NTACurrent en:Installation of Cryptshare Mail Gateway

Aus Cryptshare Documentation
Wechseln zu:Navigation, Suche


This page describes the installation and configuration of the core component of Cryptshare for NTA 7516, the Cryptshare Mail Gateway.


  1. Please make sure that the system, which will be used to install Cryptshare Mail Gateway (hereafter referred to as "the server"), fulfils all of the requirements specified in the System Requirements. In particular, storage encryption and name server configuration.
  2. If not already done, install the sudo package and add the user who performs the installation to the sudo group:
    su -
    apt install sudo -y
    usermod -aG sudo <username>
    (Replace <username> with the actual username.)
  3. Logout and login again.

Installation Steps

Provision the Certificates (only for Let's Encrypt! certificates)

The setup program detects LetsEncrypt! certificates that have been created using CertBot, more precisely, the files that are stored in subdirectories of /etc/letsencrypt/live) and performs all of the necessary server TLS setup. Please make sure that if you use CertBot, the certificates have been created and are up-to-date.

If other certificates are used (without CertBot), TLS has to be configured later (see Server TLS).

Start the Setup Program

  1. Copy the installation package file to your home directory.
  2. Extract the installation package with the following command:
    tar -xzf cmg-setup-<version>.tar.gz
    <version> is the version of the product.
  3. Elevate your privileges to root using:
    sudo su
  4. Cd into the extracted directory and start the setup program:
    cd cmg-setup

Setup Questions

  1. "Will you be using Microsoft 365 to send emails through the Cryptshare Mail Gateway?"
    • Choose yes, if emails are routed from Exchange Online on Microsoft 365 ("M365") to the Cryptshare Mail Gateway for further delivery. This will configure the Cryptshare Mail Gateway to fetch IP mail server addresses from a Microsoft web service and allow relaying only for these hosts. In addition incoming messages from these hosts are checked to have a header that contains your tenant ID.
    • Choose no, if you have a stand-alone Microsoft Exchange Server (outside Microsoft 365) or another mail server product.
  2. "Please enter the 'Tenant ID' for your Microsoft 365 tenant" (shows up only for M365 installations): The tenant ID is required to allow only messages from your tenant to be processed by the Cryptshare Mail Gateway. You can find your tenant ID on the "Azure Active Directory Overview" page.
  3. "Would you like to enable 'Header Authentication'?" (not shown in M365 installations)
    • Choose yes, if outgoing messages have to have a header with a certain value to be relayed. This adds security if you use the Cryptshare Mail Gateway together with a multi-tenant mail server, where the IP address alone is insufficient for deciding which hosts can relay. The header name and value are shown at the end of the setup process.
    • Choose no, if the permission to relay can be given based on the IP address of your mail server. This is usually the case for on-premise installations.
  4. "Please enter email address that will be used to send notifications to the users": This email address is used to send a notification to the users. For example, if the message was marked as "confidential", but it wasn't possible to send the message securely, the original sender will get a message from this address.
  5. "FQDN for this machine": The fully qualified domain name of the server.
  6. "IP address or FQDN for the destination mail server": The IP address of the mail server that accepts messages for the mail domain (see Overview and Configuration of the Mail Server). Incoming (NTA 7516) messages that are received by the Cryptshare Mail Gateway will be forwarded to this address.
  7. "IP address(es) in CIDR format that should be allowed to relay mail through your gateway" (not shown in M365 installations): A list of IP addresses or address ranges (CIDR expressions). This is a comma or space separated list. SMTP clients (including other mail servers) whose IP address matches one of the specified addresses or address ranges are allowed to send e-mails via the Cryptshare Mail Gateway to foreign domains.
  8. "Mail domain that this server will handle": The mail domain of the emails that are being routed through the Cryptshare Mail Gateway. If you have more than one email domain, please enter the primary domain and configure the remaining domains later.
  9. "DKIM selector that you will be using": This corresponds to the DKIM DNS setup. A selector can be any alphanumeric string, but it must match the corresponding DNS entry for DKIM (see DNS Setup). Because it is recommended to update the DKIM key regularly (monthly), the DKIM selector should have a date reference. Example: nta7516feb2021.
  10. "Certificate to use in the mail server configuration": If Let's Encrypt! certificates have been detected, you can select the correct certificate to use for server TLS.

