msgbartop
MAC OS X, Linux, Windows and other IT Tips and Tricks
msgbarbottom

09 Mar 16 Testing SSL Connections with SSLyze, Nmap or OpenSSL

Introduction:
OpenSSL is a great tool to check SSL connections to servers. The difficulty here is when one want a full scan of all possible SSL Cyphers and protocols used by a server. That is where SSLyze comes in handy. This tool is a Python script which will scan the target host/port for SSL handshake and report what works/support and what not. Unfortunately this lovely tool is not included in the Ubuntu/Debian distributions, and this is where this post comes handy.

IMPORTANT: Besides executing all the tests below one thing very important (as noted in the This link) is to upgrade OpenSSL to the latest version as follows:
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

SSLyze

Installing the dependencies and tool
cd /root/bin
wget https://github.com/nabla-c0d3/sslyze/archive/0.13.4.tar.gz
tar fvxz 0.13.4.tar.gz
apt-get install python-pip python-dev
pip install nassl

Using SSLyze
python /root/bin/sslyze-0.13.4/sslyze_cli.py --regular www.itmatrix.eu:443

NMAP

Scanning the full server for weaknesses including weak SSL Versions using NMAP.
Note: This operation can take a long time to execute.
apt-get install nmap
nmap -sV -sC www.itmatrix.eu

OR better(for checking the HTTPS,SMTPS,IMAPS,POP3S)
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.itmatrix.eu

OpenSSL

Checking the SSL connection with OpenSSL
echo 'q' | openssl s_client -host www.itmatrix.eu -port 443
Note: In this above case since the SSLv2 support is normally disabled for OpenSSL in Debian/Ubuntu distributions, you will not be able to see if the server is supporting it. To overcome this and enable SSLv2 support(for your testing Linux) then follow the instructions in this site:
http://www.hackwhackandsmack.com/?p=46

NOTE:
For more information regarding protection against DROWN(SSLv2) or POODLE(SSLv3) attacks see:
https://drownattack.com
http://www.softwaresecured.com/2016/03/01/how-to-confirm-whether-you-are-vulnerable-to-the-drown-attack/
http://www.mogilowski.net/lang/de-de/2014/10/23/disabling-sslv3-for-poodle-on-debian/
https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29
https://zmap.io/sslv3/

20 Jan 14 Creating a XEN machine and Installing Group Office in Debian Wheezy

Introduction

In this Tutorial I will explain the steps I did to create a Xen Virtual Machine with minimal packages and then install the latest Group Office Web based Collaboration software. You’ll need to be fluent in Linux and Xen because I don’t explain much here.

Note: My hypervisor is Xen 4.0 in Debian Squeeze with xen-utils-4.0 package installed. I also use fictive domain(myserver.com) names and IP addresses just as example.

Creating the Xen Virtual Machine

This virtual machine will be created with the xen tools which bootstraps the creation of the VM.
Bootstrapping:
mkdir -p /virtual/xen/
cd /virtual/xen/
xen-create-image --dir=. --dist=wheezy --hostname=mail.myserver.com --size=20Gb --swap=2048Mb --ip=87.176.102.167 --gateway=87.176.102.254 --netmask=255.255.255.0 --memory=4096Mb --arch=amd64 --role=udev

Install the kernel and pyGrub
– Put the produced disk.img and swap.img in the proper path.
eg. in /virtual/xen/MAIL/
Mount the disk image in loop
mkdir /mnt/MAIL
mount /virtual/xen/MAIL/disk.img /mnt/MAIL -o loop,rw

Mount /sys, /proc, /dev and chroot to it
mount /proc /mnt/MAIL/proc -o bind
mount /sys /mnt/MAIL/sys -o bind
mount /dev /mnt/MAIL/dev -o bind
chroot /mnt/MAIL

Install the grub-legacy in VM
apt-get update
apt-get install grub-legacy linux-image-3.2.0-4-amd64 mc
mkdir /boot/grub
mcedit /boot/grub/menu.lst
CONTENT:
#----------------
default 0
timeout 2
#
title Debian GNU/Linux
root (hd0,0)
kernel /vmlinuz root=/dev/xvda1 ro
initrd /initrd.img
#
title Debian GNU/Linux (recovery mode)
root (hd0,0)
kernel /vmlinuz root=/dev/xvda1 ro single
initrd /initrd.img
#-------------

Leave chroot and unmount all.
exit
umount /mnt/MAIL/dev
umount /mnt/MAIL/sys
umount /mnt/MAIL/proc
umount /mnt/MAIL/

