
Integration with Zix Gateway

Has anyone set up secure email integration with a Zix Gateway?

I have this vendor that I am trying to set up secure email with their Zix Gateway. From what I have been able to gather the way this works is that the vendor has a non-secure system which is set up with their public MX records. Then they have a different mail system for secure messages. It seems like the secure system forces TLS. I imagine there is something more secure on the vendor side as well.

In my research I found some references that said I could rewrite messages from user@vendor.local to user@zixvpm.vendor.local.  I verified the vendor had MX records on zixvpm.vendor.local.  When I send messages to user@zixvpm.vendor.local it is successful from my side but my contact never sees the message.  The person I am talking to says the to address has to be user@vendor.local to work.  It seems rewriting the address isn't going to work.

My next idea was to use DNS to override whatever their default MX records point to. Unfortunately their public mail servers use Gmail so I can't override that.

At this point my only ideas are to override the vendor's MX records in DNS which is harder than overriding A records. I also haven't come up with a maintainable way to handle it yet.

My other idea is to set up an Exchange connector to forward all email to vendor.local to their secure mail server. I am not a big fan of this because our Exchange servers don't currently have direct access to the internet and because it will bypass DKIM on the SEA.



This thread was automatically locked due to age.
  • In very general terms, if you wish to have different layers of email traffic flow such as redirections and additional scanning..

    The best approach is usually separating your mail traffic..

    For example:

    Your hardware licence also comes with VMs; you may need to contact your account manager to get a VM activation code.

    Next step is to deploy the new VM in front of your existing one, don't cluster it.

    You will need to design some rules for your environment but they should all fall into the additional or data control rule sets.

    I.e.

    If mail arrives to x.mydomain, add header internal with the action of redirect to another server (your SEA)

    If mail arrives to x.secure.domain, append header secure and redirect to Zix

    You could make some other rules as needed, perhaps by IP or recipient, or even reject the mail..

    You will also have to address spam and AV.. the issue here is that the original MTA will not be connecting to the downstream appliance.. you will need to do spam/AV and DNS checks from the front appliance.. set the actions to add headers and send to the downstream SEA... then make rules to quarantine... this will ensure you don't end up with 2 quarantines (in the case of virus, action is delete with an additional action of reject)

    For outbound mail you can have Exchange look at the headers and deliver it to the appropriate device.

    This kind of configuration is cheating in that you're using the appliance as a postfix box.. as far as mail is concerned it's just another hop.. the other key here is that you're not changing message content or rewriting addresses, you're just having postfix redirect the mail.

    Ideally a dedicated postfix box is the “best” solution.. that would ultimately give you the flexibility you need without mickey-mousing an appliance..

    The other note is that you could technically accomplish the same thing with the single appliance, however it's much cleaner and predictable this way imo

    Just set up the rules with the action of redirect
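
On the dedicated Postfix hop suggested above, per-domain redirection without address rewriting is a transport table entry, and forced TLS is a TLS policy table entry keyed by the next hop. This added example (not from the thread or from any vendor documentation) audits two constructed tables for redirects that would still be delivered without mandatory TLS; the `partner.example` row and the table contents are assumptions, while `vendor.local` and `zixvpm.vendor.local` are the placeholders used in the question.

```python
# Constructed sample tables in Postfix transport(5) / TLS policy format.
TRANSPORT = """\
# recipient domain    transport:nexthop
vendor.local          smtp:zixvpm.vendor.local
partner.example       smtp:[mail.partner.example]:587
"""
TLS_POLICY = """\
# must be keyed by the next hop exactly as written in the transport table
zixvpm.vendor.local   encrypt
partner.example       verify
"""

# Security levels at which Postfix will not fall back to cleartext delivery.
ENFORCED = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_table(text):
    """Parse 'key value' lines, skipping blank lines and # comments."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        table[parts[0].lower()] = parts[1].strip()
    return table

def audit(transport_text, policy_text):
    """Return (domain, nexthop, level, ok) for each smtp/relay redirect."""
    policy = parse_table(policy_text)
    findings = []
    for domain, target in parse_table(transport_text).items():
        transport, _, nexthop = target.partition(":")
        if transport not in ("smtp", "relay") or not nexthop:
            continue
        # The policy lookup uses the next hop, not the recipient domain,
        # so a policy keyed by the recipient domain is never consulted.
        fields = policy.get(nexthop.lower(), "").split()
        level = fields[0] if fields else None
        findings.append((domain, nexthop, level, level in ENFORCED))
    return findings

if __name__ == "__main__":
    for domain, nexthop, level, ok in audit(TRANSPORT, TLS_POLICY):
        print(f"{domain:18} -> {nexthop:30} tls={level} {'OK' if ok else 'NOT ENFORCED'}")
```

The unbracketed next hop `zixvpm.vendor.local` is resolved through that name's MX records, while a bracketed next hop such as `[mail.partner.example]:587` skips the MX lookup and needs its policy entry written in the same bracketed form.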
