
Totemo Mail KeyServer Query




Table of Contents
  1. About Totemo Keyserver
  2. Getting Started
  3. Usage
  4. Roadmap
  5. License
  6. Contact


About Totemo Keyserver

This script lets users query the encryption keys (S/MIME certificates and PGP public keys) of internal totemomail users (https://www.totemo.com/en/products/email-encryption). The main goal is to give third parties a way to send encrypted email to internal users, so that the communication channel is protected from the very first exchange, before any key has been shared in-band.

totemomail itself offers this function, but it requires the requester to enter their own email address as well as the recipient's, and it delivers the public key by email. That makes it awkward to use, for example as a link in an email signature.

The script/package spins up a web server with a web interface for querying public keys. It also obtains TLS certificates automatically from Let's Encrypt.

(back to top)

Getting Started


To install the package, download the repository to a server on which docker and docker-compose are installed. Inbound traffic on ports 80 and 443 from the internet must be allowed: port 80 is used for the Let's Encrypt HTTP-01 challenge, port 443 serves the web interface.

You also need an A record for the desired FQDN of the totemo-keyserver that resolves to the public IP address of the server; Let's Encrypt validates the name by connecting to that address.



Prerequisites

  • DNS record
  • Firewall rules / NAT
  • totemomail API enabled
  • Username and password for the API user

For security purposes, restrict the API user in totemomail's RBAC model so that it can only do what the script needs: manage user certificates, and nothing else. The credentials sit in plaintext in creds.env on an internet-facing host, so a leak of that file should expose no more than that one permission.

See the screenshot for the necessary permissions:

(Screenshot: RBAC permissions of the API user in totemomail)


Installation

To install the script, edit the environment variables in the docker-compose file of the package; the values to fill in are marked tbd (set SERVER_NAME to your own FQDN as well). The NGINX server configuration is generated from the SERVER_NAME variable, so docker-compose.yaml is the only config file you need to edit.

version: "3.7"

services:
  flask:
    build: ./flask
    container_name: flask
    restart: unless-stopped
    env_file:
      - ./creds.env   # API credentials, kept out of git (see below)

    ports:
      # Bind to localhost only. nginx reaches the app over the compose network
      # as flask:8080, so nothing but the TLS front end needs to see it; a plain
      # 8080:8080 would publish the unencrypted app to the internet, bypassing
      # the host firewall rule that only opens 80 and 443.
      - 127.0.0.1:8080:8080

  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    environment:
      - CERTBOT_EMAIL=tbd
      - STAGING=0 # 1 = Let's Encrypt staging CA (for testing), 0 = production CA (rate-limited)
      - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx/user_conf.d/ # More information: https://hub.docker.com/_/nginx
      - SERVER_NAME=keyserver.eizi.at

    ports:
      - 443:443
      - 80:80

    volumes:
      - nginx_secrets:/etc/letsencrypt
      - type: bind
        source: ./nginx/nginx.conf.template
        target: /etc/nginx/templates/nginx.conf.template

volumes:
  nginx_secrets:   # named volume for the Let's Encrypt account key and certificates; must be declared or compose refuses to start

You also need to create a file called creds.env in the same directory as docker-compose.yaml. It is a separate file, listed in .gitignore so that it is not committed to GitHub. Restrict it to its owner (chmod 600 creds.env), since it holds the API user's password in plaintext.

TOTEMO_USERNAME=tbd
TOTEMO_PASSWORD=tbd
TOTEMO_BASEURL=tbd
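The following is an added example for this README, not code from the totemo-keyserver package: a startup check that reads creds.env, refuses to run while any value is still tbd, insists that TOTEMO_BASEURL is an https:// URL (the API password travels with every request) and rejects a creds.env that other users on the host can read. It assumes only the three variable names above; the sample file contents are constructed and the values fictitious.

```python
"""Validate creds.env before starting the key-server front end.

Added example for this README; it is not code from the totemo-keyserver
package. It assumes only the three variable names used in creds.env
(TOTEMO_USERNAME, TOTEMO_PASSWORD, TOTEMO_BASEURL) and says nothing about
the totemomail API itself.
"""
import os
from urllib.parse import urlsplit

REQUIRED = ("TOTEMO_USERNAME", "TOTEMO_PASSWORD", "TOTEMO_BASEURL")
# Values the README ships as stand-ins; starting with one of these in place
# would send a bogus login to the Totemo API on every request.
PLACEHOLDERS = {"", "tbd", "changeme"}

# Constructed sample in docker-compose env_file syntax; the values are fictitious.
SAMPLE_CREDS_ENV = """\
# creds.env (constructed example)
TOTEMO_USERNAME=keyserver-api
TOTEMO_PASSWORD=correct-horse-battery-staple
TOTEMO_BASEURL=https://mail.example.com
"""


class ConfigError(ValueError):
    """creds.env is missing a key, still holds a placeholder, or is unsafe."""


def parse_env_file(text: str) -> dict:
    """Parse KEY=VALUE lines the way docker-compose env_file does: one pair per
    line, no shell quoting or expansion, lines starting with '#' are comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ConfigError(f"malformed line in creds.env: {raw!r}")
        values[key.strip()] = value.strip()
    return values


def validate_config(values: dict) -> dict:
    """Fail closed: every required key present, no placeholder left, and the
    base URL an absolute https:// URL (the API password rides on every request)."""
    missing = [k for k in REQUIRED if k not in values]
    if missing:
        raise ConfigError("missing in creds.env: " + ", ".join(missing))
    for key in REQUIRED:
        if values[key].strip().lower() in PLACEHOLDERS:
            raise ConfigError(f"{key} is still a placeholder")
    url = urlsplit(values["TOTEMO_BASEURL"])
    if url.scheme != "https" or not url.netloc:
        raise ConfigError("TOTEMO_BASEURL must be an absolute https:// URL")
    return {k: values[k].strip() for k in REQUIRED}


def mode_is_private(mode: int) -> bool:
    """True when a file mode grants nothing to group or others (e.g. 0o600)."""
    return (mode & 0o077) == 0


def check_permissions(path: str) -> None:
    """Refuse a creds.env that group or world can read; chmod 600 is expected."""
    mode = os.stat(path).st_mode & 0o777
    if not mode_is_private(mode):
        raise ConfigError(f"{path} is mode {mode:o}; expected 600")


def load_config(path: str = "creds.env") -> dict:
    """Read, permission-check and validate the file the way a startup hook would."""
    check_permissions(path)
    with open(path, encoding="utf-8") as fh:
        return validate_config(parse_env_file(fh.read()))


if __name__ == "__main__":
    # Demo on the constructed sample; a real deployment would call load_config().
    cfg = validate_config(parse_env_file(SAMPLE_CREDS_ENV))
    print({k: ("***" if k == "TOTEMO_PASSWORD" else v) for k, v in cfg.items()})
```

Calling load_config() from the Flask app's startup path turns a forgotten tbd or a world-readable creds.env into a refusal to start rather than a silently broken or leaky key server; the https check matters because nothing in the compose file otherwise prevents TOTEMO_BASEURL from pointing at plain HTTP.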

(back to top)

Usage

(back to top)

Roadmap

  • Add Readme
  • Add possibility to specify email in URL to query - makes it easier for one click email signatures

See the open issues for a full list of proposed features (and known issues).

(back to top)

License

Distributed under the MIT License. See LICENSE.txt for more information.

(back to top)

Contact

Max Eizenberger - max.eizenberger@nts.eu

(back to top)