Radicale Calendar Server with Debian 8 (Jessie) and IMAP/SHADOW Authentication via Apache httpd

As I plan to move from a proprietary calendaring to a more „ressource-aware” open source solution, I decided to give Radicale a try. It is open source, appears to be rather pragmatic in its approach to „standards” and has a small footprint in regards to system requirements.

With me running Debian 8 on my server, I decided to stick with the available package and not install „from source”. So a quick „apt-get install radicale” took care of installing the necessary software (do not forget to enable the Radicale daemon in /etc/default/radicale).

The configuration of Radicale is rather straightforward and simple. In regards to transport security, You can reuse an existing TLS certificate (or get a new one from Let’s encrypt). For authentication, you can choose between several options. As I don’t have an LDAP server (yet) and I didn’t want to create a .httpasswd entry for each user, I chose „IMAP”. So Radicale will validate all credentials against the local IMAP server (Dovecot in my case).

The relevant bits and pieces of my /etc/radicale/config file look like this:

# bin to all legacy IP addresses
hosts = 0.0.0.0:5232
 
# SSL flag, enable HTTPS protocol
ssl = True
 
# SSL certificate path
certificate = /etc/ssl/certs/kalender.fullchain.cer
# SSL private key
key = /etc/ssl/private/kalender.key
 
# SSL Protocol used. See python's ssl module for available values
# TLS 1.0 or higher, as I still have to support older Android clients
protocol = ssl.PROTOCOL_TLSv1_2
 
# Ciphers available. See python's ssl module for available ciphers
# OWASP Cipher String 'B' (Broad compatibility)
# Again, more then strictly recommended in 2017 due to older Android devices
ciphers = DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
 
# Message displayed in the client when a password is needed
realm ="Kalenderserver - Password Required"
 
[auth]
# Authentication method
# Value: None | htpasswd | IMAP | LDAP | PAM | courier | http | remote_user | custom
type = IMAP
 
# IMAP Configuration
imap_hostname = localhost
imap_port = 143
imap_ssl = true
 
[rights]
# Rights backend
# Value: None | authenticated | owner_only | owner_write | from_file | custom
type = owner_only
 
[storage]
# Storage backend
# Value: filesystem | multifilesystem | database | custom
type = filesystem
 
# Folder for storing local collections, created if not present
filesystem_folder = /var/lib/radicale/collections

If you want/need to share your calendar with other users, play around with the [rights] section. For my setup, this was fine.

This setup should also give you an adequate TLS configuration. There is of course room for improvement, if you know your clients all support TLS 1.2 and modern ciphers. See the OWASP TLS Cipher String Cheat Sheet and bettercrypto.org for details.

Once you restart the Radicale server via sudo service radicale restart you should get a "Radicale works!" message in the browser – if you opened up port 5232 on the firewall.

If you also enabled any form of authentication, the browser or ical/caldav client will prompt you with a „Basic Authentication” prompt for the credentials. If you, like in my case, configured IMAP, you will see in your IMAP log a connection, verifying the credentials you entered.

This is nice, but I did not want to open another port on my firewall for this. So how could I proxy this through my existing Apache httpd? Unfortunately, this is only covered halfway in the documentation.

You do have to create a (new) virtual host (eg. „calendar.example.com”) and configure the python WSGI module as well as authentication. To do so, we need a few modules installed and activated:

sudo apt-get install libapache2-mod-wsgi libapache2-mod-authnz-external pwauth
sudo a2enmod authnz_external
sudo a2enmod wsgi

The Apache httpd config for that virtual host including WSGI setup and authentication via mod-auth-external and pwauth might look like this:

<VirtualHost *:443>
    ServerName calendar.example.com
    
    # WSGI (WSGI is the Web Server Gateway Interface) config for radicale
    # Group "adm" so radicale can write to it's log file in /var/log/radicale
    WSGIDaemonProcess radicale user=radicale group=adm threads=1
    WSGIScriptAlias / /usr/share/radicale/radicale.wsgi
    
    # Add Authentication via pwauth
    <IfModule mod_authnz_external.c>
        AddExternalAuth pwauth /usr/sbin/pwauth
        SetExternalAuthMethod pwauth pipe
    </IfModule>
    
    <Directory /usr/share/radicale>
        WSGIProcessGroup radicale
        WSGIApplicationGroup %{GLOBAL}
        # Pass on authentication data to radicale
        WSGIPassAuthorization On
        AllowOverride None
        
        AuthType Basic
        # This should be the same string as the radicale "realm" value
        AuthName "Kalenderserver - Password Required"
        AuthBasicProvider external
        AuthExternal pwauth
        # Any valid user will be allowed to athenticate.
        # You could restrict this further via authz_unixgroup
        Require valid-user
    </Directory>

With that configuration, Apache will verify access against usernames & passwords in the passwd/shadow files (do NOT use mod_authnz_pam for that!) and will pass the authentication data on to radicale. If you add authz_unixgroup, you could further limit the number of users to the members of a specific group, …

 

As always, I stood on the shoulders of giants in my work on this. So further reading should be:

• Radicale Installation on Jessie
• Radicale - Authentication
• Radicale - Apache and mod_wsgi
• WSGI – Web Server Gateway Interface
• Apache 2 and HTTP Authentication with PAM
• TLS Cipher String Cheat Sheet - OWASP
• mod-auth-external
• pwauth

Do be aware, that Radicale 2, which is currently at RC2, will bring changes (only support for httpasswd auth, …). As I am using Debian stable and do not see any immediate benefits in upgrading Radicale atm., I am rather happy with this setup.

Tagged as: caldav, calendar, calender, carddav, debian, how-to, howto, ical, kalender | Author: Martin Leyrer
[Samstag, 20170520, 17:19 | permanent link | 0 Kommentar(e)