki
 
(7 intermediate revisions by the same user not shown)
Line 7: Line 7:
 
= Configuring Scalix on https on Ubuntu 7.10 Server (Gutsy Gibbon) =
 
= Configuring Scalix on https on Ubuntu 7.10 Server (Gutsy Gibbon) =
  
As Ubuntu 7.10 is an unsupported platform there is currently no manual describing the configuration of Clamav (an advanced anti-virus solution) to be used with Scalix. As I managed to get Scalix it up and running and I already documented and shared this with the community ([http://www.scalix.com/wiki/index.php?title=Manual_Installation_Ubuntu_Gutsy here]), I thought it would be useful to share my experiences on making the Scalix webapplications accessible via https configuration as well.
+
As Ubuntu 7.10 is an unsupported platform there is currently no manual describing the configuration of Clamav (an advanced anti-virus solution) to be used with Scalix. As I managed to get Scalix it up and running and I already documented and shared this with the community ([http://www.scalix.com/wiki/index.php?title=Manual_Installation_Ubuntu_Gutsy here]), I thought it would be useful to share my experiences on making the Scalix web applications accessible via https configuration as well.
  
So below you'll find a how-to that describes the configuration of Apache and Tomcat to make the Scalix webapplications available via https on a Ubuntu 7.10 server.
+
So below you'll find a how-to that describes the configuration of Apache and Tomcat to make the Scalix web applications available via https on a Ubuntu 7.10 server.
  
Scalix comes with a few web applications like SWA (Saclix Web Access, the webmail client), the SAC (Scalix Administration Console, the administration panel) and  
+
Scalix comes with a few web applications like SWA (Saclix Web Access, the web mail client), the SAC (Scalix Administration Console, the administration panel) and SMWC (Scalix Mobile Web Client, the web client for smartphones, pda's and other mobile devices). To make sure your connection to these application is secure, you should make them accessible via https.
  
 
I used several sources of information on the web. I listed the ones I can remember at the end of the document under '''''Sources'''''.
 
I used several sources of information on the web. I listed the ones I can remember at the end of the document under '''''Sources'''''.
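Review bot: the rewritten introduction (the paragraph beginning "As Ubuntu 7.10 is an unsupported platform") still says there is currently no manual describing the configuration of Clamav, which is left over from the Clamav how-to this text was copied from and contradicts the new title and the next paragraph about Apache and Tomcat; suggest changing it to say there is no manual describing how to make the Scalix web applications available via https. The same hunk keeps the typo "Saclix Web Access" in the paragraph listing the web applications.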
Line 25: Line 25:
  
  
== Install the Clamav software ==
+
== Enable mod_ssl for Apache ==
  
Clamav is Open Source Software available on the internet [http://www.clamav.net here]. nder Ubuntu we have a package available that can be installed directly with apt-get, but unfortunately the 'standard' package contains an outdated version. No worries, to get an actual version, we can use the repository available [https://launchpad.net/~ubuntu-clamav/+archive here]. To do so, add the following line to the file '''/etc/apt/sources.list''':
+
Apache2 comes with a module called '''mod_ssl''', this is the so-called SSL encryption module for the Apache web server. This makes it possible to secure the http traffic from and towards Apache by SSL encryption. To activate this module, use this command:
deb http://ppa.launchpad.net/ubuntu-clamav/ubuntu gutsy main
+
  sudo a2enmod ssl
Afterwards, run:
+
sudo apt-get update
+
At last, install the Clamav software using this command:
+
  sudo apt-get install clamav-base clamav clamav-daemon clamav-freshclam
+
  
 +
== Configure certificate ==
  
== Add clamav user to the Scalix group ==
+
To set up your secured server, you'll have to use the public key cryptography method to create a public and private key pair. In most cases, you send your certificate request (including your public key), a proof of your (company's) identity, and (of course) a payment to a Certificate Authority (CA), like Verisign. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.
  
For Clamav to be able to cooperate with Scalix, you should add the Clamav user ''clamav'' to the SCalix group ''Scalix''. Do this by editing '''/etc/group''' with your favorite editor, in this example ''vi'' is used, but feel free to use whatever editor you like. Edit the '''/etc/group''' file:
+
Alternatively, for example if you're using your server privately, you can create your own self-signed certificate. Note, However, self-signed certificates are not automatically accepted by a user's browser. Users are prompted by the browser to accept the certificate and create the secure connection.
sudo vi /etc/group
+
To add the ''clamav'' user to the ''scalix'' group, add '''clamav''' to the line:
+
scalix:x:120:
+
This is what the result should look like:
+
scalix:x:120:clamav
+
  
 +
Once you have a self-signed certificate or a signed certificate from the CA of your choice, you need to install it on your secure server.
  
== Configure Clamav ==
+
=== Generate Certificate Signing Request (CSR) ===
 +
To generate the Certificate Signing Request (CSR), you should create your own key. Use the following command from a to create the key:
 +
sudo openssl genrsa -des3 -out server.key 1024
 +
Now you'll be asked to enter a passphrase twice. For best security, it should at least contain eight characters, include numbers and/or special characters and not be based on a dictionary word. Remember your passphrase to be case-sensitive!
  
=== Create ruleset ===
+
You can also run your ssl-secured web server without a passphrase. This is convenient because you then you won't need to enter the passphrase every time you (re)start your secure web server. On the other hand it is less secure and therefor it's not recommended. To create a CSR without a passphrase, omit the '''-des3''' parameter in the command while creating the key, like this:
To create a ruleset which controls the virus protection of the Scalix server, create a file in the directory '''/var/opt/scalix/<instance>/s/rules/''' called '''ALL-ROUTES.VIR'''. This file should contain the following two lines:
+
sudo openssl genrsa -out server.key 1024
<pre>
+
VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=ndninfo.txt
+
VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW NOTIFY="A virus was found in your message. It was successfully cleaned and sent to the recipient. However we highly recommend that you install or update your virus protection software and scan your computer for viruses."
+
</pre>
+
  
=== Create non-delivery notification ===
+
Now you have created a key, you can create a CSR, do this by running the following command:
Next create a non-delivery notification, a text file with the message to be sent if a virus was found. This file should be called '''ndninfo.txt''' and should be created in the folder '''/var/opt/scalix/<instance>/s/rules/'''. This '''ndninfo.txt''' file should contain this text:
+
sudo openssl req -new -key server.key -out server.csr
<pre>
+
Text = A virus was detected in your message and could not be cleaned, therefore it was not delivered. We highly recommend that you install or update you virus protection software.
+
</pre>
+
  
=== Configure mapper script ===
+
If applicable it will ask you to enter the passphrase. Next, it will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the '''server.csr''' file. If you want to create a CA-signed certificate, you can submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate.
Next, you'll have to set up the mapper script. The file '''omvscan.map''' is the virus scanning mapper script
+
that links Scalix and the Clamav virus scanning application. So let's copy the example script to our rules folder '''/var/opt/scalix/<instance>/s/rules/''':
+
sudo cp /opt/scalix/examples/general/omvscan.map /var/opt/scalix/<instance>/s/rules/
+
Now, change the ownership and the permission of the file '''/var/opt/scalix/<instance>/s/rules/omvscan.map''' by invoking these commands:
+
<pre>
+
sudo chown root:root /var/opt/scalix/<instance>/s/rules/omvscan.map
+
sudo chmod 555 /var/opt/scalix/<instance>/s/rules/omvscan.map
+
</pre>
+
  
 +
As soon as you receive the signed certificate continue with installing the certificate. If you're planning to use a self-signed certificate, continue with the next step.
  
== Start Clamav ==
+
=== Create self-signed certificate ===
 +
If you're willing to create a self-signed certificate using this CSR, please use the following command to sign the certificate:
 +
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  
First let's start the Clamav service and the freshclam (virus database updater), do so using the following commands:
+
If applicable it will ask you to enter the passphrase again. Next, your certificate will be created and it will be stored in the '''server.crt''' file.
  
<pre>
+
=== Install certificate ===
sudo /etc/init.d/clamav-daemon start
+
You should install the key file '''server.key''' and certificate file '''server.crt''' or the certificate file issued by your CA by running following commands:
sudo /etc/init.d/clamav-freshclam start
+
sudo cp server.crt /etc/ssl/certs
</pre>
+
sudo cp server.key /etc/ssl/private
  
  
== Restart Scalix and check the configuration ==
+
== Configure Apache SSL support ==
To check if Scalix and Clamav work together properly, let's turn up the audit logging level for the Scalix services and send a few test mails containing viruses. If everything is all right, reduce the logging level again and enjoy. Let's start:
+
As the the default Apache configuration on Ubuntu does not support SSL, you'll have to change the (default) Apache configuration file '''/etc/apache2/sites-available/default'''. Add the following lines to this file, in the ''VirtualHost'' section, under the ''DocumentRoot'' line:
  
Turn up the audit logging for service router to 13:
+
<pre>
sudo /opt/scalix/bin/omconfaud router 13
+
SSLEngine on
  
Turn up the debug logging for service router to 15:
+
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
sudo /opt/scalix/bin/omconflvl router 15
+
  
Restart the service router, first stop it:
+
SSLCertificateFile /etc/ssl/certs/server.crt
sudo /opt/scalix/bin/omoff -d 0 rtr
+
SSLCertificateKeyFile /etc/ssl/private/server.key
And next start it again:
+
sudo /opt/scalix/bin/omon rtr
+
 
+
Now check if the virus scanner works, send yourself a few mail messages containing some test viruses. You can find safe, innocent test viruses to be used with Clamav in the Clamav source tarball. This tarball can be found on the Clamav website ([http://freshmeat.net/redir/clamav/29355/url_tgz/clamav-0.92.tar.gz here]). After unpacking the '''clamav-0.92.tar.gz''' file, you can find the test viruses (named clam-v2.rar, clam-v3.rar, clam.cab, clam.exe, clam.exe.bz2 and clam.zip) in the test folder.
+
 
+
If everything works as expected, you should receive a message that your e-mail messages could not be delivered because it contains virus infected files. Further you should be able to find out what happened when looking into the '''/var/opt/scalix/s2/s/logs/omvscan.log''' log file. Please do so using:
+
tail -400 /var/opt/scalix/<instance>/s/logs/omvscan.log
+
 
+
This should show you some lines that look like those below:
+
<pre>
+
2008-02-03 23:21:00:PID=30089:############## start /var/opt/scalix/<instance>/s/tmp/clamav.log.30089
+
2008-02-03 23:21:00:PID=30089:/var/opt/scalix/<instance>/s/data/000001e/0001uqq: ClamAV-Test-File FOUND
+
2008-02-03 23:21:00:PID=30089:
+
2008-02-03 23:21:00:PID=30089:----------- SCAN SUMMARY -----------
+
2008-02-03 23:21:00:PID=30089:Infected files: 1
+
2008-02-03 23:21:00:PID=30089:Time: 0.026 sec (0 m 0 s)
+
2008-02-03 23:21:00:PID=30089:############## end /var/opt/scalix/<instance>/s/tmp/clamav.log.30089
+
 
</pre>
 
</pre>
  
Once you're sure that Clamav is working properly together with Scalix, you can reduce the log levels again.
 
  
Turn back the audit logging for service router to 7:  
+
== Restart Apache and check configuration ==
  sudo /opt/scalix/bin/omconfaud router 7
+
Afterwards restart apache using:
 +
  sudo /etc/init.d/apache2 restart
  
Turn back the debug logging for service router to 7:
+
If applicable, you should enter the passphrase when you start your secured web server.
sudo /opt/scalix/bin/omconflvl router 7
+
  
Restart the service router, first stop it:
+
Now check if no errors pop up. This can easily be done by the command:
  sudo /opt/scalix/bin/omoff -d 0 rtr
+
  tail -400 /var/log/apache2/error.log
And next start it again:
+
sudo /opt/scalix/bin/omon rtr
+
  
 
If there's something wrong, have a look at the log files and look for the exact error message and fix the problem. If everything is all right, then you're done: congratulations!
 
If there's something wrong, have a look at the log files and look for the exact error message and fix the problem. If everything is all right, then you're done: congratulations!
 +
 +
Now you should be able to reach the Scalix web applications over https:
 +
* SAC (Scalix Admin Console): https://server.mydomain.com/sac
 +
* SWA (Scalix Web Access): https://server.mydomain.com/webmail
 +
* SMWC (Scalix Mobile Web Client): https://server.mydomain.com/m
  
  
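Review bot: in the "Configure Apache SSL support" part of this hunk the four SSL directives are added to the VirtualHost in /etc/apache2/sites-available/default, which on Ubuntu 7.10 is the port 80 site, and nothing in the hunk makes Apache listen on 443; as written, the https://server.mydomain.com/... URLs at the end of the hunk will not be reachable and the existing plain-http site will start answering TLS on port 80. Suggest adding `Listen 443` to /etc/apache2/ports.conf and putting `SSLEngine on`, `SSLCertificateFile` and `SSLCertificateKeyFile` in a separate `<VirtualHost *:443>` block. Two smaller points: `sudo cp server.key /etc/ssl/private` in "Install certificate" should be followed by a `chmod 600` on the copied key, and `+FakeBasicAuth` in the SSLOptions line only matters for client-certificate authentication, which this how-to does not set up.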
Line 130: Line 98:
  
 
* http://www.scalix.com/wiki/index.php?title=Scalix_with_https
 
* http://www.scalix.com/wiki/index.php?title=Scalix_with_https
 +
* https://help.ubuntu.com/7.10/server/C/httpd.html
  
  

Latest revision as of 15:34, 4 February 2008

Important Note

Please note that these manual installation instructions should only be used on Ubuntu distributions, such as Ubuntu Gutsy Gibbon 7.10 server, the distribution the document was written for. If you install Scalix on an unsupported platform, this invalidates your ability to receive Scalix support. Thank you for your understanding and compliance.

This document might be inaccurate and under construction. Do not trust this document.


Configuring Scalix on https on Ubuntu 7.10 Server (Gutsy Gibbon)

As Ubuntu 7.10 is an unsupported platform, there is currently no manual describing the configuration of Clamav (an advanced anti-virus solution) to be used with Scalix. As I managed to get Scalix up and running and had already documented and shared this with the community (see http://www.scalix.com/wiki/index.php?title=Manual_Installation_Ubuntu_Gutsy), I thought it would be useful to share my experiences on making the Scalix web applications accessible via https as well.

So below you'll find a how-to that describes the configuration of Apache and Tomcat to make the Scalix web applications available via https on a Ubuntu 7.10 server.

Scalix comes with a few web applications, like SWA (Scalix Web Access, the web mail client), SAC (Scalix Administration Console, the administration panel) and SMWC (Scalix Mobile Web Client, the web client for smartphones, PDAs and other mobile devices). To make sure your connection to these applications is secure, you should make them accessible via https.

I used several sources of information on the web. I listed the ones I can remember at the end of the document under Sources.


Applicable Environments

These installation instructions have been tested with:

  • Scalix CE 11.3.0
  • Ubuntu 7.10 Server (Gutsy Gibbon)

They might not apply unmodified to any other version of Scalix or Ubuntu.


Enable mod_ssl for Apache

Apache2 comes with a module called mod_ssl, the SSL encryption module for the Apache web server. It makes it possible to secure the http traffic to and from Apache with SSL encryption. To activate this module, use this command:

sudo a2enmod ssl

Configure certificate

To set up your secured server, you'll have to use the public key cryptography method to create a public and private key pair. In most cases, you send your certificate request (including your public key), a proof of your (company's) identity, and (of course) a payment to a Certificate Authority (CA), like Verisign. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.

Alternatively, for example if you're using your server privately, you can create your own self-signed certificate. Note, however, that self-signed certificates are not automatically accepted by a user's browser: users are prompted by the browser to accept the certificate before the secure connection is created.

Once you have a self-signed certificate or a signed certificate from the CA of your choice, you need to install it on your secure server.

Generate Certificate Signing Request (CSR)

To generate the Certificate Signing Request (CSR), you first have to create your own key. Use the following command to create the key:

sudo openssl genrsa -des3 -out server.key 1024

Now you'll be asked to enter a passphrase twice. For best security, it should contain at least eight characters, include numbers and/or special characters, and not be based on a dictionary word. Remember that your passphrase is case-sensitive!

You can also run your SSL-secured web server without a passphrase. This is convenient because then you won't need to enter the passphrase every time you (re)start your secure web server. On the other hand it is less secure and therefore not recommended. To create the key without a passphrase, omit the -des3 parameter when creating it, like this:

sudo openssl genrsa -out server.key 1024

Now that you have created a key, you can create a CSR by running the following command:

sudo openssl req -new -key server.key -out server.csr

If applicable, it will ask you to enter the passphrase. Next, it will prompt you for the Company Name, Site Name, e-mail address, etc. Once you have entered all these details, your CSR will be created and stored in the server.csr file. If you want a CA-signed certificate, you can submit this CSR file to a CA for processing. The CA will use this CSR file to issue the certificate.

As soon as you receive the signed certificate continue with installing the certificate. If you're planning to use a self-signed certificate, continue with the next step.

Create self-signed certificate

If you want to create a self-signed certificate using this CSR, use the following command to sign it:

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

If applicable, it will ask you to enter the passphrase again. Next, your certificate will be created and stored in the server.crt file.

Install certificate

Install the key file server.key and the certificate file server.crt (or the certificate file issued by your CA) by running the following commands:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
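The key, CSR, self-signed certificate and install steps above, as an added shell script that is not part of the wiki page: it runs the same openssl commands non-interactively and then verifies the result, since a key/certificate mismatch or a readable private key are the two things that most often go wrong at this point. Assumptions: openssl and GNU stat are installed, the work directory (./tls-work) and the subject (server.mydomain.com) are placeholders, the key is 2048 bits rather than the page's 1024, and copying the files into /etc/ssl/certs and /etc/ssl/private stays as in the page.

```shell
#!/bin/sh
# Added example, not from the Scalix wiki page: run the key/CSR/self-signed
# certificate steps of the how-to non-interactively and verify the result.
# Assumptions: openssl and GNU stat are installed; $WORK and $SUBJ are
# placeholders; 2048-bit key (the page uses 1024, which is too short today).
set -eu

WORK="${1:-./tls-work}"                            # constructed work directory
SUBJ="/C=NL/O=Example Org/CN=server.mydomain.com"  # constructed subject

# Same three openssl commands as the page (passphrase-less variant),
# with -subj instead of the interactive prompts.
make_self_signed() {
    mkdir -p "$WORK"
    umask 077   # server.key must never be group/world readable
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "$SUBJ" \
        -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# 0 when the certificate carries the public half of server.key; on a
# mismatch Apache refuses to start ("key values mismatch" in error.log).
cert_matches_key() {
    key_pub=$(openssl rsa -in "$WORK/server.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout)
    [ "$key_pub" = "$crt_pub" ]
}

# 0 when issuer equals subject, i.e. the certificate is self-signed and
# the browser prompt described on the page is to be expected.
cert_is_self_signed() {
    iss=$(openssl x509 -in "$WORK/server.crt" -noout -issuer)
    sub=$(openssl x509 -in "$WORK/server.crt" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ]
}

# 0 when the certificate's CN is the host name users will type ($1).
cert_cn_is() {
    openssl x509 -in "$WORK/server.crt" -noout -subject | grep -q "CN *= *$1"
}

# 0 when the certificate does not expire within $1 days (renewal check).
cert_valid_for_days() {
    openssl x509 -in "$WORK/server.crt" -noout \
        -checkend $(( $1 * 86400 )) >/dev/null
}

# 0 when only the owner can read the private key.
key_is_private() {
    [ "$(stat -c %a "$WORK/server.key")" = "600" ]
}

make_self_signed
cert_matches_key && cert_is_self_signed && key_is_private \
    && echo "server.key/server.crt in $WORK are consistent"
```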


Configure Apache SSL support

As the default Apache configuration on Ubuntu does not support SSL, you'll have to change the (default) Apache configuration file /etc/apache2/sites-available/default. Add the following lines to this file, in the VirtualHost section, under the DocumentRoot line:

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key


Restart Apache and check configuration

Afterwards, restart Apache using:

sudo /etc/init.d/apache2 restart

If applicable, you'll be asked for the passphrase when you start your secured web server.

Now check that no errors have popped up. This is easily done with the command:

tail -400 /var/log/apache2/error.log

If there's something wrong, have a look at the log files and look for the exact error message and fix the problem. If everything is all right, then you're done: congratulations!

Now you should be able to reach the Scalix web applications over https:

  • SAC (Scalix Admin Console): https://server.mydomain.com/sac
  • SWA (Scalix Web Access): https://server.mydomain.com/webmail
  • SMWC (Scalix Mobile Web Client): https://server.mydomain.com/m


Sources

  • http://www.scalix.com/wiki/index.php?title=Scalix_with_https
  • https://help.ubuntu.com/7.10/server/C/httpd.html


The author

The origin for this document was written by Max Wiertz. As a Scalix newbie, I invested a lot of work in getting Scalix together with https to work for me on Ubuntu. I felt like sharing this with all of you, so you can probably take advantage of it.

If you have any questions, remarks, comments or suggestions regarding this document, do not hesitate to contact me by e-mail: mailto:max_DOT_wiertz_AT_gmail_DOT_com.