Logo
1.0.0

Gateway Administration

  • Introduction
    • CipherMail Gateway
    • Network architecture
      • After content scanner
      • Content scanner with redirect
      • Office 365 integration
      • Google workspace integration
  • Quick setup
    • Initial setup wizard
      • Send test email
    • Without wizard
      • Send test email
  • Admin
    • Administrators
      • Roles
    • Network
      • Network interfaces
      • Hostname
      • DNS
      • Hosts
      • NTP
    • MTA
      • Configuration
        • Relay domains
        • My Networks
        • My Hostname
        • Match subdomains
        • SMTP Helo Name
        • Reject unverified recipient
        • Unverified Recipient Reject Code
        • External relay host
        • Internal relay host
        • Before filter message size limit
        • After filter message size limit
        • MTA config file
      • SASL
      • MTA Client access list
      • Email forwarding
      • Header checks
      • RBL
        • Static black-list
        • Static white-list
      • MTA lookup tables
      • SMTP transports
    • System
      • Gateway
        • Restart
        • Reboot
        • Shutdown
      • Web Server
      • MTA
    • Backup
      • Backup configuration
        • SMB share settings
        • Automatic backup
        • General
        • Example Cron Expressions
    • Log export
      • Log export configuration
        • SMB share settings
        • Automatic log export
        • General
        • Example Cron Expressions
    • Reporting
    • SSL/TLS
      • Web
      • SMTP
      • CSR
        • Certificate request procedure
    • Company logo
    • SMS gateway
    • Cluster settings
    • Extract text
    • Fetchmail
      • Settings
      • Adding a new Fetchmail account
    • Licenses
    • Logger levels
    • Monitoring
      • Supported services
    • Notification
    • PEM to PFX
    • Proxy
    • Send email
  • Settings
    • Introduction
    • Users
    • Domains
    • Sender and receiver settings
    • General
      • Created
      • Comment
      • Locality
      • Encrypt mode
      • Encryption notification
      • Skip calendar messages
    • S/MIME
      • Enabled
      • Strict mode
      • Max. message size
      • Encryption algorithm
      • Encryption scheme
      • Signing algorithm
      • Auto select certificates
      • Always use freshest signing certificate
      • Auto request certificate
      • Add user
      • Encrypt headers
      • Remove signature
      • Skip calendar messages
      • Skip signing calendar messages
      • Add additional certificates
      • Auto import certificates from email
      • Skip import of untrusted certificates
      • Check for invalid 7bit chars
      • Abort decrypt on invalid 7bit chars
    • PGP
      • Enabled
      • PGP encoding to external
      • Enable PGP/INLINE to internal
      • Max. message size
      • Signing algorithm
      • Encryption algorithm
      • Compression algorithm
      • Convert HTML to text
      • Add integrity packet
      • Key size
      • Auto publish
      • Auto request
      • Remove signature
      • Import keys from email
      • Remove keys from email
      • Scan HTML for PGP
      • Skip non PGP extensions
      • PGP partitioned fix-up
      • Skip signing only
      • Auto update email addresses
    • PDF
      • PDF enabled
      • OTP enabled
      • Generate password to originator
      • Max. message size
      • Only if mandatory
      • Sign email
      • Deep scan
      • Reply allowed
      • Send CC to replier
      • Reply validity interval
      • Reply URL
      • Reply sender
      • Use reply sender
      • Add cover page
      • Cover page
      • Auto rename attachments
      • Attachments to rename
      • Keyword to add to renamed attachments
      • Reply Max. attachment size
      • Reply Max. number of attachments
      • Attach original message as RFC822 (.eml)
      • Background color
    • Password
      • Password
      • Password ID
      • Validity interval
      • Generated length
      • Date last generated
    • Encryption subject trigger
      • Trigger
      • Enabled
      • Regular expr.
      • Remove match
    • Signing
      • Only sign when encrypt
    • Encryption header trigger
      • Force encrypt allowed
      • Force encrypt trigger
    • Signing header trigger
      • Force signing allowed
      • Force signing trigger
    • Signing subject trigger
      • Trigger
      • Enabled
      • Regular expr.
      • Remove match
    • One time password (OTP)
      • OTP URL
    • Security info
      • Add security info
      • Decrypted tag
      • Signed tag
      • Signed by tag
      • Invalid signature tag
      • Mixed content tag
    • Subject filter
      • Enabled
      • Filter
    • CA
      • Last used pfx password
    • Post processing
      • Header internal
      • Header external
    • Other
      • Server secret
      • Client secret
      • Auto create client secret
      • System mail secret
    • Custom
    • Subject triggers
    • Header triggers
    • Portal
      • Password
      • Min. password strength
      • Enabled
      • Auto invite
      • Base URL
    • DLP
      • Enable pattern scanning
      • Quarantine URL
      • DLP managers
      • Quarantine on failed encryption
      • Quarantine on error
      • Warning to originator
      • Warning to DLP managers
      • Quarantine to originator
      • Quarantine to DLP managers
      • Block to originator
      • Block to DLP managers
