LDAP certificate lookup

The gateway can be configured to look up S/MIME certificates from an external LDAP server if no valid certificate is available yet for a recipient.

Enabling LDAP certificate lookup requires some configuration from the command line.

Install

Log in to the gateway console with SSH.

Tip

Windows users can, for example, use the free PuTTY SSH client.

The following steps will configure the gateway to do a remote LDAP lookup for an S/MIME certificate.

Enable the required library:

sudo ln -s /usr/share/djigzo-cert-lookup/lib/djigzo-cert-lookup.jar /usr/share/djigzo/lib/lib.d/

Enable the service:

sudo ln -s /usr/share/djigzo-cert-lookup/conf/spring/djigzo-cert-lookup.xml /usr/share/djigzo/conf/spring/spring.d/

Add a fragment to the mail flow to look up an S/MIME certificate:

sudo ln -s /usr/share/djigzo-cert-lookup/conf/james/ldap-retrieve-certificates.xml /usr/share/djigzo/conf/james/SAR-INF/custom-processors.d/

Copy the default script to the directory from which scripts will be executed:

sudo cp /usr/share/djigzo-cert-lookup/scripts/ldap-retrieve-certificates.sh /usr/share/djigzo/scripts/scripts.d/

Configure

The settings for the lookup, such as the LDAP host, should be configured to match the company's LDAP server.

The default settings can be overridden in the defaults file /etc/default/cm-ldap-retrieve-certificates-settings:

sudo vi /etc/default/cm-ldap-retrieve-certificates-settings

The following settings can be set:

ldap_uri

This is the LDAP host to connect to. This parameter is required and should be set to the company's LDAP server.

The format should be [SCHEME]://[FQDN]:[PORT] where [SCHEME] should be ldap or ldaps.

Examples:

ldap://ldap.example.com:389
ldaps://10.0.0.2:389

ldap_base_dn

The DN of the LDAP tree where the search should start.

Example:

ou=People,dc=example,dc=com

search_scope

The search scope can be used to limit the search. Select base, one, sub, or children to specify a base-object, one-level, subtree, or children search respectively. The default is sub.

alias_dereferencing

Specifies how alias dereferencing is done. Should be one of never, always, search, or find. The default is never.

search_filter_template

The search filter used when searching for certificates. The template should contain the token #{email}, which will be replaced by the email address of the recipient. The default search filter template is (&(objectclass=inetOrgPerson)(mail=#{email})).

Example:

To search for email addresses on the LDAP server ldap://crtdir.certifikat.dk, use the following template: (&(|(objectclass=inetOrgPerson)(objectclass=RFC822MAILUSER))(mail=#{email}))

exclude_recipients_regex

If set, recipients that match will be excluded from the LDAP lookup. This should be a space-separated list of regular expressions matching the recipient's email address. If not set, no recipients will be excluded.

Examples:

.*@gmail\.com
.*@gmail\.com .*@outlook\.com

include_recipients_regex

If set, an LDAP lookup will only be done for a recipient if the recipient matches. This should be a space-separated list of regular expressions matching the recipient's email address. If not set, all recipients will be looked up.

Examples:

.*@example\.com
.*@example\.com .*@sub\.example\.com

Note

At a minimum, the following variables should be changed to match your LDAP server: ldap_uri and ldap_base_dn.

Example settings

Example settings file for looking up certificates on certifikat.dk while excluding gmail.com and outlook.com:

ldap_uri="ldap://crtdir.certifikat.dk"
ldap_base_dn="o=Ingen organisatorisk tilknytning, c=DK"
search_filter_template="(&(|(objectclass=inetOrgPerson)(objectclass=RFC822MAILUSER))(mail=#{email}))"
exclude_recipients_regex=".*@gmail\.com .*@outlook\.com"
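The following shell script is an added example, not the gateway's own ldap-retrieve-certificates.sh, showing how the settings above work together: the exclude and include pattern lists are applied to the recipient, the #{email} token is substituted into search_filter_template, and the resulting filter is handed to OpenLDAP's ldapsearch. It assumes that each pattern must match the whole address, that ldapsearch is the lookup tool, and that the certificate is stored in the userCertificate;binary attribute; none of this is stated on the page. It also escapes the characters that RFC 4515 reserves in filter values before substituting the address, so that an address containing ( ) * or \ cannot alter the structure of the filter.

```shell
#!/bin/sh
# Added example, not the gateway's ldap-retrieve-certificates.sh.
# Assumptions (not stated on the page): patterns must match the whole address,
# OpenLDAP's ldapsearch performs the query, and the certificate is stored in
# the userCertificate;binary attribute.

# Constructed settings, in the shape of /etc/default/cm-ldap-retrieve-certificates-settings.
ldap_uri="ldap://ldap.example.com:389"
ldap_base_dn="ou=People,dc=example,dc=com"
search_scope="sub"
alias_dereferencing="never"
search_filter_template='(&(objectclass=inetOrgPerson)(mail=#{email}))'
exclude_recipients_regex='.*@gmail\.com .*@outlook\.com'
include_recipients_regex=''

# Escape the characters RFC 4515 reserves in filter values (\ * ( )), so an
# address containing them cannot change the structure of the search filter.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Return 0 when ADDR matches one of the patterns in the space-separated LIST.
matches_any() {
    addr=$1
    list=$2
    for pat in $list; do
        if printf '%s\n' "$addr" | grep -Eqx -- "$pat"; then
            return 0
        fi
    done
    return 1
}

# Apply exclude_recipients_regex first, then include_recipients_regex.
should_lookup() {
    if [ -n "$exclude_recipients_regex" ] && matches_any "$1" "$exclude_recipients_regex"; then
        return 1
    fi
    if [ -n "$include_recipients_regex" ] && ! matches_any "$1" "$include_recipients_regex"; then
        return 1
    fi
    return 0
}

# Replace the first #{email} token in search_filter_template with the escaped address.
build_filter() {
    tok='#{email}'
    case $search_filter_template in
        *"$tok"*) ;;
        *) echo "search_filter_template does not contain #{email}" >&2; return 1 ;;
    esac
    escaped=$(ldap_filter_escape "$1")
    prefix=${search_filter_template%%"$tok"*}
    suffix=${search_filter_template#*"$tok"}
    printf '%s%s%s\n' "$prefix" "$escaped" "$suffix"
}

# Query the server and print the certificate as a single Base64 line, like the
# gateway script does, or nothing when the entry has no certificate.
lookup_certificate() {
    filter=$(build_filter "$1") || return 1
    ldapsearch -LLL -x -H "$ldap_uri" -b "$ldap_base_dn" -s "$search_scope" \
        -a "$alias_dereferencing" -o ldif-wrap=no "$filter" 'userCertificate;binary' |
        sed -n 's/^userCertificate;binary:: //p' | head -n 1
}

# Process the recipients given on the command line.
for rcpt in "$@"; do
    if should_lookup "$rcpt"; then
        lookup_certificate "$rcpt"
    else
        echo "skipping $rcpt: excluded by the recipient patterns" >&2
    fi
done
```

Run it as `sh lookup-example.sh alice@example.com bob@gmail.com`: only addresses that pass should_lookup are queried, and bob@gmail.com is skipped because of exclude_recipients_regex. Only the first #{email} occurrence is substituted, which is all the page's default template needs.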

Test

Test whether the script can look up a certificate from the LDAP server:

echo "test@example.com" | /usr/share/djigzo/scripts/scripts.d/ldap-retrieve-certificates.sh

Note: Replace test@example.com with a valid email address for which there is a certificate on the LDAP server.

If the LDAP server contains a certificate for the email address, the script should return a Base64-encoded certificate.

Example:

MIIFvzCCBKegAwIBAgIQSeTtMHIdW8+....

If the LDAP server does not contain a certificate for the email address, nothing will be returned.

Finish

Restart the back-end:

sudo service djigzo restart

Now, when an email is sent to an external recipient, the gateway does an LDAP search for every recipient.

Check the back-end log file to see whether the back-end starts without any problems:

tail -f /var/log/djigzo.log

Note

Make sure the correct root and intermediate certificates are installed on the gateway; otherwise the certificates retrieved from LDAP will not be trusted and therefore will not be used.
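As a companion to the test step above and to this note, the following is an added shell function (not part of the gateway) that takes the Base64 printed by ldap-retrieve-certificates.sh, decodes it, checks that it really is a DER certificate, prints its subject and expiry date, and uses openssl to verify that it chains to a CA bundle and is acceptable for S/MIME encryption. The bundle path is a placeholder: the page does not say where the gateway keeps its trusted root and intermediate certificates, so point it at the PEM bundle you want to check against.

```shell
#!/bin/sh
# Added example, not part of the gateway. Checks the output of
# ldap-retrieve-certificates.sh against a CA bundle of your choice.
# Assumption: CA_BUNDLE below is a placeholder; the gateway's own trust store
# location is not given on the page.
#
# Usage:
#   echo "test@example.com" | /usr/share/djigzo/scripts/scripts.d/ldap-retrieve-certificates.sh \
#       | verify_cert_output "$CA_BUNDLE"
#
# Reads Base64 from stdin. Returns 0 when the certificate chains to CA_FILE,
# 1 when nothing was returned, 2 when the data is not a DER certificate and
# 3 when openssl rejects the chain or the S/MIME encryption purpose.
verify_cert_output() {
    ca_file=$1
    b64=$(tr -d '\n\r ')    # the script prints one line; tolerate wrapped output
    if [ -z "$b64" ]; then
        echo "no certificate returned (no entry, or an entry without a certificate)" >&2
        return 1
    fi
    tmp=$(mktemp) || return 2
    # Decode and convert DER to PEM; both steps fail on anything that is not a certificate.
    if ! printf '%s' "$b64" | base64 -d > "$tmp.der" 2>/dev/null ||
       ! openssl x509 -inform DER -in "$tmp.der" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp" "$tmp.der"
        echo "output is not a Base64-encoded DER certificate" >&2
        return 2
    fi
    rm -f "$tmp.der"
    # Show who the certificate is for and when it expires.
    openssl x509 -in "$tmp" -noout -subject -enddate || true
    # Chain check with the S/MIME encryption purpose: keyUsage, if present,
    # must permit keyEncipherment, and every issuer must be in the bundle.
    if openssl verify -purpose smimeencrypt -CAfile "$ca_file" "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    echo "certificate does not chain to $ca_file; install the missing root or intermediate" >&2
    return 3
}
```

A return code of 3 is the situation the note describes: the lookup itself works, but the gateway will ignore the certificate until the issuing root and intermediate certificates are installed.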