Import public key from downstream MTA for Prevent Email integration

This article will illustrate how to pull the public TLS certificate to Prevent Email using openssl on Linux. There is an openssl package for Windows but it requires installing software. If that's not available, any Linux system can do this.

If you are using TLS for prevent email and need to get the next hop's TLS public certificate, this is much faster than trying to get it from the hosting provider. If you're ''not'' on the Prevent Email server, any Linux system will work for this, you'll just need a way to copy the public certificate or text from the console window.

1.Check keys:
a. SSH to NPE Detection server as appuser
 
b. sudo su - protect
 
c. Locate keytool directory
 
SDLP 15.5
cd /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin
 
SDLP 15.0 and older
cd /opt/SymantecDLP/jre/bin/
 
c. keytool.exe -list -v -keystore ../../Protect/keystore/prevent.ks
 
<password: protect or dummypass  or changeit>
 
or
 
./keytool -list -v -keystore /opt/Symantec/DataLossPrevention/DetectionServer/15.5/Protect/keystore/prevent.ks
 
<password: protect or dummypass  or changeit>
 
**If "/opt/Symantec/DataLossPrevention/DetectionServer/15.5/Protect/keystore/prevent.ks" does not exsist that you are in default state without TLS
 
or
 
To view the cert you want to import to check it before the import
./keytool -printcert -file /tmp/yourcert.pem
 


1. In Prevent Email as the protect user:

openssl s_client -connect <SERVER_HOST_OR_IP>:25 -starttls smtp | openssl x509 -text

This opens a connection so once you get the data, hit CTRL-C to kill the connection.

This example is truncated output, you'll see more information about the certificate above this block you can use to verify you're on the right server. <br />
Change <SERVER_HOST_OR_IP> to the IP or FQDN of the server you're trying to send mail to. If the system is not accepting mail on port 25, change it to the correct port. The rest of the command will not need to be modified for port changes.

2. You'll want to copy the data starting with -----BEGIN CERTIFICATE and ending with END CERTIFICATE-----

Make sure there are not spaces before or after the required data in the file you're saving!

Example:
 -----BEGIN CERTIFICATE-----
 MIIDEDCCAfigAwIBAgIQQyOcKZQPhbhDU2o35dSoCzANBgkqhkiG9w0BAQUFADAU
 MRIwEAYDVQQDEwlkb21haW5zdnIwHhcNMTMwMjA2MTM0NDIxWhcNMTgwMjA2MTM0
 NDIxWjAUMRIwEAYDVQQDEwlkb21haW5zdnIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
 DwAwggEKAoIBAQCrtST2EFpUQM1cT23H+h+2OZMDS6Ch28kinbnod1ztH62/n+Fv
 21O1h5yd7MULfIXmlZJjhoLZlRbWdCgAEBfbwhv889Nw6NBTF1wi5EV2uywdjdX+
 I4N34yhdlwLYxqnyx1hZ6WzDcAaUrejGiBLRWmSqrbsWK4syEg8B28Ogw/ukZggD
 0JaRopm39Mob4W7DpfAkMiYq/1SmmIsK7khnUhMGPLxPVbvjBNlqMFftD5RtCse8
 H8pqr86uygZjMWn8ax63WlPjJkktibUWjaUm9KcI2FUGf6OqFtbfLRR62Dq91O3t
 N+IRPSHL7tIgkWNUfwokxp1rPvB6wMTCkAyRAgMBAAGjXjBcMA4GA1UdDwEB/wQE
 AwIFoDAnBgNVHREEIDAegglkb21haW5zdnKCEWRvbWFpbnN2ci5sYWIuY29tMBMG
 A1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQAD
 ggEBABpRlFdRKnQnNOl3AkY+/Ocw14XlzQUcyeCldSRr4ZDZziO5L/X1lSszZvDr
 Y2cvAJEVqGJBVUDpGM9NuDjKwmHE26B0yozNQNNcbvVSscRYnKCo19wSI/xZC0zv
 dWfy1wH12/gqvQx7HVaDLAH4KoquUS44gczl12TmMoTZGb1168QQmydun5ylXbAo
 GDCM1ky9gJW0RkDICgn8UAX6a6NGSZY09nMB9gyGyZ3eNuHKtHmYJwjoKtk+WvRJ
 EM8y78vClBXqrbIzL+slcZWtWG5A/EEa7/uTfpRqt4aILLw8Kn9nGXiFNApt3ydd
 ksVCv7H928rRG3MmEZ7TO+dJWBI=
 -----END CERTIFICATE-----

3. Now save this in a file on the Prevent Email system. You can copy/paste using VI or Emacs. Save as something meaningful with the .pem extension.
If you need to move this file to the Prevent Email system, do so now.

4. As the protect user, import the file into the DLP keystore:

cd /opt/Symantec/Protect/jre/bin

./keytool -importcert -alias <NAME> -file /home/protect/<FILE_NAME>.pem -keystore ../../Protect/keystore/prevent.ks

 

**To create a new keystore "prevent.ks" file, simply run the import command above and instead of prevent.ks use a new name like preventNew.ks. Then backup the old prevent.ks file and rename the new preventNew.ks to prevent.ks

./keytool -importcert -alias <NAME> -file /home/protect/<FILE_NAME>.pem -keystore ../../Protect/keystore/preventNew.ks



Where -alias <NAME> is whatever you want to call it (something meaningful is a good idea) in Prevent Email and <FILE_NAME>.pem is the path with file name where you saved it. In this example I saved it in the protect users home directory.

You'll be asked for the keystore password (dummypass by default). It will also display information about the certificate before import and ask if you want to import. Type yes. At this point you should be good to go.

 

5. Update the keystore password on Enforce Management Web Console > NPE > Configure

 

6. Recycle the Detection server via the Enforce Management Web Console > NPE

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.