Channel: Sophos User Bulletin Board

[HOW TO] Email Encryption using External Mail Server

Hi All

I've decided to write this tutorial to show how to configure your SMTP proxy to work with an external email server in order to get email encryption to work (and to give the email system the ability to automatically extract S/MIME certificates from incoming emails).

Assumptions:
  1. External Domain is test.org
  2. UTM should have a FQDN hostname
  3. test.org should not be configured for pop3 proxy

General Settings
  1. Create a DNS host object called mail.external.server which points to the real address of the mail server

Configure SMTP proxy
  • SMTP>Global TAB
  1. Leave this Default (Simple Mode)
  • SMTP>Routing TAB
  1. Add test.org to the Domains under Email Protection>>SMTP>>Routing. Select Route by: Static host list and add mail.external.server under the Host list
  2. Set Recipient Verification to the recommended value
  • SMTP>Antivirus TAB
  1. Leave default or check the manual for the required settings
  • SMTP>AntiSpam TAB
  1. Leave default or check the manual for the required settings
  • SMTP>Relaying TAB
  1. Set mail.external.server under Upstream hosts/networks. You add your mail server here so that some Antispam features, such as greylisting, are disabled for that host (applying them to your own mail server wouldn't make sense).
  2. Host-based relay>Allowed hosts/networks >Add the internal networks (NEVER have this set to "any" as it will result in an open relay)
  • SMTP> Advanced TAB
  1. Set the smart host under the Smarthost settings section

NOTE: This is the minimum configuration required on the SMTP tab


Configure Mail Encryption
  1. Enable mail encryption

Encryption > options
  1. Enable the following:
    • Sign outgoing email
    • Encrypt outgoing email
    • Verify incoming email
    • Decrypt incoming email
  2. Enable automatic S/MIME certificate extraction
  3. Set OpenPGP Keyserver to MIT PGP Key Server (this is useful if you will be using OpenPGP instead of S/MIME). You can add another keyserver if you want to
  4. Create Internal users (the email address should be <name>@test.org). More information about setting up email encryption can be found here
  5. Enable S/MIME or OpenPGP for the user (if both are enabled, S/MIME will be used by default). If you don't have your own OpenPGP key or S/MIME certificate, the system will automatically create one for you

Configure Domain via Cpanel
  1. Login to your cPanel (for the test.org domain) and navigate to the MX Entry page.
  2. Select Local Mail Exchanger under Email Routing for the specific domain (most users will have the default setting, which is Automatically Detect Configuration (recommended))

  3. Create a new MX record pointing to your UTM with the lowest priority number, then delete the existing one. The existing one should look something like:

Code:

Priority      Destination
0             test.org

Once you do this you can confirm the status by logging in to your UTM and running host test.org (you should only see your UTM address), or by using intodns.com as a checker and paying attention to the MX records section.

At that point your UTM should receive and process all incoming mail via the SMTP proxy and forward it to the Real mail server.
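As an added example (not part of the original post), a small shell check that turns the "you should only see your UTM address" test into something repeatable: it parses the output of host -t mx for the domain and fails if any MX record still points somewhere other than the UTM, since a leftover MX entry lets mail bypass the SMTP proxy (and with it the antivirus, antispam and encryption processing). The UTM FQDN utm.test.org and the sample lookup outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that every MX record for a
# domain names the UTM, using the line format produced by "host -t mx DOMAIN":
#   test.org mail is handled by 10 utm.test.org.

UTM_FQDN="utm.test.org"   # assumed FQDN of the UTM (the post requires one)

# mx_points_to_utm DOMAIN UTM_FQDN
# Reads "host -t mx" style lines on stdin. Returns 0 when at least one MX
# record exists and all of them name the UTM; returns 1 otherwise (no MX at
# all, or a stale record that would route mail around the SMTP proxy).
mx_points_to_utm() {
    domain="$1"; utm="$2"
    awk -v utm="$utm" -v domain="$domain" '
        $1 == domain && $2 == "mail" && $3 == "is" && $4 == "handled" {
            total++
            host = $NF
            sub(/\.$/, "", host)                 # drop the trailing dot
            if (tolower(host) != tolower(utm)) bad++
        }
        END { if (total > 0 && bad == 0) exit 0; exit 1 }
    '
}

# live_check DOMAIN: the real query, run on the UTM after the cPanel change.
live_check() {
    host -t mx "$1" | mx_points_to_utm "$1" "$UTM_FQDN"
}

# Constructed sample outputs (not real lookups):
# - the state before the change, matching the "0 test.org" record in the post
# - the state after the change, where only the UTM is listed
# - a half-finished change, where the old record was never deleted
BEFORE_CHANGE="test.org mail is handled by 0 test.org."
AFTER_CHANGE="test.org mail is handled by 10 utm.test.org."
MIXED="test.org mail is handled by 10 utm.test.org.
test.org mail is handled by 0 test.org."
```

Run it with, for example, printf '%s\n' "$AFTER_CHANGE" | mx_points_to_utm test.org "$UTM_FQDN" && echo "MX OK"; on the UTM itself, live_check test.org does the real lookup.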

Troubleshooting SMTP issue
  1. Monitor the SMTP log and make sure that email is going out and being received via the SMTP proxy
  2. Sending an email from the configured <name>@test.org account (see step 3 under Email encryption) to another user (e.g. a Gmail account) should produce an OpenPGP or S/MIME signature along with the SMTP Antivirus check footer (which can be configured under the SMTP>Antivirus tab)
  3. Receiving an email from an external account at your <name>@test.org address should also show the SMTP Antivirus check footer (if configured), and the SMTP log should have the relevant info

Email Encryption troubleshooting
  1. Assuming emails are being processed by the SMTP proxy and an external user is sending you an email (the external user is using S/MIME), the email encryption system will automatically extract S/MIME certificates from the incoming email if:

    the CA that signed the sender's certificate exists under Encryption>S/MIME Authorities

Thanks

Let me know if I've missed anything :)
