Enable Soft bounce
Configuring Office 365 and CipherMail requires a number of steps. If for whatever reason the CipherMail appliance cannot deliver email to Office 365, for example because Office 365 does not allow the gateway’s IP address to send email via Office 365, the email might get bounced (if Office 365 reports this as a 500 permanent error).
To prevent the CipherMail appliance from bouncing email, it is advised to enable the postfix soft_bounce setting. If soft_bounce is enabled, permanent SMTP errors, i.e., 5XX errors, will be treated as temporary errors, i.e., 4XX.
To enable soft_bounce, follow these steps:
Log into CipherMail appliance.
Open the “MTA config file” page, then add the following line to the end of the postfix config file:
soft_bounce = yes
Click Apply
Note
If it is confirmed that the integration of CipherMail and Office 365 is successful and has been proven to be stable, you might consider disabling the soft_bounce setting.
Encrypt outgoing email
To set up encryption for outgoing email from Office 365 to external recipients, the following steps must be taken:
Create lookup table for the Office 365 IP range
Create a list of valid sender domains
Configure postfix to only allow incoming email from Office 365 for valid domains
Configure Office 365 connector to relay email from Office 365 to CipherMail appliance
Setup a transport rule to relay via CipherMail appliance
Configure Office 365 incoming connector to accept email from CipherMail appliance
Configure the CipherMail appliance to relay email to the final recipients via Office 365.
Office 365 IP range lookup table
The CipherMail appliance should only relay email to external recipients if the request comes from an IP address used by Office 365. The CipherMail appliance contains a module which uses a Microsoft web service to retrieve the IP range used by Office 365.
To load the Office 365 IP range, follow these steps:
Login to CipherMail admin GUI
Open the “MTA client access list providers” page
Click on the “cog” icon for the “Office 365 SMTP endpoints” entry
On the “Client access list for Office 365 SMTP endpoints” page, click the Load list button. The CipherMail appliance will now connect to the Microsoft web service to retrieve the Office 365 IP range
Click Copy to lookup table to save the IP range to the “cidr-o365-ip-range.map” map file.
List of valid sending domains
To make sure the CipherMail appliance will only relay email for your domains, all of your Office 365 hosted domains should be added to the list of authorized sending domains.
Login to CipherMail admin GUI
Open the “MTA lookup tables” page
Click Add lookup table to open the “Add MTA lookup table” page
Set “Map Type” to “hash”
Set “Name” to “exchange-online-authorized-senders”
Add the following line to allow validation emails from Office 365
<> exchange_online_checks
Tip
This entry can optionally be removed after the relay connector is validated (see Configure Office 365 relay connector)
For each of the hosted Office 365 domains, add a line that maps your domain to a postfix restriction class:
example.com exchange_online_checks
where example.com should be replaced by your Office 365 hosted domain.
Click Add to add the new lookup table.
Note
The postfix restriction class exchange_online_checks, which will be added in a later step, is used to restrict incoming IP addresses to the Office 365 IP range.
Configure postfix restrictions
Postfix should now be configured to allow relaying from Office 365.
Log into CipherMail appliance
Open the “MTA config file” page, then add the following check_client_access line to the smtpd_recipient_restrictions setting:
check_client_access cidr:${maps_d_dir}/cidr-o365-ip-range.map
Resulting smtpd_recipient_restrictions should look like:
smtpd_recipient_restrictions = permit_mynetworks
    check_client_access cidr:${maps_d_dir}/cidr-o365-ip-range.map
    reject_unauth_destination
    check_client_access hash:/etc/postfix/client-whitelist
    check_client_access hash:/etc/postfix/client-blacklist
    ${djigzo_rbl_clients}
    ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
Add the following check_sender_access line to smtpd_relay_restrictions setting:
check_sender_access hash:${maps_d_dir}/hash-exchange-online-authorized-senders.map
Resulting smtpd_relay_restrictions should look like:
smtpd_relay_restrictions = permit_mynetworks
    check_sender_access hash:${maps_d_dir}/hash-exchange-online-authorized-senders.map
    permit_sasl_authenticated
    reject_unauth_destination
Add restriction class for Office 365
Add the following lines to the end of postfix config file:
smtpd_restriction_classes = exchange_online_checks
exchange_online_checks = check_client_access cidr:${maps_d_dir}/cidr-o365-ip-range.map
Click Apply
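As an added illustration (not part of the CipherMail documentation or product), the following Python model walks through the smtpd_relay_restrictions and smtpd_recipient_restrictions configured in the steps above and shows why both the authorized-senders hash map and the Office 365 CIDR map are needed: an authorized domain from a non-Office 365 address and an unknown domain from an Office 365 address are both refused. The CIDR range, domain and $mynetworks value are constructed placeholders, not real Office 365 data.

```python
import ipaddress

# Constructed stand-ins for the page's lookup tables (not real Office 365 data).
# cidr-o365-ip-range.map is normally loaded from the Microsoft web service;
# 192.0.2.0/24 is a documentation range used here only as a placeholder.
O365_CIDR_MAP = {"192.0.2.0/24": "OK"}
# hash-exchange-online-authorized-senders.map, as built on this page.
AUTHORIZED_SENDERS = {"<>": "exchange_online_checks",
                      "example.com": "exchange_online_checks"}
MYNETWORKS = ["127.0.0.0/8"]  # assumed value of $mynetworks


def in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def check_client_access_cidr(client_ip: str):
    """check_client_access cidr:cidr-o365-ip-range.map: 'OK' or None (DUNNO)."""
    return "OK" if in_any(client_ip, O365_CIDR_MAP) else None


def check_sender_access(sender: str):
    """check_sender_access hash:...: Postfix tries the full address, then the domain."""
    if sender == "":  # null sender, looked up as <>
        return AUTHORIZED_SENDERS.get("<>")
    domain = sender.rsplit("@", 1)[-1]
    return AUTHORIZED_SENDERS.get(sender) or AUTHORIZED_SENDERS.get(domain)


def exchange_online_checks(client_ip: str):
    """The restriction class from the page: only the Office 365 ranges yield OK."""
    return check_client_access_cidr(client_ip)


def relay_decision(client_ip: str, sender: str, external_recipient: bool) -> str:
    """Walk smtpd_relay_restrictions, then smtpd_recipient_restrictions, as configured
    on this page (whitelist/blacklist/RBL entries omitted). 'OK' ends a list with a
    permit; None (DUNNO) moves on to the next restriction."""
    if in_any(client_ip, MYNETWORKS):            # permit_mynetworks, in both lists
        return "permit"
    # relay list: check_sender_access -> restriction class -> permit_sasl_authenticated
    # (no SASL client here) -> reject_unauth_destination
    action = check_sender_access(sender)
    if action == "exchange_online_checks":
        action = exchange_online_checks(client_ip)
    if action != "OK" and external_recipient:
        return "reject"  # unknown domain, or authorized domain from a non-Office 365 IP
    # recipient list: check_client_access cidr -> reject_unauth_destination
    if check_client_access_cidr(client_ip) != "OK" and external_recipient:
        return "reject"
    return "permit"
```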
Configure Office 365 relay connector
To relay email from Office 365 via the CipherMail appliance, add a new mail flow connector.
Log into “Exchange admin center”
Click mail flow (left-hand side menu)
Click connectors (top menu)
Add a new connector by clicking +
In from field, select “Office 365”
In to field, select “Your organization’s email server”. Click Next
Give the connector a name (for example “Relay via CipherMail”) and optionally a description. Click Next
Select “Only when I have a transport rule set up that redirects messages to this connector”. Click Next
Add a new smart host by clicking +
Specify the fully qualified hostname of the CipherMail appliance (for example ciphermail.example.com). Click Save, then click Next
Make sure “Always use Transport Layer Security (TLS) to secure the connection” and “Issued by a trusted certificate authority (CA)” are selected. For additional security, you can optionally enable domain name validation. Click Next
In the next step, the connector will be validated by sending an email from Office 365 via the connector. Add a valid email address on which you will receive a test email and click Validate
After a successful validation, click Save.
Setup a transport rule
Because we selected “Only when I have a transport rule set up that redirects messages to this connector” in the previous section, we need to add a transport rule which triggers the redirect.
Tip
A rule will only be active when the rule is triggered. This allows you to be selective about which emails are handled by the CipherMail appliance. There are various ways a rule can be triggered. For example, the rule can be triggered if:
the subject contains a certain keyword
the email is sent by a specific user
the email recipient matches some domain
the email contains some header
In this example we will trigger the rule if the subject contains the keyword [secure].
Log into “Exchange admin center”
Click mail flow (left-hand side menu)
Click rules (top menu)
Add a new rule by clicking + and selecting Create a new rule… from the pull-down menu
On the “new rule” dialog, give the rule a name. For example: “Relay via CipherMail”
In the “Apply this rule if..” field, select “The recipient is located…” and then select “Outside the organization”. Click OK
Because we need to add an additional trigger, we need to view more options. Click More options…
Click add condition, select “The subject or body…” and then select “subject includes any of these words”
Add the subject keyword that triggers the rule. For this example we will set it to [secure]. Click + to add the keyword. Click OK
In the “Do the following…” field, select “Redirect the message to…” and select “the following connector”
Select the connector we added in section Configure Office 365 relay connector. Click OK
Click add exception
Select “The sender IP address is in any of these ranges or exactly matches”
Specify the IP address of the CipherMail gateway. Click + and then OK
Leave the other settings to the default values. Click Save.
Now every email sent from Office 365 for which the subject contains the keyword [secure] will be delivered via the CipherMail appliance.
Configure Office 365 incoming connector
Warning
Microsoft recently locked down access to the incoming connector. By default you are no longer allowed to enable an incoming connector which is used to send email to external recipients. If you try to enable the connector, the following error message will be shown:
Error executing request. For this service offering, you can’t enable an inbound connector. Please contact Support to enable it. Organization ‘…’, Service Offering: ‘O365_BUSINESS_ESSENTIALS’.
Unfortunately only Microsoft can lift this block. Please contact Microsoft support to allow the incoming connector to be enabled.
If Microsoft is not willing to enable the connector, you should use another relay option, such as Amazon SES. Please contact us if you need help setting up Amazon SES with the CipherMail Appliances.
While it’s possible to let the CipherMail appliance deliver email to the final recipients, it’s better to use the Office 365 SMTP infrastructure to deliver email to the final recipients.
We therefore need to setup a connector in Office 365 which accepts incoming connections from the CipherMail appliance.
Log into “Exchange admin center”
Click mail flow (left-hand side menu)
Click connectors (top menu)
Add a new connector by clicking +
In from field, select “Your organization’s email server”
In to field, select “Office 365”. Click Next
Give the connector a name (for example “Accept from CipherMail”) and optionally a description. Leave other settings to the default value. Click Next
In “How should Office 365 identify email from your email server?” select “By verifying that the IP address…”. Click + and add the IP address of the CipherMail appliance. Click OK, Click Next
On the final page, click Save.
Configure CipherMail to relay via Office 365
Because we want Office 365 to deliver all email to final recipients, we need to configure CipherMail to relay all email via Office 365.
Log into CipherMail appliance
Open the “MTA config” page
Set the “Internal relay host” field to
<your-o365-domain>.mail.protection.outlook.com
Set “External relay host” field to
<your-o365-domain>.mail.protection.outlook.com
Click Apply.
Note
<your-o365-domain> should be replaced by your default Office 365 domain name with “.” characters replaced by “-”.
Example: if your default Office 365 hosted domain is ciphermail.example.com, set the “Internal relay host” field to ciphermail-example-com.mail.protection.outlook.com
Mandatory TLS
To make sure email sent from the CipherMail appliance to Office 365 cannot be intercepted, we need to configure mandatory TLS for the connection to Office 365.
Login to CipherMail admin GUI
Open the “MTA lookup tables” page
Click Add lookup table to open the “Add MTA lookup table” page
Set “Map Type” to “hash”
Set “Name” to “tls-policy”
Add the following line
[<your-o365-domain>.mail.protection.outlook.com]:25 verify match=mail.protection.outlook.com
Click Add to add the new lookup table
Open the “MTA config file” page, then add the following line to the end of the postfix config file:
smtp_tls_policy_maps = hash:${maps_d_dir}/hash-tls-policy.map
Click Apply
Note
<your-o365-domain> should be replaced by your default Office 365 domain name with “.” characters replaced by “-”.
Example: if your default Office 365 hosted domain is ciphermail.example.com, the host name becomes ciphermail-example-com.mail.protection.outlook.com
Test relay
Test whether relaying via Office 365 is correctly setup and allowed:
Log into CipherMail appliance
Open the “Compose a test email” page
On the “Compose a test email” page, set “To” to a valid external recipient
Select a valid “Subject”
Click “More” to enable additional settings
Set “Sender” to a valid sender from your Office 365 domain
Provide a body text
Click Send
Open the MTA log and check whether the email was successfully relayed via Office 365.
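An added example (not from the CipherMail documentation) of the check the last step asks for: it parses constructed Postfix smtp log lines of the shape the MTA log shows and confirms, per queue id, that the message went to the Office 365 host with status=sent over a “Verified” TLS session, which is what the “verify” level set in the Mandatory TLS section should produce. The host name, addresses and queue ids are made up for the sample.

```python
import re

# Constructed Postfix log lines (not real output): one delivery that satisfied the
# tls-policy "verify" level, and one whose certificate check failed and was deferred.
SAMPLE_LOG = """\
May  4 10:01:02 gw postfix/smtp[2211]: 7F3A1B2C3D: Verified TLS connection established to ciphermail-example-com.mail.protection.outlook.com[203.0.113.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  4 10:01:03 gw postfix/smtp[2211]: 7F3A1B2C3D: to=<bob@external.example>, relay=ciphermail-example-com.mail.protection.outlook.com[203.0.113.10]:25, delay=1.4, delays=0.1/0.01/0.8/0.5, dsn=2.0.0, status=sent (250 2.6.0 Queued mail for delivery)
May  4 10:02:10 gw postfix/smtp[2212]: 9A8B7C6D5E: Untrusted TLS connection established to ciphermail-example-com.mail.protection.outlook.com[203.0.113.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  4 10:02:11 gw postfix/smtp[2212]: 9A8B7C6D5E: to=<bob@external.example>, relay=ciphermail-example-com.mail.protection.outlook.com[203.0.113.10]:25, delay=1.2, delays=0.1/0.01/0.7/0.4, dsn=4.7.5, status=deferred (Server certificate not verified)
"""

TLS_RE = re.compile(r" postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): "
                    r"(?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection established to (?P<host>[^\[]+)\[")
DELIVERY_RE = re.compile(r" postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
                         r"relay=(?P<relay>[^\[,]+)[^,]*, .*status=(?P<status>\w+)")


def parse_mta_log(text: str) -> dict:
    """Collect, per queue id, the TLS trust level, relay host and delivery status."""
    entries = {}
    for line in text.splitlines():
        m = TLS_RE.search(line)
        if m:
            entries.setdefault(m["qid"], {})["tls"] = m["level"]
            continue
        m = DELIVERY_RE.search(line)
        if m:
            entry = entries.setdefault(m["qid"], {})
            entry.update(relay=m["relay"], status=m["status"], rcpt=m["rcpt"])
    return entries


def relayed_via_o365(entry: dict, o365_host: str) -> bool:
    """True only if the message reached the Office 365 host, was accepted (status=sent)
    and the session was logged as Verified, i.e. the certificate matched the policy."""
    return (entry.get("relay") == o365_host
            and entry.get("status") == "sent"
            and entry.get("tls") == "Verified")
```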
Decrypt incoming email
With Office 365, email for your domain is delivered to Office 365 (assuming your MX records are set up for Office 365). If you want the CipherMail gateway to decrypt incoming S/MIME or PGP encrypted email, incoming email should, at some point, be handled by the CipherMail gateway.
Note
You only need to set up incoming email decryption if you use the CipherMail gateway and use S/MIME or PGP. If you only use PDF encryption or Webmail Messenger, you can skip this part.
One option is to re-configure your MX records so that email for your domains is directly delivered to your CipherMail gateway. The CipherMail gateway should then deliver the email to Office 365.
Another option is to configure Office 365 to deliver incoming email to the CipherMail gateway, which then sends it back to Office 365 after decryption. To prevent a mail loop, Office 365 should only forward the email to the CipherMail gateway if the email was not already handled by the CipherMail gateway. The main benefit of this setup is that Office 365 will be the first entry point for your email and can therefore check incoming email for viruses or spam.
To configure forwarding incoming email to CipherMail gateway for decryption, the following steps are required:
Log into “Exchange admin center”
Click mail flow (left-hand side menu)
Click rules (top menu)
Add a new rule by clicking + and selecting Create a new rule… from the pull-down menu
Give the rule a name. For example: “CipherMail decrypt”
In the “Apply this rule if..” field, select “The recipient is located…” and then select “Inside the organization”. Click OK
Click More options…
In the “Do the following…” field, select “Redirect the message to…” and select “the following connector”
Select the connector we added in section Configure Office 365 relay connector. Click OK
Click add exception
Select “The sender is located…” and then select “Inside the organization”. Click OK
Click add exception
Select “The sender IP address is in any of these ranges or exactly matches”
Specify the IP address of the CipherMail gateway. Click + and then OK
Leave the other settings at their default value and click Save
In the CipherMail appliance, add all the Office 365 domains to the “Relay domain” list.
Log into CipherMail appliance
Open the “MTA config” page
For each of your Office 365 hosted domains, add the domain as a “Relay Domain”
Click Apply