SafeGuard MailGateway - Manual for System Administrators - Sophos [PDF]

SafeGuard MailGateway Manual for System Administrators

SafeGuard MailGateway: Manual for System Administrators

Table of Contents 1 Introduction ........................................................................................................................ 1 1.1 About this Manual for System Administrators ......................................................... 1 1.2 Overview of this manual ......................................................................................... 1 2 Quick Start ......................................................................................................................... 3 3 Basics of E-mail Encryption/E-mail Signature ................................................................... 5 3.1 Certificates .............................................................................................................. 5 3.1.1 X.509 certificates ......................................................................................... 5 3.1.2 CA Certificates ............................................................................................. 6 3.1.3 Sub-CA certificates ...................................................................................... 6 3.1.4 User certificates ........................................................................................... 7 3.2 Checking the validity and trustworthiness of S/MIME certificates ........................... 9 3.2.1 Certificate Revocation List (CRL) ............................................................... 10 3.2.2 OCSP ......................................................................................................... 10 3.3 OpenPGP keys ..................................................................................................... 11 3.4 Checking the validity and trustworthiness of OpenPGP keys ............................... 11 3.4.1 Web of Trust .............................................................................................. 12 3.5 Exchanging S/MIME certificates or OpenPGP keys ............................................. 13 3.5.1 LDAP .......................................................................................................... 14 3.5.2 HKP key servers ........................................................................................ 14 3.6 Public Key Infrastructures (PKIs) .......................................................................... 14 3.7 The public key procedure ..................................................................................... 15 3.7.1 Encryption using the public key procedure ................................................ 15 3.7.2 Digital signature with the public key procedure .......................................... 16 4 Standards used in E-mail Encryption .............................................................................. 17 4.1 Common attributes of S/MIME and OpenPGP ..................................................... 17 4.2 S/MIME ................................................................................................................. 17 4.3 OpenPGP .............................................................................................................. 18 4.4 OpenPGP/MIME compared with OpenPGP/Inline ................................................ 18 4.4.1 OpenPGP/Inline ......................................................................................... 18 4.4.2 OpenPGP/MIME ......................................................................................... 19 4.4.3 How does SafeGuard MailGateway handle MIME e-mails with OpenPGP/Inline? ................................................................................................. 20 4.5 PrivateCrypto ........................................................................................................ 20 4.6 PDFMail ................................................................................................................ 21 4.7 Password Management in PrivateCrypto and PDFMail ........................................ 22 4.7.1 Password handling ..................................................................................... 22 4.7.2 Self-registration .......................................................................................... 22 4.7.3 Using an SMS Gateway ............................................................................ 23 5 Central E-mail Security .................................................................................................... 25 6 SafeGuard MailGateway Functional Integration .............................................................. 27 6.1 Use as an internal SafeGuard MailGateway ........................................................ 27 6.2 Integrating the SafeGuard MailGateway in your firewall ....................................... 29 6.3 The SafeGuard MailGateway with routing ............................................................ 29 6.4 DNS connection .................................................................................................... 30 6.4.1 The SafeGuard MailGateway as a DNS client ........................................... 31 6.4.2 No access to DNS server .......................................................................... 31 6.5 High availability/load distribution/clusters .............................................................. 31

iii

6.5.1 Cluster with internal EXPORT_LOG_DESTINATION=""

180

FTP or SCP can be used for the export. The correct entry for the "destination" appears in both quotation marks and in this format: ftp://[login[:password]@]server[:port]/path scp://[login@]server:/path/ EXPORT_CRL_DESTINATION= „ftp://[login[:password]@]server[:port]/path” • As shown in this example, enter the "Destination" for CRL and LOG. For more details about possible values and the prerequisites for login please read the comments in these scripts: /usr/bin/Gateway/exportfiles-ftp /usr/bin/Gateway/exportfiles-scp You must also follow the instructions about the ftp and SCP command line tools! To save and close the rc.config file, enter: esc:x We recommend to test whether the automatic export of CRL and LOG has been carried out successfully. To test this via the shell, call these commands: export-crl export-log If you want to delete successfully exported logs from your SafeGuard MailGateway, set the EXPORT_LOG_DELETE_AFTER_EXPORT variable to YES. Please note: you should not have a second copy of the log if you want it to be deleted after a successful export and be removed from the export server. Unless you do this, the logs in your SafeGuard MailGateway will be present in their original binary format but in their converted ASCII format on the export server. After the test is completed successfully and you have finished working on the rc.config file, copy the file from here to this location: /gateway/chroot/webmgnt/conf/default/rc.config Use this command to do this:

