Setup Google Workspace

Enable Soft bounce

Setting up Google Workspace (GWS) and CipherMail involves multiple steps. If the CipherMail gateway fails to deliver emails to GWS, such as when GWS blocks the gateway’s IP address from sending emails, messages may be returned as undeliverable

To avoid the CipherMail gateway from bouncing emails, it is recommended to enable the Postfix soft_bounce setting. When soft_bounce is enabled, permanent SMTP errors (e.g., 5XX errors) will be handled as temporary errors (i.e., 4XX).

To enable soft_bounce, follow these steps:

Log into CipherMail gateway.
Open “MTA config” page MTA ‣ Settings ‣ Actions ‣ Edit Main Config
Add the following line to the end of postfix config file:
soft_bounce = yes
Click Save

Note

If the integration of CipherMail and GWS is confirmed to be successful and stable, you may consider turning off the soft_bounce setting.

Allow Google Workspace IP range

Since the CipherMail gateway is configured as a mail filter for Google Workspace, the gateway should only allow incoming email from the Google Workspace IP range.

To configure postfix to only allow email from GWS, add the following condition to the postfix configuration settings smtpd_recipient_restrictions and smtpd_relay_restrictions MTA ‣ Settings ‣ Actions ‣ Edit Main Config:

check_client_access cidr:/etc/postfix/maps.d/cidr-gmail.com.map

The smtpd_recipient_restrictions and smtpd_relay_restrictions settings should now look like:

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/system-check-recipient-access
    check_recipient_access hash:/etc/postfix/maps.d/hash-check-recipient-access.map
    permit_mynetworks
    check_client_access cidr:/etc/postfix/maps.d/cidr-gmail.com.map
    reject_unauth_destination
    ${ciphermail_reject_unverified_recipient? reject_unverified_recipient}

smtpd_relay_restrictions =
    permit_mynetworks
    check_client_access cidr:/etc/postfix/maps.d/cidr-gmail.com.map
    reject_unauth_destination

With the above changes, the CipherMail gateway will only accept email from the GWS IP range.

Note

The CipherMail Enterprise Gateway contains a module that periodically writes the IP range used by GWS to the mapping file /etc/postfix/maps.d/cidr-gmail.com.map

Add CipherMail hosts to GWS

To ensure that email traffic is properly routed through the gateway, you must add the gateway’s hostname to the list of approved hosts in GWS. This allows GWS to recognize the gateway as a trusted system for handling email delivery.

Log into Google Admin
Open the Gmail app page (Apps ‣ Google Workspace ‣ Gmail)
On the Gmail app page, click Hosts
On the “Hosts” page, click Add route
On the “Add mail route” page, select a name for the route (for example: Route to CipherMail Gateway)
If you have multiple CipherMail gateway’s select Multiple hosts, if not, select Single host
Enter hostname or IP of the ciphermail gateway(s) and set port to 25
Under options, Select Require mail to be transmitted via a secure (TLS) connection, Require CA signed certificate and Validate certificate hostname
Click Test TLS connection and check whether the TLS connection succeeds
Click Save

Route email via CipherMail Gateway

CipherMail Gateway should be set up as a mail filter. This means that Google Workspace (GWS) will initially receive all incoming email, and then forward each message to the CipherMail Gateway for processing. Once processing is complete, the gateway will return the message to GWS. To avoid mail loops, it is important to ensure that GWS only sends each message to the gateway once.

The recommended method is to have the CipherMail Gateway add a unique header to any message it processes. When GWS receives a message, it can check for the presence of this header. If the header exists, GWS should not forward the message to the gateway again.

Attention

Unfortunately GWS does not support removing headers after processing. The unique header can therefore not be kept secret. This means that a sender could potentially add this header to their message to bypass processing by CipherMail. Although this does not pose a direct security threat under most circumstances, it could allow a sender to intentionally avoid decryption or filtering by CipherMail.

Add header after processing email

To indicate that an email is processed by the gateway, a special header should be added by using the following procedure:

Login to the CipherMail console as the sa user

Execute the following cli commands

ciphermail-cli property global set --name post-processing-header-internal --value "X-CipherMail-Processed: <PROCESSED-ID>"
ciphermail-cli property global set --name post-processing-header-external --value "X-CipherMail-Processed: <PROCESSED-ID>"

where <PROCESSED-ID> should be replaced by a unique value selected by you.

Tip

You can use the command line pwgen utility to generate a sufficiently long random value:

sudo dnf install pwgen
pwgen -N 1 30

The CipherMail gateway will now include the header X-CipherMail-Processed : <PROCESSED-ID> in every email it processes.

