Is it possible to force every user to send mail using ssl?
Is it possible? I dunno, maybe
Would this be reasonable?
Probably not
Too many things rely on email being available without authentication. Cron, for example. Also, any PHP app that uses the mail() function would likely break (which is quite a bunch of them).
And plus, it doesn’t prevent an attacker from hijacking an app that does authenticate, and using that to send out their spam.
I think the simpler and more scalable way of solving that is to just keep your system security updates recent, and make sure that web apps running on your server are all up to date as well
-Eric
I understand what you say.
Just another thought.
Is it possible to limit the amount of sending mail to external servers, let’s say 100/hour, for every user (but ‘newsletter’ user)?
Would it be possible to, at least, drastically slow down possible junk deliveries?
I check a report I receive each 12 hours with added or changed file in /home /etc /usr and /tmp so I can detect scripts hijackers may put in here.
I think that in the worst case one thousand of spam mails would be sent during this period instead of several thousands until I discover the harmful script.
What do you think?
Thanks for your time Eric.
Another related question.
Squirrelmail was installed before Virtualmin installation so it isn’t listed in virtual hosts.
I also want to force users to login with ssl.
Lot of forums I’ve read mention a file ssl.conf I do not have in /etc/httpd/conf.d
I made a try using the same crt and key files as SSL for SMTP
I changed 80 by 443 and added the ssl module
<VirtualHost *:443>
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /path/to/ssl.crt
SSLCertificateKeyFile /path/to/ssl.key
SetEnvIf User-Agent ".MSIE." nokeepalive ssl-unclean-shutdown
</IfModule>
…
and restarted httpd
Going to https://mail.domain.com I got error 404
Is there something missing/wrong?
Thanks again!
Regarding SSL – it’s hard to say what the exact problem is, since now you have a variety of Virtualmin and non-Virtualmin created VirtualHosts.
But, you may be missing a ServerName in that config. Also, using a * in the VirtualHost config can cause trouble, you’d probably be better off explicitely setting an IP address.
ServerName exist but I didn’t post it.
I’m not strong on this issues.
Tell me please if I am right.
In Virtualmin Apache Networking and Protocols ...:80
Listen on addresses and ports
All – 80 (Listen *:80)
All – 443 (Listen *:443)
Virtual host for squirrelmail
<VirtualHost ...:443>
ServerName mail.domain.com
ServerAdmin me@gmail.com
ServerAlias …lot of them…
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /path/to/ssl.crt
SSLCertificateKeyFile /path/to/ssl.key
SSLCertificateChainFile /path/to/sub.class1.server.ca.pem
SSLCACertificateFile /path/to/ca.pem
SetEnvIf User-Agent ".MSIE." nokeepalive ssl-unclean-shutdown
</IfModule>
DocumentRoot /usr/share/squirrelmail
ErrorLog /home/squirrelmail/logs/error_log
CustomLog /home/squirrelmail/logs/access_log common
</VirtualHost>
From FFox at https://mail.domain.com Data Transfer Interrupted
The connection to mail.domain.com was interrupted while the page was loading.
The browser connected successfully, but the connection was interrupted while transferring information. Please try again.
I suspect for something about certificate. Must it be public?
What do you think?
Thank you.
First, anywhere you see *:80 or *:443, I’d change it to x.y.z.q:80 and x.y.z.q:443 – using your IP address rather than a *. That includes the “Listen” sections mentioned above.
Second, it looks like you have two SSLCertificateFile lines mentioned above. I see both:
Yes, I had substituted all * before the ports but listenings (VMin put them in that way)
How can I set it (t.x.y.z) by default in Virtualmin?
I mean <virtualhost t.x.y.z:80> instead of *:80
From httpd/error_log (this is when restarting apache)
[Fri May 29 15:36:00 2009] [notice] caught SIGTERM, shutting down
[Fri May 29 15:36:01 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri May 29 15:36:01 2009] [notice] Digest: generating secret for digest authentication …
[Fri May 29 15:36:01 2009] [notice] Digest: done
[Fri May 29 15:36:01 2009] [notice] Apache/2.2.9 (Unix) PHP/5.2.6 configured – resuming normal operations
And from the mail.domain.com (squirrelmail) error log these irrelevant records
[Thu May 28 16:01:19 2009] [error] [client 190.64.58.204] File does not exist: /usr/share/squirrelmail/favicon.ico
[Fri May 29 07:33:27 2009] [error] [client 216.129.119.44] File does not exist: /usr/share/squirrelmail/robots.txt
Mmmm. I don’t see ssl module loaded in httpd.conf
Apache 2.2.9 seems to not have this module
I only found
/usr/libexec/webmin/apache/mod_ssl.pl
/usr/lib/libssl.a
/usr/lib/libssl.so
/usr/lib/libssl3.so
/lib/libssl.so.0.9.8b
/lib/libssl.so.6
Thanks.
Well, I have installed mod_ssl from webmin.
The things are getting worse, well, different at least. I had to comment out Listen 443 because of
Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
A new virtual host was created ‘Processes all requests not handled by other virtual servers.’
over port 443 that causes overlapping Starting httpd: [Fri May 29 18:30:51 2009] [warn] default VirtualHost overlap on port 443, the first has precedence
After restarting Apache, error_log of mail.domain.com displays twice.
[Fri May 29 19:52:49 2009] [warn] RSA server certificate CommonName (CN) mail.domain.com' does NOT match server name!? [Fri May 29 19:52:49 2009] [warn] RSA server certificate CommonName (CN) mail.domain.com’ does NOT match server name!?
I created new cert & key for exactly mail.domain.com
I don’t get these errors anymore but I still cannot connect to ssl
Help please!
Moving the things from httpd.conf to the new ssl.conf,
here its content
LoadModule ssl_module modules/mod_ssl.so
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
Moving the things from httpd.conf to the new ssl.conf,
here its content
LoadModule ssl_module modules/mod_ssl.so
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