181

cp /etc/rc.config /gateway/chroot/webmgnt/conf/default/rc.config Please note that the /etc/rc.config file is overwritten by the /gateway/chroot/webmgnt/conf/default/rc.config file as soon as you configure your SafeGuard MailGateway via Webmanagement. If you do not enter a "Destination" for an export script, it will still be called every night by the cron service, and, of course, it will not be exported. After installation, this standard configuration is also entered in the log.

If any problems arise when you configure the export, you should test the base exportfiles-… script manually by exporting any of the files.

We recommend to regularly check that the CRL and LOG are exporting correctly. If you change your configuration (not only SafeGuard MailGateway, but also the server or the network), this may mean that an export configuration which has worked correctly until now no longer works. Your SafeGuard MailGateway will warn you if this happens!

25.17. Upgrading to a new version To upgrade to a new version (for example, from version 5.60 to 5.XX) you must reinstall the software. In each case this means your SafeGuard MailGateway is put into a pre-defined initial state. Of course, you do not want to lose any existing configurations or any of the certificates and keys you generated or imported. In this section we describe what is involved in migration. These instructions describe how you can transfer your existing configuration from the "old" system to the "new" system.

25.17.1. Migrating to a new version of SafeGuard MailGateway This section describes how you migrate from an old version of your SafeGuard MailGateway to the latest version of SafeGuard MailGateway.

We recommend to install the latest gateway version on new hardware.

• Make a back up of the old version of your SafeGuard MailGateway. To do so, go to web management and click the main menu item System. Then open the window Backup and click the button Backup. Please store this backup on your admin PC.

182

• Install the latest gateway version on new hardware. See Chapter 11 • Start the file transfer software (for example Winscp) and copy the prepared backup to the /var/tmp. • Start your console access and log on as the root user with the appropriate password. • Use this command to switch to the /var/tmp directory: cd /var/tmp • Then, to launch the migration to the new gateway version, enter this command: migrate --in oldbackup.tgz -–out newbackup.tgz If you want to migrate from version 5.30 to a newer version of the gateway, you are then prompted to confirm which rules (secure e-mail) you want to transfer. You may then need to make a few additional settings to your set of rules. You now have converted a backup of an old version into one of the current version. You can new restore this backup as described in Section 25.11. Then, log on to web management from your admin PC. There, check all the settings and make any modifications needed for the secure e-mail rules.

25.18. Licensing Your SafeGuard MailGateway only performs cryptographic operations for an internal user when that user is licensed. An internal user is licensed if there is an S/MIME certificate or an OpenPGP key for them. If the rules for internal users permit the generating of certificates and keys, then the system will normally generate certificates and keys for these users as soon as an e-mail is sent over the SafeGuard MailGateway. Here, whether or not the e-mail has been encrypted or signed is not relevant. This automatic generation of certificates and keys is only performed for senders of e-mails (internal users). The license file limits the generation of certificates and keys. For example, if the maximum number of licenses for internal users is exceeded, then the license file takes decisive action, affecting the SafeGuard MailGateway. In some circumstances no more certificates and keys will be generated by your SafeGuard MailGateway. If the number of licensed users is exceeded, all e-mails will be blocked. Your SafeGuard MailGateway then automatically switches to runlevel 2. As the operator of your SafeGuard MailGateways you will be informed in advance about when a test licence is due to expire (number of days) or if the test licenses are exceeded (number of users). You can configure this in web management (see Monitoring → Settings → Details).

183

25.18.1. Exchanging the license file The license file is an ASCII file that releases the functionality you have purchased on your SafeGuard MailGateway. You can upload the license file in the web management at: System → License The ASCII file as well as the .zip archive are supported here.

