Create the certificate PEM file for Axigen Mailserver

A. Create the certificate PEM file – let’s call it my_domain.pem

Axigen uses a .pem file that stores both the unencrypted private key and the SSL certificate, which may have been provided to you in a .crt file.
Please note that the private key file must be the one that was generated and used when you requested the SSL certificate. If you did not save it (or have lost it since), your SSL certificate is useless, because the private key cannot be regenerated.

  • Private key – let’s say you have saved it in my_domain.key; it should contain several text lines like:
Code:
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAASSSgEAvlvYrl1VutgpBD4EZztydddcX8zB6b6b0+NLV4jhk6zaQTa
aRTlgO6hgvLjvzrHgFFecYxtqJa03mVJUmu21dqNa7PRAK8Lt6zb50K7P+lt+rkv
0PcALacpSIYuiColzk4muiIas8UocEyo9pMhcn4zEHOX9tOSF7qEUPW23p4ymXj8
...
jBumY4c6ToPmCSB+/cRVcHkUvaUIuqmAkAKnKmFhwjnbeJN4RKPiKxUUg5LTgwLU
dmj40cldomBSpD/oDRpk0w6pjwZ2VxThPfYMIAqKmhCHRLlaUeVZfmscjnOdud0p
O2iJMn4v8PTFCFGnCIDjpXpQ3+igUfGBmd7CUjW0s/rx1FBhbGdaw3bDrHWadDvd
-----END RSA PRIVATE KEY-----

Note: The unencrypted private key can be extracted from an encrypted one with the following command:

Code:
openssl rsa -in my_domain.key.encrypted -out my_domain.key

If the encrypted key is protected by a passphrase, enter it when prompted; otherwise the decryption (as expected) will fail.

  • Certificate – let’s say you have saved it in my_domain.crt; it should contain several text lines like:
Code:
-----BEGIN CERTIFICATE-----
MIIF5jCCBM6gAwIBAgIDFG92sXNLl0hoWCVEbY3sHBBBgkqhkiG9w0BAQsFADB4
VR0PBAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBTdp0KFhrW6
AHoysW9/RJ0Yt6RR6zAfBgNVHSMEGDAWgBTrQjTQmLCrn/Qbawj3zGQu7w4sRTAm
...
PL4Jfc7xOn6S0DOr4spUxyVj8QO2htzJq358Nto1zY1hSQn9/u3AefaHG0S/n9vO
DzOL1uUVzjjvk9ulZPJo/6JRyHiSnWOa3Hs0MDpQzS4I6t6XM6M7FMfDMTtk4IK8
lQtuFho0a0hmDjMmujDKwyy9iQu/aRW99N66YBiezjH3
-----END CERTIFICATE-----

Now you can prepare your my_domain.pem like:

Code:
cat my_domain.key my_domain.crt > ${AXIGEN_WORK_DIR}/my_domain.pem

B. (Optional) create the CA (Certificate Authority) CERT file – let’s call it my_CA.pem
This file should contain all CA certificates (root and intermediate ones) you have received from the certificate issuer.

This should be as simple as:

Code:
cat CA_root.crt CA_intermediate1.crt CA_intermediate2.crt > ${AXIGEN_WORK_DIR}/my_CA.pem

C. Axigen Configuration
Assuming that you have saved the mandatory my_domain.pem and the optional my_CA.pem files in the Axigen working directory (and that the files are readable by the user the Axigen process runs as), you can now configure the SSL listener(s) with your new certificate:

Connect to WebAdmin and go to Service > Listener > SSL

  • Certificate file: my_domain.pem
  • (optional) Certificate authorities file: my_CA.pem
  • Save configuration

Note: If you want to use the self-signed certificate generated by Axigen at installation time, use the axigen_cert.pem file, which is also stored in the Axigen working directory.

After you have finished the certificate configuration you can test your SSL listener locally like this:

Code:
openssl s_client -connect <listener_ip>:<listener_port>

Secure AXIGEN against brute-force with Fail2Ban [Linux]

Fail2Ban (http://wikipedia.org/wiki/Fail2ban) protects your server against intruders who try to guess passwords by brute force.
It lets you monitor standard services such as SSH, Apache, etc.

AXIGEN can also be secured against password attacks this way.

The following steps are necessary (they may differ depending on your distribution):

Step 1: Install Fail2Ban
Step 2: Create a shell script:

#!/bin/bash
# $1 - secure log file to write to (optional)
LOG_AXI="/var/opt/axigen/log/everything.txt"
if [ -z "$1" ]
then
    LOG_SEC=/var/opt/axigen/log/secure.txt
else
    LOG_SEC="$1"
fi
# Follow the Axigen log and pick out authentication failures
tail --retry --follow=name "$LOG_AXI" | while read -r l
do
    timestamp=$(date '+%d-%m-%Y %T')
    case "$l" in
    *"Authentication error"*|*"could not authenticate user"*|*"error authenticating user"*)
        # Field 6 is the session id, e.g. IMAP:000000CC:
        sid=$(echo "$l" | awk '{print $6}')
        if [ -n "$sid" ]
        then
            # The first log line for this session carries the client address ([ip:port]) as its last field
            con_ip=$(grep -m 1 "$sid" "$LOG_AXI" | awk '{print $NF}' | sed 's/\[//g;s/:.*$//g')
            if [ -n "$con_ip" ]
            then
                echo "$timestamp $l from $con_ip" >> "$LOG_SEC"
            fi
        fi
        ;;
    esac
done

Step 3: Make sure that the script runs automatically, for example from /etc/inittab.

Notes:
If AXIGEN writes the log file to another location, please adjust the path in the variable $LOG_AXI accordingly.
Log rotation should be set up for the secure.txt file.
Test the script as follows:
Start the script.
Check the contents of secure.txt.
Perform a failed login; it should be reported as follows:

18-07-2014 14:35:42 07-28 14:35:42 +0300 02 localhost IMAP:000000CC: Authentication error for user ‘user1@localdomain’: Invalid password from 192.168.1.101

Step 4: Create a new Fail2Ban filter, for example axigen.cfg under /etc/fail2ban/filter.d, with the following content:

# Fail2Ban configuration file
[Definition]
failregex = from <HOST>

Step 5: Configure Fail2Ban by extending jail.conf under /etc/fail2ban with the following jail:

[axigen]
enabled = true
filter = axigen
port = all
logpath = /var/opt/axigen/log/secure.txt
bantime = 100
maxretry = 3
banaction = iptables-allports

Adjust the maximum number of failed attempts, the ban time and the log path as appropriate.
Then restart fail2ban.
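The session-to-IP correlation that the Step 2 watcher performs, and the `from <HOST>` match that the Step 4 filter applies to the resulting secure.txt lines, as an added example that is not part of the forum post: the functions below run offline over a constructed excerpt of everything.txt so the extraction can be checked before the script is wired into Fail2Ban. The authentication-failure line mirrors the post's sample; the connection line that carries the client address as its last field, and the session id sitting in field 6, are assumptions about the log layout taken from what the watcher script itself relies on. One caveat for Step 4: Fail2Ban resolves `filter = axigen` in the jail to /etc/fail2ban/filter.d/axigen.conf, so the filter file must carry that name for the jail to load.

```sh
#!/bin/sh
# Added example, not from the forum post: the watcher's extraction logic and
# the filter's host match, runnable against a constructed log excerpt.
set -eu

# Constructed excerpt of everything.txt: a connection line per session, one
# authentication failure for session IMAP:000000CC: and a successful login
# for another session. The connection-line layout is an assumption.
SAMPLE_LOG="07-28 14:35:40 +0300 02 localhost IMAP:000000CC: Connection accepted from [192.168.1.101:51234]
07-28 14:35:41 +0300 02 localhost IMAP:000000CD: Connection accepted from [10.0.0.7:40001]
07-28 14:35:42 +0300 02 localhost IMAP:000000CC: Authentication error for user 'user1@localdomain': Invalid password
07-28 14:35:43 +0300 02 localhost IMAP:000000CD: Login successful for user 'bob@localdomain'"

# Print the client IP recorded on the first log line that carries the given
# session id; this is the grep/awk/sed pipeline of the watcher script.
# $1 = session id (e.g. IMAP:000000CC:), $2 = log file
ip_for_session() {
    grep -m 1 "$1" "$2" | awk '{print $NF}' | sed 's/\[//g;s/:.*$//g'
}

# Turn the authentication-failure lines of a log file into secure.txt lines
# of the form "<stamp> <original line> from <ip>". The watcher uses `date`
# for the stamp; here it is passed in ($2) so the output is reproducible.
# $1 = log file
extract_failures() {
    while IFS= read -r l; do
        case "$l" in
        *"Authentication error"*|*"could not authenticate user"*|*"error authenticating user"*)
            sid=$(printf '%s\n' "$l" | awk '{print $6}')
            [ -n "$sid" ] || continue
            con_ip=$(ip_for_session "$sid" "$1")
            if [ -n "$con_ip" ]; then
                printf '%s %s from %s\n' "$2" "$l" "$con_ip"
            fi
            ;;
        esac
    done < "$1"
}

# What "failregex = from <HOST>" boils down to for an IPv4 address: print the
# host part of a secure.txt line, or nothing when the line would not match.
fail2ban_host() {
    printf '%s\n' "$1" | sed -n 's/.* from \([0-9][0-9.]*\)$/\1/p'
}

# Stand-alone run: write the sample, extract, and show what Fail2Ban would ban.
main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    extract_failures "$tmp" "$(date '+%d-%m-%Y %T')" | while IFS= read -r line; do
        printf 'secure.txt: %s\n' "$line"
        printf 'ban candidate: %s\n' "$(fail2ban_host "$line")"
    done
    rm -f "$tmp"
}
```

Running the block prints one secure.txt line for the failed login and 192.168.1.101 as the address the jail would act on; the successful login for the other session produces nothing, which is the behaviour to confirm before the watcher feeds a real jail with `banaction = iptables-allports`.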


From http://www.axigenmailgate.de/forum/archive/index.php/t-935.html