Boundary Encryption Service. MTA Setup Guide


Boundary Encryption Service


Documentation version: 2.0

Legal Notice

Copyright © 2013 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

Symantec Corporation 350 Ellis Street

Mountain View, CA 94043 http://www.symantec.com

Clients are advised to seek specialist advice to ensure that they use the Symantec services in accordance with relevant legislation and regulations. Depending on jurisdiction, this may include (but is not limited to) data protection law, privacy law, telecommunications regulations, and employment law. In many jurisdictions, it is a requirement that users of the service are informed of or required to give consent to their email being monitored or intercepted for the purpose of receiving the security services that are offered by Symantec. Due to local legislation, some features that are described in this documentation are not available in some countries. Configuration of the Services remains your responsibility and entirely in your control. In certain countries it may be necessary to obtain the consent of individual personnel. Symantec advises you to always check local legislation prior to deploying a Symantec service. You should understand your company’s requirements around electronic messaging policy and any regulatory obligations applicable to your industry and jurisdiction. Symantec can accept no liability for any civil or criminal liability that may be incurred by you as a result of the operation of the Service or the implementation of any advice that is provided hereto.

The documentation is provided "as is" and all express or implied conditions, representations, and warranties, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement, are disclaimed, except to the extent that such disclaimers are held to be legally invalid. Symantec Corporation shall not be liable for incidental or consequential damages in connection with the furnishing, performance, or use of this documentation. The information that is contained in this documentation is subject to change without notice.

Symantec may at its sole option vary these conditions of use by posting such revised terms to the website.


Technical support

If you need help on an aspect of the security services that is not covered by the online Help or administrator guides, contact your IT administrator or Support team. To find your Support team's contact details in the portal, click Support > Contact


Contents

Technical support ... 3

Chapter 1 BE MTA Setup ... 6
    About configuring a mail server to work with Boundary Encryption ... 6

Chapter 2 Microsoft Exchange Server 2003 ... 8
    About Microsoft Exchange Server 2003 ... 8
    Generating a certificate request ... 9
    Getting a certificate signed ... 34
    Installing the certificate ... 15
    Installing root certificates ... 16
    Confirming that the certificate is installed ... 22
    Configuring Exchange for outbound TLS Mail ... 22
    Testing secure communications ... 27
    Advanced configuration information ... 29

Chapter 3 Microsoft Exchange Server 2007 and 2010 ... 30
    About Microsoft Exchange Server 2007 and 2010 ... 30
    Generate a certificate request ... 31
    Getting a certificate signed ... 34
    Install the certificate ... 35
    Install root and intermediary certificates ... 35
    Activating the certificate ... 35
    Removing the default self-signed certificate ... 35
    Testing inbound TLS mail ... 36
    Configuring Exchange for outbound TLS mail ... 36
    Enforcing TLS on outbound mail ... 37

Chapter 4 Sendmail 8.12 ... 38
    About Sendmail 8.12 ... 38
    Checking for TLS support ... 38
    Generating a certificate request ... 39
    Testing secure communications with sendmail ... 41

Chapter 5 Domino 6.5 ... 43
    About Domino 6.5 ... 43
    Generating a certificate request ... 43
    Installing root certificates ... 49
    Installing the certificate ... 51
    Configuring Domino ... 54
    Testing secure communications ... 57

Chapter 6 Generic MTA ... 59
    Generic MTA ... 59


Chapter 1 BE MTA Setup

This chapter includes the following topics:

■ About configuring a mail server to work with Boundary Encryption

About configuring a mail server to work with Boundary Encryption

Boundary Encryption lets you send and receive secure email between your company and your business partners through the use of digital certificates. These certificates are used to verify the identity of the mail servers that send and receive mail. The mail is then encrypted using the TLS (Transport Layer Security) protocol as it is sent over the Internet.

For further details on the service and before attempting any of the configurations, read the FAQs about Boundary Encryption.


Ensure that your organization is configured to send your outbound email through the Symantec.cloud infrastructure. You can do this in the portal. Navigate to Services > Email Services > Outbound Routes.

The key steps to enabling the Boundary Encryption Service are:

■ Complete the Boundary Encryption provisioning forms.

■ Generate a certificate request for your MTA (Message Transfer Agent). An MTA is the component of a mail server that receives, routes, and delivers email.

■ Get the certificate signed.

■ Install the certificate on the MTA.

■ Install the root certificate.


■ Configure the MTA to send and receive mail encrypted by TLS either for Secure Connect or for a defined set of business partners to a Symantec.cloud Boundary Encryption server.

■ Test that mail is encrypted and that TLS is used.

Once the Boundary Encryption Client and Business Partner Information forms are completed, the configuration steps depend on the type of mail server software in use. We provide instructions for the mail software products that are listed in the following table.

Table 1-1 Mail software products covered in this guide

MTA product                               Further information
Microsoft Exchange Server 2003            See "About Microsoft Exchange Server 2003" on page 8.
Microsoft Exchange Server 2007 and 2010   See "About Microsoft Exchange Server 2007 and 2010" on page 30.
Sendmail 8.12                             See "About Sendmail 8.12" on page 38.
Domino 6.5                                See "About Domino 6.5" on page 43.

If your mail server software is not on this list, you may still be able to use the service. If you are a Symantec.cloud client, check with Client Services to see if this is possible. If you are implementing this service at the request of a business partner who is a Symantec.cloud client, please confirm this with your business partner.

Note: These instructions describe the steps to configure a mail server to work with Boundary Encryption. They do not cover the initial setup of a mail server and do not address all scenarios. You may need to customize these instructions to work with your own particular configuration.


Chapter 2 Microsoft Exchange Server 2003

This chapter includes the following topics:

■ About Microsoft Exchange Server 2003

■ Generating a certificate request

■ Getting a certificate signed

■ Installing the certificate

■ Installing root certificates

■ Confirming that the certificate is installed

■ Configuring Exchange for outbound TLS Mail

■ Testing secure communications

■ Advanced configuration information

About Microsoft Exchange Server 2003

The key steps to configuring Exchange 2003 with TLS are:

■ Generate a certificate request

■ Have the certificate signed by a public CA

■ Install the certificate

■ Install root certificates

■ Check that the certificate is installed

■ Configure outbound communications by creating a new connector that uses TLS

■ Test proper operation, both with TLS and non-TLS mail.

Generating a certificate request

Generate a certificate request by enabling certificates on the virtual server used for routing SMTP mail to the Internet. Normally this is called "Default SMTP Virtual Server".

Note: If you use more than one virtual server, it is important that the certificate request is originated from the one that handles the TLS communication. This may or may not be the default SMTP virtual server. (For further information on creating virtual servers and allocating IP addresses and port numbers, please see the Microsoft Exchange support information.)

To generate a certificate request

1. In the left pane of Exchange System Manager, open the Servers container.

2. Click the Exchange Server computer that you want to configure, double-click the Protocols container and then double-click the SMTP container.

3. Right-click the appropriate SMTP virtual server object, and then click Properties.

4. Click the Access tab, and then click the Certificate button.

5. After the IIS Certificate Wizard starts, click Create a new certificate, and then click Next.

6. Click Prepare the request now, but send it later, and then click Next.

7. Either assign an appropriate name to the certificate or accept the default setting (the name of the virtual server), select a bit length, and then click Next.

Symantec.cloud recommends a key length of 2048 bits. Longer key lengths affect performance and may be more expensive.

8. Type the organization and organizational unit information for the CA from which you want to request a certificate, and then click Next. This information is typically available from the CA's Web site or is sent to you when you register with the CA.

9. Enter the common name for your server, and then click Next.

This name must be the name that the server returns in response to the EHLO command. This is normally the fully-qualified domain name. You can check it by telnetting to port 25 of the IP address that the virtual server is running on and typing EHLO SMTP. It is also recommended that this name be registered in DNS and externally resolvable to the IP address that is linked to the virtual server. In DNS, only an A (Address) record is needed; do not create an MX (Mail Exchanger) record.

You can change the name returned by the EHLO command by editing the Fully-qualified domain name on the Advanced Delivery dialog box in the virtual server properties. This may be useful if there is a DNS name clash or a problem with the certificate name.

10. On the Geographical Information page, type the Country/Region, State/province, and City/locality information as appropriate for your organization, and then click

11. Type a name and a path for the location in which you want to create the certificate or accept the default file name.

12. Click Next.

13. Review the information on the Request File Summary page, and then click Next.

14. The final page confirms that a certificate request with the specified file name has been created. The default setting is drive name:\certreq.txt.

15. Click Finish.

Getting a certificate signed

The certificate request file needs to be signed by a Certification Authority (CA) trusted by Symantec.cloud. This certificate signing process may need to be repeated for each of your mail servers.

Note: This process varies from vendor to vendor. For information on getting the certificate signed, see your vendor's support documentation.

We recommend that you obtain 2,048-bit certificates from a recognized public CA. Ask your CA to ensure that the ‘SSL-Client’ X.509v3 extension is included in your certificate.


Table 2-1 The CAs trusted by Symantec.cloud

Thawte, Trustis FPS, Usertrust, Valicert, Verisign, QuoVadis, RSA Data Security, SecureNet, Starfield Tech, StartCom, Tata, TC TrustCenter, GlobalSign, Go Daddy, GEOTrust, GTE CyberTrust, IPS Servidores, Netlock, Network Solutions, ABA.ECOM, AddTrust, Comodo, DigiCert Inc, DST, Entrust.net, Equifax

See "About configuring a mail server to work with Boundary Encryption" on page 6. See "Generating a certificate request" on page 9.

Installing the certificate

Send the certificate request file that you created in the previous section to your CA. Alternatively, your CA may have a Web-based interface that permits you to submit the certificate request. You should receive a file that has a .cer file name extension. After you receive this file, restart the Certificate Wizard to install this certificate. Refer to the FAQs about Boundary Encryption Service for important information about certificates.


Note: After completing the following procedure, you must restart the SMTP virtual server responsible for the TLS connection with Symantec.cloud. Restarting the virtual server may mean a temporary loss of connectivity to the Symantec.cloud infrastructure.

1. On the virtual server that you used in the previous section, click Properties, click the Access tab, and then click the Certificate button.

2. After the Certificate Wizard restarts and you receive notification that you have a pending certificate request, click Next.

3. On the Pending Certificate Request page, click Process the pending request and install the certificate, and then click Next. On the Process a Pending Request page, type the path to the certificate that you received from the external CA.

4. Review the Certificate Summary page, which shows the information that is contained in the certificate: who issued the certificate, when the certificate expires, what the certificate is to be used for, and the certificate friendly name. Make sure this is the correct certificate and then click Next.

5. After you receive notification that the certificate is successfully installed on the virtual server, click Finish.

For the changes to take effect, you must restart the SMTP virtual server responsible for the TLS connection with Symantec.cloud.

Installing root certificates

To avoid any problems with certificate chain validation, make sure that CA-trusted root certificates are installed for both your own certificate and that of Symantec.cloud. Many trusted root certificates are installed by default on Windows. For Windows 2000 Server, this list is kept up to date by Windows Update. For Windows Server 2003 and 2008, selected trusted root certificates are automatically installed when you visit a Web site secured by a certificate in that chain. You can see which certificates are installed through the following procedure.


To install the root certificate

1. On the Start menu, click Run. Type mmc and click OK. A blank Microsoft Management Console (MMC) is created.

2. Click File > Add/Remove Snap-in... > Add and then select the Certificates snap-in.

3. Click Add. You are prompted to choose the account that the snap-in will manage. Choose Computer Account, click Next, leave Local computer selected and click Finish, Close, and then OK.

4. Expand the Certificates container in the left-hand pane and browse to Trusted Root Certification Authorities > Certificates. Make sure that the root certificate for your own CA and the root certificate for Trustis are present in the list.

5. Consult your own CA for advice if you suspect that their root certificate is not already present. If the Trustis FPS Root CA is not listed, the certificate is available from:

http://www.trustis.com/roots/fps

Download the file in DER format and save it with a .cer extension. Double-click the .cer file and the certificate is displayed.

6. Click Install Certificate to start the Certificate Import Wizard. Leave Automatically select the certificate store based on the type of certificate selected, click Next, and then click Finish. A message box pops up to say that the import was successful. Refresh the view in the MMC by pressing F5 and verify that the certificate is now present.

7. Close the MMC without saving the console settings.


Confirming that the certificate is installed

To confirm that the certificate is installed

1. On the Start menu, click All Programs > Microsoft Exchange > System Manager.

2. In the left pane of Exchange System Manager, double-click Servers.

3. Click the Exchange Server computer that you want to configure, double-click the Protocols container and then double-click the SMTP container.

4. Right-click the virtual server object that the certificate has been generated and installed for, and then click Properties.

5. Click the Access tab, and check that the Communication button is active.

Note: If the Communication button is grayed out, the certificate is not installed correctly.

Configuring Exchange for outbound TLS Mail

We recommend that you create an SMTP connector to handle outbound TLS delivery for the domains you have nominated to use for the Boundary Encryption service. This option is preferred over using the existing SMTP virtual server.


To create a new connector

1. In the left pane of Exchange System Manager, navigate to Administrative Groups. Right-click Connectors and select New > SMTP Connector. The Properties dialog of a new SMTP connector is displayed.

2. Type a meaningful name into the Name field, such as "Symantec.cloud Boundary Encryption".

3. Select Forward all mail through this connector to the following smart hosts and type in your Symantec.cloud outbound cluster hostname. You should have received this in your New Customer confirmation email. It is in the format clusterxout.xx.messagelabs.com, where the x characters need to be modified to your specific hostname.

4. Add the local bridgehead server by clicking Add and selecting the virtual server that is associated with your certificate. Click OK.

5. On the Address Space tab, click Add, select SMTP, and click OK.


6. If you use:

■ The Policy Based Encryption service or the Boundary Encryption service over Secure Connect: go on to step 8.

■ Just the Boundary Encryption service for your business partners: click Add, select SMTP, and enter the domain name of your business partner. Click OK. Repeat this step for all of your business partners.


7. Select the existing SMTP entry (with a * in the address column), click Remove, and confirm that you want to remove the entry.

8. Click the Advanced tab and then click Outbound Security. Select the TLS encryption checkbox, so that it is checked. Click OK twice to complete the connector configuration.

Testing secure communications

Exchange should now be tested to verify that secure communications are taking place. You should also verify that insecure communications to organizations outside the Secure Private Email Network continue to function normally. To do so, send email to an unsecured email address and wait for the reply mail.


To test a secure connection

1. Telnet to port 25 of the IP address that the virtual server is running on.

2. Type in EHLO and press Enter. You see a list of SMTP commands.

3. Type STARTTLS. The server responds with OK.

4. Verify with Symantec.cloud Client Services that the setup for your service has been completed.

5. Turn on logging. In Exchange System Manager, right-click the virtual server that you created. Check Enable Logging. Edit the Properties to determine the log file directory. Normally this is under C:\WINDOWS\System32\LogFiles.

Send or receive some email with a partner using the Boundary Encryption Service and then review the log file. If Exchange is encrypting the mail with TLS, the STARTTLS verb is visible in the logs.


6. Send an email to a server that is known to offer TLS. Check the message headers for an indication that the message was in fact encrypted. Mail servers relaying the message generally add a header detailing the type of encryption used.

7. Optionally, you can use Network Monitor to capture traffic going to and from port 25 of the IP address that the virtual server is running on, to verify that the information is encrypted and that the email content is not in plain text. For more information about setting up and using Network Monitor, see "Monitoring Network Performance" in the Microsoft Windows Server 2003 Resource Kit Server Operations Guide or refer to Microsoft Knowledgebase article Q148942 (http://support.microsoft.com/support/kb/articles/q148/9/42.asp).
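The telnet check in steps 1 to 3, together with the rule from the certificate request procedure that the certificate name must match the name the server returns to EHLO, can be scripted so it is repeatable after every certificate renewal. This is an added example and is not code from the Symantec guide; the host, the expected name and the CA bundle path are placeholders supplied by the person running it, and the MTA under test is assumed to be reachable on port 25.

```python
"""Scripted STARTTLS check: EHLO, confirm STARTTLS is advertised, complete the
handshake with chain validation, and compare the certificate's name with the
hostname advertised in the EHLO reply (or with a configured smarthost name)."""
import smtplib
import ssl
import sys
from typing import Optional, Set, Tuple


def parse_ehlo_response(resp: bytes) -> Tuple[str, Set[str]]:
    """Return (advertised hostname, set of ESMTP keywords) from an EHLO reply.

    Accepts both the raw wire form ("250-host ...\\r\\n250-STARTTLS ...") and
    the form smtplib.SMTP.ehlo() returns, where "250-" prefixes are stripped.
    """
    lines = []
    for raw in resp.decode("ascii", "replace").splitlines():
        line = raw.strip()
        if len(line) >= 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:].strip()          # drop a "250-" / "250 " prefix
        if line:
            lines.append(line)
    if not lines:
        return "", set()
    host = lines[0].split()[0].lower()        # first token of the first line
    keywords = {line.split()[0].upper() for line in lines[1:]}
    return host, keywords


def cert_names(cert: dict) -> Set[str]:
    """Collect the subject CN and DNS SANs from an ssl getpeercert() dict."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(expected: str, names: Set[str]) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    expected = expected.lower().rstrip(".")
    for name in names:
        if name == expected:
            return True
        if name.startswith("*.") and "." in expected:
            if expected.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_starttls(host: str, port: int = 25, expected_name: Optional[str] = None,
                   cafile: Optional[str] = None, timeout: float = 15) -> dict:
    """Connect to an MTA and report what the TLS test in the guide looks for.

    expected_name defaults to the hostname the server advertises in its EHLO
    reply, which is the name the guide says the certificate must carry.
    """
    context = ssl.create_default_context(cafile=cafile)   # chain is verified
    context.check_hostname = False   # name is matched below against expected_name
    result = {"host": host, "port": port}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, reply = smtp.ehlo()
        ehlo_host, keywords = parse_ehlo_response(reply)
        result.update(ehlo_code=code, ehlo_host=ehlo_host,
                      starttls_advertised="STARTTLS" in keywords)
        if not result["starttls_advertised"]:
            return result
        code, _ = smtp.starttls(context=context)   # raises SSLError on a bad chain
        names = cert_names(smtp.sock.getpeercert())
        target = expected_name or ehlo_host
        result.update(starttls_code=code, tls_version=smtp.sock.version(),
                      cert_names=sorted(names), expected_name=target,
                      name_matches=name_matches(target, names))
        smtp.ehlo()   # re-issue EHLO: capabilities may change after TLS
    return result


if __name__ == "__main__":
    # Usage: python check_starttls.py <host> [expected_name] [cafile]
    args = sys.argv[1:]
    target_host = args[0] if args else "mail.example.com"   # placeholder host
    report = check_starttls(target_host,
                            expected_name=args[1] if len(args) > 1 else None,
                            cafile=args[2] if len(args) > 2 else None)
    for key, value in report.items():
        print(f"{key}: {value}")
```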

Advanced configuration information

By default, Exchange does not check certificate chain validity. This check is recommended for maximum security. To enable this, you must edit the metabase.

Note: Exercise extreme caution when editing the metabase; using it incorrectly can cause serious problems that require you to reinstall Exchange or the operating system. Back up the metabase before you start.

If your server is running IIS 5.0, use MetaEdit 2.2, obtainable from the following URL:

http://support.microsoft.com/default.aspx?scid=kb;en-us;232068

If your server is running IIS 6.0, use Metabase Explorer, which can be found in the IIS 6.0 Resource Kit. This is available for download from Microsoft at the following link:

http://download.microsoft.com/download/7/8/2/782c25d3-0f90-4619-ba36-f0d8f351d398/iis60rkt.exe

Review the instructions that come with the tool and then add or change the following metakeys:

smtpsvc/{vsi#}/VerifySSLCertIssuer 1
smtpsvc/{vsi#}/VerifySSLCertSubject 1

Note: If the VerifySSLCertSubject check is enforced, then Exchange tries to match the subject with the smarthost name entry on the SMTP connector pointing to the remote TLS-enabled server. This ensures that the Symantec.cloud server is identified correctly.


Chapter 3 Microsoft Exchange Server 2007 and 2010

This chapter includes the following topics:

■ About Microsoft Exchange Server 2007 and 2010

■ Generate a certificate request

■ Getting a certificate signed

■ Install the certificate

■ Install root and intermediary certificates

■ Activating the certificate

■ Removing the default self-signed certificate

■ Testing inbound TLS mail

■ Configuring Exchange for outbound TLS mail

About Microsoft Exchange Server 2007 and 2010

The key steps to configuring Exchange with TLS are:

■ Generate a certificate request

■ Have the certificate signed by a public CA

■ Install root certificates

■ Install the certificate

■ Activate the certificate for the required Exchange services

■ Remove the default self-signed certificate

■ Finalize TLS configuration

■ Enforce TLS on outbound email (optional)

Note: If you use Microsoft Exchange 2010, you can complete the certificate tasks using the Exchange Certificate Wizard.

To access the Microsoft Exchange 2010 Certificate Wizard

1. In the console tree, click Server Configuration.

2. In the action pane, click New Exchange Certificate to open the wizard. This wizard helps you determine the type of certificates you need for your Exchange organization.

3. Complete the screens of the wizard as required.

For full instructions on using the wizard, see the following URL:

http://technet.microsoft.com/en-us/library/dd351057.aspx

Generate a certificate request

A self-signed certificate is installed with each Exchange 2007 installation. For the Exchange server to communicate with Symantec.cloud over TLS, this certificate needs to be replaced. The certificate request must be signed by a supported certificate authority (CA). The steps for generating the certificate request, installing, and activating the certificate for TLS services are detailed below.

Note: If you already have a signed certificate from a previous version of Exchange, skip to the following section: See "Install the certificate" on page 35.

To view available certificates, in the Exchange Management Shell, use the command:

get-exchangecertificate

The two thumbprints relate to the default self-signed certificates installed as part of the Exchange 2007 installation.

Note: The Services column displays the self-signed certificate currently being used for IMAP, POP, IIS, and SMTP (IP.WS).


In the Exchange Management Shell, use the command new-exchangecertificate followed by these parameters:

-domainname
A comma-separated list of all names (SANs) that are represented within the environment.

Note: Include multiple SANs to ensure compatibility with both internal and external secure communication. Ensure that you include at least the name of the SMTP server that will communicate with Symantec.cloud, such as mail.yourdomain.com. This is typically the name advertised on the SMTP banner of the server.

-FriendlyName
The friendly name. This is an arbitrary value for your certificate.

-generaterequest:$true
Confirms that you are asking for a certificate request to be generated.

-keysize
The key size of your certificate, e.g. 2048. (We recommend that you obtain 2,048-bit certificates.)

-path
The path to the saved certificate request.

-privatekeyexportable:$true
Defines that the private key should be exportable.

-subjectname
The X400 name on the certificate.

For example:

new-exchangecertificate -domainname yourdomain.com,yourdomain.local,netbiosname,mailserver.yourdomain.com -FriendlyName yourcompanyfriendlyname -generaterequest:$true -keysize 2048 -path pathtofile -privatekeyexportable:$true -subjectname X400address

Note: The placeholder values above (yourdomain.com, yourdomain.local, netbiosname, mailserver.yourdomain.com, yourcompanyfriendlyname, pathtofile and X400address) need to be changed to the data relevant to your environment.

The following is an example request:


The first thumbprint is the certificate request that has just been generated.

Getting a certificate signed

The certificate request file needs to be signed by a Certification Authority (CA) trusted by Symantec.cloud. This certificate signing process may need to be repeated for each of your mail servers.

Note: This process varies from vendor to vendor. For information on getting the certificate signed, see your vendor's support documentation.

We recommend that you obtain 2,048-bit certificates from a recognized public CA. Ask your CA to ensure that the ‘SSL-Client’ X.509v3 extension is included in your certificate.

Table 3-1 The CAs trusted by Symantec.cloud

Thawte, Trustis FPS, Usertrust, Valicert, Verisign, QuoVadis, RSA Data Security, SecureNet, Starfield Tech, StartCom, Tata, TC TrustCenter, GlobalSign, Go Daddy, GEOTrust, GTE CyberTrust, IPS Servidores, Netlock, Network Solutions, ABA.ECOM, AddTrust, Comodo, DigiCert Inc, DST, Entrust.net, Equifax

See "Generating a certificate request" on page 9.

Install the certificate

Once the signed certificate has been obtained from a trusted CA, it must be installed using the Exchange Management Shell.

To install the certificate

In the Exchange Management Shell, enter the command Import-ExchangeCertificate -path followed by the path and file name of the certificate:

Import-ExchangeCertificate -path <path and file name of the certificate>

Install root and intermediary certificates

For information on installation of root and intermediary certificates from your vendor, follow the instructions for Exchange 2003. These certificates cannot be installed using the Exchange Management Console.

See "Installing root certificates" on page 16.

Activating the certificate

The signed certificate must be activated for the necessary Exchange Services. In the example below, all services are enabled for this certificate. At least SMTP is required for TLS communications with Symantec.cloud.

Removing the default self-signed certificate

To remove the default self-signed certificate

◆ Remove the default signed certificate:

The original self-signed certificate is now removed. The newly installed certificate signed by a trusted third party shown below can now send and receive secure email with Symantec.cloud for the services advertised.


Testing inbound TLS mail

To test inbound TLS connectivity once the certificate installation process has concluded, contact Symantec.cloud.

Configuring Exchange for outbound TLS mail

Note: To enforce TLS on your outbound mail, see "Enforcing TLS on outbound mail" on page 37.

To deliver outbound TLS mail to Symantec.cloud

1. Open the Exchange Management Console and navigate to the Organization Configuration.

2. Within your transport node, create a send connector.

3. Modify the properties of the connector to represent the address space. To use this connector for all outbound mail, use *.

4. On the Network tab, click Add and enter the smart host setting for your region (as provided to you by Symantec.cloud). This is in the format clusterxout.yy.messagelabs.com, where x should be replaced with the appropriate cluster number and yy with the appropriate region code.

5. Click Apply.

6. Highlight the required smarthost in the list.

7. Click OK.

Enforcing TLS on outbound mail

To enforce TLS on the send connector

In the Exchange Management Shell, enter the command:

Set-SendConnector "Outbound Email" -RequireTLS:$True

where "Outbound Email" is the name of the send connector being used for the communication with Symantec.cloud. This can be verified using the command:

Get-SendConnector | Format-List

To test outbound TLS connectivity, contact Symantec.cloud.


Chapter 4 Sendmail 8.12

This chapter includes the following topics:

■ About Sendmail 8.12

■ Checking for TLS support

■ Generating a certificate request

■ Installing certificates

■ Testing secure communications with sendmail

About Sendmail 8.12

Note: For instructions on other versions of Sendmail, see the Sendmail Support article SMTP STARTTLS in sendmail/Secure Switch:

http://www.sendmail.org/~ca/email/starttls.html

In the following instructions, names starting with conf refer to m4 variable names used in a .mc file. OpenSSL must be installed on the server running sendmail.

Checking for TLS support

Sendmail 8.12 (and 8.11) supports TLS as defined in RFC 2487. It may need to be recompiled with STARTTLS support if this has not already been done. Type the following command:

sendmail -d0 < /dev/null | grep -i tls

If TLS is supported, the STARTTLS verb is visible in the output. If not, sendmail must be recompiled with STARTTLS support; a custom site.config.m4 that enables it must be installed on the system in question first. Alternatively, STARTTLS may be available in a special package or port of sendmail, depending on the vendor in question.

Generating a certificate request

Check that your preferred certificate authority is listed in the following section or choose one from that list:

See "Getting a certificate signed" on page 34.

Most major CAs have detailed instructions on how to generate the Certificate Signing Request (CSR). See their Web sites for details. Make sure that the common name is the fully qualified domain name of your host.

Note:For sendmail to start up unattended, the private key must not be encrypted. Otherwise, you must enter the passphrase each time sendmail is started as server or client.

Installing certificates

Note:If you install a new certificate (including a renewed certificate), you should restart the Sendmail daemon after you install the certificate. This is because Sendmail caches the certificate and needs a restart to clear the cached certificate and pick up the new one.


To install a certificate

1

Install the CA certificate of your own CA into confCACERT.

Note: Do not list too many root CA certificates in that file. Otherwise, OpenSSL may not work as expected, and the TLS handshake will fail.

2

Install the CA certificate of Symantec.cloud's CA, Trustis, into confCACERT_PATH, with a symbolic link named after its hash pointing to it:

C=FileName_of_CA_Certificate
ln -s $C `openssl x509 -noout -hash < $C`.0

(or sslc instead of openssl)

This CA certificate is required to successfully authenticate the Symantec.cloud infrastructure. The signature of the certificate presented by Symantec.cloud is checked against this CA. If the CA issued the certificate, the authentication is considered successful.

3

Install the certificate that you generated as confSERVER_CERT and the private key as confSERVER_KEY.

Make sure that the file is only readable by root or the trusted user. For simplicity, use the same file names for confCLIENT_CERT and confCLIENT_KEY, respectively.

See "Generating a certificate request" on page 39.

If your CA used an Intermediate CA to sign your certificate, then you should include the Intermediate CA certificates in the file pointed to by confSERVER_CERT along with your signed certificate. Your signed certificate should be at the top of the file, with any Intermediate CA certificates following it; for example:

Signed-Certificate
First-Intermediate-CA-Certificate
Second-Intermediate-CA-Certificate
<EOF>

4

If you run Sendmail 8.11 or later and your OS does not have /dev/urandom, then you need to set up a source to seed the pseudo-random number generator. For Solaris 7 and 8, you may assess whether a suitable kernel module for /dev/random is available or see whether Sun has a package called SUNWski for your operating system. It is strongly advised to use at least EGD (Entropy Gathering Daemon), compile sendmail with the flag EGD, and point confRAND_FILE to the socket used by EGD (use egd: as a prefix). If neither /dev/urandom nor EGD is available, make sure that useful random data is available all the time in confRAND_FILE (use file: as a prefix). If the file has not been modified in the last 10 minutes before it is to be used by sendmail, the content is considered obsolete. In this case, the pseudo-random number generator for TLS is only seeded with other random data if the DontBlameSendmail option InsufficientEntropy is set. This is almost always not sufficient for security.

5

Set the following variables in sendmail.mc and then build the configuration file sendmail.cf:

define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/MYkey.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/MYkey.pem')dnl

6

Restart the Sendmail daemon.

Testing secure communications with sendmail

When the previous procedures have been completed, Sendmail is configured to use secure communications. It is ready to send mail via TLS to any mail server that offers it, as well as offering TLS to any mail server that connects as a client. You can test the connection.


To test the connection

1

Make sure that the sendmail daemon is running, then telnet to port 25 of the server (i.e. localhost if you are on the sendmail server).

2

Issue the SMTP command EHLO SMTP and look for 250-STARTTLS in the response.

If this option is not given, check your log file to determine if any security problems are logged, e.g. unsafe files. If this does not reveal any problems, increase the LogLevel to 14 and try again.

3

The configuration should now be tested. Send an email to a server that is known to offer TLS. Check the message headers and the sendmail log files for an indication that the message was in fact encrypted. Mail servers relaying the message generally add a header detailing the type of encryption used.
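The telnet test above (EHLO, look for 250-STARTTLS, then STARTTLS) as a scripted check, added here and not part of the original guide: it also completes the TLS handshake and verifies the server's chain against the CA file installed as confCACERT, which is the check the manual session cannot do. The host name, CA file path and sample EHLO replies are constructed placeholders.

```python
"""Scripted STARTTLS check (added example; host names and CA path are placeholders)."""
import socket
import ssl


def parse_ehlo_response(text):
    """Parse a multi-line EHLO reply into {EXTENSION: parameters}.
    Continuation lines read '250-EXT params', the last one '250 EXT params';
    any other reply code means EHLO was refused.
    """
    lines = [ln for ln in text.replace("\r\n", "\n").split("\n") if ln]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO rejected: %r" % lines[:1])
    features = {}
    for line in lines[1:]:  # line 0 names the server; it is not an extension
        if not line.startswith("250"):
            raise ValueError("unexpected reply line: %r" % line)
        body = line[4:].strip()
        if body:
            name, _, params = body.partition(" ")
            features[name.upper()] = params
    return features


def check_starttls(host, cafile, port=25, timeout=10.0):
    """EHLO, STARTTLS and verify the server chain against cafile (the confCACERT file).
    A chain that does not verify, or a name mismatch, raises ssl.SSLError,
    which is what a wrong or missing CA file does to the real handshake as well.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")

        def reply():  # read one, possibly multi-line, SMTP reply
            out = []
            while True:
                line = rfile.readline().decode("ascii", "replace")
                out.append(line)
                if len(line) < 4 or line[3] != "-":
                    return "".join(out)

        reply()  # 220 greeting
        sock.sendall(b"EHLO tls-check.example.invalid\r\n")
        if "STARTTLS" not in parse_ehlo_response(reply()):
            return {"starttls": False}
        sock.sendall(b"STARTTLS\r\n")
        if not reply().startswith("220"):
            return {"starttls": True, "tls_ok": False}
        tls = ctx.wrap_socket(sock, server_hostname=host)  # handshake + verification
        cert = tls.getpeercert()
        tls.sendall(b"QUIT\r\n")
        return {"starttls": True, "tls_ok": True, "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"])}
```

Run check_starttls("mail.example.invalid", "/etc/mail/certs/CAcert.pem") against your own server from a host that is allowed to connect to port 25; a result without "tls_ok" means STARTTLS was not offered, which is the case the LogLevel advice above covers.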


Domino 6.5

This chapter includes the following topics:

■ About Domino 6.5
■ Generating a certificate request
■ Installing root certificates
■ Installing the certificate
■ Configuring Domino
■ Testing secure communications

About Domino 6.5

For details of other versions of Domino, see the Domino Support articles:

How to configure Domino for secure SMTP sessions using STARTTLS:
http://www-01.ibm.com/support/docview.wss?uid=swg21108352

How to set up SSL using a third-party certificate authority (CA):
http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg21268695

Generating a certificate request

The first stage in configuring Domino to use TLS is to generate the certificate that is used to encrypt traffic.


To generate a certificate request

1

Start the Domino Administrator application and log on.

2

Choose File > Database > Open. The Open Database window appears.

3

Select the server name to administer (not Local) from the drop-down list.

4

Scroll down and select the Server Certificate Admin database and click Open. If Server Certificate Admin is not present, you may need to install and configure the Domino web component.

5

Click Create Key Rings & Certificates in the left pane.


7

The Create Key Ring page appears.

8

In the Key Ring File Name field, type and note the name of the key ring file and the location where you want to store your key ring file.

9

Enter and confirm the password in the relevant fields.


10

Select the required Key Size from the drop-down list.

We recommend a key length of 2048 bits, if supported. Longer key lengths affect performance and may be more expensive.

11

Complete the Distinguished Name section.

The Common Name must be the same as the one returned by the server when you telnet to port 25 of the server and issue an EHLO SMTP command.

12

Click the Create Key Ring button. The Key Ring Created window appears.


14

Click 2. Create Certificate Request. The Create Server Certificate Request page appears.

15

Ensure the same Key Ring File Name is entered as in step 8.

16

In the Log Certificate Request drop-down list, click Yes.

17

Select either the Paste into form on CA’s site or Send to CA by e-mail option as appropriate. (If you select this last option complete the additional fields that appear as appropriate.)

18

Click the Create Certificate Request button.


19

A dialog box appears to enter your password. Enter the password entered in step 9 and click OK.

20

If you selected the paste option, then a Certificate Request Created window appears. Highlight all the text in the lower text area including the BEGIN and END headers (note: you may need to highlight beyond the end of the visible text area). Copy the text to the clipboard as appropriate (on Windows use Ctrl+C or right-click on the highlighted text and choose Copy). Paste the text into the appropriate place as directed by your certificate authority. This is often a page on the CA's Web site, but can be a text file or email.


21

If you selected the email option, then a Certificate Request Created and Mailed window appears.

22

Click OK.

The certificate request process is complete.

Installing root certificates

The next stage is to install CA Trusted Root certificates into the server key ring. Up to two certificates are required: one from Symantec.cloud's CA, Trustis, and one from your CA, if this is not Trustis. This process can be started at any time. The Trustis FPS root certificate can be obtained from:

http://www.trustis.com/roots/fps/

Select the certificate in PEM format. Your CA will make their root certificate available for download - contact them for further details.


To install the root certificate

1

Return to the Create Key Rings & Certificates screen (Steps 1 to 5 in the section on Generating a certificate request).

2

Click 3. Install Trusted Root Certificate Into Key Ring. The Install Trusted Root Certificate page appears.

3

Ensure that the correct key ring file name location is selected (as entered in Step 8 of the section on Generating a certificate request). Enter a meaningful name in the Certificate Label field.

4

Select either the File or Clipboard Certificate source options:

a. If you select Clipboard, paste the certificate (including BEGIN and END headers) into the Certificate from Clipboard field, then click Merge Certificate into Key Ring. A dialog box appears to enter your password. Enter the password entered in step 9 of the section on Generating a certificate request and click OK.

b. If you select File, enter the full path and file name of the received certificate file. Click Merge Certificate into Key Ring. A dialog box appears to enter your password. Enter the password entered in step 9 of the section on Generating a certificate request and click OK.

5

After either of the previous steps a Merge Signed Certificate Confirmation window appears as below:

Click OK to import the certificate.


Installing the certificate

The next stage is to install the certificate into the key ring. This process is started once the certificate has been received from the CA.

To install the certificate

1

When you receive the signed certificate from the CA, return to the Create Key Rings & Certificates screen (Steps 1 to 5 in the section on Generating a certificate request).

2

Click 4. Install Certificate Into Key Ring. The Merge Certificate Into Key Ring page appears.

3

Ensure that the correct key ring file name location is selected, as entered in step 8 of the section on Generating a certificate request.

4

Select either the File or Clipboard Certificate source options:

a. If you select Clipboard, paste the certificate (including BEGIN and END headers) into the Certificate from Clipboard field, then click Merge Certificate into Key Ring. A dialog box appears to enter your password. Enter the password entered in step 9 of the section on Generating a certificate request and click OK.

b. If you select File, enter the full path and file name of the received certificate file. Click Merge Certificate into Key Ring. A dialog box appears to enter your password. Enter the password entered in step 9 of the section on Generating a certificate request and click OK.

5

After either of the previous steps a Merge Signed Certificate Confirmation window appears as below:


6

If an Unrecognized Certificate Authority signature appears, you must add the CA root certificate first. Ensure that the instructions in the previous section, Installing root certificates, have been completed successfully.

7

Two files now exist for the key ring for the name and location entered in step 8 of the section on Generating a certificate request. One file has a .kyr extension and one file an .sth extension. Transfer both these files to the Lotus Domino server data directory. You need to know where this is (e.g. /notes/data or /local/notesdata). Ensure that the files are transferred in binary mode if using FTP. Ensure that the files are owned by the notes user and group as per your Domino server settings (e.g. the notes user and notes group). You can do this on UNIX/Linux with:

chown notes:notes keyfile.kyr keyfile.sth

where keyfile is the name of your key ring files.

See "Generating a certificate request" on page 43.

Configuring Domino

Domino must now be configured to use secure communications.

1

Open the server configuration document by navigating to the configuration view for your server. (That is, on your domain tab, select the Configuration tab, expand Server, select Configurations, and double-click the relevant configuration document in the right pane.)

2

On the Router/SMTP tab, select the Advanced tab, then Commands and Extensions, and set the SSL negotiated over TCP/IP port drop-down to Enabled to enable inbound negotiated SSL/TLS.

3

Click Save & Close.


5

Choose the Ports tab, then the Internet Ports tab, and then the Mail tab.

6

In the Mail (SMTP Outbound) column, set the TCP/IP port status field to Negotiate SSL. Set SSL key file name to the name of the .kyr file stored in the Domino server notes data directory. Set the SSL protocol version to Negotiated. Change Accept SSL site certificates to No. Change Accept expired SSL certificates to No. Click Save & Close.

7

Restart the Domino server.

Testing secure communications

You can now test the configuration.


To test secure communications with Domino

◆ Send a test mail to and from Domino to other SMTP servers supporting and configured for TLS. Examine the message headers to determine whether the email has been encrypted. Mail servers relaying the message generally add a header detailing the type of encryption used.


Generic MTA

This chapter includes the following topics:

■ Generic MTA

Generic MTA

This section details the key steps that are necessary for any MTA. Depending on the MTA in use, the order that you carry out these steps in may vary.

For further details on the service and before attempting any of the configurations, read the FAQs about Boundary Encryption.

FAQs about Boundary Encryption

To set up a generic MTA for Boundary Encryption

1

Ensure that your preferred certificate authority is an approved Certificate Authority or choose one from that list. Then generate a Certificate Signing Request (CSR) and send it to your CA.

2

When the certificate is returned, install it on the MTA.

3

Install root certificates for your CA if necessary and for the CA Trustis. The Trustis FPS Root Certificate is available from http://www.trustis.com/roots/fps in various different formats. Choose whichever is appropriate for your environment. Generally, if your certificate installation procedure supports copying and pasting certificates, do the following:

■ Open the certificate in PEM format, and then cut and paste the content between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", inclusive.

4

Configure your MTA to use TLS. This step is application-dependent. Some MTAs may not require any further configuration.


5

Telnet to port 25 of the IP address that the virtual server is running on. Type in EHLO and press Enter. You will see a list of SMTP commands. Type STARTTLS. The server responds with OK.

6

Send a test email message to an address on a server that is known to support TLS. Check the message headers for any evidence that the message was encrypted. Mail servers relaying the message generally add a header detailing the type of encryption used.
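A check of the message headers described in this step, and in the Sendmail and Domino testing procedures earlier in the guide, as an added example that is not part of the original guide: it parses every Received: header of a message for the TLS details that sendmail (version=... cipher=... bits=... verify=...) and Postfix (using ... with cipher ...) record for the hop that delivered it. The sample message, host names and message ids are constructed.

```python
"""Report TLS evidence from Received: headers (added example; sample data is constructed)."""
import email
import re

# Sendmail: (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
SENDMAIL_TLS = re.compile(
    r"version=(?P<version>\S+) cipher=(?P<cipher>\S+) bits=(?P<bits>\d+) verify=(?P<verify>[^\s)]+)")
# Postfix: (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
POSTFIX_TLS = re.compile(
    r"using (?P<version>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")


def tls_hops(raw_message):
    """Return one dict per Received: header (newest hop first) with its TLS details."""
    msg = email.message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())  # unfold the header and normalise whitespace
        hop = {"header": text, "encrypted": False, "verify": None}
        match = SENDMAIL_TLS.search(text) or POSTFIX_TLS.search(text)
        if match:
            hop.update(match.groupdict())  # Postfix gives no verify= field, so it stays None
            hop["bits"] = int(hop["bits"])
            hop["encrypted"] = True
        hops.append(hop)
    return hops


def every_hop_encrypted(hops):
    """True only when every relay on the path recorded TLS for the hop it received."""
    return bool(hops) and all(h["encrypted"] for h in hops)


# Constructed sample: the newest hop used TLS and the client certificate verified
# (sendmail format); the earlier hop was plain ESMTP.
SAMPLE_MESSAGE = """\
Received: from mx.partner.example (mx.partner.example [192.0.2.10])
\tby mail.example.invalid (8.12.11/8.12.11) with ESMTP id k0AAAAAA000000
\t(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
\tfor <user@example.invalid>; Mon, 1 Jan 2013 10:00:00 +0000
Received: from desk.partner.example (desk.partner.example [192.0.2.20])
\tby mx.partner.example (8.12.11/8.12.11) with ESMTP id k0AAAAAA000001
\tfor <user@example.invalid>; Mon, 1 Jan 2013 09:59:58 +0000
From: sender@partner.example
To: user@example.invalid
Subject: TLS test

test
"""

if __name__ == "__main__":
    for hop in tls_hops(SAMPLE_MESSAGE):
        print(hop["encrypted"], hop.get("version"), hop.get("cipher"), hop["verify"])
```

Only the hops into servers that record this information are visible; a hop that shows no TLS details in its Received: header was either sent in the clear or handled by a relay that does not log it, and the relay's own log is the authority in that case.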