      • Error to originator
      • Error to DLP managers
      • Release to originator
      • Release to DLP managers
      • Delete to originator
      • Delete to DLP managers
      • Expire to originator
      • Expire to DLP managers
      • Allow download
      • Allow release
      • Allow release encrypt
      • Allow release as-is
      • Allow delete
    • SMS
      • Phone number
      • Send SMS (S)
      • Receive SMS
      • Phone number allowed
      • Default country code
    • DKIM
      • Generate new key
      • Upload key
      • Download private key
      • DKIM signing enabled
      • Signature template
      • System key
    • Webmail
      • Enabled
      • Read receipt
      • Only if mandatory
      • OTP enabled
      • Webmail recipient
      • Webmail sender
    • Certificate request by mail
      • Enabled
      • Subject trigger
      • Must be signed
    • Licensing
      • Auto assign license
  • Templates
    • Template format
    • Default templates
      • Encrypted PDF
      • Encrypted PDF via SMS
      • Encrypted PDF OTP
      • Encrypted PDF OTP invite
      • Encryption failed notification
      • Encryption notification
      • Passwords notification
      • SMS with password
      • SMS PFX password
      • PFX email
      • DLP warning
      • DLP quarantine
      • DLP block
      • DLP error
      • DLP release notification
      • DLP delete notification
      • DLP expire notification
      • Custom 1
      • Custom 2
      • Custom 3
  • S/MIME
    • Introduction
    • X.509 certificate
      • Public Key
      • Subject
      • Email address
      • Issuer
      • Serial Number
      • Not Before
      • Not After
      • Key Usage
      • Extended Key Usage
      • Thumbprint
    • Certificate store
    • Root store
    • Revocation checking
    • Certificate selection
      • Color coding
      • Encryption certificate selection
      • Signing certificate selection
    • Additional certificates
    • CRL
    • CTL
      • CTL inheritance
      • CTL icons
    • Certificate Authority
      • Built-in CA
      • CA configuration
      • Certificate Request Handlers
        • Built-in certificate request handler
        • EJBCA certificate request handler
        • CSR request handler
        • GlobalSign EPKI certificate request handler
        • GlobalSign Atlas certificate request handler
        • Intellicard certificate request handler
      • Create new end-user certificate
        • Advanced settings
      • Select default CA
      • Pending requests
      • Bulk requests
        • CSV format
      • Create CRL
      • Send Certificates
  • PGP
    • Introduction
    • PGP keys
      • Key details
      • Key trust
      • Publish public key
      • Email addresses
      • Revoke key
    • Importing keys
    • Create keyring
    • Search keys
    • Key servers
    • Key selection
      • Encryption key selection
      • Signing key selection
  • PDF Messenger
    • Introduction
      • PDF messenger features
    • Password modes
    • Portal
    • Password mode config
      • Static password
      • Generate password to originator
      • Send password by SMS
      • One Time Password (OTP)
    • Configure PDF reply
  • DLP
    • Introduction
    • Express setup
    • Patterns
      • Pattern
      • Groups
      • Import
      • Export
    • Text normalization
      • Skip list
    • Selecting patterns
    • DLP settings
      • Enable pattern scanning
      • Quarantine URL
      • DLP managers
      • Quarantine on failed encryption
      • Quarantine on error
      • Warning to originator
      • Warning to DLP managers
      • Quarantine to originator
      • Quarantine to DLP managers
      • Block to originator
      • Block to DLP managers
      • Error to originator
      • Error to DLP managers
      • Release to originator
      • Release to DLP managers
      • Delete to originator
      • Delete to DLP managers
      • Expire to originator
      • Expire to DLP managers
      • Allow download
      • Allow release
      • Allow release encrypt
      • Allow release as-is
      • Allow delete
    • Quarantine
      • Expiration
  • Webmail Messenger
    • Introduction
    • Architecture
    • Configuration
  • Wizards
    • Introduction
    • Initial setup wizard
    • Encryption setup wizard
    • TLS/SSL import wizard
    • Webmail Messenger setup wizard
  • Queues
    • MTA queue
      • Manage MTA queue
      • Filter
      • Email content
    • MPA queue
    • SMS queue
    • DLP quarantine queue
  • Logs
    • MTA logs
    • MPA logs
  • LDAP
    • LDAP certificate lookup
      • Configuration
      • Test
      • Finsh
    • LDAP certificate publish
      • Install
      • Configure
        • Example settings
      • Test
      • Finsh
  • Community Edition notes
    • Community Edition updates
      • Updating the virtual appliance
        • Create a backup on the old VM
        • Install the new VM
        • Import the backup
      • Updating the packages
        • Major changes in version 5.0
        • Core OS package
        • PAM authentication
        • systemd
  • Other
    • SMTP TLS Policy
      • Policy line
        • DOMAIN
      • Examples
        • Only allow TLS for incoming and outgoing
    • Domain to domain encryption
      • Setup S/MIME domain to domain encryption
      • Setup PGP domain to domain encryption
    • System status
    • Port usage
      • External → Internal
      • Internal → External
    • State diagram
    • Sender Rewriting Scheme
      • SRS Configuration

Gateway Installation

  • Introduction
    • Requirements
    • Core OS package
  • Ubuntu/Debian
    • Install required packages
    • Install CipherMail packages
    • Configure back-end
      • Install back-end packages
      • Configure database
      • Configure Postfix
    • Configure front-end
      • Install Web-GUI package
      • Install Tomcat
    • Finish
  • RedHat/CentOS
    • SELinux
    • Configure firewall
    • CipherMail packages
    • Configure back-end
      • Install back-end packages
      • Configure database
      • Configure Postfix
      • Configure logrotate
      • Configure rsyslog
    • Configure front-end
      • Install Web-GUI package
      • Install Servlet engine
    • Finish
  • SUSE
    • Configure firewall
    • Install required packages
    • CipherMail packages
    • Configure back-end
      • Install back-end packages
      • Configure database
      • Configure Postfix
      • Configure logrotate
      • Configure rsyslog
    • Configure front-end
      • Install Web-GUI package
      • Install Tomcat
    • Finish
  • MySQL/MariaDB
    • Configure max_allowed_packet
      • Ubuntu/Debian
      • RedHat/CentOS
    • Configure database
    • Configure CipherMail
    • Restart services
      • Ubuntu/Debian
      • RedHat/CentOS
  • Oracle DB
    • Configure database
    • Configure CipherMail
      • Disable backup page
        • Ubuntu/Debian
        • RedHat/CentOS
    • Restart services
      • Ubuntu/Debian
      • RedHat/CentOS

