Setup Google Workspace

Enable Soft bounce

Setting up Google Workspace (GWS) and CipherMail involves multiple steps. If the CipherMail gateway fails to deliver emails to GWS, such as when GWS blocks the gateway’s IP address from sending emails, messages may be returned as undeliverable

To avoid the CipherMail gateway from bouncing emails, it is recommended to enable the Postfix soft_bounce setting. When soft_bounce is enabled, permanent SMTP errors (e.g., 5XX errors) will be handled as temporary errors (i.e., 4XX).

To enable soft_bounce, follow these steps:

  1. Log into CipherMail gateway.

  2. Open “MTA config” page MTA ‣ Settings ‣ Actions ‣ Edit Main Config

  3. Add the following line to the end of postfix config file:

    soft_bounce = yes
    
  4. Click Save

Note

If the integration of CipherMail and GWS is confirmed to be successful and stable, you may consider turning off the soft_bounce setting.

Allow Google Workspace IP range

Since the CipherMail gateway is configured as a mail filter for Google Workspace, the gateway should only allow incoming email from the Google Workspace IP range.

To configure postfix to only allow email from GWS, add the following condition to the postfix configuration settings smtpd_recipient_restrictions and smtpd_relay_restrictions MTA ‣ Settings ‣ Actions ‣ Edit Main Config:

check_client_access cidr:/etc/postfix/maps.d/cidr-gmail.com.map

The smtpd_recipient_restrictions and smtpd_relay_restrictions settings should now look like:

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/system-check-recipient-access
    check_recipient_access hash:/etc/postfix/maps.d/hash-check-recipient-access.map
    permit_mynetworks
    check_client_access cidr:/etc/postfix/maps.d/cidr-gmail.com.map
    reject_unauth_destination
    ${ciphermail_reject_unverified_recipient? reject_unverified_recipient}

smtpd_relay_restrictions =
    permit_mynetworks
    check_client_access cidr:/etc/postfix/maps.d/cidr-gmail.com.map
    reject_unauth_destination

With the above changes, the CipherMail gateway will only accept email from the GWS IP range.

Note

The CipherMail Enterprise Gateway contains a module that periodically writes the IP range used by GWS to the mapping file /etc/postfix/maps.d/cidr-gmail.com.map

Add CipherMail hosts to GWS

To ensure that email traffic is properly routed through the gateway, you must add the gateway’s hostname to the list of approved hosts in GWS. This allows GWS to recognize the gateway as a trusted system for handling email delivery.

  1. Log into Google Admin

  2. Open the Gmail app page (Apps ‣ Google Workspace ‣ Gmail)

  3. On the Gmail app page, click Hosts

  4. On the “Hosts” page, click Add route

  5. On the “Add mail route” page, select a name for the route (for example: Route to CipherMail Gateway)

  6. If you have multiple CipherMail gateway’s select Multiple hosts, if not, select Single host

  7. Enter hostname or IP of the ciphermail gateway(s) and set port to 25

  8. Under options, Select Require mail to be transmitted via a secure (TLS) connection, Require CA signed certificate and Validate certificate hostname

  9. Click Test TLS connection and check whether the TLS connection succeeds

  10. Click Save

Route email via CipherMail Gateway

CipherMail Gateway should be set up as a mail filter. This means that Google Workspace (GWS) will initially receive all incoming email, and then forward each message to the CipherMail Gateway for processing. Once processing is complete, the gateway will return the message to GWS. To avoid mail loops, it is important to ensure that GWS only sends each message to the gateway once.

The recommended method is to have the CipherMail Gateway add a unique header to any message it processes. When GWS receives a message, it can check for the presence of this header. If the header exists, GWS should not forward the message to the gateway again.

Attention

Unfortunately GWS does not support removing headers after processing. The unique header can therefore not be kept secret. This means that a sender could potentially add this header to their message to bypass processing by CipherMail. Although this does not pose a direct security threat under most circumstances, it could allow a sender to intentionally avoid decryption or filtering by CipherMail.

Add header after processing email

To indicate that an email is processed by the gateway, a special header should be added by using the following procedure:

  1. Login to the CipherMail console as the sa user

  2. Execute the following cli commands

    ciphermail-cli property global set --name post-processing-header-internal --value "X-CipherMail-Processed: <PROCESSED-ID>"
    ciphermail-cli property global set --name post-processing-header-external --value "X-CipherMail-Processed: <PROCESSED-ID>"
    

    where <PROCESSED-ID> should be replaced by a unique value selected by you.

    Tip

    You can use the command line pwgen utility to generate a sufficiently long random value:

    sudo dnf install pwgen
    pwgen -N 1 30
    

The CipherMail gateway will now include the header X-CipherMail-Processed : <PROCESSED-ID> in every email it processes.

