RedHat/CentOS

The RPM packages have been tested on RedHat 8 and CentOS Stream.

Note

All commands should be executed as the root user.

SELinux

By default SELinux is enabled on RedHat/CentOS. SELinux prevents certain operations to be executed which are required by CipherMail. For example, a local listening port on port 10026 must be opened by Postfix (this port is used by CipherMail as the Postfix “reinjection” port). SELinux however, by default, does not allow this. Disabling SELinux is recommended if you are not familiar with SELinux.

SELinux can be disabled by editing the file /etc/sysconfig/selinux.

Set SELINUX=disabled and reboot the server.

Configure firewall

RedHat and CentOS by default blocks access to most ports. The firewall should therefore be configured to allow access to the ports used by CipherMail.

The following ports should be remotely accessible: SMTP (25) and 8443 1

1

see Port usage for a list of all used ports.

firewall-cmd --zone=public --add-port=25/tcp --permanent
firewall-cmd --zone=public --add-port=8443/tcp --permanent
firewall-cmd --reload

Tip

If the web GUI should be accessible on the standard https port (443) instead of 8443, add the following additional firewall rules

firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=8443 --permanent
firewall-cmd --reload

This will redirect all requests for port 443 to port 8443.

CipherMail packages

A full installation of CipherMail requires the CipherMail encryption back-end and the Web GUI front-end.

The following three packages are required:

  • djigzo

  • djigzo-web

  • ciphermail-core-os-rhel8

Configure back-end

Install back-end packages

dnf install djigzo-[0-9]*[0-9].noarch.rpm ciphermail-core-os-rhel8-[0-9]*[0-9].noarch.rpm

Enable the back-end service

systemctl enable ciphermail-gateway-backend

Configure database

Note

This guide assumes that CipherMail will be configured for PostgreSQL. See MySQL/MariaDB on how to configure the gateway for MySQL/MariaDB.

Install PostgreSQL

dnf install postgresql-server

Configure Postgres to auto start at boot

systemctl enable postgresql

PostgreSQL should be initialized and restarted.

postgresql-setup initdb

username/password authentication should be enabled by replacing ident with md5 for localhost:

sed -i -r "s/^(host\s+all\s+all\s+127.0.0.1\/32\s+)ident/\1 md5/g" /var/lib/pgsql/data/pg_hba.conf

Restart Postgres

systemctl restart postgresql

Create database user

Note

The database connection, like user, password and database name, is configured in the file /usr/share/djigzo/conf/database/hibernate.connection.xml. The default user, password and database name is set to djigzo. If you select different values, update the hibernate.connection.xml file.

sudo -u postgres createuser -P djigzo

Note

to use the default database password, select djigzo for the password.

Update the database connection config file /usr/share/djigzo/conf/database/hibernate.connection.xml to match the selected password.

Create database

sudo -u postgres createdb --owner djigzo djigzo

Import database definition

psql -h 127.0.0.1 djigzo djigzo < /usr/share/djigzo/conf/database/sql/djigzo.sql

Use the password which was selected with the createuser command.

Configure Postfix

Email is first received by Postfix (MTA). Postfix then sends the email to the encryption back-end using an after queue filter. This requires some changes to the Postfix configuration files. CipherMail installs a pre-configured Postfix main and master configuration file which should be copied to the postfix configuration directory.

Warning

The following commands will overwrite all settings in the original postfix config files. If existing Postfix settings should be kept, the required changes to Postfix should be manually applied.

Copy postfix configuration files.

cp -b /usr/share/djigzo/conf/system/postfix/main.rh.cf /etc/postfix/main.cf
cp -b /usr/share/djigzo/conf/system/postfix/master.rh.cf /etc/postfix/master.cf

Update aliases.

Postfix uses /etc/alias as the alias file. Make sure that the alias file is available and up-to-date.

newaliases

Restart Postfix.

systemctl restart postfix

The mail logs should be readable by user “djigzo”. We will therefore add a special maillog group.

