1. Overview
This guide shows how to set up the email settings used for sending Mail OTP and for receiving email alerts. To change or add localized messages, see the Message Templates documentation.
2. Configure Mail Server
SMTP mail servers can be used by WebADM for sending emails. Add your mail server settings to the configuration file /opt/webadm/conf/servers.xml. If no server is specified, WebADM uses the local mailer /usr/sbin/sendmail to send emails.
-bash-4.2# vi /opt/webadm/conf/servers.xml
<?xml version="1.0" encoding="UTF-8" ?>
<Servers>
<!--
******************************************
*** WebADM Remote Server Connections ***
******************************************
...
<!--
SMTP mail servers can be used by WebADM for sending emails.
If no server is specified, WebADM will use the local mailer
in /usr/sbin/sendmail to send emails.
-->
<!--
<MailServer name="SMTP Server"
host="localhost"
port="25"
user=""
password=""
encryption="NONE"
ca_file="" />
-->
</Servers>
Remove the <!-- and --> around the MailServer element to activate the MailServer configuration, then replace the default settings with your SMTP mail server settings. Finally, restart WebADM with /opt/webadm/bin/webadm restart. See the example below.
-bash-4.2# vi /opt/webadm/conf/servers.xml
<?xml version="1.0" encoding="UTF-8" ?>
<Servers>
<!--
******************************************
*** WebADM Remote Server Connections ***
******************************************
...
<!--
SMTP mail servers can be used by WebADM for sending emails.
If no server is specified, WebADM will use the local mailer
in /usr/sbin/sendmail to send emails.
-->
<MailServer name="SMTP Server"
host="mail.example.local"
port="25"
user="mailer"
password="{wcrypt}YFLnusBxE5ST6MTBDxbB8zbQTMM8noCuFFvRASPOFn8="
encryption="TLS"
ca_file="/opt/webadm/conf/smtp-ca.crt" />
</Servers>
-bash-4.2# /opt/webadm/bin/webadm restart
Stopping WebADM HTTP server... Ok
Stopping WebADM Watchd server...... Ok
Stopping WebADM PKI server... Ok
Stopping WebADM Session server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok
Found Trial Enterprise license (RCDEVSSUPPORT)
Licensed by RCDevs SA to RCDevs Support
Licensed product(s): OpenOTP,SpanKey,TiQR
Starting WebADM Session server... Ok
Starting WebADM PKI server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok
Checking server connections. Please wait...
Connected LDAP server: LDAP Server (192.168.3.80)
Connected SQL server: SQL Server (192.168.3.80)
Connected PKI server: PKI Server (192.168.3.80)
Connected Mail server: SMTP Server (78.141.172.203)
Connected Push server: Push Server (91.134.128.157)
Connected Session server: Session Server (192.168.3.80)
Connected License server: License Server (91.134.128.157)
Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok
Checking Mail service access... Ok
Checking Push service access... Ok
Checking License service access... Ok
Cluster mode enabled with 4 nodes (I'm master)
-bash-4.2#
In this example, the password has been encrypted (the {wcrypt} prefix). The encryption mechanism is bound to secret data in your encoded license file and is available for Enterprise licenses only. For details, see the documentation RCDevs Utilities and Command Line Tools for WebADM.
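As an added example (not part of the RCDevs documentation or WebADM itself), the following Python check parses a servers.xml-style file and reports the weak settings a reviewer would look for: no active MailServer (silent fallback to sendmail), credentials configured while encryption is NONE, a password that is not stored with the {wcrypt} prefix, and TLS without a ca_file. The sample XML is constructed and uses a deliberately weak configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on /opt/webadm/conf/servers.xml; wrapping the
# element in <!-- --> (the shipped default) would make it inactive.
SERVERS_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<Servers>
<MailServer name="SMTP Server"
            host="mail.example.local"
            port="25"
            user="mailer"
            password="hunter2"
            encryption="NONE"
            ca_file="" />
</Servers>
"""

def active_mail_servers(xml_text):
    """Return the <MailServer> elements WebADM would actually use.

    ElementTree drops XML comments while parsing, so an entry still wrapped
    in <!-- --> is correctly reported as inactive.
    """
    return ET.fromstring(xml_text).findall("MailServer")

def check_mail_servers(xml_text):
    """Return a list of findings about the SMTP relay configuration."""
    servers = active_mail_servers(xml_text)
    if not servers:
        return ["no active MailServer: WebADM falls back to /usr/sbin/sendmail"]
    findings = []
    for srv in servers:
        name = srv.get("name", "?")
        enc = (srv.get("encryption") or "NONE").upper()
        user, pw, ca = srv.get("user", ""), srv.get("password", ""), srv.get("ca_file", "")
        # Credentials over a plaintext SMTP session can be read by anyone on the path.
        if enc == "NONE" and (user or pw):
            findings.append(f"{name}: SMTP credentials configured but encryption is NONE")
        # The guide stores the password with the {wcrypt} prefix (Enterprise license).
        if pw and not pw.startswith("{wcrypt}"):
            findings.append(f"{name}: password is stored in clear text (no {{wcrypt}} prefix)")
        # With TLS, the guide's example also configures a CA file for the relay certificate.
        if enc != "NONE" and not ca:
            findings.append(f"{name}: encryption={enc} but ca_file is empty")
    return findings

if __name__ == "__main__":
    for line in check_mail_servers(SERVERS_XML) or ["no findings"]:
        print(line)
```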
3. Configure and test email
3.1 Test Email
First, select testuser1 on the left side. It has no email address yet, so under Add Attribute add Email Address.
testuser1 now has an email address.

Let's check whether WebADM is able to send an email: under Application Actions, click Secure Password Reset.
This is the default output; let's continue by changing the sender's email address.
3.2 Sender Email
To configure the sender email, edit the WebADM configuration file /opt/webadm/conf/webadm.conf and change the setting named org_from.
-bash-4.2# vi /opt/webadm/conf/webadm.conf
#
# WebADM Server Configuration
#
...
# Personalization options
# You can customize your organization's name, logo file and website URL.
# The logo file must be a PNG image under conf/ with a size of 100x50 pixels.
#org_name "RCDevs SA"
#org_logo "rcdevs.webp"
#org_site "https://www.rcdevs.com/"
org_from "noreply@rcdevs.com"
...
Restart WebADM services to apply the changes.
4. Configure Alerts
Alerts are always recorded to the SQL Alert log. Additionally, when alert_email is defined, the alerts are also sent by email. To activate this feature, edit the WebADM configuration file /opt/webadm/conf/webadm.conf: remove the # in front of alert_email and replace the default email address. Save the changes and restart WebADM with /opt/webadm/bin/webadm restart.
-bash-4.2# vi /opt/webadm/conf/webadm.conf
#
# WebADM Server Configuration
#
...
# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# or alert_mobile is defined, the alerts are also sent by email/SMS.
#alert_email "me@mydomain.com"
#alert_mobile "+33 12345678"
...
-bash-4.2# vi /opt/webadm/conf/webadm.conf
#
# WebADM Server Configuration
#
...
# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# or alert_mobile is defined, the alerts are also sent by email/SMS.
alert_email "testmail@rcdevs.com"
#alert_mobile "+33 12345678"
...
Let's trigger an alert recorded to the SQL Alert log by setting a wrong clock time on the server. Follow the steps in the documentation NTP (Network Time Protocol). Afterwards, restart WebADM.

Use the User Alert Setting feature to notify users via email when a certificate or Active Directory domain password is approaching its expiration date:


The templates for alerting users via email when a login certificate or Active Directory domain password is near expiration are defined by ldap_expire_xxx and cert_expire_xxx in /opt/webadm/conf/webadm.conf. There, the messages can be changed and additional variables can be added. A notification email is sent 5 days before the user's password expiration and then every day until the password has been changed; this value is hard-coded.
-bash-4.2# vi /opt/webadm/conf/webadm.conf
#
# WebADM Server Configuration
#
...
# End-user message templates
# The following variables are available: %USERNAME%, %USERDN%, %USERID%, %DOMAIN%, %APPNAME%
# Additional variables are available depending on the context: %APPNAME%, %APPID%, %TIMEOUT%, %EXPIRES%
app_unlock_subject "Unlocked access to %APPNAME%"
app_unlock_message "Hello %USERNAME%,\r\n\r\nYou have a one-time access to the %APPNAME%.\r\nYour access will automatically expire %EXPIRES%."
ldap_expire_subject "Login password near expiration"
ldap_expire_message "Hello %USERNAME%,\r\n\r\nYour login password will expire %EXPIRES%.\r\nPlease reset your password before expiration!\r\n\r\nRegards"
cert_expire_subject "Login certificate near expiration"
cert_expire_message "Hello %USERNAME%,\r\n\r\nYour login certificate will expire %EXPIRES%.\r\nPlease renew your certificate before expiration!\r\n\r\nRegards"
Finally, save the changes and restart WebADM with /opt/webadm/bin/webadm restart.
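As an added example (not part of the RCDevs documentation or WebADM itself), this Python check parses an excerpt written in the webadm.conf format shown above, reports when alert_email is still commented out, and flags any %VARIABLE% in a message or subject template that is not among the variables listed in the file's comments. The excerpt is constructed and contains a deliberate %EXPIRE% typo; the set of allowed variables is taken from the comment lines in the configuration above.

```python
import re

# Variables documented in the webadm.conf comments (global ones plus the
# context-dependent ones). Anything else in a template is a likely typo.
ALLOWED_VARS = {"USERNAME", "USERDN", "USERID", "DOMAIN",
                "APPNAME", "APPID", "TIMEOUT", "EXPIRES"}

# Constructed excerpt in webadm.conf syntax (not the real file). alert_email is
# still commented out and ldap_expire_message misspells %EXPIRES% as %EXPIRE%.
WEBADM_CONF = r'''
# Alerts are always recorded to the SQL Alert log.
#alert_email "me@mydomain.com"
org_from "noreply@rcdevs.com"
ldap_expire_subject "Login password near expiration"
ldap_expire_message "Hello %USERNAME%,\r\n\r\nYour login password will expire %EXPIRE%."
cert_expire_message "Hello %USERNAME%,\r\n\r\nYour login certificate will expire %EXPIRES%."
'''

# One active setting per line: key, whitespace, double-quoted value.
LINE_RE = re.compile(r'^\s*(\w+)\s+"(.*)"\s*$')

def parse_conf(text):
    """Return {key: value} for the active (uncommented) settings."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out default, not in effect
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def check_templates(settings):
    """Return findings about alert delivery and template variables."""
    findings = []
    if "alert_email" not in settings:
        findings.append("alert_email not set: alerts are only written to the SQL Alert log")
    for key, value in settings.items():
        if not (key.endswith("_message") or key.endswith("_subject")):
            continue
        for var in re.findall(r"%(\w+)%", value):
            if var not in ALLOWED_VARS:
                findings.append(f"{key}: %{var}% is not a documented template variable")
    return findings

if __name__ == "__main__":
    for line in check_templates(parse_conf(WEBADM_CONF)) or ["no findings"]:
        print(line)
```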
5. Configure User Notifications
User notifications regarding password expiration or account blocking can be configured to be sent by email in one of the following places:
- Under OpenOTP global configuration
- Under OpenOTP group settings configuration
- Under OpenOTP user settings configuration
The following user notification settings can be configured:
- Password Expired Notification: send a notification email/SMS to the user when their LDAP password or OTP Token has expired. The SMS sender number is defined in the SMS OTP Settings.
- Account Blocking Notification: send a notification email/SMS to the user when their account gets blocked.
- Weak Password Notification: send a notification email/SMS to the user when the user password is too weak or is listed as leaked.
- Send Self-Registration Links: automatically send a self-registration email/SMS if the user has no Token registered or the Token has expired.
- Send Password Reset Links: automatically send a password reset email/SMS if the user password has expired or must be changed.
As an example, we use option 3, which configures the related settings on the user object. To do this, select an activated user account from the Tree panel. In the Object Details box, click the CONFIGURE button, then configure the User Notifications settings.
6. Configure Mail OTP
To receive a one-time password (OTP) through email, the user needs a configured email address in either the 'mail' or 'othermail' attribute. There are several places where OTP by email can be enabled:
- Under OpenOTP global configuration
- Under OpenOTP group settings configuration
- Under OpenOTP user settings configuration
- Under OpenOTP client policy configuration
The OTP Type setting must be configured as MAIL. In the scenarios described in this chapter, we use option 3, which configures the WebADM user settings on the user object.
To do this, select an activated user account from the Tree panel. In the Object Details box, click the CONFIGURE button.
Choose MFA Authentication Server from the Applications box and set OTP Type to MAIL.
Note
MAIL OTP may require longer timeouts; therefore enable and properly configure the option Challenge Session Timeout.

Mail OTP can be sent in three different ways (Email Delivery Mode setting):
- Ondemand: A new OTP is sent when the user starts an authentication process.
- Prefetch: The next OTP is sent after the user has performed an authentication.
- Approve: A one-time access link is sent with a click-to-approve button.
6.1 Ondemand (or Prefetch)
In this example, we set the Email Delivery Mode setting to Ondemand in the user settings.

Let's test the Mail OTP by clicking MFA Authentication Server under Application Actions.

Now click on Test OTP & FIDO Authentication.

Type in your LDAP password if the Login Mode is set to LDAPOTP. Click the Start button.

Now, switch to your email client and check your mail.
Finally, enter the OTP from the email and click Continue.
6.2 Approve (MagicLinks by Mail)
Magic Links can be set up to send users an email containing a link to a page where they can choose to authenticate or decline. For this, we set the Email Delivery Mode setting to Approve in the user settings.

Let's test the Mail OTP by clicking MFA Authentication Server under Application Actions.

Now click on Test OTP & FIDO Authentication.

Type in your LDAP password if the Login Mode is set to LDAPOTP. Click the Start button.

Now, switch to your email client and check your mail.

You can then click the link or scan the QR code, which opens the Approval page in your browser.

Click on Login to complete the authentication process (or on Cancel if you do not wish to approve the authentication).
If you open the Magic Link after the timeout, the Approval page will provide you with an OTP. Enter it and click Continue.
7. Encrypt Mail OTP
To encrypt the Mail OTP emails, select an activated user account from the Tree panel. In the Object Details box, click the CONFIGURE button.
Choose MFA Authentication Server from the Applications box and enable the option Use Secure Email.

Now, create a certificate through WebADM for the user in question. In this example, select testuser1 on the left side and click on Create certificate.

Enable the Secure Email (s/mime) setting in the Extended Key Usage section, then click the Create Cert button.

Click the Download button to download the user's certificate. Import the certificate into your mail client.

Let's verify that the email is encrypted. Repeat the steps from the previous chapter for the Test User Authentication.

In the header of the email, you can see that it has been encrypted.