This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

SMTP..POP..IMAP (Vulernablilty) Certificate Error
#11
RE: SMTP..POP..IMAP (Vulernablilty) Certificate Error
When I go to those URLs now, they say 'forbidden'. This is not good enough?
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:
#12
RE: SMTP..POP..IMAP (Vulernablilty) Certificate Error
(06-18-2017, 01:34 AM)TGates Wrote: When I go to those URLs now, they say 'forbidden'. This is not good enough?

It says that cuz u already visited the URL before in ur browser. 

look at what i mean here: 
http://i.imgur.com/EJdKs79.gifv

[Image: EJdKs79.gif]

Sad
Reply
Thanks given by:
#13
RE: SMTP..POP..IMAP (Vulernablilty) Certificate Error
:c I can't think of way to fix this.
Reply
Thanks given by:
#14
RE: SMTP..POP..IMAP (Vulernablilty) Certificate Error
I just tested a custom vhost entry that redirects smtp.domain.com to wherever I point it too.
So, accessing either port 80 or 443 will redirect to wherever you choose yet should still allow access to your mail ports.
Non-SSL:
Code:
</VirtualHost>
<virtualhost *:80>
ServerName smtp.domain.com
ServerAdmin webmaster@domain.com
Redirect permanent / https://www.google.com/
SSL:
Code:
</VirtualHost>
<virtualhost *:443>
ServerName smtp.domain.com
ServerAdmin webmaster@domain.com
Redirect permanent / https://www.google.com/
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/mail.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mail.domain.com/chain.pem
# Keeping below for future upgrades.
# Requires Apache >= 2.4
SSLCompression off
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by: M0HX
#15
RE: SMTP..POP..IMAP (Vulernablilty) Certificate Error
(06-20-2017, 02:56 AM)TGates Wrote: I just tested a custom vhost entry that redirects smtp.domain.com to wherever I point it too.
So, accessing either port 80 or 443 will redirect to wherever you choose yet should still allow access to your mail ports.
Non-SSL:
Code:
</VirtualHost>
<virtualhost *:80>
ServerName smtp.domain.com
ServerAdmin webmaster@domain.com
Redirect permanent / https://www.google.com/
SSL:
Code:
</VirtualHost>
<virtualhost *:443>
ServerName smtp.domain.com
ServerAdmin webmaster@domain.com
Redirect permanent / https://www.google.com/
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/mail.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mail.domain.com/chain.pem
# Keeping below for future upgrades.
# Requires Apache >= 2.4
SSLCompression off

Thank you so much!

I edited the above codes so that I don't have to enter a custom vhost entry for each subdomain (smtp..imap..etc) 

here's my last settings:

httpd.conf
Code:
# Sentora Apache Include file
# Written by Bobby Allen, 15/05/2011

# Set the Sentora Alias (used for development, sable will eventually use a VHOST)
#Alias
/Sentora /etc/sentora/panel

# Set a default server name for the master configuration to supress Apache daemon warnings
ServerName localhost

# Setup the directory settings and PHP security flags for the Sentora application directory.
<Directory /etc/sentora/panel>
    Options +FollowSymLinks
    DirectoryIndex index.php
    <IfModule mod_php5.c>
        AddType application/x-httpd-php .php
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
        php_admin_value upload_tmp_dir /var/sentora/temp
    </IfModule>
</Directory>

# Disallow web access to directories that don't need it/that we don't want people looking in!
<Directory /etc/sentora/panel/cnf/>
    Require all denied 
</Directory>
<Directory /etc/sentora/panel/modules/*/hooks>
    Require all denied 
</Directory>

# Set server tokens
ServerTokens Prod

####################################################################

#Default
entry for any undefined domain or direct IP access
<VirtualHost *:80>
        Redirect / http://domain.com/
</VirtualHost>
#Default
entry for any undefined domain or direct IP access
<VirtualHost *:443>
        Redirect / http://domain.com/
</VirtualHost>



####################################################################

# Now we include the generic VHOST configuration file that holds all Sentora user hosted vhost data
Include /etc/sentora/configs/apache/httpd-vhosts.conf
Include /etc/sentora/configs/apache/httpd-ssl-vhosts.conf

httpd-ssl-vhosts.conf
Code:
################################################################
# Apache VHOST configuration file for both http and https to work!
# Set 443 in Sentora Port and VHost for domain and here only 80!
################################################################

# ports to listen (only required ones):
Listen 443



##################################################
# Configuration for Sentora control panel | cp.domain.com | SSL
<virtualhost *:443>
ServerName cp.domain.com
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ErrorLog "/var/sentora/logs/sentora-error.log" 
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
    AllowOverride All
    Require all granted
</Directory>

# Custom settings are loaded below this line (if any exist)
SSLEngine on

SSLProtocol ALL -SSLv2 -SSLv3

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

SSLCertificateFile /etc/letsencrypt/live/cp.domain.com/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/cp.domain.com/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/cp.domain.com/chain.pem

# Keeping bellow for future upgrades.

# Requires Apache >= 2.4

SSLCompression off
</VirtualHost>
##################################################


################################################################
# Configuration for domain | domain.com | SSL


# DOMAIN: domain.com
<virtualhost *:443>
ServerName domain.com
ServerAlias  www.domain.com
ServerAdmin zadmin@localhost
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/domain.com-error.log" 
CustomLog "/var/sentora/logs/domains/zadmin/domain.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/domain.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/">
  Options +FollowSymLinks -Indexes
  AllowOverride All
  Require all granted
</Directory>
AddType application/x-httpd-php .php3 .php
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)
SSLEngine on

SSLProtocol ALL -SSLv2 -SSLv3

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem

# Keeping bellow for future upgrades.

# Requires Apache >= 2.4

SSLCompression off
</virtualhost>
# END DOMAIN: domain.com
################################################################


## No Certificate subdomains fix. SSL ERROR fix
###################
<virtualhost *:443>
ServerName mail.domain.com
ServerAlias *.domain.com
ServerAdmin admin@domain.com
Redirect permanent / http://domain.com/
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/mail.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mail.domain.com/chain.pem
# Keeping below for future upgrades.
# Requires Apache >= 2.4
SSLCompression off
</VirtualHost>


It still may say (SSL ERROR) but it won't expose the IP/User.. Instead it will give error mismatch certificate which is the (mail.domian.com) I think its nice way to handle it!

Also I think if i got *.domain.com wildcard SSL certificate. I won't get any errors :p cuz certificate will be for all!
sadly letsencrypt doesn't provide wildcards yet :c

Again.. thank you so much ^^.  Heart
Reply
Thanks given by:
#16
RE: SMTP..POP..IMAP (Vulernablilty) Certificate Error
No problem. Glad that it is sorted out!
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Repo update error hostingms 3 6 ,829 02-14-2024, 09:20 AM
Last Post: TGates
apt-get install mod_ssl ERROR CMs222 9 28 ,357 11-11-2022, 09:14 PM
Last Post: zustudios
Sentora debug and error files johnnyp 0 1 ,596 10-27-2022, 06:16 PM
Last Post: johnnyp

Forum Jump:


Users browsing this thread: 2 Guest(s)