25.18.2. The licensed_users.txt file Not every internal user who is to use the cryptographic functions provided by your SafeGuard MailGateway has had a certificate or a key assigned to them via their e-mail address. This occurs in the following situations: • An internal user only uses PrivateCrypto or PDFMail and not S/MIME or OpenPGP. • A domain key has been assigned to the internal user via the set of rules defined for the secure e-mail service. • The internal user did so far not have any valid certificate or OpenPGP key assigned to him. You should check whether a certificate or an OpenPGP key should be generated for this internal user. To do so, as operator of the SafeGuard MailGateway, you have the option of controlling which users can use the functions provided by the SafeGuard MailGateway, and also ensuring that the license check is carried out correctly, by creating the licensed_users.txt file. In it you can list all internal users for whom the cryptographic functionality is to be used. The system performs encryption for all internal users who are listed in this file with their email address, if they do not exceed the (total) number of users permitted in the license file. All other users will be blocked. If you want to ensure that the cryptographic functionality of your SafeGuard MailGateway is to be used for 300 users specified by you, and not users selected randomly by the SafeGuard MailGateway, then you create the licensed_users.txt file and enter the relevant user names in it. You must store the licensed_users.txt file in these folders: /etc/Gateway/ /gateway/chroot/webmgnt/etc/Gateway Please note that you must store two identical copies of the file, one in each of these folders. The licensed_users.txt is a US-ASCII file which may contain one e-mail address per line. No other characters or blank spaces are permitted in the line.

184

If you have created this file and put it in the folders mentioned above then your SafeGuard MailGateway performs a linear check of this file and compares the e-mail address with the contents of the individual lines it contains. This check does not differentiate between upper and lower case letters. If the licensed_users.txt file is not present on the SafeGuard MailGateway, the system interprets this as follows: • A certificate or an OpenPGP key can be generated for each internal user as long as this is not prevented by other factors (number of licensed users, set of rules). • An internal user to whom no certificate or OpenPGP key has been assigned is handled as an unlicensed user. The consequence is that this user is not permitted to use a domain key (with a private key on the SafeGuard MailGateway), a certificate, or PrivateCrypto, or PDFMail.

25.19. Exchanging PDF Reply certificates When your SafeGuard MailGateway is installed, a certificate is generated for the PDF Reply website. You can then exchange this PDF Reply certificate. To do so, you should request a certificate from a TrustCenter. SafeGuard MailGateway supports the certificate formats PKCS#12 and PEM. To exchange the PDF Reply certificate generated by your SafeGuard MailGateway with another certificate, click on the menu item Network in the main menu bar on the left, and there click the tab PDF-Reply. Before you can import the server certificate, you have to select the certificate format and in case of format PKCS#12 you also have to enter the PKCS#12 password. Afterwards, click on Browse (or equivalent button, depending on which browser you are using), select your own server certificate you want to import and then click on Import. Save the PDF Reply server certificate import. You can now use the new certificate for PDF Reply.

25.20. Translating messages From time to time your SafeGuard MailGateway sends e-mails to the users. They include, for example: • E-mails that contain a PrivateCrypto or a PDFMail password • E-mails that contain error messages These e-mails and error messages have all been written in English. They are all contained in one file so that they can be translated into other languages easily.

185

In this file you should note the following: Each text is framed by two tags, @BEGIN at the start and @END at the end. The e-mails and error messages can contain different placeholders which you must not change, for example $$RCPT$$. So, for example, a complete error message that is sent by the SafeGuard MailGateway looks like this:

@BEGIN CmdEncryptionNotAllowed ISO-8859-15 Subject command enforces encryption for , but this is not possible/allowed. @END CmdEncryptionNotAllowed

This is an example of what a complete e-mail that is sent by the SafeGuard MailGateway looks like:

@BEGIN _PDFencryptedEmail ISO-8859-15 This e-mail is secured by Sophos SafeGuard MailGateway with an encrypted PDF document. @END _PDFencryptedEmail

In this example we have marked everything that you can change in bold text:

@BEGIN CmdEncryptionNotAllowed ISO-8859-15 Subject command enforces encryption for , but this is not possible/allowed. @END CmdEncryptionNotAllowed

Below you can find out how to change the texts in error messages and e-mails: On the console, log on to the SafeGuard MailGateway as the root user, using the appropriate password. You must now enter a command so that the SafeGuard MailGateway generates a file that contains the error messages and e-mails. At the same time you can also specify where this file is to be saved and what it is to be called. In our example we want the file to be saved in the /tmp folder with the name messages.txt. • Now enter this command: generate_secure-mail-messages.sh /tmp/messages.txt • Run your file transfer software (for example, Winscp) and change to the /tmp folder.

