SEPPmail User Manual



5 SEPPmail - IronPort connection

Attention:

It is important to understand the current policy of the IronPort system before changes are made.

Suggested configuration

All incoming emails are received by IronPort and checked for spam and viruses. All emails that pass these checks are forwarded to SEPPmail, where they are decrypted if necessary and sent back to IronPort.

There, all the emails (now decrypted) are tested again for viruses and spam and passed to the internal groupware system, e.g. MS Exchange or Lotus Notes.

Alternatively, it is possible to recognize the encrypted and/or signed emails on the IronPort system and redirect only those to SEPPmail. All other emails will be forwarded directly to the internal groupware system.

The internal groupware system sends the outgoing emails to IronPort, which in every case forwards them to SEPPmail. There, the ruleset determines which emails are to be signed and encrypted. Subsequently, the outgoing emails are sent from the SEPPmail system back to the IronPort system, which is the only system that sends emails towards the Internet.

The »problem« with this configuration is that SEPPmail must stay in the relay list of the IronPort system, because the SEPPmail system has to send the outgoing emails towards the Internet. The »Outgoing Mail Policy« always applies automatically to all hosts in the IronPort relay list. According to the current »Outgoing Policy«, no virus scan takes place there, and therefore the SEPPmail connection as such provides no additional benefit.

There are two solutions to this:

1. You build the »Outgoing Mail Policy« on the IronPort system so that it looks similar to the »Incoming Policy«. But this is an »ugly« solution.

2. You configure a specific listener via which SEPPmail delivers incoming emails. SEPPmail must not be registered in the relay list of this listener. This listener can, for example, be bound to the existing IP address 192.168.1.11 on a specific port (e.g. 10025) or to another IP address in the IP network 192.168.1.0/24.

The redirection can be implemented in two ways:

1. by Content Filter

2. by Message Filter

The difference between a Message Filter and a Content Filter is that a Message Filter is always applied to the entire email. If an email has, for example, multiple recipients, then the action applies to all recipients. In a Content Filter you can split the email via different policy entries. That should not play any role in our case. Another difference is that in the Message Filter you can see whether an email is encrypted or signed, so that only these emails are redirected to SEPPmail.

To keep the solution simple and clearly structured, we recommend forwarding all outgoing emails to SEPPmail (not just emails to be encrypted or signed) and working with a Content Filter.

© 2014 SEPPmail AG


Configuration

IronPort

Existing Listener with SEPPmail in the Relay List

New listener Incoming SEPPmail with SEPPmail not in the Relay list

Incoming Content Filter: IncomingSEPPmail

(usually not required: Receiving Listener = IncomingMail AND)

Remote IP IS NOT [IP from SEPPmail 1]

AND

Remote IP IS NOT [IP from SEPPmail 2]

(optional, if you want only one of your domains to be handled by SEPPmail: AND Envelope Recipient ends with @securemailcustomer.ch)

Action: Send to Alternate Destination Host: [Cluster IP of both SEPPmail]

SEPPmail

The SEPPmail system is set up so that incoming emails are sent to the incoming SEPPmail listener.

Mail System menu: see Managing Email Domains Setup, Managed Domains section.

The problem here is that the SEPPmail configuration allows only a single IP address to be specified as the destination for incoming emails, not both incoming IP addresses of your IronPort. For this reason, it is necessary to create a (fictitious) DNS entry that resolves to both IP addresses of the IronPort. Enter this DNS name as »Server IP Address« of the email domain.
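A pre-deployment check for the DNS entry and for the dedicated listener's relay list, as an added example that is not part of the SEPPmail manual: it verifies that the DNS name resolves to exactly the IronPort listener addresses and, when run on the SEPPmail host, that the listener rejects recipients outside your domains. The host name, the second address 192.168.1.12 and the probe mail addresses are assumed placeholders; 192.168.1.11, port 10025 and securemailcustomer.ch are the manual's own examples.

```python
import smtplib
import socket

def resolve_ipv4(name):
    """Return the set of IPv4 addresses that `name` resolves to."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def check_listener_name(name, expected_ips, resolver=resolve_ipv4):
    """Compare the DNS answer for `name` with the IronPort listener IPs."""
    resolved, expected = set(resolver(name)), set(expected_ips)
    return {
        "ok": resolved == expected,
        "missing": sorted(expected - resolved),     # listener SEPPmail never reaches
        "unexpected": sorted(resolved - expected),  # host that would receive decrypted mail
    }

def listener_refuses_relay(host, port, sender, external_rcpt,
                           smtp_factory=smtplib.SMTP):
    """Run on the SEPPmail host. True if the listener rejects a recipient
    outside the managed domains, i.e. SEPPmail is not a relay host there."""
    with smtp_factory(host, port, timeout=10) as smtp:
        smtp.ehlo()
        smtp.mail(sender)
        code, _ = smtp.rcpt(external_rcpt)  # no DATA follows, so no mail is sent
        smtp.rset()
    return not (200 <= code < 300)

if __name__ == "__main__":
    # Assumed values: the host name and 192.168.1.12 are placeholders.
    name = "ironport-in.example.internal"
    ips = ["192.168.1.11", "192.168.1.12"]
    print(check_listener_name(name, ips))
    for ip in ips:
        refused = listener_refuses_relay(
            ip, 10025, "probe@securemailcustomer.ch", "probe@example.org")
        print(ip, "relay refused" if refused
              else "RELAY ALLOWED: SEPPmail is in this listener's relay list")
```
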

SEPPmail sends outgoing email to the existing listener:

See Controlling Outgoing Email Traffic, Outgoing Server section.

Specify the address of the listener here, i.e. a host name as above that resolves to both listeners.

Relay permission is registered on the SEPPmail system for both IP addresses of the IronPort system. See Mail Relaying, Relaying section.

The configuration description for the SEPPmail IronPort connection was kindly provided by:

AVANTEC AG

Badenerstrasse 281

CH-8003 Zürich

http://www.avantec.ch

[email protected]
