• For administrators
  • Set up SalaX Secure Mail

Install Sec@GW

Install operating system

  • Hardware requirements: the minimum recommended virtual hardware is 4 CPU cores (2GHz), 8 GB RAM, and 146 GB HDD.

  • Supported OS versions: EL9.

  • Select minimal software packages.

  • Create /server partition that has appropriate amount of diskspace, most of data is saved on this partition.

Install the Sec@GW software

Create a pre-configuration

You must have certain configuration values at hand to create the pre-configuration. Copy and paste the below tables into, for example, a Notepad file and fill in the value data.

Table 1 Required values
VariableExplanation
<company>Full company name
<fqdn>The full name of the Sec@GW server machine which is usually in the form of secure.company.com
<instance>One string in lowercase letters (for example, customer)
<node_ip>Node IP address
<node_nmask>Netmask
<node_gw>Gateway
<node_interface>Node interface for node IP address (for example, ens3)
<smtp_gw_ip>IP address of mail servers (separated by comma) that are allowed to handle outgoing mail
<maildomains>Allowed mail domains separated by comma
<dns_server_ip>IP addresses for DNS service
<dns_server_ip2>IP addresses for DNS service
Table 2 Optional values
VariableExplanation
<new_dcenter_IP_address>IP address for Admin Center (D-Center) (different from the cluster)
<dcenter_netmask>CIDR Netmask (for example, 24)
<interface_adapter>Admin Center (D-Center) IP address adapter (for example, ens3)
<dcenter_port>Port number for Admin Center (D-Center) (for example, 443)

To get values from environment, run the following commands:

  • <node_nmask>, <nodeip> and <node_interface>:

    ifconfig

  • <node_gw>:

    route -n

  • <dns_server_ip> and <dns_server_ip2>:

    cat /etc/resolv.conf

    NOTE. If there is only one name server available, enter the same IP address for both ip1 and ip2.

Install the software

NOTE 1. The installation script changes the hostname. If you want to keep the same name, write it down so that you can change it back after installation.

NOTE 2. The installation script changes what processes start on server restart. If you need other services to start on, restart after installation.

  1. Update all packages:

    dnf update -y

  2. Check that correct packages are installed

    dnf install -y cronie-anacron apr apr-util attr audit aide audit-libs basesystem bash bc binutils bzip2 bzip2-devel bzip2-libs chkconfig coreutils cpio cpp cracklib cracklib-dicts crontabs dbus dbus-devel dbus-glib dbus-libs python3-dbus device-mapper device-mapper-multipath diffstat diffutils dmidecode dos2unix dosfstools e2fsprogs e2fsprogs-devel e2fsprogs-libs ed elfutils elfutils-libelf elfutils-libelf-devel elfutils-libs ethtool expat expat-devel file filesystem findutils fontconfig-devel gawk gcc glib2 glib2-devel glibc glibc-common glibc-devel glibc-headers gmp gmp-devel gnupg2 grep gzip hdparm info initscripts iproute iptables iputils irqbalance kbd kernel kernel-headers keyutils-libs keyutils-libs-devel kpartx krb5-devel krb5-libs krb5-workstation less libpng-devel logrotate lsof lvm2 mailcap make man-db man-pages mcstrans mdadm microcode_ctl kmod nano ncurses ncurses-devel net-tools nspr nspr-devel nss nss-devel openssh openssh-clients openssh-server openssl openssl-devel pam pam-devel passwd patch pcre perl-DBD-MySQL perl-devel perl-ExtUtils-MakeMaker perl-ExtUtils-ParseXS perl-Test-Harness policycoreutils popt postfix procps-ng psmisc python3 python3-iniparse python3-dateutil readline readline-devel redhat-logos redhat-rpm-config rootfiles rpm rpm-build rpm-devel rpm-libs python3-rpm rsync sed setup shadow-utils sqlite sqlite-devel sudo symlinks sysstat tar tcpdump telnet time tmpwatch traceroute tree tzdata systemd unzip usermode util-linux vim-common vim-minimal wget which yum zip zlib zlib-devel expect httpd mod_ssl mariadb perl postfix wget bind-utils gd gcc-c++ perl-libwww-perl libstdc++ fontconfig-devel libpng-devel liberation-serif-fonts selinux-policy selinux-policy-targeted setroubleshoot-server perl-XML-LibXML rng-tools lzop rsyslog-gnutls perl-JSON setools-console checkpolicy libgpg-error-devel perl-Module-Build python3-lxml gd-devel perl-Sys-Syslog mariadb-server mariadb-connector-c-devel mod_security libgcrypt libgcrypt-devel libsysfs libdb-devel libfontenc ttmkfdir xorg-x11-fonts-Type1 xorg-x11-fonts-75dpi ghostscript rsync-daemon qpdf-libs mariadb-server-utils lzo glibc-langpack-en glibc-langpack-fi glibc-langpack-sv glibc-langpack-nb glibc-langpack-da glibc-langpack-ru glibc-langpack-et glibc-langpack-lv glibc-langpack-lt glibc-langpack-de ipcalc libnsl2