186

In that folder you will find the messages.txt file that you have generated. Copy this file onto your admin PC and open it with Wordpad. To ensure that your SafeGuard MailGateway can also process this file again, you should only modify the file in Wordpad. The file also contains all the information you need to modify it (in English). Now you can use Wordpad to change all error messages, as shown in the example above. Then, you must save the file as message.txt again. • After changing or translating the texts, copy the file back to the folder from which you took it, /tmp. Now you must install the changed file. To do so, on the console, enter this command: install_secure-mail-messages.sh /tmp/messages.txt If you are using your SafeGuard MailGateway in a cluster you must install this changed file on all SafeGuard MailGateways in the cluster. If you have migrated your SafeGuard MailGateway, it may be that there are new error messages and e-mails that are sent to the user. If so, you must regenerate the file again. This newly generated file contains the translations that you created earlier. You will only need to translate the new error messages.

187

188

26 Customer Service If you have any questions about our products, please first contact your sales partner from whom you purchased the product. They are the people with the best knowledge of your specific situation. Sophos also provides general information about its products on the World Wide Web. Our maintenance contracts also provide you a solid framework of support if you have questions about our products. This includes access to regular update individual support either on site or by telephone. If you do not have a maintenance contract you can always use the expertise of our customer service for a fee. Any user of our products is welcome to take part in our training courses. We also offer services such as security consultation and implementation support. Do not hesitate to contact us if you are interested in our training courses or in our services. Please do not call our hotline until you have studied the system administrator manual and attempted to solve the problem yourself. Before you actually call the hotline, please make a few preparations. You require: • the version number of your gateway software • the current patch level • information about your network configuration We recommend to fill out the data sheet in the documentation folder on your installation CDROM when you install the software. This then means you have all the most important information at your fingertips if you require support. Our website lists contact addresses for all other countries. http://www.sophos.com

189

190

Glossary A "a.b.c.d" format

Format in which IP addresses are displayed or input.

"a.b.c.d/e" format

Format in which network addresses are displayed or input.

ASCII

ASCII (American Standard Code for Information Interchange). Character set table with country-specific modifications. Codes (32-127) include printable characters as they appear, for example, in e-mails. ASCII is a standardized character set used by computers and other communications equipment to display text. It is based on the Latin alphabet as used in modern English.

Asymmetrical encryption

Two different keys are used in asymmetrical encryption, unlike in symmetrical encryption. The sender encrypts the message using the recipient's public key. Only the recipient can use their private key to decrypt it. Asymmetrical encryption can also be used for digital signatures. The asymmetrical encryption processes is a vital element of a Public Key Infrastructure (PKI).

B Binary format

Binary format is a file format that cannot necessarily be viewed by all generally-available programs. It is not usually line-based and can contain all the characters in a character set, including the nonprintable control characters. These properties mean that binary formats always require special editors.

C CDP (CRL point)

distribution

If a user certificate has the X.509 extension for the CRL distribution point (CDP) the SafeGuard MailGateway can evaluate this automatically to find the block status. The prerequisite for this is that the CDP must be unique i.e. all URLs should refer to one and the same CRL.

Central e-mail security

Means that all e-mails can be encrypted and also decrypted at one central location. Central e-mail security can be implemented completely independently of e-mail client type.

Certificate

A certificate consists of a public key, an "identity" and a signature from a Certificate Authority. The Certificate Authority certi-

191

fies that this public key belongs to the named identity. The user can be confident that only this identity is in possession of the associated private key. The "identity" can be the unique description of a person, a computer or an e-mail address. Certificate Authority

A Certificate Authority (CA) issues certificates for users or subordinate CAs (sub-CAs). These certificates are signed by the CA's private key. The CA's public key is used to check the genuineness of these certificates. The CA can revoke a certificate's validity before its expiration date. This is published in a Certificate Revocation List (CRL) or be queried online via OCSP.

Certificate Policy

A note that describes, or refers to, certification guidelines.

Certificate List

A list of certificates, signed and issued by a Certificate Authority, which have been declared invalid by the CA before they actually expire. Each CA can only revoke those certificates it issued itself.