Relay email via CipherMail Gateway

The CipherMail gateway is configured to accept emails only from the GWS IP range. However, relying solely on IP-based filtering is not fully secure, because any GWS customer could potentially create a mail connector that targets your CipherMail gateway. This can expose your system to unauthorized relaying attempts from external GWS tenants.

To ensure that only messages originating from your own GWS domains are accepted, it is recommended to implement an additional layer of authentication. Configure your GWS to include a secret authentication header in all outbound emails destined for the CipherMail gateway. This header should contain a unique and confidential value known only to your organization.

On the CipherMail gateway, set up a rule to accept and relay emails only if they include the required secret authentication header with the correct value. Messages missing the header or using an incorrect secret should be rejected.

  1. Open the Gmail app page (Apps ‣ Google Workspace ‣ Gmail)

  2. Open the Compliance page by clicking Compliance

  3. On the Compliance page, under “Content compliance” click Configure

  4. On the “Add setting” page

    • Set description to “Route via CipherMail Gateway”

    • Under “Email messages to affect”, select Inbound and Outbound

    • Under “Add expressions that describe …”, select If ANY of the following match the message

    • Click Add to add an expression, select Advanced content match, under “Location”, select Full headers, under “Match type”, select Not contains text, under “Content”, paste a secret value <PROCESSED-ID>, Where <PROCESSED-ID> should be replaced by the same secret value from the previous steps.

    • Under “If the above expressions match, do the following”, select “Modify message”, select Add custom header, click Add and add the following header:

      X-CipherMail-Relay-Secret: <RELAY-HEADER-SECRET>
      

      Where <X-CipherMail-Relay-Secret> should be replaced by a secret value selected by you.

      Tip

      You can use the command line pwgen utility to generate a sufficiently long random secret:

      pwgen -N 1 30
      
    • Under “Route” select Change route and select the route which was setup in the previous step (Route to CipherMail Gateway)

    • Under “Encryption” select Require secure transport (TLS)`

    • Click Save

Every email sent by GWS will now include the secret header values.

Check authorization header

The CipherMail gateway should be configured to only allow relay if the authorization header is set.

  1. Login to the CipherMail console as the sa user

  2. Execute the following cli commands

    ciphermail-cli property global set --name mta-relay-header-secrets --value '[{\"id\":\"1\", \"relayHeaderSecret\":\"<RELAY-HEADER-SECRET>\"}]'
    ciphermail-cli property global set --name mta-check-relay-header --value true
    

Note

Replace <RELAY-HEADER-SECRET> by the value selected in the previous step

The CipherMail gateway will now only allow relaying email if the submitted email contains the following header:

X-CipherMail-Relay-Secret: <RELAY-HEADER-SECRET>

Configure GWS SMTP relay service

Rather than sending email directly to external recipients, we will use the Google SMTP service to handle outbound email delivery. To enable this, you must configure the Google SMTP relay service to accept connections from the gateway’s IP address.

Important

Gmail requires all senders to authenticate with either SPF or DKIM. Make sure that SPF and DKIM is correctly configured.

  1. Log into Google Admin

  2. Open the Gmail app page (Apps ‣ G Suite ‣ Gmail)

  3. Click Routing

  4. Under “SMTP relay service”, click Configure

  5. Set “Allowed Senders” to Any addresses…

  6. Set the description to “Allow CipherMail gateway”

  7. Under “Authentication”, select Only accept mail from the specified IP addresses

  8. Add the IP address of the CipherMail gateway.

  9. Select Require TLS encryption

  10. Click Save

Configure HELO

The CipherMail gateway use the SMTP relay service to relay to external recipients.

GWS requires that the HELO SMTP name is set to the domain name hosted by GWS

(see https://support.google.com/a/answer/2956491?hl=en)

  1. Login to CipherMail admin GUI

  2. Open the MTA Setting page MTA ‣ Settings

  3. Set “Helo Name” to the fqdn of your email domain

  4. Click Save

Configure mandatory TLS

To make sure that the connection from the CipherMail gateway to GWS is protected with TLS, use the following procedure:

  1. Login to CipherMail admin GUI

  2. Open the MTA Maps page MTA ‣ Maps

  3. Click tls-policy

  4. Add the following line:

    [smtp-relay.gmail.com]:587 verify
    
  5. Click Save

Relay via GWS

All emails sent from the gateway, whether intended for internal or external recipients, must be securely relayed through GWS. To achieve this, configure both the internal and external relay host settings on the gateway to point to the GWS mail relay address.

  1. On the “MTA settings” page MTA ‣ Settings, set External Relay Host to:

    [smtp-relay.gmail.com]:587
    
  2. Set Internal Relay Host to:

    [smtp-relay.gmail.com]:587
    
  3. Click Save

All outgoing emails from the CipherMail gateway will now be routed through GWS.