Secure Web Console Access (HTTP/S)

 

Since MailArchiva typically contains sensitive company information, protecting access to the web console with HTTP/S (HTTP/TLS) is advised. Without HTTP/S protection, there is little assurance of confidentiality of email data.

 

There are two possible ways to secure the MailArchiva console:

 

  1. Use MailArchiva's inbuilt certificate management 
  2. Front MailArchiva with either Nginx or Apache proxy. Use third-party certificate management services (e.g. Certbot / Let's encrypt)

Securing MailArchiva using its inbuilt certificate management is described further below. Refer to the respective proxy configurations if the second option is desirable.
 

MailArchiva certificate management

 

Which Certificate to Purchase?: If deploying MailArchiva On-Premise, a standard SSL certificate is sufficient. If deploying MailArchiva MSP, a wildcard certificate is needed. Wildcard certificates typically have a common name prefixed with a star (e.g. *.archive.org)

 

Prerequisites

 

When enabling HTTP/S, the following requirements must be met:

 

  1. A server certificate and private key must be installed.
  2. A complete CA certificate chain must be present and installed (i.e. including all intermediate and root certificates).
  3. An Apache Tomcat HTTPS connector must be configured correctly and enabled (i.e. keystore password correct, storage alias name matched and client certificate authentication disabled)

All certificates and keys must be installed in a password-protected Java key store file referenced by a storage alias name.

 

Certificate install

 

Follow either of these steps to install a server certificate in MailArchiva:

 

  1. Fetch free certificate - Automatically generate and fetch a free certificate and CA chain from the Let's Encrypt Certificate Authority (uses ACME protocol)
  2. Generate CSR - Generate a Certificate Signing Request (CSR) using the MailArchiva Console and manually submit to a Certificate Authority such as Verisign
  3. Generate CSR from command line - Generate a Certificate Signing Request (CSR) on the command-line
  4. Import - Import a pre-existing server certificate and private key from a PKCS-12 file

 

Using a text editor, modify the Tomcat app server configuration file called server.xml located in /var/opt/mailarchiva/tomcat/conf/server.xml (Linux) or C:\ProgramData\MailArchiva\Tomcat\conf\server.xml (Windows)

a) Uncomment the line:

 

MailArchiva V9+

 

  <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" connectionTimeout="20000" redirectPort="8443" maxParameterCount="1000" URIEncoding="UTF-8" compression="on" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/css,text/plain,application/javascript,application/json" enableLookups="false"  disableUploadTimeout="true" address="0.0.0.0" SSLEnabled="true" maxThreads="150">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/etc/opt/mailarchiva/ROOT/conf/mailarchivacerts" type="RSA" certificateKeystorePassword="##YourKeystorePassword##" certificateKeyAlias="tomcat" />
        </SSLHostConfig>
 </Connector>

 

Change the certificateKeystorePassword attribute value to the keystore secret obtained from Configuration->Certificates->Lookup Key Store Secret. Ensure the certificateKeystoreFile path is correct. Usual paths are as follows: C:\ProgramData\MailArchiva\ROOT\mailarchivacerts

 

MailArchiva V8+

 

<Connector port="443" allowUnsafeLegacyRenegotiation="false"  SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keyAlias="tomcat"  
keystoreFile="C:\ProgramData\MailArchiva\ROOT\conf\mailarchivacerts" keystorePass="changeit" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" sslProtocol="TLS" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" maxThreads="500" minSpareThreads="25" acceptCount="500" connectionTimeout="1800000" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol" disableUploadTimeout="true" compressableMimeType="text/html,text/xml,text/plain,text/javascript,application/javascript,application/json"/>    

 

Change the keystorePass attribute value to the keystore secret obtained from Configuration->Certificates->Lookup Key Store Secret. Ensure the keystoreFile path is correct. Usual paths are as follows: C:\ProgramData\MailArchiva\ROOT\mailarchivacerts

 

The password inputted in the lookup dialog must be equivalent to the volume encryption password entered during product setup. Ensure the other connector attributes match up.

 

Note: The lookup dialog does not validate whether the volume encryption password is correct or not. The password must be known to be correct. If it is incorrect, the server will not start upon restart of the service. If the volume encryption password is forgotten, rather setup an HTTPS proxy such as Nginx or Apache to handle the HTTPS communications. If the volue encryption password is lost, it is imperative to immediately backup the server.conf.

 

b) If desired, comment out the (insecure) connector setup by default on port 8090.

 

c) If it is desirable for traffic on port 80 to be automatically redirected to port 443, edit a file called web.xml in C:\Program Files\MailArchiva\Server\conf\web.xml (Windows) or /opt/mailarchiva/server/conf/web.xml (Linux).
 

Add the following lines just before the closing </web-app> tag:

 

<security-constraint>
     <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

 

Restart the MailArchiva server. Access the server console via a web browser such as Chrome or Firefox. The server should now be accessible from the equivalent of https://mailarchiva.company.com (replace FQDN with your domain name). If HTTP/S is working, a lock icon should be present in the browser address bar.

 

If the server doesn't start, consult the Tomcat startup logs in C:\ProgramData\MailArchiva\Tomcat\logs\* (Windows) or /var/opt/mailarchiva/tomcat/logs/* (Linux) to ascertain the reason.

 

Typically, the server will not start if the Tomcat connector is specified incorrectly; common reasons include:
 

  • An incorrect encryption password is specified. Did you perhaps either forget or enter an incorrect volume encryption password in Get Keystore Secret?
  • An invalid path to the MailArchiva keystore was specified.
  • Client certificate authentication is set to true on the connector (it should be false)
  • The alias referencing the server certificate is either incorrect or not specified.

 

If the above suggestions are not helping, refer to these further troubleshooting steps.

 
© 2005 - 2024 ProProfs

Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.

-