Revocation

Client

A system that makes use of a service provided by another system (a server).

CN

Abbreviation of Common Name.

Common Name

The "usual" name of a certificate's owner (person or machine). As a common name is not unique, it can be extended to become a unique Distinguished Name.

CPS

Certificate Practice Statement (CPS). This is a set of guidelines that govern how certificates are created.

CRL

Certificate Revocation List.

CryptoServer

A hardware security module produced by Sophos.

D DER

DER is a binary format used to exchange certificates without private keys. It is an alternative to PEM.

Designated Revoker

Higher-level revocation key that can revoke keys issued by your e-mail CA. This functionality is only used for OpenPGP.

Digital Signature

The asymmetrical encryption process is used for digital signatures. A document only ever be signed by the private key's owner. The public key can then be used to verify this signature.

Distinguished Name

Distinguished Name (DN) is a naming convention used worldwide to assign unique names to persons and equipment. This naming should ensure that different people are never issued with

192

certificates of the same name. All PKI participants require this unique name. Distinguished Names are defined in the ISO/ITU X.500 standard. DNS

The Domain Name Service (DNS) is a service that converts host names into IP addresses and back again. In the DNS, names are arranged hierarchically in DNS domains.

DNS cluster

A server cluster made up of DNS servers.

DNS domain

A DNS domain is a group that contains additional DNS domains and host names or IP addresses.

DNS server

The Domain Name Service (DNS) converts host names into IP addresses (forward resolution) or IP addresses into host names (reverse resolution). Each DNS server can resolve particular domains and/or particular IP networks. Redundant DNS servers can be installed.

E E-mail CA

The e-mail CA is a Certificate Authority that is installed on your SafeGuard MailGateway. It can automatically create certificates for internal users in accordance with the security guidelines set out by the administrator. As a result these certificates no longer have to be created manually by an external PKI.

ESMTP

An extended version of the Simple Mail Transport Protocol (SMTP).

ESMTP proxy

In the SafeGuard MailGateway, the ESMTP Proxy is responsible for accepting e-mails from the internal and external e-mail server.

European Bridge CA

An association of European companies that work together for the mutual recognition of their PKIs.

External users

An external user is a communications partner with whom you (i.e. your internal users) want to communicate via the SafeGuard MailGateway. If your SafeGuard MailGateway owns a public key for an external user, the SafeGuard MailGateway can encrypt outgoing e-mails for them and check the signature of incoming e-mails.

F Fingerprint

Cryptographic checksum of a key, calculated using a hash function. Each key has its own individual fingerprint. It is a random character string that occurs only once and uniquely identifies a key. This digital fingerprint is comparable to a human fingerprint.

193

Firewall

A firewall is a system that separates two or more IP networks from each other and, unlike a router, only allows checked, i.e. secure, communication between these networks.

FTP

The File Transfer Protocol (FTP) is used for the unprotected (insecure) exchange of files between computers via a network connection. A secure alternative is Secure Copy (SCP).

G GMT

Greenwich Mean time (GMT) - winter time in Greenwich, London, UK. All the world's time zones are based on GMT. The hardware clock on the SafeGuard MailGateway is set to GMT.

H Hardware security module

A hardware security module (HSM) is a device which carries out cryptographic functions, in a secure environment, by means of hardware implementation. This type of module can be installed in a server (for example, a SafeGuard MailGateway), to provide added protection for especially sensitive data (private keys). The CryptoServer by Sophos is a hardware security module.

HKP

The "Horowitz Key Protocol", or HKP, named after Marc Horowitz who programmed and implemented the very first key server.

Host name

Every computer in an IP network is uniquely identified by its IP address. However, because most people prefer not to work with large numbers, computers usually have one or more host names. These names are easier to remember and can be converted into IP addresses by the DNS.

HTTP/HTTPS

The Hypertext Transport Protocol (HTTP) is used to transfer web pages and other contents. HTTPS is a protected variant of HTTP (protected by SSL).

I Internal user

Your internal users communicate with your communications partners (i.e. with external users) via your SafeGuard MailGateway. If your SafeGuard MailGateway owns a private key for your internal users, the SafeGuard MailGateway can sign their outgoing e-mails and decrypt their incoming e-mails.

