Notes administration Linux Ubuntu Raspberry MacOsX Windows : avril 2014

dimanche 20 avril 2014

advanced settings firewall windows vista & seven

Lancer sur la ligne de commande wf.msc

Permet, en autre, de bloquer les connexions sortantes.

mercredi 9 avril 2014

Activer ssl / tls DOVECOT ubuntu 8.04 IMAPS

Dovecot SSL Configuration

To configure dovecot to use SSL, you can edit the file /etc/dovecot/dovecot.conf and amend following lines:

ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
ssl_disable = no
disable_plaintext_auth = no

Si on génère des certificats selon la méthode ci-dessous, alors remplacer ssl-cert-snakeoil.pem ssl-cert-snakeoil.key par les server.crt server.key

Generating a Certificate Signing Request (CSR)

Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key.

If the certificate will be used by service daemons, such as Apache, Postfix, Dovecot, etc, a key without a passphrase is often appropriate. Not having a passphrase allows the services to start without manual intervention, usually the preferred way to start a daemon.

This section will cover generating a key with a passphrase, and one without. The non-passphrase key will then be used to generate a certificate that can be used with various service daemons.


	Running your secure service without a passphrase is convenient because you will not need to enter the passphrase every time you start your secure service. But it is insecure and a compromise of the key means a compromise of the server as well.

To generate the keys for the Certificate Signing Request (CSR) run the following command from a terminal prompt:

openssl genrsa -des3 -out server.key 1024

%%%

Generating RSA private key,

1024 bit long modulus .....................++++++ .................++++++

unable to write 'random state' e is 65537 (0x10001)

Enter pass phrase for server.key:

You can now enter your passphrase. For best security, it should at least contain eight characters. The minimum length when specifying -des3 is four characters. It should include numbers and/or punctuation and not be a word in a dictionary. Also remember that your passphrase is case-sensitive.

Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in theserver.key file.

Now create the insecure key, the one without a passphrase, and shuffle the key names:

openssl rsa -in server.key -out server.key.insecure

mv server.key server.key.secure

mv server.key.insecure server.key

The insecure key is now named server.key, and you can use this file to generate the CSR without passphrase.

To create the CSR, run the following command at a terminal prompt:

openssl req -new -key server.key -out server.csr

It will prompt you enter the passphrase. If you enter the correct passphrase, it will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file.

You can now submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate. On the other hand, you can create self-signed certificate using this CSR.

Creating a Self-Signed Certificate

To create the self-signed certificate, run the following command at a terminal prompt:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The above command will prompt you to enter the passphrase. Once you enter the correct passphrase, your certificate will be created and it will be stored in the server.crt file.


	If your secure server is to be used in a production environment, you probably need a CA-signed certificate. It is not recommended to use self-signed certificate.

Installing the Certificate

You can install the key file server.key and certificate file server.crt, or the certificate file issued by your CA, by running following commands at a terminal prompt:

sudo cp server.crt /etc/ssl/certs

sudo cp server.key /etc/ssl/private

Now simply configure any applications, with the ability to use public-key cryptography, to use the certificate and key files. For example, Apache can provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.

Si l'on veut un certificat qui dure plus longtemps que 365 jours simplement indiquer le nombre de jours voulus dans l'option -days

Avertissement

Ce blog est d'abord pour mon usage personnel. Il est une version on-line de mon carnet de notes qui était anciennement un cahier en papier.

Je ne garantis absolument aucune information publiée ici. J'hésite encore à rendre "privé" ce blog. Je le laisse public pour le moment. Si ces notes vous rendent service, tant mieux, sinon tant pis.

Attention, je suis un utilisateur expérimenté des systèmes unix. Ces notes souvent sommaires me suffisent à me souvenir de ce qu'il faut faire... ce ne sera pas forcément le cas pour vous. Inutile de m'en demander plus, je ne répondrai à aucune question.

Vous pouvez néanmoins laisser un commentaire si vous avez trouvé ici une information qui vous a été utile et donner un feedback sur ce qui a marché ou non pour vous.

Rechercher dans ce blog