(source: http://www.starbridge.org/spip/spip.php?article12&artsuite=6#sommaire_1 and http://howto.landure.fr/gnu-linux/debian-4-0-etch/creer-un-certificat-ssl-multi-domaines)
Installing Apache, MySQL and PHP:
aptitude install apache2 mysql-server php5 php5-mysql phpmyadmin
Configuring secure (SSL) mode for Apache:
Enabling SSL:
a2enmod ssl
Creating the virtual host:
cd /etc/apache2/sites-available/
vi ssl
And paste:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@mdl29.net
    ServerName www.mdl29.net
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        # Commented out for Ubuntu
        #RedirectMatch ^/$ /apache2-default/
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride AuthConfig
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/mdl29-certkey-www.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
Edit the ports.conf file to check that port 443 is listed there (which should already be the case):
vi /etc/apache2/ports.conf
and add the following line (if needed):
listen 443
Enabling the virtual host:
a2ensite ssl
Generating the certificates:
Edit the SSL configuration so that certificates can be signed for 10 years instead of the default 1 year (that way we are left alone for longer):
vi /etc/ssl/openssl.cnf
and change the default_days line to
default_days = 3650
Creating the root certificate:
cd ~
mkdir CERT
/usr/lib/ssl/misc/CA.pl -newca
Enter the required parameters and choose a pass phrase; leave "challenge password" empty.
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......
.........................................
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Brest
Locality Name (eg, city) []:Brest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdl29.net
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mdl29.net
Email Address []:tech@mdl29.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
//blablabla//
Data Base Updated
Creating a private key for the server and an unsigned public certificate.
It is important to create a certificate with the same name as the one used for the connection (e.g. if you connect to the web server as www.mdl29.net, you must create a certificate whose "Common Name" is www.mdl29.net).
Create an unsigned public certificate and a key, then sign it with the CA:
cd ~/CERT
openssl req -new -nodes -keyout mdl29-key-www.pem -out mdl29-req-www.pem -days 3650
Enter the information, taking care to set the Common Name to www.mdl29.net. You must also enter the same information that was entered for the CA earlier.
cd ~
openssl ca -out CERT/mdl29-cert-www.pem -infiles CERT/mdl29-req-www.pem
cd CERT/
cat mdl29-key-www.pem mdl29-cert-www.pem > mdl29-certkey-www.pem
mkdir /etc/apache2/ssl
cp mdl29-certkey-www.pem /etc/apache2/ssl/
chmod 600 /etc/apache2/ssl/mdl29-certkey-www.pem
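The certificate steps above, scripted as an added example (not the page's own commands): it uses openssl req/x509 in place of the interactive CA.pl and 'openssl ca', then checks what a browser checks, namely that the server certificate chains to the CA and that its Common Name equals the ServerName. It assumes openssl is installed; the DN values and file names are constructed here.

```shell
#!/bin/sh
# Added example, not from the page: the CA / server-cert steps above, scripted
# with openssl req/x509 instead of the interactive CA.pl, plus the check a
# browser performs (chain to the CA, Common Name equal to the ServerName).
# Assumes openssl is installed; DN values and file names are constructed here.
set -eu

# make_site_cert DIR CN: 10-year CA (default_days = 3650 above), server key and
# request with Common Name CN, signed cert, and the combined key+cert file that
# SSLCertificateFile points at, all written under DIR.
make_site_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # Root CA. -nodes leaves the CA key unencrypted so this runs unattended;
    # the pass phrase CA.pl asks for above is the safer choice for a real CA.
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 \
        -subj "/C=FR/ST=Brest/L=Brest/O=mdl29.net/CN=mdl29.net" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # Server key + unsigned request; CN must be the name clients type in.
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=FR/ST=Brest/L=Brest/O=mdl29.net/CN=$cn" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    # Sign with the CA (scripted equivalent of 'openssl ca' above).
    openssl x509 -req -days 3650 -in "$dir/req.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/certkey.pem"
    chmod 600 "$dir/certkey.pem"   # the key is inside, hence the page's chmod 600
}

# check_site_cert DIR CN: returns 0 only if cert.pem verifies against the CA
# and its subject CN is exactly CN (the mismatch the page warns about fails here).
check_site_cert() {
    dir=$1; cn=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    subj=$(openssl x509 -in "$dir/cert.pem" -noout -subject -nameopt RFC2253)
    subj=${subj#subject=}; subj=${subj# }        # RFC2253 order puts CN first
    got=${subj#CN=}; got=${got%%,*}
    [ "$got" = "$cn" ]
}

# Demo on a constructed throw-away directory.
demo=$(mktemp -d)
make_site_cert "$demo" www.mdl29.net
check_site_cert "$demo" www.mdl29.net && echo "www.mdl29.net: chain and CN OK"
rm -rf "$demo"
```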
Restart Apache:
/etc/init.d/apache2 restart
The SSL connection can be checked at https://ip_de_la_machine
Installing Roundcube:
aptitude install php5-ldap
Restart Apache:
/etc/init.d/apache2 restart
(check whether this part is necessary, since Roundcube makes no LDAP connection)
Under Lenny there is no Roundcube package, so we fetch the latest version (0.3.1):
cd /var/www
wget -O roundcubemail-0.3.1.tar.gz 'http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/0.3.1/roundcubemail-0.3.1.tar.gz?use_mirror=freefr'
tar -xzvf roundcubemail-0.3.1.tar.gz
(-O forces the local file name: without it wget keeps the ?use_mirror= query string in the name and the tar step fails to find the archive.)
Since access authorization for Roundcube is handled by Dovecot, the Roundcube configuration will be fairly basic.
Rename the directory (to make it easier to access):
mv roundcubemail-0.3.1 roundcube
Configuring Roundcube:
cd /var/www/roundcube/config
mv db.inc.php.dist db.inc.php
mv main.inc.php.dist main.inc.php
Create the database and the user:
mysql -u root -p
create database roundcube;
GRANT SELECT, INSERT, UPDATE, DELETE ON roundcube.* TO 'roundcube'@'localhost' IDENTIFIED BY '*****';
FLUSH PRIVILEGES;
quit
(replace '*****' with your password)
Import the database schema:
mysql -u root -p roundcube < ../SQL/mysql.initial.sql
The configuration files (/var/www/roundcube/config/db.inc.php and main.inc.php) must be adapted to your needs.
db.inc.php: edit the file to enter the password chosen for Roundcube's SQL user:
vi /var/www/roundcube/config/db.inc.php
and change the line:
$rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcube';
replacing pass with the password chosen above (also pay attention to the change at the end of the line).
main.inc.php: this file contains many comments explaining each parameter. Here is a working one (with the comments stripped to make it easier to read in this doc):
<?php
/*
 +-----------------------------------------------------------------------+
 | Main configuration file                                               |
 |                                                                       |
 | This file is part of the RoundCube Webmail client                     |
 | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                 |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
 +-----------------------------------------------------------------------+
*/
$rcmail_config = array();
$rcmail_config['debug_level'] = 1;
$rcmail_config['log_driver'] = 'file';
$rcmail_config['log_date_format'] = 'd-M-Y H:i:s O';
$rcmail_config['syslog_id'] = 'roundcube';
$rcmail_config['syslog_facility'] = LOG_USER;
$rcmail_config['log_dir'] = 'logs/';
$rcmail_config['temp_dir'] = 'temp/';
$rcmail_config['plugins'] = array();
$rcmail_config['enable_caching'] = FALSE;
$rcmail_config['message_cache_lifetime'] = '10d';
$rcmail_config['force_https'] = TRUE;
$rcmail_config['auto_create_user'] = TRUE;
$rcmail_config['default_host'] = 'imap://mdl29.net:143';
$rcmail_config['default_port'] = 143;
$rcmail_config['imap_auth_type'] = null;
$rcmail_config['imap_root'] = null;
$rcmail_config['imap_delimiter'] = null;
$rcmail_config['username_domain'] = '';
$rcmail_config['mail_domain'] = '';
$rcmail_config['virtuser_file'] = '';
$rcmail_config['virtuser_query'] = '';
$rcmail_config['smtp_server'] = '';
$rcmail_config['smtp_port'] = 25;
$rcmail_config['smtp_user'] = '';
$rcmail_config['smtp_pass'] = '';
$rcmail_config['smtp_auth_type'] = '';
$rcmail_config['smtp_helo_host'] = '';
$rcmail_config['smtp_log'] = TRUE;
$rcmail_config['sql_debug'] = false;
$rcmail_config['imap_debug'] = false;
$rcmail_config['ldap_debug'] = false;
$rcmail_config['smtp_debug'] = false;
$rcmail_config['sendmail_delay'] = 0;
$rcmail_config['list_cols'] = array('subject', 'from', 'date', 'size', 'flag', 'attachment');
$rcmail_config['skin_include_php'] = FALSE;
$rcmail_config['session_lifetime'] = 10;
$rcmail_config['ip_check'] = false;
$rcmail_config['double_auth'] = false;
$rcmail_config['des_key'] = 'rcmail-!24ByteDESkey*Str';
$rcmail_config['language'] = 'fr_FR';
$rcmail_config['date_short'] = 'D H:i';
$rcmail_config['date_long'] = 'd.m.Y H:i';
$rcmail_config['date_today'] = 'H:i';
$rcmail_config['useragent'] = 'RoundCube Webmail/'.RCMAIL_VERSION;
$rcmail_config['product_name'] = 'RoundCube Webmail';
$rcmail_config['drafts_mbox'] = 'Drafts';
$rcmail_config['junk_mbox'] = 'Junk';
$rcmail_config['sent_mbox'] = 'Sent';
$rcmail_config['trash_mbox'] = 'Trash';
$rcmail_config['default_imap_folders'] = array('INBOX', 'Drafts', 'Sent', 'Junk', 'Trash');
$rcmail_config['create_default_folders'] = TRUE;
$rcmail_config['protect_default_folders'] = TRUE;
$rcmail_config['quota_zero_as_unlimited'] = TRUE;
$rcmail_config['mdn_requests'] = 0;
$rcmail_config['default_charset'] = 'ISO-8859-1';
$rcmail_config['enable_spellcheck'] = TRUE;
$rcmail_config['spellcheck_engine'] = 'pspell';
$rcmail_config['spellcheck_uri'] = '';
$rcmail_config['spellcheck_languages'] = NULL;
$rcmail_config['generic_message_footer'] = '';
$rcmail_config['http_received_header'] = false;
$rcmail_config['http_received_header_encrypt'] = false;
$rcmail_config['mail_header_delimiter'] = NULL;
$rcmail_config['session_domain'] = '';
$rcmail_config['address_book_type'] = 'sql';
$rcmail_config['ldap_public'] = array();
$rcmail_config['autocomplete_addressbooks'] = array('sql');
$rcmail_config['dont_override'] = array();
$rcmail_config['identities_level'] = 1;
$rcmail_config['include_host_config'] = false;
$rcmail_config['max_pagesize'] = 200;
$rcmail_config['mime_magic'] = '/usr/share/file/magic';
$rcmail_config['message_sort_col'] = 'date';
$rcmail_config['message_sort_order'] = 'DESC';
$rcmail_config['enable_installer'] = false;
$rcmail_config['log_logins'] = false;
$rcmail_config['delete_always'] = false;
$rcmail_config['min_keep_alive'] = 60;
$rcmail_config['email_dns_check'] = false;
$rcmail_config['skin'] = 'default';
$rcmail_config['pagesize'] = 40;
$rcmail_config['timezone'] = 'auto';
$rcmail_config['dst_active'] = (bool)date('I');
$rcmail_config['prefer_html'] = TRUE;
$rcmail_config['show_images'] = 0;
$rcmail_config['htmleditor'] = FALSE;
$rcmail_config['prettydate'] = TRUE;
$rcmail_config['draft_autosave'] = 300;
$rcmail_config['preview_pane'] = FALSE;
$rcmail_config['focus_on_new_message'] = true;
$rcmail_config['logout_purge'] = FALSE;
$rcmail_config['logout_expunge'] = FALSE;
$rcmail_config['inline_images'] = TRUE;
$rcmail_config['mime_param_folding'] = 1;
$rcmail_config['skip_deleted'] = FALSE;
$rcmail_config['read_when_deleted'] = TRUE;
$rcmail_config['flag_for_deletion'] = FALSE;
$rcmail_config['keep_alive'] = 60;
$rcmail_config['check_all_folders'] = FALSE;
$rcmail_config['display_next'] = FALSE;
$rcmail_config['index_sort'] = TRUE;
?>
Finally, what remains is:
chown -R www-data:www-data /var/www/roundcube
All that remains is to test the Roundcube login at https://ip_de_la_machine/roundcube .
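As an added pre-flight check (not from the page or from Roundcube) for the two files edited above: it flags a db_dsnw that still carries the 'pass' placeholder, a force_https other than TRUE, and a des_key that is not 24 characters long or is still the value in the listing above, which this check assumes to be the default shipped in main.inc.php.dist. File paths are parameters; the sample files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the page or of Roundcube: a pre-flight check for
# the two files edited above. It reports a db_dsnw that still carries the
# 'pass' placeholder, a force_https that is not TRUE, and a des_key that is
# not exactly 24 characters or is still the value in the listing above
# (assumed here to be the default shipped in main.inc.php.dist).
set -u

# rc_value FILE KEY: print the single-quoted string assigned to $rcmail_config['KEY']
rc_value() {
    sed -n "s/^[\$]rcmail_config\['$2'\] *= *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# check_roundcube_config DB_INC MAIN_INC: print each problem, return 1 if any
check_roundcube_config() {
    db=$1; main=$2; rc=0
    dsn=$(rc_value "$db" db_dsnw)
    case "$dsn" in
        '')           echo "db_dsnw: not found in $db"; rc=1 ;;
        *://*:pass@*) echo "db_dsnw: placeholder password 'pass' not replaced"; rc=1 ;;
    esac
    # force_https is a bare constant (TRUE), so it needs its own pattern
    https=$(sed -n "s/^[\$]rcmail_config\['force_https'\] *= *\([A-Za-z]*\).*/\1/p" "$main" | head -n 1)
    case "$https" in
        [Tt][Rr][Uu][Ee]) ;;
        *) echo "force_https: expected TRUE as in the listing above (got '$https')"; rc=1 ;;
    esac
    key=$(rc_value "$main" des_key)
    if [ "${#key}" -ne 24 ]; then
        echo "des_key: must be exactly 24 characters (got ${#key})"; rc=1
    elif [ "$key" = 'rcmail-!24ByteDESkey*Str' ]; then
        echo "des_key: still the shipped default, set a site-specific 24-char value"; rc=1
    fi
    return $rc
}

# Demo on constructed copies of the two files with the values from above.
demo=$(mktemp -d)
printf '%s\n' '<?php' \
  "\$rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcube';" > "$demo/db.inc.php"
printf '%s\n' '<?php' "\$rcmail_config['force_https'] = TRUE;" \
  "\$rcmail_config['des_key'] = 'rcmail-!24ByteDESkey*Str';" > "$demo/main.inc.php"
check_roundcube_config "$demo/db.inc.php" "$demo/main.inc.php" || echo "fix the above before going live"
rm -rf "$demo"
```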
Importing a Thunderbird address book: the 2vcard package must be installed.
Then export the Thunderbird address book (in ldif format, the default).
Then, in a terminal:
2vcard -f ldif -i fichier.ldif -o fichier.vcard
(replacing fichier with the name of your file)
All that remains is to import the address book (fichier.vcard) into Roundcube.