[sr-dev] info: kamailio.org updates - letsencrypt for https and dkim for email

Daniel-Constantin Mierla miconda at gmail.com
Tue Dec 8 09:06:02 CET 2015


Hello,

during the past few days I made some updates related to the security
aspects of kamailio.org services.

Two are relevant for the community.

1) First, kamailio.org now uses a TLS certificate signed by
letsencrypt.org, a free trusted CA backed by Mozilla and other
internet companies, so browsing via HTTPS should no longer issue any
warning about an untrusted certificate (previously we used a CACert.org
certificate which was not trusted automatically by browsers).

The wiki and mailing list portals use the letsencrypt certificate as well,
so there is no reason not to browse all kamailio.org and lists.sip-router.org
pages only via HTTPS. Perhaps in the near future we will try to enable a
redirect of HTTP to HTTPS at least for the main page and login pages for
the wiki, mailing lists and other places that require sensitive data.

Now SSLLabs test ranks https://kamailio.org with grade A:

  * https://www.ssllabs.com/ssltest/analyze.html?d=kamailio.org&latest

As a side note, for those who haven't noticed it, kamailio.org has also
been available over IPv6 for quite some time.

2) Second, emails forwarded by kamailio.org and lists.sip-router.org
now have a DKIM signature. Also, there are SPF records in DNS for
these domains. Hopefully, those two will help get the emails
allowed by various spam filters out there, as their legit origin can be
checked.

If you check the source of an email message and the email server of
the receiving party is doing DKIM/SPF checks, you should see some headers
like the following (taken from an email I received in my gmail account from
the sr-users mailing list):

"""
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of sr-users-bounces at lists.sip-router.org designates 193.22.119.66 as permitted sender) smtp.mailfrom=sr-users-bounces at lists.sip-router.org;
       dkim=pass header.i=@lists.sip-router.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sip-router.org; s=20151206;
	h=Sender:Content-Type:List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Reply-To:Subject:MIME-Version:Message-ID:To:From:Date; bh=lGjvCZYcxBHUHaJDnut1j2YTyPsXTnXHzUb0CgcDc1Q=;
	b=DlD+MKoEqyISB5Ba775t3zg70FC6ouC+tEo7j5zv4dn2Dhm4pWqkQXSfU4Kp1NqW1ZRYFC/mpg/7LEcGW2FlDL9J0FpUg1VjNmN7D1wvtW08hBBw91tsXImu9yf7KZjg/p4IbXu6vznldubrSxweIaV3q/xbrLgaqP5Dsrvs/9A=;
"""

Kamailio is not enforcing any of those policies on received email
messages, so sending to the lists should not be affected.

Should anyone discover problems when browsing the web portals or notice
issues with emails from our mailing lists, report them to the sr-dev mailing
list.

Also, if anyone has more hints on increasing the security/privacy of
the web server and email systems we run for kamailio.org, do not
hesitate to send us suggestions.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
http://miconda.eu
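
Added example (not part of the original message, and not code used by kamailio.org): a small Python parser for the two headers quoted above. It reads SPF/DKIM verdicts only from an Authentication-Results header stamped by a receiving server you trust, and derives the DNS TXT name where the DKIM public key is published. The function names, the relay.example.net header and the PLACEHOLDER values are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the post. bh=/b= are
# placeholders; the relay.example.net header is made up (an untrusted stamp).
SAMPLE = """\
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of sr-users-bounces@lists.sip-router.org designates 193.22.119.66 as permitted sender) smtp.mailfrom=sr-users-bounces@lists.sip-router.org;
       dkim=pass header.i=@lists.sip-router.org
Authentication-Results: relay.example.net; dkim=fail
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sip-router.org; s=20151206;
\th=Sender:List-Id:Reply-To:Subject:MIME-Version:Message-ID:To:From:Date; bh=PLACEHOLDER=;
\tb=PLACEHOLDER=;
From: user@example.org

body
"""

def auth_results(msg, trusted_authserv):
    """{method: result} from Authentication-Results headers added by our own MTA."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        parts = re.sub(r"\([^()]*\)", " ", raw).split(";")  # drop (comments)
        if parts[0].strip().lower() != trusted_authserv:
            continue  # any upstream hop can insert this header; skip other stamps
        for part in parts[1:]:
            m = re.match(r"\s*([\w-]+)\s*=\s*(\w+)", part)
            if m:
                verdicts.setdefault(m.group(1).lower(), m.group(2).lower())
    return verdicts

def dkim_tags(msg):
    """Tag-list of the first DKIM-Signature header (RFC 6376, section 3.2)."""
    tags = {}
    for item in msg.get("DKIM-Signature", "").split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)  # remove folding
    return tags

def summarize(text, trusted_authserv="mx.google.com"):
    msg = message_from_string(text)
    tags = dkim_tags(msg)
    signed = [h.lower() for h in tags.get("h", "").split(":")]
    return {
        "verdicts": auth_results(msg, trusted_authserv),
        # <selector>._domainkey.<domain> is the TXT record with the public key
        "key_record": f"{tags.get('s')}._domainkey.{tags.get('d')}",
        "from_signed": "from" in signed,  # RFC 6376 requires From in h=
    }
```

For the sample, summarize(SAMPLE) reports spf=pass and dkim=pass from mx.google.com, ignores the relay.example.net stamp, and gives 20151206._domainkey.lists.sip-router.org as the key record to look up.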



