How to:
This article explains how to configure various Open-Xchange (OX) features on Univention Corporate Server (UCS), including disabling OX Drive, managing OX Guard’s PGP functions, enabling S/MIME, importing a Certificate Authority (CA), and assigning it to users. All configuration changes are performed using the Univention Configuration Registry (UCR) or OX CLI tools.
Disabling OX Drive
To disable the OX Drive functionality, set the following UCR variable:
ucr set ox/cfg/drive.properties/com.openexchange.capability.drive='false'
This setting is saved in the file /opt/open-xchange/etc/drive.properties.
Disabling PGP Functions in OX Guard
To selectively disable PGP-related features of OX Guard, set these UCR variables:
ucr set ox/cfg/guard-api.properties/com.openexchange.capability.guard='false'
ucr set ox/cfg/guard-api.properties/com.openexchange.capability.guard-mail='false'
ucr set ox/cfg/guard-api.properties/com.openexchange.capability.guard-drive='false'
These settings are applied in /opt/open-xchange/etc/guard-api.properties and deactivate the respective PGP components.
Enabling S/MIME Support in OX Guard
Enable S/MIME support by setting the following UCR variable:
ucr set ox/cfg/guard-api.properties/com.openexchange.capability.smime='true'
This configuration is also stored in guard-api.properties, enabling S/MIME encryption and signing features.
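To confirm that the capability settings from the three sections above actually reached the properties files, a check like the following can be run after the ucr set commands. It is an added example, not part of the original article or of the UCS/OX tooling; the function names are hypothetical, and it assumes each UCR variable ox/cfg/<file>/<key> is written as a plain key=value line in <file>.

```shell
# Added example, not part of the original article or of the UCS/OX tooling.
# Assumption: UCR variable ox/cfg/<file>/<key> is rendered as "<key>=<value>"
# in ETC_DIR/<file>; only the "=" separator of Java properties is handled.

# prop_value ETC_DIR UCR_VAR: print the effective value (last assignment wins);
# returns 1 if the key is absent, 2 if the file is unreadable.
prop_value() {
    pv_rest=${2#ox/cfg/}
    pv_file=$1/${pv_rest%%/*}
    [ -r "$pv_file" ] || return 2
    awk -v k="${pv_rest#*/}" '
        /^[ \t]*[#!]/ { next }                    # comment lines
        { n = index($0, "="); if (n == 0) next
          name = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
          # Exact match, so "capability.guard" never matches "guard-mail".
          if (name == k) { val = substr($0, n + 1); found = 1
                           gsub(/^[ \t]+|[ \t\r]+$/, "", val) } }
        END { if (!found) exit 1; print val }' "$pv_file"
}

# check_setting ETC_DIR UCR_VAR EXPECTED: one status line, returns 0 only on match.
check_setting() {
    cs_actual=$(prop_value "$1" "$2") || { echo "MISSING  $2"; return 1; }
    [ "$cs_actual" = "$3" ] && { echo "OK       $2=$cs_actual"; return 0; }
    echo "MISMATCH $2 expected=$3 actual=$cs_actual"; return 1
}

# audit_ox_caps [ETC_DIR]: check every value this article sets; 0 only if all match.
audit_ox_caps() {
    ao_dir=${1:-/opt/open-xchange/etc}; ao_rc=0
    while read -r ao_var ao_want; do
        check_setting "$ao_dir" "$ao_var" "$ao_want" || ao_rc=1
    done <<'EOF'
ox/cfg/drive.properties/com.openexchange.capability.drive false
ox/cfg/guard-api.properties/com.openexchange.capability.guard false
ox/cfg/guard-api.properties/com.openexchange.capability.guard-mail false
ox/cfg/guard-api.properties/com.openexchange.capability.guard-drive false
ox/cfg/guard-api.properties/com.openexchange.capability.smime true
EOF
    return "$ao_rc"
}

# Constructed sample (not real UCS output): guard-mail was left enabled.
write_sample() {
    echo 'com.openexchange.capability.drive=false' > "$1/drive.properties"
    printf '%s\n' '# constructed' 'com.openexchange.capability.guard=false' \
        'com.openexchange.capability.guard-mail = true' \
        'com.openexchange.capability.guard-drive=false' \
        'com.openexchange.capability.smime=true' > "$1/guard-api.properties"
}
```

Called without an argument, audit_ox_caps reads /opt/open-xchange/etc; a non-zero exit status means at least one capability is missing or differs from the value set in this article.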
Importing a Certificate Authority (CA) for S/MIME
A trusted CA must be imported to use S/MIME. Use the command below:
/opt/open-xchange/sbin/smime -A oxadminmaster -P $(< /etc/ox-secrets/master.secret) -a /etc/univention/ssl/ucsCA/CAcert.pem --grpId 326
Note on --grpId:
This group ID is an internal OX identifier and not related to LDAP group IDs. It can be chosen arbitrarily but should be unique and must later be assigned to users.
To list existing OX groups and their IDs, run:
/opt/open-xchange/sbin/listgroup -c 10 -A oxadmin -P $(< /etc/ox-secrets/context10.secret)
Example output:
326,73,137,183,635,640
Assigning the CA Group to Users
After importing the CA, assign the group ID to a user to enable S/MIME certificate use:
/opt/open-xchange/sbin/changeuser -c 10 -i 635 -A oxadmin -P $(< /etc/ox-secrets/context10.secret) --config/com.openexchange.smime.caGroupId=326
- -c 10 is the OX context ID.
- -i 635 is the internal user ID (not the LDAP UID).
- --config/com.openexchange.smime.caGroupId=326 links the user to the CA group.
To find internal user IDs, use:
/opt/open-xchange/sbin/listuser -c 10 -A oxadmin -P $(< /etc/ox-secrets/context10.secret)
Additional Notes
- The oxadmin binary mentioned in some OX documentation does not exist in the UCS environment. Use oxadminmaster or the appropriate context admin tools instead.
- Changes made via UCR usually take effect automatically; a service restart may be necessary in some cases.
- For further information, consult: