Logins

 

Access to the MailArchiva web console and its features can be restricted to authorized users only. The following types of authentication mechanisms are supported:

 

 

In all modes, if authentication is successful, a role is assigned to the authenticated user. The user’s role determines what the user can and cannot do within the application. A user’s role can also restrict which emails the user can see. For instance, users assigned the User role can be assigned permission to see their own emails only. Refer to Roles for further details on how to define role permissions in MailArchiva.

 

Master Password


Before selecting an authentication method, it is prudent to specify the master password in the Logins section. The master password is essentially the “root” password for the system. It serves as a convenient back door in the event the system is unable to authenticate with Active Directory or LDAP servers. To login as the master user, use the username “admin” and your chosen master password. The master user has access to all the privileges in the system.

Note: If you forget the master password, edit the file server.conf located in:
 
 /etc/opt/mailarchiva/ROOT/WEB-INF/conf (Linux)
C:ProgramDataMailArchivaROOTconf (Windows)

Remove the security.login.master.password and security.login.master.username fields.


Basic Authentication


In the Basic Authentication mode, the server authenticates users from credentials stored in an XML configuration file. The users.conf configuration file is located in mailarchivaserver webappsMailArchivaWEB-INFconf from the root of your MailArchiva installation directory. You can either add users directly using the MailArchiva server console configuration screen or by editing the server.conf directly. The users.conf file, as illustrated below, contains a list of users, each of which has a username, role and a password. The users listed in users.conf will login using their username and any of the domains in the Domains section appended to it.

 

Once a user is authenticated, the user will be assigned the specified role.

The users.conf file contains the following:

 

<Users version="1.0">
<User username="admin" role="administrator" password="123"/>
<User username="user" role="user" password="abc"/>
<User username="auditor" role="auditor" password="xyz"/>
</Users>

When Basic authentication mode is enabled, users are able to change their own passwords in the Preferences section.
 
 
 
Note On Aliases

In the case of Basic Authentication, the use of email aliases is not currently supported (only LDAP & AD authentication). 

That being said, the following workaround is possible:
1) Enter markw and specify radeon.com,radeon.co.ukradeon.us in the Domains section. This will show all emails corresponding with markw across all domains.
2) Create a role for each user and specify the alternate email addresses in the view filter. e.g. anyaddress:(%email% OR  markweston)
 

 

Active Directory Authentication

 

Note: Starting with MailArchiva V10, Kerberos is now used in place of NTLM v2 for Active Directory authentication.
 
In Active Directory (AD) authentication mode, the server uses Kerberos and LDAP protocols to authenticate users residing in Active Directory. The login procedure is a five-step process:
 
  1.     MailArchiva validates the login credentials against Active Directory using Kerberos.
  2.     MailArchiva searches for the login user in Active Directory using the login name.
  3.     MailArchiva retrieves the user’s LDAP attributes (including email addresses).
  4.     MailArchiva assigns a role to the user based on the defined role assignments.
  5.     MailArchiva extracts the user’s email addresses from the mail LDAP attribute for use in search filtering.
Field Description Example
FQDN of this server Fully qualified domain name of the MailArchiva server mailarchiva.contoso.com
Base DN  Distinguished name of the base location in AD where users are located CN=Users, DC=contoso, DC=com
Default realm Kerberos realm name (all caps) (usually the AD domain in uppercase) CONTOSO.COM
Service account login User principal name of the service account mailarchiva@contoso.com
Service account password Password of the service account ********
Active directory server address FQDN of Active Directory server contoso.com
Mail Attribute The mail attribute where the user’s email addresses are obtained proxyAddresses
Email Value Regular expression used to extract email addresses SMTP:(.*)
Primary Mail Attribute The mail attribute where the user’s primary email address must be obtained mail
Primary Email Value Regular expression used to extract the primary email address (.*)
Bind Attribute Attribute used to search for the user in LDAP sAMAccountName
UPN Attribute The User Principal Name (UPN) attribute userPrincipalName
UPN Value Regular expression used to extract the UPN value (.*)
 
Gotcha's
 

1. Create a Service Account

 

Kerberos authentication requires that a service account is created in Active Directory. This account will be used by MailArchiva to query LDAP and authenticate users.

 
2. Configure MailArchiva
 

3. Assign Roles

 

During console authentication, after a user is identified, MailArchiva retrieves the user’s LDAP attributes from Active Directory and evaluates them against each configured role assignment. If an attribute’s value matches the assignment’s match criterion, the role is granted.

 

  1. Open Configuration → Logins → New Role Assignment.

  2. Select a role.

  3. Choose an LDAP attribute.

  4. Enter a match criterion (exact string or regular expression).

  5. Use Lookup to fetch a sample user’s attributes and values to assist with choosing the correct pair.

  6. Save and perform a Test Login.

 

Role assignment example Attribute Value Notes
Assign a role to a single user userPrincipalName jdoe@company.local Use when you know the user’s UPN.
Assign a role to a security group memberOf CN=MailArchiva Admins,OU=Groups,DC=company,DC=local Use the full distinguished name of the AD group.
Assign to all normal AD users objectClass user Grants role to entries with objectClass=user.
Assign by DN path distinguishedName .*OU=Engineering,DC=company,DC=local Use a regex to target a subtree (for example, everyone in Engineering).

 

4. Test Login
 

 

For multiple domains, configure MailArchiva to connect to the Global Catalog server on port 3268 and leave Base DN empty.
 
Extra Notes

 

In addition to the AD properties editable in the GUI, additional advanced LDAP properties can be set directly by editing the MailArchiva server.conf file using a text editor such as Wordpad or Vi. 
 
Field Description Server.conf Example
Alternate Email Address Secondary location where the user's emails can be found. MailArchiva will retrieve the user's email addresses from both the mail attribute and the alternate email address.

authentication.alternateemailaddress.attribute=emai

Alternate Email Address Value The regular expression pattern used to extract the email address. If you wish to take as is, use (.*). If you email addresses are in the format SMTP:joe@blog.com, then you will specify SMTP:(.*). Note position of brackets.

authentication.alternateemailaddress.value=(.*)

 

 

Experiencing AD authentication problems? Refer to Unable to Authenticate.

 

Active Directory Single Sign-On (SSO) (Kerberos)

 

Overview
 

Single Sign-On (SSO) allows a user to authenticate once within an Active Directory domain and access MailArchiva without re-entering credentials.
 

Benefits include:

 

1. Understanding the Service Account

 

A service account is a dedicated Active Directory account used by MailArchiva to perform domain authentication.
 

Key characteristics:


2. Environment Preparation

 

Before configuring Kerberos SSO, ensure the following requirements are met:
 

Requirement Description
Windows Server Windows Server 2008 or later
Active Directory Installed and properly configured
Client Devices Windows clients must be joined to the domain
Time Synchronization Client and server clocks must be synchronized

 

Note: Kerberos authentication is highly sensitive to time differences between systems.

3. Create a Service Account in Active Directory

 

There is no need to create a new 

 

Option A: Using Active Directory Users and Computers (ADUC)

 

Skip this step if already don

 

  1. Open Active Directory Users and Computers.

  2. Navigate to the Users container or your preferred Organizational Unit (OU).

  3. Right-click and select New > User.

  4. Enter the following information:

Field Value
Full Name SVC Kerberos AR
User Logon Name svc-kerberos-ar
 
  1. Set a password.

  2. Clear User must change password at next logon.

  3. Open the Account tab.

  4. Enable This account supports Kerberos AES 256-bit encryption.

Option B: Using PowerShell

 

New-ADUser -Name "svc-kerberos-ar" `
  -SamAccountName "svc-kerberos-ar" `
  -AccountPassword (ConvertTo-SecureString "StrongPassword123!" -AsPlainText -Force) `
  -Enabled $true
 
Enable AES-256 support:

 

Set-ADUser svc-kerberos-ar ` -Add @{msDS-SupportedEncryptionTypes=24}


4. Create and Verify the Service Principal Name (SPN)

 

An SPN uniquely identifies the MailArchiva service within Kerberos.

 

Verify an Existing SPN

 

setspn -Q HTTP/ar.yourealm.com@YOU_REALM

 

Create an SPN

 

setspn -A HTTP/ar.yourealm.com YOU_REALMsvc-kerberos-ar

 

Parameters

 

Parameter Description
ar.yourealm.com Fully qualified domain name (FQDN) of the MailArchiva server
HTTP/ar.yourealm.com Kerberos principal used by MailArchiva
YOU_REALM Active Directory realm

 

Important:


5. Generate the Keytab File

 

Generate a keytab file for the service account.

 

ktpass /princ HTTP/ar.yourealm.com@YOU_REALM ^
       /mapuser svc-kerberos-ar@YOU_REALM ^
       /ptype KRB5_NT_PRINCIPAL ^
       /crypto AES256-SHA1 ^
       /pass StrongPassword123! ^
       /out C:tempkrb5_service.keytab
 
Deploy the Keytab File

 

Copy the generated krb5_service.keytab file to the appropriate location.

 

Platform Location
Linux /etc/opt/mailarchiva/ROOT/krb5_service.keytab
Windows C:ProgramDataMailAchivaROOTconfkrb5_service.keytab

 

Important

 

When the service account password changes:
 

  1. The Key Version Number (KVNO) changes.

  2. The existing keytab becomes invalid.

  3. A new keytab must be generated and deployed to Archiva.

Reset the Service Account Password (Optional)

 

Set-ADAccountPassword svc-kerberos-ar `
  -Reset `
  -NewPassword (Read-Host -AsSecureString)

6. Verify Keytab Contents
 

Verify the generated keytab file.
 

ktutil -k /path/to/krb5_service.keytab list


Expected output:
 

Vno  Type                     Principal
  3  aes256-cts-hmac-sha1-96  HTTP/ar.yourealm.com@YOU_REALM

 

Field Descriptions

 

Field Description
Vno Key Version Number (KVNO)
Type Encryption type (AES256)
Principal SPN associated with the key

 

Note:

Windows systems require Kerberos utilities to be installed before running these commands.


7. Test Authentication Using the Keytab
 

Acquire a Kerberos ticket:
 

kinit -k -t /path/to/krb5_service.keytab HTTP/ar.yourealm.com@YOU_REALM


View the ticket details:
 

klist -v


Verify:


8. Configure Client Browsers
 
Internet Explorer and Microsoft Edge
 
  1. Open Control Panel > Internet Options.

  2. Add the Archiva URL to Trusted Sites.

  3. If using HTTP, ensure HTTPS-only requirements are not enforced.

  4. Configure the security settings for the Trusted Sites zone appropriately.


Microsoft Edge Settings
 
  1. Open Settings.

  2. Navigate to Privacy, Search, and Services.

  3. Enable Windows Authentication.

  4. Restart the browser.

 

Verification
 

From a domain-joined workstation:

  1. Open MailArchiva

  2. Confirm that no password prompt appears.

  3. Verify successful login.

For troubleshooting, use:


9. Configure Tomcat for SSO (Optional)
 

When upgrading from versions earlier than 10, Tomcat must be configured to support larger Kerberos authentication headers.
 

Step 1: Stop the Archiva Service


Stop the MailArchiva service before making configuration changes.
 

Step 2: Edit server.xml

 

Platform Location
Linux /var/opt/mailarchiva/tomcat/server.xml
Windows C:ProgramDataMailArchivatomcatconfserver.xml

Step 3: Increase Header Size

 

Locate each <Connector> definition in Tomcat's server.xml and ensure the following attribute is present:

 

maxHttpHeaderSize="65536"

 

Step 4: Restart MailArchiva


Start the MailArchiva service after saving the configuration changes.


Summary

 

Component

Purpose
Service Account Identifies MailArchiva within Active Directory
SPN Associates Kerberos authentication with the Archiva service
Keytab Stores the Kerberos secret key used for authentication
KVNO Must match the current version stored in Active Directory

 

Remember:

 

LDAP Authentication

 

When LDAP authentication is enabled, MailArchiva authenticates to a directory service such as OpenLDAP using pure password-based credentials.

The following process occurs during LDAP console login:

Since directory structures tend to be unique across different organizations, care must be taken to ensure that the base DN, service account login DN, bind attribute and email attribute is correct for the target directory. For example, some companies use “mail” as the location where user email addresses are stored, while others use “email”.To determine the structure of a directory, it may be useful to connect to it using the Linux command line utility ldapsearch or one of the many LDAP browsers available. Once the correct LDAP settings have been entered, it is necessary to create one or more role assignments for the purpose of assigning MailArchiva roles to the users residing in the directory.

 

Field
Description Example
LDAP Server Address Fully qualified domain name of LDAP server openldap.company.com:389
Base DN The distinguished name of the location in AD where MailArchiva should start searching for end-user entries. Cn=Users, dc=Company, dc=Com
Service Account Login DN The distinguished name of an admin user in LDAP
cn=Administrator,cn=Users,
dc=company, dc=com
Service Account Password The service account password  
Mail Attribute The mail attribute where the user’s email addresses are obtained mail mail
Mail Value The regular expression used to extract the user’s email address from the mail attribute (.*)
Bind Attribute The field in LDAP that contains the username or login name of the user. uid
 
Note: Should your LDAP be configured for anonymous LDAP bind, empty out the Service Account Login and Service Account Password fields.
 
In addition to the above properties, additional advanced LDAP properties can be set directly by editing the MailArchiva server.conf file using a text editor such as Wordpad or Vi. 
 
Field Description Server.conf Example
Alternate Email Address Secondary location where the user's emails can be found. MailArchiva will retrieve the user's email addresses from both the mail attribute and the alternate email address.

ldap3.alternateemailaddress.attribute=emai

Alternate Email Address Value The regular expression pattern used to extract the email address. If you wish to take as is, use (.*). If you email addresses are in the format SMTP:joe@blog.com, then you would specify SMTP:(.*). Note position of brackets.

ldap3.alternateemailaddress.value=(.*)

 
Experiencing LDAP authentication problems? Refer to Unable to Authenticate.
 

 

Microsoft Azure Authentication (Office 365)TFhPsQbeU+oAAAAASUVORK5CYII=

 

MailArchiva has the capability to securely authenticate users residing in Office 365 (using the OpenID Connect (OIDC) protocol built on OAuth 2.0). To enable login using Office 365 credentials, choose Azure as the console login method in Configuration->Logins. Using this login method, there is no need to define individual users in MailArchiva, since users are authenticated against user credentials residing in Microsoft Azure Active Directory (i.e. Office 365).

 

During Microsoft Azure login, users are redirected to Microsoft Office 365 for authentication, and then after successful login, redirected back to MailArchiva, and a logon session established. As user credentials are inputted into the common Microsoft login website, at no point in the process does MailArchiva have the opportunity to intercept the user's Office 365 credentials. As an added advantage,  MailArchiva built-in roles (e.g. administrator, audit, user) and custom roles, can be assigned according to the user groups (e.g. Administrators) and attributes (e.g. userPrincipalName) defined in Microsoft Azure Active Directory.

 

For example, in the Azure console login settings in Configuration->Logins, a role mapping can be defined that maps the MailArchiva administrator role to all users belonging to the Microsoft Office 365 Administrator Group. The mapping has the effect that Office 365 users belonging to the Office 365 Administrator Group are automatically assigned the MailArchiva Administrator role during login to MailArchiva. Thus, there is no need to create a separate role mapping for each individual user. Rather, the role mapping can be done at a group level.

 

 

When a MailArchiva Cloud instance is first setup, authentication to Microsoft Office 365 is preconfigured and automatically enabled. By default, the Office 365 user who created the MailArchiva instance, is automatically assigned the Administrator role in MailArchiva. Additional role assignments can be defined as per the following:

 

  1. Click the New Role Assignment button
  2. Select the desired MailArchiva role to map (.e.g. Administrator)
  3. Click Lookup button. A Lookup Window appears.
  4. Enter the administrators email address/UPN. Click Lookup.
  5. Choose an appropriate attribute (e.g. Administrator Group) to map.
  6. Click Save to save the mapping. 
  7. Perform a Test Authentication to verify that the correct role is assigned to a target user or group of users.

In addition to the MailArchiva Cloud, it is possible to integrate Azure authentication for MailArchiva On-Premise. Refer to Office Setup for instructions on how to achieve this.

 

 

OpenID Connect Authentication

 

OpenID Connect is a protocol for authenticating against federated login services such as provided by Google Apps or Office 365. Using OpenID Connect, it is possible to authenticate users using their Google Apps or Office 365 credentials.

 

The following process occurs during Google console login:
 

 
Field Description Eample
Issuer URL federated login provider's issuer URL
https://accounts.google.com
Client ID client ID (provided by federated login provider) 551839461178-oibomon4ndrqeolqja99c861jleggt4g.apps.googleusercontent.com
Client Secret client secret (provided by federated login provider) XXXXXX
Authentication Callback URL After successful login, URL where the authentication provider must redirect to process the token  http://localhost:8090/authorize.do
Scopes Specifies what access privileges are being requested openid,profile,email


Once the user is authenticated, the user needs to be assigned a role in MailArchiva. This is achieved by creating a Role Assignment. Each Role Assignment maps an OpenID user field (such as user_login) to a role in MailArchiva. Refer to the Google Apps OpenID Connect example below for further instructions.

 

Google Apps OpenID Connect

 

From the Google Developers Console:

 

 

From inside MailArchiva:
 

 

To assign a role to a specific logged-in user, enter:

Logout the MailArchiva console, by clicking the username at the top right. Click Logout. Visit http://localhost:8090. MailArchiva should immediately redirect to the Google Apps login page. After logging in, it should redirect to MailArchiva with the logged in user.

 

Note: If there is a misconfiguration in the login service, it is always possible to log back into the MailArchiva console as admin by accessing the URL http://localhost:8090/signonform.do directly.

 

To assign users to a group in Google Apps:

 

 

SAML Authentication

 

MailArchiva has the ability to authenticate against federated login services supporting the SAML protocol. For instance, one can use a federated login service such as OneLogin to provide single-sign-on access to the MailArchiva web console.

