www.novell.com securing your groupwise ® system morris blackham software engineer novell, inc....
TRANSCRIPT
www.novell.com
Securing Your GroupWise® SystemSecuring Your GroupWise® System
Morris BlackhamSoftware EngineerNovell, [email protected]
Danita ZanrèSenior ConsultantCaledonia Network [email protected]
Michael BellSoftware DeveloperArmana [email protected]
Vision…one NetA world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
MissionTo solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world
Session Objectives
• Understand pre-requisites and configuration for:
• SSL WebAccess, GWIA, MTP, MTA/POA HTTP
• Server certificates Generating CSRs, obtaining certificates—third-party
or Novell Certificate Server
• GWIA Securing connections Preventing GWIA from being an open relay
Session Objectives (cont.)
• Securing Internet post offices without a VPN Reduce infrastructure costs without sacrificing
security
• Antivirus/content filtering Protect your system from the flood of e-mail
viruses
• LDAP authentication to the GroupWise® mailbox Single password for Novell eDirectory™, the
GroupWise Client, and WebAccess
SSL and Certificates
• GroupWise agents use OpenSSL implementation
• Generating Certificate Signing Request (CSR) GWCSRGEN.EXE with GroupWise 6 SP1 OpenSSL—create CSR or self-signed certificates
• Obtaining certificates Third-party Certificate Authorities Verisign, Thawte Novell Certificate Server
Using GWSCRGEN
* Note: All fields MUST be filled in
Filenames must be 8.3 format
Use 2 char abbreviation
Do not use abbreviation
Fully qualified DNS hostname of server
Securely Using the Internet as a WAN: Prerequisites
• GroupWise 6 SP1 agents at all WAN nodes MTA-MTA (Domain-to-Domain) MTA-POA (Domain-to-Post Office)
• Signed certificates imported to all WAN node agents
GWCSRGEN.EXE available for generating CSRs
• Agent with certificate is now SSL-enabled for message transfer
GWIA—Securing Your Connections
• Secure SMTP transactions using STARTTLS Connecting SMTP host must also support STARTTLS (you can test by sending to
myrealbox.com)
• Secure POP3/IMAP4 Support on ports 995 (POP3) and 993 (IMAP4) Also support STARTTLS method with ports 110 and
143
• HTTPS connection for HTTP monitoring
GWIA—Preventing Relaying
• GWIA 6 Relaying is disabled by default Relaying is now denied at a SMTP daemon level Relay exceptions can be IP addresses or address range Added SMTP AUTH, if POP/IMAP clients use authentication
on outbound SMTP, relay access control is bypassed
• GWIA 5.5 and 5.5EP Apply latest support pack or FTF to eliminate
“[email protected]” from being relayed
GWIA Anti-Virus Solutions
• Use of SMTP home directory (Third-party directory)
Intercepts all incoming and outgoing e-mail
See TID 10065630 for configuration details
Two products available• Guinevere—http://www.openandhome.com• FootNote—http://www.stack.co.uk
GWIA Anti-Virus Solutions
• Other anti-virus solutions using relay host Not specific to GroupWise GWIA relays third-party host for virus checking MX record references virus checking host,
relays inbound messages to GWIA Products include
• Symantec—Norton Anti-Virus for Gateways• McAfee—Webshield• Trend Micro—Interscan• MailSweeper for SMTP
MTA Anti-Virus Solution
• MTA level virus protection Intercepts all mail routed through the domain Gateway messages, except WebAccess All inter-post office traffic
• Product: GWAVA http://www.beginfinite.com
Related Session: TUT225
Securing WebAccess
• No WebAccess specific steps needed
• Enable WebServer for SSL connection NES—Uses Novell Server Certificate IIS—Uses NT/2000 Certificate Apache—Open SSL certificate
LDAP Authentication To GroupWise
Post Office agent
GroupWise6 SP1
LDAP server
eDirectory 8.5
(or any LDAP v3 Directory)
Login request Credentials
Results
GroupWise client
GroupWise
WebAccess
Results
LDAP Authentication: Prerequisites And Limitations
• GroupWise 6 SP1 POA, WebAccess, and Client (Client and WebAccess required for interface support of
password expiration dialogs)
• eDirectory 8.5 LDAP Server, with GroupWise users in the eDirectory 8.5 tree
OR
• User object MAIL attribute synchronization between GroupWise and the LDAP server of choice
• For full password expiration functionality, the POA must be forced to BIND
LDAP Configuration: Why Leave the LDAP User Name Blank?
• Credential behavior with the LDAP user name and password
POA will use this user name and password to connect, and then do a ‘compare’ of the user-provided credentials against the LDAP directory
‘Compare’ does not support expiration of passwords
• Credential behavior without the LDAP user name and password
POA will use the user-provided credentials to attempt to bind to the LDAP server
Password expiration is supported for a BIND connection
LDAP Configuration: SSL Certificate Use and Requirements
• Why Use SSL? Without SSL, LDAP credentials are passed in the clear
• This is unacceptable, even within your firewall
• SSL certificate must be a Trusted Root Certificate for the LDAP directory
This is the way the standard is written—it’s an LDAP requirement
• The LDAP SSL port is 636
Exporting the Trusted Root Cert
Detail screen of a server certificate object, Trusted Root CertExport the Trusted Root in .DER format