This article shows how to pull the next hop's public TLS certificate into Prevent Email using openssl on Linux. There is an openssl package for Windows, but it requires installing software; if that is not an option, any Linux system can do this.
If you are using TLS for Prevent Email and need the next hop's TLS public certificate, this is much faster than trying to get it from the hosting provider. If you are not on the Prevent Email server, any Linux system will work; you will just need a way to copy the public certificate text from the console window.
1. In Prevent Email, as the protect user, run:
openssl s_client -connect <SERVER_HOST_OR_IP>:25 -starttls smtp | openssl x509 -text
This leaves the connection open, so once the certificate data has been printed, press CTRL-C to close it.
The example output is truncated; above the certificate block you will see more information about the certificate that you can use to verify you are talking to the right server.
Change <SERVER_HOST_OR_IP> to the IP or FQDN of the server you are trying to send mail to. If that system does not accept mail on port 25, change the port; nothing else in the command needs to change.
2. Copy the data starting at the line -----BEGIN CERTIFICATE----- and ending at the line -----END CERTIFICATE-----, including both marker lines.
Make sure there are no spaces before or after the certificate data in the file you save!
3. Save this in a file on the Prevent Email system; you can paste it with vi or Emacs. Give the file a meaningful name with the .pem extension.
If you captured the certificate on another system, move the file to the Prevent Email system now.
4. As the protect user, import the file into the DLP keystore:
./keytool -importcert -alias <NAME> -file /home/protect/<FILE_NAME>.pem -keystore ../../Protect/keystore/prevent.ks
Note: to create a new keystore file instead of modifying prevent.ks, run the same import command with a new keystore name such as preventNew.ks. Then back up the old prevent.ks and rename preventNew.ks to prevent.ks:
./keytool -importcert -alias <NAME> -file /home/protect/<FILE_NAME>.pem -keystore ../../Protect/keystore/preventNew.ks
Here -alias <NAME> is whatever you want to call the certificate in Prevent Email (something meaningful is a good idea) and /home/protect/<FILE_NAME>.pem is the path to the file you saved. In this example I saved it in the protect user's home directory.
You will be asked for the keystore password (dummypass by default). keytool then displays the certificate details and asks whether you want to import it; type yes. At this point you should be good to go.
5. Update the keystore password on Enforce Management Web Console > NPE > Configure
6. Recycle the Detection server via the Enforce Management Web Console > NPE
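The script below is an added example, not part of the original article or of the DLP product, that automates steps 1 to 4 with checks at each stage: it pulls the next hop's STARTTLS certificate without needing CTRL-C, saves only the PEM block with no stray whitespace (the trap warned about in step 2), backs up the keystore, refuses to reuse an existing alias, and confirms the import. It assumes openssl and keytool are on PATH, that the keystore password is supplied in the KS_PASS environment variable (keytool's -storepass:env option), and that HOST, PORT, ALIAS and the keystore path are placeholders the caller fills in.

```shell
#!/bin/sh
# Added example (not from the original article): fetch, clean, verify and
# import the next hop's TLS certificate into the Prevent Email keystore.
# Assumptions: openssl and keytool on PATH; KS_PASS holds the keystore
# password; host/port/alias/keystore path are passed in by the caller.

# Print the first BEGIN/END CERTIFICATE block from openssl s_client output
# (stdin), stripping carriage returns and surrounding whitespace so the
# saved file has exactly the marker lines and the base64 body.
extract_cert_pem() {
    tr -d '\r' | awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print }
        /-----END CERTIFICATE-----/ { if (inblock) exit }
    '
}

# Return 0 only if FILE is a clean single PEM certificate: exact marker
# lines first and last, no carriage returns, no blank or padded lines.
check_pem_file() {
    file=$1
    [ -s "$file" ] || return 1
    [ "$(head -n 1 "$file")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(tail -n 1 "$file")" = "-----END CERTIFICATE-----" ] || return 1
    if grep -q "$(printf '\r')" "$file"; then return 1; fi
    if grep -Eq '^[[:space:]]|[[:space:]]$|^$' "$file"; then return 1; fi
    return 0
}

# fetch_smtp_cert HOST PORT OUTFILE: STARTTLS to the next hop and save its
# certificate. Feeding </dev/null ends the session after the handshake, so
# no CTRL-C is needed. Prints subject, issuer, expiry and SHA-256
# fingerprint so the operator can confirm it is the intended server.
fetch_smtp_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -starttls smtp -servername "$host" \
        </dev/null 2>/dev/null | extract_cert_pem > "$out"
    check_pem_file "$out" || { echo "no usable certificate from $host:$port" >&2; return 1; }
    openssl x509 -in "$out" -noout -subject -issuer -enddate -fingerprint -sha256
}

# import_cert ALIAS PEMFILE KEYSTORE: back up the keystore (if it exists),
# refuse to overwrite an existing alias, import without the interactive
# "trust this certificate?" prompt, then list the alias to prove it landed.
# KS_PASS is read by keytool itself (-storepass:env), so the password never
# appears on the command line.
import_cert() {
    alias=$1; pem=$2; ks=$3
    [ -n "$KS_PASS" ] || { echo "KS_PASS is not set" >&2; return 1; }
    check_pem_file "$pem" || { echo "$pem is not a clean PEM file" >&2; return 1; }
    if [ -f "$ks" ]; then
        cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    if keytool -list -keystore "$ks" -storepass:env KS_PASS -alias "$alias" >/dev/null 2>&1; then
        echo "alias $alias already exists in $ks; choose another name" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias "$alias" -file "$pem" \
        -keystore "$ks" -storepass:env KS_PASS || return 1
    keytool -list -keystore "$ks" -storepass:env KS_PASS -alias "$alias"
}

# Usage, run as the protect user on the Prevent Email server (placeholders):
#   KS_PASS=dummypass sh import_nexthop_cert.sh HOST PORT ALIAS /path/to/prevent.ks
# The certificate is saved as ALIAS.pem in the caller's home directory.
if [ "$#" -eq 4 ]; then
    fetch_smtp_cert "$1" "$2" "$HOME/$3.pem" && import_cert "$3" "$HOME/$3.pem" "$4"
fi
```

Because -noprompt skips the interactive confirmation the article describes, compare the printed fingerprint with what the next hop's operator tells you before running the import stage. Adding -showcerts to the s_client command prints the intermediates as well if you ever need the full chain rather than just the server certificate.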
TIP: Issue the commands below once a telnet connection to the mail server is established:
EHLO <your mail server domain>
If desired, type message text, press ENTER, type a period (.), and then press ENTER again.
If mail is working properly, you should see a response similar to the following, indicating that the mail is queued for delivery.