Hello,
during the past few days I made some updates related to the security aspects of kamailio.org services.
Two are relevant for the community.
1) First, kamailio.org now uses a TLS certificate signed by letsencrypt.org, a free trusted CA backed by Mozilla and other internet companies, so browsing via HTTPS should no longer trigger any untrusted-certificate warning (previously we used a CACert.org certificate, which was not trusted automatically by browsers).
The wiki and mailing list portals use the letsencrypt certificate as well, so there is no reason not to browse all kamailio.org and lists.sip-router.org pages only via HTTPS. Perhaps in the near future we will try to enable a redirect from HTTP to HTTPS, at least for the main page and the login pages of the wiki, mailing lists and other places that require sensitive data.
The SSLLabs test now ranks https://kamailio.org with grade A:
* https://www.ssllabs.com/ssltest/analyze.html?d=kamailio.org&latest
As a side note, for those who haven't noticed it, kamailio.org has also been available over IPv6 for quite some time.
2) Second, emails forwarded by kamailio.org and lists.sip-router.org now carry a DKIM signature. Also, there are SPF records in DNS for these domains. Hopefully, those two will help get the emails accepted by the various spam filters out there, as their legitimate origin can be checked.
If you check the source of an email message and the email server of the receiving party is doing DKIM/SPF checks, you should see headers like the following (taken from an email I received in my gmail account from the sr-users mailing list):
"""
Authentication-Results: mx.google.com; spf=pass (google.com: domain of sr-users-bounces@lists.sip-router.org designates 193.22.119.66 as permitted sender) smtp.mailfrom=sr-users-bounces@lists.sip-router.org; dkim=pass header.i=@lists.sip-router.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sip-router.org; s=20151206; h=Sender:Content-Type:List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Reply-To:Subject:MIME-Version:Message-ID:To:From:Date; bh=lGjvCZYcxBHUHaJDnut1j2YTyPsXTnXHzUb0CgcDc1Q=; b=DlD+MKoEqyISB5Ba775t3zg70FC6ouC+tEo7j5zv4dn2Dhm4pWqkQXSfU4Kp1NqW1ZRYFC/mpg/7LEcGW2FlDL9J0FpUg1VjNmN7D1wvtW08hBBw91tsXImu9yf7KZjg/p4IbXu6vznldubrSxweIaV3q/xbrLgaqP5Dsrvs/9A=;
"""
Kamailio is not enforcing any of those policies on received email messages, so sending to the lists should not be affected.
Should anyone discover problems when browsing the web portals or notice issues with emails from our mailing lists, please report them to the sr-dev mailing list.
Also, if anyone has more hints on increasing the security/privacy for the web server and email systems we run for kamailio.org, do not hesitate to provide us suggestions.
Cheers, Daniel
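As an added illustration (not part of Daniel's message), the following Python parses the two headers quoted above into their fields and performs the structural checks a receiver applies before any cryptography: that the Authentication-Results line reports spf=pass and dkim=pass, that the DKIM-Signature carries the tags RFC 6376 requires, that the From header is among the signed headers, and which DNS TXT record (selector._domainkey.domain) the verifier would query for the public key. The sample header values are copied from the announcement above and embedded as constructed input; actual signature verification (fetching the key and recomputing the canonicalized hashes) is deliberately out of scope.

```python
"""Parse Authentication-Results and DKIM-Signature headers and sanity-check them.

Structural checks only: no DNS lookups and no signature verification.
"""
import re

# Constructed sample input: the header values quoted in the announcement.
SAMPLE_AUTH_RESULTS = (
    "mx.google.com; spf=pass (google.com: domain of "
    "sr-users-bounces@lists.sip-router.org designates 193.22.119.66 as "
    "permitted sender) smtp.mailfrom=sr-users-bounces@lists.sip-router.org; "
    "dkim=pass header.i=@lists.sip-router.org"
)
SAMPLE_DKIM_SIG = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sip-router.org; "
    "s=20151206; h=Sender:Content-Type:List-Subscribe:List-Help:List-Post:"
    "List-Archive:List-Unsubscribe:List-Id:Reply-To:Subject:MIME-Version:"
    "Message-ID:To:From:Date; bh=lGjvCZYcxBHUHaJDnut1j2YTyPsXTnXHzUb0CgcDc1Q=; "
    "b=DlD+MKoEqyISB5Ba775t3zg70FC6ouC+tEo7j5zv4dn2Dhm4pWqkQXSfU4Kp1NqW1ZRYFC/mpg/7LEcGW2FlDL9J0FpUg1VjNmN7D1wvtW08hBBw91tsXImu9yf7KZjg/p4IbXu6vznldubrSxweIaV3q/xbrLgaqP5Dsrvs/9A="
)

# Tags RFC 6376 section 3.5 marks as required in every DKIM-Signature.
REQUIRED_DKIM_TAGS = ("v", "a", "d", "s", "h", "bh", "b")


def parse_auth_results(value):
    """Return (authserv-id, {method: {"result": ..., prop: value, ...}})."""
    # Parenthesised comments (e.g. the SPF explanation) carry no data.
    cleaned = re.sub(r"\([^)]*\)", "", value)
    parts = [p.strip() for p in cleaned.split(";") if p.strip()]
    authserv_id, results = parts[0], {}
    for part in parts[1:]:
        tokens = part.split()
        if "=" not in tokens[0]:
            continue  # not a method=result element; skip it
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method] = {"result": result, **props}
    return authserv_id, results


def parse_dkim_signature(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, val = item.partition("=")
        # Values may be folded across header lines; whitespace is not significant.
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def check_signature(tags):
    """Return a list of structural problems (empty list means none found)."""
    problems = []
    missing = [t for t in REQUIRED_DKIM_TAGS if t not in tags]
    if missing:
        problems.append("missing tags: " + ",".join(missing))
    if tags.get("v") != "1":
        problems.append("unexpected version")
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    if "from" not in signed:
        # RFC 6376 requires the From header to be signed.
        problems.append("From header is not covered by the signature")
    return problems


def dkim_key_record_name(tags):
    """DNS name a verifier queries for the public key when q=dns/txt."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def summarize(auth_results_value, dkim_value):
    """One dict combining what the receiver reported and what the signature claims."""
    authserv_id, results = parse_auth_results(auth_results_value)
    tags = parse_dkim_signature(dkim_value)
    return {
        "verified_by": authserv_id,
        "spf": results.get("spf", {}).get("result"),
        "dkim": results.get("dkim", {}).get("result"),
        "signing_domain": tags.get("d"),
        "key_record": dkim_key_record_name(tags),
        "problems": check_signature(tags),
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_AUTH_RESULTS, SAMPLE_DKIM_SIG).items():
        print(f"{key}: {val}")
```

Running it prints the verifying host (mx.google.com), the pass results for SPF and DKIM, the signing domain and the key record 20151206._domainkey.lists.sip-router.org, with an empty problem list for the quoted signature.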
Hi Daniel,
I'm also using letsencrypt since their beta program. The only issue I see is that the certs expire after 90 days, which means you will have to manually change them before those 90 days are up. They have an automated process to get new certs and insert them in the correct virtual hosts in apache, but I doubt they have any kamailio automation setup yet.
Besides that, which is no big deal and just takes more time until someone writes a script to automate the kamailio process of requesting new certs and replacing the expired ones, I'm a big fan of Letsencrypt and I recommend it to anyone who takes security seriously and doesn't want to participate in enriching the CA "mafia".
Cheers, Peter
On Tue, Dec 8, 2015 at 8:06 AM, Daniel-Constantin Mierla miconda@gmail.com wrote:
On 08.12.2015 at 09:06, Daniel-Constantin Mierla wrote:
Also, if anyone has more hints on increasing the security/privacy for the web server and email systems we run for kamailio.org, do not hesitate to provide us suggestions.
Create a permanent redirect from the HTTP websites to the HTTPS sites.
Also have a look at HSTS.
Regards, -Sven
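For the two suggestions above, an added Apache configuration sketch (not from Sven's reply nor from the kamailio.org servers; Apache is used because Peter mentions it earlier in the thread). It assumes mod_alias, mod_ssl and mod_headers are loaded, and the certificate paths are placeholders. The port-80 host does nothing but issue a permanent redirect, and the HTTPS host sets the Strict-Transport-Security header; per RFC 6797 browsers only honour that header when it arrives over HTTPS, and includeSubDomains commits every subdomain to HTTPS for max-age seconds, so it is safer to start with a short max-age and raise it once all subdomains are confirmed to serve HTTPS correctly.

```apache
# Plain-HTTP host: answer every request with a permanent redirect to HTTPS.
<VirtualHost *:80>
    ServerName kamailio.org
    ServerAlias www.kamailio.org
    Redirect permanent / https://kamailio.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName kamailio.org
    SSLEngine on
    # PLACEHOLDER paths: point these at the Let's Encrypt chain and key.
    SSLCertificateFile    /etc/letsencrypt/live/PLACEHOLDER/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/PLACEHOLDER/privkey.pem

    # HSTS: a browser that has seen this header refuses plain HTTP to the
    # site for max-age seconds (here one year). Start lower, e.g. 300, while
    # testing, because a bad deployment cannot be undone until it expires.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

After reloading Apache, a plain `curl -I http://kamailio.org/` should return a 301 with a `Location: https://kamailio.org/` header, and `curl -I https://kamailio.org/` should show the Strict-Transport-Security header.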