One other tip. My ISO install had openssl installed, but not mod_ssl. I had to add that. See Step 1.

Todd

-----Original Message-----
From: Todd Beckstead [mailto:to...@csdcpa.com]
Sent: Tuesday, April 13, 2010 4:32 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] Re: spam

I struggled with getting the info in the wiki to work for me too. Here's a link to something that finally worked for me on my CentOS 5.4. I used the info in Section 2.

http://wiki.centos.org/HowTos/Https

Good luck!

Todd

-----Original Message-----
From: madmac [mailto:sysad...@tricubemedia.com]
Sent: Tuesday, April 13, 2010 4:01 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Re: spam

Ok Guys n Gals

I have rebuilt a new toaster on VM, from scratch.
Using the CentQMT5-1.2.0.iso

I am going to make this an ssl only, secure qmail server, if it kills me.
As my current server is compromised as previously posted.

Tried many sites to get a " self signed " ssl cert installed for testing.
Even here on the wiki:
http://wiki.qmailtoaster.com/index.php?title=Certificate&printable=yes

In there is a line that says you can self sign,

  NOTE - For reference, here is the command to sign the request for a self signed certificate:

    openssl x509 -req -days 365 -in servercert.csr -signkey servercert.key -out servercert.crt

Can the poster or anyone else confirm that they have managed to get it to work, or can anyone else help me get this installation secured.

I have added all the usual, clamav, spamassassin and spamdyke, also have a huge blacklist of IPs and Spammers ( from another source )
I have disabled root to ssh, and changed the ssh port also, modified the firewall to suit.

When all this is done I will also add "fail2ban", as suggested by Jake, and any hints on installing and configuring that would also be helpful.

Notes
Previously tried but failed to get https://ipaddress/webmail to work.
Even added what was suggested:

>> add these lines to your /etc/http/squirrelmail.conf file:
>> RewriteEngine on
>> RewriteCond %{SERVER_PORT} !^443$
>> RewriteRule ^(.*/webmail.*)$ https://%{SERVER_NAME}$1 [L,R]

Restarted apache also.

When I have done all the testing to confirm security, I will make it ( the VM ) available.

Thanks all:
madmac

----- Original Message -----
From: "madmac" <sysad...@tricubemedia.com>
To: <qmailtoaster-list@qmailtoaster.com>
Sent: Friday, April 09, 2010 2:28 PM
Subject: Re: [qmailtoaster] Re: spam

> Thanks Eric and Jake,
>
> Will test fail2ban also on a VM
>
>
> ----- Original Message -----
> From: "Eric Shubert" <e...@shubes.net>
> To: <qmailtoaster-list@qmailtoaster.com>
> Sent: Friday, April 09, 2010 10:09 AM
> Subject: [qmailtoaster] Re: spam
>
>
>> You should secure squirrelmail so that it only runs with https, so that
>> passwords are not sent in the clear. To do so, configure apache with a
>> valid cert (see http://wiki.qmailtoaster.com/index.php/Certificate), then
>> add these lines to your /etc/http/squirrelmail.conf file:
>> RewriteEngine on
>> RewriteCond %{SERVER_PORT} !^443$
>> RewriteRule ^(.*/webmail.*)$ https://%{SERVER_NAME}$1 [L,R]
>>
>> Then
>> # service httpd restart
>>
>> madmac wrote:
>>> Is there then a way to secure squirrelmail, or any other webmail prog.
>>> This is a default install of qmail with the ISO.
>>> Not having it is not an option, as most of the clients can only use
>>> webmail as they are on the road daily.
>>> Thanks
>>> ----- Original Message -----
>>> *From:* Jake Vickers <mailto:j...@qmailtoaster.com>
>>> *To:* qmailtoaster-list@qmailtoaster.com
>>> <mailto:qmailtoaster-list@qmailtoaster.com>
>>> *Sent:* Thursday, April 08, 2010 5:53 PM
>>> *Subject:* Re: [qmailtoaster] spam
>>>
>>> On 04/08/2010 04:21 PM, madmac wrote:
>>>> Well anyone that can guess my passwords must be amazing.
>>>> Let alone get through the elaborate firewall system.
>>>> ssh port is " non standard "
>>>> But I agree, this box is compromised " some how "
>>>> File count now at 9580 and counting
>>>>
>>>>
>>>
>>> Are all of the files that are "infected" from mailboxes?
>>> It does sound like your machine has been compromised. If you leave
>>> Squirrelmail open (ie: no protection against password attacks) or
>>> have other webapps running then this is the most likely place for
>>> them to get in. Once they have an account's login credentials, they
>>> can upload things to themselves and run them (don't ask me how - I
>>> never looked at how they did it - I just fixed it) and then brute
>>> force passwords from the local machine to obtain other access or
>>> whatever they are looking to do.
>>> I had one a year or so back where a guy installed phpbb - when he
>>> came in the next day someone had emailed him his root password. He
>>> reinstalled and put phpbb back on and had his machine compromised in
>>> about 2 hours after that.
>>
>>
>> --
>> -Eric 'shubes'
>>
>>
>> ---------------------------------------------------------------------------------
>> Qmailtoaster is sponsored by Vickers Consulting Group
>> (www.vickersconsulting.com)
>> Vickers Consulting Group offers Qmailtoaster support and
>> installations.
>> If you need professional help with your setup, contact them today!
>> ---------------------------------------------------------------------------------
>> Please visit qmailtoaster.com for the latest news, updates, and
>> packages.
>> To unsubscribe, e-mail:
>> qmailtoaster-list-unsubscr...@qmailtoaster.com
>> For additional commands, e-mail:
>> qmailtoaster-list-h...@qmailtoaster.com
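
The self-signing command quoted in madmac's message, run end to end with checks that the resulting certificate is usable, as an added example that is not part of the original thread or the wiki. The file names follow the quoted command; the common name mail.example.test and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names follow the wiki command quoted in the thread;
# the CN "mail.example.test" and the helper names are constructed.

# Create a key and CSR, then self-sign with the command from the thread.
make_selfsigned() {   # $1 = output dir, $2 = common name
    ( cd "$1" || exit 1
      openssl genrsa -out servercert.key 2048 2>/dev/null &&
      openssl req -new -key servercert.key -subj "/CN=$2" \
          -out servercert.csr 2>/dev/null &&
      openssl x509 -req -days 365 -in servercert.csr \
          -signkey servercert.key -out servercert.crt 2>/dev/null &&
      chmod 600 servercert.key )   # the private key must not be world-readable
}

# True when the certificate's public key belongs to the given private key.
# A mismatch here is a common reason httpd refuses to start with mod_ssl.
cert_matches_key() {  # $1 = cert, $2 = key
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when issuer and subject are identical, i.e. the cert is self-signed.
is_self_signed() {    # $1 = cert
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# True when the cert is still valid $2 seconds from now.
valid_for() {         # $1 = cert, $2 = seconds
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
if make_selfsigned "$demo" mail.example.test &&
   cert_matches_key "$demo/servercert.crt" "$demo/servercert.key" &&
   is_self_signed "$demo/servercert.crt" &&
   valid_for "$demo/servercert.crt" 86400; then
    echo "self-signed certificate OK"
else
    echo "certificate checks failed"
fi
rm -rf "$demo"
```

The resulting servercert.crt and servercert.key are what mod_ssl's SSLCertificateFile and SSLCertificateKeyFile directives point at; browsers will warn on a self-signed certificate, which is expected for testing.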