
Deploying an E-Mail System in Secured Mode

This section describes how to configure an e-mail system to work in secured mode using TLS/SSL. This applies to POP3, IMAP4, and SMTP. The purpose is to generate and install a public/private key pair.

Configuring TLS/SSL for E-mail Server

This section describes procedures for configuring your E-mail Server application to work with TLS/SSL.


Prerequisites:

  • The corporate e-mail server is configured to work in secured mode.


  1. From the certificate on the Corporate E-mail Server, extract the public key. The following is an example of extracting a public key using keytool:
    keytool -export -v -alias hostname.example.com -file <certificate_name>.cer -keystore <certificate_name>.truststore -storepass <certificate_password>
    keytool -import -alias hostname.example.com -file <certificate_name>.cer -keystore client.truststore -storepass <certificate_password>
    At this point, the client.truststore file contains the public key.
  2. Copy the client.truststore file to the host on which E-mail Server is running.

Prerequisites:

  • The .truststore file has been created.
  1. Open JavaEmailServerDriver.ini in a text editor.
  2. In the [JavaArgs] section, add the following: -Djavax.net.ssl.trustStore=<path to certificate>
  3. Save and close the file.

Prerequisites:

  • The .truststore file has been created.
  1. Locate the E-mail Server startup file (emailServer.sh).
  2. Open the file in a text editor and modify the startup command line so E-mail Server can locate the .truststore file. For example: java -Djavax.net.ssl.trustStore="<path to certificate>" -Xmx512M ....
  3. Save and close the file.

Prerequisites:

  • The .truststore file has been generated and E-mail Server's startup command line has been modified.
  1. In Configuration Manager or Genesys Administrator, open the properties for your E-mail Server application.
  2. In the Options tab, locate the [pop-client] section for IMAP and configure the type, port, and enable-ssl options. For example:
    [pop-client1]
    type = IMAP
    port = 993 (the default SSL port for IMAP)
    pop-connection-security = ssl-tls
  3. Locate the [pop-client] section for POP3 and configure the type, port, and enable-ssl options. For example:
    [pop-client2]
    type = POP3
    port = 995 (the default SSL port for POP3)
    pop-connection-security = ssl-tls
  4. Locate the [smtp-client] section and configure the port and enable-ssl options. For example:
    port = 465 (the default SSL port for SMTP)
    smtp-connection-security = ssl-tls
  5. Save your changes.
  6. (Optional) If the application has already started, restart the application to apply the changes.
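
A check that could be run over these options before restarting, added here as an example and not part of the product or its documentation. It assumes the application's options have been copied into INI-style text in the layout shown above, treats the default ports given in the steps as required, and uses a hypothetical function name (audit_options) and constructed sample values.

```python
import configparser

# Default SSL ports given in the steps above, keyed by protocol.
TLS_PORTS = {"IMAP": 993, "POP3": 995, "SMTP": 465}

def audit_options(text):
    """Return (section, problem) findings for pop-client*/smtp-client* sections."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        sec = cfg[name]
        if name.startswith("pop-client"):
            proto = sec.get("type", "").strip().upper()
            security_key = "pop-connection-security"
        elif name.startswith("smtp-client"):
            proto = "SMTP"
            security_key = "smtp-connection-security"
        else:
            continue  # not a mail transport section
        if proto not in TLS_PORTS:
            findings.append((name, f"type {proto!r} is not IMAP or POP3"))
            continue
        if sec.get(security_key, "").strip().lower() != "ssl-tls":
            findings.append((name, f"{security_key} is not ssl-tls"))
        port = sec.get("port", "").strip()
        if port != str(TLS_PORTS[proto]):
            findings.append((name, f"port {port or 'unset'} is not {TLS_PORTS[proto]} for {proto}"))
    return findings

# Constructed sample: correct IMAP, POP3 left on port 110, SMTP with no security option.
SAMPLE = """
[pop-client1]
type = IMAP
port = 993
pop-connection-security = ssl-tls

[pop-client2]
type = POP3
port = 110
pop-connection-security = ssl-tls

[smtp-client]
port = 465
"""

if __name__ == "__main__":
    for section, problem in audit_options(SAMPLE):
        print(f"{section}: {problem}")
```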

Configuring the Corporate E-mail Server

Configure TLS/SSL in the Corporate E-mail Server. Follow the vendor's recommendations to generate a certificate and configure TLS/SSL on the POP3, IMAP, and SMTP ports.

keytool is a Java utility that is available with the JRE. It can be found in <eServices_Install_Dir>/jre/bin for Unix operating systems, and in <eServices_Install_Dir>\jre\bin for Windows operating systems. The following is an example of generating a certificate with keytool:

keytool -genkey -v -alias hostname.example.com -dname "CN=hostname.example.com,OU=IT,O=ourcompany,C=FR" -keypass <certificate_password> -keystore <certificate_name>.keystore -storepass <certificate_password> -keyalg "RSA" -sigalg "SHA1withRSA" -keysize 2048 -validity 3650

The arguments used in this command are the following:

  • -alias—Defines an alias in keystore, to store the key.
  • -dname—Distinguished Name, a comma-separated list made up of the following, in the following order:
    • CN—Common Name. This must be the name of the host where the corporate e-mail server is running. It must be the host name used in E-mail Server's settings; for example, if connecting to a POP3 server, the server option in the pop-client section must have this value.
    • OU—Organizational Unit Name
    • O—Organization Name
    • L—Locality Name (city)
    • S—State
    • C—Country Name
    Important
      • The abbreviations are not case-sensitive.
      • Only CN is required.
  • -keypass—Password of the key of the certificate.
  • -keystore—Specifies the keystore used.
  • -storepass—Password of the keystore.
  • -keyalg—Algorithm used to generate the key. Possible values are DSA and RSA. More information is available at http://docs.oracle.com/javase.
  • -sigalg—Specifies the algorithm used to sign the key.
  • -keysize—Specifies the size of the key.
  • -validity—Defines the validity of the certificate, in days. The value in the example is 3,650 days, or 10 years.

This page was last modified on October 1, 2014, at 05:29.