Adjust the VM xen configuration(/etc/xen/mail.server.com.cfg) as follows:
Replace the older kernel and initrd lines in the Xen DOMu configuration file as follows:
Example:
REPLACE:
kernel = '/boot/vmlinuz-2.6.32-5-xen-amd64'
ramdisk = '/boot/initrd.img-2.6.32-5-xen-amd64'
WITH:
bootloader = '/usr/lib/xen-default/bin/pygrub'

Adjust the paths of the disks properly:
Example:
disk = [
'file:/virtual/xen/MAIL/disk.img,xvda2,w',
'file:/virtual/xen/MAIL/disk.swp,xvda1,w',
]

Test the pyGRUB configuration with the VM disk
Note: A GRUB menu should appear for a few seconds and then disappear with an error message. Ignore the error message. Most important is that the Grub menu appears.
/usr/lib/xen-default/bin/pygrub /virtual/xen/MAIL/disk.img
Start the VM
The Grub menu should appear and start booting.
xm create /etc/xen/mail.server.com.cfg -c

Installing Group-Office


Login as root and configure APT with the Group Office repositories
(REF: https://www.group-office.com/wiki/Installing_on_Debian_or_Ubuntu)
apt-get update, apt-get upgrade
echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ fivezero main" | tee -a /etc/apt/sources.list
gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44
gpg --export --armor 01F1AE44 | apt-key add -
apt-get update

Install Group Office
apt-get install groupoffice-mailserver postfix postfix-mysql dovecot-mysql dovecot-managesieved dovecot-sieve dovecot-lmtpd rsync mc
– Setting root password to MySQL server.
– Setting the domain name.

Note from Group Office before start of installation.
After installation is completed launch your browser and go to http://localhost/groupoffice/
or replace localhost with the hostname / IP of this machine.
The default login is username: admin and password: admin.
Enjoy Group-Office!

Setting root password to MySQL server:
Setting MySQL password of user:groupoffice-com DB groupofficecom :

Now some undesired installation features messages will appear:

[FAIL] Clamav signatures not found in /var/lib/clamav ... failed!
[FAIL] Please retrieve them using freshclam ... failed!
[FAIL] Then run '/etc/init.d/clamav-daemon start' ... failed!

To fix that:
apt-get -f install
freshclam
/etc/init.d/clamav-daemon start

All looking good now,
In Browser, try to login with your ‘admin’ password at:
http://mail.myserver.com/groupoffice

HINT about domains:
If you configure more domains in the admin web interface under ‘Email Domains’ menu item and try to create new users, only the original domain is offered to select as possible mailboxes for the new users. The newly configured domains are not listed. To remedy to that, you need to enter all of the domains this system may use into both GroupOffice and Amavis the configuration file:
IN /etc/groupoffice/config.php
$config['serverclient_domains']='domain1.com,domain2.com';

IN /etc/amavis/conf.d/05-domain_id
@local_domains_acl = ( ".$mydomain" , "domain1.com", "domain2.com")

Recommendation:
In order to raise your mail server’s general acceptance from large mailing servers like AOL, GMX, Yahoo, etc. it is recommended to:
– Configure your domain in DNS concerning the SPF1 and SPF2
– Configure in your mail server and DNS to send DKIM token.
See DKIM installation at: http://tipstricks.itmatrix.eu/?p=1494 for DKIM installation.
– Configure Postfix to use RBL SPAM filtering(see instructions below)

SPAM Reduction


This server is already providing some anti-spam protection but in some cases extra filter might need to be installed.

Add some more RBL SPAM Filtering

Note: In my mail server, almost every day about 800 to 2000 Spams are blocked using the RBL filtering method. So I do recommend it since its also quite simple as well.
Edit your Postfix main configuration file /etc/postfix/main.cf and replace the existing configuration with the following one. It contains the same configuration as the original except it adds to the list of RBL servers.
Postfix RBL settings:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_rhsbl_sender dsn.fc-ignorant.org,
check_recipient_access hash:/etc/postfix/spam_rec_addr,
check_client_access hash:/etc/postfix/rbl_whitelist,
reject_rbl_client abuse.rfc-ignorant.org,
reject_rbl_client blackholes.brainerd.net,
reject_rbl_client bl.deadbeef.com,
reject_rbl_client dnsbl.antispam.or.id,
reject_rbl_client korea.services.net,
reject_rbl_client l1.spews.dnsbl.sorbs.net,
reject_rbl_client l2.spews.dnsbl.sorbs.net,
reject_rbl_client postmaster.rfc-ignorant.org,
reject_rbl_client query.bondedsender.org,
reject_rbl_client relays.bl.kundenserver.de,
reject_rbl_client relays.nether.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client spamguard.leadmon.net,
reject_rbl_client tr.countries.nerd.dk,
reject_rbl_client unsure.nether.net,
reject_rbl_client whois.rfc-ignorant.org,
reject_rbl_client l1.bbfh.ext.sorbs.net,
reject_rbl_client l2.bbfh.ext.sorbs.net,
reject_rbl_client psbl.surriel.com,
reject_rbl_client b.barracudacentral.org,
reject_rbl_client cbl.abuseat.org,
permit

