Veritas Enterprise Vault™ Setting up SMTP Archiving

Last Published:
Product(s): Enterprise Vault (12.1)

Obtaining an SSL/TLS certificate

The following types of certificate are supported for SMTP connection security:

  • Commercial certificate that is signed by a trusted third-party or Certification Authority (CA)

  • Windows PKI-generated certificate (Microsoft Certificate Services)

  • Private (self-signed) certificate

  • Subject Alternative Name (SAN) certificate

  • Wildcard certificate

You can use any suitable tool to request a certificate from a recognized certificate authority (CA). For example, you can use OpenSSL, which is installed in the Enterprise Vault installation folder.

If you request a certificate from Veritas, you should specify "Microsoft" as the server platform. In this case, the certificate you receive contains all the intermediate certificates you need for clients to establish a chain of trust to a root CA.

The server's certificate and private key must be presented in a PFX or PKCS#12 file. This file should be encrypted using a password.

To obtain an SSL/TLS certificate

  1. If there is only one SMTP server in the site, go to Step 6.
  2. Make a backup copy of openssl.cnf, which is in the Enterprise Vault installation folder, for example C:\Program Files (x86)\Enterprise Vault.
  3. Open openssl.cnf for editing.
  4. Uncomment the following line in openssl.cnf by removing the # from the start of the line:

    # req_extensions = v3_req # The extensions to add to a certificate request

  5. Add lines to the [ v3_req ] section of openssl.cnf as shown in the following example, to specify all the SMTP servers in the site:

    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = evserver1.example.local
    DNS.2 = evserver2.example.local
    DNS.3 = evserver3.example.local
    DNS.4 = evserver4.example.local

  6. Use the following OpenSSL syntax to create a certificate request and a key:

    openssl req -config openssl.cnf -new -nodes -keyout server.key -out server.csr

    where server.key is the name of the file that will contain the certificate key and server.csr is the name of the file that will contain the certificate signing request (CSR).

    You are prompted to enter information about your organization. To leave an optional field blank, enter a period. The fields are as follows:

    • Country Name is the country in which your organization is based.

    • State or Province Name is the state in which your organization is based. Optional.

    • Locality Name is the town or city in which your organization is based. Optional.

    • Organization Name is the name of your organization.

    • Organizational Unit Name is the requesting department in your organization. Optional.

    • Common Name is the fully qualified domain name of the alias of the Enterprise Vault server to which MTAs will make SMTP connections.

    • Email Address is your email address. Optional.

    • Challenge password is an extra attribute to be sent with the certificate request. Optional.

    • Optional company name is the name of the company. Optional.

    Two files are generated. You should send the CSR file to the CA, and retain the key file.

  7. Next, use the private key to sign the CSR. Signing with -signkey produces a private (self-signed) certificate.

    If there is only one SMTP server in the site, use the following command to sign the CSR:

    openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365

    If there is more than one SMTP server in the site, use the following command to sign the CSR:

    openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365 -extensions v3_req -extfile openssl.cnf

    The folder should now contain a file called server.pem, which is the server's certificate.

  8. Use the following command to export the certificate and key into a PKCS#12 (.p12) file, and encrypt the file:

    openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -descert

    When prompted, enter a password to protect the file.
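
The multi-server path of this procedure (steps 5 to 8), run non-interactively and then checked, as an added example that is not part of the Veritas guide: it confirms that each SMTP server name is in the certificate's subjectAltName, that the key matches the certificate, and that server.p12 opens only with its password. The host names, password, function names and the minimal openssl.cnf are constructed for illustration, and the script assumes openssl is on the PATH of a POSIX shell.

```shell
#!/bin/sh
# Added example. Host names and password are constructed, not from the guide.
PFX_PASS='constructed-example-password'

# make_pfx DIR CN HOST...: steps 5 to 8 in DIR, without interactive prompts.
# -nodes (as in step 6) leaves server.key unencrypted, so keep DIR restricted.
make_pfx() {
    dir=$1; cn=$2; shift 2
    {   # Minimal stand-in for the edited openssl.cnf from steps 3 to 5.
        printf '[req]\ndefault_bits = 2048\nprompt = no\n'
        printf 'distinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[dn]\nCN = %s\n[v3_req]\nsubjectAltName = @alt_names\n' "$cn"
        printf '[alt_names]\n'
        i=1; for h in "$@"; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i + 1)); done
    } > "$dir/openssl.cnf"
    openssl req -config "$dir/openssl.cnf" -new -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -in "$dir/server.csr" -out "$dir/server.pem" -req \
        -signkey "$dir/server.key" -days 365 \
        -extensions v3_req -extfile "$dir/openssl.cnf" 2>/dev/null &&
    openssl pkcs12 -export -in "$dir/server.pem" -inkey "$dir/server.key" \
        -out "$dir/server.p12" -descert -passout "pass:$PFX_PASS"
}

# cert_has_san PEM HOST: succeeds only if HOST is a DNS subjectAltName entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | tr -d ' ' | tr ',' '\n' |
        grep -qxF "DNS:$2"
}

# key_matches_cert KEY PEM: the certificate must carry this key's public half.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) && [ -n "$pub" ] &&
        [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# pfx_opens P12 PASSWORD: succeeds only if PASSWORD unlocks the PKCS#12 file.
pfx_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Demo: build in a scratch folder, run every check, then clean up.
d=$(mktemp -d)
make_pfx "$d" smtp.example.local evserver1.example.local evserver2.example.local &&
    cert_has_san "$d/server.pem" evserver2.example.local &&
    key_matches_cert "$d/server.key" "$d/server.pem" &&
    pfx_opens "$d/server.p12" "$PFX_PASS" &&
    echo "server.p12 verified"
rm -rf "$d"
```

A server name missing from the [alt_names] section makes cert_has_san fail for that host, which is the condition to catch before the file is deployed to the SMTP servers in the site.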