Gentoo Forums: Networking & Security
Qmail-Squirrelmail-IMAP-SSL ...

eltech
Guru
Joined: 05 Nov 2002
Posts: 582
Location: New York
PostPosted: Thu Dec 12, 2002 5:12 am    Post subject: Qmail-Squirrelmail-IMAP-SSL ...

from what I was told .. using IMAP-SSL with squirrelmail out of the box is impossible and not supported .. how true is this?

1. I have set up my imap according to the gentoo desktop guide.. I have a few problems however:

2. I cannot telnet to port 993 (imap-ssl port)

3. entering port 993 in the conf.pl (squirrelmail's config) stops me from sending or receiving any mail completely.

4. I am behind a firewall, so I have made sure that ports 143 & 143 are open to world and local ...

5. I can not connect remotely using the ssl (https://) using squirrelmail..

6. I can use ssl (https://) locally ...

QUESTIONS

1. is imapd and imapd-ssl supposed to be running at the same time?

2. why can I use imapd-ssl port (993) in the conf.pl, I want to use ssl for the squirrelmail UI?

3. are there other ports that I must open in order to use ssl?

4. why does the https:// work locally but not remotely?

5. what am I doing wrong here?

I thank anyone in advance for your help ..
Rroet
Apprentice
Joined: 27 May 2002
Posts: 176
Location: The Hague, The Netherlands
PostPosted: Thu Dec 12, 2002 7:30 am

>offtopic<

I didn't get it working properly, I had trouble getting IMAP to work with qmail properly on virtual maildirs.

I switched to the Horde Framework and its webmail.

I just use it with qmail-pop3d which works fine with virtual maildirs :) The fun part of qmail-pop3d/imp is that even though you read your webmail it stays waiting in the maildir for your mail client to come pick it up at a later moment :) :)

>/offtopic<
474
l33t
Joined: 19 Apr 2002
Posts: 714
PostPosted: Fri Dec 13, 2002 6:21 pm

I'm using Qmail/courier/squirrelmail and it works great. I'm making a guide about my whole server setup which I hope to submit some time. Anyway, although this reply is rushed I can answer a few questions right away:

1. is imapd and imapd-ssl supposed to be running at the same time?

It's perfectly safe. That will give you support for both simultaneously and is probably a good idea. It will be more optimal for programs such as squirrelmail to use a normal IMAP connection to talk to your courier daemon, but you should never allow regular IMAP from an external host. See below.

2. why can i use impad-ssl port (993) in the conf.pl, i wan to use ssl for the squirrelmail UI?

Right. Squirrelmail is delivered over Apache. You want external users to have to use https://myserver/squirrelmail outside. HTTP is provided by Apache not Squirrelmail, so the Squirrelmail configuration has nothing to do with how you access squirrelmail externally in this sense. You just need to edit your apache.conf / commonapache.conf to enable HTTPS (and, very importantly, disable normal HTTP) for the /squirrelmail directory. The simplest way to do this is to enable HTTPS globally, and disable HTTP globally. Let me know if you're not sure how.

The connection/program flow goes like this:

Remote host -> (HTTPS) -> Apache -> PHP/Squirrelmail script -> (IMAPS) -> Courier IMAP

and so, in reverse. If you look at that, you'll see that you don't really need IMAPS if Courier and Apache/PHP/Squirrelmail are on the same host, as I mentioned above. What's important is that the data is encrypted between the end-user's browser and Apache on your server. If Apache then communicates by loopback to your courier-imapd on the same machine not using SSL then that doesn't really matter. IMAPS will just slow it down a tiny bit. Of course, you might want people to be able to use regular email clients over IMAPS from outside, but that still doesn't mean that Squirrelmail must use it.

The exception is if courier-imapd and apache/squirrelmail are residing on physically different hosts and you can't trust the network that it crosses (e.g. it's on a LAN and you're worried someone will sniff the traffic).

3. are there other ports that i must open in order to use ssl?

Depends on what you are opening over SSL. SSL may just be SSL but there are standard port numbers to use depending on the protocol that's being tunnelled over SSL. E.g. https = 443, imaps = 993, ldaps = 636 ....
You can get the lowdown in /etc/services.

4. why does the https:// work locally but not remotely?

HTTP over SSL (https) uses port 443. Is that port blocked from external hosts perhaps? You only need to allow 443 from external hosts (and 993 if you want to provide support for normal email clients from remote locations).

5. what am i doing wrong here?

Hopefully the above will have helped enough to answer that ...

EDIT: A lot of daemons need to be explicitly configured to allow connections from anything other than localhost or the local subnet. I can't think of any such restraints here off the top of my head but bear that in mind too, concerning the inability to gain external HTTPS access. Apache has the ability to set permissions based on host addresses.

Also squirrelmail definitely does not do IMAPS. See http://www.squirrelmail.org/wiki/SquirrelMailIMAPS, probably for the reasons already stated. As they say you can use something like stunnel, but they warn about the overhead. If you really, really must have it you could also have a look at openvpn.
eltech
Guru
Joined: 05 Nov 2002
Posts: 582
Location: New York
PostPosted: Fri Dec 13, 2002 7:50 pm

kerframil OUTSTANDING! help.. thanks so much ..

I have been trying to get comfortable with apache as I really have no intentions on mastering it, but I would like to get going all I need and never touch it again :wink: ..

I have a better understanding of the IMAPS and IMAP, however ...

Quote:
Also squirrelmail definitely does not do IMAPS.

so no one REMOTELY can do a https://my.domain.com/webmail ? because squirrelmail does not support IMAPS ... that's understood ...

Quote:
It will be more optimal for programs such as squirrelmail to use a normal IMAP connection to talk to your courier daemon, but you should never allow regular IMAP from an external host. See below.

obviously because of squirrelmail, I can not force IMAPS to work with squirrelmail...ok ..

Quote:
Squirrelmail is delivered over Apache. You want external users to have to use https://myserver/squirrelmail outside. HTTP is provided by Apache not Squirrelmail, so the Squirrelmail configuration has nothing to do with how you access squirrelmail externally in this sense. You just need to edit your apache.conf / commonapache.conf to enable HTTPS (and, very importantly, disable normal HTTP) for the /squirrelmail directory. The simplest way to do this is to enable HTTPS globally, and disable HTTP globally. Let me know if you're not sure how.

a bit confused .. does squirrelmail allow https:// remotely? can you direct where I can edit the https to be forced remotely for squirrelmail?

Quote:
and so, in reverse. If you look at that, you'll see that you don't really need IMAPS if Courier and Apache/PHP/Squirrelmail are on the same host, as I mentioned above. What's important is that the data is encrypted between the end-user's browser and Apache on your server. If Apache then communicates by loopback to your courier-imapd on the same machine not using SSL then that doesn't really matter. IMAPS will just slow it down a tiny bit. Of course, you might want people to be able to use regular email clients over IMAPS from outside, but that still doesn't mean that Squirrelmail must use it.

The exception is if courier-imapd and apache/squirrelmail are residing on physically different hosts and you can't trust the network that it crosses (e.g. it's on a LAN and you're worried someone will sniff the traffic).

it's all on the same ip, to the same box... the lan is in my home.. no insecurity here ..so there is no need for IMAPS using squirrelmail remotely?

if you can ... elaborate on how I can enable this https globally or remotely, etc .. as I stated am not too comfortable with apache just yet ..
474
l33t
Joined: 19 Apr 2002
Posts: 714
PostPosted: Fri Dec 13, 2002 8:55 pm

OK, let's try and clarify a few things again. Let's start with an architectural overview of the system and the components that come into play, because it might help. Sorry if it seems like a lecture, I'm sure you just want to get it up and running but here goes:

maildirs: Not a program obviously, but the format in which your mail items are actually stored on your hard disk. So the maildirs are effectively the database, if you like.
courier-imapd: Exposes your mail items from your maildirs "database" using the industry-standard IMAP protocol. Any IMAP-compliant program can access your mailbox as a result.
PHP: Pre-Hypertext Processor. A programming language/scripting engine optimised for embedding inside dynamic web pages.
php_mod: An Apache extension which embeds a PHP engine inside of Apache so that PHP code can be inserted inline into HTML.
Squirrelmail: a program which provides a web-interface for access to mailboxes. Expects to be able to talk to any IMAP server (in this case, courier) to "expose" your mailbox. Runs inside php_mod.

The really important thing you must understand is that Squirrelmail is not a web server/http daemon of any kind. Apache listens on port 80 (HTTP) and/or 443 (HTTPS) like any web server. Because you request a file with the .php extension Apache knows that, instead of just feeding the .php file back to you as if it were normal HTML, it must first pass it through mod_php. mod_php hooks the PHP code, and interprets it. What you actually want to see when it comes back to your browser is dynamically inserted at that point. It is then passed back to the Apache engine and subsequently back to your browser.

Squirrelmail executes PHP statements when the pages are triggered which connects by IMAP to your courier server so it is able to retrieve the mail items, authenticate you etc. It could have been done a different way, but IMAP it is.

Quote:
obviously because of squirrelmail, i can not force IMAPS to work with squirrelmail...ok ..

Well you can't get squirrelmail to talk to courier by IMAPS. It doesn't matter.

But on a different note (and going a little OT I now realise) that doesn't mean you can't run for example, Sylpheed on Linux or Outlook Express on Windows on a remote machine and make an IMAPS connection directly to your courier-imapd server running. That's what courier-imapd-ssl will allow you to do. Because you're using a real email client, Apache/Squirrelmail won't come into it. courier-imapd-ssl will be dutifully listening on the correct port.

Quote:
so no one REMOTELY can do a https://my.domain.com/webmail ? because squirrelmail does not support IMAPS ... thats understood ...

:lol: Noooo, fortunately that isn't the case! As I said, Apache is the webserver. It is the one that listens on the https port. Whether the pages being reached are regular static .html files or PHP/Perl/Python/JSP/ASP scripted dynamic pages which are piped off into a background engine (as Squirrelmail does) is immaterial. Apache can let you connect to anything it serves by HTTPS ... period. There are two sides to the connection, and you're confusing the second with the first - let's assume you're in the middle of a session and about to refresh your inbox:

1) You connect to https://my.domain.com/webmail. Apache listening on port 443 accepts. Page returned is a .php page (webmail.php in fact). Before the page was prepared, the file was syphoned through mod_php. The PHP code gets to run then. This is where the second step comes in ...

2) The PHP code establishes a connection using IMAP to the courier-imapd daemon. Courier-imapd returns the mail items. The PHP code deconstructs these items and inserts them into the HTML template so that Apache is then given back a stream of nice looking HTML.

At that point we bounce back to the first side again, and Apache passes the readily prepared page (which now doesn't contain any weird PHP code) back to your browser ... sweet!

So basically (1) has almost nothing to do with (2). Does that make sense? And because the squirrelmail code is talking to the courier daemon on the same physical machine, IMAP is fine and more efficient. Don't worry about Squirrelmail, if anything it's Apache that would be a greater suspect but first you should be 100% certain that your internal host is contactable from the outside at all ...

Now you can bring up a page from Apache via SSL locally (i.e. from any host on the LAN including the server itself), right? But not from a remote host. OK, so you've definitely got SSL enabled and running. But is your server actually reachable? What internet connection device are you using and what hostname or IP address are you using to actually reach it from outside? Here's a little checklist:
  • What's your IP address?
  • How are you getting access to the net? Are you using some kind of dedicated router box that plugs into your LAN hub or is the device plugged straight into an ethernet card in your machine?
  • If you're trying to access your server from outside using a hostname then have you bought a domain and setup the DNS accordingly? Or are you using a dynamic DNS service?
  • Hopefully your internet connection device is hooked straight up to your server. If you're running iptables, are you sure you're not blocking the incoming connection?
  • If you're using an internet gateway which isn't actually connected directly to your server (as I do) then you need to tell that device to forward incoming connections to your server. And the device must perform NAT (network address translation) too.
  • As if things weren't getting complicated enough, some cable modems/DSL modems/ISP providers block all incoming traffic :-( in which case you're done for. I had this problem with a BT (British Telecom) DSL modem. Some configurations simply firewall off all incoming connections. I switched to Cable and everything was fine ...
  • To test this, try running a different network service and connecting to that instead. For example, you say https doesn't work from outside but what about http? Or ssh? Even ping should work if your setup is simple.


So basically the first thing to establish is that your server can be contacted at all. If it seems that you can, but Apache still won't respond on SSH then we should have a look at that more closely. Over to you ...
eltech
Guru
Joined: 05 Nov 2002
Posts: 582
Location: New York
PostPosted: Fri Dec 13, 2002 9:52 pm

EDIT: CORRECTION! I CAN HIT https://my.domain.com/webmail remotely, I had to edit the commonapache.conf

Ok ... Thanks for the reply .. you have been a big assistance in the tackle with this here ..

Quote:
The really important thing you must understand is that Squirrelmail is not a web server/http daemon of any kind. Apache listens on port 80 (HTTP) and/or 443 (HTTPS) like any web server.

Ok .. I have set apache to listen on ports 80 & 443 .. these ports are also forwarded on my router to the webserver, so we are good there ...

Quote:

You connect to https://my.domain.com/webmail. Apache listening on port 443 accepts.

I can get to the address, I get the digital certificate thing, I see the index.html.. but get a 404 page afterwards ...

I can't get to /webmail using https:// only http:// and I login just fine, and get mail, send, etc ... this is from WAN side (outside world)..

locally https://192.168.254.100/webmail produces the same 404 error ...
I have to use internal ip because router doesn't allow loop back ...

Quote:

IMAP is fine and more efficient. Don't worry about Squirrelmail, if anything it's Apache that would be a greater suspect but first you should be 100% certain that your internal host is contactable from the outside at all ...

Ok .. IMAP is fine, but using squirrelmail without 'https' is not correct? and am talking 'remotely' ... I think this is just not soaking up in my head and am running circles around myself for some reason ... :cry: ok ..

Quote:
Now you can bring up a page from Apache via SSL locally (i.e from any host on the LAN including the server itself), right?

yes I can.. but I get the 404 error ..

Quote:
OK, so you've definitely got SSL enabled and running. But is your server actually reachable? What internet connection device are you using and what hostname or IP address are you using to actually reach it from outside?

yes, my server is reachable ... I have a domain .. am using a dynamic host service.. it's all working as should be ..

I can get my index.html using https://my.domain.com and I see the lock (secure connection) ... but when I try /webmail I get the 404 page ... that may be different than the problem :P

how can I enforce the https remotely for the /webmail page?
eltech
Guru
Joined: 05 Nov 2002
Posts: 582
Location: New York
PostPosted: Fri Dec 13, 2002 10:03 pm

DOH!

please disregard the last thread ... I have solved the problem .. I needed to add the 'Alias' to the commonapache.conf .. which I had, but I commented it out because I was testing something out.. now ..

I want to force anything that goes to the /webmail to be under https:// right now .. I am logged in https://my.domain.com/webmail remotely sending and reading email .. this is secure correct? using ssl correct?

I have apache listening to 443 obviously .. but I remember you saying it had to be enabled in the .conf also .. I will search to set that up ...

so far am getting through this .. seems am making it more difficult than it really is, and you seem to think that am way behind.. But am not.. just that it seems so .. :D

it's a situation that I always cause :wink:

thanks a bunch
eltech
Guru
Joined: 05 Nov 2002
Posts: 582
Location: New York
PostPosted: Sat Dec 14, 2002 2:45 pm

ok .. working through the problems .. I have everything working, however I still can not figure how to force https: for /webmail ..

in my vhost-ssf.conf I have the following
Code:

## SSL Virtual Host Context
##

<VirtualHost mail.domain.com:443>

#  General setup for the virtual host
DocumentRoot /home/httpd/htdocs/squirrelmail
ServerName mail.domain.com
ServerAdmin root@domain.com
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile conf/ssl/server.crt

SSLCertificateKeyFile conf/ssl/server.key

RewriteEngine On
RewriteOptions inherit

</VirtualHost>                                 

</IfModule>


I can get to https://mail.domain.com/webmail and log in successfully; read email, send email, etc....

I just want to force the https:// when viewing anything that is at /webmail ..

I have mail.domain set up as a virtual server also, so all that is set up ...

we are close to figuring this out, I thank you so much .. :wink:
474
l33t
Joined: 19 Apr 2002
Posts: 714
PostPosted: Mon Dec 16, 2002 10:43 am

Quote:
so far am getting through this .. seems am making it more difficult then it really is, and you seem to think that am way behind.. But am not.. just that it seems so ..
Not at all, was just trying to cover all angles ... it's an interesting problem and I knew I wouldn't be able to access the forum over the weekend ... :-)

I'm going to have a look at my own setup. I've got a very fresh install of Apache/Squirrelmail etc and I must admit I've only used Apache through an SSH connection (where it appears to be local to the server anyway, so I couldn't possibly experience the same problem under those circumstances). I'm going to open up 443 on my firewall and see what happens.

BTW, https access will make things generally secure, all transit to the server is encrypted. But I think you can generate a certificate with a longer cipher length (e.g. longer than 128-bit) if you want to be more secure. Never use 40-bit ones. But I must confess I haven't looked at this so I will do ...
eltech
Guru
Joined: 05 Nov 2002
Posts: 582
Location: New York
PostPosted: Mon Dec 16, 2002 2:41 pm

Hi ..

Thanks for the reply ..

yes that seems to be my only problem now .. to force https:// .. no one seems to know how to get it working (at least those whom I have asked) ...

thanks for any help you provide and advice...
burzmali
Apprentice
Joined: 18 Apr 2002
Posts: 238
Location: ca
PostPosted: Mon Dec 16, 2002 7:20 pm

to force https move the squirrelmail dir out of htdocs up one dir and edit your apache config files accordingly. so squirrelmail should be in /home/httpd/squirrelmail and your ssl virtual hosts file should look like this:
Code:

## SSL Virtual Host Context
##

<VirtualHost mail.domain.com:443>

#  General setup for the virtual host
DocumentRoot /home/httpd/squirrelmail
ServerName mail.domain.com
ServerAdmin root@domain.com
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile conf/ssl/server.crt

SSLCertificateKeyFile conf/ssl/server.key

RewriteEngine On
RewriteOptions inherit

</VirtualHost>                                 

</IfModule>


you might want to change your server name to something more useful, also. by having squirrelmail inside the htdocs dir you are allowing everyone that can reach htdocs over http to also reach squirrelmail by http. hope this helps. good luck.
eltech
Guru
Joined: 05 Nov 2002
Posts: 582
Location: New York
PostPosted: Tue Dec 17, 2002 4:45 pm

ok .. I would just like to paste this here ...

does this look correct?

Code:

NameVirtualHost *

<VirtualHost *:80>
DocumentRoot /home/httpd/htdocs
ServerName mail.pcnetsources.com
ServerAlias www.pcnetsources.com
ErrorLog logs/www-error_log
CustomLog logs/www-access_log
<Directory "/home/httpd/htdocs/">
                AllowOverride None
                Options none
                Order allow,deny
                Allow from all
                DirectoryIndex index.html
        </Directory>
Alias /webmail /home/httpd/squirrelmail/
<Directory "/home/httpd/squirrelmail/">
                AllowOverride None
                Options none
                Order allow,deny
                Allow from all
                DirectoryIndex index.php
</Directory>
Alias /webmail /home/httpd/squirrelmail/
<Directory "/home/httpd/squirrelmail/">
                AllowOverride None
                Options none
                Order allow,deny
                Allow from all
                DirectoryIndex index.php
        </Directory>
</VirtualHost>

########################################################
## SSL Virtual Host Context
#####################################################

<VirtualHost *>
#General setup for the virtual host
DocumentRoot /home/httpd/squirrelmail
ServerName mail.pcnetsources.com
ServerAdmin postmaster@pcnetsources.com
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log
        <Directory "/home/httpd/squirrelmail/">
                AllowOverride None
                Options none
               Order allow,deny
                Allow from all
       </Directory>

DirectoryIndex index.php

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile conf/ssl/server.crt

SSLCertificateKeyFile conf/ssl/server.key

RewriteEngine On
RewriteOptions inherit

</VirtualHost>


as you see it there is my apache.conf virtualhost section ...

I have apache listening on ports '80 & 443'

with this setup I can only get to 'www.pcnetsources.com'
when I try www.pcnetsources.com/webmail .. I get 'PAGE CAN NOT BE DISPLAYED' error ...

I have ssl and php running I have verified this ...

locally .. for some reason I can not do
Code:

lynx http://localhost


i get this error
Code:
lynx http://localhost

Looking up localhost
Making HTTP connection to localhost
Alert!: Unable to connect to remote host.

lynx: Can't access startfile http://localhost/


I was able to before, now for some reason I can't .. when I was able to .. I checked that php was working and that ssl was working... I am not running IPCHAINS or IPTABLES

....

where is my error?

thanks for all of your extremely superb help ..
burzmali
Apprentice
Joined: 18 Apr 2002
Posts: 238
Location: ca
PostPosted: Tue Dec 17, 2002 8:07 pm

try this: (I don't know if it will work)
Code:

NameVirtualHost *

<VirtualHost *:80>
DocumentRoot /home/httpd/htdocs
ServerName www.pcnetsources.com
ServerAlias www.pcnetsources.com
ErrorLog logs/www-error_log
CustomLog logs/www-access_log
<Directory "/home/httpd/htdocs/">
                AllowOverride None
                Options none
                Order allow,deny
                Allow from all
                DirectoryIndex index.html
</Directory>
</VirtualHost>

########################################################
## SSL Virtual Host Context
#####################################################

<VirtualHost *:443>
#General setup for the virtual host
DocumentRoot /home/httpd/squirrelmail
ServerName mail.pcnetsources.com
ServerAdmin postmaster@pcnetsources.com
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log
        <Directory "/home/httpd/squirrelmail/">
                AllowOverride None
                Options none
               Order allow,deny
                Allow from all
       </Directory>

DirectoryIndex index.php

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile conf/ssl/server.crt

SSLCertificateKeyFile conf/ssl/server.key

RewriteEngine On
RewriteOptions inherit

</VirtualHost>


your mail will be accessed by https://mail.pcnetsources.com (I think).
this is mostly me guessing so good luck
eltech
Guru
Joined: 05 Nov 2002
Posts: 582
Location: New York
PostPosted: Tue Dec 17, 2002 9:19 pm

Well it did not work .. but appreciate the effort

I guess I will let this lay dead for now, as things in linux get better .. am sure this will be tackled soon or someone will have a solution...

for the most part my server is up and running.. the way I want it (exactly) except for the https://

can't complain right?

thanks guys ...
eltech
Guru
Joined: 05 Nov 2002
Posts: 582
Location: New York
PostPosted: Thu Dec 19, 2002 4:46 pm    Post subject: Never Gave Up & Got Results!

ok . with the help of a great person in a help channel...I was able to setup the SSL using squirrelmail .. please be advised that there is a plugin that can help do this for you, but it's not as clean as being right in the apache.conf ... my settings for my virtual host in apache.conf are now as below

Code:
Port 80
Listen 80
#Listen 443


Now don't ask why I don't have apache set to Listen 443, but I will say that every time I uncommented 'Listen 443' it killed my connection, and my server did not accept traffic on port 80 or 443..

as we move on ...

Code:

NameVirtualHost *

<VirtualHost *:80>
DocumentRoot /home/httpd/htdocs
ServerName www.domain.com
ErrorLog /var/log/apache/pcnetsources-error_log
CustomLog /var/log/apache/pcnetsources-access_log common
<Directory "/home/httpd/htdocs/">
                AllowOverride None
                Options none
                Order allow,deny
                Allow from all
                DirectoryIndex index.html
        </Directory>

RewriteLog /var/log/apache/rewrite.log
RewriteLogLevel 3
RewriteEngine on
RewriteCond   %{REQUEST_URI} ^/webmail    [OR]
RewriteCond   %{HTTP_HOST}  ^mail.
RewriteRule   ^(.*) https://mail.domain.com    [R,L]


Now.. the settings above ..
anything that comes to port 80 and the URI starts with webmail OR they're trying to access a http://mail.DOMAIN.com host.. it will send them over to https://mail.domain.com.

this can be for various mail.DOMAIN.com virtualhost setups ..
in my case.. I wanted to make sure that over squirrelmail my mail.domain.com and www.domain.com/webmail were over SSL

and make sure they CAN'T get to
http://mail.domain.com
or
http://www.domain.com/webmail
which are not secure connections..

as I use webmail for clients/customers to login using the URL and /webmail ..

so if you now want to host www.mail.domain2.com & mail.domain2.com and make sure that's over ssl also .. you can do the same thing, just change the name of the host..
Code:

RewriteCond   %{REQUEST_URI} ^/webmail    [OR]
RewriteCond   %{HTTP_HOST}  ^mail.
RewriteRule   ^(.*) https://mail.domain2.com    [R,L]

am sure there is a more complex/shorter way to do this if you know the codes and such (I don't), but for us fundamental stage users, this is what will work :wink:

here is what my ssl section looks like

Code:

#############################
## SSL Virtual Host Context
#############################

<VirtualHost _default_:443>
#<VirtualHost *>
# General setup for the virtual host
DocumentRoot /home/httpd/squirrelmail
ServerName mail.domain.com
ServerAdmin postmaster@pcnetsources.com
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log
        <Directory "/home/httpd/squirrelmail/">
               AllowOverride None
                Options none
               Order allow,deny
                Allow from all
       </Directory>

DirectoryIndex index.php

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key

RewriteEngine On
RewriteOptions inherit

</VirtualHost>


I hope this helps someone who may be having problems getting this to work, I assure this should work if you have php and ssl setup and running correctly ...

thank you to all the help provided here with this problem ..

happy holidays guys! :D
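The RewriteCond/RewriteRule set from the post above, run through a small simulator so you can see which constructed plain-HTTP requests it redirects. This is an added example, not code from the thread or from Apache; it models only the mod_rewrite features the post uses ([OR] chaining, server variables, $1 back-references, the R flag) and also carries a tightened variant, which is my addition rather than anything the thread proposes, that escapes the dot in the host check, bounds the /webmail match and keeps the requested path on the redirect.

```python
import re

# Added example (not code from the thread): a simplified model of how
# mod_rewrite evaluates the posted directives, applied to constructed
# requests. Assumption: it is a simulator, not Apache's own implementation.

# The directives exactly as posted: unescaped dot in ^mail., no end anchor
# after /webmail, and a redirect target that drops the requested path.
POST_CONDS = [("REQUEST_URI", r"^/webmail", True),    # [OR]
              ("HTTP_HOST",   r"^mail.",    False)]
POST_RULE = (r"^(.*)", "https://mail.domain.com")

# Tightened variant (added here, not from the thread): only the real mail.
# host matches, /webmail must end at a path boundary, and the requested
# path is carried across so deep links into the webmail still work.
TIGHT_CONDS = [("REQUEST_URI", r"^/webmail(/|$)", True),
               ("HTTP_HOST",   r"^mail\.",        False)]
TIGHT_RULE = (r"^(.*)$", "https://mail.domain.com$1")


def conds_match(conds, env):
    """mod_rewrite ANDs conditions unless one carries [OR], which joins it
    with the following condition into an OR-group. conds is a list of
    (variable, regex, has_or_flag); env maps variable name -> value."""
    groups, current = [], []
    for var, pattern, ored in conds:
        current.append((var, pattern))
        if not ored:
            groups.append(current)
            current = []
    if current:            # trailing [OR] on the last condition: still a group
        groups.append(current)
    return all(any(re.search(p, env.get(v, "")) for v, p in group)
               for group in groups)


def apply_rule(conds, rule, env):
    """Return the redirect target for a plain-HTTP request described by env,
    or None when the request falls through and is served as-is. In
    VirtualHost context the RewriteRule pattern is matched against the
    URL path, which is what the post relies on."""
    if not conds_match(conds, env):
        return None
    pattern, subst = rule
    m = re.match(pattern, env.get("REQUEST_URI", ""))
    if not m:
        return None
    # expand $1..$9 back-references from the rule pattern into the target
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", subst)


# Constructed requests as they would arrive on the port-80 VirtualHost.
SAMPLE_REQUESTS = [
    ("www.domain.com",         "/webmail/src/login.php"),
    ("mail.domain.com",        "/"),
    ("www.domain.com",         "/index.html"),
    ("www.domain.com",         "/webmailer/"),        # prefix-only match
    ("mailinglist.domain.com", "/"),                  # unescaped-dot match
]


def redirect_table(conds, rule, requests=SAMPLE_REQUESTS):
    """Map each (host, path) request to its redirect target or None."""
    return {(h, p): apply_rule(conds, rule, {"HTTP_HOST": h, "REQUEST_URI": p})
            for h, p in requests}


if __name__ == "__main__":
    for label, conds, rule in (("posted", POST_CONDS, POST_RULE),
                               ("tightened", TIGHT_CONDS, TIGHT_RULE)):
        print(f"--- {label} rule set ---")
        for (host, path), target in redirect_table(conds, rule).items():
            print(f"http://{host}{path:<24} -> {target or 'served over plain HTTP'}")
```

Run it directly to print both tables side by side; the posted set sends every hit to the bare https://mail.domain.com root, while the tightened set keeps the path and ignores the two look-alike requests.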
474
l33t
Joined: 19 Apr 2002
Posts: 714
PostPosted: Sat Dec 21, 2002 1:03 am

:) Great! A resolution to the problem at last.

Maybe you'd seen this already, but there's a nice SSL HOWTO in the Apache documentation which discusses some strategies for mandatory SSL and URL rewriting here: http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html. I believe this also applies to Apache 1.3.