# Allows to add a SPAM blacklist if needed (/etc/postfix/spam_addr)
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_non_fqdn_sender,
check_sender_access hash:/etc/postfix/spam_addr
permit

# Allows to set regex rules to refuse certain know SPAM content in (/etc/postfix/spam_body_regex)
body_checks = regexp:/etc/postfix/spam_body_regex

Raising server delivery acceptance rate with DKIM

Ref: See instruction in http://tipstricks.itmatrix.eu/?p=1494

Raising security with TLS mail delivery

Ref: http://tipstricks.itmatrix.eu/?p=855
This feature allows postfix to send emails to remote mail servers using TLS encryption if the remote email server does support TLS transport otherwise clear text as usual.

Edit the file: /etc/postfix/main.cf and at the end enter the following:
smtp_tls_security_level = may

OPTIONAL: Enable DKIM verification in Amavis

This verification will warn you if a mail has been received which failed the DKIM verification.
Edit the file /etc/amavis/conf.d/60-groupoffice_defaults
Add the following line:
# Activating warnings for failed DKIM checked emails
$enable_dkim_verification = 1;

OPTIONAL: Enable the addition of ‘*****SPAM*****’ in header of suspicious emails.

Edit the file: /etc/amavis/conf.d/60-groupoffice_defaults
Add the following line:
$sa_spam_subject_tag = '***SPAM*** ';
You can then use this extra Subject tag to filter your mails and send them automatically in another directory like in ‘Spam’ directory.

OPTIONAL: Enable the Bayes Spam and Ham learning


For this we need to feed Spamassassin some Spam(Bad) and Ham(good) emails.
In this above configuration file the path of the files where Spamassassin learns is set to /home/spamd which doesn’t exist.
I don’t quite know how SA will discern the difference between Ham and spam So I’m doing it another way.
In order to feed it some spam mails each user should contribute to it as follows:
– The users create two new mail folder called exactly ‘Spam’ and ‘Ok’
– Then each time the user receives a definite SPAM email that is NOT tagged *****SPAM*****, he drops the email into his ‘Spam’ folder and forget about it.
– Each time he sees that a good mail has been erroneously tagged *****SPAM***** he drops a COPY a copy of the email into his ‘Ok’ folder and forgets about it.
The following configurations will ensure the following:
– The emails gathered in user’s ‘Spam’ and ‘Ok’ directories will be harvested by a cron job and be added automatically to /home/SA/spam(BAD) or /home/SA/ham(Good) directories respectively for sa-learn to learn from them.

We will create the directories and assign full access to the user ‘spamd’
mkdir -p /home/SA/spam
mkdir -p /home/SA/ham
chown spamd: /home/SA/spam /home/SA/ham

– SpamAssassin will regularly learn from it and offer a continuous increasing accuracy in detecting spams.
System cron job to harvest each day the user’s Spam mails and feed SA learning directory:
0 0 * * * /root/bin/SA-learn.sh

Creating the script:
touch /root/bin/SA-Learn.sh
chmod 755 /root/bin/SA-Learn.sh
Content of script /root/bin/SA-Learn.sh
#!/bin/bash
# make sure the lock file can be written in /home/spamd/
mkdir -p /home/spamd
chown -R spamd: /home/spamd
#
# Purpose: Feeds SA to learn the SPAM emails and GOOD emails
# Harvest the SPAM emails from users and deposit them in spam directory
for spamdir in $(find /home/vmail/ -type d -name '.Spam') ; do rsync -au $spamdir/cur/ /home/SA/spam/; done
#
# Harvest the HAM emails from users and deposit them in ham directory
for hamdir in $(find /home/vmail/ -type d -name '.Ham') ; do rsync -au $hamdir/cur/ /home/SA/ham/; done
#
# Now tell SA to learn from them
/usr/bin/sa-learn --spam -u spamd --dir /home/SA/spam/* -D
/usr/bin/sa-learn --ham -u spamd --dir /home/SA/ham/* -D
#
# Then deleted the mails it learned from to prevent relearning the same thing and accumulating old mails
rm -r /home/SA/spam/* /home/SA/ham/*
# We let the users delete their own spam and ham mails.
# eof