IP address

Every computer in a TCP/IP network has at least one IP address. The IP address (IP Version 4) is a 32 bit number that uniquely specifies each individual computer. IP addresses are displayed

194

split into 4 bytes, where each byte is shown as a decimal number. Individual bytes are separated by a period. Example: 192.168.1.1

K Key Encryption Key

A (symmetrical) key used to encrypt and therefore protect other secret or private keys. This procedure is used if you implement CryptoServer as your hardware security module.

Key ID

The key ID is a short (8-digit) hexadecimal number which must be stored on every OpenPGP key. One OpenPGP key can have several key IDs. The last figures of the fingerprint are often used as the key ID.

L LDAP

The Lightweight Directory Access Protocol (LDAP) is a standardized interface for folders (hierarchical databases). This type of folder is used by PKIs to publish the certificates and revocation lists from Certificate Authorities.

Log

You can note all the important events on your SafeGuard MailGateway in the log. In web management you can define how detailed and therefore how big the log is to be.

log2ascii

A program used to convert the SafeGuard MailGateway logs from their internal binary format into a readable ASCII format. It also has a wide range of setting options that allow you to define how log entries are to be displayed.

M Mail Server

An e-mail server is a computer whose task is to organize the distribution of e-mails from one central point.

MIME

Multipurpose Internet Mail Extensions or Multimedia Internet Message Extensions, MIME for short, is a coding standard that defines the structure of e-mails and other Internet messages. MIME is also used to declare the contents of various Internet protocols, for example in HTTP.

MTA

The MTA (Mail Transfer Agent) uses DNS to specify the e-mail server for each e-mail recipient.

Multi-domain ability

You can use Sophos' SafeGuard MailGateway to administer a number of domains or sub-domains. To do so, the SafeGuard MailGateway supports more than one e-mail server.

195

N Network address

An IP network consists of a series of computers that are all connected with each other. The first part of the IP address is the same for every computer and refers to the network. The second part is unique to each computer. This can be compared to people who all live in the same street. They all have the same street name in their address. However, they each have a different house number. The neighborhood is described by the street name. An IP network's address consists of the part that is the same for all IP addresses. The second part is set to 0. To make this clear, the number of bits that is the same for all the computers is attached specifically to the address with a "/". For example the network address of computers with the IP addresses 192.168.1.0 to 192.168.1.255 is 192.168.1.0/24. The Internet has, in its entirety, the network address 0.0.0.0/0 because every address can be used in the Internet.

Network Time Protocol

The Network Time Protocol (NTP) allows a client to synchronize their system clock with the exact time used on a server. The SafeGuard MailGateway can run as an NTP client, because it needs accurate timekeeping to check digital signatures.

NTP

The free NTP (Network Time Protocol) software package is an implementation of the TCP/IP protocol of the same name that is used to synchronize devices in a network.

O OCSP

The Online Certificate Status Protocol (OCSP) allows you to query the validity of a certificate online from the PKI responsible for it, if this PKI offers this service. OCSP is therefore an alternative to checking using a Certificate Revocation List. Sophos' SafeGuard MailGateway supports OCSP.

OID (Object Identifier)

The Object Identifier gives digital objects unique and permanent identification.

OpenPGP

OpenPGP is an encryption software standard based on PGP 5.x. OpenPGP is an Internet standard and defined in RFC 2440. This document describes the data format that must be used to store encrypted information and to generate digital signatures. It also defines the format that must be used for keys (actual certificates).

OpenSSL

OpenSSL is an open source version of the SSL/TLS protocol which provides a range of additional certificate administration functions and various different cryptographic functions. It is based on the SSLeay package originally created by Eric A.

196

Young and Tim Hudson and currently being further developed by an independent group. OpenSSL includes various applications, for example, for generating certificates, for certificate applications and for encryption. These applications are combined to form the command line program "openssl".

P Pattern

In information technology "patterns" are used for the variable description of character strings.

PDFMail

PDFMail is a solution developed by Sophos to provide external communications partners with an easy way to exchange encrypted e-mails. The procedure is based on the PDF file format.

PEM

Privacy Enhanced Mail is an obsolete standard for protected messages. Nowadays, part of this standard is still used for storing certificates with or without a private key. It is therefore an ASCII alternative to binary formats such as PKCS#12 or DER. In Microsoft environments PEM is also called "Base 64".

