Secure Web Console Access (HTTP/S)
Since MailArchiva typically contains sensitive company information, protecting access to the web console with HTTP/S (HTTP/TLS) is advised. Without HTTP/S protection, there is little assurance of confidentiality of email data.
There are two possible ways to secure the MailArchiva console:
- Use MailArchiva's inbuilt certificate management
- Front MailArchiva with either Nginx or Apache proxy. Use third-party certificate management services (e.g. Certbot / Let's encrypt)
Securing MailArchiva using its inbuilt certificate management is described further below. Refer to the respective proxy configurations if the second option is desirable.
MailArchiva certificate management
Prerequisites
When enabling HTTP/S, the following requirements must be met:
- A server certificate and private key must be installed.
- A complete CA certificate chain must be present and installed (i.e. including all intermediate and root certificates).
- An Apache Tomcat HTTPS connector must be configured correctly and enabled (i.e. keystore password correct, storage alias name matched and client certificate authentication disabled)
All certificates and keys must be installed in a password-protected Java key store file referenced by a storage alias name.
Certificate install
Follow either of these steps to install a server certificate in MailArchiva:
- Fetch free certificate - Automatically generate and fetch a free certificate and CA chain from the Let's Encrypt Certificate Authority (uses ACME protocol)
- Generate CSR - Generate a Certificate Signing Request (CSR) using the MailArchiva Console and manually submit to a Certificate Authority such as Verisign
- Generate CSR from command line - Generate a Certificate Signing Request (CSR) on the command-line
- Import - Import a pre-existing server certificate and private key from a PKCS-12 file
Using a text editor, modify the Tomcat app server configuration file called server.xml located in /var/opt/mailarchiva/tomcat/conf/server.xml (Linux) or C:\ProgramData\MailArchiva\Tomcat\conf\server.xml (Windows)
a) Uncomment the line:
MailArchiva V9+
<SSLHostConfig>
<Certificate certificateKeystoreFile="/etc/opt/mailarchiva/ROOT/conf/mailarchivacerts" type="RSA" certificateKeystorePassword="##YourKeystorePassword##" certificateKeyAlias="tomcat" />
</SSLHostConfig>
</Connector>
Change the certificateKeystorePassword attribute value to the keystore secret obtained from Configuration->Certificates->Lookup Key Store Secret. Ensure the certificateKeystoreFile path is correct. The default values are C:\ProgramData\MailArchiva\ROOT\mailarchivacerts (Windows) and /etc/opt/mailarchiva/ROOT/conf/mailarchivacerts (Linux).
MailArchiva V8+
keystoreFile="C:\ProgramData\MailArchiva\ROOT\conf\mailarchivacerts" keystorePass="changeit" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" sslProtocol="TLS" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" maxThreads="500" minSpareThreads="25" acceptCount="500" connectionTimeout="1800000" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol" disableUploadTimeout="true" compressableMimeType="text/html,text/xml,text/plain,text/javascript,application/javascript,application/json"/>
Change the keystorePass attribute value to the keystore secret obtained from Configuration->Certificates->Lookup Key Store Secret. Ensure the keystoreFile path is correct. Usual paths are as follows: C:\ProgramData\MailArchiva\ROOT\mailarchivacerts
The password inputted in the lookup dialog must be equivalent to the volume encryption password entered during product setup. Ensure the other connector attributes match up.
b) If desired, comment out the (insecure) connector setup by default on port 8090.
c) If it is desirable for traffic on port 80 to be automatically redirected to port 443, edit a file called web.xml in C:\ProgramData\MailArchiva\Tomcat\conf\web.xml (Windows) or /var/opt/mailarchiva/tomcat/conf/web.xml (Linux).
Add the following lines just before the closing </web-app> tag:
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Restart the MailArchiva server. Access the server console via a web browser such as Chrome or Firefox. The server should now be accessible from the equivalent of https://mailarchiva.company.com (replace FQDN with your domain name). If HTTP/S is working, a lock icon should be present in the browser address bar.
If the server doesn't start, consult the Tomcat startup logs in C:\ProgramData\MailArchiva\Tomcat\logs\* (Windows) or /var/opt/mailarchiva/tomcat/logs/* (Linux) to ascertain the reason.
Typically, the server will not start if the Tomcat connector is specified incorrectly; common reasons include:
- An incorrect encryption password is specified. Did you perhaps either forget or enter an incorrect volume encryption password in Get Keystore Secret?
- An invalid path to the MailArchiva keystore was specified.
- Client certificate authentication is set to true on the connector (it should be false)
- The alias referencing the server certificate is either incorrect or not specified.
If the above suggestions are not helping, refer to these further troubleshooting steps.
Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.