Ubuntu/Debian

The .deb packages have been tested on Ubuntu 20.04 and Debian 10.

Note

The CipherMail gateway requires the sudo command. On Debian, sudo is not automatically installed.

Install required packages

sudo apt-get install ant ant-optional gpg gzip libsasl2-modules mawk openjdk-11-jre openjdk-11-jre-headless postfix sudo symlinks tar

Note

During the installation of Postfix, select “No Configuration”.

Install CipherMail packages

A full installation of CipherMail requires the CipherMail encryption back-end and the Web GUI front-end.

The following three packages are required:

  • djigzo

  • djigzo-web

  • ciphermail-core-os-debian

Configure back-end

Install back-end packages

sudo dpkg -i djigzo_[0-9]*[0-9]_all.deb ciphermail-core-os-debian_[0-9]*[0-9]_all.deb

Enable the back-end service

sudo systemctl enable ciphermail-gateway-backend

Configure database

Note

This guide assumes that CipherMail will be configured for PostgreSQL. See MySQL/MariaDB on how to configure the gateway for MySQL/MariaDB.

Install PostgreSQL

sudo apt install postgresql

Create database user

Note

The database connection, like user, password and database name, is configured in the file /usr/share/djigzo/conf/database/hibernate.connection.xml. The default user, password and database name is set to djigzo. If you select different values, update the hibernate.connection.xml file.

sudo -u postgres createuser -P djigzo

Note

to use the default database password, select djigzo for the password.

Update the database connection config file /usr/share/djigzo/conf/database/hibernate.connection.xml to match the selected password.

Create database

sudo -u postgres createdb --owner djigzo djigzo

Import database definition

psql -h 127.0.0.1 djigzo djigzo < /usr/share/djigzo/conf/database/sql/djigzo.sql

Use the password which was selected with the createuser command.

Configure Postfix

Email is first received by Postfix (MTA). Postfix then sends the email to the encryption back-end using an after queue filter. This requires some changes to the Postfix configuration files. CipherMail installs a pre-configured Postfix main and master configuration file which should be copied to the postfix configuration directory.

Warning

The following commands will overwrite all settings in the original postfix config files. If existing Postfix settings should be kept, the required changes to Postfix should be manually applied.

Copy postfix configuration files.

sudo cp -b /usr/share/djigzo/conf/system/postfix/main.deb.cf /etc/postfix/main.cf
sudo cp -b /usr/share/djigzo/conf/system/postfix/master.deb.cf /etc/postfix/master.cf

Update aliases.

Postfix uses /etc/alias as the alias file. Make sure that the alias file is available and up-to-date.

sudo newaliases

Restart Postfix.

sudo systemctl restart postfix

Configure front-end

Install Web-GUI package

sudo dpkg -i djigzo-web_[0-9]*[0-9]_all.deb

Install Tomcat

Install the required Tomcat package:

sudo apt install tomcat9

If an older release of Tomcat is used, change the commands below to match the tomcat version.

To support importing files containing large number of certificates or keys, Tomcat should be configured with at least 128 MB heap size.

echo 'JAVA_OPTS="-Djava.awt.headless=true -Xmx128M"' | sudo tee -a /etc/default/tomcat9

To support uploading new TLS certificates for the Web GUI, Tomcat should be allowed to read and write the PKCS#12 file containing the TLS certificate and key.

sudo chown tomcat:djigzo /usr/share/djigzo-web/ssl/sslCertificate.p12

An HTTPS connector should be added to the Tomcat server configuration. If Tomcat is only used by CipherMail, it’s advised to replace the existing Tomcat configuration file (/etc/tomcat9/server.xml) with the configuration file provided by CipherMail.

Note

If you want to keep the existing server.xml file, you need to manually add the HTTPS Connector.

sudo cp -b /usr/share/djigzo-web/conf/tomcat/server.xml /etc/tomcat9/

Add the Web admin context

echo '<Context docBase="/usr/share/djigzo-web/djigzo.war" />' | \
sudo tee /etc/tomcat9/Catalina/localhost/ciphermail.xml

Add the portal context

echo '<Context docBase="/usr/share/djigzo-web/djigzo-portal.war" />' | \
sudo tee /etc/tomcat9/Catalina/localhost/web.xml

By default Tomcat is only allowed to write to certain directories. To allow uploading a new TLS certificate from the CipherMail Web GUI, the directory where the TLS certificate is stored should be added to the list of allowed directories.

Copy the Tomcat systemd unit file so it can be modified.

sudo cp /lib/systemd/system/tomcat9.service /etc/systemd/system

Under # Security, add the following line to the file /etc/systemd/system/tomcat9.service to allow writing the directory where the TLS certificate is stored:

ReadWritePaths=/usr/share/djigzo-web/ssl/

Reload the the unit files

sudo systemctl daemon-reload

Finish

Restart the back-end and front-end services:

sudo systemctl restart rsyslog
sudo systemctl restart ciphermail-gateway-backend
sudo systemctl restart tomcat9

CipherMail should now be running (wait some time for Tomcat to startup). The login page can be accessed using the following URL:

https://192.168.178.2:8443/ciphermail

Change the IP address to the correct address.

Note

CipherMail comes with a pre-installed TLS certificate which is not by default trusted by your browser. You should therefore manually accept the TLS certificate the first time the page is opened.

Login with you system account.

CipherMail gateway by default uses PAM authentication. You can login with the root acount or any system account which is member of the wheel group or the sudo group.

Tip

Additional non-PAM login accounts can be added, or PAM authentication can be disabled, after logging into the Web GUI.

If CipherMail is not running, check the following log files for errors:

CipherMail log via journald:

sudo journalctl -u ciphermail-gateway-backend

CipherMail log file:

sudo less /var/log/ciphermail-gateway-backend.log

Tomcat log:

sudo journalctl -u tomcat9

Note

The login procedure can take some time after a restart because the Web GUI does some internal initialization after a restart.