  3. Install the SecAtGW-perl_modules and SecAtGW-cdrom RPM packages:

    • Create /etc/yum.repos.d/deltagon.repo with the following content:
    [deltagon]
name=Deltagon Update Repository
baseurl=https://updates.ssh.net/el9
enabled=0
gpgcheck=1
sslverify=1

[collabx]
name=Deltagon Update Repository
baseurl=https://updates.ssh.net/collabx
enabled=0
gpgcheck=1
sslverify=1
    • Install RPM packages:
    echo "195.20.116.133 updates.ssh.net" >> /etc/hosts
rpm --import https://updates.ssh.net/el9/SecAtGW.asc
dnf install -y --enablerepo=deltagon SecAtGW-perl_modules SecAtGW-cdrom

  4. Run the software installer script:

    cd /root/cdrom/; chmod 750 -R *; perl install.pl
    General Settings
=========================
Enter total number of nodes: 1
Enter node (1 or 2): 1
Enter company name: <company>
Enter FQDN: <fqdn>
Enter maildomains: <maildomains>
Enter Gateway IP: <node_gw>
Enter cluster ip: <node_ip>
Enter this server's node ip: <node_ip>
Enter this server's local ip: 127.0.0.1
Enter node netmask: <node_nmask>
Enter local netmask: 255.255.255.0
Enter primary DNS server IP: <dns_server_ip>
Enter secondary DNS server IP: <dns_server_ip2>
Enter SMTP gateway: <smtp_gw_ip>
Enter Master interface (ex. ens3:0 or eth0:0): <node_interface>
Enter node interface (ex. ens9 or eth1): lo
Enter master instance (ex. deltagon): <instance>
STIV instance(0 or 1): <0 if not installing TL IV environment>

Add xxx.xxx.xxx.xxx nftables for SSH? (Type yes to add xxx.xxx.xxx.xxx OR give IP-address OR press ENTER for nothing):

S/MIME & SSL Settings
=========================
Enter country code XX (ex. FI):
Enter state or providence (ex. Uusimaa):
Enter city:
Enter unit (ex IT):
Enter email: leave blank by pressing enter

Run system hardening y/n: y
Install CRM y/n: n
Enable IPv6 support y/n: n

  5. Before the first reboot, complete the following steps.

    • Check /etc/NetworkManager/system-connections/ that your configurations for network interface are correct.

    • If the server is running AWS Firewall, AWS tools need to be enabled, go through the following steps.

      Add following 2 lines to /etc/sysconfig/nftables.conf

      #AWS cloud processes
add rule filter OUTPUT ip daddr 169.254.169.254 tcp dport 80 meta skuid root ct state new accept

      Enable needed services for AWS

      systemctl enable cloud-config
systemctl enable cloud-final
systemctl enable cloud-init-local
systemctl enable cloud-init

    • If the server is running Azure Firewall, Azure tools need to be enabled, go through the following changes.

      Add following 2 lines to /etc/sysconfig/nftables.conf

      #Azure cloud processes
add rule filter OUTPUT ip daddr 168.63.129.16 tcp dport {80,443,32526} ct state new accept

      Enable needed services for Azure

      systemctl enable waagent
systemctl enable waagent-network-setup

  6. Reboot the server:

    reboot

  7. Create a new instance:

    /root/cdrom/install_instance.pl

    Step result:

    Do you want to reboot now (1 or 0): 1

  8. Run the following script after server has restarted to finish the installation.

    /root/cdrom/after_install.pl

    Step result:

    Do you want to reboot now (1 or 0): 1

  9. Check out the supplemental information section for more information on configuring amavisd and Admin Center (D-Center) IP address.

What's next?

After installing Sec@GW, you can move on to install Secure Mail.

Was this page helpful?