Create the certificate PEM file for Axigen Mailserver

A. Create the certificate PEM file – let’s call it my_domain.pem

Axigen uses a .pem file that holds both the unencrypted private key and the SSL certificate, which the issuer may have provided to you as a .crt file.
Please note that the private key file must be the one generated when you created the request for the SSL certificate. If you did not save it (or have lost it since), the SSL certificate is useless, because the private key cannot be regenerated from the certificate.

  • Private key – let’s say you have saved it in my_domain.key; it should contain several text lines like:
Code:
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAASSSgEAvlvYrl1VutgpBD4EZztydddcX8zB6b6b0+NLV4jhk6zaQTa
aRTlgO6hgvLjvzrHgFFecYxtqJa03mVJUmu21dqNa7PRAK8Lt6zb50K7P+lt+rkv
0PcALacpSIYuiColzk4muiIas8UocEyo9pMhcn4zEHOX9tOSF7qEUPW23p4ymXj8
...
jBumY4c6ToPmCSB+/cRVcHkUvaUIuqmAkAKnKmFhwjnbeJN4RKPiKxUUg5LTgwLU
dmj40cldomBSpD/oDRpk0w6pjwZ2VxThPfYMIAqKmhCHRLlaUeVZfmscjnOdud0p
O2iJMn4v8PTFCFGnCIDjpXpQ3+igUfGBmd7CUjW0s/rx1FBhbGdaw3bDrHWadDvd
-----END RSA PRIVATE KEY-----

Note: An unencrypted private key can be extracted from an encrypted one with the following command:

Code:
openssl rsa -in my_domain.key.encrypted -out my_domain.key

If the encrypted key is protected by a pass phrase, enter it when prompted; otherwise the decryption will (as expected) fail. The output file now holds the key in clear, so restrict its permissions (chmod 600) and keep it out of backups that other users can read.

  • Certificate – let’s say you have saved it in my_domain.crt; it should contain several text lines like:
Code:
-----BEGIN CERTIFICATE-----
MIIF5jCCBM6gAwIBAgIDFG92sXNLl0hoWCVEbY3sHBBBgkqhkiG9w0BAQsFADB4
VR0PBAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBTdp0KFhrW6
AHoysW9/RJ0Yt6RR6zAfBgNVHSMEGDAWgBTrQjTQmLCrn/Qbawj3zGQu7w4sRTAm
...
PL4Jfc7xOn6S0DOr4spUxyVj8QO2htzJq358Nto1zY1hSQn9/u3AefaHG0S/n9vO
DzOL1uUVzjjvk9ulZPJo/6JRyHiSnWOa3Hs0MDpQzS4I6t6XM6M7FMfDMTtk4IK8
lQtuFho0a0hmDjMmujDKwyy9iQu/aRW99N66YBiezjH3
-----END CERTIFICATE-----

Now you can prepare your my_domain.pem like:

Code:
cat my_domain.key my_domain.crt > ${AXIGEN_WORK_DIR}/my_domain.pem
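A mismatched key and certificate, or a key that is still encrypted, only shows up as a failed TLS handshake after the listener reloads, so it is worth checking both before the cat. The following script is an added example, not part of the Axigen article and not an Axigen tool; it assumes the OpenSSL command-line client and uses the file names from above (my_domain.key, my_domain.crt, my_domain.pem):

```shell
#!/bin/sh
# Added example, not from the Axigen article: check that a private key and a
# certificate belong together and that the key is unencrypted before building
# the PEM file Axigen loads. Assumes the OpenSSL CLI; file names follow the
# article (my_domain.key, my_domain.crt, my_domain.pem).
set -eu

# Public key derived from a private key file (RSA or EC). An empty pass phrase
# is supplied so that an encrypted key fails instead of prompting.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# Public key embedded in an X.509 certificate.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# key_matches_cert KEY CERT: true if both carry the same public key.
key_matches_cert() {
    k=$(key_pubkey "$1") || return 1
    c=$(cert_pubkey "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_unencrypted KEY: true if the key loads without a pass phrase
# (Axigen reads the key from the PEM without prompting, so it must).
key_is_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# build_pem KEY CERT OUT: write the key, then the certificate, into OUT,
# readable only by the owner; refuse mismatched or still-encrypted input.
build_pem() {
    key_is_unencrypted "$1" || { echo "$1: key is encrypted, decrypt it first (openssl rsa -in ... -out ...)" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "$1 and $2: key and certificate do not match" >&2; return 1; }
    ( umask 077; cat "$1" "$2" > "$3" )
}

# Usage: ./build_pem.sh my_domain.key my_domain.crt "$AXIGEN_WORK_DIR/my_domain.pem"
if [ $# -eq 3 ]; then
    build_pem "$1" "$2" "$3"
fi
```

The comparison is done on the SubjectPublicKeyInfo that both openssl pkey -pubout and openssl x509 -pubkey print, so it works for RSA and EC keys alike; the umask in a subshell keeps the resulting file at mode 600 without changing the umask of the calling shell.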

B. (Optional) create the CA (Certificate Authority) cert file – let’s call it my_CA.pem
This file should contain all the CA certificates (root and intermediate) you received from the certificate issuer.

This should be as simple as:

Code:
cat CA_root.crt CA_intermediate1.crt CA_intermediate2.crt > ${AXIGEN_WORK_DIR}/my_CA.pem

C. Axigen Configuration
Assuming that you have saved the mandatory my_domain.pem and the optional my_CA.pem files in the Axigen working directory (and that they are readable by the user the Axigen process runs as; since my_domain.pem contains the unencrypted private key, it should not be readable by anyone else), you can now configure the SSL listener(s) with your new certificate:

Connect to WebAdmin and go to Service > Listener > SSL

  • Certificate file: my_domain.pem
  • (optional) Certificate authorities file: my_CA.pem
  • Save configuration

Note: If you want to use the self-signed certificate generated by Axigen at installation time, use the axigen_cert.pem file, which is also stored in the Axigen working directory.

After you have finished the certificate configuration you can test the SSL listener locally like:

Code:
openssl s_client -connect <listener_ip>:<listener_port>

Add -showcerts to see every certificate the listener sends, and -CAfile my_CA.pem (plus -servername <your_domain> to send the host name) to have s_client verify the chain; a "Verify return code: 0 (ok)" line in the output means the chain validated.


Secure AXIGEN against brute-force with Fail2Ban [Linux]

How to install and configure Fail2ban to integrate with Axigen

Here’s how you can enable the Fail2Ban Linux integration in Axigen for increased brute-force attack protection.

1. Enable the Security Log in Axigen using the CLI commands below

CLI commands to enable the Security Log
<#> config server
<server#> config log
<server-log#> set enableSecurityLog yes
<server-log#> commit
<server#> commit
<#> save config
<#> quit
Restart the Axigen service
/etc/init.d/axigen restart

2. Install Fail2Ban using your OS package-management utility

For CentOS / RedHat

Install the Epel repository

yum install epel-release

Install fail2ban

yum install fail2ban

For Ubuntu / Debian

Install fail2ban

sudo apt install fail2ban

3. Create the file “axigen.conf” in the /etc/fail2ban/filter.d folder with the configuration below

# Fail2Ban filter for axigen
#
# Revision: 2016040601
#
# If you want to protect Axigen from being bruteforced by password
# authentication then configure enableSecurityLog = yes in axigen.cfg
# and reload configuration.
#
# Log file: ${AXIGEN_WORK_DIR}/log/security.txt
# Log example: 2016-03-08 12:41:29 +0200 02 aximon SECURITY:PROXY_WEBMAIL;0002607C;82.36.25.70;61707;OP_FAIL;root@q.me;Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0;Authentication error; Invalid password
#
#
# Notes:
# * Feature introduced by Axigen version 9.0
# * Axigen 9 default separator was ':'
# * Axigen 10 default separator switched to ';' (due to IPv6 address format)
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = axigen
failregex = ^%(__prefix_line)s.* SECURITY:[A-Z3_\-]+[:;][0-9A-F]+[:;]<HOST>[:;][0-9]+[:;]OP_FAIL[:;].*$
ignoreregex =
[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10

4. Edit the /etc/fail2ban/jail.d/jail.local file and append the following lines

/etc/fail2ban/jail.d/jail.local
[axigen]
enabled = true
backend = polling
logpath = /var/opt/axigen/log/security.txt
banaction = iptables-allports
maxretry = 10
findtime = 600
bantime = 600

Create the file /etc/fail2ban/jail.d/jail.local if it doesn’t exist.

If the security log file (security.txt) is not in the default location change the value of logpath with the correct one.

5. Add the trusted IP(s) to the ignore list (whitelist)

To avoid locking yourself out, add your own address(es) to ignoreip. You can set it in /etc/fail2ban/jail.conf, but putting the same key in /etc/fail2ban/jail.local (under [DEFAULT] for all jails, or inside the [axigen] section) is preferable, since package upgrades overwrite jail.conf:

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 192.168.1.10 192.168.2.0/24

6. Enable and start the fail2ban service

systemctl enable fail2ban
systemctl start fail2ban

7. Check the list of banned IPs

fail2ban-client status <JAIL_NAME>

Example:

# fail2ban-client status axigen
Status for the jail: axigen
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     10
|  `- File list:        /var/opt/axigen/log/security.txt
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.4.145

8. Unban an IP address

fail2ban-client set <YOUR_JAIL_NAME> unbanip <IP_ADDRESS>

Example:

# fail2ban-client set axigen unbanip 192.168.4.145

# fail2ban-client status axigen
Status for the jail: axigen
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     10
|  `- File list:        /var/opt/axigen/log/security.txt
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:

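To see what the failregex from step 3 matches and how the maxretry threshold from step 4 turns matches into a ban, the script below runs an equivalent POSIX regular expression over a few security-log lines and counts failures per client. It is an added example, not part of the Axigen article or of fail2ban; the log lines are constructed here (modelled on the example in the filter comments, with documentation-range addresses), and the time window of findtime is not modelled. On a real host the authoritative check is fail2ban-regex /var/opt/axigen/log/security.txt /etc/fail2ban/filter.d/axigen.conf, which applies the real common.conf prefix handling.

```shell
#!/bin/sh
# Added example, not from the Axigen article or from fail2ban: run a POSIX
# regular expression equivalent to the filter's failregex over constructed
# Axigen security-log lines, then apply a maxretry-style threshold.
set -eu
export LC_ALL=C

# Constructed sample lines (not from a real server), modelled on the log
# example in the filter comments: Axigen 10 style with ';', Axigen 9 style
# with ':', one successful login (OP_OK) that must not match, one IPv6 client.
SAMPLE_LOG='2016-03-08 12:41:29 +0200 02 aximon SECURITY:PROXY_WEBMAIL;0002607C;203.0.113.7;61707;OP_FAIL;root@example.com;Mozilla/5.0;Authentication error; Invalid password
2016-03-08 12:41:30 +0200 02 aximon SECURITY:IMAP:0002607D:198.51.100.9:52211:OP_FAIL:bob@example.com:Authentication error: Invalid password
2016-03-08 12:41:31 +0200 02 aximon SECURITY:PROXY_WEBMAIL;0002607E;203.0.113.7;61708;OP_OK;root@example.com;Mozilla/5.0;Authenticated
2016-03-08 12:41:32 +0200 02 aximon SECURITY:SMTP;0002607F;2001:db8::10;40001;OP_FAIL;carol@example.com;Authentication error; Invalid password
2016-03-08 12:41:40 +0200 02 aximon SECURITY:POP3;00026080;203.0.113.7;61709;OP_FAIL;root@example.com;Authentication error; Invalid password
2016-03-08 12:41:45 +0200 02 aximon SECURITY:PROXY_WEBMAIL;00026081;203.0.113.7;61710;OP_FAIL;root@example.com;Mozilla/5.0;Authentication error; Invalid password'

# failed_hosts: read log lines on stdin and print the client address of every
# OP_FAIL record. The separator captured as \1 is ';' or ':' and the host is
# the field after the hex record id, as in the filter's failregex; fail2ban's
# <HOST> token is replaced by a greedy field match. With the Axigen 9 ':'
# separator an IPv6 address cannot be split reliably, which is why Axigen 10
# changed the separator.
failed_hosts() {
    sed -nE 's/^.* SECURITY:[A-Z3_-]+([;:])[0-9A-F]+\1(.+)\1[0-9]+\1OP_FAIL\1.*$/\2/p'
}

# hosts_over_threshold N: addresses with at least N failures in the input,
# i.e. what a jail with maxretry = N would ban if all the lines fell inside
# one findtime window.
hosts_over_threshold() {
    failed_hosts | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2 }'
}

# With maxretry = 3 only 203.0.113.7 (three OP_FAIL lines; the OP_OK line
# does not count) would be banned.
printf '%s\n' "$SAMPLE_LOG" | hosts_over_threshold 3
```

Feed the real log through the same pipeline (failed_hosts < /var/opt/axigen/log/security.txt | sort | uniq -c | sort -rn) to see which clients the jail would act on before enabling it, and to spot a NAT gateway or a webmail proxy whose address would take all users behind it offline if banned.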
From https://www.axigen.com/articles/fail2ban-linux-brute-force-attack-protection_82.html

Creating a self-signed SSL certificate for Axigen Mailserver

How to create a self-signed SSL certificate for use with AXIGEN

1. Using OpenSSL interactively:
– Generate an OpenSSL private key (2048 bits; 1024-bit RSA keys are rejected by current TLS clients):


openssl genrsa -out axigen_cert.key 2048

– Generate a self-signed certificate using the key:


openssl req -new -x509 -key axigen_cert.key -out axigen_cert.crt

The default validity of a certificate created this way is 30 days. If you want a longer validity, say one year (365 days), add the -days 365 parameter to the command above:


openssl req -new -x509 -days 365 -key axigen_cert.key -out axigen_cert.crt

– Combine key and certificate in one PEM file:


cat axigen_cert.key axigen_cert.crt > axigen_cert.pem

2. Using an OpenSSL config file:
– Create an OpenSSL config file named axigen_ssl.cnf with the following content:

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
O=AXIGEN Mail Server
OU=Automatically-generated SSL key
CN=AXIGEN
[ cert_type ]
nsCertType = server

– Create the self-signed certificate (-nodes overrides encrypt_key so the key is written unencrypted, as Axigen requires; -keyout and -out name the same file, and OpenSSL appends the certificate after the key):

openssl req -new -x509 -days 365 -nodes -config axigen_ssl.cnf -out /var/opt/axigen/axigen_cert.pem -keyout /var/opt/axigen/axigen_cert.pem

3. Using AXIGEN’s startup script:
On all supported operating systems and platforms, AXIGEN’s startup script creates a self-signed certificate automatically on its first run and stores it in the data directory under the name axigen_cert.pem.
If you want to regenerate the certificate, run the startup script again with the init parameter.

For example, on RedHat you can regenerate the certificate with:
/etc/init.d/axigen init

NOTE: the init parameter will also try to create the default domain database (which will already exist).

To view the certificate details:
 openssl x509 -text -noout -in /var/opt/axigen/axigen_cert.pem
To see the expiry date of the certificate, use the -enddate parameter:
 openssl x509 -enddate -noout -in /var/opt/axigen/axigen_cert.pem
The output should look something like:
 notAfter=May  1 15:16:16 2008 GMT
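A certificate built with the config above has no subjectAltName, and current clients (Chrome and Apple's TLS stack among them) no longer match the host name against the CN, so they will refuse it even after the user accepts the self-signed warning. The script below is an added example, not part of this article or of Axigen: it generates a certificate with a 2048-bit key, SHA-256 and a SAN, writes key and certificate into one PEM the same way the -keyout/-out command above does, and checks the expiry with openssl x509 -checkend. It assumes the OpenSSL command-line client; mail.example.com is a placeholder host name.

```shell
#!/bin/sh
# Added example, not from the Axigen article: build a self-signed certificate
# that current TLS clients accept (2048-bit RSA, SHA-256, subjectAltName),
# written as key followed by certificate in one PEM as Axigen expects, plus
# an expiry check. Assumes the OpenSSL CLI; mail.example.com is a placeholder.
set -eu

# make_self_signed HOSTNAME OUT_PEM DAYS
make_self_signed() {
    host=$1; out=$2; days=$3
    cnf=$(mktemp)
    # Temporary request config: like the article's axigen_ssl.cnf, but with
    # a SAN, because clients no longer match host names against the CN alone.
    cat > "$cnf" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
O = AXIGEN Mail Server
CN = $host
[ cert_type ]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    rc=0
    # -keyout and -out name the same file: OpenSSL writes the key, then
    # appends the certificate. umask 077 keeps the unencrypted key private.
    ( umask 077; openssl req -new -x509 -nodes -days "$days" -config "$cnf" \
        -keyout "$out" -out "$out" 2>/dev/null ) || rc=$?
    rm -f "$cnf"
    return $rc
}

# cert_expires_within PEM DAYS: true if the certificate in PEM expires within
# DAYS days (openssl -checkend succeeds only when it does NOT expire by then).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_has_san PEM HOSTNAME: true if HOSTNAME is listed as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage: ./selfsigned.sh mail.example.com /var/opt/axigen/axigen_cert.pem 365
if [ $# -eq 3 ]; then
    make_self_signed "$1" "$2" "$3"
    cert_expires_within "$2" 30 && echo "warning: $2 expires within 30 days" >&2
    openssl x509 -in "$2" -noout -subject -enddate
fi
```

openssl x509 reads the first CERTIFICATE block in the file and skips the key in front of it, which is why the article's -text and -enddate checks work on the combined PEM; the same -checkend test can be run from cron against the certificate Axigen actually serves to get warning before clients start failing.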