Using Let's Encrypt with Axigen Mailserver


Download and install Let's Encrypt from https://letsencrypt.org

cd /opt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Stop the mail server and make sure that ports 80 and 443 are open in the firewall.

Run:

/opt/letsencrypt/letsencrypt-auto certonly --standalone --email postmaster@domain.com -d www.domain.com -d domain.com

Result:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain.com/fullchain.pem…….

Assemble the certificate files and put them in the right place:

# private key + leaf certificate in one file (this is what Axigen's "Certificate file" expects)
cat /etc/letsencrypt/live/domain.com/privkey.pem /etc/letsencrypt/live/domain.com/cert.pem > /var/opt/axigen/domain.com.pem
# CA bundle: chain.pem holds the intermediate(s) only; fullchain.pem would repeat the leaf certificate here
cat /etc/letsencrypt/live/domain.com/chain.pem > /var/opt/axigen/CA.crt


Create the certificate PEM file for Axigen Mailserver

A. Create the certificate PEM file – let’s call it my_domain.pem

Axigen uses a .pem file to store both the unencrypted private key and the SSL certificate, which might be provided to you in a .crt file.
Please note that the private key file should be available as it was generated and used when you requested the SSL certificate. If you did not save it (or have lost it afterwards), your SSL certificate becomes useless, as the private key cannot be regenerated.

  • Private key – let's say you have saved it in my_domain.key; it should contain several text lines like:
Code:
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAASSSgEAvlvYrl1VutgpBD4EZztydddcX8zB6b6b0+NLV4jhk6zaQTa
aRTlgO6hgvLjvzrHgFFecYxtqJa03mVJUmu21dqNa7PRAK8Lt6zb50K7P+lt+rkv
0PcALacpSIYuiColzk4muiIas8UocEyo9pMhcn4zEHOX9tOSF7qEUPW23p4ymXj8
...
jBumY4c6ToPmCSB+/cRVcHkUvaUIuqmAkAKnKmFhwjnbeJN4RKPiKxUUg5LTgwLU
dmj40cldomBSpD/oDRpk0w6pjwZ2VxThPfYMIAqKmhCHRLlaUeVZfmscjnOdud0p
O2iJMn4v8PTFCFGnCIDjpXpQ3+igUfGBmd7CUjW0s/rx1FBhbGdaw3bDrHWadDvd
-----END RSA PRIVATE KEY-----

Note: The unencrypted private key can be extracted from an encrypted one by using the following command:

Code:
openssl rsa -in my_domain.key.encrypted -out my_domain.key

If the encrypted key is protected by a pass phrase, enter it when prompted; otherwise the decryption process (as expected) will fail.

  • Certificate – let's say you have saved it in my_domain.crt; it should contain several text lines like:
Code:
-----BEGIN CERTIFICATE-----
MIIF5jCCBM6gAwIBAgIDFG92sXNLl0hoWCVEbY3sHBBBgkqhkiG9w0BAQsFADB4
VR0PBAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBTdp0KFhrW6
AHoysW9/RJ0Yt6RR6zAfBgNVHSMEGDAWgBTrQjTQmLCrn/Qbawj3zGQu7w4sRTAm
...
PL4Jfc7xOn6S0DOr4spUxyVj8QO2htzJq358Nto1zY1hSQn9/u3AefaHG0S/n9vO
DzOL1uUVzjjvk9ulZPJo/6JRyHiSnWOa3Hs0MDpQzS4I6t6XM6M7FMfDMTtk4IK8
lQtuFho0a0hmDjMmujDKwyy9iQu/aRW99N66YBiezjH3
-----END CERTIFICATE-----

Now you can prepare your my_domain.pem like:

Code:
cat my_domain.key my_domain.crt > ${AXIGEN_WORK_DIR}/my_domain.pem

B. (Optional) create the CA (Certificate Authority) CERT file – let’s call it my_CA.pem
This file should contain all CA certificates (root and intermediate ones) you have received from the certificate issuer

This should be as simple as:

Code:
cat CA_root.crt CA_intermediate1.crt CA_intermediate2.crt > ${AXIGEN_WORK_DIR}/my_CA.pem

C. Axigen Configuration
Assuming that you have saved the mandatory my_domain.pem and the optional my_CA.pem files in the Axigen working directory (and the files can be read by the user that runs the Axigen process), you can now continue to configure the SSL listener(s) with your new certificate:

Connect to WebAdmin and go to Service > Listener > SSL

  • Certificate file: my_domain.pem
  • (optional) Certificate authorities file: my_CA.pem
  • Save configuration

Note: If you would like to use the self-signed certificate generated by Axigen (at installation time), use the axigen_cert.pem file, which is also stored in the Axigen working directory.

After you have finished the certificate configuration you can test your SSL listener locally like:

Code:
openssl s_client -connect <listener_ip>:<listener_port>

Source
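The two cat commands in the Let's Encrypt section and the my_domain.pem recipe in the forum post above do the same job; the script below is an added example (not code from the blog or the Axigen forum) that assembles both Axigen files from a Let's Encrypt live directory and then verifies that the private key actually belongs to the certificate, the check a practitioner wants before pointing the SSL listener at the file. Function names are hypothetical; the working directory defaults to /var/opt/axigen as in the post.

```shell
#!/bin/sh
# Added example, not code from the blog post or the Axigen forum post:
# builds the two files Axigen expects (key+leaf PEM and CA bundle) from a
# Let's Encrypt live directory and checks that the key really belongs to
# the certificate before the SSL listener is pointed at the file.
# Paths follow the post; the working directory defaults to /var/opt/axigen.
build_axigen_pem() {
    # $1 = /etc/letsencrypt/live/<domain>, $2 = Axigen working directory
    live=$1; work=${2:-/var/opt/axigen}; name=$(basename "$live")
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    # private key + leaf certificate, created with mode 600 (umask is set
    # in a subshell so the caller's umask is untouched); remove any older
    # copy first so a previously wider mode cannot survive
    rm -f "$work/$name.pem"
    ( umask 077; cat "$live/privkey.pem" "$live/cert.pem" > "$work/$name.pem" )
    # the CA file holds the issuing chain only; fullchain.pem would add the
    # leaf certificate a second time, which does not belong in a CA bundle
    cat "$live/chain.pem" > "$work/CA.crt"
    echo "$work/$name.pem"
}

axigen_key_matches_cert() {
    # $1 = combined PEM; returns 0 when the key's public half equals the
    # certificate's public key, 1 on mismatch, 2 if openssl cannot parse it.
    # openssl skips PEM blocks of the wrong type, so one file serves both.
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Call build_axigen_pem /etc/letsencrypt/live/domain.com and then axigen_key_matches_cert on the printed path; a non-zero exit means the listener would present a certificate it cannot prove ownership of.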

Secure AXIGEN against brute-force with Fail2Ban [Linux]

Fail2Ban (http://wikipedia.org/wiki/Fail2ban) protects your server against intruders who try to brute-force passwords.
It enables you to monitor standard services such as SSH, Apache, etc.

Furthermore, AXIGEN can be secured against password attacks.

The following steps are necessary:
The steps may differ depending on your distribution.

Step 1: Install Fail2Ban
Step 2: Create a shell script:

#!/bin/bash
# $1 - log file to be used (the secure.txt that Fail2Ban will watch)
LOG_AXI="/var/opt/axigen/log/everything.txt"
if [ -z "$1" ]; then
    LOG_SEC=/var/opt/axigen/log/secure.txt
else
    LOG_SEC="$1"
fi
# follow the Axigen log (--follow=name keeps working across log rotation)
tail --retry --follow=name "$LOG_AXI" | while IFS= read -r l; do
    timestamp=$(date '+%d-%m-%Y %T')
    case "$l" in
        *"Authentication error"*|*"could not authenticate user"*|*"error authenticating user"*)
            # field 6 is the session id, e.g. IMAP:000000CC:
            sid=$(echo "$l" | awk '{print $6}')
            if [ -n "$sid" ]; then
                # the first line logged for that session ends in [ip:port];
                # strip the brackets and the port to keep only the client IP
                con_ip=$(grep -m 1 -F "$sid" "$LOG_AXI" | awk '{print $NF}' | sed 's/\[//g;s/:.*$//g')
                if [ -n "$con_ip" ]; then
                    echo "$timestamp $l from $con_ip" >> "$LOG_SEC"
                fi
            fi
            ;;
    esac
done

Step 3: Make sure that the script runs automatically, for example via /etc/inittab

Notes:
If AXIGEN writes the log file to another location, please adjust the path in the variable $LOG_AXI.
Log rotation should be set up for the secure.txt file.
Test the script as follows:
Start the script
Check the contents of secure.txt
Run a failed login; this should be reported as follows:

18-07-2014 14:35:42 07-28 14:35:42 +0300 02 localhost IMAP:000000CC: Authentication error for user ‘user1@localdomain’: Invalid password from 192.168.1.101

Step 4: Create a new Fail2Ban filter, for example axigen.cfg under /etc/fail2ban/filter.d,
with the following content:

# Fail2Ban configuration file
# Fail2Ban resolves "filter = axigen" in the jail to filter.d/axigen.conf
[Definition]
# every line the script writes to secure.txt ends in "from <ip>"
failregex = from <HOST>

Step 5: Configure Fail2Ban by extending jail.conf under /etc/fail2ban with the following jail:

[axigen]
enabled = true
# name of the filter file in filter.d (without the .conf suffix)
filter = axigen
port = all
logpath = /var/opt/axigen/log/secure.txt
# seconds an address stays banned
bantime = 100
# failures within findtime that trigger a ban
maxretry = 3
banaction = iptables-allports

Adjust the maximum number of failed attempts, the ban time and the path as needed.
Then restart fail2ban.
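The script in Step 2 re-greps the whole log for every failure. As an added example (not from the forum post), the function below does the same correlation in one awk pass: it remembers, per session id, the last [ip:port] seen for that session and emits one secure.txt-style line per failure, while a failure whose session never logged a connection is reported on stderr instead of producing an unusable line. The function name, the optional timestamp argument and the wording of the connection line in the test are constructed; the failure line layout follows the post's sample.

```shell
#!/bin/sh
# Added example, not part of the forum post: a one-pass version of the
# correlation the Step 2 script does with grep per failure.  awk remembers,
# per session id (field 6 of an Axigen log line), the last "[ip:port]"
# seen for that session and prints one secure.txt-style line per failure.
# The "Authentication error" line layout follows the post's sample; the
# connection line wording used in the test is constructed.
axigen_failed_logins() {
    # $1 = Axigen everything.txt, $2 = timestamp prefix (default: now)
    ts=${2:-$(date '+%d-%m-%Y %T')}
    awk -v ts="$ts" '
        # a line whose last field is [ip:port] ties a client address to
        # the session id in field 6 (IPv4 only, as in the post)
        $NF ~ /^\[[0-9.]+:[0-9]+\]$/ {
            ip = $NF
            sub(/^\[/, "", ip); sub(/:.*$/, "", ip)
            addr[$6] = ip
        }
        /Authentication error|could not authenticate user|error authenticating user/ {
            if ($6 in addr)
                print ts " " $0 " from " addr[$6]
            else
                # failure for a session we never saw connect: report it,
                # do not emit a line Fail2Ban could misread
                print "no connection line for session " $6 > "/dev/stderr"
        }
    ' "$1"
}
```

Run it as axigen_failed_logins /var/opt/axigen/log/everything.txt >> /var/opt/axigen/log/secure.txt; the output matches the failregex from Step 4 unchanged.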


From http://www.axigenmailgate.de/forum/archive/index.php/t-935.html

Creating a self-signed SSL certificate for Axigen Mailserver

How to create a self-signed SSL certificate for use with AXIGEN

1. Using the interactive OpenSSL configuration:
- Generate an OpenSSL key:


openssl genrsa -out axigen_cert.key 1024   # 1024-bit RSA is below today's usual 2048-bit minimum

- Generate a self-signed certificate using the key:


openssl req -new -x509 -key axigen_cert.key -out axigen_cert.crt

The default validity of a certificate is 30 days. If you want to extend this validity to, say, 1 year (365 days), you can add the -days 365 parameter to the command above:


openssl req -new -x509 -days 365 -key axigen_cert.key -out axigen_cert.crt

- Combine the key and the certificate into one PEM file:


 cat axigen_cert.key axigen_cert.crt > axigen_cert.pem

2. Using an OpenSSL config file:
- Create an OpenSSL config file named axigen_ssl.cnf with the following content:

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
O=AXIGEN Mail Server
OU=Automatically-generated SSL key
CN=AXIGEN
[ cert_type ]
nsCertType = server

- Create the self-signed certificate (key and certificate are appended to the same file):

openssl req -new -x509 -days 365 -nodes -config axigen_ssl.cnf \
  -out /var/opt/axigen/axigen_cert.pem -keyout /var/opt/axigen/axigen_cert.pem

3. Using AXIGEN's startup script:
On all supported operating systems and platforms, AXIGEN's startup script automatically creates a self-signed certificate on its first run and stores it in the data directory under the name axigen_cert.pem.
If you want to regenerate the certificate, you can run the startup script again with the init parameter.

For example, on RedHat you can regenerate the certificate with:
/etc/init.d/axigen init

NOTE: the init parameter will also try to create the default domain database (which will already exist).

To view the certificate details:
 openssl x509 -text -noout -in /var/opt/axigen/axigen_cert.pem
To see the expiry date of the given certificate, use the -enddate parameter:
 openssl x509 -enddate -noout -in /var/opt/axigen/axigen_cert.pem
The output should look something like:
 notAfter=May  1 15:16:16 2008 GMT

Virus protection on an Axigen Mailserver with ClamAV on OpenSUSE 11.*

Stop freshclam and ClamAV by typing in the shell:

/etc/init.d/clamd stop

/etc/init.d/freshclam stop

Create a directory for the log files:

mkdir /var/log/clamav

In /etc/clamd.conf and /etc/freshclam.conf, adjust the paths and the owner as shown below:

## Config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav

# Run as another user (clamd must be started by root for this option to work)

# Default: don’t drop privileges
User axigen

In freshclam.conf:

##
## Config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##

# Path to the database directory.
# WARNING: It must match clamd.conf’s directive!
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav

# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/clamav/freshclam.log

# By default when started freshclam drops privileges and switches to the
# “clamav” user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner axigen

Change the ownership with

chown -R axigen:axigen /var/log/clamav

and

chown -R axigen:axigen /var/lib/clamav

Start ClamAV and freshclam from the shell:

/etc/init.d/clamd start

/etc/init.d/freshclam start

Make sure everything is up to date with freshclam and zypper update.

ClamAV in the Axigen admin panel

In the admin panel, under Security Filtering / Antivirus Antispam, click “To restart the detection process click here.”


If you use a different distro, have a look at this video:

http://www.axigen.com/knowledgebase/video.php?id=174