Enterprise Vault™ Setting up SMTP Archiving
- About this guide
- Introducing Enterprise Vault SMTP Archiving
- Installing SMTP Archiving
- Configuring SMTP Archiving
- Configuring the Enterprise Vault SMTP Servers in the site
- Adding an SMTP Archiving task and holding folder
- Configuring retention categories and retention plans
- Creating SMTP policies
- Configuring archives for SMTP messages
- Provisioning users for SMTP Group or SMTP Mailbox Journaling
- Using the SMTP dashboard
- PowerShell cmdlets
- Appendix A. Configuring target address rewriting
Obtaining an SSL/TLS certificate
The following types of certificate are supported for SMTP connection security:
Commercial certificate that is signed by a trusted third-party or Certification Authority (CA)
Windows PKI-generated certificate (Microsoft Certificate Services)
Private (self-signed) certificate
Subject Alternative Name (SAN) certificate
You can use any suitable tool to request a certificate from a recognized certificate authority (CA). For example, you can use OpenSSL, which is installed in the Enterprise Vault installation folder.
Ensure that the certificate you request contains all the intermediate certificates you need for clients to establish a chain of trust to a root CA.
The server's certificate and private key must be presented in a PFX or PKCS#12 file. This file should be encrypted using a password.
To obtain an SSL/TLS certificate
- If there is only one SMTP server in the site, go to Step 6.
- Make a backup copy of
openssl.cnfwhich is in the Enterprise Vault installation folder, for example
C:\Program Files (x86)\Enterprise Vault.
- Uncomment the following line in
openssl.cnfby removing the # from the start of the line:
# req_extensions = v3_req # The extensions to add to a certificate request
- Add lines to the [ v3_req ] section of
openssl.cnfas shown in the following example. Specify all the SMTP servers in the site:
[ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = evserver1.example.local DNS.2 = evserver2.example.local DNS.3 = evserver3.example.local DNS.4 = evserver4.example.local
- Use the following OpenSSL syntax to create a certificate request and a key:
openssl req -config openssl.cnf -new -nodes -keyout server.key -out server.csr
Where server.key is the name of the file that will contain the certificate key and server.csr is the name of the file that will contain the certificate signing request (CSR).
You are prompted to enter information about your organization. To leave an optional field blank, enter a period. The fields are as follows:
Country Name is the country in which your organization is based.
State or Province Name is the state in which your organization is based. Optional.
Locality Name is the town or city in which your organization is based. Optional.
Organization Name is the name of your organization.
Organizational Unit Name is the requesting department in your organization. Optional.
Common Name is the fully qualified domain name of the alias of the Enterprise Vault server to which MTAs will make SMTP connections.
Email Address is your email address. Optional.
Challenge password is an extra attribute to be sent with the certificate request. Optional
Optional company name is the name of the company. Optional.
Two files are generated. You should send the CSR file to the CA, and retain the key file.
- Next use the private key to sign the CSR.
If there is only one SMTP server in the site, use the following command to sign the CSR:
openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365
If there is more than one SMTP server in the site, use the following command to sign the CSR:
openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365 -extensions v3_req -extfile openssl.cnf
The folder should now contain a file called
server.pem, which is the server's certificate.
- Use the following command to export the certificate and key into a PKCS#12 (.p12) file, and encrypt the file:
openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -descert
When prompted, enter a password to protect the file.