Relay email via CipherMail Gateway

The CipherMail gateway is configured to accept emails only from the GWS IP range. However, relying solely on IP-based filtering is not fully secure, because any GWS customer could potentially create a mail connector that targets your CipherMail gateway. This can expose your system to unauthorized relaying attempts from external GWS tenants.

To ensure that only messages originating from your own GWS domains are accepted, it is recommended to implement an additional layer of authentication. Configure your GWS to include a secret authentication header in all outbound emails destined for the CipherMail gateway. This header should contain a unique and confidential value known only to your organization.

On the CipherMail gateway, set up a rule to accept and relay emails only if they include the required secret authentication header with the correct value. Messages missing the header or using an incorrect secret should be rejected.

Open the Gmail app page (Apps ‣ Google Workspace ‣ Gmail)
Open the Compliance page by clicking Compliance
On the Compliance page, under “Content compliance” click Configure
On the “Add setting” page
- Set description to “Route via CipherMail Gateway”
- Under “Email messages to affect”, select Inbound and Outbound
- Under “Add expressions that describe …”, select If ANY of the following match the message
- Click Add to add an expression, select Advanced content match, under “Location”, select Full headers, under “Match type”, select Not contains text, under “Content”, paste a secret value <PROCESSED-ID>, Where <PROCESSED-ID> should be replaced by the same secret value from the previous steps.
- Under “If the above expressions match, do the following”, select “Modify message”, select Add custom header, click Add and add the following header:
  X-CipherMail-Relay-Secret: <RELAY-HEADER-SECRET>
  Where <X-CipherMail-Relay-Secret> should be replaced by a secret value selected by you.
  Tip
  
  You can use the command line pwgen utility to generate a sufficiently long random secret:
  
  pwgen -N 1 30
- Under “Route” select Change route and select the route which was setup in the previous step (Route to CipherMail Gateway)
- Under “Encryption” select Require secure transport (TLS)`
- Click Save

Every email sent by GWS will now include the secret header values.

Check authorization header

The CipherMail gateway should be configured to only allow relay if the authorization header is set.

Login to the CipherMail console as the sa user

Execute the following cli commands

ciphermail-cli property global set --name mta-relay-header-secrets --value '[{\"id\":\"1\", \"relayHeaderSecret\":\"<RELAY-HEADER-SECRET>\"}]'
ciphermail-cli property global set --name mta-check-relay-header --value true

Note

Replace <RELAY-HEADER-SECRET> by the value selected in the previous step

The CipherMail gateway will now only allow relaying email if the submitted email contains the following header:

X-CipherMail-Relay-Secret: <RELAY-HEADER-SECRET>

Configure GWS SMTP relay service

Rather than sending email directly to external recipients, we will use the Google SMTP service to handle outbound email delivery. To enable this, you must configure the Google SMTP relay service to accept connections from the gateway’s IP address.

Important

Gmail requires all senders to authenticate with either SPF or DKIM. Make sure that SPF and DKIM is correctly configured.

Log into Google Admin
Open the Gmail app page (Apps ‣ G Suite ‣ Gmail)
Click Routing
Under “SMTP relay service”, click Configure
Set “Allowed Senders” to Any addresses…
Set the description to “Allow CipherMail gateway”
Under “Authentication”, select Only accept mail from the specified IP addresses
Add the IP address of the CipherMail gateway.
Select Require TLS encryption
Click Save

Configure HELO

The CipherMail gateway use the SMTP relay service to relay to external recipients.

GWS requires that the HELO SMTP name is set to the domain name hosted by GWS

(see https://support.google.com/a/answer/2956491?hl=en)

Login to CipherMail admin GUI
Open the MTA Setting page MTA ‣ Settings
Set “Helo Name” to the fqdn of your email domain
Click Save

Configure mandatory TLS

To make sure that the connection from the CipherMail gateway to GWS is protected with TLS, use the following procedure:

Login to CipherMail admin GUI
Open the MTA Maps page MTA ‣ Maps
Click tls-policy
Add the following line:
```
[smtp-relay.gmail.com]:587 verify
```
Click Save

Relay via GWS

All emails sent from the gateway, whether intended for internal or external recipients, must be securely relayed through GWS. To achieve this, configure both the internal and external relay host settings on the gateway to point to the GWS mail relay address.

On the “MTA settings” page MTA ‣ Settings, set External Relay Host to:
```
[smtp-relay.gmail.com]:587
```
Set Internal Relay Host to:
```
[smtp-relay.gmail.com]:587
```
Click Save

All outgoing emails from the CipherMail gateway will now be routed through GWS.