Securing Zarafa WebAccess with SSL
From Zarafa wiki
The following steps will guide you through the process of creating a self-signed certificate in order to secure Zarafa WebAccess.
Users connecting to a WebAccess site that uses a self-signed certificate will see a browser warning, because the certificate is not issued by an authority their browser trusts. If you do not want your users to receive that warning, follow the how-to on requesting a certificate from a reseller instead.
Generating the certificate
Note: Make sure you are logged in to the server as the root user while following this how-to, for example with the command sudo su.
Note: This how-to was written for Ubuntu 10.04; on another distribution the paths will likely be different.
Creating the directory to hold the certificate files.
# mkdir /etc/apache2/certs
# chmod 700 /etc/apache2/certs
# cd /etc/apache2/certs
Generating the private key and the Certificate Signing Request (CSR).
Run the following command and answer the questions as prompted:
# openssl req -nodes -newkey rsa:2048 -keyout zarafa-ssl.key -out zarafa-ssl.csr
This creates two files in one go: zarafa-ssl.key holds the new 2048-bit RSA private key, and zarafa-ssl.csr holds the CSR derived from it. Because of -nodes the key is stored unencrypted, which is why the certs directory was made readable by root only; never disclose this file to anyone. Also back up the private key: there is no way to recover it if it is lost, and the certificate is useless without it.
You will now be asked for the details that go into the CSR. Together they form the certificate's Distinguished Name (DN). Some fields offer a default value in brackets; entering '.' leaves a field blank.
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: secure.domain.com
Email Address []:
Use the fully qualified domain name of the web server as Common Name (CN), that is the hostname with the domain appended (secure.domain.com, not just secure). Browsers compare this name with the hostname in the URL, and a mismatch produces a certificate warning.
The email address, optional company name and challenge password can be left blank for a web server certificate.
When ordering a certificate from a reseller you need the contents of the CSR file, zarafa-ssl.csr, not the key:
# cat /etc/apache2/certs/zarafa-ssl.csr
Paste the contents of the file (including the BEGIN and END CERTIFICATE REQUEST lines) into the order form on the website you are ordering from. The zarafa-ssl.key file stays on the server: a certificate authority never needs the private key, and anyone who obtains it can impersonate your server.
After receiving the certificate, follow the instructions given by your certificate reseller.
Self-signing the certificate
Skip this step if you are purchasing a certificate.
# openssl x509 -req -in zarafa-ssl.csr -signkey zarafa-ssl.key -out zarafa-ssl.crt -days 9999
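The commands above can be scripted and checked before anything is installed into Apache. The following shell script is an added example, not part of the Zarafa wiki how-to: it runs the same openssl steps non-interactively with the DN from the prompt answers above, adds a subjectAltName (current browsers ignore the CN and require the hostname in the SAN), and then verifies that the private key belongs to the certificate, that the certificate names the host, and that the key file is readable only by its owner. The directory argument and the hostname secure.domain.com are placeholders.

```shell
#!/bin/sh
# Added example (not from the Zarafa wiki): generate key, CSR and self-signed
# certificate non-interactively, then check the files before installing them.
# The directory and the hostname secure.domain.com are placeholders.

# make_selfsigned DIR HOSTNAME: the openssl steps of the how-to, with the DN
# given on the command line and a subjectAltName added via -extfile because
# current browsers validate the hostname against the SAN, not the CN.
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl req -nodes -newkey rsa:2048 -keyout "$dir/zarafa-ssl.key" \
        -out "$dir/zarafa-ssl.csr" \
        -subj "/C=GB/ST=Yorks/L=York/O=MyCompany Ltd/OU=IT/CN=$host" 2>/dev/null
    # -nodes leaves the key unencrypted, so restrict it to its owner (root).
    chmod 600 "$dir/zarafa-ssl.key"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/zarafa-ssl.csr" -signkey "$dir/zarafa-ssl.key" \
        -out "$dir/zarafa-ssl.crt" -days 9999 -extfile "$dir/san.ext" 2>/dev/null
}

# key_matches_cert KEY CRT: an RSA private key belongs to a certificate when
# both carry the same modulus. A mismatch makes Apache refuse to start.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus) || return 1
    [ "$k" = "$c" ]
}

# cert_has_san CRT HOSTNAME: the certificate lists the host as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_private KEY: only the owner may read or write the private key.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage (paths as in the how-to; run as root):
#   make_selfsigned /etc/apache2/certs secure.domain.com
#   key_matches_cert /etc/apache2/certs/zarafa-ssl.key /etc/apache2/certs/zarafa-ssl.crt
```

Run key_matches_cert against the files you receive from a reseller as well: Apache refuses to start when SSLCertificateFile and SSLCertificateKeyFile do not belong together, and the modulus check catches that before the reload.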
Installing the certificate on Apache2 webserver
Enabling SSL Support
# a2enmod ssl
Enabling Zarafa WebAccess SSL
# vi /etc/apache2/sites-available/zarafa-webaccess
At the bottom of the file add:
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/certs/zarafa-ssl.crt
    SSLCertificateKeyFile /etc/apache2/certs/zarafa-ssl.key
</VirtualHost>
Reload apache in order to apply the changes
# /etc/init.d/apache2 reload
Note: At this point WebAccess can be reached over both http and https; secure connections are not forced, so a user who types the plain http address still sends the login over an unencrypted connection.
Continue reading to force https-only access.
Opening firewall ports
Remember to open port 443 on your router/firewall and direct it to your Zarafa server
Forcing HTTP connections to HTTPS
It is good practice to force users to access services such as webmail over https, so that credentials and mail content are encrypted between the browser and the server.
Enable the mod_rewrite module
# a2enmod rewrite
Edit the zarafa-webaccess apache2 configuration file (create a backup of the original first). This is the same file as above; on Ubuntu, sites-enabled only holds a symlink to it.
# vi /etc/apache2/sites-available/zarafa-webaccess
Add the following rules inside the <Directory></Directory> section, so that it ends like this. Change secure.domain.com to your own hostname; R issues the external redirect and L stops further rule processing for the request.
...
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://secure.domain.com/webaccess/ [R,L]
</Directory>
Finally reload apache.
# /etc/init.d/apache2 reload
Test the redirect:
Navigate to http://yourserver/webaccess; the browser should automatically be redirected to https://yourserver/webaccess and present the certificate you installed (a self-signed certificate still produces a browser warning the first time).
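The redirect can also be checked from the command line rather than by eye in the browser. The following function is an added example, not from the Zarafa wiki: it reads the raw response headers that curl -I prints and accepts only a 30x status whose Location header points at an https:// URL, which is the condition the rewrite rules above must produce for every plain-http request. The hostname is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Zarafa wiki): verify that plain-HTTP requests to
# WebAccess are answered with a redirect to HTTPS. redirect_ok reads raw HTTP
# response headers on stdin and returns 0 only when the status is a redirect
# (301/302/307/308) and the Location header is an https:// URL.
redirect_ok() {
    # Strip the CRLF line endings that curl passes through.
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage against the live server (hostname is a placeholder):
#   curl -sI http://secure.domain.com/webaccess/ | redirect_ok && echo "redirect OK"
```

A 200 response here means the rewrite rules are not being applied (mod_rewrite not enabled, or the rules placed outside the section Apache uses for /webaccess); a Location that still starts with http:// means the target URL in the RewriteRule is wrong.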