LDAP certificate lookup

The gateway can be configured to look up S/MIME certificates from an external LDAP server if there is no valid certificate yet for a recipient.

Enabling LDAP certificate lookup requires some configuration from the command line.

Login to the gateway console with SSH.

Tip

Windows users can for example use the free PuTTY SSH client.

The following steps will configure the gateway to do a remote LDAP lookup for an S/MIME certificate.

Enable the required library:

sudo ln -s /usr/share/djigzo-cert-lookup/lib/djigzo-cert-lookup.jar /usr/share/djigzo/lib/lib.d/

Enable the service:

sudo ln -s /usr/share/djigzo-cert-lookup/conf/spring/djigzo-cert-lookup.xml /usr/share/djigzo/conf/spring/spring.d/

Add a fragment to the mail flow to look up an S/MIME certificate:

sudo ln -s /usr/share/djigzo-cert-lookup/conf/james/ldap-retrieve-certificates.xml /usr/share/djigzo/conf/james/SAR-INF/custom-processors.d/

Copy the default script to the directory from which scripts will be executed:

sudo cp /usr/share/djigzo-cert-lookup/scripts/ldap-retrieve-certificates.sh /usr/share/djigzo/scripts/scripts.d/

Edit the script to match your LDAP server (host, base DN, lookup etc.):

Note

At a minimum, the following variables should be changed to match your LDAP server: ldap_server and search_base

sudo vim /usr/share/djigzo/scripts/scripts.d/ldap-retrieve-certificates.sh

Test whether the script can look up a certificate from the LDAP server:

echo "test@example.com" | /usr/share/djigzo/scripts/scripts.d/ldap-retrieve-certificates.sh

Note: Replace test@example.com with a valid email address for which there is a certificate on the LDAP server.

If the LDAP server contains a certificate for the email address, the script should return a Base64 encoded certificate.

Example:

MIIFvzCCBKegAwIBAgIQSeTtMHIdW8+....

If the LDAP server does not contain a certificate for the email address, nothing will be returned.
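As an added illustration (not the script that ships with the gateway, whose contents this page does not show), a minimal lookup script with the same contract: one e-mail address on stdin, the Base64-encoded certificate on stdout, and no output when there is no match. ldap_server and search_base are the variable names named above; the other variables, the attribute names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: a minimal stand-in for an LDAP certificate lookup script.
# Reads one e-mail address from stdin and prints the Base64-encoded certificate
# found on the LDAP server, or nothing if there is none. ldap_server and
# search_base are the variable names the page says must be changed; the other
# variables and all function names are assumptions, not the project's script.
ldap_server="ldap://ldap.example.com"     # placeholder, change to your server
search_base="dc=example,dc=com"           # placeholder, change to your base DN
mail_attr="mail"                          # attribute holding the e-mail address
cert_attr="userCertificate;binary"        # attribute holding the DER certificate

# Escape the characters that have a special meaning in an LDAP search filter
# (RFC 4515), so a recipient address cannot alter the filter. Backslash first.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Pull the first value of a binary attribute out of LDIF on stdin. LDIF writes
# binary values as "attr:: <base64>" and folds long values onto continuation
# lines that start with a single space; those must be joined back together.
extract_cert_from_ldif() {
  awk -v attr="$1" '
    /^ / { if (want) { sub(/^ /, ""); val = val $0 }; next }   # folded line
    { if (want) exit }                                          # value complete
    index($0, attr "::") == 1 {                                 # start of value
      want = 1; val = substr($0, length(attr) + 3); sub(/^ +/, "", val)
    }
    END { if (want) print val }
  '
}

# Query the server and return only the certificate (empty output = not found).
lookup_certificate() {
  filter="(${mail_attr}=$(ldap_filter_escape "$1"))"
  ldapsearch -x -LLL -H "$ldap_server" -b "$search_base" "$filter" "$cert_attr" \
    | extract_cert_from_ldif "$cert_attr"
}

# Only perform the network lookup when invoked as "script lookup"; the functions
# above can then be exercised without an LDAP server.
case "${1:-}" in
  lookup) read -r email; lookup_certificate "$email" ;;
esac
```

To confirm that a returned value really is a certificate, decode it and inspect it, for example with `base64 -d | openssl x509 -inform DER -noout -subject -dates`.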

Restart the back-end:

sudo service djigzo restart

Now, when an email is sent to an external recipient, the gateway does an LDAP search for every recipient.

Check the back-end log file to see whether the back-end starts without any problems:

tail -f /var/log/djigzo.log

Note

Make sure the correct root and intermediate certificates are installed on the gateway; otherwise the certificates retrieved from LDAP will not be trusted and therefore not used.