Encryption

The Axigen Solution: Overview & Architecture

Axigen provides a variety of security options related to authentication and encryption for all connections established by/with the mail server.

Secure/Plain connections and authentication methods

Axigen supports TLS-enabled connections, i.e. connections that support Transport Layer Security (TLS), a standard that provides encryption and authentication services. TLS can be negotiated during the startup phase of many Internet protocols, including SMTP, POP3 and IMAP, and is used for general authentication and encryption of communication over TCP/IP networks.

All Axigen mail services (SMTP, IMAP, POP3) provide an AllowStartTLS parameter; enabling it makes the server advertise its TLS capability to clients.

Authentication methods are available both for TLS-enabled connections and for plain (non-TLS-enabled) connections. The methods supported by Axigen are: PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5 and GSSAPI.

The PLAIN mechanism consists of a single message from the client to the server, in which the client sends the authorization identity (identity to login as), the authentication identity (identity whose password will be used) and the clear-text password. If left empty, the authorization identity is the same as the authentication identity. The PLAIN authentication mechanism is not recommended for use over an unencrypted network connection.

The LOGIN mechanism is a non-standard mechanism, similar to PLAIN except that it lacks support for authorization identities.

CRAM-MD5 is a challenge-response mechanism that transmits a hash computed from the password and a server challenge instead of the clear-text password. Over insecure channels (e.g., when TLS is not used) it is safer than PLAIN.
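The PLAIN and CRAM-MD5 exchanges described above, as an added example that is not part of the original page or of the Axigen code base: both sides of each mechanism are implemented so that the difference between them is visible on the wire. The user database, the hostname in the challenge and the credentials are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed credential store for the demonstration (assumption, not from the page).
USERS = {"alice": "s3cret-pass"}


def plain_client_message(authcid: str, password: str, authzid: str = "") -> bytes:
    """Build the single SASL PLAIN message: authzid NUL authcid NUL password,
    base64-encoded as it appears on the wire. The password travels in clear text."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw)


def plain_server_verify(message: bytes) -> Optional[str]:
    """Decode a PLAIN message and return the authenticated identity, or None on
    failure. An empty authzid defaults to authcid; this example does not allow
    acting as a different authorization identity (a real server needs a policy)."""
    authzid, authcid, password = base64.b64decode(message).decode("utf-8").split("\0", 2)
    if USERS.get(authcid) != password:
        return None
    if authzid and authzid != authcid:
        return None
    return authcid


def cram_md5_challenge() -> bytes:
    """Server challenge in the usual msg-id form; hostname is a constructed value."""
    return f"<{os.urandom(8).hex()}@axigen.example>".encode("utf-8")


def cram_md5_response(challenge: bytes, username: str, password: str) -> bytes:
    """Client side: HMAC-MD5 of the challenge keyed with the password.
    Only the keyed hash crosses the wire, never the password itself."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8"))


def cram_md5_server_verify(challenge: bytes, response: bytes) -> Optional[str]:
    """Server side: recompute the HMAC from the stored password and compare in
    constant time. Note the server must hold the password in recoverable form."""
    username, _, digest = base64.b64decode(response).decode("utf-8").rpartition(" ")
    password = USERS.get(username)
    if password is None:
        return None
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


def password_visible_on_wire(message: bytes, password: str) -> bool:
    """Does the decoded wire message contain the clear-text password?"""
    return password.encode("utf-8") in base64.b64decode(message)
```

A replayed CRAM-MD5 response fails against a fresh challenge, which is what the challenge buys over PLAIN; it does not protect against offline guessing by anyone who captured the exchange.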

DIGEST-MD5 is the required authentication mechanism for LDAP v3 servers.

DIGEST-MD5 is based on HTTP Digest Authentication. In DIGEST-MD5, the LDAP server sends the LDAP client data that includes the various authentication options it is willing to support plus a special token. The client responds with an encrypted response indicating the authentication options it has selected; the response is encrypted in such a way as to prove that the client knows its password. The LDAP server then decrypts and verifies the client's response.

GSSAPI is the Generic Security Services Application Programming Interface. Its primary use today is with Kerberos authentication. Kerberos is the primary authentication mechanism in Windows Active Directory.


SSL Parameters

Axigen supports SSL-enabled connections, providing advanced SSL parameters for TCP Listener configuration available for all its TCP Services (SMTP, IMAP, POP3, WebMail, CLI and WebAdmin). See SSL Parameters for Listeners for information on these parameters and how to configure them using WebAdmin.

Also, for all Axigen services, authentication error control parameters are available. That is, if on attempting to connect, clients fail to authenticate correctly a number of times, the connection is dropped. For information on these parameters, see the Connection Error Control sections for each module in Configuring Axigen using WebAdmin.

Kerberos is the primary authentication mechanism in Windows Active Directory. Within the Axigen mail server, it is used as an authentication method through GSSAPI (Generic Security Services Application Programming Interface). To enable Kerberos authentication for your installed Axigen solution, please follow the steps described below.

1. Create an account named "axigen_SERVICE" in Active Directory for each service on which you want Axigen to authenticate. Three accounts cover all Axigen supported services: axigen_smtp, axigen_imap and axigen_pop.

2. Export the keys using the KTPASS utility:

  • Generate a key for the SMTP service:
  • Generate a key for the IMAP service:
  • Generate keys for the POP3 service:
  • In all commands shown above you must replace:
    1. "axigen.hostname" with the domain Axigen users should use to log in to
    2. "REALM" with the Kerberos realm, which is the uppercase name of the Active Directory domain (which should be the same as the Axigen domain name)
    3. "PASSWORD" with the password for the corresponding "axigen_SERVICE" account, which you have previously created
  • Please note that the Axigen IP address must reverse-resolve to the same hostname you have specified above as "axigen.hostname".

3. Copy the exported key files to the /etc directory on the Axigen machine and merge them using the "ktutil" application. Simply type "ktutil" and issue the following commands in the application's subshell:

  • load the needed "keytab" files, according to the services you want to use GSSAPI authentication with:
  • write the new "/etc/krb5.keytab" file:
  • exit the "ktutil" shell:
  • At this moment, all necessary keys will be saved in the "/etc/krb5.keytab" file.

Prerequisites and Settings for Each Active Directory User Defined for Axigen

The Axigen domain name must be the same as the full Active Directory domain name. Also, the accounts for which you want to use Kerberos authentication must be created within the Axigen messaging solution.

Example:

The example below shows how to set up the Windows version of the Mozilla Thunderbird email client to use Kerberos authentication within an Active Directory environment: