Setup O365

Enable Soft bounce

Setting up Office 365 (O365) and CipherMail involves multiple steps. If the CipherMail gateway fails to deliver emails to O365 — such as when O365 blocks the gateway’s IP address from sending emails—messages may be returned as undeliverable

To avoid the CipherMail gateway from bouncing emails, it is recommended to enable the Postfix soft_bounce setting. When soft_bounce is enabled, permanent SMTP errors (e.g., 5XX errors) will be handled as temporary errors (i.e., 4XX).

To enable soft_bounce, follow these steps:

  1. Log into CipherMail gateway.

  2. Open “MTA config” page MTA ‣ Settings ‣ Actions ‣ Edit Main Config

  3. Add the following line to the end of postfix config file:

    soft_bounce = yes
    
  4. Click Save

Note

If the integration of CipherMail and O365 is confirmed to be successful and stable, you may consider turning off the soft_bounce setting.

Allow O365 IP range

Since the CipherMail gateway is configured as a mail filter for O365, the gateway should only allow incoming email from the O365 IP range.

To configure postfix to only allow email from O365, add the following condition to the postfix configuration settings smtpd_recipient_restrictions and smtpd_relay_restrictions MTA ‣ Settings ‣ Actions ‣ Edit Main Config:

check_client_access cidr:/etc/postfix/maps.d/cidr-spf.protection.outlook.com.map

The smtpd_recipient_restrictions and smtpd_relay_restrictions settings should now look like:

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/system-check-recipient-access
    check_recipient_access hash:/etc/postfix/maps.d/hash-check-recipient-access.map
    permit_mynetworks
    check_client_access cidr:/etc/postfix/maps.d/cidr-spf.protection.outlook.com.map
    reject_unauth_destination
    ${ciphermail_reject_unverified_recipient? reject_unverified_recipient}

smtpd_relay_restrictions =
    permit_mynetworks
    check_client_access cidr:/etc/postfix/maps.d/cidr-spf.protection.outlook.com.map
    reject_unauth_destination

With the above changes, the CipherMail gateway will only accept email from the O365 IP range.

Note

The CipherMail Enterprise Gateway contains a module that periodically writes the IP range used by O365 to the mapping file /etc/postfix/maps.d/cidr-spf.protection.outlook.com.map

Enable client side cert auth

To allow relaying via O365, client side certificate authentication should be enabled:

Uncomment the following line from the Postfix main config file MTA ‣ Settings ‣ Actions ‣ Edit Main Config:

smtp_tls_cert_file = $smtpd_tls_cert_file

Add O365 incoming connector

To relay email from the CipherMail gateway to O365, add a new mail flow connector:

  1. Log into Exchange admin center

  2. Add a new connector Mail flow ‣ Connectors ‣ Add a connector

  3. In from field, select Your organization's email server

  4. In to field, select Office 365. Click Next

  5. Give the connector a name (for example Accept from CipherMail) and optionally a description.

  6. Under What do you want to do after connector is saved?, select Turn it on and select Retain internal Exchange email headers

  7. Click Next

  8. In How should Office 365 identify email from your email server?, select By verifying that the subject name on the certificate ... and provide the domain name of the gateway TLS certificate.

  9. Click Create connector.

Add O365 outgoing connector

To relay email from O365 to the CipherMail gateway, add a new mail flow connector:

  1. Log into Exchange admin center

  2. Add a new connector Mail flow ‣ Connectors ‣ Add a connector

  3. In from field, select Office 365

  4. In to field, select Your organization's email server. Click Next

  5. Give the connector a name (for example Relay via CipherMail) and optionally a description.

  6. Under What do you want to do after connector is saved?, select Turn it on and select Retain internal Exchange email headers

  7. Click Next

  8. Select Only when I have a transport rule set up that redirects messages to this connector. Click Next

  9. Add a new smart host by clicking +

  10. Specify the fully qualified hostname of the CipherMail gateway (for example ciphermail.example.com). Click Save and Click Next

  11. Make sure Always use Transport Layer Security (TLS) to secure the connection and Issued by a trusted certificate authority (CA) is selected. For additional security, you can optionally enable domain name validation. Click Next