PGP

Pretty Good Privacy is a procedure used to protect messages and documents. There are numerous free and commercial implementations of this procedure. OpenPGP is a public and formal standard for PGP.

PKCS#12

PKCS#12 is a format used to exchange certificates and private keys. It is an alternative to PEM. Unlike PEM and DER, PKCS#12 can be protected by a password.

PKI

A Public Key Infrastructure (PKI) is the entire system used to implement and administer certificates and private keys. The components of a PKI include: • Certificate Authorities • Directory services (for example, LDAP) • OCSP services

Port

In order to clearly identify the TCP and UDP connections between two computers, a port number is assigned to both the sender and recipient computers in addition to their IP addresses. This is a number between 0 and 65535.

Postfix

The Postfix service is responsible for sending processed e-mails in the SafeGuard MailGateway. It sends e-mails both within the organization and outside it.

197

Postmaster key

The Postmaster key is a special OpenPGP key used on the SafeGuard MailGateway. It has two tasks: To sign OpenPGP keys, created by SafeGuard MailGateway for internal users. OpenPGP keys from external users and the "Postmaster key" from external OpenPGP servers are signed with the local Postmaster key to mark them as valid. If, in OpenPGP, a Postmaster key is used only to sign other keys, a hierarchical trust structure is created, like the one used in S/ MIME. In this situation the Postmaster key functions in the same way as a root CA (S/MIME) and represents the starting point of trust.

Primary address

At least one IP address must be assigned to each network connection. The first assigned IP address is the standard IP address which is therefore called the primary IP address to differentiate it from alias IP addresses.

PrivateCrypto

A software product by Sophos that groups files and directories in an archive that is then encrypted or decompressed and decrypted. This archive is then symmetrically encrypted. The symmetrical key is generated from a password.

Private key

A private key is used in asymmetrical encryption. Unlike the public key, only its owner knows what it is. He uses it to communicate with other people who know their public key. Do not confuse a private key with the secret key that is used in symmetrical encryption.

Proxy

Communications from a client pass through a proxy server before they reach the actual server. A proxy can carry out a range of tasks. These include transferring, converting, buffering and checking communications.

Public key

A public key is used in asymmetrical encryption. In contrast to a private key, this is publicly known and is used to communicate with the owner of the private key.

Public key procedure

An asymmetrical procedure used to encrypt a pair of keys (private key/public key).

R Role-based tion

198

administra-

A SafeGuard MailGateway administrator can have one or more roles assigned to them. These roles have fixed functions that cannot be changed. This means administration tasks can be assigned to several people who each have different roles.

root

"root" is the login name for the administrator in a UNIX system. It corresponds to the "Administrator" in Windows systems.

Root CA

A root CA is a Certificate Authority (CA) that is not subordinate to any other CA. It represents the root of a chain of CAs and therefore the starting point in the chain of trust. For this reason the public certificate of a root CA is signed by its own private key and not by a higher-level CA. In this respect even a signature cannot confer trustworthiness on a root CA. You must always trust a root CA directly.

Router/Routing

Routers are devices with two or more network connections. They connect IP networks. Before a computer (for example, your SafeGuard MailGateway) can access computers in other IP networks, it must know which router to use to send its data.

Runlevel

The SafeGuard MailGateway can run in various modes. These are called run levels (operating states).

S S/MIME

"Secure" MIME is an extension of the MIME standard and permits a MIME object (message or file) to be given a digital signature, or to be encrypted. S/MIME uses X.509 certificates for asymmetrical encryption.

SCP

Secure Copy (SCP) is a part of SSH. Secure Copy, unlike FTP, enables the protected (i.e. encrypted and authenticated) transfer of files over a network.

SCSI

The Small Computer Standard Interface (SCSI) is a standard that is used to connect hard disks, tape drives and other devices to a computer.

Secret key

The symmetrical encryption process uses a secret key to encrypt and then decrypt messages. Both the sender and recipient must know the secret key. But no one else is permitted to know it. Do not confuse this expression with the private key that is used in asymmetrical encryption (PKI).

Secure E-mail

In the SafeGuard MailGateway the Secure E-mail service is responsible for the cryptographic processing (signing, verifying, encrypting and decrypting) of e-mails.

Server

A server is a computer that provides a service to another computer (client).

