Ubuntu/Debian
The .deb packages have been tested on Ubuntu 20.04 and Debian 10.
Note
The CipherMail gateway requires the sudo command. On Debian, sudo is not automatically installed.
Install required packages
sudo apt-get install postgresql postfix openjdk-11-jre openjdk-11-jre-headless \
ant ant-optional libsasl2-modules symlinks
Note
During the installation of Postfix, select “No Configuration”.
Install CipherMail packages
A full installation of CipherMail requires the CipherMail encryption back-end and the Web GUI front-end.
Note
This guide assumes that CipherMail will be configured for PostgreSQL. If MySQL/MariaDB or Oracle Database should be used, all PostgreSQL related steps should be skipped.
The following three files are required:
djigzo_*_all.deb
djigzo-postgres_*_all.deb
djigzo-web_*_all.deb
Install back-end packages.
sudo dpkg -i djigzo_[0-9]*[0-9]_all.deb
sudo dpkg -i djigzo-postgres_[0-9]*[0-9]_all.deb
Restart back-end.
sudo service djigzo restart
Install Web-GUI package.
sudo dpkg -i djigzo-web_[0-9]*[0-9]_all.deb
Configure Postfix
Email is first received by Postfix (the MTA). Postfix then sends the email to the encryption back-end using an after-queue filter. This requires some changes to the Postfix configuration files. CipherMail installs pre-configured Postfix main and master configuration files, which should be copied to the Postfix configuration directory.
Warning
The following commands will overwrite all settings in the original Postfix configuration files. If existing Postfix settings should be kept, the required changes to Postfix should be applied manually.
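To see which existing settings the overwrite would affect, the following added example (not part of the CipherMail documentation) lists the main.cf parameters that the replacement file drops or changes. The function names are this example's own, it covers main.cf only (not master.cf), and the demo files are constructed samples.

```shell
#!/bin/sh
# Added example: list main.cf settings that copying djigzo-main.cf over
# main.cf would drop or change. Function names are this example's own.

# normalize_cf FILE: one "name=value" line per parameter. Comment and blank
# lines are skipped; lines starting with whitespace continue the previous one.
normalize_cf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); cur = cur " " $0; next }
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }
    ' "$1" | sed -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]]*$//'
}

# cf_changes CURRENT NEW: print "dropped: name" or "changed: name" for each
# parameter set in CURRENT that NEW omits or sets to a different value.
cf_changes() {
    cur_n=$(mktemp) && new_n=$(mktemp) || return 1
    normalize_cf "$1" > "$cur_n"
    normalize_cf "$2" > "$new_n"
    awk '
        { name = $0; sub(/=.*/, "", name); val = $0; sub(/^[^=]*=/, "", val) }
        FILENAME == ARGV[1] { newval[name] = val; next }
        !(name in newval)   { print "dropped: " name; next }
        newval[name] != val { print "changed: " name }
    ' "$new_n" "$cur_n"
    rm -f "$cur_n" "$new_n"
}

# Demo on constructed files standing in for /etc/postfix/main.cf and
# /etc/postfix/djigzo-main.cf (sample values are made up for illustration).
demo_cf_changes() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# existing config' 'myhostname = mx.example.com' \
        'mynetworks = 127.0.0.0/8,' '    10.0.0.0/24' \
        'smtpd_tls_security_level = may' > "$d/main.cf"
    printf '%s\n' 'myhostname = localhost' \
        'mynetworks = 127.0.0.0/8, 10.0.0.0/24' > "$d/djigzo-main.cf"
    cf_changes "$d/main.cf" "$d/djigzo-main.cf"
    rm -rf "$d"
}
demo_cf_changes
```

On the gateway, run `cf_changes /etc/postfix/main.cf /etc/postfix/djigzo-main.cf` before the copy and keep a backup of the original files.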
Copy Postfix configuration files.
sudo cp /etc/postfix/djigzo-main.cf /etc/postfix/main.cf
sudo cp /etc/postfix/djigzo-master.cf /etc/postfix/master.cf
Update aliases.
Postfix uses /etc/alias as the alias file. Make sure that the alias file is available and up to date.
sudo newaliases
Restart Postfix.
sudo service postfix restart
Install Tomcat
Install the required Tomcat package:
sudo apt-get install tomcat9
If an older release of Tomcat is used, change the commands below to match the Tomcat version.
The system property djigzo-web.home should reference the location where CipherMail Web GUI is installed. The property will be added to the Tomcat default configuration file.
echo "JAVA_OPTS=\"\$JAVA_OPTS \
-Ddjigzo-web.home=/usr/share/djigzo-web \
-Ddjigzo.home=/usr/share/djigzo\"" | \
sudo tee -a /etc/default/tomcat9
To support importing files containing a large number of certificates or keys, Tomcat should be configured with at least 128 MB heap size.
echo "JAVA_OPTS=\"\$JAVA_OPTS -Djava.awt.headless=true -Xmx128M\"" | \
sudo tee -a /etc/default/tomcat9
To support uploading new TLS certificates for the Web GUI, Tomcat should be allowed to read and write the PKCS#12 file containing the TLS certificate and key.
sudo chown tomcat:djigzo /usr/share/djigzo-web/ssl/sslCertificate.p12
An HTTPS connector should be added to the Tomcat server configuration. If Tomcat is only used by CipherMail, it’s advised to replace the existing Tomcat configuration file (/etc/tomcat9/server.xml) with the configuration file provided by CipherMail.
Note
If you want to keep the existing server.xml file, you need to manually add the HTTPS Connector.
sudo cp /usr/share/djigzo-web/conf/tomcat/server.xml /etc/tomcat9/
Tip
Because of a bug in some versions of Tomcat (https://bz.apache.org/bugzilla/show_bug.cgi?id=60940), the setting unpackWARs in /etc/tomcat/server.xml should be changed from false to true.
sudo sed -i 's/unpackWARs="false"/unpackWARs="true"/' /etc/tomcat9/server.xml
A context should be added to Tomcat to enable the Web admin application.
echo "<Context docBase=\"/usr/share/djigzo-web/djigzo.war\" />" | \
sudo tee /etc/tomcat9/Catalina/localhost/ciphermail.xml
If the portal functionality is required, a dedicated portal context should be added to Tomcat.
echo "<Context docBase=\"/usr/share/djigzo-web/djigzo-portal.war\" />" | \
sudo tee /etc/tomcat9/Catalina/localhost/web.xml
By default Tomcat is only allowed to write to certain directories. To allow uploading a new TLS certificate from the CipherMail Web GUI, the directory where the TLS certificate is stored should be added to the list of allowed directories.
Copy the Tomcat systemd unit file so it can be modified.
sudo cp /lib/systemd/system/tomcat9.service /etc/systemd/system
Under # Security, add the following line to the file /etc/systemd/system/tomcat9.service to allow writing to the directory where the TLS certificate is stored:
ReadWritePaths=/usr/share/djigzo-web/ssl/
Reload the unit files.
sudo systemctl daemon-reload
Tomcat should be restarted to make it use the new Tomcat configuration.
sudo service tomcat9 restart
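The manual unit-file edit described above, scripted so that it can be re-run without adding the line twice. This is an added example, not part of the CipherMail documentation; add_rw_path is a hypothetical helper and the demo unit file is a constructed sample.

```shell
#!/bin/sh
# Added example: idempotent version of the manual unit-file edit.
# add_rw_path is this example's own helper, not a CipherMail tool.

# add_rw_path UNIT_FILE DIR
# Inserts "ReadWritePaths=DIR" directly under the "# Security" comment.
# Returns 0 if the line is present afterwards, 1 if the marker is missing.
add_rw_path() {
    unit=$1
    line="ReadWritePaths=$2"
    # Already present: leave the file untouched so re-runs are harmless.
    if grep -qxF -- "$line" "$unit"; then
        return 0
    fi
    # Refuse to guess a location when the "# Security" marker is absent.
    if ! grep -qx '# Security' "$unit"; then
        echo "no '# Security' line in $unit" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v line="$line" '
        { print }
        /^# Security$/ && !done { print line; done = 1 }
    ' "$unit" > "$tmp" && cat "$tmp" > "$unit"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed unit file standing in for the copy in
# /etc/systemd/system/tomcat9.service (contents are sample values).
demo_add_rw_path() {
    f=$(mktemp) || return 1
    printf '%s\n' '[Service]' 'Type=simple' '# Security' 'User=tomcat' \
        'ProtectSystem=strict' > "$f"
    add_rw_path "$f" /usr/share/djigzo-web/ssl/
    add_rw_path "$f" /usr/share/djigzo-web/ssl/   # second run changes nothing
    cat "$f"
    rm -f "$f"
}
demo_add_rw_path
```

On the gateway the function is run as root against /etc/systemd/system/tomcat9.service, followed by the daemon-reload and restart commands above.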
Finish
CipherMail should now be running (wait some time for Tomcat to start up). The login page can be accessed using the following URL:
https://192.168.178.2:8443/ciphermail
Change the IP address to the correct address.
Note
CipherMail comes with a pre-installed TLS certificate that is not trusted by your browser by default. You should therefore manually accept the TLS certificate the first time the page is opened.
Use the following login credentials:
username: admin
password: admin
If CipherMail is not running, check the following log files for errors:
CipherMail log:
less /var/log/djigzo.log
Tomcat log:
journalctl -u tomcat9.service
Note
The login procedure can take some time after a restart because the Web GUI does some internal initialization after a restart.