
[HOW TO] Email Encryption using External Mail Server

Hi All

I've decided to write this tutorial to show how to configure your SMTP proxy to work with an external email server so that email encryption works (and the email system can automatically extract S/MIME certificates from incoming emails).

Assumptions:

  1. External Domain is test.org
  2. UTM should have a FQDN hostname
  3. test.org should not be configured for the POP3 proxy


General Settings

  1. Create a DNS host object called mail.external.server which points to the real address of the mail server


Configure SMTP proxy

  • SMTP>Global TAB
  1. Leave this at the default (Simple Mode)
  • SMTP>Routing TAB
  1. Add test.org to the Domains under Email Protection>>SMTP>>Routing. Select Route by: Static host list and add the mail.external.server host object under the Host list
  2. Set Recipient Verification to the recommended value
  • SMTP>Antivirus TAB
  1. Leave the defaults or check the manual for the required settings
  • SMTP>AntiSpam TAB
  1. Leave the defaults or check the manual for the required settings
  • SMTP>Relaying TAB
  1. Add mail.external.server under Upstream hosts/networks. You want your mail server here so as to disable some Antispam features, such as greylisting, for that host (they wouldn't make sense for it).
  2. Host-based relay>Allowed hosts/networks>Add the internal networks (NEVER set this to "any", as it will result in an open relay)
  • SMTP>Advanced TAB
  1. Set the smart host under the Smarthost settings section

 

NOTE: This is the minimum configuration required on the SMTP tabs.



Configure Mail Encryption

  1. Enable mail encryption


Encryption > options

  1. Enable the following:
    • Sign outgoing email
    • Encrypt outgoing email
    • Verify incoming email
    • Decrypt incoming email
  1. Enable automatic S/MIME certificate extraction
  2. Set the OpenPGP Keyserver to the MIT PGP Key Server (this is useful if you will be using OpenPGP instead of S/MIME). You can add another keyserver if you want to
  3. Create Internal users (the email address should be <name>@test.org). More information about setting up email encryption can be found here
  4. Enable S/MIME or OpenPGP for the user (if both are enabled, S/MIME will be used by default). If you don't have your own OpenPGP key or S/MIME certificate, the system will automatically create one for you


Configure Domain via Cpanel

  1. Login to your cPanel (for the test.org domain) and navigate to MX Entry. It should look like this:
  2. Select Local Mail Exchanger under Email Routing for the specific domain as per below (most users will have the default setting, which is Automatically Detect Configuration (recommended))
  3. Create a new MX record pointing to your UTM with the lowest number and then delete the existing one. The existing one should be something like:

Code:

Priority      Destination
0                test.org

Once you have done this you can confirm the status by logging in to your UTM and executing "host test.org" (you should only see your UTM address), or by using intodns.com as a checker and paying attention to the MX records section.
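As an added check for the MX cutover (example code, not part of the original post): a small POSIX sh function that reads the output of "host -t mx <domain>" and confirms that every MX target is the UTM's FQDN, reporting any record that still points elsewhere, such as the old "0 test.org" entry shown above. The hostname utm.test.org and the sample host output are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Usage on a live system:
#   host -t mx test.org | mx_only_points_to utm.test.org
# Exit 0 if every MX record targets the given FQDN, 1 if a stray record
# remains, 2 if no MX records were seen at all.
mx_only_points_to() {
    # Normalise the expected name: lower case, no trailing dot.
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    awk -v want="$expected" '
        # host(1) prints: "<domain> mail is handled by <prio> <target>."
        /mail is handled by/ {
            target = tolower($NF); sub(/\.$/, "", target)
            total++
            if (target != want) {
                bad++
                printf "stray MX record: priority %s -> %s\n", $(NF-1), target
            }
        }
        END {
            if (total == 0) { print "no MX records seen"; exit 2 }
            exit (bad > 0) ? 1 : 0
        }'
}

# Constructed sample output, as host(1) would print it. utm.test.org is a
# placeholder for the UTM FQDN; "0 test.org" is the legacy cPanel record.
SAMPLE_AFTER_CUTOVER='test.org mail is handled by 10 utm.test.org.'
SAMPLE_WITH_LEGACY='test.org mail is handled by 10 utm.test.org.
test.org mail is handled by 0 test.org.'

# Demo run: the first sample passes, the second reports the leftover record.
if printf '%s\n' "$SAMPLE_AFTER_CUTOVER" | mx_only_points_to utm.test.org; then
    echo "cutover complete: all MX records point at the UTM"
fi
if printf '%s\n' "$SAMPLE_WITH_LEGACY" | mx_only_points_to utm.test.org; then
    echo "unexpected: legacy record not detected"
else
    echo "cutover incomplete: delete the legacy MX record"
fi
```

Until the legacy record is gone, some senders will still deliver straight to the old host and bypass the SMTP proxy, so the check is worth repeating after the DNS change has propagated.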

At that point your UTM should receive and process all incoming mail via the SMTP proxy and forward it to the real mail server.

Troubleshooting SMTP issues

  1. Monitor the SMTP log and make sure that email is going out/being received via the SMTP proxy
  2. Sending an email from the configured <name>@test.org account (see step 3 under Email encryption) to another user (e.g. a Gmail account) should produce a message carrying an OpenPGP or S/MIME signature along with the SMTP Antivirus check footer (can be configured under the SMTP>Antivirus tab)
  3. Receiving email from an external account to your <name>@test.org should also show the SMTP Antivirus check footer (if configured), and the SMTP log should have the relevant info


Email Encryption troubleshooting

  1. Assuming emails are being processed by the SMTP proxy and an external user (who is using S/MIME) is sending you an email, the email encryption system will automatically extract the S/MIME certificate from the incoming email only if:

    the CA that signed the user's (sender's) certificate exists under Encryption>S/MIME Authorities
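The CA condition in this note can be reproduced on any machine with OpenSSL, as an added example that is not part of the original post: a constructed private CA ("Test CA") issues an S/MIME certificate to alice@test.org, Alice signs a message, and the signature is then verified once against that CA and once against an unrelated CA. The second verification fails, which is the situation the UTM is in when the sender's issuing CA is missing from Encryption>S/MIME Authorities. The last function prints the issuer of the certificate embedded in the signed message, which is the name you need to find in the Authorities list. All names, files and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# Everything is written to a throwaway directory; names are constructed.
WORK=${WORK:-$(mktemp -d)}

# make_ca <common name> <file prefix>: self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Issue an S/MIME certificate for alice@test.org, signed by "Test CA".
make_signer_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Alice/emailAddress=alice@test.org" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/alice.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/alice.pem" 2>/dev/null
}

# Sign a message. The signer certificate travels inside the PKCS#7 blob,
# which is what a receiving gateway extracts from an incoming mail.
sign_message() {
    printf 'Subject: test\n\nhello from alice\n' > "$WORK/msg.txt"
    openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/alice.pem" \
        -inkey "$WORK/alice.key" -out "$WORK/signed.eml"
}

# verify_against <cafile>: exit 0 only if the signature chains to a CA in <cafile>.
verify_against() {
    openssl smime -verify -in "$WORK/signed.eml" -CAfile "$1" -out /dev/null 2>/dev/null
}

# Print the issuer of the certificate embedded in the signed message; this
# is the CA that has to be present under S/MIME Authorities.
embedded_issuer() {
    openssl smime -pk7out -in "$WORK/signed.eml" \
        | openssl pkcs7 -print_certs -noout | grep '^issuer='
}

# Build both CAs, the signer certificate and the signed message.
setup_demo() {
    make_ca "Test CA" ca && make_ca "Unrelated CA" other \
        && make_signer_cert && sign_message
}

# Demo run
setup_demo
embedded_issuer
if verify_against "$WORK/ca.pem"; then
    echo "issuing CA trusted: signature verifies, certificate can be extracted"
fi
if verify_against "$WORK/other.pem"; then
    echo "unexpected: verification succeeded without the issuing CA"
else
    echo "issuing CA missing: verification fails, no certificate is extracted"
fi
```

The same two commands are useful against a real message: save the incoming signed mail as a file, run the pk7out/print_certs pipeline to read its issuer, and compare that issuer with the CAs listed under Encryption>S/MIME Authorities.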


Thanks

Please PM me if you need me to add more information to this document



I realized that I originally hadn't read wingman's solution precisely enough. I've changed my two posts above to explain the difference in our approaches.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA