Secure Web Console Access (HTTP/S)

 

Since MailArchiva typically contains sensitive company information, protecting access to the web console with HTTP/S (HTTP/TLS) is advised. Without HTTP/S protection, there is little assurance of confidentiality of email data.

 

There are two possible ways to secure the MailArchiva console:

 

  1. Use MailArchiva's inbuilt certificate management 
  2. Front MailArchiva with either Nginx or Apache proxy. Use third-party certificate management services (e.g. Certbot / Let's encrypt)

Securing MailArchiva using its inbuilt certificate management is described further below. Refer to the respective proxy configurations if the second option is desirable.
 

MailArchiva certificate management

 

Which Certificate to Purchase?: If deploying MailArchiva On-Premise, a standard SSL certificate is sufficient. If deploying MailArchiva MSP, a wildcard certificate is needed. Wildcard certificates typically have a common name prefixed with a star (e.g. *.archive.org)

 

Prerequisites

 

When enabling HTTP/S, the following requirements must be met:

 

  1. A server certificate and private key must be installed.
  2. A complete CA certificate chain must be present and installed (i.e. including all intermediate and root certificates).
  3. An Apache Tomcat HTTPS connector must be configured correctly and enabled (i.e. keystore password correct, storage alias name matched and client certificate authentication disabled)

All certificates and keys must be installed in a password-protected Java key store file referenced by a storage alias name.

 

Certificate install

 

Follow either of these steps to install a server certificate in MailArchiva:

 

  1. Fetch free certificate - Automatically generate and fetch a free certificate and CA chain from the Let's Encrypt Certificate Authority (uses ACME protocol)
  2. Generate CSR - Generate a Certificate Signing Request (CSR) using the MailArchiva Console and manually submit to a Certificate Authority such as Verisign
  3. Generate CSR from command line - Generate a Certificate Signing Request (CSR) on the command-line
  4. Import - Import a pre-existing server certificate and private key from a PKCS-12 file

 

Using a text editor, modify the Tomcat app server configuration file called server.xml located in /var/opt/mailarchiva/tomcat/conf/server.xml (Linux) or C:ProgramDataMailArchivaTomcatconfserver.xml (Windows)

a) Uncomment the line:

 

<Connector port="443" allowUnsafeLegacyRenegotiation="false"  SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keyAlias="letsencrypt.org-server-tomcat" keystoreFile="/etc/opt/mailarchiva/ROOT/mailarchivacerts" keyPass="changeme" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" sslProtocol="TLS" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" maxThreads="500" minSpareThreads="25" acceptCount="500" connectionTimeout="20000" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol" compressableMimeType="text/html,text/xml,text/plain,text/javascript,application/javascript,application/json"/>

 

b) Change the keystorePass attribute value to the keystore secret obtained from Configuration->Certificates->Lookup Key Store Secret. The password inputted in the lookup dialog must be equivalent to the volume encryption password entered during product setup. Ensure the other connector attributes match up.

 

Note: The lookup dialog does not validate whether the volume encryption password is correct or not. The password must be known to be correct. If it is incorrect, the server will not start upon restart of the service. If the volume encryption password is forgotten, rather setup an HTTPS proxy such as Nginx or Apache to handle the HTTPS communications. If the volue encryption password is lost, it is imperative to immediately backup the server.conf.

 

c) Ensure the keystoreFile path is correct. Usual paths are as follows: C:ProgramDataMailArchivaROOTmailarchivacerts (Windows) Linux: /etc/opt/mailarchiva/ROOT/mailarchivacerts (Windows).

c) If desired, comment out the (insecure) connector setup by default on port 8090.

 

 If it is desirable for traffic on port 80 to be automatically redirected to port 443, edit a file called web.xml in C:Program FilesMailArchivaServerconfweb.xml (Windows) or /opt/mailarchiva/server/conf/web.xml (Linux).
 

Add the following lines just before the closing </web-app> tag:

 

<security-constraint>
     <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

 

Restart the MailArchiva server. The server should be accessible from https://mailarchiva.company.com (replace FQDN with your domain name)

 

If the server doesn't start, consult the Tomcat startup logs in C:ProgramDataMailArchivaTomcatlogs* (Windows) or /var/opt/mailarchiva/tomcat/logs/* (Linux).  

 

Typically, the server won't start if the Tomcat connector is specified incorrectly; common reasons include:
 

  • An incorrect encryption password is specified. Did you perhaps either forget or enter an incorrect volume encryption password in Get Keystore Secret?
  • An invalid path to the MailArchiva keystore was specified.
  • Client certificate authentication is set to be true (it should be false)
  • The alias referencing the server certificate is either incorrect or not specified.
 
Was this information helpful?

Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.

The page cannot be found

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. Please make sure you spelled the page name correctly or use the search box.