Webmail Messenger Administration

  • Introduction
    • Webmail Messenger
    • Network architecture
      • Add-on mode
      • Stand-alone mode
  • Quick setup
    • Add-on mode
    • Stand-alone mode
  • Admin
    • Administrators
      • Roles
    • Network
      • Network interfaces
      • Hostname
      • DNS
      • Hosts
      • NTP
    • MTA
      • Authorized recipients
      • Configuration
        • Relay domains
        • My Networks
        • My Hostname
        • Match subdomains
        • SMTP Helo Name
        • Reject unverified recipient
        • Unverified Recipient Reject Code
        • External relay host
        • Webmail relay host
        • Internal relay host
        • Before filter message size limit
        • After filter message size limit
        • MTA config file
      • SASL
      • MTA Client access list
      • Email forwarding
      • Header checks
      • RBL
        • Static black-list
        • Static white-list
      • MTA lookup tables
      • SMTP transports
    • System
      • Gateway
        • Restart
        • Reboot
        • Shutdown
      • Web Server
      • MTA
    • Backup
      • Backup configuration
        • SMB share settings
        • Automatic backup
        • General
        • Example Cron Expressions
    • Log export
      • Log export configuration
        • SMB share settings
        • Automatic log export
        • General
        • Example Cron Expressions
    • Reporting
    • SSL/TLS
      • Web
      • SMTP
      • CSR
        • Certificate request procedure
    • Company logo
    • SMS gateway
    • Cluster settings
    • Licenses
    • Logger levels
    • Monitoring
      • Supported services
    • Notification
    • PEM to PFX
    • Proxy
    • Send email
  • Settings
    • Introduction
    • Users
      • Mailbox
        • Mailbox filter
      • User cleanup
    • Domains
    • Settings
      • Location
      • Disk usage
      • Quota
      • Created
      • Last login
      • Password is set
      • Password is not set
    • General
      • Comment
      • Default portal login action
      • Use notification sender
      • Login allowed
      • Relay recipient
      • Portal base URL
      • Notification sender
      • Webmail error recipient
      • Portal password policy
      • Portal password policy URL
      • Initial login allowed
      • Server secret
      • Client secret
      • Signup link validity
      • Password reset link validity
    • Webmail
      • Webmail enabled
      • Read receipt
      • Rewrite reply sender
      • Reply sender address
      • Send new mail notification
    • PDF
      • Reply allowed
      • Send CC to replier
      • Reply sender
      • Use reply sender
      • Password length
      • Reply validity interval
      • Reply URL
      • Deep scan
      • Add cover page
      • Cover page
      • Auto rename attachments
      • Attachments to rename
      • Keyword to add to renamed attachments
      • Reply Max. attachment size
      • Reply Max. number of attachments
      • Attach original message as RFC822 (.eml)
      • Background color
    • SMS
      • Phone number
    • Other
      • Server mode
      • Signup URL
      • Password reset URL
      • Webmail login URL
      • Password reset enabled
      • System mail secret
    • Post processing
      • Header external
    • Custom properties
    • Quota
      • User quota
    • Portal authentication settings
      • 2FA secret key
      • 2FA secret key issuer
      • Authentication mode
      • SMS authentication enabled
      • Password mode allowed
      • User override allowed
      • Signup SMS optional
    • Webmail settings
      • Max attachment size
    • Auto cleanup
      • Auto mailbox cleanup
        • Auto cleanup enabled
        • Cleanup interval
      • Auto account cleanup
        • Auto cleanup enabled
    • DKIM
      • System key
    • Licensing
      • Auto assign license
  • Templates
    • Template format
    • Default templates
      • Sign up
      • New mail
      • Forgot password
      • Encrypted PDF OTP
      • Encrypted PDF OTP invite
      • Sender not licensed
      • SMS verification code
      • Notification
      • Custom 1
      • Custom 2
      • Custom 3
  • PDF Messenger
    • Introduction
      • PDF messenger features
    • Password modes
    • Portal
    • One Time Password (OTP)
    • Configure PDF reply
  • Wizards
    • Introduction
    • Initial setup wizard
    • TLS/SSL import wizard
    • Webmail Messenger relay signing certificate import wizard
  • Queues
    • MTA queue
      • Manage MTA queue
      • Filter
      • Email content
    • MPA queue
    • SMS queue
  • Logs
    • MTA logs
    • MPA logs
  • Other
    • SMTP TLS Policy
      • Policy line
        • DOMAIN
    • PKI
      • Certificates
      • Roots
      • CRLs
    • System status
    • Port usage
      • External → Internal
      • Internal → External
    • Sender Rewriting Scheme
      • SRS Configuration

Virtual Appliance

  • Introduction
    • Requirements
  • VMWare
    • Import virtual appliance
  • Hyper-V
  • Azure
    • Download virtual appliance
    • Upload to Azure storage
    • Create image
    • Create VM
    • Resize disk
    • Configure Cockpit
      • Open port 9090
      • Unlock sa user
  • Virtual Appliance configuration
    • File menu
      • Open shell
      • Mount share
      • Unmount share
      • Exit
    • Config menu
      • Network
      • IP Filter
      • Timezone
      • Password
      • Configure Keyboard
    • Backup menu
      • Backup
      • Restore
    • Other menu
      • Reboot
      • Shutdown
      • Restart
      • Update
  • Cockpit Management App
  • Minor updates
  • Major upgrades
    • Upgrading the Gateway
      • Install new virtual appliance
      • Export current database
      • Trust SSH key of new appliance
        • Print the new SSH public key
        • Import the SSH public
      • Download database export
      • Import database
      • Restart back-end
      • Configure missing settings
    • Upgrading Webmail Messenger
      • Install new virtual appliance
      • Export current database
      • Trust SSH key of new appliance
        • Print the new SSH public key
        • Import the SSH public
      • Download database export
      • Import database
      • Restart back-end
      • Configure missing settings
      • Import existing email

