
Configure Encryption Gateway Email with Postfix

Introduction

This installation guide provides step-by-step instructions on how to manually install CipherMail with the tar release. If CipherMail is going to be installed on Ubuntu, Debian, Red Hat, CentOS or SUSE, you are strongly advised to use the installation guide which explains how to install CipherMail using the deb or rpm packages. Use this guide as background information on how to install CipherMail on systems not directly supported by the deb or rpm packages.

Note: The recommended way to install CipherMail is by using the deb or rpm packages. See the installation guide on how to install CipherMail with the deb or rpm packages.

Requirements

• PostgreSQL, MySQL or Oracle
• Postfix
• OpenJDK 7 or 8
• ANT
• Tomcat (or Jetty)

Note: Commands that should be executed by the user are shown on lines starting with a $ sign (the $ sign is not part of the command to execute). It is recommended to copy and paste the commands directly to the command line. Some PDF readers do not support copy-and-paste from PDF. Make sure that copy-and-paste works correctly.

Warning: do not install CipherMail on a live email system!

Install CipherMail on Ubuntu & Debian

This section explains how to install CipherMail on Ubuntu and Debian.

Note: This guide assumes that CipherMail will be configured for use with PostgreSQL. If MySQL/MariaDB or Oracle Database should be used instead, all PostgreSQL related steps can be skipped. See Appendix A on how to configure CipherMail for MySQL/MariaDB and Appendix B on how to configure CipherMail for Oracle Database.

Alternatively, CipherMail can first be installed with PostgreSQL. After confirming that CipherMail works correctly with PostgreSQL, support for the other database can be configured.

Install required packages

$ sudo apt-get install postgresql postfix openjdk-8-jre \
openjdk-8-jre-headless ant ant-optional \
mktemp libsasl2-modules symlinks

Note: During the installation of Postfix, select “No Configuration”.

Configure PostgreSQL

CipherMail stores all settings in a PostgreSQL database.

Create database user

Create the database user djigzo with password djigzo.

$ echo "CREATE USER djigzo ENCRYPTED PASSWORD \
'md5b720bc9de4ca53d53a4059882a0868b9';" | sudo -u postgres psql

Create database

Create the database djigzo owned by database user djigzo.

$ sudo -u postgres createdb --owner djigzo djigzo
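The encoded password passed to CREATE USER above is PostgreSQL's md5 role-password format: the literal prefix md5 followed by the MD5 hash of the password concatenated with the username, in that order. The helper below is an added example, not part of the CipherMail guide; it assumes md5sum from coreutils is available, and lets you generate the string for a different password or confirm that a hash copied from documentation matches the password you expect.

```shell
#!/bin/sh
# Added example (not from the CipherMail guide): build the "md5..." string
# PostgreSQL stores for a role, so CREATE USER can be given the encoded form
# instead of the plaintext password. PostgreSQL defines it as
#     'md5' || md5(password || username)
# which is why the same password yields a different string per role name.

# pg_md5_password USERNAME PASSWORD -> prints the encoded password
pg_md5_password() {
    _user=$1
    _pass=$2
    _digest=$(printf '%s%s' "$_pass" "$_user" | md5sum | cut -d ' ' -f 1)
    printf 'md5%s\n' "$_digest"
}

# pg_md5_matches USERNAME PASSWORD ENCODED -> exit 0 if ENCODED was derived
# from USERNAME/PASSWORD, 1 otherwise (use it to confirm that a hash copied
# from documentation really corresponds to the password you expect)
pg_md5_matches() {
    [ "$(pg_md5_password "$1" "$2")" = "$3" ]
}

# Usage with the guide's role name and password (both "djigzo"):
#   echo "CREATE USER djigzo ENCRYPTED PASSWORD '$(pg_md5_password djigzo djigzo)';" \
#       | sudo -u postgres psql
```

PostgreSQL 10 and later also support scram-sha-256 role passwords (password_encryption = scram-sha-256), which avoid storing an MD5-based hash; the md5 form is shown here because it is what the CREATE USER statement above uses.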

Install CipherMail

A user and group djigzo with home dir /usr/local/djigzo should be created. CipherMail will be installed in the djigzo home dir and will run as user djigzo.

$ sudo adduser --system --group --home /usr/local/djigzo \
--disabled-password --shell /bin/false djigzo

Note: The sudo package is required by CipherMail. Debian does not install sudo by default. If installing on Debian, sudo must be installed prior to installing CipherMail.

Note: The encoded password is equal to ‘md5’ concatenated with the MD5 hash of the username and password.

Add user djigzo to the adm group to allow user djigzo to read the Postfix log files. This is only required if the CipherMail Web GUI should be allowed to show Postfix log file content.

$ sudo usermod -a -G adm djigzo

Create a directory for CipherMail web owned by djigzo.

$ sudo mkdir /usr/local/djigzo-web
$ sudo chown djigzo:djigzo /usr/local/djigzo-web

Download CipherMail

A full installation of CipherMail requires the CipherMail encryption back-end and the Web GUI front-end. Both can be downloaded from http://www.ciphermail.com. The following two .tar.gz files are required:

djigzo_?.?.?-?.tar.gz
djigzo-web_?.?.?-?.tar.gz

Untar the files

$ sudo -u djigzo tar xzf djigzo_?.?.?-?.tar.gz --directory \
/usr/local/djigzo/

$ sudo -u djigzo tar xzf djigzo-web_?.?.?-?.tar.gz --directory \
/usr/local/djigzo-web/

Run post install script

Some initialization will be done with an ANT script.

$ cd /usr/local/djigzo
$ sudo -u djigzo ant

Importing the database schema

Import the database schema into PostgreSQL (the schema file is fed to psql on standard input):

$ sudo -u djigzo psql djigzo < /usr/local/djigzo/conf/database/sql/djigzo.sql

Update location of CipherMail

CipherMail should be automatically started at system startup. The startup script should know the path where CipherMail is installed.

$ sudo bash -c 'echo "DJIGZO_HOME=/usr/local/djigzo" >> \
/etc/default/djigzo'

Configure scripts

For some of it’s functionality, for example managing the Postfix mail
queues,
shell scripts will be used. These shell scripts should be executable,
owned by
root and only writeable by root. Some scripts will be executed from the
scripts.d directory and symlinks should therefore be created:

$ cd /usr/local/djigzo/scripts/scripts.d
$ sudo ln -s ../backup.sh
$ sudo ln -s ../daemonized-restart.sh
$ sudo ln -s ../postfix-main-config.sh
$ sudo ln -s ../postfix.sh
$ sudo ln -s ../sasl.sh
$ sudo ln -s ../system.sh

The scripts should be executable, owned by root and only writeable by the owner:

$ sudo chown -R root:root /usr/local/djigzo/scripts/*
$ sudo chmod -R 755 /usr/local/djigzo/scripts/*

sudo

For some scripts root access is required (for example to configure Postfix). To allow these scripts to run as root, a sudoers configuration fragment should be added.

$ sudo vi /etc/sudoers.d/ciphermail

Copy the following lines to the /etc/sudoers.d/ciphermail file:

User_Alias DJIGZO_USERS = djigzo
Cmnd_Alias DJIGZO_COMMANDS = /usr/local/djigzo/scripts/do-execute-script.sh
DJIGZO_USERS ALL=(ALL) NOPASSWD: DJIGZO_COMMANDS
Defaults:root,djigzo !requiretty
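Because this fragment lets user djigzo run do-execute-script.sh as root without a password, the root-ownership and owner-only-write requirement on the scripts tree is what stands between a compromised djigzo account and root. The audit below is an added example, not part of the CipherMail guide; the function name is an assumption, and it takes the scripts directory as its argument.

```shell
#!/bin/sh
# Added example, not part of the CipherMail guide. The sudoers fragment lets
# user djigzo run do-execute-script.sh as root without a password, so every
# file under the scripts directory must be owned by root and writable only
# by root: anyone who can modify a script there can run code as root.
#
# audit_scripts_dir DIR prints one line per offending path ("OWNER path" for
# a non-root owner, "WRITABLE path" for group/world write permission) and
# returns 1 if anything was reported, 0 if the tree is clean. Symlinks are
# skipped: the guide creates them in scripts.d, and a symlink's own mode is
# irrelevant, while its target is still checked as a regular entry.
audit_scripts_dir() {
    _dir=$1
    _report=$( {
        find "$_dir" ! -type l ! -user root -exec printf 'OWNER %s\n' {} \;
        find "$_dir" ! -type l \( -perm -g+w -o -perm -o+w \) \
            -exec printf 'WRITABLE %s\n' {} \;
    } )
    if [ -n "$_report" ]; then
        printf '%s\n' "$_report"
        return 1
    fi
    return 0
}

# Usage on the directory the guide installs into (run as root so ownership
# can be evaluated for every entry):
#   audit_scripts_dir /usr/local/djigzo/scripts && echo "scripts tree is clean"
```

The sudoers fragment itself can be syntax-checked with visudo -c before relying on it.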

Configure backup

CipherMail contains a backup functionality which can backup all the
relevant
settings. The files to backup will be read from the conf/backup.d
directory.
A symlink to the default list of files to backup should be added.

$ cd /usr/local/djigzo/conf/backup.d/
$ sudo ln -s ../backup_files

The conf/backup.d directory should be owned by root and only writeable by the owner.

$ sudo chown -R root:root /usr/local/djigzo/conf/backup.d/
$ sudo chmod -R 755 /usr/local/djigzo/conf/backup.d/

The backup_files file should be owned by root and only writeable by the
owner.

$ sudo chown root:root /usr/local/djigzo/conf/backup_files
$ sudo chmod 644 /usr/local/djigzo/conf/backup_files

Start at boot time

A softlink to the startup script will be added to /etc/init.d directory
and /etc/rc?.d will be updated.

$ sudo ln -s /usr/local/djigzo/scripts/djigzo /etc/init.d/
$ sudo update-rc.d djigzo defaults

Configure Postfix

CipherMail uses Postfix for sending and receiving email (MTA). CipherMail functions as a Postfix “after queue filter”. Postfix should therefore be configured to work with the encryption back-end.

Two pre-configured Postfix configuration files, main.cf and master.cf, can be found in /usr/local/djigzo/conf/system. It is recommended to use these pre-configured Postfix configuration files. If Postfix is already configured and the existing settings should not be overwritten, the existing Postfix configuration files should be manually merged with the configuration files provided by CipherMail.

The most important Postfix configuration settings required by CipherMail
are discussed next.

main.cf configuration

The Postfix main configuration file should at least contain the content filter setting which tells Postfix that all email should be handled by the CipherMail encryption back-end. The content filter setting tells Postfix that the service running on 127.0.0.1:10025 will function as an “after queue filter”.

content_filter = djigzo:[127.0.0.1]:10025

Note: If you already configured a content filter, you should configure additional filters in master.cf. This will however not be explained in this guide.

The other settings in the pre-configured main.cf file are only required for the MTA configuration page of the CipherMail Web GUI. Settings starting with djigzo will be replaced when applying changes on the MTA page. The djigzo ... settings are used by main.cf and master.cf (the settings are referenced as ${djigzo ...}).

master.cf configuration

The Postfix master configuration file requires at least the following lines:

# injection port for mail handled by the back-end
127.0.0.1:10026 inet n - - - 10 smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_tls_security_level=
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_authorized_xclient_hosts=127.0.0.0/8
    -o cleanup_service_name=cleanup_reinject

# injection port for mail sent by web gui
127.0.0.1:10027 inet n - - - 10 smtpd
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_tls_security_level=
    -o mynetworks=127.0.0.0/8
    -o syslog_name=postfix/10027
    -o message_size_limit=${djigzo_before_filter_message_size_limit}

message size limit

Because CipherMail functions as an “after queue filter”, the size of a message after encryption or decryption can be higher than when the message was first received. For example, signing a message will slightly increase the message because of the S/MIME signature. The after queue message size limit should therefore be larger than the message size limit before filtering (otherwise Postfix will reject the message after filtering). To make sure that the before filter size limit is lower than the after filter size limit, a limit should be set on the smtpd service.

smtp inet n - - - - smtpd
    -o message_size_limit=${djigzo_before_filter_message_size_limit}
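The two injection listeners above switch off the normal HELO, client and sender restrictions, so what keeps them from being an open relay is that they bind to 127.0.0.1, reject recipients with permit_mynetworks,reject and confine mynetworks to 127.0.0.0/8. The check below is an added example, not part of the CipherMail guide: it extracts a service's -o overrides from a master.cf and fails unless all three conditions hold; the function names and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CipherMail guide: verify that a CipherMail
# injection listener in master.cf is loopback-only.
# service_options FILE SERVICE: print the "-o" continuation lines of SERVICE
# (a logical master.cf line starts in column 1 and continues on lines that
# start with whitespace). Exits 1 if SERVICE is not defined in FILE.
service_options() {
    awk -v svc="$2" '
        /^#/ || /^[ \t]*$/ { next }                 # comment or blank line
        /^[ \t]/           { if (cur) print; next } # continuation of current service
                           { cur = ($1 == svc); if (cur) found = 1 }
        END                { exit !found }
    ' "$1"
}

# check_injection_port FILE SERVICE: the listener must bind to 127.0.0.1,
# reject every recipient not coming from mynetworks, and confine mynetworks
# to the loopback range, because its other smtpd restrictions are disabled.
check_injection_port() {
    _file=$1; _svc=$2
    case $_svc in
        127.0.0.1:*) ;;
        *) echo "$_svc: not bound to the loopback address"; return 1 ;;
    esac
    _opts=$(service_options "$_file" "$_svc") \
        || { echo "$_svc: service not defined in $_file"; return 1; }
    for _need in 'smtpd_recipient_restrictions=permit_mynetworks,reject' \
                 'mynetworks=127.0.0.0/8'; do
        printf '%s\n' "$_opts" | grep -q -- "-o $_need\$" \
            || { echo "$_svc: missing -o $_need"; return 1; }
    done
    echo "$_svc: ok"
}

# write_sample_master_cf FILE: constructed sample modelled on the guide's
# listeners; 10027 is deliberately broken (mynetworks open to everyone).
write_sample_master_cf() {
    cat > "$1" <<'EOF'
# injection port for mail handled by the back-end
127.0.0.1:10026 inet n - - - 10 smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
# injection port for mail sent by web gui
127.0.0.1:10027 inet n - - - 10 smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=0.0.0.0/0
EOF
}
```

Against the live configuration, run check_injection_port /etc/postfix/master.cf 127.0.0.1:10026 (and the same for 10027) after copying the pre-configured files and again after any edit on the MTA page.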

Copy Postfix config files

It is advised to use the pre-configured Postfix configuration files. The pre-configured configuration files should be copied to the Postfix config directory.

Warning: The following commands will overwrite all settings in the original Postfix config files. If existing Postfix settings must be kept, the required changes should be manually applied.

$ sudo cp /usr/local/djigzo/conf/system/main.cf /etc/postfix/main.cf
$ sudo cp /usr/local/djigzo/conf/system/master.cf /etc/postfix/master.cf

Update aliases

Postfix uses /etc/aliases as the alias file. Make sure that the alias file is available and up-to-date.

$ sudo newaliases

Restart postfix

$ sudo service postfix restart

Install Tomcat

Install the required Tomcat package

$ sudo apt-get install tomcat8

Note: On older releases, install tomcat7 and change the commands below to match tomcat7.

Set djigzo-web.home

The system property djigzo-web.home should reference the location where the CipherMail Web GUI is stored. The property will be added to the Tomcat default config file.

$ sudo bash -c 'echo "JAVA_OPTS=\"\$JAVA_OPTS -Ddjigzo-web.home=\
/usr/local/djigzo-web\"" >> /etc/default/tomcat8'

Configure Tomcat memory usage

In order to allow the import of very large certificate files (.p7b or .pfx files with thousands of certificates), CipherMail requires that Tomcat is set up with at least 128 MB heap size.

$ sudo bash -c 'echo "JAVA_OPTS=\"\$JAVA_OPTS \
-Djava.awt.headless=true -Xmx128M\"" >> /etc/default/tomcat8'

Allow reading and writing of SSL certificate

The CipherMail Web GUI allows new SSL certificates for the Web GUI to be uploaded using the SSL page. To support this functionality, Tomcat should be allowed to read and write the SSL certificate.

$ sudo chown tomcat8:djigzo /usr/local/djigzo-web/ssl/sslCertificate.p12

Adding an HTTPS connector

An HTTPS connector should be added to the Tomcat server configuration. If Tomcat is only used by CipherMail, it’s advised to replace the existing Tomcat configuration file (/etc/tomcat6/server.xml) with the configuration file provided by CipherMail.

Warning: This overwrites the existing server.xml file. If you want to keep the existing server.xml file, you need to manually add the HTTPS Connector. See Appendix C for more information.

$ sudo cp /usr/local/djigzo-web/conf/tomcat/server.xml /etc/tomcat8/

The path to djigzo-web should be updated

$ sudo sed s#/share/djigzo-web/#/local/djigzo-web/# \
/etc/tomcat8/server.xml --in-place

Note: If using Tomcat 8, because of a bug in Tomcat 8 (https://bz.apache.org/bugzilla/show_bug.cgi?id=60940), the setting “unpackWARs” in /etc/tomcat/server.xml should be changed from “false” to “true”.

$ sudo sed -i 's/unpackWARs="false"/unpackWARs="true"/' /etc/tomcat8/server.xml

Adding the Web admin context

A context should be added to Tomcat to enable the Web admin application.

$ sudo bash -c 'echo "<Context docBase=\"/usr/local/djigzo-web/djigzo.war\" />" \
> /etc/tomcat8/Catalina/localhost/ciphermail.xml'

Note: If you want CipherMail to use the root context, save the context file to ROOT.xml (overwriting the existing file) instead of to ciphermail.xml.

Adding the Web portal context

If the portal functionality is required, a specific portal context should be added to Tomcat.

$ sudo bash -c 'echo "<Context docBase=\"/usr/local/djigzo-web/djigzo-portal.war\" />" \
> /etc/tomcat8/Catalina/localhost/web.xml'

Restart Tomcat

Tomcat should be restarted to make it use the new Tomcat configuration.

$ sudo service tomcat8 restart

Note: The root context allows you to access CipherMail using a URL of the form https://192.168.178.2:8443 instead of https://192.168.178.2:8443/ciphermail.

Finalize

Create a softlink to the djigzo log file.

$ sudo ln -s /usr/local/djigzo/logs/james.wrapper.log /var/log/djigzo.log

Protect files

Some files containing passwords should only be readable by user djigzo.

$ sudo chmod 640 /usr/local/djigzo/conf/djigzo.properties
$ sudo chmod 640 /usr/local/djigzo/conf/database/*.connection.xml

Restart services

Restart Postfix and CipherMail.

$ sudo service postfix restart
$ sudo service djigzo restart

Open the Web GUI

CipherMail should now be running (wait some time for Tomcat to start up). The login page can be accessed using the following URL (change the IP address accordingly):

https://192.168.178.2:8443/ciphermail

Note: CipherMail comes with a pre-installed SSL certificate which is not trusted by your browser by default. You should therefore manually accept the SSL certificate the first time you open the page. A new trusted SSL certificate can be uploaded from the web GUI.

Login

Use the following login credentials:

username: admin
password: admin

Note: The login procedure can take some time after a restart because the Web GUI requires some internal initialization after a restart.

Note: If CipherMail was installed as the root context, the URL should be https://192.168.178.2:8443.

Log output

If CipherMail is not running, check the following log files for errors:

CipherMail log

$ less /var/log/djigzo.log

Tomcat log

$ sudo less /var/log/tomcat8/catalina.out
© 1984 - 2021 Linuxsecrets.com. All Rights Reserved.