General Information

Introduction

Hermes Secure Email Gateway is a Free Open Source (Hermes SEG Community Only) Email Gateway that provides Spam, Virus and Malware protection, full in-transit and at-rest email encryption as well as email archiving.

Hermes Secure Email Gateway combines Open Source technologies such as Postfix, Apache SpamAssassin, ClamAV, Amavisd-new and CipherMail under one unified web-based GUI for easy administration and management of your organization's incoming and outgoing email.

It can be deployed to protect your in-house email solution as well as cloud email solutions such as Google Mail and Microsoft Office 365.

Getting Started

Access Hermes SEG Administrator Console

Using a browser, access the Hermes SEG Administrator Console at https://<IP_ADDRESS>/admin/ where <IP_ADDRESS> is the IP address of your server.

If you have recently rebooted your system, you may get a 500 Internal Server Error when attempting to access the Hermes SEG Administrator Console. This usually means that the Authentication Server has not initialized yet. This error usually goes away on its own. Wait a couple of minutes and try refreshing your browser again.

Login with the following default credentials

    Set Network Settings

    Set System Certificates

    Hermes SEG Community Version

    Hermes SEG Community Version will allow you to create Certificate Signing Requests to submit to 3rd party CAs and import certificates from 3rd party CAs.

    Hermes SEG Pro Version

    Hermes SEG Pro Version will allow you to create Certificate Signing Requests to submit to 3rd party CAs, import certificates from 3rd party CAs, and request Let's Encrypt (Acme) certificates.

    If you wish to import a 3rd party CA certificate, follow the Hermes SEG Community instructions above. If you wish to request a Let's Encrypt (Acme) certificate, follow the instructions below:

    Before requesting Acme certificates, ensure that BOTH TCP ports 80 and 443 are open to Hermes SEG from the Internet and that the domain you are requesting the certificate for points to the Internet-accessible IP address of your Hermes SEG machine. We recommend that you test using the Acme Staging server first to ensure the request works before attempting to use Acme Production, because Let's Encrypt is much more lenient with rate limits on failed requests in its staging environment than in its production environment.
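
A pre-flight check for the prerequisites above, added here as an illustrative example and not part of Hermes SEG. The host name and IP address are constructed placeholders, and the script is meant to be run from a machine outside your network so that it sees what the Internet sees.

```python
import socket

def resolve_ipv4(domain):
    """Return the set of IPv4 addresses the domain currently resolves to."""
    infos = socket.getaddrinfo(domain, None, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def port_open(ip, port, timeout=3.0):
    """True if a TCP connection succeeds; refused and filtered both count as closed."""
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def acme_preflight(domain, expected_ip, resolve=resolve_ipv4, probe=port_open):
    """Return a list of unmet prerequisites; an empty list means all checks passed."""
    try:
        addrs = resolve(domain)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"{domain} does not resolve: {exc}"]
    problems = []
    if expected_ip not in addrs:
        problems.append(f"{domain} resolves to {sorted(addrs)}, not {expected_ip}")
    elif len(addrs) > 1:
        # Extra A records mean a request for the name may land on another host.
        problems.append(f"{domain} also resolves to {sorted(addrs - {expected_ip})}")
    for port in (80, 443):  # BOTH ports must be open, as stated above
        if not probe(expected_ip, port):
            problems.append(f"TCP {port} is not reachable on {expected_ip}")
    return problems

if __name__ == "__main__":
    # Constructed placeholders: replace with your host name and public IP address.
    results = acme_preflight("hermes.example.com", "203.0.113.10")
    for line in results or ["all prerequisites met"]:
        print(line)
```

An empty result only confirms the DNS and port prerequisites; the Acme Staging request remains the real test.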

    Set Console Settings

    The Hermes SEG Console Settings set the method by which you access the Hermes SEG machine, which includes the Admin Console, User Console and the Ciphermail Console. By default, the Console Mode is set to IP Address; however, an IP address is not conducive to using SSL certificates. Therefore, if you plan to use an SSL certificate to access the Hermes SEG machine without getting certificate errors, you must set the Console Mode to Host Name. The Host Name you set does NOT necessarily have to be the same Host Name you set in Network Settings above. The Host Name and Primary Domain Name you set in the Network Settings are used for SMTP transactions such as SMTP TLS and are not related to Hermes SEG console access.

    If you changed the Console Mode from IP Address to Host Name, your browser will NOT automatically redirect you to the new console address after you click the Submit button. Enter the new address in your browser as https://<HOST_NAME>/admin/ where <HOST_NAME> is the new Host Name you set above.

    If you follow the above recommendations, you should be able to achieve an A+ rating on the Qualys SSL Labs SSL Server Test (Figure 12):

    Figure 12

    Set SMTP TLS Settings

    It's important to set SMTP TLS in order to transmit e-mail messages between your Hermes SEG machine and other e-mail servers using TLS encryption.

    Before you can set SMTP TLS, you must first have either imported or requested an SSL Certificate in the Set System Certificates section above for the Hostname and Primary Domain Name you set in the Set Network Settings section above.

    Change admin System Account Password

    Setup Domains

    In order for Hermes SEG to deliver email, you must first set the domain(s) that Hermes SEG will process email for along with their corresponding destination email server(s). You can add as many domains and destination email servers as required. An email server can be configured as an IP address or a Host Name as long as the Hermes SEG can reach it over the TCP port you set. Multiple domains can be pointed to the same email server if necessary.

    Add Internal Recipients

    If you have set up any domains in the Setup Domains section above with the Recipient Delivery field set to SPECIFIED, then you MUST add either Internal Recipients or Virtual Recipients in order to process incoming e-mail and relay that email to the correct recipient mailboxes, which are located on the destination email server(s) for the domain(s) you set up in the Setup Domains section above. This section will guide you through adding Internal Recipients.

    In the Add Internal Recipient(s) page, in the Recipient(s) field, enter each e-mail address on its own line, select the appropriate options in the SVF Policy to Assign, Quarantine Reports, Quarantine Report Frequency, Train Bayes Filter from User Portal, Download Messages from User Portal, PDF encryption, S/MIME Encryption, S/MIME SIGNATURE and PGP Encryption drop-downs, and click the Submit button (Figure 20):

    Figure 20

    Set Postmaster, Admin E-mail Address and TimeZone

    Set Relay Networks

    In addition to inbound email, if the email server(s) you added will also be sending outbound email through the Hermes SEG (recommended), you must allow their IP address(es) to send (relay) email through the Hermes SEG.

    Initialize Pyzor

    Pyzor is a collaborative, networked system to detect and block spam using digests of messages. Vipul's Razor is a distributed, collaborative, spam detection and filtering network.

    Hermes SEG uses both of these components for better spam detection. Both of these components must be initialized before Hermes SEG can use them.

    Initialize Vipul's Razor

    Before attempting to initialize Vipul's Razor, ensure the Hermes SEG has outbound Internet access. Initialization can take a few minutes to complete, so please be patient.

    Clear Bayes Database

    The Bayes Database tries to identify spam by looking at what are called tokens; words or short character sequences that are commonly found in spam or ham.

    On a new Hermes SEG installation, it's always best to ensure a clean Bayes Database before you start processing email.

    Set Encryption Settings

    Change the Ciphermail admin Account Password

    Recommendations

    Register for Barracuda Central Account

    Hermes SEG comes pre-configured to use the Barracuda RBL (Realtime Block List), however you must first register for an account and provide your DNS Server IPs at Barracuda Central before you will be allowed to use it.

    Upgrade and Migrate Hermes SEG 18.04 to 20.04

    Introduction

    Hermes SEG version 18.04 is based on Ubuntu Server 18.04 LTS (Bionic Beaver). On May 31, 2023, Ubuntu will reach the end of the standard five year maintenance window for Long Term Support (LTS) for 18.04 which means there will be no more bug fixes or security patches unless you opt to upgrade to Ubuntu Pro which will extend support to 2028 or upgrade your Ubuntu installation to a higher version. Consequently, Hermes SEG is no longer supported on Ubuntu 18.04 LTS.

    Fortunately, if you have an existing Hermes SEG installation on Ubuntu 18.04 LTS, you can perform a release upgrade to Ubuntu Server 20.04 LTS (Focal Fossa) which will extend the standard maintenance window to May 31, 2028. 

    Ensure that you have a recent and valid backup of your Hermes SEG installation before attempting any of the steps below. These instructions are offered with absolutely no warranty or guarantee of any kind. We cannot be held liable for any damage that may occur to your system by following the instructions below!

    Install the latest updates and patches on Ubuntu Server 18.04 LTS

    sudo su
    apt-get update && apt-get dist-upgrade -y && apt-get auto-remove -y

    Perform a release upgrade of Ubuntu Server 18.04 LTS to Ubuntu Server 20.04 LTS

    do-release-upgrade
    Third party sources disabled
    
    Some third party entries in your sources.list were disabled. You can
    re-enable them after the upgrade with the 'software-properties' tool
    or your package manager.
    
    To continue please press [ENTER]
    
    Do you want to start the upgrade?
    
    
    18 installed packages are no longer supported by Canonical. You can
    still get support from the community.
    
    20 packages are going to be removed. 190 new packages are going to be
    installed. 752 packages are going to be upgraded.
    
    You have to download a total of 616 M. This download will take about
    2 minutes with your connection.
    
    Installing the upgrade can take several hours. Once the download has
    finished, the process cannot be canceled.
    
     Continue [yN]  Details [d]
    

    Run the Hermes SEG Migrate 18.04 to 20.04 Script

    During the release upgrade, several obsolete packages are removed including packages that Hermes SEG requires to operate correctly. You must run the Hermes SEG Migrate 18.04 to 20.04 script in order to install newer versions of those packages and migrate the necessary settings.

    rm -rf Hermes-Secure-Email-Gateway/
    git clone https://github.com/deeztek/Hermes-Secure-Email-Gateway.git
    cd Hermes-Secure-Email-Gateway/
    chmod +x hermes_migrate_1804_2004.sh
    ./hermes_migrate_1804_2004.sh

    Hermes SEG Pro installations will display an INVALID license after the release upgrade due to a mismatch in the device ID. Please send your serial number to support@deeztek.com and we can help you re-activate it.

    Issues

    If you run into any issues with the upgrade, you can post your question on our Github Issues page or our Matrix Community Chat channel.


    Requirements and Recommendations

    1. junk@office365.microsoft.com
    2. phish@office365.microsoft.com
    3. not_junk@office365.microsoft.com

    and redirect them to e-mail address(es) of your choice so that you can take action.

    More information on this topic can be found in the article below:

    Take Action on E-mail Based on Headers in Hermes SEG



    OVA/Hyper-V Appliance URL and Default Credentials

    The following URL and default credentials are provided for reference, backup, restore and migration operations of the OVA/Hyper-V appliance. It's highly recommended that the default credentials are changed on the OVA/Hyper-V appliances.

     

    MySQL Root

    MySQL Hermes Database

    MySQL Ciphermail/Djigzo Database

    MySQL Syslog Database

    MySQL Opendmarc Database

    Lucee Server and Web Administrator

    The Lucee Server and Web Administrator should NOT be accessible from the Internet

    Hermes SEG Administration Console

    Djigzo/Ciphermail Web GUI

    Hermes SEG E-mail Flow

    Incoming Normal Mail Flow

    Postfix TCP/25 --> SPF --> DKIM(Milter) TCP/8891 --> (Reinject)Postfix TCP/10026 --> DMARC TCP/54321 --> Amavis TCP/10021 --> James SMTP(Ciphermail) TCP/10025 --> (Reinject)Postfix TCP/10027 --> Postfix TCP/25 --> Destination

    Incoming Bypassed Sender Mail Flow

    Postfix TCP/25 --> SPF --> DKIM(Milter) TCP/8891 --> (Reinject)Postfix TCP/10026 --> DMARC TCP/54321 --> Amavis TCP/10030 --> James SMTP(Ciphermail) TCP/10025 --> (Reinject)Postfix TCP/10027 --> Postfix TCP/25 --> Destination
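
The two flows above differ in a single hop. This added example (not Hermes SEG code) parses both documented flows, reports the difference and, when run on the gateway, lists which documented ports do not accept a connection. Probing 127.0.0.1 is an assumption, since the page does not say which address each service binds to.

```python
import re
import socket

# The two flows exactly as documented above.
NORMAL = ("Postfix TCP/25 --> SPF --> DKIM(Milter) TCP/8891 --> (Reinject)Postfix TCP/10026"
          " --> DMARC TCP/54321 --> Amavis TCP/10021 --> James SMTP(Ciphermail) TCP/10025"
          " --> (Reinject)Postfix TCP/10027 --> Postfix TCP/25 --> Destination")
BYPASSED = ("Postfix TCP/25 --> SPF --> DKIM(Milter) TCP/8891 --> (Reinject)Postfix TCP/10026"
            " --> DMARC TCP/54321 --> Amavis TCP/10030 --> James SMTP(Ciphermail) TCP/10025"
            " --> (Reinject)Postfix TCP/10027 --> Postfix TCP/25 --> Destination")

HOP = re.compile(r"^(?P<name>.+?)(?:\s+TCP/(?P<port>\d+))?$")

def parse_flow(flow):
    """Split a flow into ordered (component, port) hops; port is None when none is given."""
    hops = []
    for part in flow.split("-->"):
        m = HOP.match(part.strip())
        hops.append((m.group("name"), int(m.group("port")) if m.group("port") else None))
    return hops

def flow_diff(a, b):
    """Hops that differ between two flows, as (index, hop_a, hop_b)."""
    pairs = zip(parse_flow(a), parse_flow(b))
    return [(i, x, y) for i, (x, y) in enumerate(pairs) if x != y]

def listener_ports(*flows):
    """Sorted list of every TCP port named in the given flows."""
    return sorted({port for f in flows for _, port in parse_flow(f) if port is not None})

def closed_ports(ports, host="127.0.0.1", timeout=1.0):
    """Ports that do not accept a TCP connection on host (assumed loopback)."""
    closed = []
    for port in ports:
        try:
            socket.create_connection((host, port), timeout=timeout).close()
        except OSError:
            closed.append(port)
    return closed

if __name__ == "__main__":
    print("flows differ at:", flow_diff(NORMAL, BYPASSED))
    print("not accepting connections:", closed_ports(listener_ports(NORMAL, BYPASSED)))
```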

    Encryption

    Hermes SEG leverages the capabilities of Ciphermail in order to perform encryption/decryption of email messages. Ciphermail comes already installed and configured with the Hermes SEG appliance. Hermes SEG and Ciphermail each have their own Web GUI for managing encryption. We feel that our Web GUI is simpler and easier to manage; however, if you prefer to utilize Ciphermail's Web GUI, it can be easily accessed at the following URL:

    https://<IP_ADDRESS>/ciphermail/

    where <IP_ADDRESS> is the IP address of your Hermes SEG appliance.

    The Ciphermail Web GUI credentials should have been changed if you followed the Getting Started guide. If not, ensure you change them right away.

    Hermes SEG utilizes three methods for encrypting email:

    S/MIME - S/MIME is a method for encrypting emails along with associated attachments as well as a method of digitally signing emails. Encrypting emails keeps them safe from unwanted access while digitally signing emails ensures that the sender of the email is legitimate thus reducing the effectiveness of phishing attacks. S/MIME is based on asymmetric cryptography, meaning that two separate keys are used. A private key which is used for decrypting the email and a public key which is used for encrypting and digitally signing the email.

    PGP Encryption - PGP encryption encrypts and signs messages using asymmetric key pairs which are uniquely created for each user. Public keys can be exchanged with other users via many means, including public key servers. In this regard, PGP encryption is very similar to S/MIME encryption.

    PDF Encryption - PDF Encryption converts the email along with any attachments to a PDF which in turn is encrypted with a password. This method is the easiest to implement because it does not require email clients that support S/MIME. PDF readers are almost universally installed on user PCs.

     

    Hermes SEG makes a distinction between two types of recipients:

    Internal Recipients - These are internal recipients that have been created in Hermes SEG under Gateway --> Internal Recipients.

    External Recipients - These are recipients that are not internal to Hermes SEG, in other words any recipient that the system does not handle email for.