[BlueOnyx:11351] Re: 5108R FTPS
Ken - Precision Web Hosting, Inc
kenlists at precisionweb.net
Wed Sep 19 12:41:54 -05 2012
----- Original Message -----
From: "Chris Gebhardt - VIRTBIZ Internet" <cobaltfacts at virtbiz.com>
> Thanks Michael,
> The customer is working now and he's happy, so that's a good thing.
>
> Michael Stauber wrote:
>
>> Yeah, it can be made to work on the IP of the Vsite, too - if that one
>> is different from the main IP.
>>
>> At the bottom of /etc/proftpd.conf you got the VirtualHost containers
>> for all the extra IPs. Just add a container like this for the IP of
>> that Vsite where you want FTPS to work (and substitute the correct IP):
>
> Ah, got it, OK! That makes some sense. Many thanks for that tip.
>
>> If the client's Vsite has an SSL certificate, you could even use that
>> one instead of defaulting to the Dovecot certificate, which I used here
>> because it's there by default and saves us the hassle of creating yet
>> another self-signed certificate just for FTPS.
>
> Yes, that sure makes sense to me. That also brings some interesting
> possibilities to mind.
>
>> I'm thinking of hacking all this into the BlueOnyx GUI to finally
>> provide working FTPS "out of the box". But I'm still a bit torn about
>> running ProFTPD stand alone and no longer behind Xinetd (which has
>> benefits for security reasons).
>
> Seems to me that running ProFTPD in standalone mode with mod_wrap would
> provide some security here (i.e. use of hosts.allow/hosts.deny). There
> may be other considerations as well that I'm just not thinking about
> right now, but I admit to being a little fried at the end of the week!
>
> But I know I have some other customers who would enjoy the ability to
> have the FTPS "just work". They'd also like SFTP, but I know that is an
> entirely different story and my feeling is so long as there is an option
> one way or the other, that's good enough.
>
For some reason Michael's solution did not work for me. Proftpd would not
start.
My solution was to:
1. Leave it as inet
2. Add the lines below to /etc/proftpd.conf within the <Global>
</Global> container:

    <IfModule mod_tls.c>
      TLSEngine on
      TLSLog /var/log/tls.log
      # off = TLS is offered but not enforced; plain FTP logins still work
      TLSRequired off
      # do not ask the client for a certificate
      TLSOptions NoCertRequest
      # reuse the admserv certificate instead of creating one just for FTPS
      TLSRSACertificateFile /etc/admserv/certs/certificate
      TLSRSACertificateKeyFile /etc/admserv/certs/key
      TLSVerifyClient off
      TLSRenegotiate required off
    </IfModule>
Then within my "SecureFX" software set it to use:
- FTPS explicit
- on port 22
- disable certificate validation (if you are using something else for the
hostname instead of the servername)
Ken
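As an added example (not from this thread, nor BlueOnyx or ProFTPD code), a small Python checker that pulls the mod_tls directives out of a proftpd.conf and states what they mean in practice, so you can confirm what the <Global> snippet above actually enables before pointing a client at it. The embedded config is constructed to match that snippet; the directive names are the real mod_tls ones.

```python
import re

# Constructed sample: the <Global> snippet from the post above.
SAMPLE_CONF = """\
<Global>
  <IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/tls.log
    TLSRequired off
    TLSOptions NoCertRequest
    TLSRSACertificateFile /etc/admserv/certs/certificate
    TLSRSACertificateKeyFile /etc/admserv/certs/key
    TLSVerifyClient off
    TLSRenegotiate required off
  </IfModule>
</Global>
"""

def parse_tls_directives(conf_text):
    """Return {directive: value} for lines inside <IfModule mod_tls.c>.
    A stack of open containers tracks where each line sits."""
    stack, tls = [], {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments/whitespace
        if not line:
            continue
        m = re.fullmatch(r"<(/?)([A-Za-z]+)(?:\s+([^>]*))?>", line)
        if m:   # container open/close tag such as <Global> or </IfModule>
            closing, name, arg = m.groups()
            if closing:
                stack.pop()
            else:
                stack.append((name, (arg or "").strip()))
            continue
        if ("IfModule", "mod_tls.c") in stack:
            key, _, val = line.partition(" ")
            tls[key] = val.strip()
    return tls

def assess_ftps(tls):
    """Translate the directives into their practical consequences."""
    if tls.get("TLSEngine", "off").lower() != "on":
        return ["TLSEngine off: AUTH TLS will be refused"]
    out = []
    if tls.get("TLSRequired", "off").lower() == "off":
        out.append("TLSRequired off: TLS offered but plaintext logins still accepted")
    if tls.get("TLSVerifyClient", "off").lower() == "off":
        out.append("TLSVerifyClient off: server-only authentication, no client certs")
    out.append("server certificate: " + tls.get("TLSRSACertificateFile", "<none>"))
    return out
```

Run `assess_ftps(parse_tls_directives(open("/etc/proftpd.conf").read()))` against a live config; switching TLSRequired to `on` is what removes the plaintext-login finding.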