SUSE

The .rpm packages have been tested on SUSE Linux Enterprise 12.

Note

All commands should be executed as the root user.

Configure firewall

If a local firewall is enabled, it should be configured to allow access to certain ports. The following ports should be remotely accessible: SMTP (25) and 8443 [1]

[1] See Port usage for a list of all used ports.

The firewall can be configured with yast.

yast

Configure logging

Because CipherMail reads the logs from /var/log it’s advised to install rsyslog.

Note

This can be skipped if you do not want the MTA log to be shown on the MTA page.

zypper install rsyslog

Note

If a warning Problem: systemd-logger conflicts with namespace:otherproviders(syslog)... is shown, select Solution 1: deinstallation of systemd-logger-...

After installing rsyslog, a reboot is required

reboot

Note

This guide assumes that CipherMail will be configured for PostgreSQL. If MySQL/MariaDB or Oracle Database should be used, all PostgreSQL related steps should be skipped.

Install required packages

Certain packages need to be installed before installing CipherMail.

zypper install sudo postfix ant postgresql-server \
java-1_8_0-openjdk-headless java-1_8_0-openjdk-devel

Note

If the required packages cannot be installed because of a conflict with postfix, select Solution 1: deinstallation of patterns-openSUSE-minimal_base-conflicts or manually remove the package patterns-openSUSE-minimal_base-conflicts before installing the required packages.

The CipherMail RPM packages are signed with a PGP key. To validate the signature of the packages, the PGP key https://www.ciphermail.com/downloads/ciphermail-signing-key.asc should be imported into RPM.

rpm --import https://www.ciphermail.com/downloads/ciphermail-signing-key.asc

The signature of the rpm packages can be validated using the following command:

rpm -K <file>
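As an added example (not part of the CipherMail documentation), the following POSIX shell script imports the signing key and then verifies each package file, treating a digest-only result (unsigned package), an unknown signing key or a bad signature as a failure so that the install can be aborted before zypper is run. The package filename patterns in the usage comment are assumed to match the downloaded files.

```shell
#!/bin/sh
# Added example, not CipherMail's own tooling: import the signing key and
# refuse to continue unless every package carries a valid PGP signature.

KEY_URL=https://www.ciphermail.com/downloads/ciphermail-signing-key.asc

# Return 0 only when an `rpm -K` result line reports a verified PGP signature.
# rpm >= 4.14 prints "<file>: digests signatures OK"; the older rpm on SLE 12
# prints e.g. "<file>: rsa sha1 (md5) pgp md5 OK". A bad signature contains
# "NOT OK", a package signed with a key that was not imported shows
# "MISSING KEYS", and an unsigned package lists digests only (no "pgp" or
# "signatures" token), which is rejected as well.
rpm_sig_line_ok() {
    case "$1" in
        *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;
        *" pgp "*" OK"|*" signatures OK") return 0 ;;
        *) return 1 ;;
    esac
}

# Verify each RPM given as an argument; prints one line per file and returns
# non-zero on the first file that fails, so a caller can abort the install.
verify_rpms() {
    rpm --import "$KEY_URL" || return 1
    # Before trusting the key, compare its fingerprint
    # (gpg --with-fingerprint ciphermail-signing-key.asc) with a value
    # obtained out of band; the download URL alone does not prove its origin.
    for f in "$@"; do
        if line=$(rpm -K "$f" 2>&1) && rpm_sig_line_ok "$line"; then
            echo "OK   $line"
        else
            echo "FAIL $line" >&2
            return 1
        fi
    done
}

# Runs only when package files are passed on the command line, e.g.:
#   sh verify-ciphermail-rpms.sh djigzo-*.SUSE.noarch.rpm \
#       djigzo-postgres-*.SUSE.noarch.rpm djigzo-web-*.noarch.rpm
if [ "$#" -gt 0 ]; then
    verify_rpms "$@"
fi
```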

Install CipherMail packages

A full installation of CipherMail requires the CipherMail encryption back-end and the Web GUI front-end.

The following three files are required:

  • djigzo-*.SUSE.noarch.rpm

  • djigzo-postgres-*.SUSE.noarch.rpm

  • djigzo-web-*.noarch.rpm

Install back-end packages

zypper install djigzo-[0-9]*[0-9].SUSE.noarch.rpm
zypper install djigzo-postgres-[0-9]*[0-9].SUSE.noarch.rpm

Install Web-GUI package

zypper install djigzo-web-[0-9]*[0-9].noarch.rpm

Configure Postfix

Email is first received by Postfix (MTA). Postfix then sends the email to the encryption back-end using an after-queue filter. This requires some changes to the Postfix configuration files. CipherMail installs pre-configured Postfix main and master configuration files, which should be copied to the Postfix configuration directory.

Warning

The following commands will overwrite all settings in the original postfix config files. If existing Postfix settings should be kept, the required changes to Postfix should be manually applied.

Copy postfix configuration files.

sudo cp /etc/postfix/djigzo-main.cf /etc/postfix/main.cf
sudo cp /etc/postfix/djigzo-master.cf /etc/postfix/master.cf

Update aliases.

Postfix uses /etc/alias as the alias file. Make sure that the alias file is available and up-to-date.

newaliases

Restart Postfix.

systemctl restart postfix.service

The mail logs should be readable by user “djigzo”. We will therefore add a special maillog group.

Note

This can be skipped if you do not want the MTA log to be shown on the MTA page.

groupadd maillog
usermod -a -G maillog djigzo
chown root:maillog /var/log/mail.info
chmod g+r /var/log/mail.info

Configure logrotate

By default mail logs are rotated with the date appended to the filename. CipherMail however expects the rotated log files to be appended with an increasing number.

A separate rotate rule for maillog should be added by modifying the default syslog config.

Note

This can be skipped if you do not want the MTA log to be shown on the MTA page.

vi /etc/logrotate.d/syslog

Remove the existing /var/log/mail.info entry and then add the following entry:

/var/log/mail.info
{
    compress
    delaycompress
    nodateext
    maxage 365
    rotate 99
    missingok
    notifempty
    size +4096k
    create 640 root maillog
    sharedscripts
    postrotate
        /usr/bin/systemctl reload syslog.service > /dev/null
    endscript
}

Install Tomcat

Install the required Tomcat package:

zypper install tomcat

The system property djigzo-web.home should reference the location where the CipherMail Web GUI is installed. The property will be added to the Tomcat default configuration file. To support importing files containing a large number of certificates or keys, Tomcat should be configured with at least 128 MB heap size.

echo "JAVA_OPTS=\"-Ddjigzo-web.home=/usr/share/djigzo-web \
-Ddjigzo.home=/usr/share/djigzo \
-Djava.awt.headless=true -Xmx128M\"" >> /etc/tomcat/tomcat.conf

To support uploading new TLS certificates for the Web GUI, Tomcat should be allowed to read and write the PKCS#12 file containing the TLS certificate and key.

chown tomcat:djigzo /usr/share/djigzo-web/ssl/sslCertificate.p12

An HTTPS connector should be added to the Tomcat server configuration. If Tomcat is only used by CipherMail, it’s advised to replace the existing Tomcat configuration file (/etc/tomcat/server.xml) with the configuration file provided by CipherMail.

Note

If you want to keep the existing server.xml file, you need to manually add the HTTPS Connector.

cp /usr/share/djigzo-web/conf/tomcat/server.xml /etc/tomcat/

Tip

Because of a bug in some versions of Tomcat (https://bz.apache.org/bugzilla/show_bug.cgi?id=60940), the setting unpackWARs in /etc/tomcat/server.xml should be changed from false to true.

sed -i 's/unpackWARs="false"/unpackWARs="true"/' /etc/tomcat/server.xml

A context should be added to Tomcat to enable the Web admin application.

echo "<Context docBase=\"/usr/share/djigzo-web/djigzo.war\" />" | \
tee /etc/tomcat/Catalina/localhost/ciphermail.xml

If the portal functionality is required, a dedicated portal context should be added to Tomcat.

echo "<Context docBase=\"/usr/share/djigzo-web/djigzo-portal.war\" />" | \
tee /etc/tomcat/Catalina/localhost/web.xml

Tomcat should automatically start at boot:

systemctl enable tomcat.service

Finish

Restart the back-end and front-end services:

systemctl restart djigzo.service
systemctl restart tomcat.service

CipherMail should now be running (wait some time for Tomcat to start up). The login page can be accessed using the following URL:

https://192.168.178.2:8443/ciphermail

Change the IP address to the correct address.

Note

CipherMail comes with a pre-installed TLS certificate which is not trusted by your browser by default. You should therefore manually accept the TLS certificate the first time the page is opened.

Use the following login credentials:

username: admin

password: admin

If CipherMail is not running, check the following log files for errors:

CipherMail log:

less /var/log/djigzo.log

Tomcat log:

journalctl -u tomcat.service

Note

The login procedure can take some time after a restart because the Web GUI performs some internal initialization on startup.