Office 365 Integration

  • Introduction
    • Requirements
  • Enable Soft bounce
  • Encrypt outgoing email
    • Office 365 IP range lookup table
    • List of valid sending domains
    • Configure postfix restrictions
    • Configure Office 365 relay connector
    • Setup a transport rule
    • Configure Office 365 incoming connector
    • Configure CipherMail to relay via Office 365
      • Mandatory TLS
      • Test relay
  • Decrypt incoming email

Google Workspace Integration

  • Introduction
    • Requirements
  • Enable Soft bounce
  • Encrypt outgoing email
    • Google Workspace IP range lookup table
    • List of valid sending domains
    • Configure postfix restrictions
    • Add email host to Google Workspace
    • Configure Google Workspace Inbound gateway
    • Add Content compliance rule
    • Configure Google Workspace SMTP relay service
      • Mandatory TLS
      • Test relay
  • Decrypt incoming email

HSM Integration

  • Introduction
    • Requirements
  • Install CipherMail HSM module
  • nCipher
    • Configure nCipher tools
    • Configure PKCS#11
    • Configure nCipher
    • Restart
  • SafeNet ProtectServer
    • Configure PKCS#11
    • Configure ProtectServer
    • Restart
  • SafeNet Luna
    • Configure CipherMail
    • Configure Luna settings
    • Restart
  • Utimaco CryptoServer
    • Configure CryptoServer
    • Configure PKCS#11
    • Configure CryptoServer
    • Additional CipherMail settings
    • Restart
  • Securosys Primus
    • Configure CipherMail
    • Configure Primus settings
    • Restart

Cluster Administration

  • Introduction
    • Requirements
  • Cluster setup
    • Requirements
    • Hostname mapping
    • Configure cluster
      • Configure SSH authentication
        • Log in to each node over SSH
        • Obtain the SSH public keys
        • Authorize the SSH keys for root login
        • Test passwordless login
      • Configure which hosts should be managed
      • Enable the MariaDB Galera cluster
      • Run the Ansible playbook
    • Troubleshooting
  • Bootstrapping the cluster
    • Check node status
    • Check back-end log
    • Starting other nodes
    • Check node status
    • Check back-end log
  • Recovery
    • Failure scenarios
      • One node is gracefully stopped
      • Two nodes are gracefully stopped
      • All nodes are gracefully stopped
      • One node is terminated
      • Two nodes are terminated
      • All nodes are terminated
      • Connection failure between one node and the other nodes
      • Connection failure between all nodes
    • Recovery procedure
      • Check cluster status
      • Recover cluster
        • Only some nodes are down
        • All nodes are down
  • Updates

EJBCA Integration

  • Introduction
  • Configure CipherMail Gateway
  • Configure EJBCA
    • Add a new CA
    • Add a new Certificate Profile
    • Add a new End Entity Profile
    • Finish

CipherMail for Android

  • Reference Guide
    • Introduction
    • Features
    • Main screen
    • Compose message
      • Signing the message
      • Encrypting the message
      • Bcc to self

Frequenly Asked Questions

  • General FAQ
  • S/MIME
    • What exactly is a certificate?
    • What is a root certificate?
    • What is an intermediate certificate?
    • What is an end-user certificate?
    • How can a certificate have ‘child’ certificates?
    • Do ‘child’ certificates share keys with the parent?
    • Why do certificates expire?
    • How does the gateway handle expired certificates?
    • What is the difference between a signature and an encryption certificate?
    • How does the gateway handle key usage and extended key usage?
    • Do we need separate signing and encryption certificates?
    • Can we use a self-signed root certificate or should it be issued by a trusted CA?
    • What does it mean when a certificate is revoked?
    • What is a certificate Trust List (CTL)?
    • What does the key usage nonRepudiation mean?
  • PGP
    • Does the gateway support the web of trust?
    • Is a key trusted by default?
    • Which keys are used for encryption?
    • Why is Incoming PGP/INLINE not enabled by default?
    • What is “Auto update email addresses”?
    • What happens if I click “refresh public keys”?
  • PDF Encryption
    • What is PDF email encryption?
    • With PDF encryption, are attachments encrypted as well?
    • Is PDF encryption safe? Some companies claim they can crack PDFs?
    • With PDF encryption, how can the recipient securely reply ?
    • The PDF does not contain the reply link. What do I have to do to enable the reply functionality?
    • There are different password modes for PDF encryption. Which mode is the most secure?
      • Static password
      • Random password via SMS
      • Random password, sent back to sender
      • One Time Password (OTP) using the online portal
    • With the One Time Password (OTP) mode, a recipient can be invited. Is this not insecure? What happens if the invite is intercepted?
  • DLP
    • I would like to quarantine an outgoing email when the To and CC header contains a large number of recipients. How can I do this?
    • Can the DLP module detect all information leakage?
    • I have added a sentence to the list of patterns but somehow the sentence is not matched. Why is the sentence not matched?
    • What is the skip list?
    • I would like to match a word if the word contains uppercase characters but not when it contains lowercase characters. Is this possible?
    • If my pattern contains uppercase letters, it never matches any text. Why is that?
    • Are there any pre-defined patterns?
    • Are attachments also scanned?
    • I cannot delete certain patterns. Why is that?
    • Are email headers scanned?
  • Gateway
    • Incoming encrypted email is not decrypted. Why is that?
    • Email received by the gateway contain X-Djigzo-Info headers. What are these?
    • The certificates from incoming digitally signed email are not stored in the certificates store?
    • What is the difference between the gateway back-end Web GUI?
    • If I try to login immediately after starting the gateway I get an exception. Why is that?
    • Is it possible to authenticate the admin against LDAP or Active directory?
    • Where should the CipherMail gateway be placed?
    • Is the gateway an on-premises or a cloud based application?
    • Can the gateway be used as a milter?
    • Does the gateway support Let’s Encrypt?
  • Webmail Messenger
    • What are the requirements for a recipient?
    • Can I change the color scheme of the Webmail Messenger portal?
    • Do I need the Gateway to use Webmail Messenger?
    • Is Webmail Messenger an on-premises or a cloud based application?
    • If I use Webmail Messenger in add-on mode, I need to setup an S/MIME connection between the gateway and Webmail Messenger. Why is that?
    • Can I use the community edition of the gateway with Webmail Messenger?
    • Does Webmail Messenger support 2-factor authentication?
    • Are emails stored on Webmail Messenger indefinitely?
    • Does Webmail Messenger support PDF encryption?
    • Does Webmail Messenger support Let’s Encrypt?
  • Cluster
    • Why do I need at least three nodes for a cluster?
    • Can a node run in a different data center than the other nodes?
    • If two nodes are running in data center A and one node in data center B and the connection between the data centers fail, can I make sure that CipherMail is functional in both data centers?
  • Virtual Appliance
    • What are the default admin GUI login credentials?
    • What are the default SSH and console login credentials?
    • I forgot the GUI admin password. How can I reset the password?
      • CipherMail Gateway
      • Webmail Messenger
    • The gateway comes with no certificates installed. Why is that?
    • What is the root password of the Virtual appliance?
  • Support policy and EOL statements
CipherMail Documentation
  • »
  • S/MIME

S/MIME

  • What exactly is a certificate?
  • What is a root certificate?
  • What is an intermediate certificate?
  • What is an end-user certificate?
  • How can a certificate have ‘child’ certificates?
  • Do ‘child’ certificates share keys with the parent?
  • Why do certificates expire?
  • How does the gateway handle expired certificates?
  • What is the difference between a signature and an encryption certificate?
  • How does the gateway handle key usage and extended key usage?
  • Do we need separate signing and encryption certificates?
  • Can we use a self-signed root certificate or should it be issued by a trusted CA?
  • What does it mean when a certificate is revoked?
  • What is a certificate Trust List (CTL)?
  • What does the key usage nonRepudiation mean?
Previous Next

© Copyright 2019-2023, CipherMail B.V.