SUSE

The .rpm packages have been tested on SUSE Linux Enterprise 15.2.

Note

All commands should be executed as the root user.

Configure firewall

If a local firewall is enabled, it should be configured to allow access to certain ports. The following ports should be remotely accessible: SMTP (25) and 8443 [1].

[1] See Port usage for a list of all used ports.

firewall-cmd --zone=public --add-port=25/tcp --permanent
firewall-cmd --zone=public --add-port=8443/tcp --permanent
firewall-cmd --reload

Tip

If the web GUI should be accessible on the standard https port (443) instead of 8443, add the following additional firewall rules

firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=8443 --permanent
firewall-cmd --reload

This will redirect all requests for port 443 to port 8443.

Install required packages

The CipherMail installation requires packages from specialized SUSE modules. These modules therefore need to be activated.

SUSEConnect -p sle-module-desktop-applications/15.2/x86_64
SUSEConnect -p sle-module-development-tools/15.2/x86_64

Install packages required by CipherMail.

zypper install ant java-11-openjdk-headless java-11-openjdk-devel postfix sudo

The CipherMail RPM packages are signed with a PGP key. To validate the signature of the packages, the PGP key https://www.ciphermail.com/downloads/ciphermail-signing-key.asc should be imported into RPM.

rpm --import https://www.ciphermail.com/downloads/ciphermail-signing-key.asc

The signature of the rpm packages can be validated using the following command:

rpm -K <file>
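As an added example (not part of the CipherMail guide), the following shell functions gate the install on the rpm -K verdict. rpm -K exits 0 and prints a plain "digests OK" for a package that carries no signature at all, so the check below insists that a signature was actually verified; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the CipherMail guide: only install packages whose
# signature "rpm -K" has verified against the imported signing key.
# Function names are this example's own.

# Return 0 when one line of "rpm -K" output reports a verified signature.
# Current rpm prints "<file>: digests signatures OK"; older rpm prints
# "<file>: rsa sha1 (md5) pgp md5 OK". Failures contain "NOT OK", and an
# unsigned package is reported as plain "digests OK" (exit status 0), which
# is rejected too because no signature was checked.
rpm_k_line_ok() {
    verdict=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$verdict" in *"not ok"*) return 1 ;; esac
    case "$verdict" in *" ok") ;; *) return 1 ;; esac
    case "$verdict" in *signatures*|*pgp*|*gpg*) return 0 ;; *) return 1 ;; esac
}

# Check every given .rpm with "rpm -K"; call zypper only if all of them pass.
verify_then_install() {
    for f in "$@"; do
        out=$(rpm -K "$f" 2>&1) || { echo "rpm -K failed: $out" >&2; return 1; }
        rpm_k_line_ok "$out" || { echo "unverified signature: $out" >&2; return 1; }
    done
    zypper install "$@"
}

# Usage on the gateway host, after importing the signing key as the guide shows:
#   verify_then_install djigzo-[0-9]*[0-9].noarch.rpm ciphermail-core-os-no-deps-[0-9]*[0-9].noarch.rpm
```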

CipherMail packages

A full installation of CipherMail requires the CipherMail encryption back-end and the Web GUI front-end.

The following three packages are required:

  • djigzo

  • djigzo-web

  • ciphermail-core-os-no-deps

Configure back-end

Install back-end packages

zypper install djigzo-[0-9]*[0-9].noarch.rpm ciphermail-core-os-no-deps-[0-9]*[0-9].noarch.rpm

Enable the back-end service

systemctl enable ciphermail-gateway-backend

Configure database

Note

This guide assumes that CipherMail will be configured for PostgreSQL. See MySQL/MariaDB on how to configure the gateway for MySQL/MariaDB.

Install PostgreSQL

zypper install postgresql-server

Configure Postgres to auto start at boot

systemctl enable postgresql

Start PostgreSQL

systemctl start postgresql

Username/password authentication should be enabled by replacing ident with md5 for localhost:

sed -i -r "s/^(host\s+all\s+all\s+127.0.0.1\/32\s+)ident/\1 md5/g" /var/lib/pgsql/data/pg_hba.conf

Restart Postgres

systemctl restart postgresql
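As an added example (not part of the CipherMail guide), the functions below apply the guide's pg_hba.conf substitution to a constructed copy of the file and verify the result before Postgres is restarted. The guide's \s is spelled [[:space:]] and -r as -E so the same pattern also runs on non-GNU sed; note that only the IPv4 localhost line is changed, which matches the later psql -h 127.0.0.1 connection.

```shell
#!/bin/sh
# Added example, not from the CipherMail guide: check the pg_hba.conf edit
# before restarting PostgreSQL. Function names are this example's own.

# Print the auth method of the "host all all 127.0.0.1/32" line.
pg_hba_localhost_method() {
    awk '$1=="host" && $2=="all" && $3=="all" && $4=="127.0.0.1/32" {print $5; exit}' "$1"
}

# The guide's substitution (ident -> md5 for IPv4 localhost), written without
# sed -i so it also works on BSD sed; -E is the portable spelling of -r.
enable_md5_localhost() {
    sed -E "s/^(host[[:space:]]+all[[:space:]]+all[[:space:]]+127.0.0.1\/32[[:space:]]+)ident/\1 md5/g" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Constructed sample resembling a fresh SUSE pg_hba.conf (not a file from the guide).
make_sample_pg_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
EOF
}

# Return 0 only when the IPv4 localhost line now uses md5.
check_localhost_md5() {
    [ "$(pg_hba_localhost_method "$1")" = "md5" ]
}
```

On the real host, run check_localhost_md5 /var/lib/pgsql/data/pg_hba.conf after the sed from the guide and before systemctl restart postgresql.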

Create database user

Note

The database connection, like user, password and database name, is configured in the file /usr/share/djigzo/conf/database/hibernate.connection.xml. The default user, password and database name is set to djigzo. If you select different values, update the hibernate.connection.xml file.

sudo -u postgres createuser -P djigzo

Note

To use the default database password, select djigzo as the password.

Update the database connection config file /usr/share/djigzo/conf/database/hibernate.connection.xml to match the selected password.

Create database

sudo -u postgres createdb --owner djigzo djigzo

Import database definition

psql -h 127.0.0.1 djigzo djigzo < /usr/share/djigzo/conf/database/sql/djigzo.sql

Use the password which was selected with the createuser command.

Configure Postfix

Email is first received by Postfix (MTA). Postfix then sends the email to the encryption back-end using an after queue filter. This requires some changes to the Postfix configuration files. CipherMail installs a pre-configured Postfix main and master configuration file which should be copied to the postfix configuration directory.

Warning

The following commands will overwrite all settings in the original postfix config files. If existing Postfix settings should be kept, the required changes to Postfix should be manually applied.

Prevent SUSE from changing the postfix config files provided by CipherMail

touch /var/adm/postfix.configured

Copy postfix configuration files.

cp -b /usr/share/djigzo/conf/system/postfix/main.suse.cf /etc/postfix/main.cf
cp -b /usr/share/djigzo/conf/system/postfix/master.suse.cf /etc/postfix/master.cf

Update aliases.

Postfix uses /etc/aliases as the alias file. Make sure that the alias file is available and up-to-date.

newaliases

Restart Postfix.

systemctl restart postfix

The mail logs should be readable by user “djigzo”. We will therefore add a special maillog group.

Note

This can be skipped if you do not want the MTA log to be shown on the MTA page.

groupadd maillog
usermod -a -G maillog djigzo
chown root:maillog /var/log/mail.info
chmod g+r /var/log/mail.info

SUSE stores the Postfix log files in mail.info instead of /var/log/maillog. Configure the back-end to read mail.info.

echo -e "cm.log.mail.file.0=/var/log/mail.info\ncm.log.mail.file.1=/var/log/mail.info.1" > \
/usr/share/djigzo/conf/spring/spring.properties.d/z-smtp-log-config.properties

Configure Postfix to auto start at boot

systemctl enable postfix

Configure logrotate

By default mail logs are rotated with the date appended to the filename. CipherMail however expects the rotated log files to be appended with an increasing number.

A separate rotate rule for maillog should be added by modifying the default syslog config.

Note

This can be skipped if you do not want the MTA log to be shown on the MTA page.

vi /etc/logrotate.d/syslog

Remove the existing /var/log/mail.info entry and then add the following entry:

/var/log/mail.info
{
    compress
    delaycompress
    nodateext
    maxage 365
    rotate 99
    missingok
    notifempty
    size +4096k
    create 640 root maillog
    sharedscripts
    postrotate
        /usr/bin/systemctl reload syslog.service > /dev/null
    endscript
}

Configure rsyslog

RSyslog rate-limits log messages if too many messages arrive within a certain time frame. On a busy server, the default rate limit is too low, resulting in dropped log messages.

Change the rate-limit

echo '$imjournalRatelimitInterval 60' > /etc/rsyslog.d/ratelimit.conf

Configure front-end

Install Web-GUI package

zypper install djigzo-web-[0-9]*[0-9].noarch.rpm

Install Tomcat

Before Tomcat can be installed, the web-scripting module should be activated.

SUSEConnect -p sle-module-web-scripting/15.2/x86_64

Install Tomcat

zypper install tomcat

To support importing files containing a large number of certificates or keys, Tomcat should be configured with at least 128 MB of heap.

echo 'JAVA_OPTS="-Djava.awt.headless=true -Xmx128M"' >> /etc/sysconfig/tomcat

To support uploading new TLS certificates for the Web GUI, Tomcat should be allowed to read and write the PKCS#12 file containing the TLS certificate and key.

chown tomcat:djigzo /usr/share/djigzo-web/ssl/sslCertificate.p12

An HTTPS connector should be added to the Tomcat server configuration. If Tomcat is only used by CipherMail, it’s advised to replace the existing Tomcat configuration file (/etc/tomcat/server.xml) with the configuration file provided by CipherMail.

Note

If you want to keep the existing server.xml file, you need to manually add the HTTPS Connector.

cp -b /usr/share/djigzo-web/conf/tomcat/server.xml /etc/tomcat/

Create the localhost sub directory where the web content files will be added

mkdir -p /etc/tomcat/Catalina/localhost

Add the Web admin context

echo '<Context docBase="/usr/share/djigzo-web/djigzo.war" />' > /etc/tomcat/Catalina/localhost/ciphermail.xml

Add the portal context

echo '<Context docBase="/usr/share/djigzo-web/djigzo-portal.war" />' > /etc/tomcat/Catalina/localhost/web.xml

Tomcat should automatically start at boot:

systemctl enable tomcat

Finish

Restart the back-end and front-end services:

systemctl restart rsyslog
systemctl restart ciphermail-gateway-backend
systemctl restart tomcat

CipherMail should now be running (allow some time for Tomcat to start up). The login page can be accessed using the following URL:

https://192.168.178.2:8443/ciphermail [2]

[2] If redirection from 8443 to 443 is enabled, or Apache or NGINX is used as a front-end proxy, use the standard HTTPS port 443.

Change the IP address to the correct address.

Note

CipherMail comes with a pre-installed TLS certificate which is not by default trusted by your browser. You should therefore manually accept the TLS certificate the first time the page is opened.

Log in with your system account.

CipherMail gateway uses PAM authentication by default. You can log in with the root account or any system account which is a member of the wheel group or the sudo group.

Tip

Additional non-PAM login accounts can be added, or PAM authentication can be disabled, after logging into the Web GUI.

If CipherMail is not running, check the following log files for errors:

CipherMail log via journald:

journalctl -u ciphermail-gateway-backend

CipherMail log file:

less /var/log/ciphermail-gateway-backend.log

Tomcat log:

journalctl -u tomcat

Note

The login procedure can take some time after a restart because the Web GUI performs some internal initialization at startup.