IMPORTANT: In order for the spam filtering/Dovecot sieve to work you have to make sure that the following line is disabled or not present in /etc/postfix/main.cf
#transport_maps = proxy:mysql:/etc/postfix/mysql_virtual_transports.cf
If present and enabled this above line overwrites the setting of transport agent and prevents postfix from using ‘dovecot’ as local transport by using ‘virtual’ instead. It’s been fixed in the GroupOffice version 5.0.44.

Enabling DNS White List (DNSWL) in Postfix


Resources: http://www.dnswl.org
DNSWL.org provides a Whitelist of known legitimate email servers to reduce the chances of false positives while spam filtering. To enable it edit the file /etc/postfix/main.cf and add the following line right before the postgrey line as follows:
smtpd_recipient_restrictions =
......
permit_dnswl_client list.dnswl.org,
(postgrey line below)
check_policy_service inet:127.0.0.1:10023,
permit

OPTIONAL:
To force using TLS for delivering to selected destinations and fail sending the mail if the destination server doesn’t support it.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
Content of /etc/postfix/tls_policy
example.com encrypt
.example.com encrypt

Hash the list:
postmap /etc/postfix/tls_policy

Allowing roaming SMTP use with SASL authentication

NOTE: Because the users’ credentials are stored in GroupOffice MySQL database we need to do the special authentication chain via dovecot which is configured to read Group Office database and its users data:
Configure SASL authentication
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_type = dovecot'
postconf -e 'smtpd_sasl_path = private/auth'

Edit the file /etc/dovecot/conf.d/10-master.conf and enter inside the section ‘service auth {‘ insert the following lines as follows:

# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}

PROBLEM: After I upgraded GroupOffice to version 5.0.55 I was no more capable to login my mail accounts.
See solution in http://www.dovecot.org/list/dovecot/2012-June/066444.html
The /var/log/mail.log said:
..... inbox=yes namespace missing
The solution is:
Edit the file /etc/dovecot/conf.d/15-mailboxes.conf and right under the line:
namespace inbox {
Insert the line
inbox=yes

Raising the SMTP security with TLS encryption

This generates a self-signed certificate. It is strongly recommended to buy a proper CA signed certificate for that purpose especially if your mail clients are not very computer literates. The security warning messages appearing in their mail clients because of self-signed certificates might scare them and lose trust in your service.
Generating the self-signed certificate:
mkdir -p /etc/ssl/mailserver/
cd /etc/ssl/mailserver/
openssl genrsa 1024 > mail-key.pem
chmod 400 mail-key.pem
openssl req -new -x509 -nodes -sha1 -days 365 -key mail-key.pem > mail-cert.pem

Enter the information required for the self signed certificate.
IMPORTANT: Enter your host name when ‘Common Name’ is asked.
Configuring postfix for TLS
Run the commands:
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/mailserver/mail-cert.pem'
postconf -e 'smtpd_tls_key_file = /etc/ssl/mailserver/mail-key.pem'
postconf -e 'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache'
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_tls_loglevel = 0'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e '#smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem'

IMPORTANT NOTE: The intermediate CA and Key of certificate MUST be included in the certificate file (CRT) if you dont specify it in smtpd_tls_CAfile and smtpd_tls_key_file.

You must also make sure the “permit_sasl_authenticated” is present in the “smtpd_recipient_restrictions” configuration option. Edit this option in /etc/postfix/main.cf and add it right after “permit_mynetworks”.

Edit the file /etc/postfix/master.cf and add the following lines:
# Added to allow postfix to also listen to port 587(submission) well as port 465(smtps)
587 inet n - - - - smtpd
465 inet n - - - - smtpd

Adding extra postfix server security


Recommendation for better security by OpenVAS
postconf -e 'disable_vrfy_command=yes'

Restart postfix and dovecot

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

APACHE2 Configuration

Configuring Redirection of ALL HTTP requests to HTTPS

Commands:
a2enmod ssl rewrite
a2ensite default-ssl

Edit the file: /etc/apache2/sites-available/default-ssl
and add the following lines at the very end after </IfModule>.
# Redirecting all HTTP to HTTPs
<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</IfModule>
</IfModule>

Edit the file: /etc/apache2/sites-available/default
and add the following lines after LogLevel warn.
# Redirecting all HTTP to HTTPs
<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</IfModule>
</IfModule>