  12. In the next step, the connector will be validated by sending an email from Office 365 via the connector. Add a valid email address on which you will receive a test email and click Validate

  13. After a successful validation, click Save.

Configure mandatory TLS

To make sure that the connection from the CipherMail gateway to O365 is protected with TLS, use the following procedure:

  1. Login to CipherMail admin GUI

  2. Open the MTA Maps page MTA ‣ Maps

  3. Click tls-policy

  4. Add the following line:

    [<your-o365-domain>.mail.protection.outlook.com]:25 verify match=mail.protection.outlook.com
    
  5. Click Save

Note

<your-o365-domain> should be replaced by your default Office 365 domain name with “.” characters replaced by “-”

Example: if your default Office 365 hosted domain is ciphermail.example.com, set “relay host” field to ciphermail-example-com.mail.protection.outlook.com

Relay via O365

All emails sent from the gateway, whether intended for internal or external recipients, must be securely relayed through O365. To achieve this, configure both the internal and external relay host settings on the gateway to point to the O365 mail relay address.

  1. On the “MTA settings” page MTA ‣ Settings, set External Relay Host to:

    <your-o365-domain>.mail.protection.outlook.com
    
  2. Set Internal Relay Host to:

    <your-o365-domain>.mail.protection.outlook.com
    
  3. Click Save

All outgoing emails from the CipherMail gateway will now be routed through O365.

Test relay via O365

To verify if email can be relayed through O365, follow these steps:

  1. Login to CipherMail admin GUI

  2. Open “Send Mail” page MTA ‣ Queue ‣ MTA ‣ Actions ‣ Send Mail

  3. On the “Send Mail” page, set Subject and Body

  4. Set from and sender to an internal user

  5. Set recipients to an external email address

  6. Click Send

  7. Check whether email is delivered

Note

If the email fails to deliver, review the MTA log file for additional details.

Repeat the above procedure but now set from and sender to an external user and recipients to an internal user.

Skip internal email

Create a rule to bypass sending emails to the CipherMail gateway for messages exchanged between internal users.

Note

In a standard configuration, emails exchanged between internal users are not processed by the CipherMail gateway, as they will neither be encrypted nor signed. If you would like internal emails to also be routed through the gateway, please reach out to us to explore the available options.

To skip internal email, add the following mail flow rule:

  1. In Exchange Admin, open the mail flow Rules page mail flow ‣ Rules and create a new rule:

  2. Set Name: Skip internal to internal

  3. Apply this rule if: The sender is internal/external, select inside the organzation

  4. Click + to add an additional rule

  5. And: The recipient is internal/external, select inside the organzation

  6. Do the following: Modify the message properties, select set a message header

  7. Set the message header name to X-CipherMail-Internal and value to True

  8. In Set rule settings, select Stop processing more rules

  9. Click Next and finish

  10. Enable the rule.

Add header after processing email

An email should be sent to the CipherMail Gateway only the first time it is processed by O365. To achieve this, the CipherMail Gateway should add a unique header to the email to indicate it has already been processed. If this unique header is present, O365 should skip sending the email to the CipherMail Gateway.

To indicate that an email is processed by the gateway, a special header should be added by using the following procedure:

  1. Login to the CipherMail console as the sa user

  2. Execute the following cli commands

    ciphermail-cli property global set --name post-processing-header-internal --value "X-CipherMail-Processed: <PROCESSED-SECRET>"
    ciphermail-cli property global set --name post-processing-header-external --value "X-CipherMail-Processed: <PROCESSED-SECRET>"
    

Note

Replace <PROCESSED-SECRET> by a secret value

The CipherMail gateway will now include the header X-CipherMail-Processed : <PROCESSED-SECRET> in every email it processes.

Add Authorization header

The CipherMail gateway is configured to accept emails only from the O365 IP range. However, relying solely on IP-based filtering is not fully secure, because any O365 customer could potentially create a mail connector that targets your CipherMail gateway. This can expose your system to unauthorized relaying attempts from external O365 tenants.

