Since MailArchiva typically contains sensitive company information, protecting access to the web console with HTTP/S (HTTP/TLS) is advised. Without HTTP/S protection, there is little assurance of confidentiality of email data.
There are two possible ways to secure the MailArchiva console:
- Use MailArchiva's inbuilt certificate management
- Front MailArchiva with either an Nginx or Apache reverse proxy and use third-party certificate management services (e.g. Certbot / Let's Encrypt)
Securing MailArchiva using its inbuilt certificate management is described further below. Refer to the respective proxy configurations if the second option is desirable.
When enabling HTTP/S, the following requirements must be met:
- A server certificate and private key must be installed.
- A complete CA certificate chain must be present and installed (i.e. including all intermediate and root certificates).
- An Apache Tomcat HTTPS connector must be configured correctly and enabled (i.e. keystore password correct, storage alias name matched and client certificate authentication disabled)
All certificates and keys must be installed in a password-protected Java key store file referenced by a storage alias name.
Follow one of these methods to install a server certificate in MailArchiva:
- Fetch free certificate - Automatically generate and fetch a free certificate and CA chain from the Let's Encrypt Certificate Authority (uses ACME protocol)
- Generate CSR - Generate a Certificate Signing Request (CSR) using the MailArchiva Console and manually submit to a Certificate Authority such as Verisign
- Generate CSR from command line - Generate a Certificate Signing Request (CSR) on the command-line
- Import - Import a pre-existing server certificate and private key from a PKCS-12 file
Using a text editor, modify the Tomcat app server configuration file called server.xml located in /var/opt/mailarchiva/tomcat/conf/server.xml (Linux) or C:\ProgramData\MailArchiva\Tomcat\conf\server.xml (Windows).
a) Uncomment the line:
b) Change the keystorePass attribute value to the keystore secret obtained from Configuration->Certificates->Lookup Key Store Secret. The password entered in the lookup dialog must be the same as the volume encryption password entered during product setup. Ensure the other connector attributes match up.
c) Ensure the keystoreFile path is correct. The usual paths are C:\ProgramData\MailArchiva\ROOT\mailarchivacerts (Windows) and /etc/opt/mailarchiva/ROOT/mailarchivacerts (Linux).
d) If desired, comment out the insecure (plain HTTP) connector that is set up by default on port 8090.
If it is desirable for traffic on port 80 to be automatically redirected to port 443, edit a file called web.xml in C:\Program Files\MailArchiva\Server\conf\web.xml (Windows) or /opt/mailarchiva/server/conf/web.xml (Linux).
Add the following lines just before the closing </web-app> tag:
Restart the MailArchiva server. The server should then be accessible from https://mailarchiva.company.com (replace the FQDN with your own domain name).
If the server doesn't start, consult the Tomcat startup logs in C:\ProgramData\MailArchiva\Tomcat\logs\* (Windows) or /var/opt/mailarchiva/tomcat/logs/* (Linux).
Typically, the server won't start if the Tomcat connector is specified incorrectly; common reasons include:
- An incorrect encryption password is specified. Did you perhaps either forget or enter an incorrect volume encryption password in Get Keystore Secret?
- An invalid path to the MailArchiva keystore was specified.
- Client certificate authentication is set to be true (it should be false)
- The alias referencing the server certificate is either incorrect or not specified.
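A pre-restart check for the connector mistakes listed above, as an added example rather than MailArchiva's own tooling: it parses server.xml and flags a missing keystore path, an empty or placeholder keystore password, client certificate authentication left enabled, and a missing server certificate alias. It assumes the Tomcat JSSE connector attribute names keystoreFile, keystorePass, keyAlias and clientAuth; the sample server.xml is constructed.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the default plain-HTTP connector on 8090 is
# still present and the TLS connector on 8443 has two of the listed mistakes.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8090" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" maxThreads="150"
               keystoreFile="/etc/opt/mailarchiva/ROOT/mailarchivacerts"
               keystorePass="CHANGE-ME" keyAlias="mailarchiva" clientAuth="true" />
  </Service>
</Server>
"""


def check_tls_connectors(server_xml, path_exists=os.path.exists):
    """Return a list of problems found on the SSLEnabled connector(s).

    path_exists is injectable so the check can run against a sample config.
    Whether keystorePass actually opens the keystore is not verified here;
    that is what `keytool -list -keystore <file> -storepass <pass>` is for.
    """
    root = ET.fromstring(server_xml)
    tls = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        return ['no connector with SSLEnabled="true" found (is the HTTPS line still commented out?)']
    problems = []
    for c in tls:
        port = c.get("port", "?")
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            problems.append(f"port {port}: scheme/secure attributes should be https/true")
        ks = c.get("keystoreFile")
        if not ks:
            problems.append(f"port {port}: keystoreFile not specified")
        elif not path_exists(ks):
            problems.append(f"port {port}: keystoreFile {ks} does not exist")
        if not c.get("keystorePass") or c.get("keystorePass") == "CHANGE-ME":
            problems.append(f"port {port}: keystorePass missing or still a placeholder")
        if c.get("clientAuth", "false").lower() != "false":
            problems.append(f"port {port}: clientAuth must be false")
        if not c.get("keyAlias"):
            problems.append(f"port {port}: keyAlias (server certificate alias) not specified")
    return problems


if __name__ == "__main__":
    for p in check_tls_connectors(SAMPLE_SERVER_XML, path_exists=lambda _: True):
        print("PROBLEM:", p)
```

Run it against the real file with `check_tls_connectors(open(path).read())` so the keystore path is checked on disk.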