Apache and mail server question.

[hockey97]

Hi, I have setup my working apache and my mail server which is working perfectly.

However, I need to start to do some changes to now add more security to both of them.

I am thinking to use ssl for both and for the mail server. I am thinking to use a different encryption method for the passwords. I currently use md5 that is salted.

I want to know start using I was thinking sha-1 or something in that line. I want the latest encryption that is suggested to be used.

for apache I have a website that has a login page. I would like to have that page use https.

 

[Morte]

Your question is a little too broad to answer properly, especially the term "mail server" as FreeBSD supports many that do both outgoing and incoming.

I'm not exactly sure what you mean by encryption method for passwords, but I'm assuming you mean how the password file is stored on the system. Apache's htpasswd uses 1000 rounds of md5 which is more secure than the very old sha-1 included for backwards compatibility. If Apache sees something it doesn't support, it passes it to the back end crypt function of FreeBSD. It's probably better to use something like SHA-256 / SHA-512 in that case. The catch is that htpasswd can't generate the hash, and you'll have to do it yourself.

Apache and SSL is a long topic, but you'll find the configuration included in /usr/local/etc/Apache22/Includes/ssl.conf to be a good starting point. You can generate your own certificate, however if you don't want a warning popping up in browsers, will have to purchase one. (https://www.startcom.org/ offers them for free, but I have no experience with them).

Good luck.

 

[Abriel]

I have w server with http://www.positivessl.com/. It's very cheap, about 15e for one year. It works great with apache22, dovecot (imaps and pop3s) and postfix.

 

[SirDice]

I think the OP is confusing password encryption (or more precisely, password hashing) with encrypting a network connection like SSL. Although they both use the same kind of techniques, they are separate and have nothing to do with each other.

Also note that simply putting your website behind SSL doesn't "secure" it. It can still be hacked if you do stupid things. All SSL does is prevent eavesdroppers and it gives the client some assurance the server is actually the server it claims to be.

 

[hockey97]

The mail server I am using is called postfix.

No, I am not confused with ssl and password hashing. I want to do 2 things to both apache and my mail server postfix. For both of them I want to start using ssl meaning https protocol. For my websites login pages and login system for my mail server.

Currently I have md5 hash that is salted. This isn't secure. I was told to use SHA-1 to hash passwords.

So, I want to enabled ssl / https for apache and for the mail server login system.

I want to change the password hashing method for postfix and dovecot. It's currently using
md5 hashing cipher. I am thinking to use SHA-1 for the password or whatever you would recommend me using that is safer to use or harder to crack.