5 SEPPmail - IronPort connection
Attention:
It is important to understand the current policy of the IronPort Systems before changes are made.
Suggested configuration
All incoming emails are received by IronPort and checked for spam and viruses. All emails that have passed these checks are forwarded to SEPPmail, where they are decrypted if necessary and sent back to IronPort.
There, all emails (now decrypted) are again checked for viruses and spam and then passed to the internal groupware system, e.g. MS Exchange or Lotus Notes.
Alternatively, it is possible to recognize the encrypted and/or signed emails on the IronPort system and redirect only those to SEPPmail. All other emails will be forwarded directly to the internal groupware system.
The internal groupware system sends the outgoing emails to IronPort, which in every case forwards them on to SEPPmail. There, the ruleset determines which emails are to be signed and encrypted. Subsequently, the outgoing emails are sent from the SEPPmail system back to the IronPort system, which is the only system that sends emails towards the Internet.
The »problem« with this configuration is that SEPPmail must stay in the relay list of the IronPort system, because the SEPPmail system needs to send the outgoing emails towards the Internet. The »Outgoing Mail Policy« is always applied automatically to all hosts in the IronPort relay list. According to the current »Outgoing Policy«, no virus scan takes place there, and therefore the SEPPmail connection as such provides no additional benefit.
There are two solutions to this:
1. You build the »Outgoing Mail Policy« on the IronPort system so that it looks similar to the »Incoming Policy«. But this is an »ugly« solution.
2. You configure a specific listener via which SEPPmail delivers incoming emails. SEPPmail must not be registered in the relay list of this listener. This listener can, for example, be bound to the existing IP address 192.168.1.11 on a specific port (e.g. 10025) or to another IP address in the IP network 192.168.1.0/24.
The redirection can be implemented in two ways:
1. by Content Filter
2. by Message Filter
The difference between a Message Filter and a Content Filter is that a Message Filter is always applied to the entire email. If an email has, for example, multiple recipients, then the action applies to all recipients. In a Content Filter you can split the email via different policy entries. That should not play any role in our case. Another difference is that a Message Filter can see whether an email is encrypted or signed, so that only such emails are redirected to SEPPmail.
To keep the solution simple and clearly structured, we recommend forwarding all outgoing emails to SEPPmail (not just emails to be encrypted or signed) and working with a Content Filter.
© 2014 SEPPmail AG
Configuration
IronPort
Existing Listener with SEPPmail in the Relay List
New listener Incoming SEPPmail with SEPPmail not in the Relay list
Incoming Contentfilter: IncomingSEPPmail
(usually not required: Receiving Listener = IncomingMail AND)
Remote IP IS NOT [IP from SEPPmail 1]
AND
Remote IP IS NOT [IP from SEPPmail 2]
(optional, if you want only one of your domains to be handled by SEPPmail: AND Envelope Recipient ends with @securemailcustomer.ch)
Action: Send to Alternate Destination Host: [Cluster IP of both SEPPmail]
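The effect of the separate listener and of the Remote IP conditions can be checked with a small model of the IronPort side. This is an added example, not vendor or AVANTEC code; the IP addresses, the function names and the rule that the incoming content filter runs only under the incoming policy are assumptions of the model.

```python
from ipaddress import ip_address

# Constructed addresses; the page only names listener roles, not these IPs.
SEPPMAIL = {ip_address("192.168.1.21"), ip_address("192.168.1.22")}
INTERNET_SENDER = "203.0.113.5"

# Relay list per listener: SEPPmail is absent from the new listener.
RELAY_LIST = {"ExistingListener": SEPPMAIL, "IncomingSEPPmail": set()}


def mail_policy(listener, remote_ip):
    """Hosts in a listener's relay list always get the Outgoing Mail Policy."""
    return "outgoing" if ip_address(remote_ip) in RELAY_LIST[listener] else "incoming"


def redirect_to_seppmail(remote_ip, rcpt, domain=None, exclude_seppmail=True):
    """Conditions of the IncomingSEPPmail content filter."""
    if exclude_seppmail and ip_address(remote_ip) in SEPPMAIL:
        return False  # Remote IP IS NOT [IP from SEPPmail 1/2]
    # Optional condition: Envelope Recipient ends with @domain
    return domain is None or rcpt.lower().endswith("@" + domain.lower())


def trace_incoming(rcpt, return_listener, domain=None, exclude_seppmail=True):
    """Follow one message from the Internet and return the list of hops."""
    hops, remote_ip, listener = [], INTERNET_SENDER, "ExistingListener"
    while len(hops) < 8:  # hop limit: reaching it means a mail loop
        policy = mail_policy(listener, remote_ip)
        hops.append(f"IronPort:{listener}:{policy}")
        # Modelling assumption: the incoming content filter only runs
        # under the incoming policy.
        if policy != "incoming" or not redirect_to_seppmail(
                remote_ip, rcpt, domain, exclude_seppmail):
            return hops + ["Groupware"]
        hops.append("SEPPmail")
        remote_ip, listener = "192.168.1.21", return_listener
    return hops


if __name__ == "__main__":
    for listener in ("IncomingSEPPmail", "ExistingListener"):
        print(listener, trace_incoming("user@securemailcustomer.ch", listener))
```

A second IronPort hop labelled `outgoing` means the decrypted message re-entered under the Outgoing Mail Policy and was not rescanned; a trace that never reaches `Groupware` means the Remote IP exclusion is missing and the message loops.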
SEPPmail
The SEPPmail system is set up so that incoming emails are sent to the incoming SEPPmail listener.
Mail System menu: see the Managed Domains section (page 58).
The problem here is that in the SEPPmail configuration only a single IP address can be specified as the destination for incoming emails, but not both incoming IP addresses of your IronPort. For this reason, it is necessary to create a (fictitious) DNS entry that resolves to both IP addresses of the IronPort. Enter this DNS name as »Server IP Address« of the email domain.
SEPPmail sends outgoing email to the existing listener:
See Controlling Outgoing Email Traffic (page 58), Outgoing Server section.
The IP address of the listener is specified here, i.e. a host name as above, which resolves to both listeners.
On the SEPPmail system, relay permission is registered for both IP addresses of the IronPort system. See the Relaying section (page 61).
The configuration description for the SEPPmail IronPort connection was provided to us courtesy of:
AVANTEC AG
Badenerstrasse 281
CH-8003 Zürich http://www.avantec.ch