Installing separate WebMail Interfaces

Configuration of RoundCube and Apache

Install Roundcube WebMail interface
apt-get install roundcube roundcube-plugins roundcube-plugins-extra
Prepare configuration for Roundcube and Apache
Edit file: /etc/roundcube/apache.conf
Uncomment the following 2 lines as follows:
Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
Alias /roundcube /var/lib/roundcube

Configuration of Squirrelmail and Apache

Installing Squirrelmail WebMail interface
apt-get install squirrelmail squirrelmail-decode
ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail

Optional:
For changing configuration of squirrelmail, run the command:
/usr/sbin/squirrelmail-configure

ADD authentication security to admin sites

Edit the file /etc/apache2/sites-available/default-ssl
and add the following lines at the very end:
# Authentication for private areas
<LocationMatch (/awstats|/awstats-icon|/mailgraph|/queuegraph|/phpmyadmin)>
AuthName "Private Area"
AuthType Basic
AuthUserFile /etc/apache2/web.auth
Require valid-user
</LocationMatch>

Run:
touch /etc/apache2/web.auth
For each admin user you need to create a password with this command
htpasswd /etc/apache2/web.auth <username>

Installing AWSTATS, MAILGRAPH and QUEUEGRAPH for Mail stats

As default Awstats creates a full new report at: 03:10 Hrs each day
it also refreshes the data every 10 minutes.

Installation:
apt-get install awstats mailgraph queuegraph
chown www-data. /var/lib/awstats
chmod o+r /var/log/mail.log

Edit /etc/awstats/awstats.local
Add the following lines:
# You can overrides config directives here.
# This is particularly useful for users with several configs for
# different virtual servers, who want to reuse common parameters.
# Also, this file is not updated with each new upstream release.
LogFile="perl /usr/share/doc/awstats/examples/maillogconvert.pl standard < /var/log/mail.log |"
LogType=M
LogFormat="%time2 %email %email_r %host %host_r %method %url %code %bytesd"
LevelForBrowsersDetection=0
LevelForOSDetection=0
LevelForRefererAnalyze=0
LevelForRobotsDetection=0
LevelForWormsDetection=0
LevelForSearchEnginesDetection=0
LevelForFileTypesDetection=0
ShowMenu=1
ShowSummary=HB
ShowMonthStats=HB
ShowDaysOfMonthStats=HB
ShowDaysOfWeekStats=HB
ShowHoursStats=HB
ShowDomainsStats=0
ShowHostsStats=HBL
ShowAuthenticatedUsers=0
ShowRobotsStats=0
ShowEMailSenders=HBML
ShowEMailReceivers=HBML
ShowSessionsStats=0
ShowPagesStats=0
ShowFileTypesStats=0
ShowFileSizesStats=0
ShowBrowsersStats=0
ShowOSStats=0
ShowOriginStats=0
ShowKeyphrasesStats=0
ShowKeywordsStats=0
ShowMiscStats=0
ShowHTTPErrorsStats=0
ShowSMTPErrorsStats=1
SiteDomain=mail.myserver.com
LoadPlugin="geoipfree"

Create the a Apache configuration file: /etc/apache2/conf.d/awstats
and add this following content:
# Configuration for email-AWSTATS, MAILGRAPH and QUEUEGRAPH
Alias /awstats /usr/lib/cgi-bin/
Alias /awstats-icon/ /usr/share/awstats/icon/
Alias /mailgraph /usr/lib/cgi-bin/mailgraph.cgi
Alias /queuegraph /usr/lib/cgi-bin/queuegraph.cgi
Alias /queuegraph.cgi /usr/lib/cgi-bin/queuegraph.cgi
#
<Directory /usr/lib/cgi-bin/>
Options +execCGI
AddHandler cgi-script .pl .cgi
DirectoryIndex awstats.pl
</Directory>

Restart Apache service

service apache2 restart

List of URLs for this mail server:

Group Office https://mail.myserver.com/groupoffice
Roundcube Webmail https://mail.myserver.com/roundcube
Squirrelmail Webmail https://mail.myserver.com/squirrelmail
Mail stats(Awstats) https://mail.myserver.com/awstats
Mail traffic graph https://mail.myserver.com/mailgraph
Mail queues graph https://mail.myserver.com/queuegraph

Group Office forum and wikis addresses

https://www.group-office.com/
https://www.group-office.com/forum/
https://www.group-office.com/wiki/
https://www.group-office.com/wiki/Mailserver