LDAP certificate lookup¶
The gateway can be configured to look up S/MIME certificates from an external LDAP server if there is no valid certificate yet for a recipient.
Enabling LDAP certificate lookup requires some configuration from the command line.
Install¶
Log in to the gateway console with SSH.
Tip
Windows users can, for example, use the free PuTTY SSH client.
The following steps will configure the gateway to do a remote LDAP lookup for an S/MIME certificate.
Enable the required library:
sudo ln -s /usr/share/djigzo-cert-lookup/lib/djigzo-cert-lookup.jar /usr/share/djigzo/lib/lib.d/
Enable the service:
sudo ln -s /usr/share/djigzo-cert-lookup/conf/spring/djigzo-cert-lookup.xml /usr/share/djigzo/conf/spring/spring.d/
Add a fragment to the mail flow to look up an S/MIME certificate:
sudo ln -s /usr/share/djigzo-cert-lookup/conf/james/ldap-retrieve-certificates.xml /usr/share/djigzo/conf/james/SAR-INF/custom-processors.d/
Copy the default script to the directory from which scripts will be executed:
sudo cp /usr/share/djigzo-cert-lookup/scripts/ldap-retrieve-certificates.sh /usr/share/djigzo/scripts/scripts.d/
Configure¶
The settings for the lookup, for example the LDAP host, should be configured to match the company's LDAP server.
The default settings can be overridden using the default file /etc/default/cm-ldap-retrieve-certificates-settings.
sudo vi /etc/default/cm-ldap-retrieve-certificates-settings
The following settings can be set:
- ldap_uri
This is the LDAP host to connect to. This is a required parameter and should be set to the company's LDAP server.
The format should be [SCHEME]://[FQDN]:[PORT], where [SCHEME] should be ldap or ldaps. Examples:
ldap://ldap.example.com:389
ldaps://10.0.0.2:389
- ldap_base_dn
The DN of the LDAP tree where the search should start.
Example:
ou=People,dc=example,dc=com
- search_scope
The search scope can be used to limit the search. Select base, one, sub, or children to specify a base object, one-level, subtree, or children search. The default is sub.
- alias_dereferencing
Specifies how alias dereferencing is done. Should be one of never, always, search, or find. The default is never.
- search_filter_template
The search filter used for searching for certificates. The template should contain the token #{email}. This token will be replaced by the email address of the recipient. The default search filter template is set to (&(objectclass=inetOrgPerson)(mail=#{email})).
Example:
To search for email addresses on the LDAP server ldap://crtdir.certifikat.dk, use the following template:
(&(|(objectclass=inetOrgPerson)(objectclass=RFC822MAILUSER))(mail=#{email}))
- exclude_recipients_regex
If set, recipients that match will be excluded from the LDAP lookup. This should be a space separated list of regular expressions matching the recipient's email address. If not set, no recipients will be excluded.
Examples:
.*@gmail\.com
.*@gmail\.com .*@outlook\.com
- include_recipients_regex
If set, an LDAP lookup will only be done for a recipient if the recipient matches. This should be a space separated list of regular expressions matching the recipient's email address. If not set, all recipients will be looked up.
Examples:
.*@example\.com
.*@example\.com .*@sub\.example\.com
Note
At a minimum, the following variables should be changed to match your LDAP server: ldap_uri and ldap_base_dn.
Example settings¶
Example settings file for looking up a certificate on certifikat.dk while excluding gmail.com and outlook.com:
ldap_uri="ldap://crtdir.certifikat.dk"
ldap_base_dn="o=Ingen organisatorisk tilknytning, c=DK"
search_filter_template="(&(|(objectclass=inetOrgPerson)(objectclass=RFC822MAILUSER))(mail=#{email}))"
exclude_recipients_regex=".*@gmail\.com .*@outlook\.com"
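As an added illustration of what these settings control (this is not the gateway's own ldap-retrieve-certificates.sh script), the POSIX shell script below implements the exclude/include regex decision, the substitution of #{email} into the search filter template, and the mapping of search_scope and alias_dereferencing onto the corresponding ldapsearch options. The settings values in it are constructed; the use of OpenLDAP's ldapsearch with an anonymous simple bind and the attribute name userCertificate;binary are assumptions, not something this page states. Because the recipient address is pasted into an LDAP filter, the script escapes it per RFC 4515 first, so an address containing filter metacharacters cannot change the meaning of the query.

```shell
#!/bin/sh
# Added example, not the gateway's own lookup script: shows how the settings
# drive a lookup (include/exclude regexes, #{email} substitution with RFC 4515
# escaping, ldapsearch options). All settings values below are constructed.
set -f   # no globbing: the regex lists are word-split and ".*" must not expand

ldap_uri="ldap://ldap.example.com:389"
ldap_base_dn="ou=People,dc=example,dc=com"
search_scope="sub"
alias_dereferencing="never"
search_filter_template="(&(objectclass=inetOrgPerson)(mail=#{email}))"
exclude_recipients_regex='.*@gmail\.com .*@outlook\.com'
include_recipients_regex=''
tok='#{email}'

# matches_any EMAIL LIST: succeeds if EMAIL matches, as a whole line, any of
# the space separated extended regexes in LIST (anchoring is this script's choice)
matches_any() {
    for re in $2; do
        if printf '%s\n' "$1" | grep -Eqx -- "$re"; then
            return 0
        fi
    done
    return 1
}

# should_lookup EMAIL: succeeds if the recipient is not excluded and, when an
# include list is set, matches it
should_lookup() {
    if [ -n "$exclude_recipients_regex" ] && matches_any "$1" "$exclude_recipients_regex"; then
        return 1
    fi
    if [ -n "$include_recipients_regex" ] && ! matches_any "$1" "$include_recipients_regex"; then
        return 1
    fi
    return 0
}

# escape_filter_value STRING: RFC 4515 escaping of the filter metacharacters a
# shell string can hold (NUL cannot); the backslash must be handled first
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# build_filter EMAIL: every #{email} token replaced by the escaped address,
# using parameter expansion so nothing in the address is reinterpreted
build_filter() {
    esc=$(escape_filter_value "$1")
    rest=$search_filter_template
    out=''
    while case $rest in *"$tok"*) true ;; *) false ;; esac; do
        pre=${rest%%"$tok"*}
        out="$out$pre$esc"
        rest=${rest#*"$tok"}
    done
    printf '%s\n' "$out$rest"
}

# lookup_certificate EMAIL: run the query with ldapsearch (assumed: anonymous
# simple bind, attribute userCertificate;binary) and print the Base64 value;
# LDIF folds long values, so continuation lines are joined back first
lookup_certificate() {
    should_lookup "$1" || return 0
    ldapsearch -LLL -x -H "$ldap_uri" -b "$ldap_base_dn" -s "$search_scope" \
        -a "$alias_dereferencing" "$(build_filter "$1")" 'userCertificate;binary' \
    | sed -e :a -e '$!N; s/\n //; ta' -e 'P; D' \
    | sed -n 's/^userCertificate;binary:: //p'
}

# usage: sh lookup-example.sh user@example.com
if [ $# -gt 0 ]; then
    lookup_certificate "$1"
fi
```

With the constructed settings, an address at gmail.com or outlook.com produces no output at all, which mirrors the gateway's behaviour of skipping excluded recipients; calling build_filter directly shows the exact filter string that would be sent, for example an address such as a*)(cn=* becomes (mail=a\2a\29\28cn=\2a) instead of closing the filter early.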
Test¶
Test whether the script can look up a certificate from the LDAP server:
echo "test@example.com" | /usr/share/djigzo/scripts/scripts.d/ldap-retrieve-certificates.sh
Note: Replace test@example.com with a valid email address for which there is a certificate on the LDAP server.
If the LDAP server contains a certificate for the email address, the script should return a Base64 encoded certificate.
Example:
MIIFvzCCBKegAwIBAgIQSeTtMHIdW8+....
If the LDAP server does not contain a certificate for the email address, nothing will be returned.
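The Base64 string the script prints is only useful if it is a certificate for the right recipient that chains to a root the gateway trusts (the note in the Finish section describes that condition). As an added check that is not part of the gateway, the shell functions below take that Base64 output and use OpenSSL to display the certificate, confirm that the recipient's address appears in it, and verify it against a PEM bundle of root and intermediate certificates; the bundle name ca-bundle.pem in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the gateway: inspect and verify the Base64 DER
# certificate returned by the lookup script. Requires OpenSSL and base64.
set -eu

# cert_summary B64: decode the lookup output and print subject, e-mail
# addresses and validity period
cert_summary() {
    printf '%s' "$1" | base64 -d | openssl x509 -inform DER -noout -subject -email -dates
}

# cert_has_email B64 EMAIL: succeeds if EMAIL is one of the certificate's
# e-mail addresses (subject emailAddress or subjectAltName), case-insensitively
cert_has_email() {
    printf '%s' "$1" | base64 -d | openssl x509 -inform DER -noout -email \
    | tr 'A-Z' 'a-z' | grep -qxF -- "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# cert_chains_to CAFILE B64: succeeds if the certificate verifies against the
# PEM bundle CAFILE (root plus intermediates), i.e. the gateway would trust it
cert_chains_to() {
    printf '%s' "$2" | base64 -d | openssl x509 -inform DER \
    | openssl verify -CAfile "$1" >/dev/null 2>&1
}

# usage: sh check-cert.sh user@example.com ca-bundle.pem < output-of-lookup.txt
# (ca-bundle.pem is a placeholder for the gateway's trusted root/intermediate bundle)
if [ $# -eq 2 ]; then
    b64=$(tr -d '\n' )
    cert_summary "$b64"
    cert_has_email "$b64" "$1" && echo "address $1 is in the certificate" || echo "address $1 NOT in certificate"
    cert_chains_to "$2" "$b64" && echo "chain verifies against $2" || echo "chain does NOT verify against $2"
fi
```

A certificate that fails either check is exactly the case the note about root and intermediate certificates warns of: the lookup succeeds, but the gateway will not use the result.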
Finish¶
Restart the back-end:
sudo service djigzo restart
Now when an email is sent to an external recipient, the gateway does an LDAP search for every recipient.
Check the back-end log file to see whether the back-end starts without any problems:
tail -f /var/log/djigzo.log
Note
Make sure the correct root and intermediate certificates are installed on the gateway; otherwise the certificates retrieved from LDAP will not be trusted and therefore not used.