LDAP certificate lookup
The gateway can be configured to look up S/MIME certificates from an external LDAP server if there is no valid certificate yet for a recipient.
Enabling LDAP certificate lookup requires some configuration from the command line.
Log in to the gateway console with SSH.
Tip
Windows users can, for example, use the free PuTTY SSH client.
Configuration
To enable LDAP certificate lookup, certain settings, such as the LDAP server URI and the base DN, must be configured.
The following settings can be configured:
gateway__enable_smime_retrieve_certificates_script_lookup
gateway__ldap_retrieve_certificates_uri
gateway__ldap_retrieve_certificates_base_dn
gateway__ldap_retrieve_certificates_search_scope
gateway__ldap_retrieve_certificates_alias_dereferencing
gateway__ldap_retrieve_certificates_search_filter_template
gateway__ldap_retrieve_certificates_exclude_recipients_regex
gateway__ldap_retrieve_certificates_include_recipients_regex
gateway__ldap_retrieve_certificates_bind_dn
gateway__ldap_retrieve_certificates_password
- gateway__enable_smime_retrieve_certificates_script_lookup
If set to True, LDAP certificate lookup will be enabled.
- gateway__ldap_retrieve_certificates_uri
The LDAP host to connect to. This is a required parameter and should be set to the company's LDAP server.
The format should be
[SCHEME]://[FQDN]:[PORT]
where [SCHEME] should be ldap or ldaps.
Examples:
gateway__ldap_retrieve_certificates_uri: ldap://ldap.example.com:389
gateway__ldap_retrieve_certificates_uri: ldaps://10.0.0.2:389
- gateway__ldap_retrieve_certificates_base_dn
The DN of the LDAP tree where the search should start.
Example:
gateway__ldap_retrieve_certificates_base_dn: ou=People,dc=example,dc=com
- gateway__ldap_retrieve_certificates_search_scope
The search scope can be used to limit the search. Select base, one, sub, or children to specify a base object, one-level, subtree, or children search. The default is sub.
Example:
gateway__ldap_retrieve_certificates_search_scope: sub
- gateway__ldap_retrieve_certificates_alias_dereferencing
Configures how alias dereferencing should be done. Should be one of never, always, search, or find. The default is never.
Example:
gateway__ldap_retrieve_certificates_alias_dereferencing: never
- gateway__ldap_retrieve_certificates_search_filter_template
Search filter used for searching for certificates. The token #{email} will be replaced by the email address of the recipient. The default search filter template is (&(objectclass=inetOrgPerson)(mail=#{email})).
Example:
gateway__ldap_retrieve_certificates_search_filter_template: (&(|(objectclass=inetOrgPerson)(objectclass=RFC822MAILUSER))(mail=#{email}))
- gateway__ldap_retrieve_certificates_exclude_recipients_regex
If configured, recipients that match the regular expression will be excluded from the LDAP lookup. This should be a space separated list of regular expressions matching the recipient's email address.
Example:
gateway__ldap_retrieve_certificates_exclude_recipients_regex: .*@gmail\.com .*@outlook\.com
- gateway__ldap_retrieve_certificates_include_recipients_regex
If set, an LDAP lookup will only be done for a recipient if the recipient matches. This should be a space separated list of regular expressions matching the recipient's email address. If not set, all recipients will be looked up.
Examples:
gateway__ldap_retrieve_certificates_include_recipients_regex: .*@example\.com
gateway__ldap_retrieve_certificates_include_recipients_regex: .*@example\.com .*@sub\.example\.com
- gateway__ldap_retrieve_certificates_bind_dn
If the LDAP connection requires authentication, this should be set to the DN of the LDAP user.
- gateway__ldap_retrieve_certificates_password
If the LDAP connection requires authentication, this should be set to the password of the LDAP user.
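The settings above decide, per recipient, whether a lookup happens and what search filter is sent to the directory. The following Python is an added illustration of that decision logic and is not the gateway's own ldap-retrieve-certificates.sh script. The setting names are the ones documented above; the values in SETTINGS are constructed. Two points are assumptions rather than documented behaviour: the recipient regular expressions are treated as having to match the whole address, and a recipient is looked up only when it matches an include rule (if any are set) and no exclude rule. The example also escapes the recipient address per RFC 4515 before substituting it for the #{email} token, so that an address containing filter metacharacters cannot alter the structure of the search filter; whether the gateway's script does this is not stated on this page.

```python
import re
from urllib.parse import urlparse

# Constructed settings in the shape of the YAML keys documented above (hypothetical values).
SETTINGS = {
    "gateway__ldap_retrieve_certificates_uri": "ldaps://ldap.example.com:636",
    "gateway__ldap_retrieve_certificates_search_filter_template":
        "(&(|(objectclass=inetOrgPerson)(objectclass=RFC822MAILUSER))(mail=#{email}))",
    "gateway__ldap_retrieve_certificates_exclude_recipients_regex": r".*@gmail\.com .*@outlook\.com",
    "gateway__ldap_retrieve_certificates_include_recipients_regex": r".*@example\.com .*@sub\.example\.com",
}

# The default template named on this page.
DEFAULT_FILTER_TEMPLATE = "(&(objectclass=inetOrgPerson)(mail=#{email}))"

# RFC 4515 escapes for the characters that carry meaning inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_uri(uri):
    """Check the [SCHEME]://[FQDN]:[PORT] form; only ldap and ldaps are accepted.
    Returns (scheme, host, port); a missing port defaults to 389 (ldap) or 636 (ldaps)."""
    parsed = urlparse(uri)
    if parsed.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {parsed.scheme!r}; use ldap or ldaps")
    if not parsed.hostname:
        raise ValueError("LDAP URI has no host")
    port = parsed.port if parsed.port is not None else (636 if parsed.scheme == "ldaps" else 389)
    return parsed.scheme, parsed.hostname, port


def compile_regex_list(value):
    """The *_recipients_regex settings are space separated lists; an empty setting means no rule."""
    return [re.compile(pattern) for pattern in (value or "").split()]


def should_lookup(email, include_regexes, exclude_regexes):
    """Assumption: a recipient is looked up when it matches an include rule (if any are
    configured) and matches no exclude rule; patterns must match the whole address."""
    if include_regexes and not any(r.fullmatch(email) for r in include_regexes):
        return False
    return not any(r.fullmatch(email) for r in exclude_regexes)


def escape_filter_value(value):
    """Escape a value that will be substituted into a search filter (RFC 4515, section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, email):
    """Replace the #{email} token with the escaped recipient address."""
    if "#{email}" not in template:
        raise ValueError("search filter template has no #{email} token")
    return template.replace("#{email}", escape_filter_value(email))


def plan_lookup(email, settings):
    """Return None when the recipient is skipped, otherwise the connection target
    and the exact filter that would be sent to the directory."""
    include = compile_regex_list(settings.get("gateway__ldap_retrieve_certificates_include_recipients_regex"))
    exclude = compile_regex_list(settings.get("gateway__ldap_retrieve_certificates_exclude_recipients_regex"))
    if not should_lookup(email, include, exclude):
        return None
    scheme, host, port = parse_uri(settings["gateway__ldap_retrieve_certificates_uri"])
    template = settings.get("gateway__ldap_retrieve_certificates_search_filter_template") or DEFAULT_FILTER_TEMPLATE
    return {"scheme": scheme, "host": host, "port": port, "filter": build_filter(template, email)}


if __name__ == "__main__":
    for address in ("alice@example.com", "bob@gmail.com", "carol@sub.example.com", "eve*@example.com"):
        print(address, "->", plan_lookup(address, SETTINGS))
```

Running the block prints, for each constructed address, either None (skipped by the include or exclude rules) or the host, port and filter. The last address shows the escaping: the asterisk becomes \2a in the filter, so it is matched literally instead of acting as a wildcard.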
The settings should be stored in the following yaml file:
/etc/ciphermail/ansible/group_vars/all/cm-ldap-retrieve-certificates.yml
To create a valid yaml file, adapt the following config and paste it on the command line:
sudo tee /etc/ciphermail/ansible/group_vars/all/cm-ldap-retrieve-certificates.yml <<EOF
gateway__enable_smime_retrieve_certificates_script_lookup: True
gateway__ldap_retrieve_certificates_uri: ldap://crtdir.certifikat.dk
gateway__ldap_retrieve_certificates_base_dn: o=Ingen organisatorisk tilknytning, c=DK
gateway__ldap_retrieve_certificates_search_scope: sub
gateway__ldap_retrieve_certificates_alias_dereferencing: never
gateway__ldap_retrieve_certificates_search_filter_template: (&(|(objectclass=inetOrgPerson)(objectclass=RFC822MAILUSER))(mail=#{email}))
gateway__ldap_retrieve_certificates_exclude_recipients_regex: .*@gmail\.com .*@outlook\.com
gateway__ldap_retrieve_certificates_include_recipients_regex:
gateway__ldap_retrieve_certificates_bind_dn:
gateway__ldap_retrieve_certificates_password:
EOF
To enable the LDAP config, the ansible playbook should be run:
sudo cm-run-playbook
Test
Test whether the script can look up a certificate from the LDAP server:
echo "test@example.com" | /usr/share/djigzo/scripts/scripts.d/ldap-retrieve-certificates.sh
Note: Replace test@example.com with a valid email address for which there is a certificate on the LDAP server.
If the LDAP server contains a certificate for the email address, the script should return a Base64 encoded certificate.
Example:
MIIFvzCCBKegAwIBAgIQSeTtMHIdW8+....
If the LDAP server does not contain a certificate for the email address, nothing will be returned.
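The script's two outcomes, nothing at all or one Base64 encoded certificate, can be checked mechanically when the test is scripted. The following Python is an added example, not part of the gateway, that interprets the script's standard output: empty output means no certificate, and anything else must decode to a DER SEQUENCE whose declared length matches the decoded data, which catches truncated or garbled output before it is mistaken for a certificate. The two non-empty samples are constructed minimal TLV values, not real certificates.

```python
import base64

# Constructed sample outputs (not real certificates): a minimal DER SEQUENCE with a
# short-form length, the same with a long-form length field, and an empty result.
SAMPLE_SHORT_FORM = "MAMCAQE=\n"   # bytes 30 03 02 01 01
SAMPLE_LONG_FORM = "MIEBBQ==\n"    # bytes 30 81 01 05
SAMPLE_NO_CERT = "\n"              # the script prints nothing when no certificate is found


def der_length(buf, pos):
    """Decode the DER length field at buf[pos]; returns (length, bytes consumed)."""
    first = buf[pos]
    if first < 0x80:
        return first, 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), 1 + count


def parse_script_output(stdout):
    """Interpret the lookup script's output. Returns None for an empty result and the
    DER bytes for a plausible certificate; raises ValueError for anything else."""
    text = "".join(stdout.split())  # tolerate line wrapping and trailing newlines
    if not text:
        return None
    try:
        der = base64.b64decode(text, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("script output is not valid Base64") from exc
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    length, consumed = der_length(der, 1)
    if 1 + consumed + length != len(der):
        raise ValueError("DER length does not match the decoded data (truncated output?)")
    return der


if __name__ == "__main__":
    import sys
    # Usage: echo "test@example.com" | ldap-retrieve-certificates.sh | python3 this_script.py
    result = parse_script_output(sys.stdin.read())
    print("no certificate returned" if result is None else f"certificate: {len(result)} DER bytes")
```

The sample output above begins with MIIFvz, which decodes to the bytes 30 82 05 bf: a DER SEQUENCE declaring 1471 bytes of content, which is the shape of a real X.509 certificate. This check only confirms that the output is well-formed DER; whether the certificate is trusted is decided by the gateway against its installed root and intermediate certificates.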
Finish
Now when an email gets sent to an external recipient, the gateway does an LDAP search for each recipient for which it does not yet have a valid certificate.
Check the back-end log file to see whether the back-end starts without any problems:
sudo tail -f /var/log/ciphermail-gateway-backend.log
Note
Make sure the correct root and intermediate certificates are installed on the gateway; otherwise the certificates retrieved from LDAP will not be trusted and therefore not used.