
[HOW TO] Email Encryption using External Mail Server

Hi All

I've decided to write this tutorial to show how to configure your SMTP proxy to work with an external email server in order to get email encryption to work (and to give the email system the ability to automatically extract S/MIME certificates from incoming emails).

Assumptions:

  1. External Domain is test.org
  2. UTM should have a FQDN hostname
  3. test.org should not be configured for the POP3 proxy


General Settings

  1. Create a DNS host object called mail.external.server which points to the real address of the mail server


Configure SMTP proxy

  • SMTP>Global TAB
  1. Leave this at Default (Simple Mode)
  • SMTP>Routing TAB
  1. Add test.org to the Domains under Email Protection>>SMTP>>Routing. Select Route by: Static host list and add mail.external.server to the Host list
  2. Set Recipient Verification to the recommended value
  • SMTP>Antivirus TAB
  1. Leave default or check the manual for the required settings
  •  SMTP>AntiSpam TAB
  1. Leave default or check the manual for the required settings
  • SMTP>Relaying TAB
  1. Set mail.external.server as Upstream hosts/networks. You want to add your mail server here so as to disable some Antispam features, like greylisting, for that host (they wouldn't make sense for it).
  2. Host-based relay>Allowed hosts/networks >Add the internal networks (NEVER set this to "any", as it will result in an open relay)
  • SMTP> Advanced TAB
  1. Set the smart host under the Smarthost settings section


NOTE: These are the minimum settings required on the SMTP tabs.



Configure Mail Encryption

  1. Enable mail encryption


Encryption > options

  1. Enable the following:
    • Sign outgoing email
    • Encrypt outgoing email
    • Verify incoming email
    • Decrypt incoming email
  1. Enable automatic S/MIME certificate extraction
  2. Set the OpenPGP Keyserver to the MIT PGP Key Server (this is useful if you will be using OpenPGP instead of S/MIME). You can add another keyserver if you want to
  3. Create Internal users (the email address should be <name>@test.org). More information about setting up email encryption can be found here
  4. Enable S/MIME or OpenPGP for the user (if both are enabled, S/MIME will be used by default). If you don't have your own OpenPGP key or S/MIME certificate, the system will automatically create one for you


Configure Domain via cPanel

  1. Log in to your cPanel (for the test.org domain) and navigate to MX Entry. It should look like:
  2. Select Local Mail Exchanger under Email Routing for the specific domain, as per below (most users will have the default setting, which is Automatically Detect Configuration (recommended))
  3. Create a new MX record pointing to your UTM with the lowest number, then delete the existing one. The existing one should be something like:


Code:

Priority      Destination
0             test.org


Once you do this you can confirm the status by logging in to your UTM and executing host test.org (you should only see your UTM address), or use intodns.com as a checker and pay attention to the MX records section.

At that point your UTM should receive and process all incoming mail via the SMTP proxy and forward it to the real mail server.

Troubleshooting SMTP issues

  1. Monitor the SMTP log and make sure that the email is going out/being received via the SMTP proxy
  2. Sending an email from the <name>@test.org account configured (look at step 3 under Email encryption) to another user (e.g. a Gmail account) should carry an OpenPGP or S/MIME signature along with the SMTP Antivirus check footer (can be configured under the SMTP>Antivirus tab)
  3. Receiving an email from an external account at your <name>@test.org address should also show the SMTP Antivirus check footer (if configured), and the SMTP log should have the relevant info


Email Encryption troubleshooting

  1. Assuming emails are being processed by the SMTP proxy and an external user (who is using S/MIME) is sending you an email, the email encryption system will automatically extract S/MIME certificates from the incoming email if:

    the CA that signed the user's (sender's) certificate exists under Encryption>S/MIME Authorities


Thanks

Please PM me if you need me to add more information on this document
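As an added example (not part of wingman's post), the MX check from the cPanel section written as a small shell script. It parses the output of host -t mx <domain>, the command the tutorial tells you to run on the UTM, and succeeds only when every MX target is the UTM's FQDN. The domain test.org, the FQDN utm.test.org and the host(1) output lines are constructed assumptions, so the check runs offline; check_domain_mx is the live variant.

```sh
#!/bin/sh
# Added example, not from the original post. Confirms that a domain's MX
# records point only at the UTM, which is what the tutorial expects after
# the cPanel change. Names (test.org, utm.test.org) are assumptions.

# Read `host -t mx <domain>` output on stdin and print "priority host" per
# record, host lowercased with the trailing dot removed.
mx_records() {
  awk '/mail is handled by/ {
    sub(/\.$/, "", $NF)
    print $(NF-1), tolower($NF)
  }'
}

# Succeed only if stdin holds at least one MX record and every MX host equals
# the UTM FQDN given as $1 (case and a trailing dot do not matter).
mx_only_host() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  mx_records | awk -v want="$want" '
    { n++; if ($2 != want) bad++ }
    END { if (n == 0 || bad > 0) exit 1; exit 0 }'
}

# Live variant: query DNS for domain $1 and check it against UTM FQDN $2.
# Needs network and the host(1) utility; not used by the offline demo below.
check_domain_mx() {
  host -t mx "$1" | mx_only_host "$2"
}

# Constructed sample outputs in host(1) format: before the change, after it,
# and a case where a second MX still points at the real mail server.
MX_BEFORE='test.org mail is handled by 0 test.org.'
MX_AFTER='test.org mail is handled by 10 UTM.test.org.'
MX_MIXED='test.org mail is handled by 10 utm.test.org.
test.org mail is handled by 20 mail.test.org.'

report() {
  if printf '%s\n' "$2" | mx_only_host utm.test.org; then
    echo "$1: OK, only the UTM receives mail for test.org"
  else
    echo "$1: NOT OK, mail can still bypass the UTM"
  fi
}

report before "$MX_BEFORE"
report after  "$MX_AFTER"
report mixed  "$MX_MIXED"
```

The mixed case is the one worth keeping: a leftover lower-priority MX that points straight at the real mail server lets a sender deliver around the UTM, so the proxy's antivirus, antispam and certificate extraction never see that mail. The script therefore fails unless the UTM is the only MX, not merely the preferred one.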


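A second added example, also not from the original post, for the condition in the Email Encryption troubleshooting section: the UTM can only extract a sender's S/MIME certificate when the certificate carried in the signed message chains to a CA listed under Encryption>S/MIME Authorities. The script builds that situation locally with openssl: a CA, a user certificate for an assumed alice@test.org, a signed message, and then the extraction and chain check against the right CA and against an unrelated one. All names and files are assumptions; nothing here touches the UTM.

```sh
#!/bin/sh
# Added example, not from the original post. Reproduces offline the condition
# under which the UTM can extract a sender's S/MIME certificate: the
# certificate carried in the signed message must chain to a CA the UTM trusts
# (Encryption > S/MIME Authorities). test.org, alice@test.org and all file
# names are assumptions; everything is generated locally with openssl.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: $1 = output prefix, $2 = CN. With its default extensions,
# openssl req -x509 marks the certificate CA:TRUE.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# User certificate issued by a CA: $1 = output prefix, $2 = CA prefix,
# $3 = e-mail address placed in the subject (the address the UTM keys on).
make_user_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Alice/emailAddress=$3" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 30 -out "$1.crt" >/dev/null 2>&1
}

# Sign message body $1 with user prefix $2 into the multipart/signed mail $3,
# as an S/MIME-capable client would when writing to <name>@test.org.
sign_message() {
  openssl smime -sign -in "$1" -signer "$2.crt" -inkey "$2.key" -out "$3"
}

# Pull the signer certificate out of signed mail $1 into PEM file $2. This is
# the "automatic certificate extraction" step the tutorial refers to.
extract_signer_cert() {
  openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs \
    | openssl x509 -out "$2"
}

# Exit 0 only if certificate $2 chains to the CA in $1; this is the decision
# the UTM makes against its S/MIME Authorities list.
check_signer_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Fixtures: the sender's CA, an unrelated CA, and one signed message.
make_ca "$WORK/senderca" "Test.org Issuing CA"
make_ca "$WORK/otherca"  "Some Other CA"
make_user_cert "$WORK/alice" "$WORK/senderca" "alice@test.org"
printf 'Subject: hello\n\nsigned test message\n' > "$WORK/body.txt"
sign_message "$WORK/body.txt" "$WORK/alice" "$WORK/signed.eml"
extract_signer_cert "$WORK/signed.eml" "$WORK/extracted.crt"

# Which CA is "listed under S/MIME Authorities" decides the outcome.
if check_signer_chain "$WORK/senderca.crt" "$WORK/extracted.crt"; then
  echo "sender's CA trusted: certificate would be extracted"
fi
if ! check_signer_chain "$WORK/otherca.crt" "$WORK/extracted.crt"; then
  echo "only an unrelated CA trusted: certificate would NOT be extracted"
fi
```

When extraction silently does nothing for a real correspondent, run the extraction half of this against their actual message: the subject and issuer that openssl pkcs7 -print_certs prints tell you which CA certificate (and any intermediates) has to be uploaded under S/MIME Authorities before the UTM will accept the certificate.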

  • Wingman,

    Would you please define how to appropriately use the smart host with the ASG when routing SMTP traffic through the ASG from the ISP?
    Thanks.
  • If you want to use the UTM as the relay for outgoing mail from the external mail server, you must configure the mail server to use the ASG as its Smart Host.  In the ASG, you must put a Host object for the mail server into 'Allowed hosts/networks' on the 'Relaying' tab.

    Note that wingman's recipe is for having the UTM send the mail directly, skipping the mail server.

    For mail inbound to your domain where the FQDN of the ASG is the content of the public MX record of your domain, you will want to configure the mail server to see the ASG as an 'Upstream host', if possible.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello, thank you for this HOW TO guide, it helped a lot.

    My outgoing emails were all being bounced back after following the steps in "Configure SMTP proxy"

    I then removed the smart host settings completely and now the outgoing emails are being proxied by my UTM.
  • jm, the approach I described here is not wingman's as his gives you: 

    Client -> UTM SMTP Proxy -> Recipient


    my approach is:

    Client -> External Mailserver -> UTM SMTP Proxy -> Recipient


    and that would require having a DNS Host for mail.external.server instead of "Internal (Network)" on the 'Relaying' tab.

    That ensures that there's a copy of the sent email on the Mailserver.  It also assures you that the sender has authenticated against the Mailserver and is not just a spamming trojan.  Even though you're not using Exchange, Exchange with SMTP Proxy will help you.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I realized that I originally hadn't read wingman's solution precisely enough.  I've changed my two posts above to explain the difference in our approaches.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I am confused about what problem you are solving.  

    Your mail server to their mail server,

    Routing their incoming mail through your UTM, or

    Routing your mail clients to their mail server.

    I am guessing the first, because the other two require the other system to trust you in ways that are not typically viable.

    For the first option, I am unclear about the advantage of configuring the remote domain as if it was internal rather than using the MX record to handle it as an external domain.