Secure Web Console Access (HTTP/S)

 

Since MailArchiva typically contains sensitive company information, protecting access to the web console with HTTP/S (HTTP/TLS) is advised. Without HTTP/S protection, there is little assurance of confidentiality of email data.

 

There are two possible ways to secure the MailArchiva console:

 

  1. Use MailArchiva's inbuilt certificate management 
  2. Front MailArchiva with either Nginx or Apache proxy. Use third-party certificate management services (e.g. Certbot / Let's encrypt)

Securing MailArchiva using its inbuilt certificate management is described further below. Refer to the respective proxy configurations if the second option is desirable.
 

MailArchiva certificate management

 

Which Certificate to Purchase?: If deploying MailArchiva On-Premise, a standard SSL certificate is sufficient. If deploying MailArchiva MSP, a wildcard certificate is needed. Wildcard certificates typically have a common name prefixed with a star (e.g. *.archive.org)

 

Prerequisites

 

When enabling HTTP/S, the following requirements must be met:

 

  1. A server certificate and private key must be installed.
  2. A complete CA certificate chain must be present and installed (i.e. including all intermediate and root certificates).
  3. An Apache Tomcat HTTPS connector must be configured correctly and enabled (i.e. keystore password correct, storage alias name matched and client certificate authentication disabled)

All certificates and keys must be installed in a password-protected Java key store file referenced by a storage alias name.

 

Certificate install

 

Follow either of these steps to install a server certificate in MailArchiva:

 

  1. Fetch free certificate - Automatically generate and fetch a free certificate and CA chain from the Let's Encrypt Certificate Authority (uses ACME protocol)
  2. Generate CSR - Generate a Certificate Signing Request (CSR) using the MailArchiva Console and manually submit to a Certificate Authority such as Verisign
  3. Generate CSR from command line - Generate a Certificate Signing Request (CSR) on the command-line
  4. Import - Import a pre-existing server certificate and private key from a PKCS-12 file

Using a text editor, modify the Tomcat app server configuration file called server.xml located in /var/opt/mailarchiva/tomcat/conf/server.xml (Linux) or C:\ProgramData\MailArchiva\Tomcat\conf\server.xml (Windows)

a) Uncomment the lines below. Note the format of the Connector differs between MailArchiva V9 and MailArchiva V8 since MailArchiva V9 embeds Tomcat 10 and the structure of the server.xml is changed slightly (see added SSLHostConfig tag).

 

MailArchiva V9+

 

  <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" connectionTimeout="20000" redirectPort="8443" maxParameterCount="1000" URIEncoding="UTF-8" compression="on" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/css,text/plain,application/javascript,application/json" enableLookups="false"  disableUploadTimeout="true" address="0.0.0.0" SSLEnabled="true" maxThreads="150">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/etc/opt/mailarchiva/ROOT/conf/mailarchivacerts" type="RSA" certificateKeystorePassword="##YourKeystorePassword##" certificateKeyAlias="tomcat" />
        </SSLHostConfig>
 </Connector>

 

MailArchiva V8+

 

<Connector port="443" allowUnsafeLegacyRenegotiation="false"  SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keyAlias="tomcat"  
keystoreFile="C:\ProgramData\MailArchiva\ROOT\conf\mailarchivacerts" keystorePass="changeit" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" sslProtocol="TLS" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" maxThreads="500" minSpareThreads="25" acceptCount="500" connectionTimeout="1800000" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol" disableUploadTimeout="true" compressableMimeType="text/html,text/xml,text/plain,text/javascript,application/javascript,application/json"/>    

 

b) Update the TLS connector attributes (illustrated above) as follows:

 

  1. Log into the MailArchiva web console.
  2. Go to Configuration→Certificates
  3. Click on Lookup Key Store Secret and enter the volume encryption password (the one entered during the initial setup of the product). After clicking the lookup button, the corresponding key store secret should be displayed.
  4. Edit the TLS connector (illustrated above) in the Tomcat server.xml such that its certificateKeystorePassword attribute value is changed to the lookup value of the keystore secret.
  5. Ensure the certificateKeystoreFile path is correct. Default values are C:\ProgramData\MailArchiva\ROOT\mailarchivacerts (Windows) and /etc/opt/mailarchiva/ROOT/conf/mailarchivacerts (Linux).
  6. Ensure the specific certificateKeyAlias refers to the alias in the keystore where the server certificate resides.
Note: The lookup dialog does not validate whether the volume encryption password is correct or not. The password must be known to be correct. If it is incorrect, the server will not start upon restart of the service. If the volume encryption password is forgotten, rather setup an HTTPS proxy such as Nginx or Apache to handle the HTTPS communications. If the volue encryption password is lost, it is imperative to immediately backup the server.conf.

 

c) If desired, comment out the (insecure) connector setup by default on port 8090.

 

d) If desired, to automatically redirect traffic from port 80 to 443, edit a file called web.xml in C:\ProgramData\MailArchiva\Tomcat\conf\web.xml (Windows) or /var/opt/mailarchiva/tomcat/conf/web.xml (Linux).

 

Add the following lines just before the closing </web-app> tag:

 

<security-constraint>
     <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

 

Restart the MailArchiva server. Access the server console via a web browser such as Chrome or Firefox. The server should now be accessible from the equivalent of https://mailarchiva.company.com (replace FQDN with your domain name). If HTTP/S is working, a lock icon should be present in the browser address bar.

 

If the server doesn't start, consult the Tomcat startup logs in C:\ProgramData\MailArchiva\Tomcat\logs\* (Windows) or /var/opt/mailarchiva/tomcat/logs/* (Linux) to ascertain the reason.

 

Typically, the server will not start if the Tomcat connector is specified incorrectly; common reasons include:
 

  • An incorrect encryption password is specified. Did you perhaps either forget or enter an incorrect volume encryption password in Get Keystore Secret?
  • An invalid path to the MailArchiva keystore was specified.
  • Client certificate authentication is set to true on the connector (it should be false)
  • The alias referencing the server certificate is either incorrect or not specified.

 

If the above suggestions are not helping, refer to these further troubleshooting steps.

 
© 2005 - 2025 ProProfs

Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.

-