 

The following process occurs during Google console login:

 

 

Field Description Example
SSL Login URL federated login provider's login URL. Also known as the Idp SSO target URL
https://app.onelogin.com/trust/saml2/http-post/sso/436692
Assertion Consumer Service URL After successful login, URL where the authentication provider must redirect to process the token  http://localhost:8090/authorize.do
Issuer federated login provider's issuer URL https://app.onelogin.com/saml/metadata/436692
Certificate X.509 certificate obtained from the federated login provider Certificate must first be imported from Configuration->Certificates
Scopes Specifies what access privileges are being requested openid,profile,email
 
Bind Attribute The name of an attribute that can be used to bind to a user User.FirstName
Email Attribute The name of an attribute containing the user's email addresses  User.email
Email Value A regular expression for matching the user attribute. In most cases, this does not need to be changed. (.*)

 

Once the user is authenticated, the user will need to be assigned a role in MailArchiva. This is achieved by mapping a SAML user field (such as User.email or User.MemberOf) to a role in MailArchiva. Refer to the OneLogin example below for further instruction.

 

OneLogin

 

OneLogin provides federated single signon services. With SAML authentication enabled, it is possible for users to login to the MailArchiva console using their OneLogin credentials. 

 

From the OneLogin Administrator Dashboard:

 

Note: The ACS URL and ACS URL Validator fields will need to be adjusted to match the specific URL used to access your MailArchiva system. Assuming your MailArchiva server is assigned an external domain name, such as mailarchiva.company.com, the ACS URL would be "https://mailarchiva.company.com/authorize.do", while the ACS Validator URL would be "^https://malarchiva.company.com/authorize.do/$"

 

From inside the MailArchiva Console:

 

 

 To assign a role to a specific logged in user, enter:

 

 

Logout the MailArchiva console, by clicking the username at the top right. Click Logout. Visit http://localhost:8090. MailArchiva should immediately redirect to the OneLogin login page. After logging in, it should redirect to MailArchiva with the logged in user.

 

Note: If there is a misconfiguration in the login service, it is always possible to log back into the MailArchiva console as admin by accessing the URL http://localhost:8090/signonform.do directly.

 

Note: It is possible to assign roles using any number of SAML fields. Common fields include: 

 

SAML Test Connector Fields Value
E-mail (Attribute) User.email
Email (SAML NameID) User.email
First Name (Attribute) User.FirstName
Last Name (Attribute) User.LastName
Member of (Groups) (Attribute) User.MemberOf

 

IMAP/POP Login

 

 

In architectures where an authentication server is not available, it may be useful to authenticate users against either an IMAP or POP server.

 

The following process occurs during IMAP/POP authentication:

 

 

To enable IMAP/POP authentication:

 

Security Note: When defining an IMAP/POP connection, ensure that TLS is configured and enabled on the connection.
Note: Regular expression matches are supported. Thus, to assign all users to the Users role, enter ".*" in the matches value field.

 

TOTP Two Factor (2FA) Authentication

 

The two-factor authentication (2FA) feature offers an additional layer of security by requiring users to authenticate using a one-time-password (OTP) in addition to their regular password-based credential. 2FA is supported by way of the RFC 6238 Time-based One-Time Password (TOTP) algorithm. With 2FA enabled, in addition to authenticating with a password, users are required to input a one-time-password (OTP) generated by a TOTP mobile authenticator app such as Google Authenticator. To enable 2FA, login to the MailArchiva console as admin, open Configuration->Logins, and check "Add extra layer of security..".

 

 

After 2FA is enabled, all users will be prompted at next login to register the MailArchiva application on a TOTP mobile phone app such Google Authenticator. Each user registers MailArchiva on their TOTP mobile app by scanning a QR-code (see image to right) using their mobile phone. Thereafter, after logging in, each user will be prompted to input the OTP displayed on the TOTP app for authentication purposes. During login, a user may also opt to trust the device for 30 days, in which case, they will not be prompted for 2FA for another 30 days provided they are logging in using the same browser on the same machine.


If a user is unable to authenticate for any reason, their 2FA registration must be reset by an administrator. To reset a user's 2FA registration, login to MailArchiva using the admin account, go to Configuration->Logins, click the "Reset user" button. Enter the user's  User Principal Name (UPN) or username in the popup dialog and click the "Reset user" button. Provided the reset is successful, on next login, the user will be prompted to re-register the MailArchiva application again on their TOTP mobile phone app. If resetting a user for the second time, if the user had not logged in and registered for TOTP authentication yet, a message will popup stating "Reset failed as user's two-step auth was already reset". It is simply stating there was no need to reset, as the user was not registered yet.

 

 

 

 

 

Create your own Knowledge Base