CTS 2311 (Unix/Linux Security) Project #8
PKI Setup

Due: by the start of class on the date shown on the syllabus

Description and Background Information:

This project requires you to use many of the skills and techniques learned previously.  You will not be given step-by-step directions; instead you will be given tasks to do.  This is similar to the directions you might receive on the job.

For this project, you will add encryption to your web and email services. This means creating a PKI certificate for each service.  Self-signed certificates are fine for this project, or you can obtain a real one (see the hints section below).  You will need to support access from your second host to each service on your first host.

Requirements:

Perform the following tasks:

  1. Re-create your email setup from the email setup project.  That includes a web service using Apache.  Add an index.html file to your website's DOCROOT, just so something shows.  (It should have a link to your web-based email service.)
  2. Set up PKI for Apache, so your web service can be accessed from your second computer using either HTTP or HTTPS.
  3. Set up PKI for Postfix.  (That is, enable “STARTTLS”).
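The self-signed route for tasks 2 and 3, as an added example that is not part of the assignment: a small shell library that generates a key pair and self-signed certificate for one service host, checks that the certificate really belongs to the key and names the host, and prints the Apache and Postfix directives that point at the files. It assumes openssl 1.1.1 or later is installed; the /etc/pki/tls paths, the hostname mail.example.test and the DocumentRoot are assumptions used only in the emitted text.

```shell
#!/bin/sh
# Added example (not from the CTS 2311 assignment). Assumes openssl >= 1.1.1.
set -u

# make_selfsigned_cert HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key (mode 0600, because of the umask) and OUTDIR/HOST.crt,
# a self-signed certificate whose Subject Alternative Name is HOST.
make_selfsigned_cert() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir" || return 1
    ( umask 077   # private key must never be group/world readable
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
          -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null )
}

# cert_matches_key CERT KEY: true when the public key inside CERT is the
# public half of KEY (a mismatch is the classic "SSLEngine on" startup failure).
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# cert_valid_for CERT SECONDS: true when CERT does not expire within SECONDS.
cert_valid_for() {
    openssl x509 -checkend "$2" -noout -in "$1" >/dev/null
}

# cert_has_san CERT HOST: true when CERT lists HOST as a DNS SAN, which is
# what browsers and mail clients match against (the CN alone is not enough).
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# apache_ssl_fragment HOST CERT KEY: HTTPS virtual host directives
# (mod_ssl must be installed; on Fedora: dnf install mod_ssl).
apache_ssl_fragment() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile $2
    SSLCertificateKeyFile $3
</VirtualHost>
EOF
}

# postfix_tls_fragment CERT KEY: main.cf lines that enable STARTTLS.
# "may" offers STARTTLS but still accepts plain SMTP, as the project requires.
postfix_tls_fragment() {
    cat <<EOF
smtpd_tls_cert_file = $1
smtpd_tls_key_file = $2
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
EOF
}

# Demo: sh thisfile.sh demo   (writes into ./pki-demo; hostname is assumed)
if [ "${1:-}" = demo ]; then
    make_selfsigned_cert mail.example.test ./pki-demo 365
    cert_matches_key ./pki-demo/mail.example.test.crt ./pki-demo/mail.example.test.key \
        && echo "cert and key match"
    apache_ssl_fragment mail.example.test /etc/pki/tls/certs/mail.example.test.crt \
        /etc/pki/tls/private/mail.example.test.key
    postfix_tls_fragment /etc/pki/tls/certs/mail.example.test.crt \
        /etc/pki/tls/private/mail.example.test.key
fi
```

Copy the .crt into /etc/pki/tls/certs and the .key into /etc/pki/tls/private, keep the key at mode 0600, and expect the client on your second host to warn about an unknown issuer: that warning is the cost of self-signing, not a configuration error.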

The following tasks are optional, and not required for this project.  (I really doubt any student will have sufficient time to complete these extra tasks!)  For a real-world email service, you will need to do more than encrypt the connections.  Real-world web services support protected content, requiring authentication of users in addition to encryption.

The optional tasks are:

  1. You will want to authenticate email users as well, and only permit authenticated users to send email.
  2. Set up Amavis for virus and spam scanning, for your email service.
  3. Create a virtual website that only supports HTTPS, and only for specified, authenticated users.

Hints:

Use the walk-throughs and other resources found on our class web page.  Also, remember you can test email using telnet localhost 25.  If you want to test STARTTLS too, you need a client that can handle the encryption; telnet can't.  Here's one good way (mailserver is your mail server's DNS name or IP):

openssl s_client -connect mailserver:25 -starttls smtp -prexit
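One way to turn that hint into a repeatable check, as an added example (not part of the assignment): a wrapper that runs the same s_client command non-interactively, plus a grader that reads s_client's session summary and reports whether STARTTLS was negotiated, whether the protocol is TLS 1.2 or newer, and whether the certificate verified. The three sample outputs are constructed to mirror what s_client prints; openssl is assumed to be installed, and the verify codes 18 and 19 are OpenSSL's "self-signed certificate" results.

```shell
#!/bin/sh
# Added example (not from the assignment). Assumes openssl is installed.

# starttls_probe HOST [PORT]: the hint's command, with stdin closed so it
# returns on its own; prints the chain, protocol and verify result.
starttls_probe() {
    openssl s_client -connect "$1:${2:-25}" -starttls smtp -prexit </dev/null 2>&1
}

# starttls_grade: reads s_client output on stdin and prints one verdict:
#   ok              chain verified and TLS 1.2/1.3 negotiated
#   self-signed     TLS fine, issuer unknown (expected for this project only)
#   no-tls          no TLS session at all (STARTTLS refused or handshake failed)
#   weak-protocol X an old TLS/SSL version was negotiated
#   verify-failed N any other verify return code N
starttls_grade() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | tail -1)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -1)
    [ -n "$proto" ] || { echo "no-tls"; return 1; }
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "weak-protocol $proto"; return 1 ;;
    esac
    case "$code" in
        0)      echo "ok"; return 0 ;;
        18|19)  echo "self-signed"; return 0 ;;
        '')     echo "no-tls"; return 1 ;;
        *)      echo "verify-failed $code"; return 1 ;;
    esac
}

# Constructed sample outputs (shape copied from s_client's SSL-Session block).
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = mail.example.test
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
---'
SAMPLE_SELFSIGNED='CONNECTED(00000003)
depth=0 CN = mail.example.test
verify error:num=18:self-signed certificate
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self-signed certificate)
---'
SAMPLE_OLD='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
---'

# Demo: sh thisfile.sh demo HOST   (probes a real server; no network in tests)
if [ "${1:-}" = demo ]; then
    starttls_probe "$2" | starttls_grade
fi
```

For this project a verdict of self-signed is the expected outcome; on a production server it is a finding, and so is anything but ok.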

Here is a list of certificate authorities that offer free SSL/TLS certificates:

Update:  Ignore that list and use Let's Encrypt, which provides free web server certificates.  The certificates expire after 90 days but can be automatically renewed.  Using the certificate could not be easier:

sudo dnf install python-certbot-apache
sudo certbot --apache

That will generate the Let's Encrypt certificate, install it, and automatically configure the Apache web server to use it!  For more information on this, visit certbot.eff.org.

To be turned in:

A copy of your journal pages describing each task you performed.  You can send them as email to (preferred).  If email is a problem for some reason, you may turn in a hard-copy.  In this case the pages should be readable, dated, and stapled together.  Your name should appear on the first page.

Don't turn in your whole journal, just a copy of the relevant sections.  It is common in fact to keep the journal as a text file on the system (with a paper backup of course).

Please see your syllabus for more information about submitting projects.