AppSuite:OX Guard Upgrade 2 10
Upgrading OX Guard to 2.10 from 2.6/2.8
Introduction
With OX Guard 2.10.0 the experience for external recipients has changed significantly. Pre 2.10, there was a guest reader HTML package that allowed recipients to decrypt and reply to PGP emails. This has now changed. External recipients now have an Appsuite Guest account created, similar to a file share, with an pseudo inbox that lists all of the encrypted emails sent to them. The recipient will still be able to reply to emails sent to them, but will not be able to create new emails.
Bringing external users into Appsuite presents additional upsell opportunity as well as advertising options.
Changes
This section covers the changes introduced with OX Guard 2.10.0.
Guest Users
All Guest users must have guard capability in order to read encrypted emails. To do this, the following configuration file /opt/open-xchange/etc/share.properties
needs to be modified.
Assuming the guestCapabilityMode is set to static, please add guard to the staticGuestCapabilities
com.openexchange.share.guestCapabilityMode=static com.openexchange.share.staticGuestCapabilities=guard
Also, make sure that the guest sessions are not treated as transient
com.openexchange.share.transientSessions=false
WebKey Service
Optional WebKey server was added in 2.10. This allows external users to look up the public PGP keys of Guard users as described here. To enable this ability, an additional ProxyPass needs to be added to the proxy_http.conf file
ProxyPass /.well-known/openpgpkey/hu balancer://oxguard/hu
Reader Package
The package com.openexchange.guard.reader is no longer required, but recommended for those upgrading from an earlier version. The package no longer contains a full guest reader, rather it redirects old Guard guest share links to the new appsuite guest. This package will be required for as long as old guest emails should remain functional.
Configuration Changes
Guest Configuration
Encrypted emails sent to external recipients was previously cached for a period of time, defaulting to 90 days. After this time, the reader would not function unless the user uploaded the attachment sent with their emails.
This has changed in 2.10. Now, a Guest user has a virtual inbox, listing the encrypted emails sent to them. A new configuration setting has been added
com.openexchange.guard.guestCleanedAfterDaysOfInactivity=365
This configuration cleans up a Guest account after the configured number of days if the user has not logged in. All emails for the guest account will be purged, and the Guest accounts removed from appsuite. A setting of 0 disables the cleaning completely.
Trust Levels
Some PGP Public keys can be trusted more than others. Guard now displays if the key is trusted or not by changing the color of the key next to a recipients email address, and provides details if the user hovers over the key. The trust level can be configured in the guard-core.properties file
com.openexchange.guard.keySources.trustThreshold=4 # The trust level for keys created by OX Guard com.openexchange.guard.keySources.trustLevelGuard=5 # The trust level for keys uploaded by a user com.openexchange.guard.keySources.trustLevelGuardUserUploaded=4 # The trust level for keys uploaded by a user and shared among users in the same context com.openexchange.guard.keySources.trustLevelGuardUserShared=3 # The trust level for keys fetched from public HKP servers com.openexchange.guard.keySources.trustLevelHKPPublicServer=1 # The trust level for keys fetched from HKP servers marked as trusted com.openexchange.guard.keySources.trustLevelHKPTrustedServer=5 # The trust level for keys fetched from HKP servers queried via SRV DNS record com.openexchange.guard.keySources.trustLevelHKPSRVServer=4 # The trust level for keys fetched from HKP servers queried via DNSSEC protected SRV DNS record com.openexchange.guard.keySources.trustLevelHKPSRVDNSSECServer=4
Guest PIN
The option of adding an additional 4 digit pin to new Guest emails was completely re-written in 2.10. The prior config-cascade value of com.openexchange.capability.guard-pin is now used to specify at the user/context level if the PIN should be offered.
A new configuration com.openexchange.guard.pinEnabled was added to guard-core.properties file. This enabled the actual service. Please be sure to set to true if you want a PIN checked for new Guests.
Both of these need to be set to true for the PIN service to function properly