199

Server cluster

A server cluster consists of a group of servers that have the same configuration. They can share the work and take over if one of them fails. Compared to a single server, a server cluster provides higher performance and greater reliability.

Simple Mail Protocol

Transport

The Simple Mail Transport Protocol (SMTP) transfers e-mails from a client to a server or from one server to another. SMTP has no in-built security. Security must be provided by other procedures (for example, OpenPGP, S/MIME, SSL).

SMTP

Abbreviation of Simple Mail Transport Protocol.

SMTP relay server

An SMTP proxy.

SSH

Secure Shell or SSH is both a program and a network protocol which is used, for example, to log in to a remote computer over the Internet and run programs on it. SSH was developed in 1995 by Tatu Ylönen. It permits a secure authenticated and encrypted connection between two computers via an insecure network. It can be used to authenticate SSH passwords and asymmetrical keys. Other information can also be transferred via the SSH protocol. For example, Secure Copy (SCP) is one way in which you can transfer files via an SSH connection.

SSL

Secure Socket Layer (SSL) is a standard used to secure (encrypt and authenticate) a generic TCP network connection. It uses X.509 certificates for asymmetrical encryption.

Sub CA

A sub CA is a Certificate Authority that is subordinate to another CA. Its certificate is signed by it. The validity of a sub CA can be checked automatically by means of its subordinate CA.

Subject line control

Subject line control, which can be used from every e-mail client, is a means of overriding the SafeGuard MailGateway's central set of rules. The person sending an e-mail can enter a command in curly brackets in the subject line. This command is then evaluated by the SafeGuard MailGateway. The user can decide whether the command is to stand at start or at the end of the subject line.

Symmetrical encryption

In the case of symmetrical encryption, in contrast to asymmetrical encryption, only one key is used: the secret key. With this secret key, you can encrypt a message and then decrypt it again. You should not confuse the secret key with the private key: that is used for asymmetrical encryption.

200

Symmetrical encryption is less flexible than asymmetrical encryption. However, as it is very quick and very secure, it is often used in combination with asymmetrical encryption.

T TCP

The Transmission Control Protocol (TCP) is an agreement (protocol) about how data should be exchanged between computers. All computers involved in data exchange know this agreement and comply with it. This makes it a reliable, connection-oriented transport protocol in computer networks. It is part of the TCP/IP protocol family. TCP was developed by Robert E. Kahn and Vinton G. Cerf. Their research work, which they began in 1973, lasted several years. For this reason the first standardization of TCP did not occur until 1981, as RFC 793. TCP creates a virtual channel between two end points on a network connection (sockets). Data can be transferred in both directions on this channel. Usually TCP is based on the IP (Internet protocol). It is located in layer 4 of the OSI reference model.

U UID

A UID is the user ID of an OpenPGP key in which information about the user and also his e-mail address are usually stored.

URL

A Universal Resource Locator (URL) identifies a piece of information in the world wide web, in an LDAP Directory, or in another source of information.

User management

The SafeGuard MailGateway assigns one or more S/MIME certificates or OpenPGP keys to each e-mail user. These S/MIME certificates or OpenPGP keys are administered in the user management both for internal users and external users.

UTC

Universal Time Coordinated (UTC) is another name for GMT.

V Verification

During verification, the signature of the sender is checked with the public certificate/key.

W Web administrator

The web administrator can use the web management system to administer the SafeGuard MailGateway. The web administrator

201

has his own login name and password. He also needs an SSL certificate in order to create a protected https connection to the SafeGuard MailGateway. The web administrator does not need to be the same as "root". Web of Trust

In cryptography, a "Web of Trust" is the idea behind ensuring the genuineness of digital keys (for OpenPGP) via a network of mutual confirmations (signatures). It is a decentral alternative to the hierarchical trust structure used in S/MIME.

Web management

The web management system is a web-based interface to your SafeGuard MailGateway. You can use it to administer and configure your SafeGuard MailGateway.

Wildcards

Wildcard is a technical term used in computing, which means a placeholder for other characters. Many command line interpreters allow the use of such placeholders, for example to enable groups of files or files with forgotten names to be addressed. Text editors can also handle placeholders of this kind, which are used to make it easier to find strings in text. Wildcards can be used in patterns.

X X.509

202

X.509 is a standard for the structure and contents of a certificate.