Additional Configuration Steps

Perform all steps with the root user.

Server TLS

These steps are only required if no Let's Encrypt! certificates are found during setup.
  1. Copy the following files to a directory of your choice:
    1. A file containing the certificate chain (the server certificate, the certificate of all intermediate CAs and the root CA certificate) in PEM format.
    2. A file containing the private key of the server certificate. The private keys must not be secured by a passphrase.
  2. Make sure that the private key file has appropriate access permissions (restrict read access to root, for example).
  3. Configure Postfix to use the certificate chain:
    postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/certificate-chain.pem"
    "/etc/ssl/certs/certificate-chain.pem" is the certificate chain file.
  4. Configure Postfix to use the certificate's private key:
    postconf -e "smtpd_tls_key_file = /etc/ssl/private/private-key.pem"
    "/etc/ssl/private/private-key.pem" is the certificate's private key file.
  5. Apply the new configuration.
    postfix reload

Client TLS

Some NTA 7516 compliant organisations require the authentication with a client certificate during SMTP communication. While these steps may not be necessary for all communication partners, they are recommended to gain full interoperability.

  1. Copy the TLS client certificate chain file (which includes the private key), that your organization received during the licensing process, to a directory of your choice. For example: /etc/ssl/private/nta7516-client-chain-with-key.pem.
  2. Make sure that the file has appropriate access permissions (restrict read access to root, for example).
  3. Configure Postfix to use the certificate chain:
    postconf -c /etc/postfix-nta7516 -e "smtp_tls_chain_files = /etc/ssl/private/nta7516-client-chain-with-key.pem"
    "/etc/ssl/private/nta7516-client-chain-with-key.pem" is the certificate chain file.
  4. Apply the new configuration.
    postfix reload


To add a DKIM signature to every outgoing email, Cryptshare Mail Gateway uses the OpenDKIM mail filter. OpenDKIM requires a key pair, whose public key must be published in DNS (see DNS Setup).

  1. Generate a keypair:
    opendkim-genkey -r -d <domain>
    "<domain>" must be replaced by the actual domain.
  2. Move the generated private key to the key directory:
    mv default.private /etc/dkimkeys/dkim.key
  3. Set "opendkim" as group and owner for the private key file:
    chown opendkim:opendkim /etc/dkimkeys/dkim.key
  4. Limit access to the private key file:
    chmod 600 /etc/dkimkeys/dkim.key
  5. Please note: normally, you would have to restart OpenDKIM for the changes to apply, however this step is skipped here, because the service is automatically restarted by the cmg-filter service later (see below).
  6. Use the keypair generated output (file "default.txt") to set up DKIM in DNS accordingly.

Nameserver Configuration

This step is only required if the server's network settings are configured using DHCP.

During setup, Cryptshare for NTA 7516 adds a local resolver to the system (PowerDNS) that is capable of handling DNSSEC requests and allows very fast lookups. As a result, DNS requests need to be issued to localhost ( instead of an external nameserver. Therefore, the setup process also installs the [1] package, and adds a nameserver directive to the configuration file (/etc/resolvconf/resolv.conf.d/head).

However, if DHCP is used, the local configuration may be overridden by the nameserver configuration that is fetched via DHCP. To prevent this, the following steps are required:

  1. Open /etc/dhcp/dhclient.conf in an editor.
  2. Remove domain-name-servers from the list of updated configuration attributes of the request directive.
  3. Append the following line to the end of the file:
    prepend domain-name-servers;
  4. Execute dhclient so that the settings are applied:

See the Debian network configuration wiki for more information.

Complete the installation

Start the cmg-filter Service

During startup, the service will detect the changes made in its configuration regarding the trusted hosts/networks and restart the services that depend on that setting automatically (Postfix, OpenDKIM and OpenDMARC).

systemctl start cmg-filter