[sr-dev] info: kamailio.org updates - letsencrypt for https and dkim for email

Peter Villeneuve petervnv1 at gmail.com
Wed Dec 9 18:47:47 CET 2015


Forgot to point out the obvious. My previous comment applies to kamailio's
use of TLS, not the website where kamailio is hosted.

On Wed, Dec 9, 2015 at 5:46 PM, Peter Villeneuve <petervnv1 at gmail.com>
wrote:

> Hi Daniel,
>
> I'm also using letsencrypt since their beta program.
> The only issue I see is that the certs expire after 90 days, which means
> you will have to manually change them before those 90 days are up.
> They have an automated process to get new certs and insert them in the
> correct virtual hosts in apache, but I doubt they have any kamailio
> automation setup yet.
>
> Besides that, which is no big deal, just takes more time until someone
> writes a script to automate the kamailio process of requesting new certs
> and replacing the expired ones, I'm a big fan of Letsencrypt and I
> recommend it to anyone that takes security seriously and doesn't want to
> participate in enriching the CA "mafia".
>
> Cheers,
> Peter
>
> On Tue, Dec 8, 2015 at 8:06 AM, Daniel-Constantin Mierla <
> miconda at gmail.com> wrote:
>
>> Hello,
>>
>> during the past few days I made some updates related to the security
>> aspects of kamailio.org services.
>>
>> Two are relevant for the community.
>>
>> 1) First, kamailio.org now uses a TLS certificate signed by
>> letsencrypt.org, a free trusted CA backed by Mozilla and other
>> internet companies, so browsing via HTTPS should no longer issue any
>> warning about an untrusted certificate (previously we used a CACert.org
>> certificate which was not trusted automatically by browsers).
>>
>> Wiki and mailing list portals use the letsencrypt certificate as well,
>> so there is no reason not to browse all kamailio.org and
>> lists.sip-router.org pages only via HTTPS. Perhaps in the near future
>> we will try to enable redirect of HTTP to HTTPS at least for the main
>> page and login pages for wiki, mailing lists and other places that
>> require sensitive data.
>>
>> Now SSLLabs test ranks https://kamailio.org with grade A:
>>
>>   * https://www.ssllabs.com/ssltest/analyze.html?d=kamailio.org&latest
>>
>> As a side note, for those that haven't noticed it, kamailio.org has
>> also been available over IPv6 for quite some time.
>>
>> 2) Second, emails forwarded by kamailio.org and lists.sip-router.org
>> now have a DKIM signature. Also, there are SPF records in DNS for
>> these domains. Hopefully, those two will help the emails to be
>> allowed by various spam filters out there, as their legit origin can be
>> checked.
>>
>> If you check the source of an email message and the email server of
>> the receiving party is doing DKIM/SPF checks, you should see some
>> headers like the following (taken from an email I received to my gmail
>> account from the sr-users mailing list):
>>
>> """
>> Authentication-Results: mx.google.com;
>>        spf=pass (google.com: domain of sr-users-bounces at lists.sip-router.org designates 193.22.119.66 as permitted sender) smtp.mailfrom=sr-users-bounces at lists.sip-router.org;
>>        dkim=pass header.i=@lists.sip-router.org
>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sip-router.org; s=20151206;
>>        h=Sender:Content-Type:List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Reply-To:Subject:MIME-Version:Message-ID:To:From:Date;
>>        bh=lGjvCZYcxBHUHaJDnut1j2YTyPsXTnXHzUb0CgcDc1Q=;
>>        b=DlD+MKoEqyISB5Ba775t3zg70FC6ouC+tEo7j5zv4dn2Dhm4pWqkQXSfU4Kp1NqW1ZRYFC/mpg/7LEcGW2FlDL9J0FpUg1VjNmN7D1wvtW08hBBw91tsXImu9yf7KZjg/p4IbXu6vznldubrSxweIaV3q/xbrLgaqP5Dsrvs/9A=;
>> """
>>
>> Kamailio is not enforcing any of those policies on received email
>> messages, so sending to the lists should not be affected.
>>
>> Should anyone discover problems when browsing the web portals or notice
>> issues with emails from our mailing lists, report them to the sr-dev
>> mailing list.
>>
>> Also, if anyone has more hints on increasing the security/privacy for
>> the web server and email systems we run for kamailio.org, do not
>> hesitate to provide us suggestions.
>>
>> Cheers,
>> Daniel
>>
>> --
>> Daniel-Constantin Mierla
>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>> Book: SIP Routing With Kamailio - http://www.asipto.com
>> http://miconda.eu
>
>
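
The following added example, which is not part of the original thread or of the kamailio.org setup, parses headers like the ones Daniel quotes and reports the SPF and DKIM results the receiving server recorded. The function names, the trusted authserv-id argument and the shortened sample (with placeholder bh=/b= values) are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the thread: "@" restored,
# h= list shortened, bh=/b= replaced by placeholders (not real signature data).
SAMPLE = """\
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of sr-users-bounces@lists.sip-router.org
       designates 193.22.119.66 as permitted sender)
       smtp.mailfrom=sr-users-bounces@lists.sip-router.org;
       dkim=pass header.i=@lists.sip-router.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
       d=lists.sip-router.org; s=20151206; h=Sender:Subject:To:From:Date;
       bh=PLACEHOLDER; b=PLACEHOLDER

(body)
"""

def parse_authres(value):
    """Split one Authentication-Results value into (authserv-id, [results])."""
    value = re.sub(r"\([^()]*\)", " ", " ".join(value.split()))  # unfold, drop comments
    authserv, *clauses = [c.strip() for c in value.split(";")]
    results = []
    for clause in filter(None, clauses):
        method, *props = clause.split()
        name, _, result = method.partition("=")
        results.append({"method": name.lower(), "result": result.lower(),
                        "props": dict(p.split("=", 1) for p in props if "=" in p)})
    return (authserv.split() or [""])[0].lower(), results

def parse_dkim_tags(value):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    pairs = (item.partition("=") for item in value.split(";"))
    return {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}

def check(raw, trusted_authserv, expected_domain):
    """Report SPF/DKIM results, trusting only headers stamped by our own MX."""
    msg = message_from_string(raw)
    verdict = {"spf": None, "dkim": None, "signing_domain_ok": False}
    for header in msg.get_all("Authentication-Results", []):
        authserv, results = parse_authres(header)
        if authserv != trusted_authserv:  # the header is only as good as its author
            continue
        for r in results:
            if r["method"] in verdict and verdict[r["method"]] is None:
                verdict[r["method"]] = r["result"]
    sig = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    verdict["signing_domain_ok"] = sig.get("d", "").lower() == expected_domain
    return verdict
```

Calling `check(SAMPLE, "mx.google.com", "lists.sip-router.org")` reports both checks as passed; an Authentication-Results header carrying any other authserv-id is skipped, so results not recorded by the receiving server are never counted.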