Note

This can be skipped if you do not want the MTA log to be shown on the MTA page.

groupadd maillog
usermod -a -G maillog djigzo
chown root:maillog /var/log/maillog
chmod g+r /var/log/maillog

Configure Postfix to auto start at boot

systemctl enable postfix

Configure logrotate

By default mail logs are rotated with the date appended to the filename. CipherMail however expects the rotated log files to be appended with an increasing number.

A separate rotate rule for maillog should be added by modifying the defalut syslog config.

Note

This can be skipped if you do not want the MTA log to be shown on the MTA page.

vi /etc/logrotate.d/syslog

Remove the existing /var/log/maillog entry and then add the following entry:

/var/log/maillog
{
    nodateext
    compress
    create 640 root maillog
    delaycompress
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}

Configure rsyslog

RSyslog rate-limits log messages if there are too many log messages in a certain time frame. On a busy server, the default rate-limit is too low resulting dropped log messages.

Change the rate-limit

echo '$imjournalRatelimitInterval 60' > /etc/rsyslog.d/ratelimit.conf

Configure front-end

Install Web-GUI package

dnf install djigzo-web-[0-9]*[0-9].noarch.rpm

Install Servlet engine

Before we can install the servlet engine (tomcat), the pki-core module must be enabled

dnf module enable pki-core

Install the pki-servlet-engine package:

dnf install pki-servlet-engine

To support importing files containing large number of certificates or keys, Tomcat should be configured with at least 128 MB heap size.

echo 'JAVA_OPTS="-Djava.awt.headless=true -Xmx128M"' >> /etc/sysconfig/tomcat

To support uploading new TLS certificates for the Web GUI, Tomcat should be allowed to read and write the PKCS#12 file containing the TLS certificate and key.

chown tomcat:djigzo /usr/share/djigzo-web/ssl/sslCertificate.p12

An HTTPS connector should be added to the Tomcat server configuration. If Tomcat is only used by CipherMail, it’s advised to replace the existing Tomcat configuration file (/etc/tomcat/server.xml) with the configuration file provided by CipherMail.

Note

If you want to keep the existing server.xml file, you need to manually add the HTTPS Connector.

cp -b /usr/share/djigzo-web/conf/tomcat/server.xml /etc/tomcat/

Add the Web admin context

echo '<Context docBase="/usr/share/djigzo-web/djigzo.war" />' > /etc/tomcat/Catalina/localhost/ciphermail.xml

Add the portal context

echo '<Context docBase="/usr/share/djigzo-web/djigzo-portal.war" />' > /etc/tomcat/Catalina/localhost/web.xml

Tomcat should automatically start at boot:

systemctl enable tomcat

Finish

Restart the back-end and front-end services:

systemctl restart rsyslog
systemctl restart ciphermail-gateway-backend
systemctl restart tomcat

CipherMail should now be running (wait some time for Tomcat to startup). The login page can be accessed using the following URL:

https://192.168.178.2:8443/ciphermail 2

2

If redirection from 8443 to 443 is enabled or Apache or NGINX is used as a front-end proxy use the standard HTTPS port 443.

Change the IP address to the correct address.

Note

CipherMail comes with a pre-installed TLS certificate which is not by default trusted by your browser. You should therefore manually accept the TLS certificate the first time the page is opened.

Login with you system account.

CipherMail gateway by default uses PAM authentication. You can login with the root acount or any system account which is member of the wheel group or the sudo group.

Tip

Additional non-PAM login accounts can be added, or PAM authentication can be disabled, after logging into the Web GUI.

If CipherMail is not running, check the following log files for errors:

CipherMail log via journald:

journalctl -u ciphermail-gateway-backend

CipherMail log file:

less /var/log/ciphermail-gateway-backend.log

Tomcat log:

journalctl -u tomcat

Note

The login procedure can take some time after a restart because the Web GUI does some internal initialization after a restart.