tiCrypt
Mailbox Installation
Tera Insights, LLC
Alin Dobra, Thomas Samant
Version v1.0.0, 06.07.2020
Table of Contents
1. Introduction
2. Installing the mailbox server
2.1. Installing pre-requisites
2.2. Configuration
2.3. Updating the tiCrypt Mailbox server
3. Installing the web application
3.1. Setting up Nginx
3.2. Download and extract the web application
3.3. Writing the config.js file
4. Configuring tiCrypt to use the mailbox
4.1. Actions in tiCrypt frontend
Chapter 1. Introduction
The mailbox mechanism in tiCrypt allows external file importing into a user directory. The import mechanism uses the user’s public key and ensures that only the user that sets up the mailbox can access and decrypt the files.
For the mechanism to work, two things have to be set up: a website that delivers the mailbox single page application, and the mailbox settings (in either the deployment file or the global deployment settings) that point tiCrypt at that mailbox website.
The mailbox application can be hosted anywhere, entirely independently of the location of the tiCrypt server.
Chapter 2. Installing the mailbox server
All the commands in this section need to be executed as root.
As of version v1.0.0, tiCrypt Mailbox is only supported on CentOS/Redhat 7.0. Support for CentOS/RedHat 8.0 is planned for the future.
The main tiCrypt Mailbox dependencies are:
* a web server like Nginx
* a firewall such as firewalld
* the Clickhouse database
* (optional) the MaxMind geolocation database
* (optional) OpenSSL for key generation
2.1. Installing pre-requisites
2.1.1. Installing Nginx
If Nginx is not installed, you can:
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install epel-release-latest-7.noarch.rpm
yum -y update
yum -y install nginx
then make sure it is enabled and started:
systemctl start nginx
systemctl enable nginx
2.1.2. Installing firewalld
We now need to set up the firewall to allow Nginx access from outside. If firewalld is not installed and enabled, you can first do:
yum -y install firewalld
systemctl enable firewalld
2.1.3. Installing tiCrypt Mailbox
The tiCrypt Mailbox RPM is available from https://storage.googleapis.com/ticrypt/tiCrypt-mailbox/el7/tiCrypt-mailbox-1.0.0-1.el7.x86_64.rpm
Installation consists simply of downloading and installing the RPM.
# Grab the tiCrypt Mailbox RPM
wget https://storage.googleapis.com/ticrypt/tiCrypt-mailbox/el7/tiCrypt-mailbox-1.0.0-1.el7.x86_64.rpm
# Install
yum -y install tiCrypt-mailbox-1.0.0-1.el7.x86_64.rpm
# Remove
rm tiCrypt-mailbox-1.0.0-1.el7.x86_64.rpm
We need a place to put the .szip files: /var/www/ticrypt-mailbox
# Create the static directory for tiCrypt Mailbox
mkdir -p /var/www/ticrypt-mailbox
chmod a+rx /var/www/ticrypt-mailbox
chown ticrypt /var/www/ticrypt-mailbox
The tiCrypt Mailbox service needs to be enabled:
systemctl enable ticrypt-mailbox
2.2. Configuration
2.2.1. Configuring tiCrypt Mailbox
The configuration file for tiCrypt Mailbox is /etc/ticrypt/mailbox.toml. The configuration options supported are:
Parameter     Type    Required  Description
hostname      String  Optional  Hostname to bind to
port          Int     Required  The port to bind to
baseURL       String  Required  The external URL for server
backendURL    String  Required  The URL of the tiCrypt server
mailbox       String  Required  Path to the application .szip file
secureCookie  Bool    Optional  Disable/enable secure cookie
Some notes on the configuration:
* hostname should be 127.0.0.1 if you deploy behind Nginx
* port should match the service port in the Nginx config below
* baseURL should match the external name configured in Nginx below
* backendURL should be fully qualified and accessible from the server, e.g. https://ticrypt.example.com. To test that it works do:
wget https://ticrypt.example.com/info
And make sure you get a reply containing the system info. If that does not work, connectivity with the tiCrypt server is not working.
* mailbox must point to a valid inbox-….szip file that the user nginx can read.
To update the inbox, simply download a newer inbox-….szip file and change the mailbox variable. Then simply restart the service with:
systemctl restart ticrypt-mailbox
* secureCookie=true is only useful for debugging, assuming https cannot be used, and should never be used in production.
2.2.2. Configuring the firewall
If you have not done so already, you need to allow external access to the https port:
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
2.2.3. Setting up Nginx
The recommended way to install the web application is to use an Nginx instance that is set up for serving flat files and deals with the TLS/SSL certificate for the respective domain. This can be accomplished by adding a file /etc/nginx/conf.d/mailbox.ticrypt.conf.
With the assumptions:
1. The tiCrypt Mailbox service runs on port 8082
2. We serve the mailbox from URL: https://mailbox.example.com
3. The TLS stacked certificate for the domain is stored in file /etc/pki/tls/certs/example-stacked.crt
4. The TLS private key is stored in file /etc/pki/tls/private/example.pem
The configuration file can look like:
upstream tc-mailbox {
    server 127.0.0.1:8082;
}

server {
    ### Configuration based on Mozilla Configuration Tool
    listen 443 ssl;
    server_name mailbox.example.com;
    root /var/www/ticrypt-mailbox;
    ssl_certificate /etc/pki/tls/certs/example-stacked.crt;
    ssl_certificate_key /etc/pki/tls/private/example.pem;
    ssl_session_timeout 1d;
    # TLSv1 and TLSv1.1 are deprecated; the config in section 3.1 uses TLSv1.2 TLSv1.3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_dhparam /etc/pki/tls/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://code.getmdl.io; frame-ancestors 'self' http://127.0.0.1:*";

    #### This is critical for tiCrypt ####
    client_max_body_size 16M;

    ssl_session_tickets off;

    location / {
        try_files $uri @proxy;
    }

    location @proxy {
        proxy_pass http://tc-mailbox;
        proxy_redirect off;
        proxy_buffering off;
        proxy_cache off;
        proxy_http_version 1.1;
        proxy_read_timeout 900s;
        proxy_connect_timeout 360s;
        proxy_send_timeout 360s;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Failure to set client_max_body_size to at least 16M will prevent large file uploads and will result in mysterious failures.
The above config file assumes that the TLS/SSL certificate is stacked. A stacked/bundled certificate is the concatenation of the actual certificate and the local certificate authority chain of certificates. Now, we just have a few more steps:
# Verify the TLS certificate
openssl x509 -in /etc/pki/tls/certs/example-stacked.crt -text -noout
# Verify the TLS private key
openssl rsa -in /etc/pki/tls/private/example.pem -check
If your certificate or the private key is not correct, Nginx will not start. Check the validity before restarting Nginx. Some critical things that remain are:
# Create or download non-standard Diffie-Hellman parameters.
# Either generate new ones yourself:
openssl dhparam -outform pem -out /etc/pki/tls/dhparam.pem 2048
# Or download from Mozilla:
curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/pki/tls/dhparam.pem
# Tell SELinux that Nginx can connect
setsebool -P httpd_can_network_connect=true
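Before restarting anything, it is worth checking the pieces of sections 2.2.1 and 2.2.3 that most often go wrong: a mailbox.toml with a missing or non-https URL, a mailbox .szip the service cannot read, an Nginx client_max_body_size below 16M, and a certificate that does not belong to the private key next to it. The script below is an added example, not part of the tiCrypt Mailbox package or of this manual: the key names come from the mailbox.toml table, the paths from this chapter's assumptions, and the function names, messages and the simple TOML reader are this script's own. It only reads the files it is given; it does not start or change any service.

```shell
#!/bin/sh
# Added pre-flight check for the setup in sections 2.2.1 and 2.2.3. It is
# not part of the tiCrypt Mailbox package: the key names come from the
# mailbox.toml table, the paths from this chapter's assumptions, and the
# function names and messages are this script's own.

# Read a top-level "key = value" line from mailbox.toml, quotes stripped.
toml_get() {  # toml_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Apply the notes of 2.2.1 to a mailbox.toml. Prints every problem and
# returns the number of problems found (0 means the file is usable).
check_mailbox_toml() {  # check_mailbox_toml /etc/ticrypt/mailbox.toml
    cfg=$1; problems=0
    for key in port baseURL backendURL mailbox; do
        if [ -z "$(toml_get "$cfg" "$key")" ]; then
            echo "missing required key: $key"; problems=$((problems + 1))
        fi
    done
    case $(toml_get "$cfg" port) in
        *[!0-9]*) echo "port must be an integer"; problems=$((problems + 1)) ;;
    esac
    host=$(toml_get "$cfg" hostname)
    if [ -n "$host" ] && [ "$host" != "127.0.0.1" ]; then
        echo "warning: hostname is $host; behind Nginx it should be 127.0.0.1"
    fi
    for key in baseURL backendURL; do
        case $(toml_get "$cfg" "$key") in
            ''|https://*) ;;
            *) echo "$key must be a fully qualified https:// URL"; problems=$((problems + 1)) ;;
        esac
    done
    mb=$(toml_get "$cfg" mailbox)
    if [ -n "$mb" ] && [ ! -r "$mb" ]; then
        echo "mailbox file is missing or not readable: $mb"; problems=$((problems + 1))
    fi
    case ${mb##*/} in
        ''|inbox-*.szip) ;;
        *) echo "mailbox should point to an inbox-....szip file"; problems=$((problems + 1)) ;;
    esac
    if [ "$(toml_get "$cfg" secureCookie)" = "true" ]; then
        echo "warning: secureCookie=true is for debugging only, never for production"
    fi
    return $problems
}

# Section 2.2.3: client_max_body_size below 16M breaks large uploads.
# Returns 0 only when the directive is present and at least 16M.
check_body_size() {  # check_body_size /etc/nginx/conf.d/mailbox.ticrypt.conf
    size=$(sed -n 's/^[[:space:]]*client_max_body_size[[:space:]]*\([0-9]*[KkMmGg]\{0,1\}\);.*/\1/p' "$1" | head -n 1)
    case $size in
        ''|*[Kk]) return 1 ;;                 # absent (Nginx default is 1M) or in kilobytes
        *[Gg])    return 0 ;;
        *[Mm])    [ "${size%?}" -ge 16 ] ;;
        *)        [ "$size" -ge 16777216 ] ;; # a bare number means bytes
    esac
}

# A certificate belongs to a key when both carry the same public key. For
# a stacked certificate, openssl x509 reads the first (the server) cert.
cert_matches_key() {  # cert_matches_key CERT.crt KEY.pem
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Same connectivity test as "wget https://ticrypt.example.com/info" in 2.2.1.
check_backend() {  # check_backend https://ticrypt.example.com
    curl -fsS --max-time 10 "${1%/}/info" > /dev/null
}

# Run every check, e.g.:
#   preflight /etc/ticrypt/mailbox.toml /etc/nginx/conf.d/mailbox.ticrypt.conf
preflight() {  # preflight MAILBOX_TOML NGINX_CONF
    rc=0
    check_mailbox_toml "$1" || rc=1
    check_body_size "$2" || { echo "client_max_body_size must be at least 16M in $2"; rc=1; }
    cert=$(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$2" | head -n 1)
    key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$2" | head -n 1)
    cert_matches_key "$cert" "$key" || { echo "certificate $cert and key $key do not match"; rc=1; }
    check_backend "$(toml_get "$1" backendURL)" || { echo "backend /info is not reachable"; rc=1; }
    return $rc
}
```

The certificate check compares public keys rather than RSA moduli so it also works for EC keys, and it reads the certificate and key paths straight out of the Nginx file, which catches the case where the config points at a different file than the one you verified by hand.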
Now we can restart Nginx:
systemctl restart nginx
2.2.4. Wrapping up
To wrap up the installation, we simply start the tiCrypt Mailbox service with:
systemctl start ticrypt-mailbox
and verify that the service works by navigating to the public url. You should get a message telling you that you do not have the required credentials but the page should load.
2.2.5. Debugging
If the application is not served correctly, check the error logs of tiCrypt Mailbox to ensure that the mailbox file can be found and that it is correctly signed.
You need to update the mailbox .szip file soon after it becomes available since it might contain security patches and usability improvements.
2.3. Updating the tiCrypt Mailbox server
The tiCrypt Mailbox server is very simple and rarely needs updating. In the event that you need to update it, do:
1. Install the new .rpm packages
2. Restart the tiCrypt Mailbox service with:
systemctl restart ticrypt-mailbox
Chapter 3. Installing the web application
If you installed the tiCrypt Mailbox service, you should not install the web application. The tiCrypt Mailbox service is a better choice and has better security.
Use this installation method only if you cannot install the service.
3.1. Setting up Nginx
The recommended way to install the web application is to use an Nginx instance that is set up for serving flat files and deals with the TLS/SSL certificate for the respective domain. This can be accomplished by adding a file /etc/nginx/conf.d/mailbox.ticrypt.conf with the content:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mailbox.example.com;
    root /var/www/ticrypt-mailbox;
    ssl_certificate /etc/pki/tls/certs/mailbox_bundle.crt;
    ssl_certificate_key /etc/pki/tls/private/mailbox_key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    ssl_dhparam /etc/pki/tls/dhparam.pem;
    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://code.getmdl.io";
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 208.67.222.222 1.1.1.1;
    resolver_timeout 5s;
}
Notice that you have to make the following changes:
1. server_name to the actual domain hosting the mailbox
2. ssl_certificate to the file containing the TLS/SSL certificate (not the key)
3. ssl_certificate_key to the file containing the corresponding private key
If you need a more sophisticated setup, please consult the Nginx documentation at https://nginx.org/en/docs/
3.2. Download and extract the web application
Download and extract the web application into the /var/www/ticrypt-mailbox directory.
# mkdir -p /var/www/ticrypt-mailbox
# cd /var/www/ticrypt-mailbox
# wget https://storage.googleapis.com/ticrypt//mailbox/inbox-tiCrypt_1_9_7.zip
# unzip inbox-tiCrypt_1_9_7.zip
# rm inbox-tiCrypt_1_9_7.zip
The above instructions assume that the web app is placed in the root of the virtual domain. This is the recommended method of installation. If you want to place the web app in a sub-directory, the same procedure applies (w.r.t. the subdirectory), but the file inbox.html needs to be edited. The line
<base href="/">
becomes
<base href="">
or
<base href="https://example.com/mailbox/">
If you want to simplify the inbox URL (so that it does not contain inbox.html), in the directory where you installed the mailbox web app, create the following symbolic link:
# ln -sf inbox.html index.html
Since index.html is loaded by default, the URL for the inbox will now be: https://mailbox.example.com instead of https://mailbox.example.com/inbox.html
At this point, the mailbox files are installed. The only remaining task is writing the configuration file that indicates to the mailbox where the backend server is.
3.3. Writing the config.js file
The web app configuration is a JavaScript file. The file config.js has to be placed in the root of the web app (where the file inbox.html is). Please keep the format below and only change the location of the server:
const settings = {
    "baseUrl": "https://ticrypt.example.com"
}
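The three steps that follow the unzip in section 3.2 and the config.js of section 3.3 (rewriting the base href for a sub-directory install, linking index.html, writing config.js) as one script. This is an added example and not part of the tiCrypt web app or of this manual; the function names, the insistence on a trailing slash in the base href and the refusal of a non-https baseUrl are this script's own choices. It expects the directory into which inbox-tiCrypt_1_9_7.zip was extracted.

```shell
#!/bin/sh
# Added example for the post-extraction steps of sections 3.2 and 3.3.
# It is not part of the tiCrypt web app; function names and the checks
# on the trailing slash and on https are this script's own.

# Section 3.2: rewrite <base href="..."> in inbox.html for a sub-directory
# install. An empty BASE_HREF means a root install and leaves "/" alone.
set_base_href() {  # set_base_href WEBAPP_DIR BASE_HREF
    page=$1/inbox.html
    if [ ! -f "$page" ]; then echo "no inbox.html in $1" >&2; return 1; fi
    if [ -z "$2" ]; then return 0; fi
    case $2 in
        */) ;;
        *) echo "base href must end with a slash: $2" >&2; return 1 ;;
    esac
    # '|' as the sed delimiter because the href itself contains slashes;
    # write to a temp file first so a failed sed never truncates inbox.html
    sed "s|<base href=\"[^\"]*\">|<base href=\"$2\">|" "$page" > "$page.tmp" &&
        mv "$page.tmp" "$page"
}

# Current <base href> of inbox.html, to verify the rewrite.
base_href() {  # base_href WEBAPP_DIR
    sed -n 's/.*<base href="\([^"]*\)".*/\1/p' "$1/inbox.html" | head -n 1
}

# Section 3.2: serve the inbox as https://mailbox.example.com (no inbox.html).
link_index() {  # link_index WEBAPP_DIR
    ln -sf inbox.html "$1/index.html"
}

# Section 3.3: write config.js in the format the web app expects. Only an
# https:// server URL is accepted, since the browser would otherwise talk
# to the tiCrypt server over plain HTTP.
write_config_js() {  # write_config_js WEBAPP_DIR BACKEND_URL
    case $2 in
        https://*) ;;
        *) echo "baseUrl must start with https://: $2" >&2; return 1 ;;
    esac
    printf 'const settings = {\n    "baseUrl": "%s"\n}\n' "${2%/}" > "$1/config.js"
}

# The baseUrl currently written in config.js, to verify the result.
config_js_base_url() {  # config_js_base_url WEBAPP_DIR
    sed -n 's/.*"baseUrl":[[:space:]]*"\([^"]*\)".*/\1/p' "$1/config.js"
}

# All three steps in order, e.g.:
#   install_webapp /var/www/ticrypt-mailbox "" https://ticrypt.example.com
#   install_webapp /var/www/ticrypt-mailbox/mailbox https://example.com/mailbox/ https://ticrypt.example.com
install_webapp() {  # install_webapp WEBAPP_DIR BASE_HREF BACKEND_URL
    set_base_href "$1" "$2" && link_index "$1" && write_config_js "$1" "$3"
}
```

The base_href and config_js_base_url helpers exist so that the result can be read back after the run: if either value is not what you passed in, the edit did not take and the page will load its scripts from the wrong place.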
Chapter 4. Configuring tiCrypt to use the mailbox
4.1. Actions in tiCrypt frontend
The tiCrypt frontend gets the information about where the mailbox URL is from the configuration provided by tiCrypt Connect. To set/change the mailbox URL, either the deployment file needs to be changed (we do not recommend this), or the mailbox URL needs to be set in the global deployment settings. To do so, from the "Management" tab, select "Deployment Settings" and edit the "Mailbox Settings" card.
In our case, we will set the mailbox URL to https://mailbox.example.com/inbox.html and set the priority to "Override." This priority indicates that this setting will take priority over the setting in the deployment file.
4.2. Restart Nginx and test
The last step in the process is to restart Nginx:
# systemctl restart nginx
You can now navigate to https://mailbox.example.com/inbox.html to test that the web application is running correctly.
If everything is working correctly, you can set up mailboxes within tiCrypt and send links generated to external users.