Setup O365
Enable Soft bounce
Setting up Office 365 (O365) and CipherMail involves multiple steps. If the CipherMail gateway fails to deliver emails to O365 — such as when O365 blocks the gateway’s IP address from sending emails—messages may be returned as undeliverable
To avoid the CipherMail gateway from bouncing emails, it is recommended to enable the Postfix soft_bounce setting. When soft_bounce is enabled, permanent SMTP errors (e.g., 5XX errors) will be handled as temporary errors (i.e., 4XX).
To enable soft_bounce, follow these steps:
Log into CipherMail gateway.
Open “MTA config” page
Add the following line to the end of postfix config file:
soft_bounce = yes
Click Save
Note
If the integration of CipherMail and O365 is confirmed to be successful and stable, you may consider turning off the soft_bounce setting.
Allow O365 IP range
Since the CipherMail gateway is configured as a mail filter for O365, the gateway should only allow incoming email from the O365 IP range.
To configure postfix to only allow email from O365, add the following condition to the postfix configuration settings
smtpd_recipient_restrictions
and smtpd_relay_restrictions
:
check_client_access cidr:/etc/postfix/maps.d/cidr-spf.protection.outlook.com.map
The smtpd_recipient_restrictions
and smtpd_relay_restrictions
settings should now look like:
smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/system-check-recipient-access
check_recipient_access hash:/etc/postfix/maps.d/hash-check-recipient-access.map
permit_mynetworks
check_client_access cidr:/etc/postfix/maps.d/cidr-spf.protection.outlook.com.map
reject_unauth_destination
${ciphermail_reject_unverified_recipient? reject_unverified_recipient}
smtpd_relay_restrictions =
permit_mynetworks
check_client_access cidr:/etc/postfix/maps.d/cidr-spf.protection.outlook.com.map
reject_unauth_destination
With the above changes, the CipherMail gateway will only accept email from the O365 IP range.
Note
The CipherMail Enterprise Gateway contains a module that periodically writes the IP range used by O365 to the
mapping file /etc/postfix/maps.d/cidr-spf.protection.outlook.com.map
Enable client side cert auth
To allow relaying via O365, client side certificate authentication should be enabled:
Uncomment the following line from the Postfix main config file
:smtp_tls_cert_file = $smtpd_tls_cert_file
Add O365 incoming connector
To relay email from the CipherMail gateway to O365, add a new mail flow connector:
Log into Exchange admin center
Add a new connector
In from field, select
Your organization's email server
In to field, select
Office 365
. Click NextGive the connector a name (for example Accept from CipherMail) and optionally a description.
Under
What do you want to do after connector is saved?
, selectTurn it on
and selectRetain internal Exchange email headers
Click Next
In
How should Office 365 identify email from your email server?
, selectBy verifying that the subject name on the certificate ...
and provide the domain name of the gateway TLS certificate.Click Create connector.
Add O365 outgoing connector
To relay email from O365 to the CipherMail gateway, add a new mail flow connector:
Log into Exchange admin center
Add a new connector
In from field, select
Office 365
In to field, select
Your organization's email server
. Click NextGive the connector a name (for example Relay via CipherMail) and optionally a description.
Under
What do you want to do after connector is saved?
, selectTurn it on
and selectRetain internal Exchange email headers
Click Next
Select
Only when I have a transport rule set up that redirects messages to this connector
. Click NextAdd a new smart host by clicking +
Specify the fully qualified hostname of the CipherMail gateway (for example ciphermail.example.com). Click Save and Click Next
Make sure
Always use Transport Layer Security (TLS) to secure the connection
andIssued by a trusted certificate authority (CA)
is selected. For additional security, you can optionally enable domain name validation. Click NextIn the next step, the connector will be validated by sending an email from Office 365 via the connector. Add a valid email address on which you will receive a test email and click Validate
After a successful validation, click Save.
Configure mandatory TLS
To make sure that the connection from the CipherMail gateway to O365 is protected with TLS, use the following procedure:
Login to CipherMail admin GUI
Open the MTA Maps page
Click tls-policy
Add the following line:
[<your-o365-domain>.mail.protection.outlook.com]:25 verify match=mail.protection.outlook.com
Click Save
Note
<your-o365-domain>
should be replaced by your default Office 365 domain name with “.” characters replaced by “-”
Example: if your default Office 365 hosted domain is ciphermail.example.com
, set “relay host” field to ciphermail-example-com.mail.protection.outlook.com
Relay via O365
All emails sent from the gateway, whether intended for internal or external recipients, must be securely relayed through O365. To achieve this, configure both the internal and external relay host settings on the gateway to point to the O365 mail relay address.
On the “MTA settings” page
, set External Relay Host to:<your-o365-domain>.mail.protection.outlook.com
Set Internal Relay Host to:
<your-o365-domain>.mail.protection.outlook.com
Click Save
All outgoing emails from the CipherMail gateway will now be routed through O365.
Test relay via O365
To verify if email can be relayed through O365, follow these steps:
Login to CipherMail admin GUI
Open “Send Mail” page
On the “Send Mail” page, set
Subject
andBody
Set
from
andsender
to an internal userSet
recipients
to an external email addressClick Send
Check whether email is delivered
Note
If the email fails to deliver, review the MTA log file for additional details.
Repeat the above procedure but now set from
and sender
to an external user and recipients
to an
internal user.
Skip internal email
Create a rule to bypass sending emails to the CipherMail gateway for messages exchanged between internal users.
Note
In a standard configuration, emails exchanged between internal users are not processed by the CipherMail gateway, as they will neither be encrypted nor signed. If you would like internal emails to also be routed through the gateway, please reach out to us to explore the available options.
To skip internal email, add the following mail flow rule:
In Exchange Admin, open the mail flow Rules page
and create a new rule:Set Name: Skip internal to internal
Apply this rule if:
The sender is internal/external
, selectinside the organzation
Click + to add an additional rule
And:
The recipient is internal/external
, selectinside the organzation
Do the following:
Modify the message properties
, selectset a message header
Set the message header name to
X-CipherMail-Internal
and value toTrue
In Set rule settings, select
Stop processing more rules
Click Next and finish
Enable the rule.
Add header after processing email
An email should be sent to the CipherMail Gateway only the first time it is processed by O365. To achieve this, the CipherMail Gateway should add a unique header to the email to indicate it has already been processed. If this unique header is present, O365 should skip sending the email to the CipherMail Gateway.
To indicate that an email is processed by the gateway, a special header should be added by using the following procedure:
Login to the CipherMail console as the
sa
userExecute the following cli commands
ciphermail-cli property global set --name post-processing-header-internal --value "X-CipherMail-Processed: <PROCESSED-SECRET>" ciphermail-cli property global set --name post-processing-header-external --value "X-CipherMail-Processed: <PROCESSED-SECRET>"
Note
Replace <PROCESSED-SECRET>
by a secret value
The CipherMail gateway will now include the header X-CipherMail-Processed
: <PROCESSED-SECRET>
in every email it processes.
Relay external email via the CipherMail gateway
To configure O365 to relay email to external recipients via the CipherMail gateway do the following:
In Exchange Admin, open the mail flow Rules page
and create a new rule:Set Name: Relay via CipherMail Gateway
Apply this rule if:
The recipient is internal/external
, selectoutside the organzation
Do the Following:
Redirect the message to
Select:
the following connector
Select the
Relay via CipherMail
connector which was created in the previous stepsExcept if:
The message headers
,includes any of these words
Set header name to:
X-CipherMail-Processed
and value to<PROCESSED-SECRET>
Click Save
Enable the rule.
Now all email from O365 sent to an external recipient will be relayed by the CipherMail gateway.
Remove processed header
To make sure the CipherMail processed header value is not leaked, the header should be removed by O365.
In Exchange Admin, open the mail flow Rules page
and create a new rule:Set Name: Remove CipherMail Handled header
Apply this rule if:
Apply to all messages
Do the Following:
Modify the message properties
Select:
remove a message header
Set
message header
to X-CipherMail-ProcessedClick Save
Enable the rule.
Note
The order of the mail flow rules is important. The rule to remove the processed header should be executed after the previous rules.
Relay incoming email via the CipherMail gateway
With the above configuration, only emails sent to external recipients are processed through the CipherMail gateway. However, to enable the decryption of S/MIME or PGP encrypted emails, messages sent to internal recipients should also be routed through the gateway. To process all emails, both internal and external, the rule Relay external email via the CipherMail gateway needs to be updated to relay emails for both internal and external recipients.
In Exchange Admin, edit the rule
Relay external email via the CipherMail gateway
:Change the ‘Apply this rule if’ clause from
The recipient is internal/external
toApply to all messages
Click Save
Every email received by O365 will now be relayed through the CipherMail gateway, unless it has already been processed by the CipherMail gateway or the sender and recipient are both internal (refer to the Skip internal email rule).