Enterprise Vault™ Setting up SMTP Archiving

Last Published:
Product(s): Enterprise Vault (14.2)
  1. About this guide
    1.  
      Introducing this guide
    2. Where to get more information about Enterprise Vault
      1.  
        Enterprise Vault training modules
  2. Introducing Enterprise Vault SMTP Archiving
    1. About Enterprise Vault SMTP Archiving
      1.  
        SMTP Archiving configurations
      2.  
        SMTP Archiving components
    2.  
      About SMTP Journaling
    3.  
      About SMTP Group Journaling
    4.  
      About SMTP Mailbox Journaling
    5.  
      About SMTP Archiving licensing
    6.  
      Journaling messages to Enterprise Vault from Exchange Server or Office 365
  3. Installing SMTP Archiving
    1.  
      About installing Enterprise Vault SMTP Archiving components
    2.  
      Reporting
    3.  
      Monitoring
  4. Configuring SMTP Archiving
    1.  
      Steps to configure SMTP Archiving
    2.  
      Planning your configuration
    3. Configuring the Enterprise Vault SMTP Servers in the site
      1.  
        Entering the name or IP address of connecting hosts
      2.  
        Obtaining an SSL/TLS certificate
      3.  
        Configuring message tracking for SMTP messages
    4. Adding an SMTP Archiving task and holding folder
      1.  
        About the SMTP holding folder
      2.  
        Keeping safety copies of archived messages
      3.  
        Task summary reports
    5. Adding an SMTP Archiving task and holding folder
      1.  
        About the SMTP holding folder
      2.  
        Keeping safety copies of archived messages
      3.  
        Task summary reports
    6. Configuring retention categories and retention plans
      1.  
        Managing cascading retention settings on multiple archives
      2.  
        About changing retention on SMTP Group Journaling provisioning groups
    7. Creating SMTP policies
      1. About X-Headers
        1.  
          About X-Kvs X-Headers
        2.  
          Searching archives for messages with specific X-Headers
    8. Configuring archives for SMTP messages
      1.  
        Assigning multiple archives to spread the archiving load across servers
    9.  
      Adding SMTP routing addresses
    10.  
      Checking settings for SMTP Journaling
    11.  
      Additional configuration for Compliance Accelerator
  5. Provisioning users for SMTP Group or SMTP Mailbox Journaling
    1.  
      About SMTP provisioning groups
    2.  
      Adding an SMTP Group Journaling provisioning group
    3.  
      Adding an SMTP Mailbox Journaling provisioning group
    4.  
      Changing the order of the SMTP provisioning groups
    5.  
      Deleting an SMTP provisioning group
    6.  
      Adding or deleting an SMTP Provisioning task
    7.  
      SMTP Provisioning task summary reports
    8.  
      Configuring the SMTP site setting, Selective Journal Archiving
    9.  
      Adding SMTP target addresses manually
  6. Using the SMTP dashboard
    1.  
      About the SMTP dashboard
    2.  
      Using the Summary page
    3.  
      Using the Search page
    4.  
      Using the SMTP Archiving page
  7. PowerShell cmdlets
    1.  
      About the PowerShell cmdlets for SMTP Archiving
  8. Appendix A. Configuring target address rewriting
    1.  
      About target address rewriting
    2.  
      Steps to configure target address rewriting
    3.  
      Adding SMTP target addresses
    4.  
      Adding target address aliases

Obtaining an SSL/TLS certificate

The following types of certificate are supported for SMTP connection security:

  • Commercial certificate that is signed by a trusted third-party or Certification Authority (CA)

  • Windows PKI-generated certificate (Microsoft Certificate Services)

  • Private (self-signed) certificate

  • Subject Alternative Name (SAN) certificate

  • Wildcard certificate

You can use any suitable tool to request a certificate from a recognized certificate authority (CA). For example, you can use OpenSSL, which is installed in the Enterprise Vault installation folder.

Ensure that the certificate you request contains all the intermediate certificates you need for clients to establish a chain of trust to a root CA.

The server's certificate and private key must be presented in a PFX or PKCS#12 file. This file should be encrypted using a password.

To obtain an SSL/TLS certificate

  1. If there is only one SMTP server in the site, go to Step 6.
  2. Make a backup copy of openssl.cnf which is in the Enterprise Vault installation folder, for example C:\Program Files (x86)\Enterprise Vault.
  3. Open openssl.cnf for editing.
  4. Uncomment the following line in openssl.cnf by removing the # from the start of the line:

    # req_extensions = v3_req # The extensions to add to a certificate request

  5. Add lines to the [ v3_req ] section of openssl.cnf as shown in the following example. Specify all the SMTP servers in the site:
    [ v3_req ]
# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names
                
[alt_names]
DNS.1 = evserver1.example.local
DNS.2 = evserver2.example.local
DNS.3 = evserver3.example.local
DNS.4 = evserver4.example.local
  6. Use the following OpenSSL syntax to create a certificate request and a key:

    openssl req -config openssl.cnf -new -nodes -keyout server.key -out server.csr

    Where server.key is the name of the file that will contain the certificate key and server.csr is the name of the file that will contain the certificate signing request (CSR).

    You are prompted to enter information about your organization. To leave an optional field blank, enter a period. The fields are as follows:

    • Country Name is the country in which your organization is based.

    • State or Province Name is the state in which your organization is based. Optional.

    • Locality Name is the town or city in which your organization is based. Optional.

    • Organization Name is the name of your organization.

    • Organizational Unit Name is the requesting department in your organization. Optional.

    • Common Name is the fully qualified domain name of the alias of the Enterprise Vault server to which MTAs will make SMTP connections.

    • Email Address is your email address. Optional.

    • Challenge password is an extra attribute to be sent with the certificate request. Optional

    • Optional company name is the name of the company. Optional.

    Two files are generated. You should send the CSR file to the CA, and retain the key file.

  7. Next use the private key to sign the CSR.

    If there is only one SMTP server in the site, use the following command to sign the CSR:

    openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365

    If there is more than one SMTP server in the site, use the following command to sign the CSR:

    openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365 -extensions v3_req -extfile openssl.cnf

    The folder should now contain a file called server.pem, which is the server's certificate.

  8. Use the following command to export the certificate and key into a PKCS#12 (.p12) file, and encrypt the file:

    openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -descert

    When prompted, enter a password to protect the file.

    Note:

    Create a single SAN certificate that includes the fully qualified domain names of all the Enterprise Vault servers in the site. The Common Name for the SAN certificate can be the fully qualified domain name of the alias of any Enterprise Vault server in the site. When you import the SAN certificate to any one of the servers in the site, Enterprise Vault installs the certificate on the other servers.