This article shows you how to set up a web service that integrates with your existing authentication system to issue SPX passwords. The passwords are based on supplied email address/password combinations. These passwords are required for decryption of messages that have been encrypted using the Email Appliance's SPX encryption.
Note: Sophos Technical Support does not officially support the development of custom web services. For additional assistance with customization, contact your account manager to receive guidance from Sophos Professional Services.
Copyright (c) 2009, Sophos Group
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Sophos Group nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- IIS 7 on Windows Server 2008
- IIS server with the full ASP.NET and ISAPI roles installed, set up, and ready to deploy (see the Microsoft website for more information).
- A comma-separated (CSV) file containing a list of email addresses and their associated passwords.
Configuring the Email Appliance to issue passwords using a web service requires a number of major steps, each of which is described in detail below. You must add the web service application to IIS, configure IIS to use the service, configure HTTPS (recommended), set up authentication, configure the web service application, configure the appliance to use the service, and test the service.
I - Adding the Application to IIS
- Extract the contents of PasswordService.zip into a directory under C:\inetpub\wwwroot. For this example, use C:\inetpub\wwwroot\SpxPasswordService.
- Right-click on each of the files in the SpxPasswordService directory (including files in the bin directory), and select Properties.
- Click Unblock.
- Click OK.
II - Configuring IIS to Use the Service
- Select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
- In the directory tree, click YourServerName > Sites > Default Web Site.
- Right-click Default Web Site, and select Add Application.
- In the Alias text box, enter
- In the Physical Path text box, enter
- Click OK.
III - Configuring HTTPS
Although it is possible to perform authentication without HTTPS, Sophos recommends that it be enabled.
- If necessary, install a certificate.
- Right-click Default Web Site.
- Select Edit Bindings.
- Click Add.
- Add https to the list.
IV - Setting up Anonymous Authentication
Note: SPX configuration in the Email Appliance has support for Basic Access Authentication using Active Directory or Anonymous Authentication, both with the option of using HTTPS. This example covers Anonymous Authentication only. For information about Basic Access Authentication on IIS Server 7, see the Microsoft documentation.
- In the directory tree, on the left side, click
- In the middle pane, under IIS, double-click Authentication.
- Right-click Anonymous Authentication, and select enable (if it is not already enabled).
- The password service is now running at https://localhost/SpxPasswordService/PasswordService.asmx. If you open your web browser to this URL, the following is displayed:
V - Configuring the Application
The application can be integrated with most authentication infrastructures, whether a database (MSSQL, MySQL, Oracle, etc.), LDAP (Active Directory, OpenLDAP, etc.), or other means (for example, text files). The only requirement is that the passwords can be retrieved and transmitted to the Email Appliance for use with encrypted messages.
In this example, the script will attempt to retrieve passwords from a CSV file containing one email address and password combination on each line. In each entry, the two values must be separated by a comma, and there should be no spaces. For example:
- To specify the CSV file, edit C:\inetpub\wwwroot\spxpasswordservice\Web.config. There will be a section in the file that looks like this:
<add key="csvFile" value="C:\passwords.csv" />
Replace C:\passwords.csv with the path to your CSV file.
- Ensure that both the file name and the Windows permissions allow only the IIS user to read this file. The file must be in a location for which the IIS user has read access.
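As an added example (not the code shipped in PasswordService.zip), this is the core of such a service in C#: an ASMX web method that reads the csvFile setting from Web.config and returns the password stored for a given address, using the one-entry-per-line, comma-separated format described above. The method name GetPassword, its parameter and the namespace URI are assumptions; the real PasswordService.asmx contract is not shown on this page.

```csharp
// Added example, not Sophos's PasswordService code. Method name, parameter
// and namespace URI are assumptions made for illustration.
using System;
using System.Configuration;
using System.IO;
using System.Web.Services;

[WebService(Namespace = "http://example.org/spx-password-service/")]
public class PasswordService : WebService
{
    // Returns the password stored for emailAddress, or an empty string when
    // there is no entry or the CSV file cannot be read.
    [WebMethod]
    public string GetPassword(string emailAddress)
    {
        if (string.IsNullOrEmpty(emailAddress))
            return string.Empty;

        // Path comes from <add key="csvFile" value="..." /> in Web.config.
        string csvPath = ConfigurationManager.AppSettings["csvFile"];
        if (string.IsNullOrEmpty(csvPath) || !File.Exists(csvPath))
            return string.Empty;

        string wanted = emailAddress.Trim();
        foreach (string rawLine in File.ReadAllLines(csvPath))
        {
            string line = rawLine.Trim();
            if (line.Length == 0 || line.StartsWith("#"))
                continue;  // blank line or comment

            // Split on the first comma only, so a password containing a
            // comma is still returned whole.
            int comma = line.IndexOf(',');
            if (comma <= 0)
                continue;  // malformed entry: skip it rather than fail the lookup

            string email = line.Substring(0, comma).Trim();
            string password = line.Substring(comma + 1);

            // Addresses match case-insensitively and exactly (no prefix or
            // substring matches); the password is returned verbatim.
            if (string.Equals(email, wanted, StringComparison.OrdinalIgnoreCase))
                return password;
        }
        return string.Empty;
    }
}
```

Because the method hands the stored password back to whoever calls it, expose it only on the HTTPS binding from section III and, if the appliance is configured for it, behind Basic Access Authentication rather than anonymous access.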
VI - Configuring and Testing the Web Service Password Service
- Log in to the Email Appliance.
- Select Configuration > Policy > Encryption.
- Click the SPX Encryption tab, and then click Add.
- Configure cover page options, and click Next.
- From the Password service drop-down list, select Use a Custom remote authentication service to assign passwords.
- Enter the URL of the IIS 7 web service, along with the domain path. For this example, the URL is
- If you opted for Basic Access Authentication instead of Anonymous Authentication, enter the username and password for the web service.
- Enter a sample email address and password from the CSV file that you created earlier (for example, firstname.lastname@example.org with Password=somepassword), and click Test. SPX will authenticate using the web server, and a "Password Matched" message is displayed on the Appliance's status bar if the operation is successful.
- Proceed through the SPX Template wizard, and save your template. Your Web Service Password Authentication is now complete.