31st December 2012, 15:20
zapyahoo

Hello Falko,

For some reason my postfix installation had no SSL cert. Reading the how-to, there's no mention of it. So I had to do a bunch of things; off the top of my head, below are some important steps.

Made sure that postfix, dovecot and roundcube were using the same SSL "mail" and not the ISPConfig "cp" SSL.
Although the "mail" SSL location files are different (just copies). That's something I'm going to implement next, because it will be easier to replace when they expire, postfix, dovecot and apache2 will pull the SSL "mail" from the same location.

So, to start I added my mail.domain.com STARTSSL to postfix main.cf
cd /etc/postfix
ln -s /etc/ssl/roundcube/ssl.crt smtpd.cert
ln -s /etc/ssl/roundcube/ssl.key smtpd.key
main.cf
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_CAfile = /etc/ssl/roundcube/sub.class1.server.ca.crt

Also in the apache2 vhost roundcube.conf
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile /etc/ssl/roundcube/ssl.crt
SSLCertificateKeyFile /etc/ssl/roundcube/ssl.key
SSLCertificateChainFile /etc/ssl/roundcube/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/roundcube/ca.pem

and to finish it, dovecot.conf
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key

Restarted all services and did an ISPConfig php -q update.php to integrate all this.

**********
I also "frankensteined" my 2 DNS servers to be integrated with ISPConfig. I always read that we should start with a clean ISPConfig installation ... no, that's 2 easy
The reason was that my NS1 also had cacti and nagios3 running, and I wanted to keep all the hosts configuration and databases for them.

went smooth... Right now I already have them beautifully integrated as master and slave NS's in ISPconfig keeping my cacti and nagios.

Also added DNSSEC to both servers, you guys have no dnssec integration
**********
Today or tomorrow will integrate the webserver + database server to the ISPConfig setup.
Could have done this already, I already have "the" webserver running and it's my crown jewel. Apache2 and mysql are tweaked to perfection with 100ms response times, 2/3 seconds total page load times for heavy Joomla / Jomsocial websites... over WAN. This one will not be a clean ISPConfig install
**********
Later this week will start testing openvz server integrated into ISPConfig3, very familiar with VM's like sphere and virtualbox but never used openvz before. The only thing I like about openvz is the fact that it is "open", and that's about it... the project seems stalled or dead and it's officially the slowest virtual machines in the world. Google says so.

If I'm not happy with it, as a future project might pull a stunt and develop a module to integrate virtualbox into ISPConfig. Virtualbox is free and has good support and runs on all sorts of hosts, each vmachine has an individual identifier, good control over cores/ram/eth, etc. and it's fast.
**********

Some people are happy if it runs, I'm only happy when it's fast and the error log shows 0 entries...
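An added example, not part of the post above: a check that postfix, apache2 and dovecot all resolve to one certificate file and one key file, so a renewal touches a single location. The function names (`audit`, `single_source`, `build_tree`, `demo`) and the regexes are this example's own, and the file contents are dummy placeholders in a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Directive names are the ones in the post; the regexes are this example's own.
DIRECTIVES = {
    "postfix": (r"smtpd_tls_cert_file\s*=\s*(\S+)", r"smtpd_tls_key_file\s*=\s*(\S+)"),
    "apache2": (r"SSLCertificateFile\s+(\S+)", r"SSLCertificateKeyFile\s+(\S+)"),
    "dovecot": (r"ssl_cert\s*=\s*<(\S+)", r"ssl_key\s*=\s*<(\S+)"),
}
# Constructed sample input: the cert/key lines of the post's three configs.
CONFIGS = {
    "postfix": "smtpd_tls_cert_file = /etc/postfix/smtpd.cert\nsmtpd_tls_key_file = /etc/postfix/smtpd.key\n",
    "apache2": "SSLCertificateFile /etc/ssl/roundcube/ssl.crt\nSSLCertificateKeyFile /etc/ssl/roundcube/ssl.key\n",
    "dovecot": "ssl_cert = </etc/postfix/smtpd.cert\nssl_key = </etc/postfix/smtpd.key\n",
}

def audit(configs, root=""):
    """Map each real (symlink-resolved) cert/key file to the services loading it."""
    report = {"cert": {}, "key": {}}
    for service, text in configs.items():
        for role, pattern in zip(("cert", "key"), DIRECTIVES[service]):
            match = re.search(r"^\s*" + pattern, text, re.MULTILINE)
            if match:
                real = os.path.realpath(root + match.group(1))
                report[role].setdefault(real, []).append(service)
    return report

def single_source(report):
    """True when every service resolves to one cert file and one key file."""
    return all(len(report[role]) == 1 for role in ("cert", "key"))

def build_tree(root, symlinks):
    """Recreate the post's layout under root, with dummy file contents."""
    ssl_dir, postfix_dir = Path(root, "etc/ssl/roundcube"), Path(root, "etc/postfix")
    for directory in (ssl_dir, postfix_dir):
        directory.mkdir(parents=True)
    for src, dst in (("ssl.crt", "smtpd.cert"), ("ssl.key", "smtpd.key")):
        (ssl_dir / src).write_text("dummy " + src)
        if symlinks:
            (postfix_dir / dst).symlink_to(ssl_dir / src)   # what `ln -s` does in the post
        else:
            (postfix_dir / dst).write_text("dummy " + src)  # separate copy, renewed separately

def demo(symlinks):
    with tempfile.TemporaryDirectory() as root:
        build_tree(root, symlinks)
        return single_source(audit(CONFIGS, root))
```

`demo(True)` models the symlinked layout and `demo(False)` the copied one; on a live host, `audit()` would be fed the real config file contents with `root` left empty.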