To ensure that only messages originating from your own O365 domains are accepted, it is recommended to implement an additional layer of authentication. Configure your O365 to include a secret authentication header in all outbound emails destined for the CipherMail gateway. This header should contain a unique and confidential value known only to your organization.

On the CipherMail gateway, set up a rule to accept and relay emails only if they include the required secret authentication header with the correct value. Messages missing the header or using an incorrect secret should be rejected.

Configure O365 to add a secret header

  1. In Exchange Admin, open the mail flow Rules page mail flow ‣ Rules) and create a new rule:

  2. Set Name: Add X-CipherMail-Relay-Secret

  3. Apply this rule if: Apply to all messages

  4. Select: Do the Following: Modify the message properties

  5. Select: set a message header

  6. Set message header to X-CipherMail-Relay-Secret

  7. Set message header value to <RELAY-HEADER-SECRET>

  8. Except if: The message headers, includes any of these words

  9. Set header name to: X-CipherMail-Processed and value to <PROCESSED-SECRET>

  10. Click Save

  11. Enable the rule.

Note

Replace <RELAY-HEADER-SECRET> by a secret value selected by you and replace <PROCESSED-SECRET> by the value selected in the previous step

Every email sent by O365 will now include the secret header value, unless it has already been processed by the CipherMail gateway.

Check authorization header

The CipherMail gateway should be configured to only allow relay if the authorization header is set.

  1. Login to the CipherMail console as the sa user

  2. Execute the following cli commands

    ciphermail-cli property global set --name mta-relay-header-secrets --value '[{\"id\":\"1\", \"relayHeaderSecret\":\"<RELAY-HEADER-SECRET>\"}]'
    ciphermail-cli property global set --name mta-check-relay-header --value true
    

Note

Replace <RELAY-HEADER-SECRET> by the value selected in the previous step

The CipherMail gateway will now only allow relaying email if the submitted email contains the following header:

X-CipherMail-Relay-Secret: <RELAY-HEADER-SECRET>

Relay external email via the CipherMail gateway

To configure O365 to relay email to external recipients via the CipherMail gateway do the following:

  1. In Exchange Admin, open the mail flow Rules page mail flow ‣ Rules and create a new rule:

  2. Set Name: Relay via CipherMail Gateway

  3. Apply this rule if: The recipient is internal/external, select outside the organzation

  4. Do the Following: Redirect the message to

  5. Select: the following connector

  6. Select the Relay via CipherMail connector which was created in the previous steps

  7. Except if: The message headers, includes any of these words

  8. Set header name to: X-CipherMail-Processed and value to <PROCESSED-SECRET>

  9. Click Save

  10. Enable the rule.

Now all email from O365 sent to an external recipient will be relayed by the CipherMail gateway.

Remove processed header

To make sure the CipherMail processed header value is not leaked, the header should be removed by O365.

  1. In Exchange Admin, open the mail flow Rules page mail flow ‣ Rules and create a new rule:

  2. Set Name: Remove CipherMail Handled header

  3. Apply this rule if: Apply to all messages

  4. Do the Following: Modify the message properties

  5. Select: remove a message header

  6. Set message header to X-CipherMail-Processed

  7. Click Save

  8. Enable the rule.

Note

The order of the mail flow rules is important. The rule to remove the processed header should be executed after the previous rules.

Relay incoming email via the CipherMail gateway

With the above configuration, only emails sent to external recipients are processed through the CipherMail gateway. However, to enable the decryption of S/MIME or PGP encrypted emails, messages sent to internal recipients should also be routed through the gateway. To process all emails, both internal and external, the rule Relay external email via the CipherMail gateway needs to be updated to relay emails for both internal and external recipients.

  1. In Exchange Admin, edit the rule Relay external email via the CipherMail gateway mail flow ‣ Rules:

  2. Change the ‘Apply this rule if’ clause from The recipient is internal/external to Apply to all messages

  3. Click Save

Every email received by O365 will now be relayed through the CipherMail gateway, unless it has already been processed by the CipherMail gateway or the sender and recipient are both internal (refer to the Skip internal email rule).