Securing Zarafa WebAccess with SSL

From Zarafa wiki


The following steps will guide you through the process of creating a self-signed certificate in order to secure Zarafa WebAccess.

If users will access WebAccess and you do not want their browsers to warn about a self-signed certificate, follow the how-to on requesting a certificate from a reseller instead.


Generating the certificate

Note: Please make sure that you are logged in to the server as the root user while following this how-to. You can do this using the command: "sudo su" without quotes.

Note: This how-to has been written for Ubuntu 10.04; if you use another distribution, keep in mind that the paths will likely differ.

Creating the directory to hold the certificate files.

# mkdir /etc/apache2/certs
# chmod 700 /etc/apache2/certs
# cd /etc/apache2/certs

Generating the key and the certificate request.

The following command creates the private key and the Certificate Signing Request (CSR) in one go. Follow the wizard and answer the questions as prompted.

# openssl req -nodes -newkey rsa:2048 -keyout zarafa-ssl.key -out zarafa-ssl.csr

This creates two files: zarafa-ssl.key, the private key, and zarafa-ssl.csr, the Certificate Signing Request (CSR) that was signed with that key. Do not disclose the private key to anyone. Because of the -nodes option the key is stored unencrypted so that Apache can start without a passphrase, so the file permissions on /etc/apache2/certs are its only protection.

In particular, be sure to back up the private key, as there is no means to recover it should it be lost.

You will now be asked for the details that go into your CSR.

What you are about to enter is called a Distinguished Name, or DN.

Some fields have a default value; if you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: secure.domain.com
Email Address []:

Use the name of the webserver as the Common Name (CN). This must be the fully qualified domain name that users will type in their browser (for example secure.domain.com), not just the bare domain name domain.com; otherwise the browser will report a name mismatch.

The fields email address, optional company name and challenge password can be left blank for a webserver certificate.

When ordering a certificate, you will need the contents of the zarafa-ssl.csr file. Only the CSR leaves the server; the private key zarafa-ssl.key stays where it is and must never be pasted anywhere.

# cat /etc/apache2/certs/zarafa-ssl.csr

Paste the contents of the file into the order form on the website you are ordering from.

After receiving the certificate, follow the instructions given by your certificate reseller.

Self-signing the certificate

Skip this step if you are purchasing a certificate.

# openssl x509 -req -in zarafa-ssl.csr -signkey zarafa-ssl.key -out zarafa-ssl.crt -days 9999

Installing the certificate on Apache2 webserver

Enabling SSL Support

# a2enmod ssl

Enabling Zarafa WebAccess SSL

# vi /etc/apache2/sites-available/zarafa-webaccess

At the bottom of the file add:

<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/certs/zarafa-ssl.crt
SSLCertificateKeyFile /etc/apache2/certs/zarafa-ssl.key
</VirtualHost>

Reload apache in order to apply the changes.

# /etc/init.d/apache2 reload

Note: At this point WebAccess can be reached over both http and https. Secure connections are not forced yet!

Continue reading to force https-only access.

Opening firewall ports

Remember to open port 443 on your router/firewall and forward it to your Zarafa server.

Forcing HTTP connections to HTTPS

It's always good to force users to access things like webmail via https. This ensures all information between the user and the server is encrypted.

1. Enable the mod_rewrite module

# a2enmod rewrite

2. Edit the zarafa-webaccess apache2 configuration file (create a backup of the original first)

# vi /etc/apache2/sites-enabled/zarafa-webaccess

Add the following rules within the <Directory></Directory> block, so that the end of the block looks like this.

Of course, change secure.domain.com to your own domain (the same name you used as Common Name in the certificate).

...

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://secure.domain.com/webaccess/ [R]
</Directory>

Finally reload apache.

# /etc/init.d/apache2 reload

Test your login:

Navigate to http://yourserver/webaccess and it should automatically redirect you to https://yourserver/webaccess
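To check the whole setup above from the command line rather than by eye, here is an added post-install check script; it is not part of the Zarafa wiki page. It assumes the /etc/apache2/certs paths from this how-to, GNU stat (Ubuntu), openssl and curl, and takes the server's host name as its only argument.

```shell
# Post-install checks for the WebAccess SSL setup. Added example, not from the wiki.
# Assumes the paths used in the how-to above, GNU stat (Ubuntu), openssl and curl.
CERT_DIR=${CERT_DIR:-/etc/apache2/certs}

# The key was written unencrypted (-nodes), so its file mode is the only protection:
# accept 600 or 400 for the owner and no access at all for group/other.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Certificate and key belong together only if they carry the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Extract the Common Name so it can be compared with the host users type in.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# A Location header is acceptable only if it points at https:// on the expected
# host; a lookalike such as secure.domain.com.evil does not match "host/".
redirect_ok() {
    case "$1" in
        "https://$2/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check of the RewriteRule: request the plain-http URL and inspect where
# Apache sends us (needs network reachability to the server).
live_redirect_ok() {
    loc=$(curl -s -o /dev/null -w '%{redirect_url}' "http://$1/webaccess/") || return 1
    redirect_ok "$loc" "$1"
}

# Usage: sh check-webaccess-ssl.sh secure.domain.com
if [ $# -eq 1 ]; then
    key_perms_ok "$CERT_DIR/zarafa-ssl.key" || echo "FAIL: key must be mode 600"
    cert_matches_key "$CERT_DIR/zarafa-ssl.crt" "$CERT_DIR/zarafa-ssl.key" \
        || echo "FAIL: certificate does not match the private key"
    [ "$(cert_cn "$CERT_DIR/zarafa-ssl.crt")" = "$1" ] || echo "FAIL: CN is not $1"
    live_redirect_ok "$1" || echo "FAIL: http://$1/webaccess/ does not redirect to https"
fi
```

Run it as root on the Zarafa server after the final apache reload; every FAIL line names the step of the how-to that needs revisiting.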
