Securing PostfixAdmin

February 8, 2010 Postfixadmin

Securing the PostfixAdmin Directory on Ubuntu
Many administrators who use Postfixadmin, a web based tool to manage virtual domains on Postfix, would like to secure the transactions between the PostfixAdmin program and the administrator.  At the same time often you do not want to add the extra burden of SSL on the whole domain but just want to secure one directory.   The solution is to create a certificate for that one directory only and also locking that directory with a password so only administrators can gain access.  The example is on an Ubuntu 9.10 server, which will be very similar to most server procedures.

Enable the SSL module using the “a2enmod” command.

sudo a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.

SSL Security with Apache
The next thing you’ll need for this is a server certificate.  There are two ways to get one.  You can either create your own self-signed certificate, or you can request one from a commercial Certificate Authority.  A self-signed one will work fine if you’re just using it for your organization’s internal operations.  But, if you’re dealing with the public, you’ll want a commercial certificate that verifies that you are who you say you are.

SSL, Secure Sockets Layer, is a protocol or language that is used to encrypt communication between clients and servers. This type of communication is necessary when transporting sensitive information like credit card processing or administrator passwords.

SSL is a protocol that uses TCP/IP on behalf of the higher-level protocols like HTTP. This protocol allows a SSL-enabled server to authenticate itself to a SSL-enabled client. In order to use SSL the client must request a connection on port 443 instead of the typical port 80 used by a web browser.

For either self signed or a commercial type of certificate, you’ll first need to create an encryption key:

sudo openssl genrsa -des3 -out server.key 1024
Password:
Generating RSA private key, 1024 bit long modulus
…………………….++++++
……………………….++++++
e is 65537 (0×10001)
Enter pass phrase for server.key:
Verifying – Enter pass phrase for server.key:

You’ll now use this key to create a certificate request:

sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MT
Locality Name (eg, city) []:TC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: ubmail.example.com/postfixadmin
Email Address []:fsmith@example.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

If you need a commercial certificate, you’ll now send this request to a commercial CA.  If you’re creating your own self-signed certificate, you’ll use this request in the next step:

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key     -out server.crt
Signature ok
subject=/C=US/ST=MT/L=TC/O=MyCompany/CN=ubmail.example.com/postfixadmin/emailAddress=fsmith@example.com
Getting Private key
Enter pass phrase for server.key:

Now, you’ll need to install the key and certificate by copying them to the appropriate directories:

sudo cp server.crt /etc/ssl/certs

Open the /etc/apache2/sites-available/your_site_file  for editing.  In the “Virtual Host” section, under the “DocumentRoot” line, modify the following lines:

DocumentRoot  /var/www/my_website/postfixadmin

The goal is to impact only the postfixadmin directory of your site so that users can normally go to the other locations without knowing that the postixadmiin directory location is different.

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Save and exit.

Enable the default SSL site:
Or enable  your site.  Remember if you are using virtual hosting you will have to use IP Based virtual hosting to assign the SSL to an IP Address.

sudo  a2ensite default-ssl

After all of this is done, restart Apache:

service apache2 restart

Apache/2.2.12 mod_ssl/2.2.12 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.1.1:80 (RSA)
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
[ ok ]

Now that you’ve installed  the private encryption key, you’ll need to supply your passphrase every time you start or restart Apache.

Once you get the “https” prefix right, you’ll get this if you’re using a self-signed certificate.  You will have the choice to accept or reject the self-signed certificate.

You can accept the certificate, but you’re not through yet.  There’s also the little detail of having a domain name on the certificate that doesn’t match the URL.

You can choose to view the certificate before deciding whether to accept or reject it.

You can see from the example above that the attempt to connect using regular http will not allow a connection but also you can see that if you type https://ubmail.example.com/postfixadmin it sends you to a secure login for the postfixadmin and you can use it securely.

Password Protected Directory
Now lock down the directory so only and administrator with a password can get access.

Apache provides Password Authentication to directories using the htpasswd program. The first thing that needs to be done is to decide on where to place these password files. It is important that they are not placed in areas that are easily accessed as they should only be read by apache. It is probably best to place them in the /etc/apache2 directory. You may even want to create a separate more secure directory called within /etc/apache2. Use the htpasswd program to initialize a file for sales for example:

sudo htpasswd -c /etc/apache2/postfixadmin tom

The program will request a password and then to confirm the password. The -c option creates the file so DO NOT USE IT THE SECOND TIME!!!! If you do it will wipe out the first users you placed in the file. The password file will contain passwords for any number of people you want to have access to this folder. For example if you wanted to add mary later you would use this command:

sudo htpasswd /etc/apache2/postfixadmin mary

The next step is to make sure the permissions are correct on the password files. Change the owner to apache and change permissions to 600.

chown www-data:www-data postfixadmin

The owner and group were changed to www-data. Note you will need to verify these permissions each time changes are made to the file.

chmod 600 postfixadmin

Now the file rights are rw for the owner and nothing for group or other. This is an important setting.

Once a password file has been created, the directory that needs to be protected should be setup in the config file for your web server. The Directory directive is used to create the context of the file by using:

<Directory >
</Directory>

The first line shows which directory the password will protect.

<Directory /var/www/postfixadmin>

The second line determines the kind of authentication, which is Basic.

AuthType Basic

The AuthName will show on the login this text string to verify which group should use this directory.

AuthName “Admin Group”

The AuthUserFile is the file location for the password file.

AuthUserFile /etc/apache2/postfixadmin

Each user of the directory may be determined with specific listing of the user name and the inclusion of that password in the /etc/apache2/postfixadmin password file. “require user” will mandate that no one will be able to use this directory except those users listed. require user tom jane mary joe

If there were a lot of people using the directory one password could be given to all users in the admin group for example.

<Directory /var/www/postfixadmin>
AuthType Basic
AuthName “Admin  Group”
AuthUserFile /etc/apache2/postfixadmin
require user tom jane mary joe
</Directory>

Once you have saved this restart apache and then you can see below that now not only is it encrypted but users have to have a password to access the directory.

Tags: , ,

Comments are closed.