
SafeGuard MailGateway - Manual for System Administrators - Sophos


Table of Contents

1 Introduction .... 1
  1.1 About this Manual for System Administrators .... 1
  1.2 Overview of this manual .... 1
2 Quick Start .... 3
3 Basics of E-mail Encryption/E-mail Signature .... 5
  3.1 Certificates .... 5
    3.1.1 X.509 certificates .... 5
    3.1.2 CA Certificates .... 6
    3.1.3 Sub-CA certificates .... 6
    3.1.4 User certificates .... 7
  3.2 Checking the validity and trustworthiness of S/MIME certificates .... 9
    3.2.1 Certificate Revocation List (CRL) .... 10
    3.2.2 OCSP .... 10
  3.3 OpenPGP keys .... 11
  3.4 Checking the validity and trustworthiness of OpenPGP keys .... 11
    3.4.1 Web of Trust .... 12
  3.5 Exchanging S/MIME certificates or OpenPGP keys .... 13
    3.5.1 LDAP .... 14
    3.5.2 HKP key servers .... 14
  3.6 Public Key Infrastructures (PKIs) .... 14
  3.7 The public key procedure .... 15
    3.7.1 Encryption using the public key procedure .... 15
    3.7.2 Digital signature with the public key procedure .... 16
4 Standards used in E-mail Encryption .... 17
  4.1 Common attributes of S/MIME and OpenPGP .... 17
  4.2 S/MIME .... 17
  4.3 OpenPGP .... 18
  4.4 OpenPGP/MIME compared with OpenPGP/Inline .... 18
    4.4.1 OpenPGP/Inline .... 18
    4.4.2 OpenPGP/MIME .... 19
    4.4.3 How does SafeGuard MailGateway handle MIME e-mails with OpenPGP/Inline? .... 20
  4.5 PrivateCrypto .... 20
  4.6 PDFMail .... 21
  4.7 Password Management in PrivateCrypto and PDFMail .... 22
    4.7.1 Password handling .... 22
    4.7.2 Self-registration .... 22
    4.7.3 Using an SMS Gateway .... 23
5 Central E-mail Security .... 25
6 SafeGuard MailGateway Functional Integration .... 27
  6.1 Use as an internal SafeGuard MailGateway .... 27
  6.2 Integrating the SafeGuard MailGateway in your firewall .... 29
  6.3 The SafeGuard MailGateway with routing .... 29
  6.4 DNS connection .... 30
    6.4.1 The SafeGuard MailGateway as a DNS client .... 31
    6.4.2 No access to DNS server .... 31
  6.5 High availability/load distribution/clusters .... 31


    6.5.1 Cluster with internal database .... 32
    6.5.2 Cluster with external database .... 33
  6.6 The SafeGuard MailGateway's operating system .... 35
7 Administering the SafeGuard MailGateway .... 37
  7.1 Web management .... 37
  7.2 Console and file transfer .... 37
  7.3 Central Administration .... 38
  7.4 Role-based administration .... 38
  7.5 Multi-domain capability .... 39
  7.6 Time synchronization .... 39
  7.7 The logbook .... 40
    7.7.1 The technical structure of the logbook .... 40
    7.7.2 The format of the log .... 42
    7.7.3 The format of a log entry .... 42
    7.7.4 The log2ascii program .... 42
    7.7.5 The packlog script .... 43
    7.7.6 Exporting the log automatically .... 43
  7.8 The CentOS logbook .... 43
    7.8.1 Log and alarm messages .... 45
  7.9 Subject line control .... 46
  7.10 Status messages in the Subject line .... 47
  7.11 Messages to the user .... 47
8 User Management with the SafeGuard MailGateway .... 49
  8.1 Internal S/MIME .... 49
  8.2 Internal OpenPGP .... 50
  8.3 External S/MIME .... 50
  8.4 External OpenPGP .... 51
  8.5 Key server .... 52
    8.5.1 LDAP .... 52
    8.5.2 HKP .... 52
  8.6 E-mail CA .... 52
    8.6.1 S/MIME .... 53
    8.6.2 Generating certificates for existing users .... 53
    8.6.3 External PKI connection .... 53
    8.6.4 OpenPGP .... 53
    8.6.5 Generating OpenPGP keys for existing users .... 54
  8.7 CA certificates .... 54
9 Using the SafeGuard MailGateway to Distribute S/MIME Certificates and OpenPGP Keys .... 57
10 Services .... 61
  10.1 The ESMTP Proxy .... 62
    10.1.1 How the ESMTP Proxy selects rules .... 62
    10.1.2 How do you prevent your SafeGuard MailGateway from being misused as a relay? .... 63
    10.1.3 LDAP synchronization of an Active Directory folder .... 63
    10.1.4 Checking with DNS by the ESMTP Proxy .... 63
    10.1.5 How the ESMTP Proxy selects users .... 65
    10.1.6 Wildcards and Patterns .... 66
    10.1.7 Configuring rules for the ESMTP Proxy .... 67
  10.2 The secure e-mail service .... 71

    10.2.1 Configuring the rules .... 72
    10.2.2 Example configurations for the secure e-mail service .... 80
    10.2.3 Rule evaluation for the secure e-mail service .... 87
    10.2.4 Status messages in the Subject line .... 90
    10.2.5 Commands for the Subject line .... 90
  10.3 PDFMail settings .... 90
    10.3.1 PDF Set .... 90
  10.4 The Postfix service .... 91
11 Installation .... 93
  11.1 Preparing for installation .... 93
  11.2 Performing the installation .... 93
    11.2.1 CD Found .... 94
    11.2.2 Welcome to SafeGuard MailGateway .... 94
    11.2.3 License Agreement .... 94
    11.2.4 Keyboard Selection .... 94
    11.2.5 Warning .... 95
    11.2.6 Warning .... 95
    11.2.7 Network Configuration .... 95
    11.2.8 Miscellaneous Network Settings .... 95
    11.2.9 Hostname Configuration .... 95
    11.2.10 Time Zone Selection .... 95
    11.2.11 Date and Time Configuration .... 95
    11.2.12 Reboot .... 95
    11.2.13 SafeGuard MailGateway Configuration .... 96
    11.2.14 System .... 96
    11.2.15 Web Management .... 96
    11.2.16 Internal e-mail domain .... 96
    11.2.17 Certificate Authority (CA) .... 96
    11.2.18 Exit .... 96
12 Setting up Administrator Access .... 97
  12.1 Setting up web management (SSL access) .... 97
  12.2 Setting up console and file transfers (SSH access) .... 97
  12.3 Installing and setting up PuTTY (console access) .... 98
  12.4 Installing and setting up Winscp (file transfers) .... 98
  12.5 Setting up puttygen (SSH client authentication) .... 99
13 Web Management .... 103
  13.1 Logging onto Web Management (browser) .... 103
  13.2 Main menu .... 103
  13.3 Title .... 103
  13.4 Administration .... 103
  13.5 Important buttons .... 103
14 Setting up Administration .... 105
  14.1 Monitoring .... 105
    14.1.1 State .... 105
    14.1.2 Logbook .... 106
    14.1.3 Settings .... 106
  14.2 System .... 107
    14.2.1 Change Runlevel .... 107
    14.2.2 Update .... 108
    14.2.3 Changelog .... 109

    14.2.4 License .... 109
    14.2.5 Backup .... 109
  14.3 Logout .... 109
15 Configuring the Network .... 111
  15.1 General .... 111
  15.2 Details .... 112
  15.3 PDF-Reply .... 113
  15.4 Mail output .... 113
16 Setting up an E-mail CA .... 115
  16.1 S/MIME .... 115
    16.1.1 Internal PKI .... 115
    16.1.2 Generate users .... 116
    16.1.3 TC TrustCenter .... 117
    16.1.4 LDAP publishing .... 118
  16.2 OpenPGP .... 119
    16.2.1 E-mail CA postmaster key .... 119
    16.2.2 LDAP publishing .... 119
    16.2.3 Generating users .... 120
17 Setting up the ESMTP proxy service .... 121
  17.1 Setting up the ESMTP proxy for LDAP synchronization .... 124
18 Setting up the Secure E-Mail Service .... 129
  18.1 Base rules after installation .... 129
  18.2 Customizing Base rules .... 132
  18.3 Using domain certificates .... 134
    18.3.1 Additional decoding key .... 134
    18.3.2 Additional verification key .... 134
  18.4 Details .... 134
  18.5 Commands .... 135
19 Setting up PDFMail .... 137
  19.1 PDF Settings .... 137
  19.2 Generating PDF Sets .... 139
  19.3 PDF sets in subject line control .... 141
  19.4 Selecting a PDF set for a Secure E-mail rule .... 141
20 Importing CA Certificates .... 143
  20.1 General .... 143
    20.1.1 Options .... 143
  20.2 Details .... 144
    20.2.1 CRL cache timeout .... 144
    20.2.2 Automatic import of CA certificates from e-mails .... 145
21 Setting up a Key Server/LDAP Server .... 147
  21.1 General .... 147
  21.2 Details .... 147
    21.2.1 Import .... 147
    21.2.2 Cache .... 148
22 Managing Users .... 149
  22.1 Suppressing the display of user data .... 149
  22.2 Search filter .... 149
  22.3 Internal user S/MIME .... 150
    22.3.1 Importing certificates .... 151
    22.3.2 Automatically importing S/MIME certificates from e-mail .... 151

    22.3.3 Automatic deletion of expired certificates .... 152
  22.4 OpenPGP internal users .... 152
    22.4.1 Importing OpenPGP keys .... 153
    22.4.2 Automatic deletion of expired keys .... 153
  22.5 S/MIME external users .... 154
    22.5.1 Importing certificates .... 154
    22.5.2 Automatic deletion of expired certificates .... 155
  22.6 OpenPGP external users .... 155
    22.6.1 Import OpenPGP keys .... 156
    22.6.2 Automatic deletion of expired certificates .... 157
23 Administrators .... 159
  23.1 Administrators Management .... 159
    23.1.1 Creating Administrator Accounts .... 159
    23.1.2 Processing Administrator accounts .... 159
  23.2 My Account .... 160
24 Cluster .... 161
  24.1 Setting up a cluster .... 161
  24.2 Rebuilding a cluster .... 162
25 Maintenance .... 163
  25.1 Monitoring the log .... 163
  25.2 Logbook deletion .... 165
  25.3 Statistics log .... 165
  25.4 Exporting log statistics .... 165
  25.5 Evaluating log entries and alarm messages .... 165
    25.5.1 Evaluating an alarm message .... 165
  25.6 What to do if an e-mail CA/sub CA expires .... 169
    25.6.1 E-mail CA S/MIME .... 169
    25.6.2 E-mail CA postmaster key .... 170
  25.7 The most important Linux commands .... 170
  25.8 Removable media .... 171
    25.8.1 Normal CD-ROMs .... 171
  25.9 Transferring files to or from the SafeGuard MailGateway .... 172
    25.9.1 SCP .... 172
  25.10 Installing updates .... 173
  25.11 Restoring a backup .... 173
  25.12 Changing the "root" user password .... 174
  25.13 Password for the internal database .... 175
    25.13.1 Reading passwords for the internal database .... 175
    25.13.2 Changing the password for the internal database .... 176
  25.14 Password for the public LDAP server .... 178
  25.15 Changing the password for the public LDAP server .... 178
  25.16 Automatically exporting backups, CRLs and logs .... 179
    25.16.1 Setting up the automatic backup .... 179
    25.16.2 Setting up the automatic export of CRLs and logs .... 180
  25.17 Upgrading to a new version .... 182
    25.17.1 Migrating to a new version of SafeGuard MailGateway .... 182
  25.18 Licensing .... 183
    25.18.1 Exchanging the license file .... 184
    25.18.2 The licensed_users.txt file .... 184
  25.19 Exchanging PDF Reply certificates .... 185


  25.20 Translating messages .... 185
26 Customer Service .... 189
Glossary .... 191


List of Figures

3.1 Sub-CA certificates .... 7
3.2 Direct trust model .... 12
3.3 Trust model in larger installations .... 12
3.4 Postmaster key .... 13
5.1 E-mail gateway functionality .... 25
6.1 Functional setup .... 27
6.2 Internal e-mail gateway .... 28
6.3 Network topology .... 30
6.4 Internal databases .... 32
6.5 Several locations .... 33
6.6 Cluster model .... 34
6.7 Central database .... 35
7.1 Multi-domain capability .... 39
7.2 Logbook .... 41
7.3 CentOS Logbook .... 44
9.1 Firewall .... 57
9.2 Key Server .... 58
9.3 LDAP or HKP Server .... 59
10.1 Services .... 61
10.2 Wildcard and Pattern .... 66
10.3 Wildcard and Pattern scenario .... 67
10.4 Example A .... 68
10.5 Rule configuration for example A .... 68
10.6 Example B .... 69
10.7 Rule configuration for example B .... 70
10.8 Example A and B .... 70
10.9 Example A and B .... 70
10.10 Example A .... 71
10.11 Example B .... 71
10.12 Network topology .... 92
15.1 Routing .... 111
17.1 Example A .... 121
17.2 General tab .... 123
17.3 Rule 1 .... 123
17.4 Rule 2 .... 124
17.5 Rule 3 .... 124
17.6 Example A .... 125
17.7 Rule configuration .... 125
17.8 Rule configuration .... 126
17.9 Modified rule 1 .... 126
17.10 Modified rule 3 .... 127
18.1 Policy window .... 132



List of Tables

10.1 Recipient e-mail address or sender e-mail address ........ 74
10.2 Recipient attribute or sender attribute ........ 74
10.3 "Recipient is licensed" or "Sender is licensed" ........ 75
10.4 E-mail text size ........ 75
10.5 E-mail has an attachment ........ 75
10.6 Attachment name ........ 75
10.7 E-mail is encrypted ........ 76
10.8 E-mail is signed ........ 76
10.9 E-mail sensitivity ........ 76
10.10 E-mail priority ........ 77
10.11 E-mail subject ........ 77
10.12 Header field ........ 77



1 Introduction

Thank you for purchasing our SafeGuard MailGateway security system. We hope that you will be satisfied with our product. However, please do not hesitate to contact us if you have any complaints or other comments. Before you start working with the SafeGuard MailGateway, you should carefully read this Manual for System Administrators.

1.1. About this Manual for System Administrators

Sophos retains the right to change or add to this Manual for System Administrators (referred to below as "the manual") without prior notice, at any time. Sophos accepts no liability for print errors and any damage that might occur as a result of them. To make it easier to find notes in this manual quickly, icons have been used to highlight the most important information:

[Icon] These contain important safety information that you must follow.

[Icon] These are additional notes or supplementary information.

[Icon] This is an example.

There is a separate manual for users who want to encrypt their e-mails by means of the SafeGuard MailGateway.

1.2. Overview of this manual

This manual is primarily designed to be used by administrators who are responsible for the SafeGuard MailGateway. In addition to the "Introduction" and the "Quick Start", this manual is divided into three main areas:

1. Basics
This area, which includes Chapter 3 and Chapter 4, provides the most important basic information. You should read these chapters if you are not yet familiar with the basic principles and standards involved in e-mail encryption. These include:
• Basic information about e-mail encryption and e-mail signature
• E-mail encryption standards
• S/MIME
• OpenPGP
• PDFMail

2. Functional descriptions
This area, which runs from Chapter 5 to Chapter 10, provides you with all the important information about the functions supported by the SafeGuard MailGateway. It gives an overview of the features of SafeGuard MailGateway. These include:
• SafeGuard MailGateway functional integration
• Administering the SafeGuard MailGateway
• Certificate management (S/MIME) with the SafeGuard MailGateway
• OpenPGP key management with the SafeGuard MailGateway
• Information about ESMTP services, Secure-Mail and Postfix with example configurations (rule selection) for these services

3. Operating instructions
This section, which includes Chapter 11 to Chapter 21, details solution-oriented, highly practical scenarios that provide all the information you require to set up and administer the SafeGuard MailGateway using web management or the console. It also provides all the information necessary for maintaining your SafeGuard MailGateway. We strongly recommend that you also always use the online help, because it was not possible to describe every configuration option in detail in this manual. At the end of the manual you will find notes about customer service and a "glossary".


2 Quick Start

This chapter gives you a brief description of all the steps you need to use your SafeGuard MailGateway to edit, send and receive e-mails cryptographically. However, we strongly recommend that you also make use of the online help to supplement the brief descriptions of the operating steps given here.

1. If you have not yet installed your SafeGuard MailGateway, please install it as described in chapter "Installation".
2. Create administrator access on your admin PC. Chapter 12 explains how to do this.
3. Set up console access on your admin PC. Section 12.2 to Section 12.4 explain how to do this.
4. Log on to web management. Please read Section 13.1.
5. Enter the e-mail address of your admin PC so that all the alarm messages from your SafeGuard MailGateway will be sent to it. See Section 14.1.3 for details. You should also read the paragraph about "Logging" in this section.
6. Modify the routing. If you have to use both an internal and an external e-mail router you must modify the routing settings in your SafeGuard MailGateway. Refer to the paragraph about "Routing" in Section 15.1 for details of how to do this.
7. Set up the Postfix service. Please read Section 15.4.
8. Create an e-mail CA for S/MIME and an e-mail CA Postmaster key for OpenPGP. See Section 16.1 for S/MIME and Section 16.2 for OpenPGP.
9. Set up the ESMTP Proxy service. The ESMTP service proxy is responsible for accepting and transferring e-mails. For more information, please refer to Chapter 17.
10. Set up the Secure E-mail service. This service is responsible for processing e-mails cryptographically. You will find all required information about this in Chapter 18.
11. If you are using S/MIME certificates, import the CA certificates from your external communications partners. The important things to note here are listed in Chapter 20.
12. Set up the key server / LDAP server. This is described in Chapter 21.



3 Basics of E-mail Encryption/E-mail Signature

This chapter provides background information about the various standards according to which e-mails are sent to the Internet in encrypted and signed formats. Before you can become familiar with the encryption concepts supported by the SafeGuard MailGateway you will need to understand a range of terms that help to explain the e-mail encryption methods in use.

3.1. Certificates

A certificate is a form of accreditation, such as your passport or birth certificate. Both documents contain information that can be used to prove your identity as well as an attestation by a government body that has confirmed your identity. A digital certificate, referred to below simply as a "certificate", is a set of data that acts as a form of passport. A certificate consists of data that has been added to a person's public key. This data can be used to identify that person. A certificate contains these elements:
• A public key, whose use can be restricted
• Certificate data (data about a user's identity, such as their name, User ID etc.)
• A digital signature
The digital signature on a certificate means that the certificate data has been confirmed by a third party or a government body. The digital signature does not confirm the genuineness of the entire certificate, but only that the signed data belong or are bound to the identity of the public key.

A certificate is therefore a public key to which one or two types of ID and an accreditation stamp from another trustworthy person are attached.

The next sections detail the certificates that are of interest to you when you are running your SafeGuard MailGateway.

3.1.1. X.509 certificates

X.509 certificates comply with the international ITU-T X.509 standard. For this reason, in theory, all X.509 certificates created for one application can be used by all other users that comply with ITU-T X.509.

For every certificate you must check that the public key and the person to whom the key belongs actually belong together. In the case of an X.509 certificate this check is always carried out by a Certificate Authority (CA) or by a person nominated to do so by the CA. An X.509 certificate consists of the following data:
• The public part of the asymmetrical key.
• The description of identity. This may be a computer, a human being or a legal entity.
• Attributes that regulate how the certificate is to be used.

3.1.2. CA Certificates

The integrity of an X.509 certificate is guaranteed by a digital signature. The certificate's signature must be checked. This check proves that the certificate has not been manipulated. A certificate is usually signed by a superior level certificate. It is fairly obvious that this will lead to the well-known "chicken and egg" problem. To solve this problem a hierarchical structure was defined for the X.509 standard. At the top of this system there is usually one, single Root CA certificate (sometimes, in practice, there may be a small number of these). This has signed itself and therefore represents the starting point of trustworthiness. Root CA certificates must always be checked manually. This means they cannot be checked automatically by the SafeGuard MailGateway. Each CA must assign a unique serial number to each certificate it issues. You can therefore use the serial number and the issuing CA to uniquely identify every certificate. The serial number alone is not unique.

Your SafeGuard MailGateway is able to create a CA certificate for your S/MIME certificates.

3.1.3. Sub-CA certificates

A Sub-CA certificate is one lower-level certificate that is issued and signed by the Root-CA. A Sub-CA certificate can issue and sign users' certificates. In this respect, the Root-CA certificate is also the starting point of trustworthiness when Sub-CA certificates are used. This figure shows how this structure works:

Figure 3.1. Sub-CA certificates

3.1.4. User certificates

User certificates are certificates that are based on the X.509 standard and are used by people or computers to perform cryptographic operations. The SafeGuard MailGateway supports these X.509 user certificates:
• S/MIME certificates
• SSL server certificates
• SSL client certificates
• OCSP server certificates
Unlike a CA certificate, a user certificate cannot sign any other certificate. It is only used for encrypting or signing data or e-mails.

3.1.4.1. S/MIME certificates

S/MIME certificates are used for digital signatures and e-mail encryption. S/MIME certificates have an e-mail address as their "identity". The S/MIME standard states that this e-mail address must match the sender's or recipient's e-mail address. SafeGuard MailGateway usually requires this as well. Domain certificates are the exception to this rule. The SafeGuard MailGateway only assigns the e-mail address to an S/MIME user certificate. SafeGuard MailGateway does not use the other details about the person to whom this e-mail address belongs. For SafeGuard MailGateway it is irrelevant whether the e-mail address is that of a person, a machine or an organization. The following parameters must be set in an S/MIME certificate so that SafeGuard MailGateway can process it correctly:

Parameter                   Value
Subject                     emailAddress=<e-mail address> (a, b)
Subject Alternative Name    e-mail:<e-mail address> (a, b)
Basic Constraints           CA:FALSE (c)
Key Usage                   Digital Signature (b, d)
                            Key Encipherment (b, e)
Extended Key Usage          E-mail Protection

a At least one of these parameters must be present.
b If this parameter is present, it must have this value (possibly in addition to other values, if required).
c If this parameter is present, it must have this value.
d This value must be set if this certificate is to be used to sign e-mails.
e This value must be set if this certificate is to be used to encrypt e-mails.

3.1.4.2. SSL server certificates

SSL server certificates are used by computers to authenticate themselves to a client in an SSL connection. The SafeGuard MailGateway uses an SSL server certificate in web management. In an SSL server certificate, the identity is the host name or the server's IP address. These parameters must be set so that the SafeGuard MailGateway can process SSL server certificates correctly:

Parameter                   Value
Subject                     Distinguished Name of the server (a)
Subject Alternative Name    DNS:<host name>, IP Address:<IP address> (a)
Netscape SSL Server Name    <host name> (a)
Basic Constraints           CA:FALSE (b)
Extended Key Usage          TLS Web Server Authentication (b)
Netscape Cert Type          SSL Server

a If this parameter is present, it must have this value.
b If this parameter is present, it must have this value among others.

3.1.4.3. SSL client certificates

SSL client certificates are used by clients (people or computers) to authenticate themselves to a server in an SSL connection. Client authentication is usually optional. In an SSL client certificate the identity is the host name of a client computer, the IP address of a client computer or a person's name.

These parameters must be set so that the SafeGuard MailGateway can process SSL client certificates correctly:

Parameter                   Value
Subject                     Distinguished Name of the client (a)
Basic Constraints           CA:FALSE (b)
Extended Key Usage          TLS Web Client Authentication (b)
Netscape Cert Type          SSL Client

a If this parameter is present, it must have this value.
b If this parameter is present, it must have this value among others.

3.1.4.4. OCSP Server Certificates

OCSP server certificates are special certificates that are used for digitally signing OCSP responses. In an OCSP server certificate the identity is the server's Distinguished Name. These parameters must be set in an OCSP server certificate:

Parameter                   Value
Subject                     Distinguished Name of the server (a)
Basic Constraints           CA:FALSE (b)
Extended Key Usage          OCSP Signing

a If this parameter is present, it must have this value.
b If this parameter is present, it must have this value among others.

3.2. Checking the validity and trustworthiness of S/MIME certificates

The trustworthiness of an S/MIME certificate can be checked relatively easily, because every S/MIME certificate has always been signed by one CA certificate. Checking the trustworthiness is limited to checking a few CA certificates. Like your ID, S/MIME certificates are only valid for a specific time period. Again, like your ID, S/MIME certificates show when their period of validity starts and when it finishes. In the case of X.509 certificates the "not before" and "not after" attributes are set to limit the certificate's period of validity. These values are set when the certificate is generated and cannot be changed after that. However, this mechanism on its own is not enough. It may happen that a certificate becomes invalid ahead of time. This may happen because:
• A member of sta leaves your company.
• A member of staff receives a new e-mail address.
• The private key that belongs to the public certificate has fallen into the hands of an unauthorized person.
In such situations you have to make clear that this certificate is now invalid. One way of doing this is by publishing a CRL.

3.2.1. Certificate Revocation List (CRL)

A CRL (Certificate Revocation List) has an entry for each certificate that has become invalid ahead of time, with the following parameters:
• certificate serial number
• point in time at which the certificate became invalid
• a note about the cause (optional)
The CRL always belongs to a single CA. It can only list this CA's certificates. For this reason each CA should publish a CRL even if this list is empty. To ensure that the information in a CA's CRL stays up-to-date, the CA must update it regularly. The CRL itself has a validity period so that users can check whether they have the current one. The CRL must have a digital signature from the CA, i.e. with the private key that belongs to the CA certificate. This prevents attackers from using and spreading manipulated CRLs. As CRLs are only published from time to time, there may be a delay before users find out about the latest invalid certificates. Sometimes a CRL can be extremely large. There are CAs whose Certificate Revocation Lists run to several megabytes. Regularly updating and evaluating such large lists can take a lot of time and effort. The OCSP server provides an alternative to CRLs.
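As an added example that is not part of this manual or of the SafeGuard MailGateway, the following shell script uses openssl (assumed to be installed, version 1.1.1 or newer) to build a throw-away e-mail CA, issue an S/MIME user certificate with the parameters from the table in section 3.1.4.1, check those parameters, and then revoke the certificate through a CA-signed CRL as described in this section; the CA name, e-mail address and working directory are constructed.

```shell
#!/bin/sh
# Added example, not from the Sophos manual: a throw-away e-mail CA that
# issues one S/MIME user certificate with the parameters from the table in
# section 3.1.4.1, checks them, and then revokes it via a CRL (section 3.2.1).
# Names, addresses and paths are made up. Needs openssl 1.1.1 or newer.
set -eu

# Self-signed root CA (section 3.1.2): CA:TRUE, may sign certificates and CRLs.
# The config also holds the minimal "openssl ca" setup (empty database, CRL
# counter) that revocation and CRL generation need.
make_ca() {   # $1 = working directory
  : >"$1/index.txt"
  echo 01 >"$1/crlnumber"
  cat >"$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = mail_ca
[ mail_ca ]
database = $1/index.txt
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_crl_days = 7
crlnumber = $1/crlnumber
EOF
  openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -sha256 -days 365 -subj "/O=Example Corp/CN=Example Mail CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# S/MIME user certificate (section 3.1.4.1): the e-mail address is the
# identity (Subject emailAddress and SAN), CA:FALSE, Digital Signature for
# signing, Key Encipherment for encryption, EKU E-mail Protection.
issue_smime_cert() {   # $1 = working directory, $2 = e-mail address, $3 = name
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3/emailAddress=$2" -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
  printf '%s\n' "basicConstraints = CA:FALSE" \
    "keyUsage = digitalSignature, keyEncipherment" \
    "extendedKeyUsage = emailProtection" \
    "subjectAltName = email:$2" >"$1/smime.ext"
  openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/smime.ext" \
    -out "$1/user.crt" 2>/dev/null
}

# Check a certificate against the table in section 3.1.4.1 via its text
# dump. Prints each missing item; returns 1 if anything is missing.
check_smime_cert() {   # $1 = certificate (PEM)
  text="$(openssl x509 -in "$1" -noout -text)"
  rc=0
  case "$text" in
    *emailAddress*|*"email:"*) ;;
    *) echo "missing: e-mail address in Subject or Subject Alternative Name"; rc=1 ;;
  esac
  for want in "CA:FALSE" "Digital Signature" "Key Encipherment" "E-mail Protection"; do
    case "$text" in
      *"$want"*) ;;
      *) echo "missing: $want"; rc=1 ;;
    esac
  done
  return $rc
}

# Signature check against the issuing CA (section 3.2); when a CRL is given
# the revocation status is checked too. Returns 0 only for a valid cert.
verify_cert() {   # $1 = CA certificate, $2 = user certificate, $3 = CRL (optional)
  if [ $# -ge 3 ]; then
    openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Publish a CA-signed CRL (section 3.2.1). Each entry carries the serial
# number, the revocation time and, optionally, the reason.
gen_crl() {   # $1 = working directory
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

revoke_cert() {   # $1 = working directory, $2 = certificate to revoke
  openssl ca -config "$1/ca.cnf" -revoke "$2" -crl_reason keyCompromise 2>/dev/null
}

# Demonstration run with constructed data.
WORK="$(mktemp -d)"
make_ca "$WORK"
issue_smime_cert "$WORK" "alice@example.com" "Alice Example"
check_smime_cert "$WORK/user.crt" && echo "user.crt: S/MIME parameters OK"
gen_crl "$WORK"                                    # empty CRL, cert still valid
verify_cert "$WORK/ca.crt" "$WORK/user.crt" "$WORK/ca.crl" && echo "user.crt: valid"
revoke_cert "$WORK" "$WORK/user.crt"               # e.g. private key compromised
gen_crl "$WORK"                                    # new CRL now lists the serial
verify_cert "$WORK/ca.crt" "$WORK/user.crt" "$WORK/ca.crl" || echo "user.crt: revoked"
openssl crl -in "$WORK/ca.crl" -noout -text | grep -A 5 "Revoked Certificates"
```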

3.2.2. OCSP

The Online Certificate Status Protocol (OCSP) provides an alternative to Certificate Revocation Lists (CRLs). If you want to check a certificate's validity, you do not check its status in a CRL. Instead you can query its status online from an OCSP server. To do this, you simply send a query to which the server responds with either "valid" or "not valid". The question and the response are transferred in an HTTP connection. The response from the OCSP server is signed, just as the CRL is, to prevent it being manipulated by attackers. These certificates, or rather the private keys that belong to them, can be used to create this signature:
1. The certificate from the CA that issued the queried certificate.
2. An OCSP server certificate directly issued by the same CA.
3. Any other certificate that the person making the query accepts for OCSP responses.

The first scenario is the most obvious one. It corresponds to what happens with CRLs. However, a CA's private key is especially sensitive data. For this reason it should not be stored on a server that can be accessed from outside via HTTP. This is why you can use (2.) a special OCSP server certificate in this case. This certificate is given a specific attribute, so that no other certificate from the CA can be misused as an OCSP server certificate. In the third scenario you can use special applications such as OCSP concentrators. These are servers that respond to OCSP queries about certificates from different CAs. To do this they evaluate, among other things, the CRLs from these CAs. Usually not every CA provides an OCSP server certificate.

3.3. OpenPGP keys

OpenPGP keys play the same role in OpenPGP encryption as S/MIME certificates do in S/MIME encryption. In the sense of the definition given in the previous chapter, OpenPGP keys are also certificates. However, OpenPGP keys are not usually known as certificates. OpenPGP keys differ from S/MIME certificates in two fundamental aspects: OpenPGP keys are not signed by a CA. Instead each OpenPGP user signs their own key. As a result, each key contains what is practically its own small Root CA, which is called a "primary key". This difference is due to historic reasons. PGP was developed to protect the e-mail communications of citizens against state monitoring measures, whereas S/MIME certificates were designed to be used in hierarchical organizations like companies and government bodies. The second difference between OpenPGP keys and S/MIME certificates is that the latter contain only one e-mail address and one public key. Apart from that S/MIME certificates cannot be changed once they have been signed by their CA. OpenPGP keys are much more complex and more dynamic. In addition to the primary key they also contain user IDs and subkeys. User IDs describe the "identities" of the key owner. They include a name, a description and an e-mail address. User IDs can be added and removed from an OpenPGP key in the same way as an owner acquires a new e-mail address or gives up an old one. Subkeys are used to encrypt e-mails. Subkeys can also be used for a digital signature but this is not common practice. The primary key is generally used for this purpose. User IDs and subkeys are signed with the primary key. This prevents an attacker from adding manipulated subkeys or user IDs to an OpenPGP key. The question for both OpenPGP keys and S/MIME certificates is the same: how can you check that a PGP key is valid?

3.4. Checking the validity and trustworthiness of OpenPGP keys

As each OpenPGP key has its own root CA, the primary key, the problem here does not simply involve checking a few root CA certificates as it is for S/MIME certificates. The OpenPGP standard takes into account the possibility that each OpenPGP key may be signed by a different user. This means there is no separation of CA certificates and user certificates as there is in S/MIME. Furthermore, it may happen that one OpenPGP key is signed by one or many more other keys. Every person who signs an OpenPGP key automatically becomes the "key administrator" of that key. Unlike S/MIME certificates which exist in a hierarchical structure, this method results in a completely unstructured network of relationships based on trust – known as the "Web of Trust".

3.4.1. Web of Trust

Two trust models are combined with each other to form the Web of Trust. The direct trust model is the less complex. Here the user trusts the validity of a key whose origin they know. All encryption systems use this trust model. Users who check the key themselves in OpenPGP are using the direct trust model.

Figure 3.2. Direct trust model

This trust model is ideal for use in unstructured groups of people, for example in domestic life, or small, centralized OpenPGP installations. However, in larger installations you soon lose the overview.

Figure 3.3. Trust model in larger installations

For this reason you should organize your Web of Trust like a hierarchical S/MIME infrastructure. OpenPGP keys support these hierarchical structures in which you can use a CA to check certificates.


This is the second trust model, which is known as a Trust Hierarchy. This trust model has a tree structure in which the genuineness of each individual certificate can be checked by tracking the path from its Certificate Authority over others and back to the root certificates with direct trust. In this respect a hierarchical structure, in which specific OpenPGP keys are only used to sign other OpenPGP keys, and others are only used to sign and encrypt e-mails, represents a special scenario in the Web of Trust. An OpenPGP key that only signs other keys is also called a "Trusted Introducer" or a "Postmaster key". Unfortunately, these terms are not used consistently. Sometimes, the term "key manager" is also used in this context.

Figure 3.4. Postmaster key

3.5. Exchanging S/MIME certificates or OpenPGP keys

If you want to use an S/MIME certificate or an OpenPGP key to encrypt an e-mail you are faced with the question of where to get this S/MIME certificate or OpenPGP key from. If you generate certificates and keys yourself and then want to use them to encrypt or sign other e-mails, how do you publish your S/MIME certificates and OpenPGP keys? Both parties, if they do not have a suitable S/MIME certificate or OpenPGP key, can search external folders to find the appropriate certificates or keys. In this situation S/MIME certificates and OpenPGP keys take different paths.


In the case of S/MIME certificates you can only access public folders by using LDAP (Lightweight Directory Access Protocol). S/MIME certificates have another distribution option in that you can easily attach them to signed e-mails as invisible attachments. For OpenPGP keys you use an HKP key server and, more recently, also LDAP.

3.5.1. LDAP

LDAP gives you anonymous find and read access to public folders. You should select the recipient's e-mail address as the search criterion. Sometimes you may find several certificates in different folders. LDAP should be used for S/MIME certificates and also for OpenPGP keys. These folders are accessed in plain (unencrypted) text because certificates are public information. You must, of course, check these certificates once you have downloaded them from the folder. Usually every TrustCenter provides an LDAP folder for its CAs.

3.5.2. HKP key servers

In OpenPGP the HKP key server fulfils the functions of the LDAP server for S/MIME certificates. However, the HKP key server, which administers only OpenPGP keys, is not purely a database. As OpenPGP keys are dynamic data structures, it may happen that you find the key is already present when you try to upload it to the key server. The key server must then merge both versions of the key. Every OpenPGP user can upload either their own OpenPGP keys or those from other people to the key server. The second situation is very useful if they have signed the key and therefore confirmed that it can be trusted. The user can then publish their signature on this key by uploading it. However, one consequence of this is that each OpenPGP user could, in theory, generate an OpenPGP key with any e-mail address and distribute it via a public key server. The fact that an OpenPGP key is present on a public key server therefore does not guarantee the key's trustworthiness. The key server is therefore not a replacement for the Web of Trust.

The LDAP server manages both S/MIME certificates and OpenPGP keys! The HKP key server only manages OpenPGP keys!

3.6. Public Key Infrastructures (PKIs)

A PKI is the body that manages certificates. It can issue, remove, store, recall and confirm the trustworthiness of certificates. It can also provide folders (LDAP and key server) and CRLs. The main feature of a PKI is the introduction of a Certificate Authority (CA). This is a person, a group, a department, a company or another group of people authorized by a company to issue certificates for computer users. The functions of a CA are similar to those of the governmental department that issues passports. A CA creates certificates and uses its own private key to sign them with a digital signature. This certificate issuing function makes the CA the central component of a PKI. Anyone who wants to check that a certificate is genuine can use the CA's public key to verify the digital signature of the issuing CA and consequently the integrity of the certificate contents (primarily the public key and the identity of the certificate owner). SafeGuard MailGateway by Sophos can create this type of CA certificate and can therefore be used as your own PKI. The SafeGuard MailGateway can also be integrated quickly and easily into an existing PKI structure.

3.7. The public key procedure

The problem of key management can be solved by public key encryption. This strategy was introduced in 1975 by Whitfield Diffie and Martin Hellman. Their concept can be described as an asymmetrical scheme in which a pair of keys is used for the encryption procedure. This pair consists of a private key, which must never be published, and a public key that everyone knows. Even someone who is completely unknown to you can use your public key to encrypt an e-mail that can then only be read by you, because you own the private key. The main benefit of cryptography using public keys is that messages (e-mails) can be exchanged securely without having to agree on a security procedure in advance. You no longer need a secure channel to transfer e-mails.

3.7.1. Encryption using the public key procedure

The public key procedure that operates with two keys allows you to encrypt data with one part of the key pair (the public key) and be sure that this data can only be decrypted with the other part (the private key). A "session key" is generated each time you encrypt an e-mail. This session key is used to encrypt the e-mail. The session key is then encrypted with the public key. The private key is then used to decrypt the encrypted session key and therefore also the e-mail that was encrypted with it. The important thing to note here is that both parties to an e-mail, i.e. the sender and the recipient, must be able to access each other's public key. Only then can they exchange encrypted e-mails in both directions.

A knows B's public key. B knows A's public key.
A wants to send an encrypted e-mail to B. A uses B's public key to encrypt the e-mail. B uses their own private key to decrypt the e-mail.
B wants to send an encrypted e-mail to A. B uses A's public key to encrypt the e-mail. A uses their own private key to decrypt the e-mail.

Therefore, the public key is always used for encryption. The private key is always used for decryption.

3.7.2. Digital signature with the public key procedure

A digital signature can only be created with the private key. The corresponding public key can be used to check the authenticity of the digital signature. A digital signature is not applied to the entire message as in the encryption procedure; instead a summary of the message that is to be signed is created. To do this you use a one-way hash function that generates a fixed-length cryptographic checksum. This cryptographic checksum, which is encrypted with the private key, can then be checked with the public key.

A wants to send a signed e-mail to B. A uses their private key to sign an e-mail to B. B uses A's public key to check that the signature is genuine.
B wants to send a signed e-mail to A. B uses their private key to sign an e-mail to A. A uses B's public key to check that the signature is genuine.

The sender's own private key is always used to sign an e-mail. The sender's public key is always used to verify the signature.


4 Standards used in E-mail Encryption

S/MIME (Secure MIME) and OpenPGP (Open Pretty Good Privacy) are two methods of encrypting and signing e-mails. The main difference between these two concepts (S/MIME and OpenPGP) is in their key management. PrivateCrypto is a data format that can only be used to encrypt data - not to sign it. PDFMail is a procedure to provide external communications partners with an easy way to exchange encrypted e-mails. The next sections describe the concepts involved in e-mail encryption in more detail:
• S/MIME
• OpenPGP
• PrivateCrypto
• PDFMail

4.1. Common attributes of S/MIME and OpenPGP

Both concepts are based on the asymmetrical encryption process (public key procedure) that uses one private key and one public key.

4.2. S/MIME

S/MIME is an extension to the MIME mail standard, which has practically replaced the old UUENCODE/UUDECODE procedure for adding attachments to e-mails. S/MIME specifies the use of a range of cryptographic algorithms. When you create an S/MIME message you must prepare the S/MIME objects (digital signature, encryption, coding) and embed them as attachments in a MIME message as transformation steps. The S/MIME objects created in the message can now be signed, encrypted, or signed and encrypted. S/MIME provides an option for sending signed messages in a clear-signed format where the digital signature is separated from the message, so that the message can also be processed by e-mail programs that do not support S/MIME. The S/MIME data structure can also protect the sender's identity because the signature and the message can be sent in an encrypted digital envelope. S/MIME is very widely used by governmental bodies. In most countries S/MIME, or its underlying PKCS#7 format, is the specified format for signatures in accordance with current digital signature legislation.
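The exchanges between A and B from sections 3.7.1 and 3.7.2 and the clear-signed S/MIME object described in this section, as an added shell example that is not part of this manual or of the SafeGuard MailGateway: it uses openssl cms (assumed to be installed, version 1.1.1 or newer) with two made-up self-signed certificates, and the party names, e-mail addresses, working directory and message text are all constructed.

```shell
#!/bin/sh
# Added example, not from the Sophos manual: the two-key procedure of
# sections 3.7.1 and 3.7.2 and the S/MIME objects of section 4.2, run with
# "openssl cms". Both parties get made-up self-signed certificates; paths,
# names and the message text are constructed. Needs openssl 1.1.1 or newer.
set -eu

# One party: a key pair plus a self-signed certificate carrying the public
# key. The private key stays in this party's own files.
make_party() {   # $1 = working directory, $2 = party name, $3 = e-mail address
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' >"$1/req.cnf"
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2/emailAddress=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# 3.7.1: the sender encrypts with the recipient's PUBLIC key. "openssl cms"
# generates a fresh AES session key, encrypts the message with it and wraps
# that session key with the public key from the recipient's certificate.
# -binary keeps the input bytes as they are (no S/MIME line-ending rewrite).
encrypt_for() {   # $1 = plaintext file, $2 = recipient certificate, $3 = output
  openssl cms -encrypt -binary -aes256 -in "$1" -out "$3" "$2"
}

# Only the matching PRIVATE key can unwrap the session key and so the message.
decrypt_with() {   # $1 = encrypted message, $2 = private key, $3 = certificate, $4 = output
  openssl cms -decrypt -in "$1" -inkey "$2" -recip "$3" -out "$4"
}

# 3.7.2: the sender signs with its OWN private key over a hash of the text.
# The default output is the clear-signed multipart/signed form of section
# 4.2: the text stays readable, the signature travels as a detached part.
sign_with() {   # $1 = plaintext file, $2 = signer private key, $3 = signer cert, $4 = output
  openssl cms -sign -in "$1" -signer "$3" -inkey "$2" -out "$4"
}

# The recipient checks the signature with the sender's public key, here by
# trusting the sender's certificate directly (direct trust, section 3.4.1).
verify_with() {   # $1 = signed message, $2 = sender certificate, $3 = output
  openssl cms -verify -in "$1" -CAfile "$2" -out "$3" >/dev/null 2>&1
}

# Demonstration run: A writes to B, then B answers A with a signed e-mail.
WORK="$(mktemp -d)"
make_party "$WORK" A a@example.com
make_party "$WORK" B b@example.com
printf 'Quarterly figures attached.\n' >"$WORK/msg.txt"

encrypt_for "$WORK/msg.txt" "$WORK/B.crt" "$WORK/a_to_b.p7m"     # A uses B's public key
decrypt_with "$WORK/a_to_b.p7m" "$WORK/B.key" "$WORK/B.crt" "$WORK/b_read.txt"   # B's private key
cmp -s "$WORK/msg.txt" "$WORK/b_read.txt" && echo "B decrypted A's e-mail"
# A's own private key cannot open an e-mail that was encrypted for B.
decrypt_with "$WORK/a_to_b.p7m" "$WORK/A.key" "$WORK/A.crt" "$WORK/x.txt" 2>/dev/null \
  || echo "A cannot decrypt it"

sign_with "$WORK/msg.txt" "$WORK/B.key" "$WORK/B.crt" "$WORK/b_signed.eml"   # B's private key
grep -q 'multipart/signed' "$WORK/b_signed.eml" && echo "clear-signed: text stays readable"
verify_with "$WORK/b_signed.eml" "$WORK/B.crt" "$WORK/a_checked.txt" && echo "A verified B's signature"
# One changed word in the signed text invalidates the signature.
sed 's/Quarterly/Annual/' "$WORK/b_signed.eml" >"$WORK/tampered.eml"
verify_with "$WORK/tampered.eml" "$WORK/B.crt" "$WORK/x.txt" || echo "tampered e-mail rejected"
```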

4.3. OpenPGP

OpenPGP was originally based on the symmetrical Triple DES, IDEA and CAST procedures, where the symmetrical keys are exchanged via Diffie-Hellman or RSA. In Europe, IDEA is protected by copyright. Licenses can be purchased from the company ASCOM. Sophos supplies the SafeGuard MailGateway without an IDEA license. Please contact us if you would like to find out more about using IDEA.

The public key, which must be present before a signature can be checked, is identified by a "fingerprint" (its cryptographic checksum) and a unique key ID. PGP is the oldest standard supported by SafeGuard MailGateway. The long and convoluted history of OpenPGP creates problems, for example when using IDEA (symmetrical encryption). Despite that, OpenPGP is still the most widely-used e-mail encryption standard. OpenPGP keys are the keys used for encrypting OpenPGP messages and for providing their digital signature. Recently, X.509 certificates have also come into use for OpenPGP. Your SafeGuard MailGateway does not support these solutions.

4.4. OpenPGP/MIME compared with OpenPGP/Inline

OpenPGP/MIME and OpenPGP/Inline describe the procedures for embedding OpenPGP (and GnuPG) data in e-mails. OpenPGP/MIME is a further development of the original OpenPGP/Inline procedure. OpenPGP/Inline was developed into OpenPGP/MIME for the following reasons: when OpenPGP was created, e-mails were basically still just unformatted messages in the style of telegrams. You could not send extended characters (é, ä, etc.), images or attachments in e-mails. To encrypt this kind of message, you take its contents, without the header and the subject line, i.e. just the pure, unformatted ASCII text. You then encrypt and, if required, sign this ASCII text in accordance with the PGP standard. The result is once again a pure ASCII message; this is called "armored ASCII". You may then send the message. This procedure is known as OpenPGP/Inline. It is still commonly used today, and most OpenPGP users still use it.

4.4.1. OpenPGP/Inline

The OpenPGP/Inline procedure has a number of disadvantages, which have already been mentioned:

• There is no clearly-defined way of handling extended characters (é, ä, etc.). Whether or not the recipient receives extended characters correctly depends entirely on which OpenPGP implementation is being used.

• There is no mechanism for e-mail attachments. The sender must encrypt attachments at file level before sending them. If not, the attachments are usually sent unencrypted. This is the most serious security problem, and one which the majority of OpenPGP users are not even aware of. Your SafeGuard MailGateway also encrypts these attachments.

• There is no mechanism for handling formatted e-mails (for example, HTML mails). Encrypted messages are often formatted as HTML after encryption, so the formatting is applied to the armored block and not to the actual contents. This is not the intended result and may result in a SafeGuard MailGateway or a client not recognizing the OpenPGP encryption and therefore not decrypting the e-mail.

To resolve these problems a new procedure was developed to harmonize encryption with e-mail formatting. In this procedure, encryption is defined as an extension of the MIME standard, which specifies how extended characters (é, ä, etc.), formatting and attachments are to be handled. This is why the standard is called OpenPGP/MIME.

4.4.2. OpenPGP/MIME

OpenPGP/MIME solves the problems mentioned above and has these advantages over the original PGP/Inline procedure:

• Attachments (for example, text, tables, PDFs, HTML documents, etc.) can be encrypted and signed.
• Non-ASCII characters such as accented characters (é, ä, etc.) can be used without creating any problems.
• The OpenPGP signature is separate from the e-mail text because it is included as an attachment. The benefits of this are:
  • The text is easier to read because it is not interrupted by the OpenPGP signature parts.
  • It is easier to create a reply because you do not need to delete the OpenPGP signature parts.
  • There are fewer errors, because a signed e-mail cannot be changed after the signature is added.

Unfortunately, there are still not many clients that are able to process OpenPGP/MIME e-mails. For that reason you still cannot simply format all outgoing e-mails with OpenPGP/MIME. From a cryptographic viewpoint, there are no significant differences between OpenPGP/Inline and OpenPGP/MIME.

The SafeGuard MailGateway supports both OpenPGP/MIME and OpenPGP/Inline. When OpenPGP e-mails are decrypted, the SafeGuard MailGateway automatically identifies which procedure has been used. Outgoing e-mails are usually encrypted with OpenPGP/Inline. You can change this in web management under "Services/SecurE-Mail/Details". If the SafeGuard MailGateway encrypts outgoing e-mails with OpenPGP/Inline, the file attachments are, of course, also encrypted. In the case of OpenPGP/Inline the SafeGuard MailGateway also attempts to preserve the character set that was used, so that extended characters (é, ä, etc.) can be displayed correctly after decryption. However, whether this works depends on the behaviour of the receiving side.

If the SafeGuard MailGateway decrypts an e-mail that was encrypted with OpenPGP/Inline, the contents of the OpenPGP/Inline message block are used as the body of the e-mail. In theory one e-mail may also contain several OpenPGP/Inline message blocks. In that case all the blocks are decrypted and stored as e-mail attachments. The plain text elements of the original e-mail are transferred as the e-mail body, with notes to show where the individual message blocks were inserted. OpenPGP/Inline is specified in the OpenPGP standard RFC 2440. OpenPGP/MIME is based on the OpenPGP standard and is specified in RFC 3156.

4.4.3. How does SafeGuard MailGateway handle MIME e-mails with OpenPGP/Inline?

As described above, formatted e-mails cannot be processed correctly with OpenPGP/Inline. Formatted e-mails are e-mails whose bodies were formatted with HTML or a similar format (for example, PDF). A single formatted e-mail can also contain the body in different formats at the same time (for example, HTML + ASCII). The SafeGuard MailGateway can process this type of e-mail with OpenPGP/Inline by removing the formatted variants of the body and processing the ASCII part cryptographically. It does so to encrypt and sign outgoing e-mails and also to decrypt and check the signature of incoming e-mails. This ensures that the recipient's client can process the e-mails in the best way possible.

For pure HTML e-mails the SafeGuard MailGateway checks whether the HTML body consists of an OpenPGP message block that was converted from ASCII to HTML after encryption. This kind of formatting is more commonly found when e-mail dispatch and encryption are handled by an OpenPGP plug-in in the sending client. In such cases the SafeGuard MailGateway can attempt to extract the OpenPGP message block from the HTML code and then decrypt it. To do this the SafeGuard MailGateway uses heuristic methods, because the HTML code can, in theory, be arbitrarily complex. For this reason, there is no guarantee of success with this method. As it involves access to the e-mail contents, this function is usually switched off. You can activate it via the "Services/SecureEmail/Details" menu item.
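As an added example (not Sophos code; it uses only the Python standard library and constructed sample messages, not captured traffic): how a gateway can tell apart the formats described in Sections 4.2 to 4.4.3, namely S/MIME clear-signed and opaque messages, OpenPGP/MIME (RFC 3156) and OpenPGP/Inline, including the two edge cases the text mentions: several inline blocks in one body, which are separated and replaced by notes, and an armored block that a client converted to HTML after encryption, which is recovered heuristically by stripping tags. The names classify, extract_inline_blocks, armor_from_html, build_sample and the sample labels are this example's own.

```python
import re
from email import message_from_string
from email.message import Message
from html import unescape
from typing import Dict, List, Optional, Tuple

# Delimiters of an OpenPGP/Inline block (RFC 2440 ASCII armor) inside a text body.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP (?:MESSAGE|SIGNED MESSAGE)-----.*?"
    r"-----END PGP (?:MESSAGE|SIGNATURE)-----",
    re.DOTALL,
)
TAG_RE = re.compile(r"<[^>]+>")
SMIME_SIGNATURE = ("application/pkcs7-signature", "application/x-pkcs7-signature")
SMIME_OPAQUE = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def extract_inline_blocks(text: str) -> Tuple[str, List[str]]:
    """Split a body into its plain-text remainder and its armored blocks.
    Each block is replaced by a note marking where it stood (several blocks
    in one e-mail end up as attachments, as the manual describes)."""
    blocks: List[str] = []

    def note(match) -> str:
        blocks.append(match.group(0))
        return f"[OpenPGP message block {len(blocks)} moved to attachment]"

    return ARMOR_RE.sub(note, text), blocks


def armor_from_html(html: str) -> Optional[str]:
    """Best-effort recovery of an armored block that a client converted to HTML:
    line-breaking tags become newlines, other tags are dropped, entities decoded.
    Arbitrary HTML can defeat this; None means no block was found."""
    text = re.sub(r"(?i)<br\s*/?>|</p>|</div>", "\n", html)
    text = unescape(TAG_RE.sub("", text))
    found = ARMOR_RE.search(text)
    return found.group(0) if found else None


def text_of(part: Message) -> str:
    raw = part.get_payload(decode=True) or b""
    return raw.decode(part.get_content_charset() or "utf-8", "replace")


def classify(msg: Message) -> str:
    """Name the protection format the gateway would have to handle for this message."""
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol") or "").lower()
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "openpgp/mime"                  # RFC 3156, encrypted
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        return "openpgp/mime-signed"           # RFC 3156, detached signature
    if ctype == "multipart/signed" and proto in SMIME_SIGNATURE:
        return "smime/clear-signed"            # text part readable by any client
    if ctype in SMIME_OPAQUE:
        return "smime/opaque"                  # enveloped or opaque-signed CMS blob
    for part in msg.walk():                    # OpenPGP/Inline in a plain-text body ...
        if part.get_content_type() == "text/plain" and ARMOR_RE.search(text_of(part)):
            return "openpgp/inline"
    for part in msg.walk():                    # ... or only inside an HTML body
        if part.get_content_type() == "text/html" and armor_from_html(text_of(part)):
            return "openpgp/inline-html"
    return "unprotected"


def build_sample(content_type: str, body: str) -> Message:
    """Constructed sample message (not captured traffic)."""
    return message_from_string(f"From: a@example.test\nTo: b@example.test\nSubject: t\n"
                               f"Content-Type: {content_type}\n\n{body}")

# The armored payload below is a dummy string, not real OpenPGP data.
ARMOR = "-----BEGIN PGP MESSAGE-----\n\nQ09OU1RSVUNURUQ=\n=abcd\n-----END PGP MESSAGE-----"
SAMPLES: Dict[str, Message] = {
    "inline": build_sample("text/plain", f"Figures below.\n{ARMOR}\nRegards,\n{ARMOR}\n"),
    "inline_html": build_sample("text/html", "<p>" + ARMOR.replace("\n", "</p><p>") + "</p>"),
    "pgp_mime": build_sample(
        'multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"',
        "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
        f"--b\nContent-Type: application/octet-stream\n\n{ARMOR}\n--b--\n"),
    "smime_clear": build_sample(
        'multipart/signed; protocol="application/pkcs7-signature"; boundary="s"',
        "--s\nContent-Type: text/plain\n\nReadable without S/MIME support.\n"
        "--s\nContent-Type: application/pkcs7-signature; name=\"smime.p7s\"\n"
        "Content-Transfer-Encoding: base64\n\nQ09OU1RSVUNURUQ=\n--s--\n"),
}


def classify_samples() -> Dict[str, str]:
    return {name: classify(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print(f"{name:12s} -> {kind}")
    body, blocks = extract_inline_blocks(text_of(SAMPLES["inline"]))
    print(body, f"({len(blocks)} block(s) moved to attachments)")
```

The HTML path only handles tag-wrapped and entity-encoded armor; like the gateway's own heuristic it can fail on more elaborate markup, and it then returns None rather than guessing. The MIME checks, by contrast, need no heuristics because RFC 3156 and the S/MIME content types label the structure explicitly.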

4.5. PrivateCrypto

PrivateCrypto is a software product that groups a number of files and folders into a single archive and compresses them. This archive is then symmetrically encrypted. The symmetrical key is derived from a password. PrivateCrypto is encryption software that was originally developed by Utimaco. It is now distributed under the name Sophos Free Encryption: http://www.sophos.com/en-us/products/free-tools/sophos-free-encryption.aspx

Encryption with PrivateCrypto

The SafeGuard MailGateway can generate this type of archive from an e-mail. To do this it stores the e-mail's text in one or more files. These files, along with all the file attachments, are then packed together into a PrivateCrypto archive. The archive is encrypted with a password.

The SafeGuard MailGateway then sends an e-mail that consists of a short note text and the PrivateCrypto archive as an attachment.

Decryption with PrivateCrypto

The SafeGuard MailGateway can decrypt incoming e-mails that carry a PrivateCrypto archive and then pass on the files that these archives contain as regular attachments. The SafeGuard MailGateway has a database for that purpose, in which the passwords are administered according to sender and recipient. E-mails that were encrypted with PrivateCrypto can additionally be signed with either S/MIME or OpenPGP. This is a good idea if the sender has the appropriate key but the recipient does not.

4.6. PDFMail

PDFMail is a procedure that provides external communications partners with an easy way to exchange encrypted e-mails. The procedure is based on the PDF file format. The recipient only needs a tool to open PDF documents. We recommend that you use Adobe® Reader®, Version 8 or later.

When an e-mail for a recipient is encrypted with PDFMail on the SafeGuard MailGateway for the first time, these steps are performed: The SafeGuard MailGateway evaluates the secure e-mail rules configured on it, or the subject line command, and then saves the e-mail, including all attachments, in an encrypted PDF file. It uses the AES algorithm for encryption. At the same time the SafeGuard MailGateway generates a password for the encrypted PDFMail. The recipient receives an e-mail that contains the PDF file that was generated and encrypted by the SafeGuard MailGateway. They can use their PDF reader and the password that the sender has told them, by phone for example, to decrypt the PDF file, read it, and also save any attachments separately.

At the same time the recipient is sent a link. When this link is selected, a secure HTTPS connection is opened from the recipient's default browser to a web page on the SafeGuard MailGateway. The PDFMail recipient can log on to this web page with their e-mail address and the password with which they opened the PDFMail. After successful login the recipient can write their reply to the sender of the PDFMail and send it to them. It is not possible to change the sender or recipient of the PDFMail. It is not possible to change the subject line. The sender of the reply can also send themselves a copy of the reply as a PDFMail.

4.7. Password Management in PrivateCrypto and PDFMail

The password for PrivateCrypto and PDFMail is generated for each recipient individually. It is configurable whether a different password is generated for each sender and recipient pair, or whether one recipient has one password, independent of the sender.

4.7.1. Password handling

The SafeGuard MailGateway can obtain the password for encryption with PDFMail or PrivateCrypto in the following ways:

• Subject line command or secure e-mail set of rules:
  • If encryption with PDFMail or PrivateCrypto is triggered with a command in the subject line, you can also specify a password there.
  • In the set of rules for the secure e-mail service you can store a specific password in the rule for the recipient. Whenever an e-mail to this recipient is encrypted with PrivateCrypto or PDFMail, the SafeGuard MailGateway uses this password.
• A password already exists because the sender and recipient have previously exchanged at least one e-mail with each other using PrivateCrypto or PDFMail.
• If there is no password, because none has been defined either in the subject line or in the set of rules, the SafeGuard MailGateway generates a random password. This password is first sent to the sender in an unencrypted e-mail. The sender can then tell the recipient the password, for example by phone.
• An alternative to password generation is self-registration, where the recipient chooses their own password.

The SafeGuard MailGateway only generates a new password (for the combination of sender and recipient) if the sender specifically requests this via the subject line control functionality, or if this is the first time that the sender sends an e-mail encrypted with PrivateCrypto or PDFMail to the recipient. In the case of PrivateCrypto the recipient must also encrypt their PrivateCrypto archive with the same password that the sender used, so that the SafeGuard MailGateway can decrypt the reply when it receives it. Your SafeGuard MailGateway stores the passwords that have been generated for PrivateCrypto and for PDFMail.

In the case of PDFMail the recipient can use the password with which the PDFMail was encrypted to log on via a secured HTTPS connection and respond to the PDFMail securely.

4.7.2. Self-registration

With self-registration the e-mail is not sent immediately, but queued on the SafeGuard MailGateway. Instead, the recipient first receives a registration e-mail with a link. Using this link, the recipient can choose their own password. As soon as the password is available on the SafeGuard MailGateway, the e-mail is processed and sent. The link for self-registration is similar to the one used for PDF-Reply. Therefore, self-registration can only be used if you also permit PDF-Reply.

The advantage of self-registration is that password management happens without the participation of the internal sender. The sender does not need to worry about how to transmit the password to the recipient safely. However, self-registration weakens the security a little. If an attacker is able to intercept e-mails, they can intercept the registration e-mail and assign the password themselves. If they then also intercept the subsequent PDFMail, they can decrypt it easily.

4.7.3. Using an SMS Gateway

The SafeGuard MailGateway can also address an SMS gateway. In this case, the generated password is not sent to the sender but to the SMS gateway. In addition to the password, the mobile number must be handed over to the SMS gateway. There are two ways in which the SafeGuard MailGateway obtains the mobile number:

• The sender can transfer the phone number by using a subject line command.
• You can use a custom script, for example to query an internal address database: /usr/local/bin/get_phone_number_by_email.sh. The script is called with the e-mail address of the recipient as an argument and is expected to print the mobile number as its output.

If an SMS gateway is configured and a phone number is available, the password is sent to the SMS gateway. Otherwise, the password is sent to the sender. The subject line and content of the e-mail sent to the SMS gateway are defined in the "secure-mail messages". How to adjust these is described in Section 25.20. The corresponding IDs are _SMSEmailSubject and _SMSEmailBody.
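The password handling of Sections 4.7.1 and 4.7.3, as an added example that is not Sophos code: the order of precedence (password from the subject line command or the recipient's rule, then a stored password from an earlier exchange, then a freshly generated one, regenerated only on explicit request), the choice between one password per recipient and one per sender/recipient pair, and the delivery decision between the SMS gateway and an e-mail to the sender. The PasswordStore class, its resolve method, password_delivery_route and the phone-number check are this example's own; the script path /usr/local/bin/get_phone_number_by_email.sh is the one named above, called with the recipient address as its single argument and expected to print the number, as the manual states.

```python
import re
import secrets
import string
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits
PHONE_RE = re.compile(r"^\+?[0-9]{6,15}$")     # digits only, optional leading '+'


def generate_password(length: int = 12) -> str:
    """Random password from the OS CSPRNG (module `secrets`, never `random`)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class PasswordStore:
    """One password per recipient, or per (sender, recipient) pair if configured."""
    per_sender_pair: bool = True
    _store: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def _key(self, sender: str, recipient: str) -> Tuple[str, str]:
        return (sender.lower() if self.per_sender_pair else "", recipient.lower())

    def resolve(self, sender: str, recipient: str, explicit: Optional[str] = None,
                force_new: bool = False) -> Tuple[str, bool]:
        """Return (password, is_new) in the manual's order of precedence:
        1. a password given in the subject line command or in the recipient's rule,
        2. a password already stored from an earlier PrivateCrypto/PDFMail exchange,
        3. otherwise a freshly generated one; force_new regenerates on request."""
        key = self._key(sender, recipient)
        if explicit:
            self._store[key] = explicit
            return explicit, False
        if key in self._store and not force_new:
            return self._store[key], False
        password = generate_password()
        self._store[key] = password
        return password, True


def script_lookup(script_path: str) -> Callable[[str], Optional[str]]:
    """Wrap a custom lookup script that prints the mobile number for an address.
    The address is passed as a separate argv element, never interpolated into a
    shell command line, and the output is accepted only if it looks like a number."""
    def lookup(recipient: str) -> Optional[str]:
        proc = subprocess.run([script_path, recipient], capture_output=True,
                              text=True, timeout=10, check=False)
        number = proc.stdout.strip()
        return number if proc.returncode == 0 and PHONE_RE.match(number) else None
    return lookup


def password_delivery_route(sender: str, recipient: str, sms_gateway_configured: bool,
                            subject_phone: Optional[str] = None,
                            lookup: Optional[Callable[[str], Optional[str]]] = None
                            ) -> Tuple[str, str]:
    """Where a newly generated password goes: ("sms", number) or ("mail", sender)."""
    phone = subject_phone
    if phone is None and lookup is not None:
        phone = lookup(recipient)
    if sms_gateway_configured and phone and PHONE_RE.match(phone):
        return "sms", phone
    return "mail", sender                        # fallback: unencrypted e-mail to the sender


if __name__ == "__main__":
    store = PasswordStore(per_sender_pair=True)
    password, is_new = store.resolve("alice@example.test", "bob@partner.test")
    lookup = script_lookup("/usr/local/bin/get_phone_number_by_email.sh")
    try:
        route = password_delivery_route("alice@example.test", "bob@partner.test",
                                        sms_gateway_configured=True, lookup=lookup)
    except OSError:                              # script absent on this host
        route = password_delivery_route("alice@example.test", "bob@partner.test",
                                        sms_gateway_configured=False)
    print(f"password {'generated' if is_new else 'reused'}; deliver via {route[0]} to {route[1]}")
```

Validating the script's output before handing it to the SMS gateway matters because the script queries an address database of your own; a malformed or empty result falls back to the sender, which is exactly the behaviour the manual describes when no phone number is available.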

5 Central E-mail Security

The philosophy behind central e-mail security is that all outgoing e-mails are encrypted by the SafeGuard MailGateway in a central location, and all incoming e-mails are also decrypted by the SafeGuard MailGateway at a central location. As a result, central e-mail security is completely independent of the e-mail client in use. Central e-mail security means that the security policy can be implemented centrally by a set of rules that cannot be bypassed. It is therefore extremely important that the SafeGuard MailGateway is integrated into the SMTP chain. The SafeGuard MailGateway is used to encrypt e-mails and to assign a digital signature to them. The SafeGuard MailGateway must be set up between the e-mail sender and the e-mail recipient so that encryption and digital signing can be performed at a central location. The SafeGuard MailGateway normally transfers e-mails within the in-house network in plain (unencrypted) text and transfers e-mails on the Internet in encrypted form.

Despite the SafeGuard MailGateway, most e-mails on the Internet are not encrypted, because the external communications partners (external users) do not support e-mail encryption. For the sake of simplicity we will not mention this again when describing encryption on the Internet in later sections. The general functionality of the SafeGuard MailGateway looks like this:

Figure 5.1. E-mail gateway functionality

In this figure the split between External and Internal is purely logical. It is not at all unusual for a SafeGuard MailGateway to be equipped with only one network connection, with both the encrypted external communication and the unencrypted internal communication running over this connection.

6 SafeGuard MailGateway Functional Integration

The facts that the SafeGuard MailGateway needs to be present in the internal network, and that e-mails are encrypted externally, produce the following setup for your e-mail infrastructure:

Figure 6.1. Functional setup

This is the usual functional setup. However, you can always modify your physical infrastructure to suit your individual requirements.

6.1. Use as an internal SafeGuard MailGateway

If you also want to secure communications in your internal network by e-mail encryption, you can use an internal SafeGuard MailGateway in addition to, or instead of, the "external" SafeGuard MailGateway described above. This results in the following configuration in the internal network:

Figure 6.2. Internal e-mail gateway

This concept of an external and an internal SafeGuard MailGateway combines the benefits of gateway-based encryption and end-to-end encryption:

• The e-mails are protected both in the external and in the internal network.
• You can perform central filtering (for example, for viruses).
• The heterogeneous nature of the Internet (S/MIME, OpenPGP, PDFMail, PrivateCrypto, various manufacturers) is covered by the external SafeGuard MailGateway.
• The homogeneous nature of the internal network (S/MIME or OpenPGP, only the SafeGuard MailGateway and its own client) reduces interoperability problems on the client.

There is, of course, the limitation that e-mails between the external and the internal SafeGuard MailGateway are sent in plain (unencrypted) text. This is where this method differs from true end-to-end encryption. We recommend using S/MIME as the encryption protocol in your internal network, because it is directly supported by most standard clients (for example, Outlook). Apart from that, it avoids various problems that may arise in connection with PGP/Inline.

6.2. Integrating the SafeGuard MailGateway in your firewall

As the SafeGuard MailGateway stores extremely confidential information (your private key), you should ensure it is well protected both physically and electronically. To do this you should set it up in your internal network or in the DMZ of your firewall. We strongly recommend protecting the SafeGuard MailGateway against any unauthorized access, whether from outside or inside your company.

6.3. The SafeGuard MailGateway with routing

This figure shows a typical network topology. However, you can use other network topologies.

Figure 6.3. Network topology

Before you can administer the SafeGuard MailGateway from your workstation via web management, or via the console, you must enter a router's IP address when you install the SafeGuard MailGateway. You do not need to enter this address if you are not using a router between the SafeGuard MailGateway and your workstation. If one internal and one external router are used, as shown above, the example configuration must be reconfigured, using web management, after installation. See "Routing" in Section 15.1.

6.4. DNS connection

As you saw in the previous sections, the SafeGuard MailGateway can access both internal and external networks, and therefore also their DNS servers, to translate host names into IP addresses and vice versa. The next subsections describe the individual configuration options.

6.4.1. The SafeGuard MailGateway as a DNS client

Let us suppose you want to access one DNS server or one cluster of DNS servers. Such a cluster consists of several DNS servers, which all give the same responses. To do so, enter the IP address of your external DNS server as the DNS Server under Network in web management. If you run a DNS cluster, you can enter up to three IP addresses here and so also ensure a high level of availability.

6.4.2. No access to DNS server

In some situations you do not need DNS queries at all, e.g. if you run a SafeGuard MailGateway where all incoming and outgoing e-mails are always transferred to one (or a few) e-mail servers. You can configure this in the mailer table (see below). Running the SafeGuard MailGateway without DNS has the following benefits compared to the variant described in the previous subsection:

• The SafeGuard MailGateway itself cannot be attacked with manipulated DNS responses.
• The SafeGuard MailGateway does not depend on the availability of the DNS server.
• No resources are required for DNS queries.

To do so, do not enter anything as the DNS Server under Network in web management. You must also modify the Postfix configuration so that Postfix can deliver e-mails and alarm messages correctly without DNS. To do so, configure the mailer table as described in the online help so that all e-mails can be delivered. There you also have to enter the e-mail address for alarm messages.

6.5. High availability/load distribution/clusters

A SafeGuard MailGateway should always be the only interface between the external network (Internet) and the internal network (LAN) that is to be protected. It is obvious that in this situation the SafeGuard MailGateway represents both a bottleneck and a possible weak point for the entire SMTP chain. As a result the availability demands made on the SafeGuard MailGateway are extremely high. To ensure that the SafeGuard MailGateway can meet the required levels of availability, it should be arranged in a redundant configuration. The SafeGuard MailGateway can be set up as a cluster so that it can meet the high demands for availability made on it.

There are two ways to set up a cluster with SafeGuard MailGateway:

1. Cluster model with internal database

2. Cluster model with external database

6.5.1. Cluster with internal database

You can run a cluster with the internal databases. Such a cluster may only contain two SafeGuard MailGateways. An internal replication service transfers any change from one database to the other database automatically. The following figure shows a cluster model for one location with internal databases.

Figure 6.4. Internal databases

To protect the replication, which can contain private keys, the communication between the two SafeGuard MailGateways is secured by SSL (Secure Sockets Layer). The cluster model without an external database can also be realized with several locations. The following figure shows an example:

Figure 6.5. Several locations

In this cluster model you have two SafeGuard MailGateways which offer a redundant database. For a cluster with more than two gateways, all the other gateways use these two SafeGuard MailGateways as external databases. These connections are also secured by SSL.

6.5.2. Cluster with external database

This figure shows one possible arrangement of a cluster model with the SafeGuard MailGateway.

Figure 6.6. Cluster model

In this model (1 site) all the keys and certificates, including all the rules for the ESMTP and secure e-mail services, are stored in a central database. The central database synchronizes all the data for both SafeGuard MailGateways. Secure access to the database server is achieved by SSL (Secure Sockets Layer). This cluster model can also be implemented across several locations, as shown in the next figure. We have not shown the backup LDAP servers here, so that the graphic does not look too crowded. If several sites are involved, it is, of course, a good idea not to load all the keys and rules for the ESMTP and secure e-mail services onto one single LDAP server.

Figure 6.7. Central database

As shown in this cluster model (1 site), the keys and certificates, including all the rules for the ESMTP and secure e-mail services, are stored in one central database. All the data for all SafeGuard MailGateways is synchronized in this central database. Secure access to the database server is achieved by SSL (Secure Sockets Layer).

6.6. The SafeGuard MailGateway's operating system

We decided to use the Linux operating system so that the operating system can easily be modified to meet our (and your) security requirements.

7 Administering the SafeGuard MailGateway

The next sections give a short overview of the various options you can use to administer the SafeGuard MailGateway.

7.1. Web management

The SafeGuard MailGateway is usually administered via a browser, over the network. To protect this sensitive process, communications between the admin PC and the SafeGuard MailGateway are encrypted with SSL (Secure Sockets Layer). Passwords are also used to provide secure authentication between the SafeGuard MailGateway and the administrator. This guarantees that both access to the SafeGuard MailGateway and the connection to the SafeGuard MailGateway are protected. The SafeGuard MailGateway is addressed via port 59. You must therefore enter ":59" at the end of the IP address or host name (example: http://SGMG.company.de:59).

7.2. Console and file transfer

In everyday situations you will usually only need web management to administer the SafeGuard MailGateway. In some cases you can administer the SafeGuard MailGateway either via web management or via the console. However, there are circumstances under which you will have to access Linux via the console. These include:

• restoring a backup
• saving logs
• evaluating logs on the SafeGuard MailGateway
• examining unread e-mails
• ...

You can access the console locally via the keyboard and the monitor. However, this is not usually very convenient because the SafeGuard MailGateway is normally installed in a server room. This is why you can also access the console over the network, via an SSH (Secure Shell) connection. SSH enables cryptographically secure communication over insecure networks: it provides a high level of security and reliable mutual authentication of the communication partners, and it guarantees the integrity and confidentiality of the exchanged data, for example when files are transferred with SCP (Secure Copy) during remote administration via the Internet. When you install the SafeGuard MailGateway an SSH key is generated for it.

To log onto the SafeGuard MailGateway via SSH you usually use the root password that you assigned during installation. We recommend that you generate an SSH user key, and then use it to perform key-based client authentication.

7.3. Central Administration

Just as a company's security policy can be implemented in one central location (in the SafeGuard MailGateway), central e-mail security administration can also be performed in one place (in the SafeGuard MailGateway). The usual situation in decentralized e-mail security is that the security software has to be installed and administered on each e-mail client so that e-mail security throughout your company can be guaranteed. If the SafeGuard MailGateway is installed there is no longer any need for this complicated and very time-consuming administration method.

7.4. Role-based administration

With role-based administration you can distribute SafeGuard MailGateway administration tasks via web management to several users (referred to below as "administrators"). In this way, one or more roles can be assigned to each administrator. In SafeGuard MailGateway, seven roles with fixed functions assigned to them have been created for this purpose. These roles cannot be changed. In detail, the roles are:

Administrator: is allowed to do everything

Network Operator: changes network settings

User Operator: administers S/MIME or OpenPGP users

CA Operator: administers CA certificates

Policy Operator: changes the policy or the set of rules (ESMTP and secure e-mail)

System Operator: carries out configurations, creates backups, reboots the system, performs status queries, changes the operating state

Auditor: monitors everything but cannot change anything

Only users who have the role of "Administrator" can assign roles to individual administrators and remove them again if required. Any user who has the role of "Administrator" can create an account for other administrators (login name and password). Several roles can then be assigned to this account. More than one account can also be created for one individual role. When an administrator logs on with an account to which one or more roles have been assigned, only those areas in web management that belong to that role are released for them. They cannot process any other areas.

7.5. Multi-domain capability

SafeGuard MailGateway has multi-domain capability, which means that one or more domains or subdomains can be administered from one central location. To do so, the SafeGuard MailGateway supports several internal e-mail servers. In the SafeGuard MailGateway's set of rules you can specify how e-mails from users of specific domains are to be handled. This figure illustrates the SafeGuard MailGateway's multi-domain capability.

Figure 7.1. Multi-domain capability

7.6. Time synchronization

It is important that the SafeGuard MailGateway's system time is correct. This is the only way of ensuring that log entries can be sorted correctly. Accurate timekeeping is also critical for secure e-mails and certificate-based authentication. For this reason the SafeGuard MailGateway can synchronize its system time via NTP (Network Time Protocol). If NTP is not available, the hardware clock can still be calibrated via the more precise, but not permanent, software clock. In addition, during installation, you can select the time zone the SafeGuard MailGateway is to use. You must do this so that the SafeGuard MailGateway can communicate correctly via the Internet with systems in other parts of the world. The SafeGuard MailGateway can also automatically switch to summer time. You can also change the time zone later in the clock-admin program. In web management under Network you can enter one or more NTP servers with which the SafeGuard MailGateway should regularly synchronize itself.

Please note that NTP communication is usually not protected. For this reason we recommend that you access an internal NTP server with a radio clock rather than accessing a public NTP server on the Internet.

NTP is mandatory for the cluster.

7.7. The logbook

The log is the central point where all events that take place on the SafeGuard MailGateway are collected. All the events on your SafeGuard MailGateway are written to a central log to give you a uniform and complete overview of them.

7.7.1. The technical structure of the logbook

The SafeGuard MailGateway provides an extended log mechanism which has all the options of the usual UNIX syslog service that you find on normal UNIX systems, and many more. The log system was extended so that it can also process large numbers of log entries very quickly. This figure shows the log data flow (in the direction of the arrows) on the SafeGuard MailGateway:

Figure 7.2. Logbook

The applications send their log messages to the log daemon (program name logd). The log daemon writes the log entries to the central log in the /var/log folder. The packlog script compresses the logs under /var/log and moves them to /var/log/save. The export-log script uses the log2ascii program to convert the logs into ASCII format and exports them to the backup server. You can then either delete the exported logs or move them in binary format into the /var/log/exported folder. You use the log2ascii program to display the log in ASCII format in a Linux console or in web management.

7.7.2. The format of the log

For reasons of performance the log entries are stored in binary format. Each entry is 128 bytes long, of which 96 bytes are available for text. If a log message is longer, it is split up among several log entries. Each log file can be up to 1 MB in size; after that a new file is created. If the log daemon is interrupted or reconfigured, a log file may also be smaller. This is not an error. The file names of log files have this format:

gwlog.YYYY.MM.DD-hh.mm.ss.hh-c

The date (YYYY = year, MM = month, DD = day) and the time (hh = hour, mm = minute, ss = second, hh = hundredths of a second, c = counter, usually 0) at which the file was created, in UTC, are coded in the file name. When the files are sorted alphabetically they are automatically in chronological sequence. Compressed log files additionally have the file extension .gz.
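The naming scheme above lets an administrator pick the right files for a given time window without opening them. The following Python is an added example (not part of the manual or the product) that parses gwlog file names, checks the alphabetical-equals-chronological property and selects the files covering a UTC window; the directory listing it works on is constructed.

```python
import re
from datetime import datetime, timezone

# File-name pattern from the manual: gwlog.YYYY.MM.DD-hh.mm.ss.hh-c, plus ".gz" once packlog has compressed it.
GWLOG_RE = re.compile(
    r"^gwlog\.(?P<Y>\d{4})\.(?P<M>\d{2})\.(?P<D>\d{2})"
    r"-(?P<h>\d{2})\.(?P<m>\d{2})\.(?P<s>\d{2})\.(?P<cs>\d{2})"
    r"-(?P<c>\d+)(?P<gz>\.gz)?$"
)

# Constructed sample directory listing (not taken from a real gateway).
SAMPLE_NAMES = [
    "gwlog.2011.04.05-09.53.01.65-0",        # still open, being written by logd
    "gwlog.2011.04.04-23.59.59.99-0.gz",     # packed by packlog
    "gwlog.2011.04.05-08.00.00.00-0.gz",
    "messages",                              # a Syslog file, not a gwlog file
]


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp (convenience for callers)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_gwlog_name(name):
    """Return (creation time as UTC datetime, counter, compressed) or None for a foreign file name."""
    m = GWLOG_RE.match(name)
    if m is None:
        return None
    created = datetime(
        int(m["Y"]), int(m["M"]), int(m["D"]),
        int(m["h"]), int(m["m"]), int(m["s"]),
        int(m["cs"]) * 10_000,          # hundredths of a second -> microseconds
        tzinfo=timezone.utc,            # the manual states the stamp is UTC
    )
    return created, int(m["c"]), m["gz"] is not None


def gwlog_files_sorted(names):
    """gwlog files in chronological order; for this naming scheme that equals alphabetical order."""
    parsed = [(p[0], p[1], n) for n in names if (p := parse_gwlog_name(n)) is not None]
    return [n for _, _, n in sorted(parsed)]


def files_covering(names, start_utc, end_utc):
    """Log files that may contain entries from the window [start_utc, end_utc].

    Each file spans from its own creation time to the creation time of the next file;
    the newest file is taken to be the one logd still has open.
    """
    ordered = gwlog_files_sorted(names)
    created = [parse_gwlog_name(n)[0] for n in ordered]
    selected = []
    for i, name in enumerate(ordered):
        if created[i] > end_utc:
            break                      # all later files were created after the window
        nxt = created[i + 1] if i + 1 < len(ordered) else None
        if nxt is None or nxt >= start_utc:
            selected.append(name)
    return selected
```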

7.7.3. The format of a log entry

Every log message contains this information:
• A SafeGuard MailGateway ID, an integer used to identify the SafeGuard MailGateway. This number (always =000) is of interest if you want to administer the log entries of several SafeGuard MailGateways.
• The point in time when the log entry was generated. The date and time (including hundredths of seconds) according to the SafeGuard MailGateway's local time are displayed.
• A counter which is incremented by the process that generated the message. This allows you to identify each message within a process.
• The application ID, which refers to the program that generated the log entry. Sophos' own applications have individual IDs.
• An event ID which classifies the event in more detail.
• A process ID that enables you to identify each individual process on the SafeGuard MailGateway. This is the usual Linux kernel process ID. Note that this number is limited to 16 bits: when all of the approximately 65,535 values have been used, the Linux kernel starts counting again from 1. For this reason you should always combine the process ID with the approximate point in time to identify an exact process.
• A freely definable text containing the actual information of the log entry.

7.7.4. The log2ascii program

The log2ascii program can be used to convert logs from their internal binary format into a readable ASCII format. log2ascii has extensive setting options that allow you to filter out specific log entries and to influence how much information is displayed.


7.7.5. The packlog script

The packlog script is called quite simply without any parameters. It takes all the current logs from the /var/log folder, compresses them and moves them to /var/log/save. You should never perform these steps directly; always use the packlog script. The reason for this is that the log daemon always has one file open in the /var/log folder so that it can write new log entries. Log entries may be lost if you simply copy and compress this file. The packlog script carries out these steps in such a way that no log entries can go missing. The packlog script also writes its own log entries so that any problems that may arise can be tracked via the log. The packlog script is called every night by the cron service. However, you can also call the script yourself at any time.

7.7.6. Exporting the log automatically

The SafeGuard MailGateway can automatically export the compressed logs in the /var/log/save/ folder to an external server. The logs are saved and archived there. To export the logs, call the export-log script. Just like when packlog is used to pack the logs, the logs are exported every night by the cron service.

7.8. The CentOS logbook

The system applications and the kernel use the standard Syslog mechanism to record system-related events. Syslog stores its log files in the /var/log folder. These files are normal text files which can be displayed with any editor. The logrotate function ensures that the log files generated by Syslog are stored in chronological sequence. After a maximum of 30 days the log files are compressed and moved to /var/log/save. Syslog is configured in the /etc/syslog.conf file and logrotate is configured in the /etc/logrotate.d/ directory.


Figure 7.3. CentOS Logbook

The system services used by SafeGuard MailGateway log data in separate files. These files are assigned names that follow the pattern "gateway……log". The table below gives an overview of the most important system applications:

System application            Log file                           Description
Internal (LDAP) database      /var/log/gateway-database.log      All data relevant to the internal LDAP server.
Web management                /var/log/gateway-webmgnt.log       Everything that the Apache service records for web management.
HKP key server and PDF Reply  /var/log/gateway-httpdextern.log   Everything that the Apache service records for the HKP server and for PDF Reply.
yum                           yum.log                            Shows which packages have been installed. If, for example, an update has been installed, this records which update it was and when it was installed.
maillog                       /var/log/maillog                   Postfix log file showing the sent status of e-mails.
cron                          /var/log/cron                      Service that performs tasks on a regular basis.
messages                      /var/log/messages                  All other system and kernel messages.

7.8.1. Log and alarm messages

The log contains normal log messages and messages that the administrator must take notice of immediately because they mean an error has occurred on the SafeGuard MailGateway which requires a quick reaction. The system classifies this type of message as an alarm message; a corresponding value is set in the flags. Alarm messages are written to the log in the same way as normal log messages so that you have a summary of all the messages in the same place. In addition, a program is run for each alarm message to give the administrator the most current information. This is usually the script /usr/bin/Gateway/spm_mail.sh. This script creates an e-mail from the data fields of the log entry and sends it to the e-mail address you entered in web management. If you did not enter an e-mail address for alarm messages in web management these messages are not sent out: they only appear in the log, where they might easily be missed. This will also cause the Postfix spool folder to fill up quickly. You can also replace this script with your own program to further integrate the SafeGuard MailGateway into your IT infrastructure's existing monitoring systems. The parameters passed to this script are documented in the script itself. This example shows an alarm message that was generated by SafeGuard MailGateway and sent as an e-mail:

From: [email protected]
To: [email protected]
Subject: [Alarm from SGMG.company.de]

Alarm Message from gateway "SGMG.company.de"
Flags:        0003
Gateway:      00000000
Date:         05.04.2011
Time:         09:53:01.65
Application:  System
Counter:      0
Event ID:     EF03
Priority:     Warning
Group:        Syslog
Process ID:   545
Text:         init.d/gateway: Shutting down gateway operation!

The e-mail includes all the most important fields from the original log message. Priority and Group are classifications that are calculated from the Event ID.

7.9. Subject line control

In a normal situation the set of rules for the secure e-mail service controls e-mail encryption. This set of rules should be designed in such a way that the majority of your e-mails are processed in the most suitable manner. Despite this, in real life, it may sometimes be necessary to override the SafeGuard MailGateway specifications for individual e-mails. The SafeGuard MailGateway uses the subject line for that purpose, because it can be edited in every e-mail client. This ensures interoperability of the SafeGuard MailGateway with any e-mail client that matches the SafeGuard MailGateway's basic concept. The sender of the e-mail can enter commands in the Subject line by putting them in curly brackets { } and placing them at the beginning of the line:

Subject: {These are the subject commands} This is the actual subject line.

If "Subject commands permitted" is selected in the rule for the sender, then the SafeGuard MailGateway will extract the commands from the subject line. The e-mail recipient will then receive the subject line without the command:

Subject: This is the actual subject line

Subject line control must be specifically permitted in the rule for the sender. If subject line control is not only to be permitted, but is also to override the rule, then this must be specifically specified in the rule for the sender. "Subject commands permitted" means that subject line control is permitted, but a rule that matches the e-mail cannot be overridden. This setting is appropriate in the following example:

If you want your keyring to be sent to a particular recipient, you can enter the {send_key} command in the subject line. If subject line control is permitted, but cannot override a rule, then the e-mail is returned to the sender if the contents of the subject line differ from what is specified in the rule. The e-mail is only sent if the contents of the subject line are identical to what is specified in the rule. "May override policy" can only be used in combination with "Subject commands permitted" and means that the sender of the e-mail can use subject line control to override the secure e-mail rule.

After the SafeGuard MailGateway has extracted the subject command it attempts to interpret it. You can enter several commands at once, each separated by a blank space. In this situation the commands can be in any sequence as long as they do not contradict each other. If a command contradiction occurs, the last command is used. An exception to this is the command for encryption with PrivateCrypto or PDFMail: if this command is followed by a word (blank space as the delimiter), this word is used as the password for encryption with PrivateCrypto or PDFMail. As a consequence, these passwords must not contain blank spaces.

There is a range of commands that you can configure in web management under Services → Secure-Mail → Commands. If you do not enter a key word for a command, this command will not be available to your users. You can also enter several synonymous key words for one command. Please ensure that you do not use extended characters (é, ä, etc.) in your subject commands and passwords.
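The rules just described (commands in curly brackets at the start of the subject, last contradictory command wins, a password word after PDFMail/PrivateCrypto, "permitted" versus "may override") are worked through in the following added Python example, which is not the product's own code. Only {send_key} is taken from the manual; the other keywords, the synonym "crypt" and the grouping used to detect contradictions are assumptions, as is the handling of a rule that does not permit commands (the subject is passed on unchanged).

```python
import re
from dataclasses import dataclass

# Keyword table standing in for the one configured under Services -> Secure-Mail -> Commands.
# Only {send_key} is taken from the manual; the other keywords, the synonym "crypt" and the
# "group" used to detect contradictory commands are assumptions made for this example.
# Entry: keyword -> (command, group, takes_password)
COMMAND_TABLE = {
    "send_key":      ("send_key",      "keys",       False),
    "encrypt":       ("encrypt",       "encryption", False),
    "crypt":         ("encrypt",       "encryption", False),   # synonym for the same command
    "noencrypt":     ("plain",         "encryption", False),
    "sign":          ("sign",          "signature",  False),
    "nosign":        ("nosign",        "signature",  False),
    "pdfmail":       ("pdfmail",       "encryption", True),    # next word is the password
    "privatecrypto": ("privatecrypto", "encryption", True),
}

# Commands must be in curly brackets at the very beginning of the Subject line.
COMMAND_BLOCK_RE = re.compile(r"^\s*\{(?P<body>[^{}]*)\}\s*(?P<rest>.*)$", re.DOTALL)


class SubjectCommandError(ValueError):
    """Raised for unknown keywords or extended characters (é, ä, ...) in commands or passwords."""


def is_plain_ascii(word):
    """Printable ASCII without blanks, the character set the manual allows for commands and passwords."""
    return word != "" and all(" " < ch <= "~" for ch in word)


def parse_subject(subject, table=COMMAND_TABLE):
    """Split a Subject line into (commands, password, subject_for_recipient).

    commands maps group -> command, so a later contradictory command replaces an earlier one
    (the manual: "the last command is used").
    """
    m = COMMAND_BLOCK_RE.match(subject)
    if m is None:
        return {}, None, subject             # no command block: subject is left untouched
    words = m["body"].split()                # blank space is the delimiter
    commands, password = {}, None
    i = 0
    while i < len(words):
        word = words[i]
        if not is_plain_ascii(word):
            raise SubjectCommandError(f"extended characters in command {word!r}")
        entry = table.get(word.lower())
        if entry is None:
            raise SubjectCommandError(f"unknown subject command {word!r}")
        command, group, takes_password = entry
        commands[group] = command
        if takes_password and i + 1 < len(words):
            password = words[i + 1]          # the word following the encryption command
            if not is_plain_ascii(password):
                raise SubjectCommandError("extended characters in password")
            i += 1
        i += 1
    return commands, password, m["rest"]


@dataclass
class SenderRule:
    settings: dict                     # what the rule prescribes, e.g. {"encryption": "encrypt"}
    commands_permitted: bool = False   # "Subject commands permitted"
    may_override: bool = False         # "May override policy"; only meaningful with the above


def decide(rule, subject, table=COMMAND_TABLE):
    """Apply the sender rule: returns (verdict, effective_settings, password, subject_out)."""
    if not rule.commands_permitted:
        # Commands are not extracted; the subject line goes out unchanged (assumption).
        return "deliver", dict(rule.settings), None, subject
    commands, password, clean = parse_subject(subject, table)
    effective = dict(rule.settings)
    for group, command in commands.items():
        prescribed = rule.settings.get(group)
        if prescribed is not None and prescribed != command and not rule.may_override:
            # Permitted but not overriding: any deviation from the rule returns the e-mail.
            return "return_to_sender", dict(rule.settings), None, subject
        effective[group] = command
    return "deliver", effective, password, clean
```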

7.10. Status messages in the Subject line

The SafeGuard MailGateway will verify an e-mail if the Verify option in the recipient rule for the secure e-mail service is set to "Remove valid signatures" or "Do not remove signatures". The verification process checks the validity of the signature. The details of the check result are written to the e-mail header or to a separate attachment. A summary of the result appears in the subject line. You can configure the SafeGuard MailGateway to check outgoing e-mails for a status message in their Subject line. This is usually the case if the e-mail is a reply to an incoming e-mail. In this situation the SafeGuard MailGateway can remove the status message from the subject line. This means that status messages do not pile up in the subject line when an e-mail conversation consists of repeated replies. Because this function modifies the subject line and serves a purely cosmetic purpose, it is usually deactivated.

7.11. Messages to the user

If an e-mail is not processed cryptographically by your SafeGuard MailGateway as intended, then error messages will be sent to the sender of the e-mail. By default these messages are in English, but they can be modified to meet your needs, or written in your language. This can only be done via the console. This is described in Section 25.20.


8 User Management with the SafeGuard MailGateway

The SafeGuard MailGateway uses S/MIME certificates and OpenPGP keys to encrypt e-mails and provide them with digital signatures. To do so the SafeGuard MailGateway must securely assign one or more S/MIME certificates or OpenPGP keys to each e-mail user. User management is subdivided into these areas:
• Internal S/MIME: All internal S/MIME certificates for end users are administered here.
• Internal OpenPGP: All internal OpenPGP keys for end users are administered here.
• External S/MIME: All external S/MIME certificates for end users are administered here.
• External OpenPGP: All external OpenPGP keys for end users are administered here.
You have the option of generating new S/MIME certificates and OpenPGP keys for your internal users before the current, valid S/MIME certificates and OpenPGP keys have expired. You can also make settings for the automatic deletion of expired S/MIME certificates and OpenPGP keys.

8.1. Internal S/MIME

Certificates with private keys for your internal users are administered here. The SafeGuard MailGateway can sign e-mails for these users (with the private key) and decrypt incoming e-mails that were encrypted with your staff members' public keys. You require S/MIME certificates for every internal user who wants to sign or encrypt e-mails. This is usually an individual certificate for each user. However, you can also use one certificate for all your internal users. You can import the certificates for internal users manually in certificate management, let them be generated automatically by the SafeGuard MailGateway, or generate them manually in web management (E-mail CA). Select the option you want in the web management Secure E-mail service.

The number of these certificates is only limited by your software license.


Unlike external certificates which only contain a public key, certificates for internal users must have a private key.

8.2. Internal OpenPGP

OpenPGP keys with private keys for your internal users are administered here. The SafeGuard MailGateway can sign e-mails for these users (with the private key) and decrypt incoming e-mails that were encrypted with your staff members' public keys. You require OpenPGP keys for every internal user who wants to sign or encrypt e-mails. This is a separate OpenPGP key for each internal user. You can either import the OpenPGP key for internal users manually via OpenPGP key management or have SafeGuard MailGateway generate one automatically. Select the option you want in the web management Secure E-mail service.

The number of these OpenPGP keys is only limited by your software license.

Unlike external OpenPGP keys, which only contain a public key, OpenPGP keys for internal users must have a private key. OpenPGP keys for internal users that were generated by the SafeGuard MailGateway are automatically signed by the SafeGuard MailGateway's Postmaster key. You must sign all imported OpenPGP keys yourself. You have to publish your Postmaster key so that your communications partners can check the validity of your internal users' OpenPGP keys. You can also have the SafeGuard MailGateway sign manually imported OpenPGP keys at a later point in time. This automatically makes you the key manager for imported OpenPGP keys. This is a good idea if you want to make your Postmaster key available to your communications partners so that they can check individual, internal OpenPGP user keys. You can sign internal OpenPGP keys at this point. You can also express "direct trust" for an internal OpenPGP key here.

8.3. External S/MIME

S/MIME certificates for external users are administered here. The SafeGuard MailGateway uses these to encrypt e-mails for external users and to check their signatures. Certificates for external users are administered without a private key. You can import this type of certificate in several ways:
• You can import a certificate manually via web management.
• You can download a public certificate from an LDAP server via the SafeGuard MailGateway.
• You can also ask your communications partner to send you an e-mail with a signature. For S/MIME signatures the certificate is usually attached to the e-mail and automatically imported by the SafeGuard MailGateway.
To check the validity of an S/MIME certificate you require the CA certificates that issued this certificate. Certificates can only be regarded as valid if the corresponding CA certificates are also valid.

8.4. External OpenPGP

All external OpenPGP keys are administered here. The SafeGuard MailGateway uses these to encrypt e-mails for external users and to check their signatures. OpenPGP keys for external users are administered without a private key. You can import this type of OpenPGP key in a number of ways:
• You can import an OpenPGP key manually via web management.
• You can download a public OpenPGP key from an HKP or LDAP server via the SafeGuard MailGateway.
• You can also ask your communications partner to send you an e-mail with the public OpenPGP key as an attachment. Note that the public OpenPGP key must be included in the e-mail as an attachment and that the SafeGuard MailGateway can only import it automatically in ASCII format.
You can sign an OpenPGP key at this point. The key itself is not signed, only the user ID (name, comment, e-mail address) that is on the key. This makes you the key manager of this key and acts as a declaration that you have carried out sufficient checks on this key. Alternatively, you can trust a public OpenPGP key directly. You can activate the "Direct trust" property for this key in web management. This makes this public key immediately valid for one e-mail address. It does not require any other signatures, not even from the local e-mail CA. This procedure does not involve a signature on the public OpenPGP key. You merely inform your SafeGuard MailGateway that you have given this OpenPGP key your "direct trust". In web management you can also give an OpenPGP key the "Trustworthy as signer for other keys" attribute. In this way you can make an OpenPGP key function almost like a CA key. This key can then sign other keys and make them valid for your SafeGuard MailGateway. The SafeGuard MailGateway supports precisely this one level in the Web of Trust for OpenPGP keys. This means that an OpenPGP key is valid if it has been signed by a key that you have marked accordingly (Trusted Introducer).


8.5. Key server

Here you can enter the LDAP server or HKP server that is to be searched for S/MIME certificates or OpenPGP keys. Under Details you can configure the search for certificates and keys.

8.5.1. LDAP

Here you enter the LDAP server on which the SafeGuard MailGateway shall search for S/MIME certificates or OpenPGP keys for external users. The SafeGuard MailGateway will always query all LDAP servers when handling outgoing e-mails that are to be encrypted. If several valid certificates are present for one e-mail recipient (external user), an e-mail for this recipient is encrypted with each one of these certificates. The recipient can then use any of these certificates to decrypt the e-mail. You can define whether S/MIME certificates or OpenPGP keys that were downloaded from an LDAP server are permanently stored on the SafeGuard MailGateway or reloaded when required.

S/MIME: The validity of certificates from an LDAP server is always checked before they are accepted. To do this the correct CA certificates (used to check user certificates) must be imported "manually" to the SafeGuard MailGateway. These include all CA certificates in the chain, starting with the CA that issued the user certificate up to the root CA. CA certificates cannot be downloaded from the LDAP server; they can only be imported manually.

OpenPGP: The validity of OpenPGP keys is always checked before they are accepted. There is a check to see whether the OpenPGP key has a valid signature. This can come from an e-mail CA Postmaster key or from another key that has been declared as "Trustworthy as signer for other keys". Alternatively, "Direct trust" can have been expressed for the key.

8.5.2. HKP

Here you enter the HKP key server from which the SafeGuard MailGateway can load OpenPGP keys, either to check incoming e-mails with OpenPGP signatures or to encrypt outgoing e-mails. If the OpenPGP key server can only be accessed via an HTTP proxy (for example: your firewall), you must also enter this proxy so that the SafeGuard MailGateway can reach the OpenPGP key server. You make this setting in the menu item Network on the tab Details.

8.6. E-mail CA

The e-mail CA section is split into S/MIME and OpenPGP.


8.6.1. S/MIME

In web management, if there is no e-mail CA yet, and you click on the "E-mail CA" area and then on "S/MIME", you open the window in which you can generate or import an e-mail CA for S/MIME. This e-mail CA then forms the basis for all your internal user certificates. Here you generate or import an e-mail CA for all your internal S/MIME users. That e-mail CA is then used to digitally sign all S/MIME certificates generated for your internal users. This signing is performed using the e-mail CA's private key. Once you have generated or imported an e-mail CA for S/MIME, you can generate S/MIME certificates for your internal users. We recommend that you do not generate an S/MIME certificate for each user "manually", but use the Secure E-mail service to generate them when needed. Without this feature you must use an external tool to generate S/MIME certificates for internal users and then import them to the SafeGuard MailGateway.

8.6.2. Generating certificates for existing users

You can generate S/MIME certificates for internal users before the valid certificates have expired.

8.6.3. External PKI connection

If you sign an agreement with the TC TrustCenter for the use of an external PKI service, then you can integrate the TC TrustCenter's external PKI in your SafeGuard MailGateway. Then, the TC TrustCenter will issue the internal S/MIME certificates and sign them. To carry out this process, an SSL-encrypted connection is established to the TC TrustCenter. In this case, your SafeGuard MailGateway "only" generates an S/MIME key pair. The private part of the key is saved in your SafeGuard MailGateway. The public part of the key is sent to the TC TrustCenter. The TC TrustCenter then issues the required S/MIME certificate. To enable your SafeGuard MailGateway to use these S/MIME user certificates, the relevant CA certificates must be imported from the TC TrustCenter and configured.

8.6.4. OpenPGP

In web management, if you click on "E-mail CA" and then "OpenPGP", and if no OpenPGP e-mail CA Postmaster key has yet been set up, you first see the window in which an e-mail CA Postmaster key for OpenPGP can be generated or imported. This Postmaster key then becomes the basis for all your internal OpenPGP user keys. Here you can generate or import an e-mail CA Postmaster key for all your internal OpenPGP users. This Postmaster key is then used to sign all automatically generated OpenPGP keys for your internal users. This is done with the private key of the e-mail CA Postmaster key. After you have generated or imported an e-mail CA Postmaster key you can generate OpenPGP keys for your internal users. We recommend that you do not generate an OpenPGP key for each user "manually" but that you use the Secure E-mail service to generate it when required.

8.6.5. Generating OpenPGP keys for existing users

You have the option of generating OpenPGP keys for your internal users before the currently valid keys have expired. You can make the required settings here.

8.7. CA certificates

CA certificates are administered here. CA certificates are needed to check S/MIME user certificates that were not issued by the e-mail CA. These can only be declared valid if the corresponding CA certificate is valid. You therefore also need the CA certificates that issued these user certificates either directly or indirectly. The certificate is checked before you can send an encrypted e-mail to your communications partner. For this reason you must import the corresponding CA certificates for external users. As user certificates can also be declared invalid before their expiration date, each CA maintains a Certificate Revocation List (CRL) that is updated regularly. Alternatively, a CA can also provide an OCSP (Online Certificate Status Protocol) service. You can query the current revocation status of any external user certificate via this service. To check a certificate's validity the SafeGuard MailGateway works through these steps:

1. If the serial number on the list stands explicitly for a certificate that is, or is not, trustworthy, the check ends here.

2. If the OCSP service for the CA is configured in SafeGuard MailGateway, the SafeGuard MailGateway queries it for the status. If it gets a response, the certificate is accepted or rejected accordingly.

3. If there is no reply from the OCSP service, the SafeGuard MailGateway attempts to load a CRL from the following sources:
• Is an automatically updated (HTTP, HTTPS or LDAP) CRL available?
• Does the S/MIME certificate have the X.509 extension for the CRL distribution point (CDP)?
• Is a manually imported CRL available?
If a CRL is available, a check is run to see whether or not the certificate has been revoked. If several CRLs are available the most up-to-date one is always used.

4. If no CRL is available, the certificate is rejected.

You can make these settings separately for each CA. You can select the best available check for each CA. After installation no CAs are installed on the SafeGuard MailGateway by default. Only you can decide, on the basis of your security guidelines and your communications partners, which public and private CAs you need on your SafeGuard MailGateway.
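The four-step order above is fail-closed: a certificate with no reachable status source is rejected, and when several CRLs exist only the newest one counts. The following Python is an added example (not the product's code) that implements that decision order over constructed data; the class and field names are this example's own. Note in the sample policy how serial 0x20, revoked only in an older manually imported CRL, is accepted because the newer CDP CRL supersedes it, exactly as the rule "the most up-to-date one is always used" implies.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class CRL:
    source: str             # where it came from: "auto" (HTTP/HTTPS/LDAP), "cdp" or "manual"
    issued: datetime        # used to pick the most up-to-date CRL
    revoked: frozenset      # revoked serial numbers


@dataclass
class CAPolicy:
    """Per-CA check settings; field names are this example's, not the product's."""
    trusted: frozenset = frozenset()        # serials explicitly listed as trustworthy
    untrusted: frozenset = frozenset()      # serials explicitly listed as not trustworthy
    ocsp: Optional[Callable[[int], Optional[bool]]] = None   # True good, False revoked, None no reply
    crls: Tuple[CRL, ...] = ()


def check_certificate(serial, policy):
    """Walk the four steps in order and return (accepted, reason)."""
    # 1. An explicit entry on the list ends the check immediately.
    if serial in policy.untrusted:
        return False, "explicitly listed as not trustworthy"
    if serial in policy.trusted:
        return True, "explicitly listed as trustworthy"
    # 2. Query the CA's OCSP service if one is configured; any reply decides.
    if policy.ocsp is not None:
        reply = policy.ocsp(serial)
        if reply is True:
            return True, "OCSP: good"
        if reply is False:
            return False, "OCSP: revoked"
    # 3. No OCSP reply: consult only the most up-to-date CRL from any available source.
    if policy.crls:
        newest = max(policy.crls, key=lambda crl: crl.issued)
        revoked = serial in newest.revoked
        state = "revoked" if revoked else "not revoked"
        return not revoked, f"{state} according to {newest.source} CRL of {newest.issued:%Y-%m-%d}"
    # 4. No CRL either: fail closed.
    return False, "no OCSP reply and no CRL available"


# ---- constructed scenario (sample data, not from a real CA) -------------------------------

def ocsp_unreachable(serial):
    """Stands in for an OCSP responder that never answers (e.g. blocked by the firewall)."""
    return None


SAMPLE_POLICY = CAPolicy(
    untrusted=frozenset({0x10}),
    ocsp=ocsp_unreachable,
    crls=(
        CRL("manual", datetime(2011, 3, 1, tzinfo=timezone.utc), frozenset({0x20})),
        CRL("cdp",    datetime(2011, 4, 1, tzinfo=timezone.utc), frozenset({0x30})),
    ),
)
```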


9 Using the SafeGuard MailGateway to Distribute S/MIME Certificates and OpenPGP Keys

The simplest method of distributing your S/MIME certificates and OpenPGP keys is to attach them directly to an e-mail, i.e. to distribute the certificates and keys manually. Although your SafeGuard MailGateway supports this function for both S/MIME certificates and OpenPGP keys, manual distribution is only practical up to a certain point. The SafeGuard MailGateway operates an internal LDAP server where certificates and keys can be stored. This is not the internal LDAP database server; it is a second server that runs separately. You can allow public access to this area of the SafeGuard MailGateway. It can be accessed both via LDAP and HKP. You can use LDAP to query S/MIME certificates as well as OpenPGP keys. HKP can only be used to query OpenPGP keys. As the SafeGuard MailGateway should be installed in a protected area, for example behind a firewall, direct access to the S/MIME certificates and OpenPGP keys in SafeGuard MailGateway presents a security risk, as it means access to the SafeGuard MailGateway from outside must be allowed through the firewall. The main risk is due to the fact that private keys are also stored on the SafeGuard MailGateway. See figure below.

Figure 9.1. Firewall

For this reason, the only solution here is to have your own key server. This key server is installed in the extranet and the public is given access to this external key server instead. The key server can be installed on a second SafeGuard MailGateway. The advantage of this solution is that your firewall no longer has to permit external access to the SafeGuard MailGateway in the protected area, as was the case in the figure above. See figure below.


Figure 9.2. Key Server

You can also use an external standard LDAP server or an HKP server. See figure below.


Figure 9.3. LDAP or HKP Server


10 Services

This chapter is designed to familiarize you with the services that the SafeGuard MailGateway provides for processing e-mails. SafeGuard MailGateway provides these services:
• ESMTP Proxy: The ESMTP Proxy service is responsible for accepting e-mails via ESMTP. E-mails can be accepted, in accordance with your policy, either from an internal e-mail server or from the Internet.
• Secure E-mail: The Secure E-mail service is responsible for the cryptographic processing of e-mails. The same applies here: e-mails can be processed in both directions, from the e-mail server to the Internet and from the Internet to the e-mail server.
• Postfix: The Postfix service is responsible for sending e-mails in both directions, "incoming" and "outgoing".
This figure illustrates how these services work together:

Figure 10.1. Services

In web management services are configured in these areas:
• Basic configuration (i.e. configuration that does not depend on a connection)
• Rules
• Options for the particular rules
• Network mail outbox
The basic configuration includes service properties that operate independently of any selected rules. This configuration therefore applies even before you select a specific rule. When a service carries out a procedure it selects the appropriate rule(s) for it. This varies from service to service. For that reason you must follow the exact procedure for individual services very carefully.


10.1. The ESMTP Proxy

The ESMTP Proxy is responsible for accepting e-mails from an internal e-mail server and from the Internet. In the SafeGuard MailGateway it is configured via the ESMTP Proxy. In a standard configuration you only need two connection rules. One rule permits e-mails to be sent from your internal e-mail computers or e-mail server to e-mail servers in the Internet. The other rule permits e-mail servers in the Internet to send e-mails to your e-mail computer or e-mail server. The next sections describe individual aspects of rule configuration in greater detail.

10.1.1. How the ESMTP Proxy selects rules

Before you configure rules for the ESMTP Proxy, you should know which criteria the service uses to select the correct rule. Otherwise your configuration may be incorrect.

The ESMTP Proxy is responsible for processing ESMTP connections. These are carried over a TCP connection (usually port 25). When an ESMTP connection to the SafeGuard MailGateway is established, the ESMTP Proxy starts up and selects one rule that applies to the entire connection. This connection can be used to transfer no, one, or several e-mails to the SafeGuard MailGateway. The rule uses the source IP address to define whether the connection is permitted or forbidden and which restrictions must be taken into account when handling this connection. If no rule for this connection is present, or if this connection is expressly forbidden, the connection is immediately terminated at TCP level.

If one or more rules are present the SafeGuard MailGateway reacts in the following manner: the ESMTP Proxy searches through the rules from top to bottom (in the same sequence as the rules appear in web management) and selects the first rule that matches the connection. Other rules are not taken into account. The SafeGuard MailGateway sorts the rules in web management in such a way that special rules always apply before general rules. This means you can specify general rules more precisely or allow exceptions.

First the more precisely specified rule (exception), then the general rule!

In the SafeGuard MailGateway the rules are sorted by the source's IP network address: first the rules for individual IP addresses, then the rules for larger networks. This makes it possible to refine rules which apply to larger networks for an individual IP address in the network, or to allow exceptions.


First the rule for a single IP address in a network, then the rule for the entire network!

A rule must match all the following properties of a connection before it can be selected:
• IP address of the source (the e-mail server which created the connection to the SafeGuard MailGateway)
• time profile (day of the week, and time)
• alias IP address via which the SafeGuard MailGateway is addressed
• TCP port on which the connection is accepted by the SafeGuard MailGateway (usually port 25)
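The selection logic described in this section (most specific source network first, first match wins, all four properties must match, no match or a forbidding rule means the TCP connection is dropped) is modelled in the following added Python example; it is not the product's code. The rule set is constructed, the model is IPv4-only, and the tie-break between equally specific networks is an assumption not stated in the manual.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class TimeProfile:
    weekdays: frozenset          # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def matches(self, when):
        return when.weekday() in self.weekdays and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class ConnectionRule:
    name: str
    source: ipaddress.IPv4Network                       # /32 = single host, 0.0.0.0/0 = any source
    port: int = 25
    alias_ip: Optional[ipaddress.IPv4Address] = None    # None: any address of the gateway
    time_profile: Optional[TimeProfile] = None          # None: always
    permitted: bool = True                              # False: connection expressly forbidden

    def matches(self, src, alias, port, when):
        """All four connection properties from the manual must match."""
        return (src in self.source
                and port == self.port
                and (self.alias_ip is None or alias == self.alias_ip)
                and (self.time_profile is None or self.time_profile.matches(when)))


def sort_rules(rules):
    """Single addresses before small networks before large ones, as web management displays them.
    Ties between equally specific networks are broken by network address (an assumption)."""
    return sorted(rules, key=lambda r: (-r.source.prefixlen, int(r.source.network_address)))


def select_rule(rules, src, alias, port, when):
    """The first matching rule in sorted order; later matches are ignored. None: no rule."""
    src, alias = ipaddress.ip_address(src), ipaddress.ip_address(alias)
    for rule in sort_rules(rules):
        if rule.matches(src, alias, port, when):
            return rule
    return None


def connection_accepted(rules, src, alias, port, when):
    """False means the proxy terminates the TCP connection: no rule, or a forbidding rule."""
    rule = select_rule(rules, src, alias, port, when)
    return rule is not None and rule.permitted


# ---- constructed rule set and sample connection times (sample data) -----------------------
BUSINESS_HOURS = TimeProfile(frozenset(range(0, 5)), time(7, 0), time(19, 0))   # Mon-Fri 07:00-19:00
SAMPLE_RULES = [
    ConnectionRule("internet-to-mailserver", ipaddress.ip_network("0.0.0.0/0")),
    ConnectionRule("internal-to-internet", ipaddress.ip_network("10.0.0.0/8")),
    # Exception for one internal host: listed last here, but evaluated first because it is a /32.
    ConnectionRule("quarantined-host", ipaddress.ip_network("10.0.0.99/32"), permitted=False),
    ConnectionRule("batch-mailer", ipaddress.ip_network("10.0.1.0/24"), time_profile=BUSINESS_HOURS),
]
SAMPLE_WEEKDAY = datetime(2011, 4, 5, 9, 53)    # a Tuesday morning
SAMPLE_NIGHT = datetime(2011, 4, 5, 23, 0)      # same Tuesday, outside business hours
```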

10.1.2. How do you prevent your SafeGuard MailGateway from being misused as a relay?

Senders of spam e-mails may attempt to send an e-mail to your SafeGuard MailGateway from outside, which your SafeGuard MailGateway is then to send on to many other people (e-mail addresses). You must therefore prevent e-mails that come from outside from being resent outside. You can do this by selecting your users. When you create a connection rule you can enter the source (IP address of the e-mail server) to define whether this connection rule applies to "internal" or "external" e-mails. You must then restrict the permitted senders and recipients for these e-mails accordingly. You can do this by creating lists of permitted and non-permitted senders and recipients. Each rule for the ESMTP Proxy has this type of list. The sender and recipient lists consist of patterns and wildcards.

10.1.3. LDAP synchronization of an Active Directory folder

Another way to prevent misuse of your SafeGuard MailGateway is LDAP synchronization of an Active Directory folder. Here you perform an LDAP query on an Active Directory folder and, in it, check whether the e-mail address is actually present in your company. If this e-mail address is not present in your company, then the e-mail from the Internet will be blocked. You can also use this LDAP query in the Active Directory folder to ensure that internal users can only send e-mails over the Internet if these internal users, with the associated e-mail address, actually exist in your company.

10.1.4. Checking with DNS by the ESMTP Proxy

The ESMTP Proxy can use the DNS to check addresses (IP addresses and e-mail addresses). Instead of being defined for each specific rule, this option is set globally as part of the basic configuration.


10.1.4.1. Checking IP addresses with DNS

The ESMTP Proxy can check the "source" IP address for consistency. In this case "source" is the e-mail server which creates the ESMTP connection to the SafeGuard MailGateway. You can perform these checks:
• In a simple check the source's IP address is converted into a host name. Prerequisite: the IP address must be present in the DNS system.
• In a double check the source's IP address is first converted into a host name and then converted back into an IP address. Both IP addresses must be identical. Prerequisite: the IP address and the host name must be present in the DNS system. This double check makes it more difficult for falsified DNS entries to cover their tracks.

If a check fails this may, depending on the configuration, cause the connection to be terminated, trigger a warning in the log or simply be ignored. When you configure the ESMTP Proxy you can select various combinations of types of check and define how the system is to react if an IP address/name conversion fails. When you configure individual proxies, these variants are available:

Variant               Effect
double/error          A double check is performed. If the DNS check fails, the connection is refused.
double/warning/error  A double check is performed. If the IP address/name resolution fails, a warning is written to the log. If the name/IP address resolution fails, the connection is refused.
double/warning        A double check is performed. If the DNS check fails, a warning is written to the log.
simple/error          A simple check is performed. If the DNS check fails, the connection is refused.
simple/warning        A simple check is performed. If the DNS check fails, a warning is written to the log.
OUT                   No DNS check takes place.

If you carry out a simple check you can at least determine the source's host name. If this is successful the name is entered in the SafeGuard MailGateway's log. Otherwise you will only find the source's IP address there. We recommend that you always switch off the DNS check because many e-mail servers in the Internet do not have a working DNS resolution and because the DNS check takes time and effort.
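The simple and double checks and the six variants from the table above, as an added Python example (not Sophos' code). The resolver functions are injected so the logic runs offline against a constructed sample zone; the returned tuple, the function names and the sample data are assumptions.

```python
"""Added example, not Sophos' code: the source IP checks of section
10.1.4.1. The simple check resolves IP -> name; the double check then
resolves name -> IP and requires the same address (forward-confirmed
reverse DNS). The variant names are the manual's; the tuple returned,
the injectable resolvers and the sample zone are assumptions."""
import socket
from typing import Callable, List, Optional, Tuple

ReverseFn = Callable[[str], Optional[str]]   # IP -> host name, or None
ForwardFn = Callable[[str], Optional[str]]   # host name -> IP, or None


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the operating system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> Optional[str]:
    """Address lookup through the operating system resolver."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_source(ip: str, variant: str, reverse: ReverseFn = system_reverse,
                 forward: ForwardFn = system_forward
                 ) -> Tuple[bool, Optional[str], List[str]]:
    """Apply one variant from the table; returns
    (accept connection, host name for the log, warnings for the log)."""
    if variant == "OUT":                      # no DNS check takes place
        return True, None, []
    mode, _, policy = variant.partition("/")  # e.g. "double", "warning/error"

    name = reverse(ip)
    if name is None:
        msg = f"{ip}: IP address/name resolution failed"
        # */warning and double/warning/error only warn at this step;
        # */error refuses the connection.
        if policy == "error":
            return False, None, [msg]
        return True, None, [msg]
    if mode == "simple":                      # name found: simple check done
        return True, name, []

    back = forward(name)                      # second half of the double check
    if back == ip:
        return True, name, []
    msg = f"{ip}: name/IP address resolution of {name} gave {back}"
    if policy == "warning":                   # double/warning: log only
        return True, name, [msg]
    return False, name, [msg]                 # double/error, double/warning/error


# Constructed sample zone so the logic runs offline (documentation ranges,
# not real mail servers). mx.example.org deliberately does not point back.
SAMPLE_PTR = {"192.0.2.10": "mx.example.net", "192.0.2.20": "mx.example.org"}
SAMPLE_A = {"mx.example.net": "192.0.2.10", "mx.example.org": "198.51.100.5"}


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_forward(name: str) -> Optional[str]:
    return SAMPLE_A.get(name)


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        for variant in ("double/error", "double/warning/error", "simple/warning"):
            print(src, variant, check_source(src, variant, sample_reverse, sample_forward))
```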

10.1.4.2. DNS checks on sender and recipient addresses

The sender and recipient addresses that are transferred in the ESMTP MAIL FROM and RCPT TO commands are structured in the usual way: <local part>@<domain>. The ESMTP service can resolve the domain part in DNS to see whether or not the e-mail address is valid. This check does not produce a final result because it does not verify whether the local part is valid. Despite this, the e-mail address is always invalid if the domain cannot be resolved. If an e-mail address is checked and found to be invalid in this respect, an error code is issued in response to the corresponding ESMTP command (MAIL FROM or RCPT TO). As a consequence the SafeGuard MailGateway rejects this e-mail (for this recipient at least).

Checking e-mail addresses has these benefits:
• If the sender of an e-mail is invalid you cannot send a reply to this e-mail. These e-mails often remain in the e-mail system and must be deleted by an administrator. E-mails with invalid senders are usually spam e-mails.
• If an e-mail has an invalid recipient it cannot be delivered. For that reason there is no real reason to accept it in the first place.

10.1.5. How the ESMTP Proxy selects users

You use the IP address (source) to create a rule for the ESMTP Proxy. For this IP address you then specify e-mail addresses for the sender and the recipient (users).

A complete rule consists of: IP address + sender + recipient.

You only use the IP address (source) to select the rule. A check is carried out here to see whether the IP address is permitted or forbidden. If the IP address is not permitted the connection is rejected. If the IP address is permitted, the user selection process continues, using the sender and recipient e-mail addresses. In this situation the ESMTP Proxy checks whether the e-mail addresses transferred to the ESMTP MAIL FROM and RCPT TO commands match the e-mail addresses permitted in the rule. The SafeGuard MailGateway has to check both e-mail senders and e-mail recipients. If the SafeGuard MailGateway did not check this it could be used to send spam e-mails. This should be prevented at all cost. Many e-mail servers do not accept e-mails from any server that is not sufficiently protected against misuse by spam e-mails. This can present a significant obstacle to you sending your own e-mails.


10.1.6. Wildcards and Patterns

Wildcards and patterns are used to define which e-mail addresses are permitted in the rules (ESMTP Proxy). This section explains what wildcards and patterns are and how you make the best possible use of them for the ESMTP Proxy. This figure illustrates a wildcard and a pattern.

Figure 10.2. Wildcard and Pattern

A pattern that uses wildcards is compared precisely against each e-mail address. The comparison runs from left to right, which is why the sequence of patterns and wildcards is significant.

Wildcard  Meaning
*         no character, one character or any character string
!         forbids the following pattern and must be placed at the beginning of the pattern
?         exactly one character (any character)
""        a blank sender is permitted; it is used, for example, to send error messages
p?        permits "p" and one other character

Examples:
<*@company.de>   permits everything that is sent to <@company.de>
<!*@company.de>  forbids everything that is sent to <@company.de>
<*@*>            permits all e-mail addresses
p?               permits everything that starts with the letter "p" plus 1 character after that

If a pattern starts with "!" the next pattern is explicitly forbidden. If a pattern starts with "*" the next pattern is explicitly permitted. If no matching pattern is found, the e-mail address is forbidden.


The blank sender address "" represents error messages that are sent automatically, for example, "recipient unknown"!

To ensure that this type of error message does not get lost you must permit blank senders for incoming and outgoing e-mails. Unlike every other pattern, you must always enter quotation marks "" when you use an empty pattern. The aim of the rules is to define that:
• No e-mail can be sent to the company from outside that can then be sent outside again.
• No internal e-mail can be sent to the Internet by mistake.
• No-one outside the company can send an e-mail and pretend to be an internal sender.

This figure shows a correct scenario where the aims listed above have been achieved by the use of wildcards and patterns:

Figure 10.3. Wildcard and Pattern scenario

Please note that you can only define one rule for each IP address. This rule may include one or more patterns.

10.1.7. Configuring rules for the ESMTP Proxy

In both examples A and B (complete configuration for ESMTP Proxy rules) a real network configuration is used as the starting point.
• A company uses the IP network address 10.0.0.0/8 in-house
• The internal e-mail server has IP address 10.1.1.25
• The company uses the e-mail domain @company.de

Example A

A company has a transparent firewall. The company has an internal e-mail server (IP address 10.1.1.25). The SafeGuard MailGateway is to communicate directly with the e-mail servers in the Internet. This figure shows the network structure for example A.

Figure 10.4. Example A

These rules must be configured in the SafeGuard MailGateway for example A:
1. Outgoing e-mails should only be accepted from the internal e-mail server.
2. Outgoing e-mails from all other computers must be rejected.
3. Incoming e-mails should be accepted from any e-mail server in the Internet.

This figure shows the rule configuration for example A.

Figure 10.5. Rule configuration for example A


Example B

A company has a firewall. The company has an internal e-mail server (IP address 10.1.1.25). The company has an external e-mail server in its DMZ (IP address 10.255.255.25). The SafeGuard MailGateway is to transfer all outgoing e-mails to this mail server. Incoming e-mails will only be accepted from this e-mail server. This figure shows the network structure for example B.

Figure 10.6. Example B

These rules must be configured in the SafeGuard MailGateway for example B:
1. Outgoing e-mails should only be accepted from the internal e-mail server.
2. Outgoing e-mails from all other computers must be rejected.
3. Incoming e-mails should only be accepted from the external e-mail server.

This figure shows the rule configuration for example B.


Figure 10.7. Rule configuration for example B

In examples A and B the actions "Permitted" and "Forbidden" are included in the rules. In the SafeGuard MailGateway you can explicitly permit or forbid specific connections. Forbidden means that no ESMTP connection is created!

Explanations of the examples

Figure 10.8. Example A and B

The internal e-mail server permits outgoing e-mails that have <@company.de> as their sender. This ensures that staff members cannot send e-mails with a forged sender address into the Internet. The blank sender "" is permitted because it is used for automatically generated messages as defined in the ESMTP standard.

Figure 10.9. Example A and B

No member of the company's staff can bypass the internal e-mail server to send an outgoing e-mail. This internal e-mail server is responsible for authenticating users and verifying the sender address. However, if someone were to try to get around it, they could not get a connection because the connection itself is forbidden (see footnote 1).

Figure 10.10. Example A

All e-mails can be accepted from any e-mail server in the Internet (0.0.0.0/0). No external sender in the Internet can pretend to be an internal e-mail address. Because the recipient must be <*@company.de>, the SafeGuard MailGateway cannot be misused as a relay for spam. All possible e-mail addresses in the Internet (<*@*>) can act as senders of e-mails to the company. The blank sender "" is permitted because it is used for automatically generated messages as defined in the ESMTP standard.

Figure 10.11. Example B

All e-mails can only be accepted from the external mail server (10.255.255.25/32). No e-mail from the Internet can be accepted directly! No external sender from the Internet can pretend to be an internal e-mail address. All possible e-mail addresses in the Internet can be passed on from the external e-mail server to the SafeGuard MailGateway. The blank sender "" is permitted because it is used for automatically generated messages as defined in the ESMTP standard.

10.2. The secure e-mail service

The secure e-mail service is responsible for signing, verifying, encrypting and decrypting e-mails.
• The rules for the secure e-mail service can be defined for specific senders and recipients. This gives you many more options (wildcards, LDAP attributes etc.) which are described in greater detail below.

Footnote 1: Source not 0.0.0.0, which means 0.0.0.0/32


• You must sort the rules for the secure e-mail service manually. When doing so, remember that the special rules are always to be processed before the general rules and sorted accordingly.
• Once the program has been installed successfully (and you have entered your domain during the installation), your SafeGuard MailGateway will already contain five rules. You use these five rules to:
  • Generate an S/MIME certificate and an OpenPGP key for your members of staff. Rule = Generate standard key
  • Attempt to encrypt all the e-mails that are sent out from your domains. Rule = Default encryption rule
  • Decrypt and verify all e-mails that are sent to your domains. Rule = Decryption for incoming e-mails
  Therefore, as soon as it has been installed, your SafeGuard MailGateway is already preconfigured for all aspects of the secure e-mail service. It attempts to ensure that no e-mails can be sent "to the outside world" without first being encrypted and that all inbound e-mails are automatically decrypted and verified.
• You can also define several conditions for a particular rule ("if" or "if not") and specify whether "Match all the following" conditions or "Match any of the following" conditions are to be taken into account.
• For a particular rule, you can also specify that no further rules are to be evaluated (Breaking rule).
• You can use chaining (concatenation) to ensure that a rule is followed by another rule of your choice. Chaining allows you to specify that one or more rules can be skipped during the evaluation process.

10.2.1. Configuring the rules

This section details the things you must take into account when configuring rules for the secure e-mail service.

Header row

You enter a name and a description for the rule in the header row. The rules are numbered automatically in ascending order. To activate a rule, simply click on the "Active" checkbox. This is the only method of releasing, and therefore activating, a rule.

Subject commands permitted / May override policy

If you want to allow subject line control, click on the "Subject commands permitted" checkbox. If you want this rule to be overruled by subject line control, select the "May override policy" checkbox. However, if you only select "Subject commands permitted" and do not activate "May override policy" you will restrict subject line control.

After you have installed your SafeGuard MailGateway, rule 5 states that all e-mails sent from your internal domains are to be encrypted, and, if no key can be found, the e-mails are to be sent in plain text. If you do not want this rule to be overruled by subject line control, but you do want subject line commands, such as "Send key", to be added to it, you should only activate "Subject commands permitted". In this situation, although you do allow your in-house staff to use subject line control, it is greatly restricted. In this scenario your members of staff would only be able to use commands that match the pre-defined rule or which add to the rule, such as "Send key". If a key is present, subject line control cannot prevent an e-mail from being encrypted. You should only activate both "Subject commands permitted" and "May override policy" if you want to give your in-house users complete freedom in the way they use the secure e-mail service to process their e-mails.

Breaking rule

Click on the "Breaking rule" checkbox if you want to prevent any further rules from being evaluated after this rule. If this rule matches, the secure e-mail service interrupts the evaluation process. This option allows you to influence the sequence in which the secure e-mail service evaluates the rules.

Conditions

"Match all the following" means that a number of conditions have been pre-defined here and that each of these conditions must be fulfilled. Example: every e-mail sent from the board of management to the company lawyer must be encrypted with PDFMail. In this example you have two conditions: 1st condition = the e-mail is sent from the board of management, and 2nd condition = the e-mail recipient is the company lawyer. In this situation you must activate "Match all the following" because both conditions (sender is the board of management and recipient is the lawyer) must be fulfilled.

"Match any of the following" means that several conditions have been pre-defined here, but it is sufficient for one of them to be fulfilled. Example: all e-mails that have private, confidential, secret or contract in their subject line are to be encrypted and signed. In this example you have four conditions: 1st condition = private, or 2nd condition = confidential, or 3rd condition = secret, or 4th condition = contract. In this case you must activate "Match any of the following" because one of the conditions (private, confidential, secret or contract) is sufficient.

The next section describes what you have to take into account when specifying conditions. These tables illustrate possible combinations of conditions and their meanings:

Table 10.1. Recipient e-mail address or sender e-mail address
(Conditions: IF or IF NOT, combined with OR; applies to "Recipient e-mail address" and "Sender e-mail address")

Condition                       Definition (a)                     Example
Is                              Matches only one e-mail address    Only the one address entered
Contains                        Substring match                    Entry "location" matches
Begins with                     Substring match                    Entry "Mail" matches
Ends with                       Substring match                    Entry "company.de" matches
Matches wildcard (placeholder)  Wildcard match                     Entry "*@company.de" matches everything with <@company.de>
Matches regular expression      Valid regular expression           Entry ".*\@company.de$"

(a) not case sensitive

Table 10.2. Recipient attribute or sender attribute
(Conditions: IF or IF NOT, combined with OR; applies to "Recipient attribute" and "Sender attribute")

Condition                       Definition (a)                 Example
Is                              Matches only one attribute     Entry "OU" / "location"
Contains                        Substring match                Entry "OU" / "location"
Begins with                     Substring match                Entry "OU" / "location"
Ends with                       Substring match                Entry "OU" / "location"
Matches wildcard (placeholder)  Wildcard match                 Attribute "OU" *location*
Matches regular expression      Valid regular expression       Attribute "OU" .*location.*

(a) not case sensitive

When an attribute is entered, the program searches an LDAP directory (internal Directory Server / LDAP Sync server) to see whether an entry for this e-mail address is already present. If this entry is found in the LDAP, you must enter the attribute and the value of the LDAP entry here.

Table 10.3. "Recipient is licensed" or "Sender is licensed"
(Conditions: IF or IF NOT, combined with OR)

Condition                                        Definition
"Recipient is licensed" or "Sender is licensed"  The user is licensed if there is a private key for the e-mail address in the SafeGuard MailGateway, or if the address is contained in the file licenced_users.txt

Table 10.4. E-mail text size
(Conditions: IF or IF NOT, combined with OR; applies to "E-mail text size")

Condition     Definition                                          Example
Greater than  Greater than the value entered, in bytes, KB or MB  1024 KB
Smaller than  Smaller than the value entered, in bytes, KB or MB  100 KB

Table 10.5. E-mail has an attachment
(Conditions: IF or IF NOT, combined with OR)

Condition                 Definition
E-mail has an attachment  The program evaluates all MIME parts that have either a file name or the content disposition "attachment" as an attachment.

Table 10.6. Attachment name
(Conditions: IF or IF NOT, combined with OR; applies to "Attachment name")

Condition                       Definition (a)             Example
Is                              Matches one name           Only picture.jpg
Contains                        Substring match            Entry "location" matches picture_of_aachen.jpg
Begins with                     Substring match            Entry "picture" matches picture_of_aachen.jpg
Ends with                       Substring match            Entry "aachen.jpg" matches picture_of_aachen.jpg
Matches wildcard (placeholder)  Wildcard match             Entry "*.jpg" matches everything with picture_of_aachen.jpg
Matches regular expression      Valid regular expression   Entry ".*\.jpg$"

(a) not case sensitive

Table 10.7. E-mail is encrypted
(Conditions: IF or IF NOT, combined with OR; applies to "E-mail is encrypted")

Condition           Definition
With any method     Any method
With S/MIME         Is encrypted with an S/MIME key
With OpenPGP        Is encrypted with an OpenPGP key
With PrivateCrypto  Is encrypted with PrivateCrypto

Table 10.8. E-mail is signed
(Conditions: IF or IF NOT, combined with OR; applies to "E-mail is signed")

Condition        Definition
With any method  Any method
With S/MIME      Is signed with an S/MIME key
With OpenPGP     Is signed with an OpenPGP key

Table 10.9. E-mail sensitivity
(Conditions: IF or IF NOT, combined with OR; applies to "E-mail sensitivity")

Condition              Definition          Example
E-mail sensitivity is  E-mail sensitivity  Normal, Personal, Private, Company Confidential

In some e-mail clients you can specify that an e-mail is to be handled as normal, personal, private or company confidential. Your SafeGuard MailGateway can tell the difference.


Table 10.10. E-mail priority
(Conditions: IF or IF NOT, combined with OR; applies to "E-mail priority")

Condition           Definition       Example
E-mail priority is  E-mail priority  Normal, Low, Lowest, High, Highest

In some e-mail clients you can specify the e-mail priority. Your SafeGuard MailGateway can tell the difference.

Table 10.11. E-mail subject
(Conditions: IF or IF NOT, combined with OR; applies to "E-mail subject")

Condition                   Definition (a)                  Example
Is                          Matches an e-mail subject line  confidential
Contains                    Substring match                 confidential
Begins with                 Substring match                 confidential
Ends with                   Substring match                 confidential
Matches a wildcard          Wildcard match                  *confidential*
Matches regular expression  Valid regular expression        .*confidential.*

(a) not case sensitive

Table 10.12. Header field
(Conditions: IF or IF NOT, combined with OR; applies to "E-mail header field", e.g. "X-example")

Condition                   Definition (a)                Example
Is                          Matches a header field value  E-mail Gateway
Contains                    Substring match               Gate
Begins with                 Substring match               E-mail
Ends with                   Substring match               Gateway
Matches a wildcard          Wildcard match                *E-mail Gate*
Matches regular expression  Valid regular expression      .*E-mail.*

(a) not case sensitive

You can define any number of conditions that are to be applied to a rule.

Action

After you have defined the conditions for the rule that is to be created, you must specify which action is to be performed. Here you have these options:

Do nothing: The rule is not processed. The e-mail is simply forwarded without being processed by your SafeGuard MailGateway, unless another option is defined in the other rules.

Generate key: Keys (S/MIME or OpenPGP) are only to be generated for your in-house staff. To prevent more than one key being generated for one member of staff, you can select the "If key not exist" restriction here and specify whether an S/MIME or an OpenPGP key should be generated. Another example would be if you had purchased a license for a limited number of users for the SafeGuard MailGateway, and a key is only to be generated for particular staff or for a particular group of staff. In this case, you should remember that your SafeGuard MailGateway always generates one key for the sender. For this reason the conditions for this action must always be based on the sender.

Encrypt and sign e-mail: You can only sign for your internal staff if a key is present for them. This action only concerns e-mails that are sent out from your internal domains. To encrypt e-mails, the internal sender must be licensed and have a private key.

Decrypt and verify e-mail: This concerns e-mails that are sent to your internal domains from outside. Provided the public key of the external communications partner is present, the e-mail can be verified.

Return to sender: Here the e-mail is sent back to the sender.

Delete e-mail: Self-explanatory.

Chaining: When this action is performed, the rule is linked to another rule. Here you must also state which rule the current rule is to be linked with (concatenated). This setting is only useful if you want to ignore one or more rules in the evaluation and want to influence the actual evaluation sequence (from top to bottom).

Send key: You can specify that the public key is attached to the e-mail as a normal attachment, along with the associated CA chain for your internal staff, and then sent. This is a good way to ensure that your communications partner can check your signature and send you encrypted e-mails. Here you can also choose between S/MIME or OpenPGP encryption. If you send an e-mail that has been signed with S/MIME, your public key will already have been attached automatically. Send key is only appropriate if your communications partner has an e-mail client that can also extract a certificate.

Add header field: This action can be used to add any field to the e-mail header, e.g. "X-my-special-header: added". Adding a header can be useful to mark e-mails, especially when interacting with another MTA.

Delete header field: You can use this action to delete any field from the e-mail header.

Acknowledgement: This action can be used to inform the sender of an e-mail that his e-mail was processed by the SafeGuard MailGateway. Similar to the verification, the acknowledgement e-mail contains information about the encryption or the signature state of the e-mail.

Alarm: The admin can use this action to trigger an alarm e-mail.

If you have configured several actions for one rule, you can use "Input from action" to define whether the original e-mail should be used for the next action, or whether the e-mail is to be used in the state that it is in after the first or second action. The example below shows the effects of "Input from action". Imagine that you want to decrypt and verify all encrypted and signed e-mails that are sent to your internal domains, and to sign them and transfer them to an archive. After this, the original e-mail is passed on to Rule (Decryption internal), for further processing, with the help of chaining. To achieve this the rule must be configured as follows:

Name: Inbound e-mail
Description: External > Internal, archiving
Subject commands permitted: No
May override policy: No
Breaking rule: No
Conditions:
  Matches all the following: Yes
  Matches any of the following: No
  If Recipient e-mail address Ends with company.de
  If not Sender e-mail address Ends with company.de
Action 1: Decrypt and verify e-mail: Yes
  Remove valid signatures: Yes
  "Input from action": original
Action 2: Forward e-mail: Yes
  Forward to e-mail address: [email protected]
  "Input from action": 1
Action 3: Chaining: Yes
  Next rule: Decrypt internal
  "Input from action": 2

Action 1 decrypts and verifies the e-mail without removing its signature. Action 2 "accepts" the e-mail, after action 1 (decrypt and verify) has been performed, and sends it to the archive in plain (unencrypted) text, with an attached signature. Action 3 "accepts" the e-mail, after action 1 and action 2 have been performed, and, using chaining, passes it on to Rule (Decryption internal).

10.2.2. Example configurations for the secure e-mail service

This example consists of two components: the base rules, which are already present after installation has successfully been performed, and the optional rules, which are examples of possible additions to the base rules. These examples may not necessarily be relevant to your specific situation.

Base rules

A company wants to use individual certificates or OpenPGP keys for its employees. The company allows its staff members to use subject line control. The company wants to encrypt outbound e-mails with S/MIME or OpenPGP whenever possible.


Base rule 1

Name: Internal decryption
Description: Decryption for incoming e-mails
Subject commands permitted: No
May override policy: No
Breaking rule: Yes
Conditions:
  Matches all the following conditions: Yes
  Matches any of the following conditions: No
  If Recipient e-mail address Matches wildcard *@company.de
Action 1: Decrypt and verify e-mail: Yes
  Display result in the subject line: Yes
  Display result in the header field: Yes
  Signature verification: Remove all signatures: Yes

Base rule 2

Name: Generate key
Description: Generate standard key
Subject commands permitted: Yes
May override policy: No
Breaking rule: No
Conditions:
  Matches all the following conditions: Yes
  Matches any of the following conditions: No
  If Sender e-mail address Matches wildcard *@company.de
Action 1: Generate key
  If key does not exist: Yes
  S/MIME: Yes
  OpenPGP: Yes
Action 2: Chaining: Yes
  Next rule: 4 Separator rule
  Input from action: 1

Base rule 3

Name: Breaking rule
Description: Breaking rule
Subject commands permitted: No
May override policy: No
Breaking rule: Yes
Conditions:
  Matches all the following conditions: Yes
  Matches any of the following conditions: No
  If Sender e-mail address Matches wildcard *
Action 1: Do nothing: Yes

Base rule 4

Name: Separator rule
Description: Separator rule
Subject commands permitted: No
May override policy: No
Breaking rule: No
Conditions:
  Matches all the following conditions: Yes
  Matches any of the following conditions: No
  If Sender e-mail address Matches wildcard *
Action 1: Do nothing: Yes

Base rule 5

Name: Default encryption
Description: Default encryption rule
Subject commands permitted: Yes
May override policy: Yes
Breaking rule: Yes
Conditions:
  Matches all the following conditions: Yes
  Matches any of the following conditions: No
  If Recipient e-mail address Matches a wildcard *
Action 1: Encrypt and sign e-mail: Yes
  Input from action: Original
  Signing: With sender key, if the private key of the sender and the public key of the recipient are available.
  Encryption: Yes, S/MIME or OpenPGP, with recipient key. If no key is found: Send in plain text.

Explanation:

Rule 1 ensures that all e-mails which are sent to your domains are automatically decrypted and verified.

Rule 2 ensures that an S/MIME or an OpenPGP key is generated for all licensed members of staff. After this, processing continues from Rule 4.

Rule 3 ensures that all e-mails which fit neither Rule 1 nor Rule 2 are sent in plain text. These are e-mails that were not sent to *@company.de domains and also not sent out by *@company.de domains.

Rule 4 is applied if Rule 2 was evaluated. The e-mail is not processed here; it is passed on to the following rule for processing.

Rule 5 ensures that all e-mails sent from inside the organization to the outside world are automatically encrypted and signed, if the sender's private key and the recipient's public key are present.

Optional rules


This section gives you some optional examples that represent sensible additions to the base rules. When you use optional rules you have to ensure the correct order yourself! For outgoing e-mails the place between the "Separator rule" and the "Default encryption" rule is the correct place in almost all cases. Normally, such special rules should be "Breaking rules".

Optional rule 1: E-mail subject line

All e-mails that contain private, confidential, secret or contract in their subject lines are to be encrypted and signed. If e-mails cannot be encrypted with S/MIME or OpenPGP, PDFMail should be used to encrypt them. In this case the configuration of the rule for this example must be as follows:

Name: E-mail subject line
Description: Private, confidential, secret, contract
Subject commands permitted: No
May override policy: No
Breaking rule: Yes
Conditions:
  Matches all the following: No
  Matches any of the following: Yes
  If E-mail subject line Contains Private
  If E-mail subject line Contains Confidential
  If E-mail subject line Contains Secret
  If E-mail subject line Contains Contract
Action 1: Encrypt and sign e-mail: Yes
  Sign: Yes
  With sender key: Yes
  If the private key of the sender and the public key of the recipient are available: Yes
  Encrypt: Yes
  With S/MIME or OpenPGP: Yes
  With recipient key: Yes
  If no key was found: Send PDFMail
  Password: Optional
  Input from action: Original

End-to-end encryption

End-to-end encryption in both directions is to be used for communication between the company's directors and the company lawyer. Your SafeGuard MailGateway's service is not to process these e-mails, but simply to pass them on. To ensure that the condition in both directions can be fulfilled, two rules must be configured here.

Optional rule 2: Lawyer > Directors

Name: Lawyer
Description: Lawyer < Directors
Subject commands permitted: No
May override policy: No
Breaking rule: Yes
Conditions:
  Matches all the following: Yes
  Matches any of the following: No
  If Sender e-mail address Ends with <@anwalt.de>
  If E-mail is encrypted With any method
  If Recipient attribute memberOf is Board of Directors
Action 1: Do nothing: Yes

Optional rule 3: Directors > Lawyer Name

Board of Directors

Description

Directors > Lawyer

Subject commands permitted

No

May override policy

No

Breaking rule

Yes

Conditions Matches all the following

Yes

85

Conditions Matches any of the following

No

If

Sender attribute

memberOf

Is

If

E-mail is encrypted

With any method

If

Recipient e-mail address

Ends with

Board of Directors <@anwalt.de>

Action: 1 Do nothing

Yes

Optional rule 4: Inbound e-mails

All inbound e-mails should be decrypted and archived together with their signature. After this, the e-mail should be handled in accordance with the rule "Decryption for internal".

Name: Inbound e-mail
Description: External > Internal, archiving
Subject commands permitted: No
May override policy: No
Breaking rule: No

Conditions
  Matches all the following: Yes
  Matches any of the following: No
  If Recipient e-mail address ends with <@company.de>
  If not Sender e-mail address ends with <@company.de>

Action 1: Decrypt and verify e-mail: Yes
  Do not remove signatures: Yes
  Display result of verification in the subject line: No
  Input from action: Original

Action 2: Forward e-mail: Yes
  Forward to e-mail address:
  Input from action: 1

10.2.3. Rule evaluation for the secure e-mail service

The rules are processed from top to bottom. You can influence the way the secure e-mail service evaluates the rules in these ways:

1. You can sort the rules.
2. You can activate "Breaking rule" for a rule. This prevents all rules that follow it from being evaluated.
3. You can activate the "Chaining" (concatenation) action and so define that one or more rules are skipped and that the next rule to be evaluated is the one you have selected.

To ensure that you sort the rules correctly, let's have another quick look at the base rules and the optional rules.

Base rules:

1. All e-mails that are sent to the organization from outside are to be decrypted and verified.
2. A certificate (S/MIME) or a key (OpenPGP) is to be generated for all internal staff.
3. Do nothing, if rules 1 and 2 are not evaluated.
4. Used if rule 2 was evaluated (no processing).
5. All e-mails that are sent from within the organization to an outside recipient are always to be encrypted with S/MIME or OpenPGP. If this is not possible, they are to be sent in plain (unencrypted) text.

Optional rules:

1. All e-mails that have "private", "confidential", "secret" or "contract" in their subject line are to be encrypted and signed. If no key is found, PDFMail is used to perform the encryption.
2. If the company lawyer sends an e-mail to the Board of Directors, this e-mail should not be processed by your SafeGuard MailGateway's secure e-mail service. It only passes this e-mail on (end-to-end encryption).
3. If the Board of Directors sends an e-mail to the company lawyer, this e-mail should not be processed by your SafeGuard MailGateway's secure e-mail service. It only passes this e-mail on (end-to-end encryption).
4. All inbound e-mails should be decrypted and archived with a signature. After this, the original e-mail is passed on to the rule "Decryption for internal" for further processing, with the help of chaining.

So that your SafeGuard MailGateway also evaluates these rules correctly you must now sort them. When doing so you must note which are general rules and which are special rules. The secure e-mail service evaluates the rules in the table from top to bottom.

The base rules are general rules. They affect all of your in-house domains. The optional rules are special rules which complete, refine or restrict the general rules (base rules). Consequently you must sort the base rules and the optional rules in the table in the "Policy" window in the way shown in the table below:

No. | Name                | Description                             | Subject | Break | Condition                | Action
1   | Lawyer              | Lawyer > Directors                      | -       | Yes   | Sender: <@anwalt.de>     | DON
2   | Incoming e-mails    | External > Internal, archiving          | -       | No    | Recipient:               | DEC; FWD
3   | Decryption internal | Decrypt incoming e-mails                | -       | Yes   | Recipient: <*company.de> | DEC
4   | Generate key        | Generate standard key                   | -       | No    | Sender: <*@company.de>   | GEN, CHA
5   | Breaking rule       | Breaking rule                           | -       | Yes   | Sec: *                   | DON
6   | Separator rule      | Separator rule                          | -       | No    | Sec: *                   | DON
7   | Board of Directors  | Directors > Lawyer                      | -       | Yes   | LDAP attributes          | DON
8   | E-mail subject line | private, confidential, secret, contract | -       | Yes   | E-mail subject           |
9   | Internal encryption | Rule for in-house encryption            | +       | No    | Sender: <*@company.de>   | ENC, CHA

Reason:

Rule 1 is a special, breaking rule (optional). If this rule matches an e-mail, no other rules should be evaluated.
Rule 2 is a special rule with chaining to Rule 3. This rule supplements the general Rule 3 (internal decryption).
Rule 3 is a general rule for internal decryption (base rule).
Rule 4 is a general rule for the company.de domains (base rule) and concerns outbound e-mails.
Rule 5 is a general rule (base rule) which ensures that all e-mails that have not been evaluated by previous rules are passed on in their original condition.
Rule 6 is a general rule (base rule). It is applied after Rule 3.
Rule 7 is a special, breaking rule. If this rule matches an e-mail, no other rules should be evaluated.
Rule 8 is a special rule that refines the general Rule 9 (internal encryption).
Rule 9 is a general rule for internal encryption (base rule).

Now that you have sorted the rules in the table in the "Policy" window, here are some examples to show you how the rules are evaluated if an e-mail is sent to your SafeGuard MailGateway.

After your SafeGuard MailGateway has been installed, a user sends an e-mail outside the organization for the first time.

Rules 1 to 3 are not applied because they only affect e-mails that are being sent to your domains. This is not the case for this e-mail. As no keys have yet been generated for the internal users, Rule 4, "Generate key", is now evaluated for the first time. Transfer to Rule 6. The next rule that matches this e-mail is Rule 6 (Separator rule). After that, the e-mail goes to Rule 7; if an in-house e-mail was sent from the Board of Directors to the lawyer, this rule is applied and processing ends here. Otherwise, the e-mail goes to Rule 8, which is not evaluated here as there is no matching subject line. Base rule 9 (Internal encryption) also fits this e-mail and is evaluated.

The Management Board sent an e-mail that was encrypted on the client to the company lawyer.

Here Rule 4, "Generate key", is now evaluated for the first time. Transfer to Rule 6. The next rule that matches this e-mail is Rule 6 (Separator rule). After that, the e-mail goes to Rule 7; as it was sent from the Board of Directors to the lawyer, this rule is applied and processing ends here. As the e-mail was encrypted on the client, and not by your SafeGuard MailGateway, none of the other rules are applied.

An internal user sends an e-mail out of the organization, and it contains the word "confidential" in the subject line. Your SafeGuard MailGateway has already generated a key for all staff.

The e-mail matches Rule 4 (already completed), Rule 6 (does nothing) and Rule 8. Since Rule 8 is a breaking rule, no other rules are evaluated.

An encrypted and signed e-mail is sent to your internal domains from outside.

In this example, Rule 2 fits: it decrypts and verifies all inbound e-mails and archives them with their attached signature. After that the e-mail goes to Rule 3, which performs standard decryption for internal e-mails. Since Rule 3 is a breaking rule, no other rules are evaluated.


10.2.4. Status messages in the Subject line

The secure e-mail service also configures the entries for status messages in the subject line. You define this under Services → Secure E-mail → Subject Messages.

10.2.5. Commands for the Subject line

You can also use the secure e-mail service to configure commands for subject line control. These are also defined under Services → Secure E-mail → Commands. The fixed rules that you specify in the SafeGuard MailGateway include an option for allowing your members of staff to use subject line control. Here the sender of an e-mail can define whether the e-mail is to be signed or encrypted. The sender can also decide which procedure (S/MIME, OpenPGP, PrivateCrypto or PDFMail) should be used. Because you are the administrator you can define in the rules who is allowed to use subject line control and what they are permitted to influence. Subject commands are allowed if any of the matching rules contains the activated option Subject commands permitted. When you, as the administrator, permit a sender to use subject line control, the subject line of the e-mail is analyzed. If the subject line contains the text {command}, this command is evaluated and the e-mail is processed accordingly. Depending on the particular configuration the command can stand either At the beginning of the subject, At the end of the subject or Anywhere in the subject. Especially for encryption and signing rules you have to decide whether commands are allowed to overrule the fixed rule. For that, you have to activate the option May override policy. Additional information about commands is provided in a separate set of instructions that you should give to your members of staff (e-mail users).
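To make the top-to-bottom evaluation of Section 10.2.3 and the subject-command check of Section 10.2.5 concrete, here is an added model in Python (example code written for this page, not part of SafeGuard MailGateway): the nine rules of the sorted table above, evaluated with "Breaking rule" stopping and "Chaining" jumping ahead, reproducing the four walkthroughs. The Mail fields, the addresses, the position setting, and the reading of rule 9's "+" in the Subject column as "Subject commands permitted" with "May override policy" are assumptions of this example.

```python
"""Added model (not part of the Sophos manual) of how the secure e-mail service
walks the sorted rule table of Section 10.2.3 and applies the subject-command
check of Section 10.2.5. Rule names, conditions and jumps follow the nine-row
table; Mail fields, addresses and the 'position' setting are assumptions."""
from collections.abc import Callable
from dataclasses import dataclass
from typing import Optional
import re

@dataclass
class Mail:
    sender: str
    recipient: str
    subject: str = ""
    encrypted: bool = False                     # already encrypted on the client
    sender_groups: frozenset = frozenset()      # LDAP memberOf of the sender
    recipient_groups: frozenset = frozenset()   # LDAP memberOf of the recipient

@dataclass
class Rule:
    name: str
    matches: Callable[[Mail], bool]
    actions: list                    # DON / DEC / FWD / GEN / ENC / SIG as in the table
    breaking: bool = False           # "Breaking rule": nothing below is evaluated
    chain_to: Optional[int] = None   # "CHA": 1-based row to continue with
    subject_commands: bool = False   # "Subject commands permitted"
    may_override: bool = False       # "May override policy"

KEYWORDS = ("private", "confidential", "secret", "contract")
BOARD = "Board of Directors"

def company(addr: str) -> bool:
    return addr.lower().endswith("@company.de")

def lawyer(addr: str) -> bool:
    return addr.lower().endswith("@anwalt.de")

# The sorted table of Section 10.2.3, rows 1..9. Rule 9's "+" in the Subject
# column is read here as "subject commands permitted, may override" (assumption).
RULES = [
    Rule("Lawyer", lambda m: lawyer(m.sender) and m.encrypted
         and BOARD in m.recipient_groups, ["DON"], breaking=True),
    Rule("Incoming e-mails", lambda m: company(m.recipient)
         and not company(m.sender), ["DEC", "FWD"], chain_to=3),
    Rule("Decryption internal", lambda m: company(m.recipient), ["DEC"], breaking=True),
    Rule("Generate key", lambda m: company(m.sender), ["GEN"], chain_to=6),
    Rule("Breaking rule", lambda m: True, ["DON"], breaking=True),
    Rule("Separator rule", lambda m: True, ["DON"]),
    Rule("Board of Directors", lambda m: BOARD in m.sender_groups and m.encrypted
         and lawyer(m.recipient), ["DON"], breaking=True),
    Rule("E-mail subject", lambda m: any(k in m.subject.lower() for k in KEYWORDS),
         ["ENC", "SIG"], breaking=True),
    Rule("Internal encryption", lambda m: company(m.sender), ["ENC"],
         subject_commands=True, may_override=True),
]

def evaluate(mail: Mail) -> list[str]:
    """Names of the rules applied to `mail`, in evaluation order (top to bottom)."""
    applied, i = [], 0
    while i < len(RULES):
        rule = RULES[i]
        if not rule.matches(mail):
            i += 1
            continue
        applied.append(rule.name)
        if rule.breaking:
            break
        nxt = rule.chain_to - 1 if rule.chain_to else i + 1
        if nxt <= i:                            # chaining may only skip forward
            raise ValueError(f"{rule.name}: chaining must jump to a later rule")
        i = nxt
    return applied

_COMMAND = {                                    # {command} at the configured position
    "start": re.compile(r"^\{([^{}]+)\}"),
    "end": re.compile(r"\{([^{}]+)\}$"),
    "anywhere": re.compile(r"\{([^{}]+)\}"),
}

def subject_command(mail: Mail, position: str = "anywhere") -> tuple[Optional[str], bool]:
    """(command, may_override): the {command} found at `position` when an applied
    rule has "Subject commands permitted", and whether an applied rule also has
    "May override policy"; (None, False) otherwise."""
    applied = [r for r in RULES if r.name in evaluate(mail)]
    found = _COMMAND[position].search(mail.subject.strip())
    if found is None or not any(r.subject_commands for r in applied):
        return None, False
    return found.group(1), any(r.may_override for r in applied)

if __name__ == "__main__":                      # the walkthroughs of Section 10.2.3
    for mail in (Mail("alice@company.de", "bob@partner.example"),
                 Mail("ceo@company.de", "counsel@anwalt.de", encrypted=True,
                      sender_groups=frozenset({BOARD})),
                 Mail("alice@company.de", "bob@partner.example", subject="Confidential: Q3"),
                 Mail("bob@partner.example", "alice@company.de", encrypted=True)):
        print(f"{mail.sender} -> {mail.recipient}: {evaluate(mail)}")
```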

10.3. PDFMail settings

There are several ways for you to configure PDFMail. You can make global settings that then apply to all secure e-mail rules for which PDFMail is to be used as the encryption method. You can also make settings that are only applied to individual secure e-mail rules. You have the option of using the PDFMail encryption method with or without secure PDF replies. You can configure secure PDF replies for individual secure e-mail rules with the help of a PDF set.

10.3.1. PDF Set

If you want to use the PDFMail encryption method, you can either use the default PDF set or else generate one or more PDF sets which can then be used for one or more secure e-mail rules.


A complete PDF set consists of several components. The table below explains all fields of a PDF set.

PDF set name: Please enter a unique name for this cover set. This name will be shown when selecting the cover set in the PDF rules.

Allow PDFMail reply: Here you can decide if you want to provide a secure way to reply to a PDFMail. If you activate this option, an additional page containing the reply link will be attached to the PDFMail.

PDF set description: Here you can enter a short description.

Upload PDF cover file: Here you can upload the cover for PDFMail. This cover will be prefixed to the actual e-mail. If you do not upload a cover, no cover will be used for PDFMail.

Upload company logo for secure PDFMail reply: On the secure reply page you can see a company logo. This logo can be uploaded here. If you do not upload a logo, the logo of the "Default CoverSet" will be used.

Displayed FQDN for secure PDFMail reply: Enter the name which the recipient of a PDFMail can use to connect to the gateway from the outside. If you do not enter an FQDN, the URL defined at PDF Settings will be used.

PDF plain text: Here you can define the plain text part of a PDFMail. If you do not define anything, the plain text part of the "Default CoverSet" will be used.

PDF register text: Here you can enter the text of the e-mail which is sent to the recipient in case of self-registration. It is mandatory that the e-mail contains the placeholder $$LINK$$. If you do not define anything, the register text of the "Default CoverSet" will be used.

After your SafeGuard MailGateway has been installed, there is already a default PDF set called "Default CoverSet". In this "Default CoverSet", Secure PDF reply has already been activated, Sophos' cover sheet is used, Sophos' logo is displayed on the Secure Reply page and the link for the Secure Reply page is taken from the global settings (URL for Secure PDF reply). If you want to use the SafeGuard MailGateway for hosting for several business partners, then having one cover set is not adequate for your needs. You must then create one or more PDF sets for each business partner to whom you want to make the SafeGuard MailGateway's services available. Each of these PDF sets should then also be specially customized to suit that business partner (own cover sheet, own logo for the Secure Reply page and, if required, also a dedicated link to the Secure Reply page).

10.4. The Postfix service

The Postfix service is responsible for sending processed e-mails. It sends e-mails both to the Internet and within your organization. Your network structure determines where this service sends the e-mails.


The example used here shows a network structure you are already familiar with.

Example B

A company has a firewall. The company has an internal e-mail server (IP address 10.1.1.25). The company has an external e-mail server in its DMZ (IP address 10.255.255.25). The SafeGuard MailGateway is to transfer all outgoing e-mails to this e-mail server. Incoming e-mails will only be accepted by this e-mail server.

Figure 10.12. Network topology

You must enter this data in web management in the mailer table. This is the correct mailer table entry for the network example shown above:

Domain      Mailer
company.de  SMTP:[10.1.1.25]
*           SMTP:[10.255.255.25]

The first entry ensures that everything with company.de in the e-mail address is sent to company.de (the internal e-mail server). The second entry (asterisk) ensures that every other e-mail goes to the external e-mail server.


11 Installation

You have received an installation CD which contains a CentOS-based Linux distribution and the SafeGuard MailGateway application. The installation runs automatically from this CD. It installs CentOS plus the SafeGuard MailGateway application. As a result, you do not need to install the CentOS Linux operating system first and then install the SafeGuard MailGateway application. The SafeGuard MailGateway application can be installed very easily. It is supplied on a bootable installation CD-ROM that you use to install all the software you require (including the operating system and drivers). However, when you install the SafeGuard MailGateway application, this process will automatically format your hard disk, and therefore all the data currently present on your computer will be deleted.

11.1. Preparing for installation

Before you start the installation process, you must take a couple of preventive measures to ensure that everything runs smoothly. Configure your hardware so you can boot from the installation CD-ROM.

If the BIOS supports booting from USB CD-ROM, you can also use an external USB CD-ROM drive.

When you install the SafeGuard MailGateway you will be assigned a number of passwords, so have something ready for noting them down. Once the installation is complete, make sure you keep your notes about the passwords in a safe place. You will need passwords for web management administration. If someone else can access this data, they then may be able to manipulate your SafeGuard MailGateway. If you lose the passwords, you have to reinstall the SafeGuard MailGateway.

11.2. Performing the installation

You have now made the following preparations:

• You have got something ready for noting down the passwords.
• You have a valid license file, which is usually supplied by e-mail.
• You know the IP address of the SafeGuard MailGateway.
• You know the hostname of the computer.
• You know the network masks.
• You know the IP address of the default router.
• You have a monitor and a keyboard connected to the computer.
• You have modified the BIOS so the computer can boot from CD-ROM.

Insert the installation CD in the SafeGuard MailGateway's CD-ROM drive. The computer now boots from CD-ROM. Wait until this prompt appears:

• This is Sophos SafeGuard MailGateway.
• To install Sophos SafeGuard MailGateway press the key.
• Automatic boot from the next boot medium will commence in 30 seconds.

Now press ENTER within the next 30 seconds to run the installation. If you do not, after 30 seconds the program automatically boots from hard disk.

11.2.1. CD Found

Here you can decide whether to test the CD you have inserted in the drive before performing the installation. This is a CentOS feature. Click either OK or Skip to continue the installation. If you perform the CD test, the CD will be ejected afterwards and you have to insert it again. In the case of an installation in VMware, this ejection can easily be overlooked.

11.2.2. Welcome to SafeGuard MailGateway

Now click OK to continue the installation.

11.2.3. License Agreement

Please read the license terms and conditions, and click the I Accept button if you agree to them. If you do not agree with the terms and conditions of the license, click Exit. The installation is then interrupted.

11.2.4. Keyboard Selection

Please select the language (keyboard layout) you require for your keyboard and then click OK to confirm this.


11.2.5. Warning

If you are using a hard disk on which an installation has already been performed, a warning message appears at this point. Click the Yes button to confirm this message and continue with the installation.

11.2.6. Warning

This warning message tells you that Sophos accepts no responsibility for any loss of data on this hard disk. Please read this warning message carefully. Then type in the word "ACCEPTED" and click OK.

11.2.7. Network Configuration

Here, enter the IP address of the network connection and, if necessary, the network mask. If you want to configure static routes, you have to press Route. In the following window you can add and delete static routes. You can quit the window by clicking OK.

11.2.8. Miscellaneous Network Settings

Here, enter the IP address of the default router. You can also enter details about the DNS here. Then click OK to finish.

11.2.9. Hostname Configuration

This is where you enter the host name (Fully Qualified Domain Name) that you want to specify for your SafeGuard MailGateway. The hostname must be complete, i.e. it must also include a domain (e.g. SGMG.company.de). Then click OK to finish.

11.2.10. Time Zone Selection

Use the direction keys to select the required time zone, and then click OK to confirm. The installation now continues. This may take a few minutes.

11.2.11. Date and Time Configuration

Please enter the correct time, as described in the window, and then click OK to confirm.

11.2.12. Reboot

Your Linux installation is now complete. You must restart the computer and then make a few more important settings for your SafeGuard MailGateway. To do so, click Reboot to continue.


11.2.13. SafeGuard MailGateway Configuration

Click Next to continue.

11.2.14. System

Here, enter the password for the Unix "root" user. You then need to enter the password again. Click Next to confirm your entries. You use this password to log on to the console as the "root" user, or to log on via SSH from your administrator PC, if you want to work on the SafeGuard MailGateway with a Unix shell. All the rights on the SafeGuard MailGateway are assigned to the Unix "root" user, which allows them to act as the system administrator. As a result, they can access any file and can administer the SafeGuard MailGateway without any restrictions. The password must start with a letter.

11.2.15. Web Management

Here, enter a unique login name and the web management password (which you must enter twice). Then click Next to confirm your entries.

11.2.16. Internal e-mail domain

Enter your in-house domains here. The domains you specify here are used to generate the base rules for your SafeGuard MailGateway.

11.2.17. Certificate Authority (CA)

• Enter the Common Name here first.
• Then specify the Organization Unit.
• Enter the name of your organization.
• Then your country. Only use two letters to enter this data (for example United States of America = us).
• Now enter the password for the CA and enter your password again.
• Click Next to confirm your entries.

11.2.18. Exit

Click Exit to close the installation.


12 Setting up Administrator Access

This chapter describes how you give your administrators access to the SafeGuard MailGateway from your admin PC.

12.1. Setting up web management (SSL access)

The SafeGuard MailGateway is managed over the network with a browser. This communication process is sensitive and needs good protection, so it is encrypted with SSL. In addition, you can use passwords to ensure secure authentication between the SafeGuard MailGateway and the administrator. For smooth operation during administration, the browser must support these functions:

• JavaScript
• Cookies
• Cascading Style Sheets
• SSL encryption with 128-bit keys

12.2. Setting up console and file transfers (SSH access)

In a "normal situation" you can administer the SafeGuard MailGateway over web management. However, in these cases you will have to access it via the console:

• restoring a backup
• saving logs
• evaluating logs on the SafeGuard MailGateway
• examining e-mails that have not been processed
• etc.

For a secure SSH connection you must have the appropriate Windows client software on your administrator PC. This is not included in the SafeGuard MailGateway delivery. The SafeGuard MailGateway has been tested successfully with this SSH client software:

• PuTTY
• Winscp
• puttygen (SSH client authentication)

You can download PuTTY from this website: http://www.openssh.org

You can download Winscp from here: http://winscp.net

12.3. Installing and setting up PuTTY (console access)

• Install the software on your administrator PC and start PuTTY.exe. The "PuTTY Configuration" window is displayed.
• Enter the host name or the IP address of your SafeGuard MailGateway as the "host name" (or IP address).
• Activate SSH under Protocol (if it is not already active). The correct port is selected automatically.
• Enter a name (for example SGMG) under Saved Session and then click on Save. You can now call up the SSH connection to your SafeGuard MailGateway automatically.
• Under Connection, activate SSH and check whether 2 only or 2 is activated under Preferred SSH protocol version:.

Do not under any circumstances select 1 only or 1 as the SSH protocol version.

• Now click on Open. The console access window to your SafeGuard MailGateway is displayed.
• Here, enter "root" at login as: and then the password assigned to the "root" user during installation.

You have now successfully created a secure SSH connection (console access) to your SafeGuard MailGateway.

12.4. Installing and setting up Winscp (file transfers)

• Install Winscp so that the "puttygen" program is installed at the same time.
• First start Winscp on your administrator PC. The "WinSCP Login" window is displayed.
• Enter the host name or the IP address of your SafeGuard MailGateway as the Hostname.
• Enter "root" as the User name.
• Now click on Save. This means you do not need to enter the IP address and the user name the next time you create the connection. The application opens a window in which the "stored sessions" are saved.
• Click on the connection stored in the center of the window and then click on Login.
• In the next window, enter the "root" password and confirm it by clicking OK. You can ignore the "Error loading up user groups" error message.

You have now successfully created a secure SSH connection (file transfers) to your SafeGuard MailGateway.

12.5. Setting up puttygen (SSH client authentication)

You have already installed the puttygen software on your computer together with the Winscp software.

• Start the "Puttygen" software on your administrator PC.
• Next to Number of bits in a generated key, enter the number of bits that the system is to use to generate the key (1024/2048).
• Under Parameters and Type of key to generate: click on SSH2 RSA or SSH2 DSA.

You should not under any circumstances select SSH1 (RSA) as the Type of key to generate.

• Click on Generate and move the mouse pointer over the empty field in the window. Two SSH keys are now generated.
• Now enter a name for the public key next to "Key comment".
• You must now save both keys to your administrator PC. However, the SafeGuard MailGateway (Linux) must perform a few more steps before it can process an SSH public key generated by puttygen. This is because the PuTTY program was designed for Windows.

Do not under any circumstances click on Save public key to save public SSH keys! To save the public SSH key you must perform these steps carefully.

• In the field where the key is displayed (as shown above), use the mouse pointer to mark the entire key and copy it to the Clipboard (Ctrl+C).
• Now open the "Notepad" program and paste in the key from the Clipboard (Ctrl+V).
• Give the public key a name (for example, companysshpublic) and then save it. The format you use does not make any difference to your SafeGuard MailGateway (Linux).
• Now enter "PuTTY Key generator" in the window and then a passphrase in the Key passphrase: field. This is the passphrase that will be used for the private key. Enter the passphrase again. (This entry is optional!)
• Now click Save private key and give the key a name (for example, companysshprivate).

You then have to make your SSH public key accessible to your SafeGuard MailGateway. For that reason, you must save the SSH public key to your SafeGuard MailGateway.

• To do so, start the Winscp software and log in.
• In the SafeGuard MailGateway, open the .ssh folder and copy your SSH public key into it. If the /root/.ssh folder is not displayed, go to "Winscp" and open the Preferences window under Options. There, click on Panels and check whether Show Hidden files is selected under Common.

Now you access your SafeGuard MailGateway via the console to generate the authorized_keys file and link it with your SSH public key.

• Use PuTTY to access your SafeGuard MailGateway via the console.
• Change to the /root/.ssh folder with the command: cd /root/.ssh
• Now enter this command: cat companysshpublic >> authorized_keys

"companysshpublic" is only used here as an example!

This command generates the authorized_keys file and links it to the public key "companysshpublic". You must now reconfigure the PuTTY software for console access.

• Start Putty.exe for console access.


• Under Saved Sessions:, select SGMG or one of the sessions you saved.
• Click Load.
• Under Category, click Connection and enter "root" as the Auto-login Username.
• Under Category and SSH, select Auth and then click on Browse.. under Private key file for authentication to select your private SSH key.
• Under Category, click on Session and then click on Save to save your settings.
• Now click on Open.

If you have followed these steps correctly, you are prompted to enter the passphrase here. Please enter the passphrase. You have now successfully generated SSH keys for SSH client authentication and used your SSH key to log onto the SafeGuard MailGateway.
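As an added example (written for this page; not part of the manual, of SafeGuard MailGateway or of PuTTY), the following Python helper shows why the procedure above forbids Save public key: puttygen writes the RFC 4716 block format there, while authorized_keys needs the single-line OpenSSH form you get by copying the key from the puttygen window. The helper accepts either form, checks that the key type matches the key blob, emits the one-line form, and appends it once with the permissions sshd requires. The key material is constructed (not a real key) and the default path /root/.ssh/authorized_keys is taken from the manual's procedure.

```python
"""Added helper (not part of the Sophos manual or of PuTTY) for the public key
step of Section 12.5: puttygen's "Save public key" writes the RFC 4716 block
format, which sshd does not accept in authorized_keys, whereas the key copied
from the puttygen window is the single-line OpenSSH form. Key material below is
constructed, not a real key."""
import base64
import pathlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
ACCEPTED = {"ssh-rsa", "ssh-dss"}        # the SSH2 types puttygen offers in Section 12.5

def _blob_type(blob: bytes) -> str:
    """The first length-prefixed string of the wire blob names the key type."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > len(blob) - 4:
        raise ValueError("corrupt key blob")
    return blob[4:4 + n].decode("ascii")

def parse_rfc4716(text: str) -> tuple[bytes, str]:
    """(blob, comment) from a '---- BEGIN SSH2 PUBLIC KEY ----' block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key block")
    headers, body, cont = {}, [], None
    for ln in lines[1:-1]:
        if cont is not None:                     # continuation of a folded header
            headers[cont] += ln.rstrip("\\")
        elif ":" in ln and not body:             # "Name: value" header line
            name, _, value = ln.partition(":")
            cont = name.strip()
            headers[cont] = value.strip().rstrip("\\")
        else:                                    # base64 body line
            body.append(ln)
            continue
        if not ln.endswith("\\"):
            cont = None
    blob = base64.b64decode("".join(body), validate=True)
    return blob, headers.get("Comment", "").strip('"')

def parse_openssh(line: str) -> tuple[str, bytes, str]:
    """(type, blob, comment) from one 'type base64 [comment]' line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    if _blob_type(blob) != parts[0]:
        raise ValueError("type field does not match the key blob")
    return parts[0], blob, parts[2] if len(parts) == 3 else ""

def to_authorized_keys_line(text: str) -> str:
    """Normalise either format to the single line authorized_keys expects."""
    text = text.strip()
    if text.startswith(BEGIN):
        blob, comment = parse_rfc4716(text)
        ktype = _blob_type(blob)
    elif "\n" in text:
        raise ValueError("an OpenSSH public key must be a single line")
    else:
        ktype, blob, comment = parse_openssh(text)
    if ktype not in ACCEPTED:
        raise ValueError(f"unsupported key type {ktype!r}")
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}".rstrip()

def append_authorized_key(line: str, path: str = "/root/.ssh/authorized_keys") -> bool:
    """Append `line` once (False if already present) and set the permissions
    sshd's StrictModes expects: 0700 on .ssh, 0600 on authorized_keys."""
    p = pathlib.Path(path)
    p.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    present = p.read_text().splitlines() if p.exists() else []
    if line in present:
        return False
    with p.open("a") as fh:
        fh.write(line + "\n")
    p.parent.chmod(0o700)
    p.chmod(0o600)
    return True

def _mpint(i: int) -> bytes:
    raw = i.to_bytes((i.bit_length() + 8) // 8, "big")   # leading 0x00 keeps it positive
    return struct.pack(">I", len(raw)) + raw

def constructed_rsa_blob() -> bytes:
    """A well-formed ssh-rsa blob with a toy modulus (constructed, NOT a real key)."""
    modulus = int.from_bytes(b"constructed-toy-modulus-not-real", "big")
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(modulus)

def constructed_rfc4716(blob: bytes, comment: str) -> str:
    """What puttygen's 'Save public key' writes for `blob` (constructed sample)."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'{BEGIN}\nComment: "{comment}"\n{body}\n{END}\n'

if __name__ == "__main__":
    saved = constructed_rfc4716(constructed_rsa_blob(), "companysshpublic")
    print(to_authorized_keys_line(saved))
```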


13 Web Management

This chapter provides an overview of your SafeGuard MailGateway's web management so that you can become familiar with how to use it as quickly as possible.

13.1. Logging onto Web Management (browser)

Your SafeGuard MailGateway's web management is addressed via port 59. You must therefore enter the URL for your SafeGuard MailGateway in this format: http://SGMG.company.de:59

13.2. Main menu

The main menu appears at the very left-hand side in web management and has a maximum of two menu levels. Each menu level is responsible for a specific aspect in web management.

13.3. Title

The title area appears in the upper part of each window. The window you have just opened is displayed here, as well as a number of important buttons such as Save, Apply, Cancel, Back and Help that are shown on the right. On the left, in the title area, you can call up other submenu items (tabs) of the main menu item you have selected.

13.4. Administration

This is where the actual administration in web management takes place. A number of different menus are displayed in this area. You can select them either via the main menu or via the tabs in the title area.

13.5. Important buttons

Save: Click on this button to save your settings in web management. If you quit the area you have just processed without saving, all your changes will be lost. Web management will remind you about this before it happens.

Cancel: Click on this button to reject all the changes.

Help: Click on this button to open a help window. If the area in which you call up help consists of several pages, a help page appears for each individual page.

Back: Click on this button to return to the main page of the area you are currently working in. You will see this button, for example, on the help pages. You should always use web management's Back button and not the <- button in your browser!

Apply: Click on this button to transfer all the changes that were made in web management (for example, to current connection rules or to processed users) to the appropriate table. If you want to make these changes permanent, you must then click on Save.


14 Setting up Administration

In this chapter we describe how to use web management to set up some important base settings for your SGMG.

14.1. Monitoring

On the left-hand side of the main menu bar, click on Monitor. This web management menu item provides you with these monitoring functions:

• State
• Logbook
• Settings

14.1.1. State

Please click State in Monitoring to display these status messages about your SafeGuard MailGateway:

• Runlevel: Shows the runlevel of the Gateway.
• E-mail queue: Shows you how many e-mails are currently present in the Gateway and what their processing status is.
• Memory usage: Shows the memory usage.
• Harddisk usage: Shows the hard disk load.
• CPU load: Shows the CPU load.
• Uptime: Shows you how long your SafeGuard MailGateway has been running.

In addition to clicking Update, you can specify in the selection menu how often the status display is to be updated. The Network tab page gives you more network information about the status of your SafeGuard MailGateway (TCP and UDP links).


14.1.2. Logbook

If you have selected the menu item Logbook, you can view a statistical evaluation of the log entries under Monitor → Logbook → Statistic. You can use the Search filter to specify the time period for which entries are to be displayed. Click on Details to get more options for displaying the statistical evaluation. Although this statistical evaluation is useful for analyzing log and alarm messages, it can also be used for a number of other purposes. For more information, refer to Section 25.5. The online help will tell you how to use the search filter! Click on the tab Log2ascii to display logbook entries. Here too you have a search filter that you can use to find specific log entries. You can carry out the initial analysis of log and alarm messages at this stage. For more information about how to do this effectively, please refer to Section 25.5.

14.1.3. Settings

Under Monitoring, if you have selected the Settings menu item, you can configure:

• Send alarm messages to: Here, enter the administrator's e-mail address. This means that error messages are now sent directly as e-mails to your own company e-mail address. If you do not enter an e-mail address for the alarm messages, they are "only" written to the log! The "Postfix" service then attempts to send these alarm messages even if you have not specified an e-mail address for them. This may overload the "Postfix" service.
• Logging: Here you specify how much data is to be written to the log. You have a number of options. The default setting here is "medium". This default setting is usually sufficient to allow you to evaluate the log. However, if problems arise you may need to change this setting to "All" so that absolutely everything is written to the log. Data from the ESMTP Proxy and secure e-mail services is recorded in a different place. Under Services/ESMTP in the tab Details you specify which data is to be logged for both these services. The default setting here is also "Medium". However, if problems occur you may need to change this setting to "All" so that absolutely everything involving these services is written to the log.
• Delete all logfiles older than: The SafeGuard MailGateway automatically deletes all old log files. Here you can define after which time the log files should be deleted. The predefined time span is two years. All log files mentioned in Section 7.7 and Section 7.8 are affected.


When you have finished editing in this window, remember to click Save. Click on Details to set the resource monitoring parameters. We strongly recommend reading the online help on this.

14.2. System
Click on the menu item System in the main menu bar to display the following options:
• Runlevel
• Update
• Changelog
• License
• Backup

14.2.1. Change Runlevel
The operating state (runlevel) defines how your SafeGuard MailGateway functions. You can select one of these operating states:
• Shut down: The SafeGuard MailGateway software and its operating system are shut down in an orderly manner. As with all modern operating systems, we recommend that you do this before you switch off the SafeGuard MailGateway.
• Reboot: The SafeGuard MailGateway software and its operating system are restarted. During this operation the SafeGuard MailGateway and its web management are unavailable.
• Block all connections: The ESMTP Proxy service no longer accepts e-mails, but you can continue administering the SafeGuard MailGateway over the network. This operating state is primarily designed for maintenance tasks or for temporarily closing the SafeGuard MailGateway to e-mail traffic.
• Gateway operation: The SafeGuard MailGateway runs normally.
Once you have selected an operating state, click on the button Set runlevel.
You can also change the SafeGuard MailGateway's operating state from the console with the following commands:

Operating state         Console command
Shut down               init 0 or stop
Reboot                  init 6 or reboot
Block all connections   init 2
Gateway operation       init 3

14.2.2. Update
Sophos provides new updates for the SafeGuard MailGateway on a regular basis. These updates may contain both bug fixes and new features. On the page Update you can configure automatic updates and perform a manual update.
Automatic Updates
By default the SafeGuard MailGateway downloads new updates automatically and informs the administrator; the updates are not installed automatically. You can choose between the following configurations:
• Search for, download and install updates
• Search for updates and download only
• Search for updates only
• Manually
Manual Update
Here you can perform the following actions:

Button              Meaning
Search for updates  The SafeGuard MailGateway checks the update server for new updates.
Download updates    The SafeGuard MailGateway checks the update server for new updates and downloads them. Larger updates take some time, so we recommend activating the automatic download of updates.
Show last changes   If not done before, the SafeGuard MailGateway first downloads the new updates. It then displays the new parts of the changelogs of all new packages; only the parts that differ from the already installed packages are shown.
Install updates     If not done before, the SafeGuard MailGateway first downloads the new updates, then installs them. Larger updates take some time. If the updates contain a new version of the web management, you will be asked to download the file system.php; you can cancel that. The web management will be available again after a few minutes.

14.2.3. Changelog Here you can see the changelogs of the SafeGuard MailGateway RPM packages. By default All is selected, in which case the merged changelogs of all packages are displayed sorted by date. You can also select the changelog of a single package.

14.2.4. License Here you can upload a new license file and display the current one.

14.2.5. Backup If you click on the "Backup" button, the SafeGuard MailGateway downloads a compressed TAR archive containing the configuration files and stored certificates to your administrator PC. You can open the backup with the UNIX tar tool or with "Winzip" on Windows. The backup contains confidential data (such as certificates together with their private keys), so keep it in a secure location. Section 25.11 describes how to restore a backup on your SafeGuard MailGateway.

14.3. Logout This menu item logs you out of web management. We recommend that you click the button Logout to close the secure connection to your SafeGuard MailGateway every time you finish your administration tasks in web management. If you are inactive in web management for 20 minutes, you are automatically logged out! Click on button OK to log onto the SafeGuard MailGateway's web management again.


15 Configuring the Network After installation you must finish configuring your network, depending on how it has been implemented. To do so, click on the menu item Network on the left in the main menu bar.

15.1. General
IP address
You already entered your SafeGuard MailGateway's IP address during installation. Here you can change the IP address and the net mask.
Hostname
You already entered your SafeGuard MailGateway's host name during installation. Here you can change it.
Routing
The following example illustrates a routing configuration. A company has one external router with the IP address 192.168.6.254 and one internal router with the IP address 192.168.6.1. You want the internal router to handle routing to the internal LAN (network 10.0.0.0/8), while the external router (192.168.6.254), acting as the default router, handles routing to the Internet. In this example, the correct entry in web management looks like this:

Figure 15.1. Routing

In most situations you only need to enter a default router!

NTP server
Here you can enter one or more NTP servers that regularly synchronize the time on your SafeGuard MailGateway. Because the SafeGuard MailGateway generates certificates and keys and signs e-mails, it is critical that its clock is correct: certificate validity periods and signature timestamps depend on it.
DNS server
In the simplest case you only need to enter one DNS server here, a server in your internal network that can also resolve external names. In this situation, enter just that one DNS server.
HTTP proxy/HTTPS proxy
If your SafeGuard MailGateway sits behind a proxy firewall, enter the corresponding proxy for http and https here.
LDAP over HTTPS
If you want your SafeGuard MailGateway to perform LDAP queries on external LDAP servers via the https proxy, set this flag.

15.2. Details
In the tab Details you can make a number of additional network settings.
Public LDAP
If you want to allow direct access to your SafeGuard MailGateway's LDAP server from outside, click on the Active checkbox. Normally you can keep the default port (389). If you change the port here, you must also change the default entry for the LDAP server under E-Mail CA → S/MIME → LDAP publishing and E-Mail CA → OpenPGP → LDAP publishing.
Public HKP
Here you specify whether, and on which port, the public HKP key server can be reached. If you activate the HKP server, access is allowed for both external and internal users.
Alias IP addresses
Here you can assign alias IP addresses to your SafeGuard MailGateway. See the online help for details.
Additional host names
Here you can assign additional host names to your SafeGuard MailGateway. See the online help for details.


15.3. PDF-Reply
PDF-Reply
Here you specify whether, and on which port, the PDF Reply server can be reached. By default your SafeGuard MailGateway permits PDF Reply. If you do not want this even though you are using PDFMail, deselect the checkbox.
PDF-Reply server certificate
Access to the PDF-Reply server is secured by a TLS/SSL connection. When your SafeGuard MailGateway is installed, a certificate is generated for the PDF Reply website. Here you can replace that certificate with your own; Section 25.19 describes the basics of exchanging the certificate. Use the buttons Display and Export to display the PDF-Reply certificate currently in use and to export it with or without its private key (for example for a backup).

15.4. Mail output
You must configure mail output so that the "Postfix" program on the SafeGuard MailGateway knows where to send outgoing e-mails. Postfix normally uses DNS (MX lookups) to find the correct e-mail server for outgoing e-mails. However, this does not work in these situations:
• No DNS is available.
• The DNS refers to the SafeGuard MailGateway itself as the e-mail server for an e-mail domain. This results in an endless loop.
You specify the entry for "Mail output" in this format:
* SMTP:[192.168.6.254]
The square brackets around the address tell Postfix to deliver directly to that host without performing an MX lookup.


16 Setting up an E-mail CA This chapter describes how you generate or import an e-mail CA or an e-mail CA Postmaster key for S/MIME and OpenPGP. It also tells you how to integrate a PKI from the TC TrustCenter.

You need a license for the "E-mail CA" feature.

16.1. S/MIME You need an e-mail CA before you can generate user certificates (S/MIME) for your in-house users. You can either import an e-mail CA or generate one. You can also generate user certificates first: if no e-mail CA is present, one is generated automatically along with the user certificate. However, generating user certificates "manually" takes a lot of time and effort, so we recommend that you have them generated automatically by the Secure E-Mail service. On the left of the main menu bar, click on the menu item E-mail CA and then on S/MIME. If you have not yet generated or imported an e-mail CA, you are taken automatically to the tab Internal PKI.

16.1.1. Internal PKI
In this area you make all necessary settings for the S/MIME e-mail CA (Internal PKI and TC TrustCenter).
E-mail CA certificate
A CA certificate (e-mail CA) is the starting point of trust: this e-mail CA issues all subsequent S/MIME certificates for internal users. A CRL (Certificate Revocation List) is generated automatically along with the e-mail CA. In the upper area, "E-mail CA certificate", the values entered during installation (Common Name/Distinguished Name) are preset, together with the default validity periods for the e-mail CA and the CRLs. You can change these values here. Make a note of the validity period of your e-mail CA certificate: if the e-mail CA certificate expires, all user certificates become invalid and no new ones can be generated. Pressing the button Generate generates an e-mail CA and a CRL.
Certificate attributes
You must configure the certificate attributes regardless of whether you generate your internal S/MIME certificates "manually" or automatically via the "Secure E-Mail" service. The "Distinguished Name" is preset from the value entered during installation; the value you enter here applies to all internal S/MIME certificates. If you want to publish a CRL, enter the "CRL Distribution Point" so that your communication partners can find your CRL. If you want to permit OCSP queries, enter the "OCSP address" here so that such queries can be executed. For all other details, refer to the online help.
OCSP Responder certificate
An OCSP query is an alternative to the CRL for checking the validity of certificates: a certificate's status is queried online from an OCSP server. You can also allow the status of your certificates to be queried (OCSP) on your SafeGuard MailGateway from outside. The OCSP Responder certificate is used to sign these OCSP responses. After installation, a certificate appears in this area: it is the SSL server certificate generated for your web management during installation, and it is used for OCSP queries within the SafeGuard MailGateway, which runs an internal OCSP query to check its own S/MIME certificates. It is not suitable for external OCSP queries. Because all your internal user certificates are issued by your e-mail CA certificate, it makes sense to use the e-mail CA certificate as the OCSP Responder certificate. After you have generated an e-mail CA, you can export it from the "E-mail CA certificate" area (including the private key) and import it again in the "OCSP Responder certificate" area. Bear in mind that the e-mail CA private key is then used online by the OCSP responder. This step is only appropriate if you want to permit external OCSP queries for checking your certificates, that is, if you want to run your SafeGuard MailGateway as an "OCSP server". If you want your certificates to be checked via CRL instead, you do not need to change anything in the "OCSP Responder certificate" field.

You do, however, need a license for external OCSP queries to your SafeGuard MailGateway!

16.1.2. Generate users
Choose PKI
Here you choose whether to generate or use an "Internal PKI" or a "TC TrustCenter PKI". If you select "Internal PKI", your SafeGuard MailGateway issues the e-mail CA and the associated user certificates. If you select "TC TrustCenter PKI", your SafeGuard MailGateway "only" generates the S/MIME key pair for your users and sends the public part to the TC TrustCenter, which then issues a user certificate signed by the TC TrustCenter.
Generate certificate for internal user
Here you can generate S/MIME certificates for internal users "manually". To do so, enter the "Common Name" (the user's name) and the e-mail address. This procedure is very time-consuming, but there is a shortcut: you can specify in the rules (Services → Secure E-Mail) that S/MIME certificates are generated automatically for internal users who do not yet have one. If you use this shortcut, you do not need to generate S/MIME certificates for your internal users here.
Generate certificates for existing users
If your S/MIME user certificates will expire soon, you can generate and distribute new S/MIME certificates for your internal users here, so that they are already using the new certificates before the old ones expire. In "Generate before expiration", enter a value in days (e.g. 60d) to specify how many days before the "old" certificates expire the new ones are generated. "Generate for all internal users" applies to all certificates, whether imported, generated by the rules or generated manually. "Generate for users issued by this e-mail CA" applies only to certificates issued by your SafeGuard MailGateway's e-mail CA. "Generate for users with the rule option generate" applies only to certificates generated by your SafeGuard MailGateway's rules (Secure E-Mail).

16.1.3. TC TrustCenter
In this area you make all necessary settings for your TC TrustCenter account. Here you also configure the "Certificate attributes" for the S/MIME user certificates issued by the TC TrustCenter. If you have selected "Internal PKI", you do not need to make any settings here.
Account settings
• First import the SSL certificate for secure communication with the TC TrustCenter and enter its PKCS#12 password. You have to generate this SSL certificate on the TC TrustCenter website.
• Then enter the "Account name" of your TC TrustCenter account. The "Account name" usually matches your company name. You can find the exact name on the TC TrustCenter website under Configuration → Settings → Account settings → Account name.
• Enter a "Timeout" value that matches the "Maximum Processing Time Request and Issuance of Certificates" described in the Service Level Agreement (SLA) Report from the TC TrustCenter. The TC TrustCenter will tell you the value to enter here.
Use the buttons Display and Export to display the imported SSL certificate and to export it with or without its private key (for example for a backup).
Certificate attributes
• Enter the "Key Length" for the S/MIME user certificates.
• Enter a Distinguished Name for the S/MIME user certificates. The Distinguished Name is transferred into the certificate and ensures that a certificate with the same name is never issued to different people.

C=    Country
L=    Locality
O=    Organization
OU=   Organizational Unit

You must fill in all fields of the "Distinguished Name (DN)". Do not forget to save the values you enter.

16.1.4. LDAP publishing
Under E-Mail CA → S/MIME, click on the tab LDAP publishing.
Publish generated user certificate
Here you specify where your internal user certificates, your e-mail CA and your CRL are published. If you want to allow direct access to your SafeGuard MailGateway from outside, select the Public LDAP checkbox under Network in the main menu, tab Details. If you permit access from outside and Public LDAP is active, you do not need to change any of the settings shown here in web management. If, however, you consider this standard setup (direct access to your SafeGuard MailGateway from outside) not "secure" enough, you can install your own LDAP server, for example inside the DMZ. You must set up your own LDAP server completely, including all its folders and paths; the SafeGuard MailGateway cannot create folders or paths for you. Once your own LDAP server is set up, enter the relevant data under "LDAP publishing" so that your e-mail CA, CRL and internal user certificates are published on that server. See the online help for details of the data to enter.

16.2. OpenPGP
With OpenPGP keys you can generate a user key for your in-house users directly. If no e-mail CA Postmaster key is present, one is generated along with the user key. We recommend the same procedure as for S/MIME: if no key is present, let the Secure E-Mail service generate an internal OpenPGP key automatically. An e-mail CA Postmaster key must, however, be present before you can do this.

16.2.1. E-mail CA postmaster key
On the left of the main menu bar, click on the menu item E-mail CA and then on OpenPGP. If no e-mail CA Postmaster key is present, you are taken automatically to the tab Postmaster. Here you can either generate or import an e-mail CA Postmaster key.
E-mail address/Comment
Enter a global e-mail address (for example a postmaster address of your domain) and a comment. The e-mail address and the comment correspond to the common name used for S/MIME and uniquely identify the e-mail CA Postmaster key.
Validity period
With OpenPGP keys you do not usually have to enter an expiration date. Leave this field blank if you want your e-mail CA Postmaster key to remain valid indefinitely.
Designated Revoker
If a second OpenPGP key is to be able to revoke your e-mail CA Postmaster key, enter the fingerprint and the format of that OpenPGP key here. The Designated Revoker plays the role of the "E-mail CA" for your Postmaster key and, for security reasons, should not be stored on your SafeGuard MailGateway. With a Designated Revoker you create a revocation key for your e-mail CA Postmaster key that can declare the Postmaster key invalid. If you leave this field blank, only you can revoke your e-mail CA Postmaster key.

16.2.2. LDAP publishing
Here you specify where your e-mail CA Postmaster key and your OpenPGP user keys are published. By default your OpenPGP keys are published on the LDAP server running on the SafeGuard MailGateway; if this is acceptable, do not change anything here. If, however, you want to use your own "external" LDAP server or a key server (OpenPGP only) that is not running on your SafeGuard MailGateway, select the Public LDAP checkbox under Network in the main menu, tab Details.

16.2.3. Generating users
In the upper part of the window you can generate OpenPGP keys for internal users. This procedure is very time-consuming, but there is a shortcut: you can specify in the rules (Services → Secure E-Mail) that OpenPGP keys are generated automatically for internal users who do not yet have one. If you use this shortcut, you do not need to generate OpenPGP keys for your internal users here.
Generate OpenPGP key for an internal user
Here you can generate OpenPGP keys "manually" for your internal OpenPGP users.
Generate OpenPGP keys for existing users
Enter a value in days (e.g. 60d) to specify how many days before expiration a new OpenPGP key is generated for a user. You can also specify whether new keys are generated for "all internal users" or only for "users with the rule option generate".
Common OpenPGP key settings
In this part of the window you make settings that apply to all internal OpenPGP keys (just as for S/MIME), regardless of whether a key was generated "manually" or automatically by the Secure E-Mail service.
Comment
Enter a comment indicating that this is a company key.
Validity period
With OpenPGP it is usual to leave this blank so that the key has unlimited validity.
Designated Revoker
If you entered a Designated Revoker when generating your e-mail CA Postmaster key, it appears here automatically. If you do not change anything, the Designated Revoker of your e-mail CA Postmaster key can also revoke your internal OpenPGP keys. If you want a different OpenPGP key to be the Designated Revoker for the internal OpenPGP keys, enter that key's fingerprint here. For security reasons we recommend not storing this Designated Revoker on your SafeGuard MailGateway.


17 Setting up the ESMTP proxy service
The ESMTP Proxy service is responsible for receiving e-mails from internal e-mail servers and for accepting e-mails from the Internet. Section 10.1 describes all the basic information you need about the ESMTP Proxy service. This section explains how to enter the correct rules for the senders and recipients of e-mails that pass through the ESMTP Proxy service. We use the familiar example from Section 10.1, "The ESMTP Proxy service". The aims are:
1. No e-mail can be sent to <*@company.de> from outside and then be relayed back out of the corporate network.
2. No internal e-mail from <*@company.de> can be sent to the Internet by mistake (bypassing the internal e-mail server).
3. No external sender can send an e-mail to <*@company.de> while pretending to use an internal sender e-mail address.
This network configuration is used as an example:
1. The in-house IP address range is 10.0.0.0/8.
2. The internal e-mail server has the IP address 10.1.1.25.
3. The company uses the e-mail domain <*@company.de>.

Figure 17.1. Example A

These rules should be configured. Outgoing e-mails should only be accepted from the internal e-mail server. First complete rule:

Source:      10.1.1.25/32
Sender:      <*@company.de>,""
Recipients:  ,<*@*>
Action:      allow

• In the main menu bar, on the left, click on the menu item Services and then the submenu item ESMTP.
• Enter the IP address 10.1.1.25/32 as the Source.
• Select allow.
• In the table, click on the rule with the IP address 10.1.1.25/32, then click on the button Users and enter ,<*@*> for the recipient and <*@company.de>,"" for the sender.
• Click Apply when you have finished editing and click on Insert. This automatically returns you to the tab General, where you click on Save to finish processing the first rule. You can also process all the rules at once and then click on Save.
Outgoing e-mails from all other computers must be rejected. Second complete rule:

Source:      10.0.0.0/8
Sender:      <*@*>
Recipients:  <*@*>
Action:      block

• Click on New Rule and enter the IP address 10.0.0.0/8 as the Source.
• Select Block and then click on Insert. The new rule is now displayed below in the table.
• In the table, click on the rule with the IP address 10.0.0.0/8, then click on the button Users and enter <*@*> for both the recipient and the sender.
• Click Apply when you have finished editing. Back in the tab General, click on Save to finish processing this rule.
Although the source 10.0.0.0/8 is explicitly blocked and therefore no connection is established, you must still enter a sender and a recipient to complete the rule.
Incoming e-mails should be accepted from any mail server on the Internet. Third complete rule:

Source:      0.0.0.0/0
Sender:      , <*@*>,""
Recipients:  <*@company.de>
Action:      allow

• Click on New Rule and enter the IP address 0.0.0.0/0 as the Source.
• Select allow and click on Insert. The new rule is now displayed below in the table.
• In the table, click on the rule with the IP address 0.0.0.0/0, then click on the button Users and enter , <*@*>,"" for the sender and <*@company.de> for the recipient.
• Click Apply when you have finished editing. Back in the tab General, click on Save to finish processing this rule.
If you have done everything correctly, the table in the tab General should look like this:

Figure 17.2. General tab

The user for rule no. 1 must look like this:

Figure 17.3. Rule 1

The user for rule no. 2 must look like this:

123

Figure 17.4. Rule 2

The user for rule no. 3 must look like this:

Figure 17.5. Rule 3

This completes the configuration of the ESMTP service in the example configuration shown above.

17.1. Setting up the ESMTP proxy for LDAP synchronization
This section is of interest if you want to set up LDAP synchronization against an Active Directory folder. LDAP synchronization can be applied to inbound and to outgoing e-mails; in practice, LDAP synchronization of all inbound e-mail addresses is of primary interest. If you only want to use LDAP synchronization to check all inbound recipient addresses, you only need to adapt one ESMTP rule. If you require checking in both directions, you must adapt two ESMTP rules. The example below shows how to set up LDAP synchronization for both incoming and outgoing e-mails. The aims are:
• All e-mails from the Internet are checked against your Active Directory folder via LDAP synchronization.
• All e-mails from internal senders to the Internet are also checked against your Active Directory folder via LDAP synchronization.
This network configuration is used as an example:
1. The company uses the IP address range 10.0.0.0/8 in-house.
2. The internal e-mail server has the IP address 10.1.1.25.
3. The company uses the e-mail domain <*@company.de>.

Figure 17.6. Example A

Your rule configuration should therefore look like this:

Figure 17.7. Rule configuration

These rules need to be updated. Outgoing e-mails should only be accepted from the internal e-mail server and checked against the Active Directory folder via LDAP synchronization. Rule No. 1:

Source:      10.1.1.25/32
Sender:      <*@company.de:ldap_exist>, ""
Recipients:  , <*@*>
Action:      allow

Incoming e-mails from the Internet should be accepted from any e-mail server and checked against the Active Directory folder via LDAP synchronization. Rule No. 3:

Source:      0.0.0.0/0
Sender:      , <*@*>, ""
Recipients:  <*@company.de:ldap_exist>
Action:      allow

• In the main menu bar, on the left-hand side, select the menu item Services, and then ESMTP.
• In the table, select rule no. 1 with the source 10.1.1.25/32 and click the button Users.
• Update the sender entry as shown in the table above (Sender).
• Click on Accept. You automatically return to the tab page General.
• Select rule no. 3 with the source 0.0.0.0/0 and click the button Users.
• Update the recipient entry as shown in the table above (Recipients).
• Click on Accept. You automatically return to the tab page General, where you finish processing the rule by clicking Save.
The users for the modified Rule No. 1 should look like this:

Figure 17.8. Rule configuration

Figure 17.9. Modified rule 1

126

The users for modified Rule No.3 should look like this:

Figure 17.10. Modified rule 3

This completes the additional configuration of the ESMTP service for LDAP synchronization, using the example configuration described above.
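The three rules of this chapter and the two LDAP-synchronized variants of Section 17.1 can be checked offline with the following added example. It is not Sophos code and does not reproduce the appliance's implementation; it assumes first-match semantics (rules are tried top-down on source address, sender and recipient, the first rule whose three fields all match decides, and a message matching no rule is rejected), that "" in a sender list stands for the empty envelope sender used by bounce messages, and that :ldap_exist requires the address to be present in the directory. The directory content, the host addresses, the evaluate() function and the Rule class are all constructed for the example. Note that with the rules exactly as printed above, a message from the Internet carrying a <*@company.de> sender address is accepted by rule 3; the example therefore adds an explicit block rule ahead of rule 3 to enforce aim 3. Whether the appliance needs such a rule is not stated in this manual.

```python
"""Added example (not Sophos code): first-match evaluator for the ESMTP
proxy rule tables of chapter 17 and section 17.1.

Assumed semantics (not documented behaviour of the appliance):
- rules are tried top-down; the first rule whose source, sender and
  recipient all match decides; no match means the message is rejected;
- "" in a sender list denotes the empty envelope sender (MAIL FROM:<>);
- "<pattern:ldap_exist>" additionally requires the address to exist in
  the directory.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the Active Directory folder of section 17.1.
DIRECTORY = {"alice@company.de", "bob@company.de"}


@dataclass
class Rule:
    source: str        # CIDR of the connecting host
    senders: list      # patterns as written in the manual's tables
    recipients: list
    action: str        # "allow" or "block"
    name: str = ""


def _match_addr(pattern: str, address: str, directory) -> bool:
    """Match one envelope address against one entry of a sender/recipient list."""
    pattern = pattern.strip()
    if pattern in ('""', ""):              # empty-sender entry (assumed meaning)
        return address == ""
    if address == "":
        return False
    pattern = pattern.strip("<>")
    ldap_check = pattern.endswith(":ldap_exist")
    if ldap_check:
        pattern = pattern[: -len(":ldap_exist")]
    if not fnmatch.fnmatchcase(address.lower(), pattern.lower()):
        return False
    return address.lower() in directory if ldap_check else True


def evaluate(rules, source_ip, sender, recipient, directory=DIRECTORY):
    """Return (action, rule name) of the first rule matching all three fields."""
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        if ip not in ipaddress.ip_network(rule.source, strict=False):
            continue
        if not any(_match_addr(p, sender, directory) for p in rule.senders):
            continue
        if not any(_match_addr(p, recipient, directory) for p in rule.recipients):
            continue
        return rule.action, rule.name
    return "block", "no matching rule"


# Rules 1-3 as in the manual, with the section 17.1 ldap_exist variants.
MANUAL_RULES = [
    Rule("10.1.1.25/32", ["<*@company.de:ldap_exist>", '""'], ["<*@*>"], "allow", "rule 1"),
    Rule("10.0.0.0/8", ["<*@*>"], ["<*@*>"], "block", "rule 2"),
    Rule("0.0.0.0/0", ["<*@*>", '""'], ["<*@company.de:ldap_exist>"], "allow", "rule 3"),
]
# Added for aim 3 (my addition, not in the manual's tables): an internal
# sender address arriving from the Internet is refused before rule 3 runs.
SPOOF_BLOCK = Rule("0.0.0.0/0", ["<*@company.de>"], ["<*@*>"], "block", "spoof block")
RULES = MANUAL_RULES[:2] + [SPOOF_BLOCK] + MANUAL_RULES[2:]

if __name__ == "__main__":
    # Constructed sample envelopes: (source IP, MAIL FROM, RCPT TO)
    samples = [
        ("10.1.1.25", "alice@company.de", "partner@example.com"),     # normal outbound
        ("10.1.1.25", "ghost@company.de", "partner@example.com"),     # sender not in AD
        ("10.7.7.7", "alice@company.de", "partner@example.com"),      # aim 2
        ("203.0.113.5", "partner@example.com", "alice@company.de"),   # normal inbound
        ("203.0.113.5", "partner@example.com", "nobody@company.de"),  # recipient not in AD
        ("203.0.113.5", "partner@example.com", "victim@example.org"), # aim 1 (relay)
        ("203.0.113.5", "bob@company.de", "alice@company.de"),        # aim 3 (spoof)
        ("203.0.113.5", "", "alice@company.de"),                      # bounce to internal user
    ]
    for src, mail_from, rcpt_to in samples:
        print(src, mail_from or "<>", rcpt_to, "->", evaluate(RULES, src, mail_from, rcpt_to))
```

Running the script shows the relay attempt and the mail from a non-mail-server host falling through to a block, the unknown recipient being refused by the ldap_exist check, and the spoofed internal sender being caught only by the added rule; evaluating the same envelope against MANUAL_RULES alone returns allow, which is the point to verify on the real appliance.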


18 Setting up the Secure E-Mail Service The secure e-mail service is responsible for signing, verifying, encrypting and decrypting emails. The rules for the secure e-mail service are defined according to which senders and recipients are involved. Section 10.2.1 describes all the basic information you need to operate the secure e-mail service.

18.1. Base rules after installation
After a successful installation, during which you entered the names of your domains, the system has already generated base rules in the Secure E-Mail service. They model the following scenario: a company wants to use individual certificates or OpenPGP keys for its employees, allows its staff members to use subject line control, and wants to encrypt outbound e-mails with S/MIME or OpenPGP whenever possible.

Base rule 1
  Name: Internal decryption
  Description: Decryption for incoming e-mails
  Subject commands permitted: No
  May override policy: No
  Breaking rule: Yes
  Conditions:
    Matches all the following conditions: Yes
    Matches any of the following conditions: No
    If Recipient e-mail address matches wildcard *@company.de
  Action 1: Decrypt and verify e-mail: Yes
    Do not remove valid signature: Yes
    Display result of verification in the subject line: Yes

Base rule 2
  Name: Generate key
  Description: Generate standard key
  Subject commands permitted: Yes
  May override policy: No
  Breaking rule: No
  Conditions:
    Matches all the following conditions: Yes
    Matches any of the following conditions: No
    If Sender e-mail address matches wildcard *@company.de
  Action 1: If key does not exist: Yes
    S/MIME: Yes
    OpenPGP: Yes
  Action 2: Chaining: Yes
    Next rule: 4 Separator rule
    Input from action: 1

Base rule 3
  Name: Breaking rule
  Description: Breaking rule
  Subject commands permitted: No
  May override policy: No
  Breaking rule: Yes
  Conditions:
    Matches all the following conditions: Yes
    Matches any of the following conditions: No
    If Sender e-mail address matches wildcard *
  Action 1: Do nothing: Yes

Base rule 4
  Name: Separator rule
  Description: Separator rule
  Subject commands permitted: No
  May override policy: No
  Breaking rule: No
  Conditions:
    Matches all the following conditions: Yes
    Matches any of the following conditions: No
    If Sender e-mail address matches wildcard *
  Action 1: Do nothing: Yes

Base rule 5
  Name: Default encryption
  Description: Default encryption rule
  Subject commands permitted: Yes
  May override policy: Yes
  Breaking rule: Yes
  Conditions:
    Matches all the following conditions: Yes
    Matches any of the following conditions: No
    If Recipient e-mail address matches wildcard *
  Action 1: Encrypt and sign e-mail: Yes
    Input from action: Original
    Signing: With sender key, if the private key of the sender and the public key of the recipient are available
    Encryption: Yes, S/MIME or OpenPGP, with recipient key; if no key is found: send in plain text


To see these Base rules in a table, select the window Policy in the tab General in Services → Secure E-Mail.

Figure 18.1. Policy window

The "Active" column shows whether the rule is active. The "Sub." column shows whether subject line control is active for the rule. The "Break" column shows whether the rule is a breaking rule. The "Conditions" column shows some of the conditions; it has a tooltip which you can display with the mouse pointer. The "Action" column shows which action is performed for the rule. The following table lists the abbreviations for the actions and their meaning:

Abbreviation  Action
GEN           Generate key
ENC           Encryption
DEC           Decryption
FWD           Forward
CHA           Chaining, go to rule
BOU           Bounce e-mail back to sender
DEL           Delete e-mail
SND           Send key
DON           Do nothing
HD+           Add a header field
HD-           Delete a header field
ACK           Acknowledgment
ALE           Alert

18.2. Customizing Base rules

If you have only purchased a limited number of licenses for your SafeGuard MailGateway, and you do not want an S/MIME certificate or an OpenPGP key to be generated for all your internal staff, then you must customize the first Base rule to suit.

In the example below, an S/MIME certificate or an OpenPGP key is only to be generated for particular departments in your company. In this case you only need to customize the conditions for the generation of keys. Here we show you the customized Base rule 1, which is restricted via LDAP attributes.

Base rule 1 (in the case of a restricted number of licenses)

  Name                                 Generate key
  Description                          Generate standard key
  Subject commands permitted           No
  May override policy                  No
  Breaking rule                        No
  Old conditions
    Matches all the following conditions     Yes
    Matches any of the following conditions  No
    If                                 Sender e-mail address  Matches wildcard  *
  New conditions
    Matches all the following conditions     No
    Matches any of the following conditions  Yes
    if                                 Sender attribute  memberOf  is  Board of Directors
    if                                 Sender attribute  memberOf  is  Sales
    if                                 Sender attribute  memberOf  is  Marketing
    if                                 Sender attribute  memberOf  is  Finances
  Action 1: If key does not exist      Yes
    S/MIME                             Yes
    OpenPGP                            Yes

• From the main menu option Services, please select the menu option Secure E-Mail and open the window Policy.
• In it, activate Rule 1 (Generate key) in the table and click the button Edit.
• In the window Policy, under Conditions, first deactivate Match all the following and then activate Match any of the following.

If you need to add or delete conditions you can use the plus or minus buttons. Then, set up the other conditions as shown below:

  if  Sender attribute  memberOf  is  Board of Directors
  if  Sender attribute  memberOf  is  Sales
  if  Sender attribute  memberOf  is  Marketing
  if  Sender attribute  memberOf  is  Finances

Make no other changes to this rule. To finish customizing it, please select Apply and, in the window Policy, save your changes to Base rule 1. If you want to create a new rule, select the button New in the window Policy. To delete a rule, select the rule from the table in the window Policy, left-click on it, and select the button Delete. To copy a rule, select the rule from the table in the window Policy, and select the button Copy. A copy of the rule will be attached at the end. To sort a rule upwards or downwards, select the rule from the table in the window Policy and use the direction button to "push" it upwards or downwards. You can only ever move a rule up or down one place at a time.
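As an added illustration (not the gateway's own code), the following Python model walks one e-mail through the Base rules of this chapter, with Base rule 1 in its licence-restricted form. It assumes, since the page does not state it, that rules are evaluated in order, that a matching breaking rule ends the evaluation after its actions, and that Chaining continues at the named rule; the sample addresses, the "Interns" group and the key store are constructed.

```python
# Added model (not the gateway's own code) of how the Base rules in this
# chapter are walked for one e-mail. Assumptions not stated on the page:
# rules run in order; a matching "Breaking rule" ends evaluation after its
# actions; "Chaining" continues at the named rule; wildcards are matched
# case-insensitively.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Set

Condition = Callable[["Mail"], bool]


@dataclass
class Mail:
    sender: str
    recipient: str
    sender_attrs: Dict[str, List[str]]  # LDAP attributes of the sender, e.g. memberOf


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    match_all: bool        # True: "Matches all the following", False: "Matches any"
    actions: List[str]
    breaking: bool

    def matches(self, mail: Mail) -> bool:
        results = [c(mail) for c in self.conditions]
        return all(results) if self.match_all else any(results)


def sender_wildcard(pattern: str) -> Condition:
    return lambda m: fnmatchcase(m.sender.lower(), pattern.lower())


def recipient_wildcard(pattern: str) -> Condition:
    return lambda m: fnmatchcase(m.recipient.lower(), pattern.lower())


def sender_attr_is(attr: str, value: str) -> Condition:
    return lambda m: value in m.sender_attrs.get(attr, [])


def evaluate(rules: List[Rule], mail: Mail, keys: Set[str]) -> List[str]:
    """Walk the rules and return the action abbreviations (as shown in the
    Policy window) that were applied. `keys` holds the addresses for which a
    usable key exists and is extended when a key is generated."""
    index = {r.name: i for i, r in enumerate(rules)}
    applied: List[str] = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not rule.matches(mail):
            i += 1
            continue
        next_i = i + 1
        for action in rule.actions:
            if action == "generate_key":          # GEN, "If key does not exist"
                if mail.sender not in keys:
                    keys.add(mail.sender)
                    applied.append("GEN")
            elif action == "encrypt_and_sign":    # ENC; "If no key is found: Send in plain text"
                applied.append("ENC" if mail.recipient in keys else "PLAIN")
            elif action == "do_nothing":          # DON
                applied.append("DON")
            elif action.startswith("chain:"):     # CHA, "go to rule"
                next_i = index[action.split(":", 1)[1]]
        if rule.breaking:
            break
        i = next_i
    return applied


DEPARTMENTS = ["Board of Directors", "Sales", "Marketing", "Finances"]

# The Base rules of this chapter, with Base rule 1 restricted via memberOf.
BASE_RULES = [
    Rule("Generate key", [sender_attr_is("memberOf", d) for d in DEPARTMENTS],
         match_all=False, actions=["generate_key"], breaking=False),
    # Only the tail of this rule is shown on the page: internal senders are
    # chained past the breaking rule to the Separator rule.
    Rule("Internal sender", [sender_wildcard("*@company.de")],
         match_all=True, actions=["chain:Separator rule"], breaking=False),
    Rule("Breaking rule", [sender_wildcard("*")],
         match_all=True, actions=["do_nothing"], breaking=True),
    Rule("Separator rule", [sender_wildcard("*")],
         match_all=True, actions=["do_nothing"], breaking=False),
    Rule("Default encryption", [recipient_wildcard("*")],
         match_all=True, actions=["encrypt_and_sign"], breaking=True),
]


def demo() -> Dict[str, List[str]]:
    """Constructed sample traffic; addresses and groups are placeholders."""
    keys = {"partner@example.org"}  # constructed: only the partner has a key
    sales = Mail("anna@company.de", "partner@example.org", {"memberOf": ["Sales"]})
    intern = Mail("tim@company.de", "nobody@example.net", {"memberOf": ["Interns"]})
    inbound = Mail("partner@example.org", "anna@company.de", {})
    return {
        "sales_to_partner": evaluate(BASE_RULES, sales, keys),   # GEN, DON, ENC
        "intern_no_key": evaluate(BASE_RULES, intern, keys),     # DON, PLAIN
        "inbound": evaluate(BASE_RULES, inbound, keys),          # DON (stops at rule 3)
    }


if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name}: {' -> '.join(actions)}")
```

The second case shows the consequence of the Default encryption fallback: an internal sender outside the licensed departments gets no key, and a recipient without a key receives the mail in plain text.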

18.3. Using domain certificates

You can use domain certificates both to decrypt and to verify e-mails.

18.3.1. Additional decoding key

If you are working with domain keys, you can configure a decryption rule in which you can specify an additional decoding key (here the e-mail address of the domain key).

18.3.2. Additional verification key

If your communications partner is working with domain keys, you can configure a verification rule in which you can specify an additional verification key (here the e-mail address of the domain key).

18.4. Details

You can make general settings that affect the cryptographic processing of e-mail data via the menu Services, subitem Secure E-Mail and the tab Details. These settings then apply for all e-mails. The exact entries you need are listed in the online help.

18.5. Commands

Your SafeGuard MailGateway's default configuration is that subject line control is allowed for your internal users. You can modify these default settings to suit your own requirements. With subject line control your in-house users can directly influence the secure e-mail service and override it if necessary. In the main menu bar, click on Services → Secure E-Mail and there click the tab Commands. Here you can make all the settings involved with subject line control. For more configuration details, please read the online help.

19 Setting up PDFMail

This section begins by describing the global settings for PDFMail: these apply for all secure e-mail rules in which the PDFMail encryption method is to be used.

19.1. PDF Settings

To open the PDF Settings click on Services → Secure E-mail → PDF Settings.

URL for secure PDFMail reply
Here, the hostname of your SafeGuard MailGateway is displayed. This URL is displayed in the PDF Reply page as a link.

Sender address for PDFMail reply copy
The recipient of a secure PDFMail can send himself a copy of his own reply e-mail. Here, you can enter the sender address for the secured copy of the reply.

Symmetric cipher for PDF encryption
Here, you can choose the symmetric algorithm for the PDF encryption. We recommend keeping the default setting AES-128.

Use plain text for PDFMail encryption
Here, you can specify whether the HTML version or the plain-text version of the e-mail is used for the PDFMail encryption method. Of course, this is only possible if the text of the e-mail is also present in plain text.

Add original e-mail as mail.eml attachment
Here, you can specify whether the whole original e-mail should be attached to the encrypted PDF. The advantage is that the recipient can import it into his e-mail client. The disadvantage is that the size of the PDFMail is nearly doubled.

Show PDF encrypted e-mail with original e-mail information
Here, you can specify whether, when PDFMail is used, the system displays not only the contents of the original e-mail, but also the original information (e-mail addresses of the sender, the recipient, and additional recipients, the subject, the creation date, and the number of attachments). If you do not select this option, then only the content of the e-mail is displayed in the PDFMail.

Password storage time
Passwords that are to be used for PDFMail or PrivateCrypto are saved in the database. Here you can specify how long unused passwords are to be saved.

Password reuse time
Here, you can specify how long a password for PDFMail and PrivateCrypto is to be saved after it was last used. For example, you can specify here that a password is no longer to be used if it has not been used for more than one week. A new password is then generated for the specific combination of sender and recipient.

Password expiration time
Here, you can define how long a password will be valid after its first usage. After this time a new random password will be generated (if needed). In contrast to Password reuse time, this time span is independent of the actual password usage.

Minimum length of passwords
Here, you can specify how many characters a password must contain at least. The value must not be less than 4.

Maximum length of passwords
Here, you can specify how many characters a password may contain at most. The value must not be greater than 32.

Allow PDFMail recipient to change password
If you wish to allow the recipient of a PDFMail to set a new password, then you can specify this here. The password set by the recipient will be overridden if a password has been set in a rule, or if a password has been assigned via the subject line commands.

Use one global password for each PDFMail recipient
If you select this option, then the first password that is generated for this recipient is always used for this recipient. If you do not select this option, the system generates a new password for each sender and recipient pair.

If no password is available
To encrypt with PDFMail the SafeGuard MailGateway needs a password. If no password is available, SafeGuard MailGateway can either Generate a password automatically, or Use self-registration.

Self-registration sender address
Using self-registration, the recipient will receive an e-mail containing the link for the registration. Here you can specify whether the sender address of this e-mail should be the Sender address of the original e-mail, or you can define a Following e-mail address: that is used instead.

Alert sender immediately if e-mail is queued
Send a notification e-mail to the sender immediately if the e-mail is placed in the queue.

Inform sender if recipient has provided a password
Send a notification e-mail to the sender as soon as the recipient has provided a password and the queued e-mail can be sent.

Inform sender if e-mail is queued for more than
Here you can specify the time span after which the sender of the e-mail will be informed that his e-mail has not been delivered but placed in the queue.

Delete e-mail if queued for more than
Here you can specify the time span after which the e-mail will be deleted from the queue.

Length of auto-generated password
If no valid password is present for a new communication partner, the SafeGuard MailGateway generates a random one automatically. Here, you can define the length of these generated passwords.

Send password e-mail only if newly generated
If you activate this option, only newly generated passwords are mailed to the sender. Otherwise, the password e-mail is also sent for passwords found in the database.

Send password e-mail to
Here, you can specify who should receive the password e-mail. If nothing is specified, the e-mail will be sent to the sender of the e-mail.
• Sender of the e-mail: This is the default. The e-mail is sent to the sender address which is used in the SMTP protocol.
• E-mail address in the From: field: The e-mail is sent to the address in the From: field of the e-mail header. Usually, this address is identical to the sender in the SMTP protocol, but sometimes there are exceptions.
• E-mail address in the Reply-To: field: The e-mail is sent to the address in the Reply-To: field of the e-mail header.
• E-mail address in the Sender: field: The e-mail is sent to the address in the Sender: field of the e-mail header.
• Following e-mail addresses: Here, you can specify special recipients for the password e-mails (e.g. ). You can define more than one address separated by a comma.

19.2. Generating PDF Sets

Once you have installed your SafeGuard MailGateway and selected the submenu item Secure E-mail from the main menu Services, and then opened the tab PDF Cover, then you will see a PDF set called "CoverSet1" in the bottom part of the window. This PDF set contains a cover sheet and a Sophos logo that is displayed on the secure reply page.

This PDF set has been set as the default. You can change this if you have generated your own PDF sets. Please note that you cannot delete a PDF set that has been set as a default. This ensures that one PDF set is always available. The information below tells you how to generate your own PDF sets. For more information, please refer to Section 10.3. There you will find a table that contains important information about what you need to take into consideration when generating PDF sets, and what effects the individual configurations have. You can customize the cover sheet that you plan to use for your PDF sets to meet your own requirements. To do so, you must do the following:

• Using, for example, Word or another software package, design your own cover sheet with your company name, and generate a PDF document from it.
• Then save this PDF document on your admin PC.

The maximum file size for a PDF cover sheet is 5 MB.

• Then you must shrink your company logo to the following size:
  • File size 100 KB
  • Width 250 pixels
  • Height 250 pixels
• Now also save this customized logo on your admin PC.
• Above the table, in the selection list on the extreme left-hand side, select "new" PDF set.
• Please enter a name for the new PDF set.
• If you want to permit "Secure PDF replies" for this PDF set, then please activate that function.
• If you want to use a cover sheet, then click the button Browse and load the PDF cover sheet you created earlier.
• Click the button Browse and load the logo you customized earlier.
• Next to "Displayed FQDN for secure PDF reply", enter the link that is to be displayed on the PDF Reply page. If you leave this empty, the global URL, which you can configure at PDF Settings, will be used. Please ensure that the link name you enter will also be resolved in the right way by your DNS server.

If you do not enter a link in either the global settings, next to "URL for secure PDFMail reply", or in one of the PDF sets, then a secure PDF reply cannot be made. It is not enough to just select "Allow PDF reply".

• Confirm the data you have entered by clicking Add and then Save it.

You can set a PDF set that you have generated as the default by selecting that PDF set and then clicking the button Default. Click the button Export cover to export a cover sheet or display it, once you have selected the corresponding PDF set.

19.3. PDF sets in subject line control

If you send a PDFMail using a subject command, usually the default PDF set is used. If you want to use different PDF sets for different groups of senders, you can achieve this by using policy rules. If there is a PDF set defined in any matching rule, this will be used instead of the default set. Therefore, you can create a rule for a sender group which contains an Encrypt and sign e-mail action. As encryption method you select With PDFMail, so you can choose the cover set for this group of senders. If you just want to define a cover in case of a subject command and do not want to enforce PDFMail encryption for every e-mail, you have to disable the action options Sign and Encrypt.

The whole rule must be Active. Otherwise, it will be ignored.

It is not possible to select or override a PDF set via subject line control. However, you certainly can change or override the password via the subject line. If any problems should occur with the PDF sets that you have generated, then the default PDF set is always used as a fallback.

19.4. Selecting a PDF set for a Secure Email rule

After you have successfully generated one or more PDF sets, you must generate a Secure Email rule in which the encryption method PDFMail is to be used.

• Select the menu option Secure E-mail from the main menu option Services.
• Click the button New to generate a rule in which the encryption method PDFMail is to be used.
• Under Encrypt, if you select With PDFMail, you can enter the password underneath it.
• Below that you can select one of the existing PDF sets. We have configured the software in such a way that the default PDF set is always displayed as the default setting.

20 Importing CA Certificates

Before you can check user certificates, you require the CA certificates that issued them. These are usually your external communications partner's CA certificates. In some situations you must also import the CA certificates of your internal users. If your e-mail CA is a sub-CA you acquired from a TrustCenter, or comes from your own company's PKI, you must import the corresponding Root CA here. The same applies if you have acquired an e-mail CA from a third-party supplier. The method you use to acquire an external CA certificate depends on where your communications partner published their CA certificates. It is important that these CA certificates are explicitly imported to your SafeGuard MailGateway. In the main menu bar, on the left, click on the menu item CA certificates.

20.1. General

In the tab General you can import a CA certificate.

• Click on Browse (or the equivalent button, depending on which browser you are using), select the CA certificate you want to import and then click on Import.
• Save the CA certificate import.
• Select the imported CA certificate in the table and click on the button Options.

20.1.1. Options

Here you can define the CA certificate's "Trust status".

Security Level
You can define a security level for this CA. The possible values are: High, Medium, Low and Not trusted. The default level is Medium. The security level is displayed with the S/MIME verification information. You can also define a Minimum CA Security Level for S/MIME certificates for S/MIME encryption. If the Security Level is Not trusted, all certificates issued by this CA are invalid.

Do not check superior CA chain
This flag only appears for a sub-CA certificate. A Root CA does not have a higher-level CA because it is the starting point of trustworthiness.

May sign OCSP responses for other CAs
Here you can define that this CA certificate, and OCSP responder certificates issued by this CA certificate, are entitled to sign OCSP responses for other CAs. This is needed if the gateway is connected to an OCSP responder which answers OCSP requests for several CAs.

Trustworthy certificates of this CA
Here you define the trust status (reliable or not reliable) of user certificates from specific CAs. If you no longer trust a user certificate from a particular CA, this is the only place where you can state that these user certificates are not reliable. If you do consider a user certificate to be trustworthy, you can declare that it is reliable here. In the second case the result is that this user certificate is checked neither against a CRL nor via an OCSP query. However, if this user certificate from the CA becomes invalid, you will have a security problem. The entries used for individual user certificates are controlled via wildcards. You will find more details about this in the online help. If you do not enter a certificate here, all the user certificates from this CA are either checked by OCSP or with the corresponding CRL. This is the "normal situation".

Revocation status of certificates issued by this CA
Here you have a number of options for checking the revocation status of user certificates from this CA certificate. To ensure that you can also find out the correct revocation status of specific user certificates, you should make entries that cover all the options.
• OCSP
• CRL
• CDP
• LDAP
• manual CRL
The exact entries you need are listed in the online help. Please remember to Apply your entries and Save them in the tab General.

20.2. Details

In the tab Details you can define some global settings for the CA certificates.

20.2.1. CRL cache timeout

Downloading a CRL might take some time, therefore a CRL is stored in a cache once it has been downloaded. You can set how long a certificate revocation list may be cached at most before it must be reloaded.

20.2.2. Automatic import of CA certificates from e-mails

Here you can define whether CA certificates should be imported automatically. An automatically imported CA certificate is assigned the security level Not trusted and is invalid. To activate the CA certificate you have to change the Security Level: under the Options of this CA.

21 Setting up a Key Server/LDAP Server

Before you can encrypt or check the signature of e-mails to your communications partner, you need a public S/MIME certificate or a public OpenPGP key. For example, you may want to encrypt an e-mail to an external communications partner, but your SafeGuard MailGateway does not have a suitable S/MIME certificate or a suitable OpenPGP key for this external user. In this situation you can "tell" your SafeGuard MailGateway where it is to search for S/MIME certificates or OpenPGP keys. To do this, in the main menu bar, click on the menu item Key server.

21.1. General

Select new Server: and then decide whether you want to use an LDAP or an HKP server.

E-mail pattern
E-mail patterns are used to control the search for e-mail addresses. If the company you want to communicate with has its own LDAP server, you can exclude this company's addresses from the search on a public LDAP server. The online help will guide you through how to use e-mail patterns.

This server is used for
HKP servers are only used for OpenPGP keys. LDAP servers can be used for both S/MIME certificates and OpenPGP keys. You should select the appropriate option depending on whether you want your SafeGuard MailGateway to search for S/MIME, OpenPGP, or S/MIME and OpenPGP.

• When you have finished editing in this window, click on Insert and then Save to save your settings.
• Now, click on the tab Details.

21.2. Details

In the tab Details you can define some global settings for the Key Server/LDAP Server.

21.2.1. Import

The option The keys found on the servers will be imported: determines whether a key or certificate found on a public server is imported into the database of the SafeGuard MailGateway. The following settings are possible:

• Never: No key will be imported into the database.
• If valid: A found key will be imported into the database if it is valid.
• Always: Every key found will be imported into the database.

Independent of the configured setting, keys which already exist in the database are updated.

21.2.2. Cache

Searching for keys and certificates on external servers always takes a few seconds, which delays the e-mail flow. To speed up processing, each search request is cached in the RAM of the gateway. Here, you can configure the parameters of the cache.

Cache size (MB):
Here you can define the size of the cache for the certificates and keys which were found on public key servers. For each MB about 600 certificates/keys can be stored. If the cache is full, the certificates/keys which have not been used for the longest time will be deleted automatically.

Cache timeout for found certificates/keys:
Here you can define how long certificates and keys should stay in the cache. As long as there are certificates and keys for a certain e-mail address in the cache, no search will be performed on the public key servers for this address.

Cache timeout for negative search results:
Here you can define how long e-mail addresses for which no certificate or key was found on a public key server should be stored in the cache. As long as an e-mail address is in the cache, no search on public servers will be performed.

22 Managing Users

In the "Users" menu item, in the main menu bar, there are options that will enable you to manage all your internal and external users (S/MIME and OpenPGP). If you select a submenu item (Internal S/MIME/OpenPGP - External S/MIME/OpenPGP) in the main menu item Users, a window listing the users appears automatically. The default setting shows all users. In a large installation (more than 1000 users) this may take some time. Smaller installations do not have this problem. In the case of a large installation we recommend that you first suppress the display and then use a search filter to restrict the data or else carry out a targeted search.

22.1. Suppressing the display of user data

If you want to suppress the display of user data, you must edit the wm_config.php file.

• To do so, use the appropriate password to log onto the console as the root user.
• Then use this command to move to the folder that contains the wm_config.php file:
    cd /gateway/chroot/webmgnt/include/
• Open the wm_config.php file with this command:
    vi wm_config.php
• Press i to switch to insert mode.
• In the wm_config.php file, scroll down to this line:
    $AUTO_LOAD_USERS = TRUE;
• Here, change TRUE to FALSE and remember to leave the semicolon after it.
• Now press Esc and use this command to save and quit the file:
    :x

You have now suppressed the display of user data in user management. Now log out of the console with the logout command.

22.2. Search filter

The user management includes a filter that is specially designed to make searching for certificates or OpenPGP keys much more convenient. As the search filter for internal/external S/MIME and for internal/external OpenPGP has the same functionality, it is described here.

If you have suppressed the display of user data as described in the previous section, you can use the filter immediately. If you have not suppressed this display, all the users are first displayed on screen. Only then can you use the filter.

Details on
Click on this button to extend the filter options. You have a number of different options here.

Reset
Click this button to reset the entries you make in the filter.

Details off
Click on this button to restrict your filter options.

Search
Click this button to start the search for certificates. If you have not entered anything in the filter, or have deactivated it by clicking the button Filter off, the SafeGuard MailGateway searches for all certificates or OpenPGP keys.

22.3. Internal user S/MIME

In the main menu bar, click on Users and then select the Internal (S/MIME) menu item. Here you can administer all internal S/MIME users.

Display
Click on this button to display details about the certificate.

Edit
If you want to edit a certificate, select the corresponding entry in the table and then click on the button Edit.
• E-mail address(es): You can delete the e-mail address for this key or add another e-mail address. If you add an e-mail address, it is not added to the certificate itself. It is merely stored in the SafeGuard MailGateway's database.
• Information: Here you enter some information.
• Do not check superior CA chain: If you set this flag the system no longer checks the certificate (CRL/OCSP). You "declare" that this specific certificate is reliable. This may be necessary if you do not have the CA that corresponds to this certificate. This may happen if you acquired your internal certificates from a TrustCenter, but do not have the corresponding CA. In this case you declare that all these certificates are reliable.

Export
Click on this button to export the certificate. Here you can export the certificate either with (set the flag) or without a private key.

Revoke
If a member of staff leaves your company and you want to take their certificate "out of circulation", you should not simply delete the certificate; instead, click the button Revoke to make it invalid. You can, of course, only revoke a certificate that was issued by your e-mail CA! It does not matter whether the certificate was issued by your internal PKI or by TC TrustCenter.

The corresponding entry in the CRL is only made directly if you revoke the certificate.

After you have revoked the certificate you should not delete it immediately in your SafeGuard MailGateway. E-mails that were encrypted with the public part of the revoked certificate can still be decrypted by your SafeGuard MailGateway even if the certificate has been revoked.

Delete
If you delete a certificate it means that it is actually removed from your SafeGuard MailGateway.

Remember to Apply and Save your entries.

22.3.1. Importing certificates

If you do not generate your internal S/MIME certificates yourself, but acquire them from a TrustCenter, you have the option here of importing internal S/MIME certificates along with the corresponding CA certificate "by hand". Internal user certificates must contain a private key.

22.3.2. Automatically importing S/MIME certificates from e-mail

If you do not want to generate your internal S/MIME certificates from your SafeGuard MailGateway, but want to acquire them from a TrustCenter instead, you can specify an e-mail address here to allow .p12 files to be imported automatically. The automatic import function will not work if these .p12 files are protected by a password. To ensure that the .p12 files are sent securely, you can encrypt the e-mail message that contains them using a key that is present on the SafeGuard MailGateway. The .p12 file will import both the private and the public part of the S/MIME certificate. In addition, an internal user is created. You can also specify whether the certificates should "never" be imported, or "only if valid". If you select "only if valid", you must also ensure that the certificate chain (Root CA) is imported to your SafeGuard MailGateway.

22.3.3. Automatic deletion of expired certificates

If you want to delete expired S/MIME certificates, then select the checkbox Activate automatic deletion and, below it, in days, specify when the certificates should be deleted. Remember to Save your entries.

22.4. OpenPGP internal users

In the main menu bar, click on Users and then on the menu item Internal (OpenPGP). Here you can administer all "Internal user OpenPGP".

Display
Click this button to show details of the OpenPGP key.

Edit
If you want to edit an OpenPGP key, select the corresponding key in the table and then click on the button Edit.
• Edit information about this key: Here you enter "Information about this key".
• Trustworthy as signer for other keys: If you activate this flag, the keys signed by this key will become valid.
• E-mail addresses for this key / New e-mail address for this key: You can delete the e-mail address for this key, or add another e-mail address. If you add an e-mail address you must select the checkbox Direct trust. This tells your SafeGuard MailGateway that you trust the e-mail address that was added to this key. This new e-mail address is not added to the key itself and can therefore not be signed. It is merely stored in the SafeGuard MailGateway's database.
• Direct trust: You click the checkbox Direct trust to declare that you trust a key that has not been signed. The "Direct trust" option only ever refers to one of the key's e-mail addresses and not to the entire key.

Export
Here you can export a key with (set the flag) or without a private key.

Sign
Here you click the button Sign to sign all the keys with your "E-mail CA Postmaster key". It does not matter whether the key has already been signed or not.

Revoke
If you want to "revoke" a key, select the key you want in the table and click on the button Revoke. This generates a "Revocation Signature". You must make this available to your SafeGuard MailGateway so that it can actually revoke the key. First save the Revocation Signature to your admin PC. Then click on the tab Import OpenPGP keys and import the "Revocation Signature" in the usual way for an OpenPGP key. Remember to Save your settings. When you now select the tab Internal User OpenPGP, the entry "revoke" appears under "Expiration" after this key. After you have revoked a key you should not immediately delete it from your SafeGuard MailGateway. E-mails that were encrypted with the public part of the revoked key can still be decrypted by your SafeGuard MailGateway even if the key has been revoked.

Delete
To delete a key, select the one you want in the table and click on the button Delete. The key is then actually removed from your SafeGuard MailGateway.

22.4.1. Importing OpenPGP keys

If you do not generate your OpenPGP keys yourself, you can import OpenPGP keys for your internal users here. OpenPGP keys for internal users must contain a private key.

22.4.2. Automatic deletion of expired keys

If you want to delete expired OpenPGP keys, then select the checkbox Activate automatic deletion and, below it, in days, specify when the keys should be deleted.

Remember to Save your entries.

22.5. S/MIME external users

In the main menu bar, select "Users" and then click on the "External (S/MIME)" menu item. Here you can administer all "S/MIME external users".

Display
Click on this button to display details about the certificate.

Edit
Click on the button Edit to assign additional e-mail addresses to this certificate, or replace the e-mail address for this certificate.
• E-mail address(es): Here you can change the e-mail address for this certificate or assign another e-mail address to it.
• Information: Here you can enter additional information about this certificate.
• Do not check superior CA chain: If you set this flag the system no longer checks the certificate (CRL/OCSP). You "declare" that this specific certificate is reliable. This may be necessary if you do not have the CA that corresponds to this certificate.

Export
Click on this button to export a certificate.

Delete
Click on this button to delete a certificate and remove it from your SafeGuard MailGateway.

22.5.1. Importing certificates

Here you can "manually" import external certificates. However, you cannot import the corresponding CA at this point. The only way to do this is via the menu item CA Certificates. External certificates only contain the public part of the certificate.

Import certificate for an external user
Here you can "manually" import an external user certificate.

Automatic import of S/MIME certificates from e-mails
The simplest way of acquiring S/MIME certificates from external users is to automatically import the S/MIME certificates that are attached to the e-mails. If an e-mail was signed with S/MIME, the signature also contains the public part of the certificate that was used to sign it.
• E-mail address(es) for automatic import: Here you use wildcards and patterns to specify e-mail addresses whose accompanying S/MIME certificates are to be imported or not imported. For more information, please refer to Section 10.1.6. The default setting "*" means the S/MIME certificates of all e-mail addresses are to be accepted.
• Importing S/MIME certificates: Here you select the circumstances under which S/MIME certificates are to be automatically imported.
Remember to Save your entries.

22.5.2. Automatic deletion of expired certificates

If you want to delete expired S/MIME certificates, then select the checkbox Activate automatic deletion and, below it, in days, specify when the certificates should be deleted. Remember to Save your entries.

22.6. OpenPGP external users
In the main menu bar, select Users and then External (OpenPGP). Here you can administer all "OpenPGP external users".

Display
Click on this button to display details about this key.

Edit
If you want to edit an OpenPGP key, select the corresponding key in the table and then click on the button Edit.
• Information about this key: Here you enter a "Comment" about this key.
• Trustworthy as signer for other keys: If you activate this flag, the keys signed by this key become valid.
• E-mail addresses for this key / new e-mail address for this key: If you add an e-mail address you must select the checkbox "Direct trust". This tells your SafeGuard MailGateway that you trust the e-mail address that was added to this key. This new e-mail address is not added to the key itself and can therefore not be signed; it is merely stored in the SafeGuard MailGateway's database.
• Direct trust: You can also click the checkbox Direct trust to declare that you trust a key that has not been signed. The "Direct Trust" option only ever refers to one of the key's e-mail addresses and not to the entire key.

Export
Click on this button to export a key.

Sign
Click the button Sign to sign all the keys with your "E-mail CA Postmaster key". It does not matter whether a key has already been signed or not.

Delete
To delete a key, select it in the table and click on the button Delete. The key is then actually removed from your SafeGuard MailGateway.

22.6.1. Import OpenPGP keys
Here you can import external OpenPGP keys. External OpenPGP keys only contain the public part of the key.

Import OpenPGP keys of an external user
Here you can "manually" import an external key.

Automatic import of OpenPGP keys from e-mails
The simplest way of acquiring OpenPGP keys from external users is to automatically import the OpenPGP keys that are attached to their e-mails. They must be attached to the e-mail in ASCII-armored format so that your SafeGuard MailGateway can import them automatically.
• E-mail address(es) for automatic import: Here you use wildcards and patterns to specify the e-mail addresses whose accompanying OpenPGP keys are to be imported or not imported. For more information, please refer to Section 10.1.6. The default setting "*" means that the OpenPGP keys of all e-mail addresses are accepted.
• Import OpenPGP keys: Here you specify the conditions under which OpenPGP keys are to be imported automatically.

22.6.2. Automatic deletion of expired keys If you want expired OpenPGP keys to be deleted, select the checkbox Activate automatic deletion and, below it, specify in days how long after expiry the keys should be deleted. Remember to Save your entries.



23 Administrators This chapter describes how to manage administrator accounts and how to edit your own account.

23.1. Administrators Management Only users who have the role of "Administrator" are allowed to manage the administrators.

23.1.1. Creating Administrator Accounts
This section describes how you create an account for a role.
• Click on the menu item Administrators on the left-hand side of the main menu bar and then select Management. You can then see all the administrators who were set up during installation.
• Now click on Add new Account and then on the button Edit.
• Enter a unique name under Login name. The entries "Real name", "E-mail address" and "Info" are merely for added information and are not mandatory.
• Now select one or more roles under Administration role. More details regarding the administration roles can be found in Section 7.4.
• In Set password, assign a unique password for this administrator and enter it again.
• In Choose language, select the language for this administrator.
• Click on Apply to confirm your entries. The administrator data you have just entered now appears in the table in the window Administrators Management.
• Remember to Save your entries.

23.1.2. Processing Administrator accounts
This section shows how to edit existing administrator accounts.
• Click on the main menu item Administrators and then on Management.
• Select a Login name from the table and click on Edit. This is where you make all the necessary changes to this account (Administration role, Set password, Choose language). You cannot change the login name itself; to do that, delete the account and create a new one.
• Remember to click on OK to confirm your entries and then on Save to save them.

23.2. My Account
This is where each SafeGuard MailGateway administrator can view and edit his own account.
• Click on the menu item Administrators and then on My Account. Here you can change your password and switch the language between German and English.
• Remember to click on OK to confirm your entries and then on Save to save them.


24 Cluster In this section you will learn how to set up or rebuild a cluster.

24.1. Setting up a cluster
1. Install two SafeGuard MailGateways. See Section 11.2.
2. Set up each SafeGuard MailGateway separately (refer to Chapter 12 to Chapter 15 in this manual for details). On both gateways NTP configuration is mandatory!
3. Open the console access on one SafeGuard MailGateway.
4. Use the relevant password to log onto the SafeGuard MailGateway as the root user.
5. Start the cluster setup with this command:

setup-cluster-member.sh -r <other gateway> --master --verbose

Replace the placeholder with the IP address or name of the other gateway. The --verbose option ensures that status reports about the replication run appear on the screen as the replication progresses; if you do not want this information to be displayed, start the cluster setup without the --verbose option. The --master option makes sure that the database of this gateway is copied to the other one. Once the cluster is running there is no "master" anymore: both SafeGuard MailGateways are equal.

First, the setup function attempts to establish an SSH connection with the remote host. The console will inform you that the authenticity of the remote host (IP address) cannot be established, because its SSH host key is not yet known, and asks whether you want to continue establishing the connection. Before you answer "yes", compare the fingerprint shown with the host key of the other gateway: this prompt is the only point at which a wrong peer would be noticed, and the root password is sent over the connection in the next step. You will then be prompted to enter the root password to exchange SSH keys. Enter the root password for the remote host; you must repeat this entry to confirm the step. Now you are prompted for the root password for the initial database replication from the master to the remote host. Enter the root password for the remote host again. The setup then creates the cluster automatically and configures all the required settings. The cluster setup script creates a backup of the database configuration files and saves it to /var/tmp. We recommend storing this cluster backup on your admin PC.


Example name of a cluster backup: setup-cluster-2008.5.30-02.03.06.20024

Finally, test whether the cluster setup was successful and whether the databases are replicated between the two SafeGuard MailGateways. To do so, simply use the web management tool to make a couple of changes on one SafeGuard MailGateway, and then check whether these changes have appeared on the other SafeGuard MailGateway. All the settings under Network and Monitoring must be set and configured separately on each gateway: these settings are not stored in the database and are therefore not replicated!

24.2. Rebuilding a cluster
There are two situations in which you may need to rebuild a cluster: when migrating to a new version of the SafeGuard MailGateway, and when the cluster service on one of the cluster computers has been interrupted because of a fault. In both cases you must first dismantle the existing cluster.

If you want to migrate to a new version of the SafeGuard MailGateway, you must dismantle the cluster on both computers.
• Launch console access to every computer in the cluster.
• Use the appropriate password to log in as the root user on each of the computers in the cluster.
• Then use this command on all the computers in the cluster to dismantle the cluster:

revert-setup-cluster-member.sh

Once you have performed the migration on both computers, build a new cluster (see Section 24.1).

If the service has been interrupted on one of the computers in the cluster, you only need to dismantle the cluster on the other computer, the one that is still working, before building the cluster again.


25 Maintenance This chapter describes all the general maintenance tasks for your SafeGuard MailGateway that you will need to be familiar with.

25.1. Monitoring the log
You can view the log on your SafeGuard MailGateway directly from the console using the log2ascii tool. You can also view it from your administrator PC over an SSH connection. Once you have logged on to the gateway from your admin PC, enter this command to view the log:

log2ascii -pc

You can also enter this command directly on the SafeGuard MailGateway's console. log2ascii has extensive options that let you filter for specific log entries and control how much information is displayed. The following tables give an overview of these options. Always enter log2ascii first and then the options you require, separated by blanks.

Filter options:

  Option   Meaning
  -l       Output only the last log entries
  -A       Output only log entries for the applications you specify (by name or by their ID)
  -E       Output only log entries that have the event IDs you specify
  -P       Output only log entries from the processes you specify
  -F       Output only log entries from this point in time onwards
  -S       Output only log entries before this point in time

Display options:

  Option   Meaning
  -a       Output application ID
  -c       Output counter for log entries
  -e       Output event ID
  -p       Output process ID
  -s       Break output after the specified number of columns
  -t       Do not display headers and footers

Other options:

  Option   Meaning
  -f       Ongoing display of new log entries
  -V       Display version of log2ascii
  -z       Compress logs
  -h       Display online help
  -n       Read log from

By default log2ascii evaluates the log files in the /var/log folder, so you see all the log entries for the current day. However, you can also display the contents of any other log files. To do so, add the names of the files you require to the log2ascii command line:

log2ascii [filter and display options] <log files>

If you selected the -z option, you can specify compressed files as they appear in the /var/log/save/ and /var/log/exported/ folders. The log file naming convention gives you a simple and efficient way of selecting the logs for particular periods of time. For example,

log2ascii /var/log/save/gwlog.2011.06.*

selects all the log files from June 2011. Note that you must enter the path along with the file name for files that are not in the /var/log folder, as in the example above.

For the -F and -S options you specify a point in time in this format:

YYYY:MM:DD:hh:mm:ss:hh

The letters have the same meaning as in the log file names (see above); the final hh is hundredths of a second. You do not have to enter the trailing fields unless you really want to specify the time to the hundredth of a second. Therefore

-F 2011:07:05 -S 2011:07:06:12

means the same as

-F 2011:07:05:00:00:00:00 -S 2011:07:06:12:59:59:99

You can also leave out the leading fields, in which case they are filled with the current values. If you do so, do not leave out the colons. For example, if you call log2ascii on the afternoon of 5 July 2011,

-F :::12: -S :::18

means the same as

-F 2011:07:05:12:00:00:00 -S 2011:07:05:18:59:59:99

Although these options may seem a little complicated, they provide a powerful evaluation tool.
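The following shell functions are an added example and are not part of the manual or of log2ascii itself. They expand the abbreviated -F/-S time specifications according to the rules above (leading blank fields take the current value, omitted trailing fields take the start or end of the range) so that you can see exactly which window a given command line covers before running it. Two details are assumptions, not stated on the page: an omitted month or day defaults to the first or last of the range, a field that is left empty after the first given field is treated like an omitted one, and "now" is taken from the constructed variable NOW_SPEC so the output is reproducible.

```shell
#!/bin/sh
# Added example (not from the SafeGuard MailGateway manual or log2ascii):
# expand abbreviated YYYY:MM:DD:hh:mm:ss:hh specs for log2ascii -F / -S.
# NOW_SPEC stands in for the current time (constructed value for the demo).
NOW_SPEC="${NOW_SPEC:-2011:07:05:14:30:00:00}"

# field N SPEC -> Nth colon-separated field of SPEC; missing fields are empty
field() { printf '%s:' "$2" | cut -d: -f"$1"; }

# expand_timespec SPEC from|to -> full YYYY:MM:DD:hh:mm:ss:hh
expand_timespec() {
    spec=$1
    case $2 in
        from) defaults="0000:01:01:00:00:00:00" ;;   # start of range (assumed for month/day)
        to)   defaults="0000:12:31:23:59:59:99" ;;   # end of range (assumed for month/day)
        *)    echo "usage: expand_timespec SPEC from|to" >&2; return 2 ;;
    esac
    out=""; seen=0; i=1
    while [ "$i" -le 7 ]; do
        v=$(field "$i" "$spec")
        if [ -n "$v" ]; then
            seen=1                              # first explicit field reached
        elif [ "$seen" -eq 0 ]; then
            v=$(field "$i" "$NOW_SPEC")         # leading blank: current value
        else
            v=$(field "$i" "$defaults")         # trailing blank: range default
        fi
        out="${out}${out:+:}$v"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# log2ascii_window FROM TO [further options] -> the fully expanded command line
log2ascii_window() {
    f=$(expand_timespec "$1" from) || return 2
    t=$(expand_timespec "$2" to) || return 2
    shift 2
    printf 'log2ascii -F %s -S %s %s\n' "$f" "$t" "$*"
}

# Demo: the manual's own examples, evaluated on the afternoon of 5 July 2011
log2ascii_window :::12: :::18 -pc
log2ascii_window 2011:07:05 2011:07:06:12
```

Run the script once with NOW_SPEC set to the real current time (for example from `date +%Y:%m:%d:%H:%M:%S:00`) to see the window a shortened spec will cover; the printed command line can then be pasted onto the gateway console unchanged.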

25.2. Logbook deletion The log files are deleted automatically after a configurable time span (see Section 14.1.3).

25.3. Statistics log If you click Monitor in the main menu bar, and then select the Log, you can display statistical data about the e-mail traffic on your SafeGuard MailGateway in the tab Statistics. This statistical information is displayed in different ways, depending on how you have configured the "Search filter": it can be divided into inbound and outgoing e-mails, and take into account which encryption and digital signature processes you have used.

25.4. Exporting log statistics If you select Monitor in the main menu bar, and then select Log, you can then open the tab Statistics and use the Search filter function to export the log statistics. In the Search filter function, select the Export format you require (PDF, html or csv), and then click the button Export.

25.5. Evaluating log entries and alarm messages This section describes how you evaluate log entries or alarm messages. To do this, you use the log2ascii program already introduced in the previous sections. If you enter the log2ascii command on the console, or via the shell on your admin PC, without any options, all of the current day's log entries are displayed, which can take quite a while. We therefore recommend limiting the number of log entries shown. You will find the options you need for this in the previous section or by entering log2ascii -help.

25.5.1. Evaluating an alarm message
The alarm message used here is only an example to show you how to evaluate such messages and resolve the problem using log analysis.

Alarm Message from gateway "SGMG.company.de"
Flags: 0003
Gateway: 00000000
Date: 25.07.2011
Time: 21:41:04.69
Application: SMTP Daemon
Counter: 4539324
Event ID: F010
Priority: Error
Group: Application
Process ID: 2996
Text: /gateway/chroot/esmtpp/processing/dir_kwDIF7o2/sec_kwDIF7o2_0 moved to /chroot/esmtpp/bad/sec_kwDIF7o2_0

The part after "Text:" contains a number of notes that help you further: the SMTP daemon has moved the e-mail to the /gateway/chroot/esmtpp/bad folder ("move to bad"). E-mails that have been moved to the "bad" folder have file names of the form sec_kw...:
• sec_ means that although the e-mail was processed successfully by the secure e-mail service, it was not passed on to Postfix. It is 90% probable that this is a spam e-mail.
• kw means that the e-mail was not processed correctly by the secure e-mail service.
Another important item is the Process ID.

You can evaluate the e-mail in a number of ways.

1st option:
• Use the appropriate password to log onto the console as the root user.
• Enter this command to go to the /gateway/chroot/esmtpp/bad folder: cd /gateway/chroot/esmtpp/bad
• Use this command to open the e-mail sec_kwDIF7o2_0: less sec_kwDIF7o2_0
Scroll down in the e-mail and look for a note, for example about spam. If this is a spam e-mail, delete the file with: rm sec_kwDIF7o2_0

166

If analyzing the e-mail does not help, you have another option for resolving the problem.

2nd option:
Search the log for all log entries that belong to this message. It is a good idea to use the Process ID as one of your search criteria. You can search for a log entry's Process ID either with Web Management or on the console. Both options are described here.

Search using Web Management:
• Click on the main menu item Monitor, the submenu item Logbook and then on the tab Log2ascii.
• Then click on the button Details on. You can now search for the process ID you require in the Process ID field. As the alarm message also lists the "Application", you can further restrict your search to a specific application. You can also search by date and time, entered in this format: "dd.mm.yyyy hh:mm:ss" (for example 18.08.2011 14:15:17).

If you select "Application", the abbreviations shown there mean the following:

  certc        Communication between web management and the database (S/MIME)
  certd        Checks certificates (S/MIME)
  create_shm   Shared memory/cache for configuration data
  configc      Writes the configuration to the database
  configd      Checks changes made to the configuration
  ctrld        Control daemon; monitors system resources (hard disk capacity, number of processes, number of licenses, etc.)
  esmtpp       Receives e-mails
  logd         Log daemon
  pdfreply     A log entry is generated for every authentication via PDF Reply
  pgpc         Communication between web management and the database (OpenPGP)
  smd          Regulates communication between web management and the gateway
  smtpd        Processes e-mails
  webaccountc  Communication between web management and the database (admin roles)

Search using the console:
Enter this command on the console:

log2ascii -ecP 2996 | less

This searches for and displays all log entries that belong to process ID 2996. As the alarm message includes a time, you can also restrict the search to the log entries generated at that point in time (options -F and -S). This will usually give you all the information you need to resolve the problem.

3rd option:
If you need help with the analysis, reproduce the problem, collect all the log entries written for it, and send them to your partner so that they can perform the further analysis. Take this step only if you cannot find another way of resolving the problem described by the alarm messages and log entries.
• Enter this command on the console: packlog
  This command compresses the log and moves it to the /var/log/save folder.
• Before reproducing the error, check under Services → ESMTP → Details and Monitoring → Settings that Logging is set to "All". If not, make this setting now.
• Wait about 5 seconds for the settings to take effect.
• Now reproduce the error: move or copy the e-mail from bad to processing.
  To move the e-mail, enter: mv sec_kwDIF7o2_0
  To copy it, enter: cp -p sec_kwDIF7o2_0
  Remember the -p when copying: it preserves the file's permissions and owner, which the secure e-mail service needs in order to pick the file up.
• The secure e-mail service then processes the e-mail once more.
After the error has been reproduced, compress the log again and move it to the /var/log/save folder:
• Enter this command once again: packlog
• Log on with your file transfer software (for example, WinSCP) and open the /var/log/save folder. You will see all the compressed logs there.

File name: gwlog YYYY.MM.DD-HH.MM.SS-0.gz

The only compressed log of interest here is the one you have just created with the packlog command, so note the date and time. You can now send this compressed log to the partner from whom you purchased your SafeGuard MailGateway for further analysis.
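As an added example (not part of the manual, and not a tool shipped with the product), the shell functions below turn an alarm message like the one in Section 25.5.1 into the log2ascii command line for the 2nd option, and decode the sec_/kw flags in the "bad" folder file name. The alarm text is constructed from the manual's example; the one assumption is that each "Name: value" field of the alarm arrives on its own line, as it does in an alarm e-mail.

```shell
#!/bin/sh
# Added example, not from the SafeGuard MailGateway manual. Constructed alarm
# text (same values as the manual's example, one field per line).
ALARM='Flags: 0003
Gateway: 00000000
Date: 25.07.2011
Time: 21:41:04.69
Application: SMTP Daemon
Counter: 4539324
Event ID: F010
Priority: Error
Group: Application
Process ID: 2996
Text: /gateway/chroot/esmtpp/processing/dir_kwDIF7o2/sec_kwDIF7o2_0 moved to /chroot/esmtpp/bad/sec_kwDIF7o2_0'

# alarm_field NAME  (alarm text on stdin) -> the value of the "NAME: value" line
alarm_field() { sed -n "s/^$1: *//p" | head -n 1; }

# to_logspec dd.mm.yyyy hh:mm:ss.hh -> YYYY:MM:DD:hh:mm:ss:hh (log2ascii -F/-S form)
to_logspec() {
    d=${1%%.*}; rest=${1#*.}; m=${rest%%.*}; y=${rest#*.}
    printf '%s:%s:%s:%s\n' "$y" "$m" "$d" "$(printf '%s' "$2" | tr . :)"
}

# alarm_to_log2ascii  (alarm text on stdin) -> command line for the console.
# -e/-c print event ID and counter, -P restricts to the process ID, and -F/-S
# narrow the search to the minute of the alarm (omitted trailing fields are
# filled with 00 for -F and 59/99 for -S, as the manual describes).
alarm_to_log2ascii() {
    msg=$(cat)
    pid=$(printf '%s\n' "$msg" | alarm_field 'Process ID')
    date=$(printf '%s\n' "$msg" | alarm_field 'Date')
    time=$(printf '%s\n' "$msg" | alarm_field 'Time')
    [ -n "$pid" ] && [ -n "$date" ] && [ -n "$time" ] || { echo "incomplete alarm message" >&2; return 1; }
    minute=$(to_logspec "$date" "$time" | cut -d: -f1-5)
    printf 'log2ascii -ecP %s -F %s -S %s\n' "$pid" "$minute" "$minute"
}

# bad_name_flags FILENAME -> what the sec_ / kw prefixes mean per the manual
bad_name_flags() {
    n=${1##*/}; out=""
    case $n in sec_*) out="processed-by-secure-mail-service-not-passed-to-postfix" ;; esac
    case $n in sec_kw*|kw*) out="${out:+$out,}not-processed-correctly" ;; esac
    printf '%s\n' "${out:-no-known-prefix}"
}

# Demo on the constructed alarm
printf '%s\n' "$ALARM" | alarm_to_log2ascii
bad_name_flags /gateway/chroot/esmtpp/bad/sec_kwDIF7o2_0
```

Pipe a saved alarm e-mail into alarm_to_log2ascii on your admin PC and paste the resulting line onto the gateway console, appending `| less` as in the manual; if the minute-wide window turns out to be too narrow, drop the last field of -F and -S to widen it to the hour.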

25.6. What to do if an e-mail CA/sub CA expires The e-mail CA for S/MIME and the e-mail CA Postmaster key for OpenPGP are the basis for all the user certificates or keys issued by them. If the e-mail CA reaches its expiration date, you must react quickly. This section describes the best action to take without having to interrupt e-mail traffic on your SafeGuard MailGateway. You must also follow the procedure we recommend here if your sub CA expires.

25.6.1. E-mail CA S/MIME
If your internal e-mail CA expires, no matter whether you imported it or generated it yourself, all the internal user certificates it signed become invalid and you cannot generate new ones. You should take the following steps approximately 24 months before your e-mail CA's expiration date. Take careful note of when your user certificates expire. User certificates usually have shorter lifespans than your e-mail CA; you should therefore never create user certificates that are valid for longer than your e-mail CA. To ensure a smooth transition from the "old" e-mail CA to the "new" one, we recommend these steps.
1. Export the "old" e-mail CA to your administrator PC, twice:
   a. Export the "old" e-mail CA with its private key. Store this export in a safe place.
   b. Export the "old" e-mail CA without the private key to your administrator PC.
2. If necessary, generate the "old" e-mail CA's CRL once again so that it does not run out during the transition: modify the expiration date of the "old" e-mail CA's CRL in web management, then use the command certc -update_crl on the console to generate the new CRL.
3. Export the "old", modified CRL to your administrator PC.
4. Import the "old" e-mail CA without its private key as a CA certificate into your SafeGuard MailGateway. This ensures that, during the transitional period, user certificates issued by the "old" e-mail CA remain valid and can continue to be used (their signatures still verify).
5. Import the "old", modified CRL.
6. Generate or import a "new" e-mail CA. With the new e-mail CA a new CRL is generated or imported as well.
7. Note that the Distinguished Name of the "new" e-mail CA is different from the Distinguished Name of the "old" e-mail CA.
8. Publish the old and new e-mail CAs with their corresponding CRLs to inform your external communication partners about the change of e-mail CA.
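The rule above that a user certificate must never outlive the e-mail CA that issued it is easy to check with openssl. The script below is an added example, not part of the manual or the product: it compares the notAfter dates that `openssl x509 -noout -enddate` prints for the CA and a user certificate. The date comparison is done on the text openssl emits, so the logic can be exercised on the constructed sample strings at the bottom without any key material; check_pem() runs it on real PEM files. Assumed: PEM input and openssl's default "Mon DD HH:MM:SS YYYY GMT" date layout.

```shell
#!/bin/sh
# Added example, not from the SafeGuard MailGateway manual: does a user
# certificate expire no later than its e-mail CA?

# enddate_key "notAfter=Jun  5 12:00:00 2025 GMT" -> 20250605120000
enddate_key() {
    s=${1#notAfter=}
    set -- $s                      # $1=Mon $2=DD $3=HH:MM:SS $4=YYYY $5=GMT
    case $1 in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo "unrecognised month: $1" >&2; return 2;;
    esac
    d=$2
    [ "${#d}" -eq 1 ] && d="0$d"   # openssl pads the day with a blank, not a zero
    printf '%s%s%s%s\n' "$4" "$m" "$d" "$(printf '%s' "$3" | tr -d :)"
}

# lifetime_ok CA_ENDDATE USER_ENDDATE -> 0 if the user certificate expires no
# later than the CA, 1 if it outlives the CA (awk keeps the 14-digit compare portable)
lifetime_ok() {
    ca=$(enddate_key "$1") || return 2
    user=$(enddate_key "$2") || return 2
    awk -v a="$user" -v b="$ca" 'BEGIN { exit !(a + 0 <= b + 0) }'
}

# check_pem CA.pem USER.pem -> report on real certificates (needs openssl)
check_pem() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    ca_end=$(openssl x509 -noout -enddate -in "$1") || return 2
    user_end=$(openssl x509 -noout -enddate -in "$2") || return 2
    if lifetime_ok "$ca_end" "$user_end"; then
        echo "OK: $2 expires no later than its CA ($ca_end)"
    else
        echo "WARNING: $2 outlives its CA: user $user_end, CA $ca_end"
        return 1
    fi
}

# Demo on constructed date strings (no certificates needed)
CA_END="notAfter=Dec 31 23:59:59 2030 GMT"
if lifetime_ok "$CA_END" "notAfter=Jun  5 12:00:00 2028 GMT"; then
    echo "user certificate expiring 2028: ok"
fi
if ! lifetime_ok "$CA_END" "notAfter=Jan  1 00:00:00 2031 GMT"; then
    echo "user certificate expiring 2031: outlives the CA"
fi
```

Run `check_pem` over the exported "old" CA (without private key) and each exported internal user certificate before the transition; any WARNING identifies a certificate that will fail validation at external partners once the CA itself has expired, even though the gateway can still use it.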

25.6.2. E-mail CA postmaster key
If your internal e-mail CA Postmaster key expires, no matter whether you imported it or generated it yourself, all the internal user keys it signed also become invalid, unless they have been signed by another key, and you cannot generate new ones. To ensure a smooth transition from the "old" to the "new" e-mail CA Postmaster key, we recommend the following steps. You should take them approximately 24 months before your e-mail CA Postmaster key's expiration date.
1. Export the "old" e-mail CA Postmaster key to your administrator PC, twice:
   a. Export the "old" e-mail CA Postmaster key with its private key. Store this export in a safe place.
   b. Export the "old" e-mail CA Postmaster key without the private key to your administrator PC.
2. Import the "old" e-mail CA Postmaster key without its private key as an external user key into your SafeGuard MailGateway. This ensures that, during the transitional period, user keys signed by the "old" e-mail CA Postmaster key remain valid and can continue to be used.
3. Mark the "old" e-mail CA Postmaster key "Trustworthy as signer for other keys".
4. Generate or import a "new" e-mail CA Postmaster key.
5. Publish the new e-mail CA Postmaster key.

Instead of steps 2 and 3 you can also use the new e-mail CA Postmaster key to sign all internal and external OpenPGP user keys that have not already been signed by another key. As signing all internal and external OpenPGP keys takes a great deal of time and effort, we recommend following steps 1 through 5.

25.7. The most important Linux commands
This table lists the most important Linux commands you need to work on the console.

  Command:          Meaning:
  cd                Change folder
  cp                Copy file
  less              Display/read file
  ls                Display all files in a folder
  vi                Open file
  i                 Activate write mode in a file that was opened with vi
  esc :w            Save a file that was opened with vi
  esc :q            Quit a file that was opened with vi
  esc :x            Quit and save a file that was opened with vi
  log2ascii         Open log
  log2ascii -help   Display help for the log
  Ctrl + C          Quit log or other applications
  init (X)          Change operating state (run level X)
  logout            Quit console

25.8. Removable media You can mount a range of different removable media in your SafeGuard MailGateway. This section describes how you integrate these removable media into the system and also how you can remove them again.

25.8.1. Normal CD-ROMs
CD-ROMs are formatted in accordance with the ISO 9660 standard.
• When you insert a CD-ROM in the CD-ROM drive (SCSI or IDE), enter this command in the shell (console): mount -t iso9660 /dev/cdrom /mnt
  You can now access the contents of the CD-ROM in /mnt. You cannot simply remove a CD-ROM from the drive once it has been mounted.
• Before the system releases the CD-ROM, enter this command in the shell (console): umount /mnt
• You can now remove the CD-ROM from your system.

CD writers are only supported as CD-ROM drives and are not used for writing (burning) data.

25.9. Transferring files to or from the SafeGuard MailGateway
Sometimes you will need to transfer files to or from your SafeGuard MailGateway. This includes:
• Exporting logs
• Loading a backup
To transfer files to your SafeGuard MailGateway you can use:
• a removable medium
• the SCP server on your SafeGuard MailGateway
• a Windows-based client (for example, WinSCP)

25.9.1. SCP Your SafeGuard MailGateway also runs a server for the Secure Copy Protocol (SCP). This is a file transfer protocol based on the Secure Shell (SSH) protocol. It provides a high level of security because the connection is strongly encrypted. In addition, the protocol authenticates the server by means of its SSH host key and authenticates clients either with a password (the default) or, more robustly, with an SSH key. SSH/SCP servers run on most Unix/Linux servers. As not every customer has this type of server, your SafeGuard MailGateway provides one.

You can also access your SafeGuard MailGateway from a Windows-based client in order to exchange files.

Visit the OpenSSH website for an overview of the available clients: http://www.openssh.org (see "Alternatives"). For Windows, we use PuTTY as the SSH client and WinSCP as the SCP client, and puttygen to generate SSH keys. You can, of course, use other SSH or SCP clients.


25.10. Installing updates
By default your SafeGuard MailGateway automatically searches for and downloads updates (Service Packs and fixes). If your SafeGuard MailGateway is installed behind a firewall, you can enter an HTTP proxy so that it can still receive updates automatically. To do so, click the main menu item Network and then open the tab General. Your network administrator will tell you which proxy to enter. If, under the main menu item Monitor on the tab General, you have entered your e-mail address next to Send alarm messages as e-mail, your SafeGuard MailGateway automatically sends you an e-mail when it finds and downloads an update. You still need to install the update manually:
• Click the main menu item System and then the tab Update. The "Log the last update" field shows whether a new update has been found.
• Now click Install updates to install the new update. In the upper part of the window you can also configure a different method for handling updates.

25.11. Restoring a backup
This section describes how you restore a backup on your SafeGuard MailGateway. You may need to restore data to:
• Restore your SafeGuard MailGateway after a data loss or hardware failure
• Migrate the installation to new hardware
• Copy an installation, for example for test systems
The best way of restoring a backup is to reinstall your SafeGuard MailGateway together with all current service packs.

Before you can restore a backup, you must ensure that a valid license file is already installed on your SafeGuard MailGateway.

To perform the restore, first transfer the backup file to your SafeGuard MailGateway.
• Start your SCP client (for example, WinSCP) and copy the backup file (backup.tgz) to the /var/tmp folder.
• Use the correct password to log onto the console as the root user.
• Enter this command to move to the /var/tmp folder: cd /var/tmp
• To restore the backup, enter: restore backup.tgz
When you perform a restore, your SafeGuard MailGateway creates a sub-directory in /var/ named restore.xxxxx and uses the files unpacked there for the restoration. If the restore is successful, delete these files afterwards, because they may contain private keys. When you restore the backup, the rules are also transferred into web management. The new network settings are not active immediately; you first have to click on Save under Network. This gives you the chance to correct the network configuration before activating it. You can only load a backup into a system with the same version number: the data format of the configuration files usually changes from one version of the SafeGuard MailGateway to the next (for example, from 5.30 to 5.80).

25.12. Changing the "root" user password
The root user is the system administrator of your SafeGuard MailGateway and has unrestricted rights on it. The root user's password is assigned for the first time when your SafeGuard MailGateway is installed. You can only change this password on your SafeGuard MailGateway's console. Password restrictions: min. 5 characters, max. 8 characters. Your SafeGuard MailGateway rejects unsuitable passwords.
• Use the appropriate (old) password to log onto the console as the root user.
• Enter this command to start the program for changing the root user's password: passwd
  You are now prompted to enter the new password for the root user and then to enter it again. If you enter the password twice correctly, the program closes automatically. You can now log out of the console (logout).
You still need to store the root user's newly assigned password (in encrypted form) in the administrator's account data:
• In the main menu bar, click on Administrators and then on the submenu item Management.
• Select the tab page Details and click on the checkbox this host.
• Now enter the password you have just assigned to the root user on the console, and repeat it.
• Click on OK to confirm this and then click on Save. You have now successfully changed the password for the root user.

25.13. Password for the internal database
Access to the internal database is protected by a password; this is known as "LDAP simple bind" access. Various services in your SafeGuard MailGateway use this password to access the internal database. The password is chosen randomly during installation and stored in different locations.

The slapd-database.conf file is the configuration file of the internal database server, which is an OpenLDAP server. It contains the password in hashed form, in this format:

rootpw "<hashed password>"

This configuration file is located here:

/gateway/chroot/database/etc/slapd-database.conf

The Gatewayrc file, which is saved to four different places, contains the password in plain text, in this format:

common: db_ldap_pwd "<password>"

The original version of the Gatewayrc file is stored here:

/gateway/chroot/webmgnt/conf/default/Gatewayrc

Copies of this original can be found in:

/gateway/chroot/certd/etc/Gateway/Gatewayrc
/gateway/chroot/webmgnt/etc/Gateway/Gatewayrc
/etc/Gateway/Gatewayrc

Services that require access to the internal database read the password from the Gatewayrc file and use it to log onto the database. The database compares the password with the one stored in hashed form in the slapd-database.conf file.

25.13.1. Reading passwords for the internal database

To access the internal database you will need the password from the Gatewayrc file.


• Start your SSH client (for example Putty) and use the appropriate password to log on as the root user.
• Enter this command to move to the directory containing the /etc/Gateway/Gatewayrc file:
  cd /etc/Gateway
• To open the Gatewayrc file, enter:
  less Gatewayrc
The password for the internal database appears in the bottom line:
  common: db_ldap_pwd "xxxxxxx"

All of the most important configurations for your SafeGuard MailGateway are stored in the internal database. Unless you know what you are doing, we strongly recommend not making any changes here. If it is absolutely necessary for you to access this internal database, you should always make a backup of your SafeGuard MailGateway first.

25.13.2. Changing the password for the internal database

As a number of services use the internal database's password, you should first switch your SafeGuard MailGateway to block mode before you change the password.

• To change the run level, enter:
  init 2
• First change the Gatewayrc file, which holds the plain text password. To do this, enter this command to move to the correct directory:
  cd /gateway/chroot/webmgnt/conf/default
• Now, for safety reasons, copy this file by entering:
  cp Gatewayrc Gatewayrc.orig
• Enter this command to open the Gatewayrc file:
  vi Gatewayrc
Now edit this file.
• To do so, press the i key to activate write mode.
• Now use the direction keys to go to the line where the password is shown in plain (unencrypted) text:
  common: db_ldap_pwd "password in plaintext"


• Delete the old password inside the quotation marks and enter a new one. To leave write mode and save this file, press Esc and enter:
  :x
• Now stop the database. To do so, enter:
  /etc/rc.d/init.d/gateway-database stop
• You can now edit the slapd-database.conf file. First, enter this command to move to the correct directory:
  cd /gateway/chroot/database/etc
• For safety reasons, make a copy of the file you want to edit by entering:
  cp slapd-database.conf slapd-database.conf.orig
• Enter the next command to append the new password in hashed form to the slapd-database.conf file (replace <new password> with the plain text password you entered in the Gatewayrc file):
  slappasswd -s <new password> >> slapd-database.conf
• Now open the slapd-database.conf file with this command:
  vi slapd-database.conf
• You must now remove the old hashed password from the slapd-database.conf file and replace it with the new one. To do so, you must edit this file. Enter i to activate write mode.
• Use the direction keys to scroll down. The old hashed password is displayed at the bottom next to rootpw in quotation marks. The new hashed password is displayed underneath it.
• Enter rootpw in front of the new hashed password and place quotation marks around it. You should now have two lines of the same form, one with the old and one with the new hashed password.
• You can now delete the line with the old hashed password completely.
• To save and close this file, press Esc and enter:
  :x
• Now enter this command to restart the database:
  /etc/rc.d/init.d/gateway-database start

Finally you must configure your SafeGuard MailGateway and reset the run level to Gateway operation.

• To configure, call the corresponding script:


  configure
• To change the run level, enter:
  init 3

Your SafeGuard MailGateway will now use the new password for its internal database.
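The procedure above edits the password by hand in the Gatewayrc copies and in slapd-database.conf. As an added example (not part of the manual or the product), the following POSIX shell functions make the same two edits on a directory tree you pass in and verify the result; they assume the line formats the manual shows, and the rootpw hash still has to come from OpenLDAP's slappasswd.

```shell
#!/bin/sh
# Added example, not part of the Sophos manual: helper functions for the
# internal-database password change described above. They work on a directory
# tree you pass as "$root" (the demo builds constructed sample files in a
# scratch directory) and never touch the live gateway unless you pass "/".
# The hash for rootpw still has to come from OpenLDAP's
#   slappasswd -s "<new password>"
# The demo passes a constructed placeholder hash, not a real hash.

# Relative paths of the four Gatewayrc copies and the slapd config (from the manual).
GATEWAYRC_COPIES="gateway/chroot/webmgnt/conf/default/Gatewayrc
gateway/chroot/certd/etc/Gateway/Gatewayrc
gateway/chroot/webmgnt/etc/Gateway/Gatewayrc
etc/Gateway/Gatewayrc"
SLAPD_CONF="gateway/chroot/database/etc/slapd-database.conf"

# Apply a sed expression to a file via a temp file (portable across sed dialects).
rewrite_file() {  # $1 = file, $2 = sed expression
    tmp="$1.new.$$"
    sed "$2" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print the plain text password held in a Gatewayrc file.
gatewayrc_pwd() {  # $1 = Gatewayrc file
    sed -n 's/^common: db_ldap_pwd "\([^"]*\)".*$/\1/p' "$1"
}

# Replace the password in one Gatewayrc file, keeping a .orig copy as the manual does.
# The new password must not contain ", | or & (they would break the sed expression).
set_gatewayrc_pwd() {  # $1 = Gatewayrc file, $2 = new plain text password
    cp "$1" "$1.orig"
    rewrite_file "$1" "s|^\(common: db_ldap_pwd \)\"[^\"]*\"|\1\"$2\"|"
}

# Replace the rootpw line in slapd-database.conf with the new hash. The manual's
# append-then-delete-in-vi sequence ends in the same state: exactly one rootpw line.
set_rootpw() {  # $1 = slapd-database.conf, $2 = hash printed by slappasswd
    cp "$1" "$1.orig"
    rewrite_file "$1" "s|^rootpw[[:space:]].*|rootpw \"$2\"|"
}

# slapd takes a single rootpw directive; anything other than 1 here means the
# manual edit went wrong (old line left behind, or directive lost).
count_rootpw() {  # $1 = slapd-database.conf
    grep -c '^rootpw[[:space:]]' "$1"
}

# Print the password shared by all Gatewayrc copies under $1, or return 1 if a
# copy is missing or disagrees. Each service reads the copy inside its own
# chroot, so a single stale copy means that service can no longer bind.
check_gatewayrc_copies() {  # $1 = root directory
    first=1; want=""
    for rel in $GATEWAYRC_COPIES; do
        f="$1/$rel"
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        got=$(gatewayrc_pwd "$f")
        if [ "$first" = 1 ]; then want="$got"; first=0; fi
        [ "$got" = "$want" ] || { echo "mismatch: $f" >&2; return 1; }
    done
    echo "$want"
}

# Rotate the password: all Gatewayrc copies plus the slapd rootpw hash under $1.
rotate_internal_db_password() {  # $1 = root dir, $2 = new password, $3 = its hash
    for rel in $GATEWAYRC_COPIES; do
        set_gatewayrc_pwd "$1/$rel" "$2"
    done
    set_rootpw "$1/$SLAPD_CONF" "$3"
}

# Build a constructed sample tree under $1 (not the real gateway files).
make_sample_tree() {  # $1 = root directory
    for rel in $GATEWAYRC_COPIES; do
        mkdir -p "$(dirname "$1/$rel")"
        printf 'common: db_ldap_pwd "oldsecret"\n' > "$1/$rel"
    done
    mkdir -p "$(dirname "$1/$SLAPD_CONF")"
    printf 'rootdn "cn=admin,dc=gateway"\nrootpw "{SSHA}OLD-PLACEHOLDER-HASH"\n' > "$1/$SLAPD_CONF"
}

# Demo on a scratch tree. On the real system you would first run "init 2" and
# stop the database, as the manual describes, and pass the slappasswd output as $3.
demo() {
    root=$(mktemp -d)
    make_sample_tree "$root"
    rotate_internal_db_password "$root" "newsecret" "{SSHA}NEW-PLACEHOLDER-HASH"
    echo "shared Gatewayrc password: $(check_gatewayrc_copies "$root")"
    echo "rootpw lines in slapd-database.conf: $(count_rootpw "$root/$SLAPD_CONF")"
    rm -rf "$root"
}
demo
```

Run check_gatewayrc_copies against "/" after the manual's configure step to confirm all four live copies agree before switching back to init 3.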

25.14. Password for the public LDAP server

Access to the public LDAP server is protected by a password. This is called "LDAP simple bind" access. The secure e-mail service logs on with this password to write new S/MIME certificates or OpenPGP keys to the public LDAP server and to publish them. This password is selected randomly during installation and stored in different locations.

The slapd-ldap.conf file contains the configuration of the public LDAP server, which is an OpenLDAP server. This configuration file contains the password in this format:
  rootpw ""
This configuration file is located here:
  /gateway/chroot/ldap/etc/slapd-ldap.conf

The password is stored in plain text in web management and can also be viewed there at these locations:
• In the main menu bar, on the left, click on E-mail CA, then on the submenu item S/MIME. In the next window, click the tab LDAP publishing. Next to Password: you will now see the password for the public LDAP server.
• In the main menu bar, on the left, click on E-mail CA, then on the item OpenPGP. In the next window, click on the tab LDAP publishing. There you see the password for the public LDAP server next to Password:, just as for S/MIME.

25.15. Changing the password for the public LDAP server

If you want to change the password for the public LDAP server, you must do so in these locations in your web management:
• E-mail CA → S/MIME → LDAP publishing
• E-mail CA → OpenPGP → LDAP publishing


As the secure e-mail service uses the password for the public LDAP server, you should first switch your SafeGuard MailGateway to block mode before you change the password. Use web management to change the operating state.

• To do so, click on the menu item System in the main menu bar and, under Runlevel, select the operating state you require (in this case block all connections) and then click on the button Set runlevel.
• Go to E-mail CA → S/MIME → LDAP publishing and enter the new password for the public LDAP server next to Password:.
• Ensure that the value of Bind DN: is "cn=admin,cn=Public Keyserver".
• Go to E-mail CA → OpenPGP → LDAP publishing. Enter the new password next to Password: as you did for S/MIME.
• Ensure that the value of Bind DN: is "cn=admin,cn=Public Keyserver".
• Remember to Save your entries.

Finally, reset your SafeGuard MailGateway run level to "Gateway operation". To change the operating state via web management, open System in the main menu bar, click on the operating state Gateway operation and then click on Set runlevel.

You have now changed the password for the public LDAP server. If your public LDAP server is installed on an "external" LDAP server instead of on your SafeGuard MailGateway, you must modify the password on this "external" LDAP server.

25.16. Automatically exporting backups, CRLs and logs

In SafeGuard MailGateway we have implemented a couple of scripts that take care of regular administrative tasks for you. These include:
• an up-to-date backup
• a current CRL for the local e-mail CA
• converting logs to ASCII format

25.16.1. Setting up the automatic backup

In the web management at System → Backup you can execute a manual backup as well as set up an automatic backup. The backup is performed automatically every night at 1:42 am. The following backup file is thereby created:
  /var/backup/backup > /var/backup/Backup-2011.06.21-01.42.01.tgz

You can fetch this backup file yourself or the gateway can export it. For the automatic export you can choose between the following methods:
• E-mail to: The backup file will be sent by e-mail.
• FTP: The backup file will be exported to an FTP server.
• SCP: The backup file will be exported to an SCP server.
For the individual configuration details of the different methods please read the online help.

25.16.2. Setting up the automatic export of CRLs and logs

In contrast to the backup, the automatic export of CRLs and log files cannot be configured in the web management. The configuration has to be done on the command line "by hand".

• Use your SSH software (for example Putty) on your administrator PC to log onto your SafeGuard MailGateway. Edit the file:
  /etc/rc.config
To move to the /etc/ directory, enter:
  cd /etc/
To open the rc.config file, enter:
  vi rc.config
• Press i to activate write mode. To set up the automatic export, you must edit these lines:
  EXPORT_CRL_DESTINATION=""
  EXPORT_LOG_DESTINATION=""


FTP or SCP can be used for the export. The correct entry for the "destination" appears between the quotation marks and in one of these formats:
  ftp://[login[:password]@]server[:port]/path
  scp://[login@]server:/path/
For example:
  EXPORT_CRL_DESTINATION="ftp://[login[:password]@]server[:port]/path"
• As shown in this example, enter the "destination" for CRL and LOG. For more details about possible values and the prerequisites for login please read the comments in these scripts:
  /usr/bin/Gateway/exportfiles-ftp
  /usr/bin/Gateway/exportfiles-scp
You must also follow the instructions about the ftp and SCP command line tools!
To save and close the rc.config file, press Esc and enter:
  :x

We recommend testing whether the automatic export of CRL and LOG is carried out successfully. To test this via the shell, call these commands:
  export-crl
  export-log

If you want to delete successfully exported logs from your SafeGuard MailGateway, set the EXPORT_LOG_DELETE_AFTER_EXPORT variable to YES. Please note: if you want the log to be deleted after a successful export, there will be no second copy of it on your SafeGuard MailGateway once it has been removed from the export server. Unless you delete it, the logs remain on your SafeGuard MailGateway in their original binary format, while the export server holds them in their converted ASCII format.

After the test is completed successfully and you have finished working on the rc.config file, copy the file from here to this location:
  /gateway/chroot/webmgnt/conf/default/rc.config
Use this command to do this:


  cp /etc/rc.config /gateway/chroot/webmgnt/conf/default/rc.config

Please note that the /etc/rc.config file is overwritten by the /gateway/chroot/webmgnt/conf/default/rc.config file as soon as you configure your SafeGuard MailGateway via web management. If you do not enter a "destination" for an export script, it will still be called every night by the cron service, but, of course, nothing will be exported. After installation, this standard configuration is also noted in the log.

If any problems arise when you configure the export, you should test the base exportfiles-… script manually by exporting any of the files.

We recommend regularly checking that the CRL and LOG are exported correctly. If you change your configuration (not only SafeGuard MailGateway, but also the server or the network), this may mean that an export configuration which has worked correctly until now no longer works. Your SafeGuard MailGateway will warn you if this happens!
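As an added example that is not part of the manual or of the exportfiles scripts, this POSIX shell snippet checks the EXPORT_CRL_DESTINATION and EXPORT_LOG_DESTINATION values in an rc.config against the two URL formats given above before you copy the file to the web management default directory; the rc.config it reads is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the Sophos manual: check the export destinations in
# an rc.config before copying it to /gateway/chroot/webmgnt/conf/default/rc.config.
# It accepts only the two URL shapes the manual gives and flags an FTP URL with
# an embedded password, since /etc/rc.config then holds that credential in plain
# text. The rc.config content used by the demo is constructed.

# Print the value between the quotes of VAR="..." (last occurrence wins, as in a
# sourced shell file); prints nothing when the variable is absent.
rc_value() {  # $1 = rc.config file, $2 = variable name
    sed -n "s/^$2=\"\([^\"]*\)\".*$/\1/p" "$1" | tail -n 1
}

# Classify a destination string against the manual's formats:
#   ftp://[login[:password]@]server[:port]/path   and   scp://[login@]server:/path/
# Prints one word: empty | ftp | ftp-embedded-password | scp | invalid
classify_destination() {  # $1 = destination
    case "$1" in
        "")      echo empty; return ;;
        ftp://*) scheme=ftp; rest="${1#ftp://}" ;;
        scp://*) scheme=scp; rest="${1#scp://}" ;;
        *)       echo invalid; return ;;
    esac
    authority="${rest%%/*}"          # everything up to the first slash
    path="${rest#"$authority"}"      # the slash and what follows (may be empty)
    case "$scheme" in
        scp)
            # The manual's scp form ends the host part with ":" before the path.
            case "$authority" in *:) ;; *) echo invalid; return ;; esac
            host="${authority%:}"
            if [ -n "${host##*@}" ] && [ -n "$path" ]; then echo scp; else echo invalid; fi ;;
        ftp)
            userinfo=""
            case "$authority" in *@*) userinfo="${authority%@*}" ;; esac
            hostport="${authority##*@}"
            if [ -z "${hostport%%:*}" ] || [ -z "$path" ]; then echo invalid; return; fi
            # login:password@ means the FTP password lives in rc.config in plain text.
            case "$userinfo" in *:*) echo ftp-embedded-password ;; *) echo ftp ;; esac ;;
    esac
}

# Print "VARIABLE class" for both export destinations; return 1 if either is
# invalid. An embedded password is reported but not treated as an error, since
# the manual's format allows it; the admin decides whether that is acceptable.
check_export_config() {  # $1 = rc.config file
    rc=0
    for var in EXPORT_CRL_DESTINATION EXPORT_LOG_DESTINATION; do
        dest=$(rc_value "$1" "$var")
        class=$(classify_destination "$dest")
        echo "$var $class"
        [ "$class" = invalid ] && rc=1
    done
    return $rc
}

# Demo on a constructed rc.config: CRL export over FTP with embedded credentials,
# log export over SCP (key-based login, so no password in the file).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
EXPORT_CRL_DESTINATION="ftp://crluser:s3cret@ftp.example.invalid:21/crl"
EXPORT_LOG_DESTINATION="scp://loguser@backup.example.invalid:/var/gw-logs/"
EXPORT_LOG_DELETE_AFTER_EXPORT="NO"
EOF
    check_export_config "$f" || echo "fix the destinations before copying rc.config"
    echo "delete after export: $(rc_value "$f" EXPORT_LOG_DELETE_AFTER_EXPORT)"
    rm -f "$f"
}
demo
```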

25.17. Upgrading to a new version

To upgrade to a new version (for example, from version 5.60 to 5.XX) you must reinstall the software. In each case this means your SafeGuard MailGateway is put into a pre-defined initial state. Of course, you do not want to lose any existing configurations or any of the certificates and keys you generated or imported. In this section we describe what is involved in migration. These instructions describe how you can transfer your existing configuration from the "old" system to the "new" system.

25.17.1. Migrating to a new version of SafeGuard MailGateway

This section describes how you migrate from an old version of your SafeGuard MailGateway to the latest version of SafeGuard MailGateway.

We recommend installing the latest gateway version on new hardware.

• Make a backup of the old version of your SafeGuard MailGateway. To do so, go to web management and click the main menu item System. Then open the window Backup and click the button Backup. Please store this backup on your admin PC.


• Install the latest gateway version on new hardware. See Chapter 11.
• Start the file transfer software (for example Winscp) and copy the prepared backup to the /var/tmp directory.
• Start your console access and log on as the root user with the appropriate password.
• Use this command to switch to the /var/tmp directory:
  cd /var/tmp
• Then, to launch the migration to the new gateway version, enter this command:
  migrate --in oldbackup.tgz --out newbackup.tgz
If you want to migrate from version 5.30 to a newer version of the gateway, you are then prompted to confirm which rules (secure e-mail) you want to transfer. You may then need to make a few additional settings to your set of rules.

You have now converted a backup of an old version into one of the current version. You can now restore this backup as described in Section 25.11. Then, log on to web management from your admin PC. There, check all the settings and make any modifications needed for the secure e-mail rules.

25.18. Licensing

Your SafeGuard MailGateway only performs cryptographic operations for an internal user when that user is licensed. An internal user is licensed if there is an S/MIME certificate or an OpenPGP key for them. If the rules for internal users permit the generation of certificates and keys, then the system will normally generate certificates and keys for these users as soon as an e-mail is sent over the SafeGuard MailGateway. Whether or not the e-mail has been encrypted or signed is not relevant here. This automatic generation of certificates and keys is only performed for senders of e-mails (internal users).

The license file limits the generation of certificates and keys. For example, if the maximum number of licenses for internal users is exceeded, the license file determines the consequences for your SafeGuard MailGateway. In some circumstances no more certificates and keys will be generated by your SafeGuard MailGateway. If the number of licensed users is exceeded, all e-mails will be blocked. Your SafeGuard MailGateway then automatically switches to runlevel 2.

As the operator of your SafeGuard MailGateway you will be informed in advance when a test license is due to expire (number of days) or if the test licenses are exceeded (number of users). You can configure this in web management (see Monitoring → Settings → Details).


25.18.1. Exchanging the license file

The license file is an ASCII file that releases the functionality you have purchased on your SafeGuard MailGateway. You can upload the license file in the web management at:
  System → License
Both the plain ASCII file and a .zip archive of it are supported here.

25.18.2. The licensed_users.txt file

Not every internal user who is to use the cryptographic functions provided by your SafeGuard MailGateway has had a certificate or a key assigned to them via their e-mail address. This occurs in the following situations:
• An internal user only uses PrivateCrypto or PDFMail and not S/MIME or OpenPGP.
• A domain key has been assigned to the internal user via the set of rules defined for the secure e-mail service.
• The internal user has so far not had any valid certificate or OpenPGP key assigned to them. You should check whether a certificate or an OpenPGP key should be generated for this internal user.

To do so, as operator of the SafeGuard MailGateway, you have the option of controlling which users can use the functions provided by the SafeGuard MailGateway, and also ensuring that the license check is carried out correctly, by creating the licensed_users.txt file. In it you can list all internal users for whom the cryptographic functionality is to be used. The system performs encryption for all internal users who are listed in this file with their e-mail address, if they do not exceed the (total) number of users permitted in the license file. All other users will be blocked.

If you want to ensure that the cryptographic functionality of your SafeGuard MailGateway is used for 300 users specified by you, and not for users selected randomly by the SafeGuard MailGateway, then you create the licensed_users.txt file and enter the relevant user names in it. You must store the licensed_users.txt file in these folders:
  /etc/Gateway/
  /gateway/chroot/webmgnt/etc/Gateway
Please note that you must store two identical copies of the file, one in each of these folders. The licensed_users.txt is a US-ASCII file which may contain one e-mail address per line. No other characters or blank spaces are permitted in the line.

If you have created this file and put it in the folders mentioned above, your SafeGuard MailGateway performs a linear check of this file and compares the e-mail address with the contents of the individual lines it contains. This check does not differentiate between upper and lower case letters.

If the licensed_users.txt file is not present on the SafeGuard MailGateway, the system interprets this as follows:
• A certificate or an OpenPGP key can be generated for each internal user as long as this is not prevented by other factors (number of licensed users, set of rules).
• An internal user to whom no certificate or OpenPGP key has been assigned is handled as an unlicensed user. The consequence is that this user is not permitted to use a domain key (with a private key on the SafeGuard MailGateway), a certificate, PrivateCrypto, or PDFMail.
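An added example, not from the manual or the product: POSIX shell checks for a licensed_users.txt that enforce the format stated above (US-ASCII, one address per line, nothing else on the line), confirm the two required copies are identical, count the entries for comparison with the license, and look an address up the way the check described above works (line by line, case-insensitive). The file contents used are constructed.

```shell
#!/bin/sh
# Added example, not part of the Sophos manual: checks for licensed_users.txt
# based on the rules the manual states. The sample entries are constructed.

# The two copies the manual requires, relative to the root you pass in.
COPY_A="etc/Gateway/licensed_users.txt"
COPY_B="gateway/chroot/webmgnt/etc/Gateway/licensed_users.txt"

# Print "<line number>:<line>" for every line that is not a bare ASCII address
# and return 1; return 0 for a clean file. LC_ALL=C keeps the character classes
# ASCII-only, so bytes above 127, blank lines, trailing comments and Windows CR
# line endings (a save from Wordpad on the admin PC) are all reported.
validate_licensed_users() {  # $1 = licensed_users.txt
    if LC_ALL=C grep -n -v -E '^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' "$1"; then
        return 1
    fi
    return 0
}

# Return 0 only if both copies exist and are byte-identical.
copies_identical() {  # $1 = root directory
    [ -f "$1/$COPY_A" ] && [ -f "$1/$COPY_B" ] && cmp -s "$1/$COPY_A" "$1/$COPY_B"
}

# Number of listed addresses, to compare with the user count in the license file.
count_licensed() {  # $1 = licensed_users.txt
    grep -c . "$1"
}

# Return 0 if the address is listed. As the manual describes, the file is read
# line by line and compared without regard to case. A line carrying a stray CR
# or blank will never match, which is why validate_licensed_users matters.
is_licensed() {  # $1 = licensed_users.txt, $2 = e-mail address
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$(printf '%s' "$line" | tr 'A-Z' 'a-z')" = "$want" ] && return 0
    done < "$1"
    return 1
}

# Demo on a constructed tree with the two copies in place.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/Gateway" "$root/gateway/chroot/webmgnt/etc/Gateway"
    printf 'alice@example.invalid\nBob@Example.invalid\ncarol@mail.example.invalid\n' > "$root/$COPY_A"
    cp "$root/$COPY_A" "$root/$COPY_B"
    validate_licensed_users "$root/$COPY_A" && echo "format ok, $(count_licensed "$root/$COPY_A") users listed"
    copies_identical "$root" && echo "both copies identical"
    is_licensed "$root/$COPY_A" "BOB@example.invalid" && echo "bob is licensed"
    is_licensed "$root/$COPY_A" "dave@example.invalid" || echo "dave is not licensed"
    rm -rf "$root"
}
demo
```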

25.19. Exchanging PDF Reply certificates

When your SafeGuard MailGateway is installed, a certificate is generated for the PDF Reply website. You can then exchange this PDF Reply certificate. To do so, you should request a certificate from a TrustCenter. SafeGuard MailGateway supports the certificate formats PKCS#12 and PEM.

To exchange the PDF Reply certificate generated by your SafeGuard MailGateway with another certificate, click on the menu item Network in the main menu bar on the left, and there click the tab PDF-Reply. Before you can import the server certificate, you have to select the certificate format and, in the case of PKCS#12, you also have to enter the PKCS#12 password. Afterwards, click on Browse (or the equivalent button, depending on which browser you are using), select the server certificate you want to import and then click on Import. Save the PDF Reply server certificate import. You can now use the new certificate for PDF Reply.

25.20. Translating messages

From time to time your SafeGuard MailGateway sends e-mails to the users. They include, for example:
• E-mails that contain a PrivateCrypto or a PDFMail password
• E-mails that contain error messages
These e-mails and error messages have all been written in English. They are all contained in one file so that they can be translated into other languages easily.


In this file you should note the following: Each text is framed by two tags, @BEGIN at the start and @END at the end. The e-mails and error messages can contain different placeholders which you must not change, for example $$RCPT$$. So, for example, a complete error message that is sent by the SafeGuard MailGateway looks like this:

@BEGIN CmdEncryptionNotAllowed ISO-8859-15 Subject command enforces encryption for <$$RCPT$$>, but this is not possible/allowed. @END CmdEncryptionNotAllowed

This is an example of what a complete e-mail that is sent by the SafeGuard MailGateway looks like:

@BEGIN _PDFencryptedEmail ISO-8859-15 This e-mail is secured by Sophos SafeGuard MailGateway with an encrypted PDF document. @END _PDFencryptedEmail

In this example, the part you can change (shown in bold in the original) is the message text between the @BEGIN and @END tags; the tags themselves and the $$RCPT$$ placeholder stay as they are:

@BEGIN CmdEncryptionNotAllowed ISO-8859-15 Subject command enforces encryption for <$$RCPT$$>, but this is not possible/allowed. @END CmdEncryptionNotAllowed

Below you can find out how to change the texts in error messages and e-mails:

On the console, log on to the SafeGuard MailGateway as the root user, using the appropriate password. You must now enter a command so that the SafeGuard MailGateway generates a file that contains the error messages and e-mails. At the same time you can also specify where this file is to be saved and what it is to be called. In our example we want the file to be saved in the /tmp folder with the name messages.txt.

• Now enter this command:
  generate_secure-mail-messages.sh /tmp/messages.txt
• Run your file transfer software (for example, Winscp) and change to the /tmp folder.


In that folder you will find the messages.txt file that you have generated. Copy this file onto your admin PC and open it with Wordpad. To ensure that your SafeGuard MailGateway can process this file again, you should only modify the file in Wordpad. The file also contains all the information you need to modify it (in English). Now you can use Wordpad to change all error messages, as shown in the example above. Then, you must save the file as messages.txt again.

• After changing or translating the texts, copy the file back to the folder from which you took it, /tmp.
• Now you must install the changed file. To do so, on the console, enter this command:
  install_secure-mail-messages.sh /tmp/messages.txt

If you are using your SafeGuard MailGateway in a cluster you must install this changed file on all SafeGuard MailGateways in the cluster.

If you have migrated your SafeGuard MailGateway, it may be that there are new error messages and e-mails that are sent to the user. If so, you must regenerate the file. This newly generated file contains the translations that you created earlier. You will only need to translate the new error messages.
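As an added example that is not part of the manual or of the generate/install scripts, the following POSIX shell functions compare a translated messages file with the generated original before it is installed: every @BEGIN must be closed by an @END with the same name, no message may be missing, and each translation must keep exactly the $$...$$ placeholders of the original. It assumes each tag sits on its own line (the manual's examples are run together on one line above); the two sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of the Sophos manual: consistency checks for a
# translated messages file before install_secure-mail-messages.sh is run on it.
# Assumed layout (the manual's examples are printed on one line; the file itself
# is assumed to keep each tag on its own line):
#   @BEGIN <name> <charset>
#   <message text, possibly several lines, with $$PLACEHOLDER$$ markers>
#   @END <name>
# The sample files used by the demo are constructed.

# Report malformed tag structure; return 0 if every @BEGIN has its matching @END.
check_messages_file() {  # $1 = messages file
    awk '
        BEGIN      { bad = 0; open = "" }
        /^@BEGIN / { if (open != "") { print "nested @BEGIN at line " NR; bad = 1 }
                     open = $2; next }
        /^@END /   { if ($2 != open) { print "@END " $2 " does not close " open " (line " NR ")"; bad = 1 }
                     open = ""; next }
        END        { if (open != "") { print "unterminated message " open; bad = 1 }
                     exit bad }
    ' "$1"
}

# List message names, one per line, sorted.
message_names() {  # $1 = messages file
    awk '/^@BEGIN / { print $2 }' "$1" | sort
}

# Print the distinct $$...$$ placeholders used in one message, sorted.
placeholders_of() {  # $1 = messages file, $2 = message name
    awk -v name="$2" '
        /^@BEGIN / { inside = ($2 == name); next }
        /^@END /   { inside = 0; next }
        inside {
            s = $0
            while (match(s, /\$\$[A-Za-z_][A-Za-z0-9_]*\$\$/)) {
                print substr(s, RSTART, RLENGTH)
                s = substr(s, RSTART + RLENGTH)
            }
        }
    ' "$1" | sort -u
}

# Compare a translation against the generated original. Prints each problem and
# returns 1 if any was found, 0 if the translation is safe to install.
compare_translation() {  # $1 = original messages file, $2 = translated file
    rc=0
    check_messages_file "$2" || rc=1
    for name in $(message_names "$1"); do
        if ! grep -q "^@BEGIN $name " "$2"; then
            echo "missing message: $name"; rc=1; continue
        fi
        if [ "$(placeholders_of "$1" "$name")" != "$(placeholders_of "$2" "$name")" ]; then
            echo "placeholders changed in: $name"; rc=1
        fi
    done
    return $rc
}

# Demo: the manual's two sample messages as the original, and a constructed
# German translation whose first message dropped the $$RCPT$$ placeholder.
demo() {
    orig=$(mktemp); trans=$(mktemp)
    cat > "$orig" <<'EOF'
@BEGIN CmdEncryptionNotAllowed ISO-8859-15
Subject command enforces encryption for <$$RCPT$$>, but this is not possible/allowed.
@END CmdEncryptionNotAllowed
@BEGIN _PDFencryptedEmail ISO-8859-15
This e-mail is secured by Sophos SafeGuard MailGateway with an encrypted PDF document.
@END _PDFencryptedEmail
EOF
    cat > "$trans" <<'EOF'
@BEGIN CmdEncryptionNotAllowed ISO-8859-15
Das Subject-Kommando verlangt Verschluesselung, dies ist aber nicht moeglich/erlaubt.
@END CmdEncryptionNotAllowed
@BEGIN _PDFencryptedEmail ISO-8859-15
Diese E-Mail wird durch Sophos SafeGuard MailGateway mit einem verschluesselten PDF-Dokument geschuetzt.
@END _PDFencryptedEmail
EOF
    compare_translation "$orig" "$trans" || echo "do not install this translation yet"
    rm -f "$orig" "$trans"
}
demo
```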

26 Customer Service

If you have any questions about our products, please first contact the sales partner from whom you purchased the product. They are the people with the best knowledge of your specific situation. Sophos also provides general information about its products on the World Wide Web.

Our maintenance contracts also provide you with a solid framework of support if you have questions about our products. This includes access to regular updates and individual support either on site or by telephone. If you do not have a maintenance contract you can always use the expertise of our customer service for a fee.

Any user of our products is welcome to take part in our training courses. We also offer services such as security consultation and implementation support. Do not hesitate to contact us if you are interested in our training courses or in our services.

Please do not call our hotline until you have studied the system administrator manual and attempted to solve the problem yourself. Before you actually call the hotline, please make a few preparations. You require:
• the version number of your gateway software
• the current patch level
• information about your network configuration
We recommend filling out the data sheet in the documentation folder on your installation CD-ROM when you install the software. This means you have all the most important information at your fingertips if you require support.

Our website lists contact addresses for all other countries.
http://www.sophos.com

Glossary

A

"a.b.c.d" format

Format in which IP addresses are displayed or input.

"a.b.c.d/e" format

Format in which network addresses are displayed or input.

ASCII

ASCII (American Standard Code for Information Interchange). Character set table with country-specific modifications. Codes (32-127) include printable characters as they appear, for example, in e-mails. ASCII is a standardized character set used by computers and other communications equipment to display text. It is based on the Latin alphabet as used in modern English.

Asymmetrical encryption

Two different keys are used in asymmetrical encryption, unlike in symmetrical encryption. The sender encrypts the message using the recipient's public key. Only the recipient can use their private key to decrypt it. Asymmetrical encryption can also be used for digital signatures. The asymmetrical encryption process is a vital element of a Public Key Infrastructure (PKI).

B

Binary format

Binary format is a file format that cannot necessarily be viewed by all generally-available programs. It is not usually line-based and can contain all the characters in a character set, including the nonprintable control characters. These properties mean that binary formats always require special editors.

C

CDP (CRL distribution point)

If a user certificate has the X.509 extension for the CRL distribution point (CDP) the SafeGuard MailGateway can evaluate this automatically to find the block status. The prerequisite for this is that the CDP must be unique i.e. all URLs should refer to one and the same CRL.

Central e-mail security

Means that all e-mails can be encrypted and also decrypted at one central location. Central e-mail security can be implemented completely independently of e-mail client type.

Certificate

A certificate consists of a public key, an "identity" and a signature from a Certificate Authority. The Certificate Authority certifies that this public key belongs to the named identity. The user can be confident that only this identity is in possession of the associated private key. The "identity" can be the unique description of a person, a computer or an e-mail address.

Certificate Authority

A Certificate Authority (CA) issues certificates for users or subordinate CAs (sub-CAs). These certificates are signed by the CA's private key. The CA's public key is used to check the genuineness of these certificates. The CA can revoke a certificate's validity before its expiration date. This is published in a Certificate Revocation List (CRL) or can be queried online via OCSP.

Certificate Policy

A note that describes, or refers to, certification guidelines.

Certificate Revocation List

A list of certificates, signed and issued by a Certificate Authority, which have been declared invalid by the CA before they actually expire. Each CA can only revoke those certificates it issued itself.

Client

A system that makes use of a service provided by another system (a server).

CN

Abbreviation of Common Name.

Common Name

The "usual" name of a certificate's owner (person or machine). As a common name is not unique, it can be extended to become a unique Distinguished Name.

CPS

Certificate Practice Statement (CPS). This is a set of guidelines that govern how certificates are created.

CRL

Certificate Revocation List.

CryptoServer

A hardware security module produced by Sophos.

D

DER

DER is a binary format used to exchange certificates without private keys. It is an alternative to PEM.

Designated Revoker

Higher-level revocation key that can revoke keys issued by your e-mail CA. This functionality is only used for OpenPGP.

Digital Signature

The asymmetrical encryption process is used for digital signatures. A document can only ever be signed by the private key's owner. The public key can then be used to verify this signature.

Distinguished Name

Distinguished Name (DN) is a naming convention used worldwide to assign unique names to persons and equipment. This naming should ensure that different people are never issued with certificates of the same name. All PKI participants require this unique name. Distinguished Names are defined in the ISO/ITU X.500 standard.

DNS

The Domain Name Service (DNS) is a service that converts host names into IP addresses and back again. In the DNS, names are arranged hierarchically in DNS domains.

DNS cluster

A server cluster made up of DNS servers.

DNS domain

A DNS domain is a group that contains additional DNS domains and host names or IP addresses.

DNS server

The Domain Name Service (DNS) converts host names into IP addresses (forward resolution) or IP addresses into host names (reverse resolution). Each DNS server can resolve particular domains and/or particular IP networks. Redundant DNS servers can be installed.

E

E-mail CA

The e-mail CA is a Certificate Authority that is installed on your SafeGuard MailGateway. It can automatically create certificates for internal users in accordance with the security guidelines set out by the administrator. As a result these certificates no longer have to be created manually by an external PKI.

ESMTP

An extended version of the Simple Mail Transport Protocol (SMTP).

ESMTP proxy

In the SafeGuard MailGateway, the ESMTP Proxy is responsible for accepting e-mails from the internal and external e-mail server.

European Bridge CA

An association of European companies that work together for the mutual recognition of their PKIs.

External users

An external user is a communications partner with whom you (i.e. your internal users) want to communicate via the SafeGuard MailGateway. If your SafeGuard MailGateway owns a public key for an external user, the SafeGuard MailGateway can encrypt outgoing e-mails for them and check the signature of incoming e-mails.

F

Fingerprint

Cryptographic checksum of a key, calculated using a hash function. Each key has its own individual fingerprint. It is a random character string that occurs only once and uniquely identifies a key. This digital fingerprint is comparable to a human fingerprint.


Firewall

A firewall is a system that separates two or more IP networks from each other and, unlike a router, only allows checked, i.e. secure, communication between these networks.

FTP

The File Transfer Protocol (FTP) is used for the unprotected (insecure) exchange of files between computers via a network connection. A secure alternative is Secure Copy (SCP).

G

GMT

Greenwich Mean time (GMT) - winter time in Greenwich, London, UK. All the world's time zones are based on GMT. The hardware clock on the SafeGuard MailGateway is set to GMT.

H

Hardware security module

A hardware security module (HSM) is a device which carries out cryptographic functions, in a secure environment, by means of hardware implementation. This type of module can be installed in a server (for example, a SafeGuard MailGateway), to provide added protection for especially sensitive data (private keys). The CryptoServer by Sophos is a hardware security module.

HKP

The "Horowitz Key Protocol", or HKP, named after Marc Horowitz who programmed and implemented the very first key server.

Host name

Every computer in an IP network is uniquely identified by its IP address. However, because most people prefer not to work with large numbers, computers usually have one or more host names. These names are easier to remember and can be converted into IP addresses by the DNS.

HTTP/HTTPS

The Hypertext Transport Protocol (HTTP) is used to transfer web pages and other contents. HTTPS is a protected variant of HTTP (protected by SSL).

I

Internal user

Your internal users communicate with your communications partners (i.e. with external users) via your SafeGuard MailGateway. If your SafeGuard MailGateway owns a private key for your internal users, the SafeGuard MailGateway can sign their outgoing e-mails and decrypt their incoming e-mails.

IP address

Every computer in a TCP/IP network has at least one IP address. The IP address (IP Version 4) is a 32 bit number that uniquely specifies each individual computer. IP addresses are displayed split into 4 bytes, where each byte is shown as a decimal number. Individual bytes are separated by a period. Example: 192.168.1.1

K

Key Encryption Key

A (symmetrical) key used to encrypt and therefore protect other secret or private keys. This procedure is used if you implement CryptoServer as your hardware security module.

Key ID

The key ID is a short (8-digit) hexadecimal number which must be stored on every OpenPGP key. One OpenPGP key can have several key IDs. The last figures of the fingerprint are often used as the key ID.

L

LDAP

The Lightweight Directory Access Protocol (LDAP) is a standardized interface for folders (hierarchical databases). This type of folder is used by PKIs to publish the certificates and revocation lists from Certificate Authorities.

Log

You can note all the important events on your SafeGuard MailGateway in the log. In web management you can define how detailed and therefore how big the log is to be.

log2ascii

A program used to convert the SafeGuard MailGateway logs from their internal binary format into a readable ASCII format. It also has a wide range of setting options that allow you to define how log entries are to be displayed.

M

Mail Server

An e-mail server is a computer whose task is to organize the distribution of e-mails from one central point.

MIME

Multipurpose Internet Mail Extensions or Multimedia Internet Message Extensions, MIME for short, is a coding standard that defines the structure of e-mails and other Internet messages. MIME is also used to declare the contents of various Internet protocols, for example in HTTP.

MTA

The MTA (Mail Transfer Agent) uses DNS to determine the e-mail server responsible for each e-mail recipient.

Multi-domain ability

You can use Sophos' SafeGuard MailGateway to administer a number of domains or sub-domains. To do so, the SafeGuard MailGateway supports more than one e-mail server.

N

Network address

An IP network consists of a series of computers that are all connected with each other. The first part of the IP address is the same for every computer and refers to the network. The second part is unique to each computer. This can be compared to people who all live in the same street. They all have the same street name in their address. However, they each have a different house number. The neighborhood is described by the street name. An IP network's address consists of the part that is the same for all IP addresses. The second part is set to 0. To make this clear, the number of bits that is the same for all the computers is attached specifically to the address with a "/". For example the network address of computers with the IP addresses 192.168.1.0 to 192.168.1.255 is 192.168.1.0/24. The Internet has, in its entirety, the network address 0.0.0.0/0 because every address can be used in the Internet.
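As an added illustration of the notation described above (this is example code, not part of the manual or the product), the following Python functions compute the network address of a host for a given prefix length, list the first and last address a network covers, and test whether an address belongs to a network. The arithmetic is done by hand on the 32-bit value and then cross-checked against Python's standard ipaddress module.

```python
import ipaddress
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    """Convert dotted-decimal notation to the 32-bit number it represents."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for octet in octets:
        number = int(octet)
        if not 0 <= number <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | number
    return value


def int_to_ip(value: int) -> str:
    """Convert a 32-bit number back to dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask(prefix_len: int) -> int:
    """Mask with the first prefix_len bits set, e.g. /24 -> 255.255.255.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def network_address(addr: str, prefix_len: int) -> str:
    """Keep the bits shared by all hosts, set the host bits to 0, append "/len"."""
    return f"{int_to_ip(ip_to_int(addr) & netmask(prefix_len))}/{prefix_len}"


def address_range(network: str) -> Tuple[str, str]:
    """First and last address covered by a network written as "a.b.c.d/len"."""
    base, prefix = network.split("/")
    mask = netmask(int(prefix))
    first = ip_to_int(base) & mask
    last = first | (~mask & ALL_ONES)  # all host bits set to 1
    return int_to_ip(first), int_to_ip(last)


def in_network(addr: str, network: str) -> bool:
    """True if addr shares the network bits of the given network."""
    base, prefix = network.split("/")
    mask = netmask(int(prefix))
    return (ip_to_int(addr) & mask) == (ip_to_int(base) & mask)


def agrees_with_stdlib(addr: str, prefix_len: int) -> bool:
    """Cross-check the manual computation against Python's ipaddress module."""
    expected = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False).with_prefixlen
    return network_address(addr, prefix_len) == expected


if __name__ == "__main__":
    print(network_address("192.168.1.77", 24))      # 192.168.1.0/24
    print(address_range("192.168.1.0/24"))          # ('192.168.1.0', '192.168.1.255')
    print(in_network("192.168.2.1", "192.168.1.0/24"))  # False
```

This is the same check a gateway performs when it decides whether a connecting mail server is inside one of its configured internal networks, so getting the mask arithmetic right matters for relay decisions.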

Network Time Protocol

The Network Time Protocol (NTP) allows a client to synchronize its system clock with the exact time used on a server. The SafeGuard MailGateway can run as an NTP client, because it needs accurate timekeeping to check digital signatures.

NTP

The free NTP (Network Time Protocol) software package is an implementation of the TCP/IP protocol of the same name that is used to synchronize devices in a network.

O

OCSP

The Online Certificate Status Protocol (OCSP) allows you to query the validity of a certificate online from the PKI responsible for it, if this PKI offers this service. OCSP is therefore an alternative to checking using a Certificate Revocation List. Sophos' SafeGuard MailGateway supports OCSP.

OID (Object Identifier)

The Object Identifier gives digital objects unique and permanent identification.

OpenPGP

OpenPGP is an encryption software standard based on PGP 5.x. OpenPGP is an Internet standard and defined in RFC 2440. This document describes the data format that must be used to store encrypted information and to generate digital signatures. It also defines the format that must be used for keys (which act as certificates).

OpenSSL

OpenSSL is an open source version of the SSL/TLS protocol which provides a range of additional certificate administration functions and various different cryptographic functions. It is based on the SSLeay package originally created by Eric A. Young and Tim Hudson and currently being further developed by an independent group. OpenSSL includes various applications, for example, for generating certificates, for certificate applications and for encryption. These applications are combined to form the command line program "openssl".

P

Pattern

In information technology "patterns" are used for the variable description of character strings.

PDFMail

PDFMail is a solution developed by Sophos to provide external communications partners with an easy way to exchange encrypted e-mails. The procedure is based on the PDF file format.

PEM

Privacy Enhanced Mail is an obsolete standard for protected messages. Nowadays, part of this standard is still used for storing certificates with or without a private key. It is therefore an ASCII alternative to binary formats such as PKCS#12 or DER. In Microsoft environments PEM is also called "Base 64".
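To make the relationship between PEM and DER concrete, here is an added example (not code from the manual or the product) that converts a DER byte string into the PEM text form and back, checking that the BEGIN and END labels agree and that the Base64 body is well formed, and that splits one DER element into its tag and contents. The DER payload is constructed (a SEQUENCE of two small INTEGERs, not a real certificate); the CERTIFICATE label is used only to show what a certificate file would carry.

```python
import base64
import binascii
from typing import Tuple

# Constructed DER payload: SEQUENCE { INTEGER 5, INTEGER 7 }. It is not a real
# certificate; a real one is a much longer SEQUENCE with the same framing.
SAMPLE_DER = bytes.fromhex("30 06 02 01 05 02 01 07")

PEM_LINE_LENGTH = 64


def der_to_pem(der: bytes, label: str) -> str:
    """Wrap binary DER in the PEM text form: a BEGIN line, Base64 in
    64-character lines, an END line. The label names the content type."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + PEM_LINE_LENGTH] for i in range(0, len(body), PEM_LINE_LENGTH)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_to_der(pem: str) -> Tuple[str, bytes]:
    """Return (label, DER bytes). Rejects mismatched BEGIN/END labels and
    Base64 containing characters outside the alphabet."""
    lines = [line.strip() for line in pem.strip().splitlines() if line.strip()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[0].endswith("-----"):
        raise ValueError("missing PEM BEGIN line")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if lines[-1] != f"-----END {label}-----":
        raise ValueError("PEM END line does not match BEGIN label")
    return label, base64.b64decode("".join(lines[1:-1]), validate=True)


def is_valid_pem(pem: str) -> bool:
    """True if pem_to_der accepts the input, False on any framing or Base64 error."""
    try:
        pem_to_der(pem)
        return True
    except (ValueError, binascii.Error):
        return False


def der_tlv(der: bytes) -> Tuple[int, bytes]:
    """Split one DER element into (tag, contents), handling short-form and
    long-form lengths. This is what the Base64 in a PEM file actually encodes."""
    tag, first = der[0], der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        count = first & 0x7F
        length = int.from_bytes(der[2:2 + count], "big")
        offset = 2 + count
    if len(der) < offset + length:
        raise ValueError("DER element truncated")
    return tag, der[offset:offset + length]


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER, "CERTIFICATE")
    print(pem)
    print(pem_to_der(pem))
    print(der_tlv(SAMPLE_DER))
```

Note that PEM only changes the encoding, not the protection: a PEM file holding a private key is plaintext unless the key inside it was encrypted separately, which is why PKCS#12 with a password is the usual choice for transporting private keys.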

PGP

Pretty Good Privacy is a procedure used to protect messages and documents. There are numerous free and commercial implementations of this procedure. OpenPGP is a public and formal standard for PGP.

PKCS#12

PKCS#12 is a format used to exchange certificates and private keys. It is an alternative to PEM. Unlike PEM and DER, PKCS#12 can be protected by a password.

PKI

A Public Key Infrastructure (PKI) is the entire system used to implement and administer certificates and private keys. The components of a PKI include:

• Certificate Authorities
• Directory services (for example, LDAP)
• OCSP services

Port

In order to clearly identify the TCP and UDP connections between two computers, a port number is assigned to both the sender and recipient computers in addition to their IP addresses. This is a number between 0 and 65535.

Postfix

The Postfix service is responsible for sending processed e-mails in the SafeGuard MailGateway. It sends e-mails both within the organization and outside it.


Postmaster key

The Postmaster key is a special OpenPGP key used on the SafeGuard MailGateway. It has two tasks: it signs the OpenPGP keys that SafeGuard MailGateway creates for internal users, and it signs OpenPGP keys from external users and the "Postmaster key" of external OpenPGP servers to mark them as valid. If, in OpenPGP, a Postmaster key is used only to sign other keys, a hierarchical trust structure is created, like the one used in S/MIME. In this situation the Postmaster key functions in the same way as a root CA (S/MIME) and represents the starting point of trust.

Primary address

At least one IP address must be assigned to each network connection. The first assigned IP address is the standard IP address which is therefore called the primary IP address to differentiate it from alias IP addresses.

PrivateCrypto

A software product by Sophos that packs files and directories into an archive and encrypts it, and that decrypts and unpacks such archives again. The archive is encrypted symmetrically; the symmetrical key is derived from a password.

Private key

A private key is used in asymmetrical encryption. Unlike the public key, it is known only to its owner, who uses it to communicate with other people who know the corresponding public key. Do not confuse a private key with the secret key that is used in symmetrical encryption.

Proxy

Communications from a client pass through a proxy server before they reach the actual server. A proxy can carry out a range of tasks. These include transferring, converting, buffering and checking communications.

Public key

A public key is used in asymmetrical encryption. In contrast to a private key, this is publicly known and is used to communicate with the owner of the private key.

Public key procedure

An asymmetrical encryption procedure that uses a pair of keys (private key/public key).

R

Role-based administration

A SafeGuard MailGateway administrator can have one or more roles assigned to them. These roles have fixed functions that cannot be changed. This means administration tasks can be assigned to several people who each have different roles.

root

"root" is the login name for the administrator in a UNIX system. It corresponds to the "Administrator" in Windows systems.

Root CA

A root CA is a Certificate Authority (CA) that is not subordinate to any other CA. It represents the root of a chain of CAs and therefore the starting point in the chain of trust. For this reason the public certificate of a root CA is signed by its own private key and not by a higher-level CA. In this respect even a signature cannot confer trustworthiness on a root CA. You must always trust a root CA directly.

Router/Routing

Routers are devices with two or more network connections. They connect IP networks. Before a computer (for example, your SafeGuard MailGateway) can access computers in other IP networks, it must know which router to use to send its data.

Runlevel

The SafeGuard MailGateway can run in various modes. These are called run levels (operating states).

S

S/MIME

"Secure" MIME is an extension of the MIME standard and permits a MIME object (message or file) to be given a digital signature, or to be encrypted. S/MIME uses X.509 certificates for asymmetrical encryption.

SCP

Secure Copy (SCP) is a part of SSH. Secure Copy, unlike FTP, enables the protected (i.e. encrypted and authenticated) transfer of files over a network.

SCSI

The Small Computer Standard Interface (SCSI) is a standard that is used to connect hard disks, tape drives and other devices to a computer.

Secret key

The symmetrical encryption process uses a secret key to encrypt and then decrypt messages. Both the sender and recipient must know the secret key. But no one else is permitted to know it. Do not confuse this expression with the private key that is used in asymmetrical encryption (PKI).

Secure E-mail

In the SafeGuard MailGateway the Secure E-mail service is responsible for the cryptographic processing (signing, verifying, encrypting and decrypting) of e-mails.

Server

A server is a computer that provides a service to another computer (client).


Server cluster

A server cluster consists of a group of servers that have the same configuration. They can share the work and take over if one of them fails. Compared to a single server, a server cluster provides higher performance and greater reliability.

Simple Mail Transport Protocol

The Simple Mail Transport Protocol (SMTP) transfers e-mails from a client to a server or from one server to another. SMTP has no in-built security. Security must be provided by other procedures (for example, OpenPGP, S/MIME, SSL).

SMTP

Abbreviation of Simple Mail Transport Protocol.

SMTP relay server

An SMTP proxy.

SSH

Secure Shell or SSH is both a program and a network protocol which is used, for example, to log in to a remote computer over the Internet and run programs on it. SSH was developed in 1995 by Tatu Ylönen. It permits a secure authenticated and encrypted connection between two computers via an insecure network. SSH can authenticate users with passwords or with asymmetrical keys. Other information can also be transferred via the SSH protocol. For example, Secure Copy (SCP) is one way in which you can transfer files via an SSH connection.

SSL

Secure Socket Layer (SSL) is a standard used to secure (encrypt and authenticate) a generic TCP network connection. It uses X.509 certificates for asymmetrical encryption.

Sub CA

A sub CA is a Certificate Authority that is subordinate to another CA, which signs the sub CA's certificate. The validity of a sub CA can therefore be checked automatically by means of its higher-level CA.

Subject line control

Subject line control, which can be used from every e-mail client, is a means of overriding the SafeGuard MailGateway's central set of rules. The person sending an e-mail can enter a command in curly brackets in the subject line. This command is then evaluated by the SafeGuard MailGateway. The user can decide whether the command is to stand at the start or at the end of the subject line.
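The following is an added example of the parsing step this entry describes; it is not the SafeGuard MailGateway's implementation and the manual does not list the actual command words, so the command names used here are placeholders. It recognizes a command in curly brackets only at the very start or the very end of the subject line, leaves brackets elsewhere in the subject untouched, and accepts only commands from a known set so that a mistyped command is treated as ordinary text rather than silently changing how the e-mail is handled.

```python
import re
from typing import Optional, Tuple

# A command is text in curly brackets at the very start or very end of the
# subject. Brackets elsewhere are ordinary subject text and are left alone.
_LEADING = re.compile(r"^\s*\{([^{}]+)\}\s*(.*)$", re.DOTALL)
_TRAILING = re.compile(r"^(.*?)\s*\{([^{}]+)\}\s*$", re.DOTALL)

# Placeholder command names for this example. The commands a real gateway
# understands are defined by its rule set, not here.
KNOWN_COMMANDS = frozenset({"sample-command", "other-sample"})


def extract_subject_command(subject: str) -> Tuple[Optional[str], str]:
    """Return (command, remaining subject). command is None when no command
    stands at either end of the line."""
    match = _LEADING.match(subject)
    if match:
        return match.group(1).strip(), match.group(2).strip()
    match = _TRAILING.match(subject)
    if match:
        return match.group(2).strip(), match.group(1).strip()
    return None, subject.strip()


def apply_subject_control(subject: str, known=KNOWN_COMMANDS) -> Tuple[Optional[str], str]:
    """Accept only commands from the known set (case-insensitive). Anything
    else is returned unchanged as subject text, so the central rule set stays
    in force when the sender mistypes a command."""
    command, rest = extract_subject_command(subject)
    if command is not None and command.lower() in known:
        return command.lower(), rest
    return None, subject.strip()


if __name__ == "__main__":
    for line in ("{sample-command} Quarterly report",
                 "Quarterly report {sample-command}",
                 "Budget {draft} for review",
                 "{smaple-command} Quarterly report"):
        print(repr(line), "->", apply_subject_control(line))
```

Whether the command is removed from the subject before delivery, or left in place for the recipient to see, is a policy decision; the example returns both pieces so either behaviour can be built on it.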

Symmetrical encryption

In the case of symmetrical encryption, in contrast to asymmetrical encryption, only one key is used: the secret key. With this secret key, you can encrypt a message and then decrypt it again. You should not confuse the secret key with the private key: that is used for asymmetrical encryption.

Symmetrical encryption is less flexible than asymmetrical encryption. However, as it is very quick and very secure, it is often used in combination with asymmetrical encryption.

T

TCP

The Transmission Control Protocol (TCP) is an agreement (protocol) about how data should be exchanged between computers. All computers involved in data exchange know this agreement and comply with it. This makes it a reliable, connection-oriented transport protocol in computer networks. It is part of the TCP/IP protocol family. TCP was developed by Robert E. Kahn and Vinton G. Cerf. Their research work, which they began in 1973, lasted several years. For this reason the first standardization of TCP did not occur until 1981, as RFC 793. TCP creates a virtual channel between two end points on a network connection (sockets). Data can be transferred in both directions on this channel. Usually TCP is based on the IP (Internet protocol). It is located in layer 4 of the OSI reference model.

U

UID

A UID is the user ID of an OpenPGP key in which information about the user and also his e-mail address are usually stored.

URL

A Universal Resource Locator (URL) identifies a piece of information in the world wide web, in an LDAP Directory, or in another source of information.

User management

The SafeGuard MailGateway assigns one or more S/MIME certificates or OpenPGP keys to each e-mail user. These S/MIME certificates or OpenPGP keys are administered in the user management both for internal users and external users.

UTC

Universal Time Coordinated (UTC) is another name for GMT.

V

Verification

During verification, the signature of the sender is checked with the public certificate/key.

W

Web administrator

The web administrator can use the web management system to administer the SafeGuard MailGateway. The web administrator has his own login name and password. He also needs an SSL certificate in order to create a protected https connection to the SafeGuard MailGateway. The web administrator does not need to be the same as "root".

Web of Trust

In cryptography, a "Web of Trust" is the idea behind ensuring the genuineness of digital keys (for OpenPGP) via a network of mutual confirmations (signatures). It is a decentralized alternative to the hierarchical trust structure used in S/MIME.

Web management

The web management system is a web-based interface to your SafeGuard MailGateway. You can use it to administer and configure your SafeGuard MailGateway.

Wildcards

Wildcard is a technical term used in computing, which means a placeholder for other characters. Many command line interpreters allow the use of such placeholders, for example to enable groups of files or files with forgotten names to be addressed. Text editors can also handle placeholders of this kind, which are used to make it easier to find strings in text. Wildcards can be used in patterns.

X

X.509

X.509 is a standard for the structure and contents of a certificate.
