This submenu is called up from Mail System Managed domains by clicking on a Domain name to be edited and/or via Add managed domain... for the creation of a new Managed domain.
(new in 13.0.0)
Clicking Edit mailprocessing groups... opens a submenu which enables a more granular configuration of individual options for certain user groups.
Parameters | Description
---|---
Domain name | Name of the email domain for which emails are to be accepted and processed by the SEPPmail Secure E-Mail Gateway. This setting is only editable when creating a new Managed domain, that is, when the menu was opened via the Add managed domain... button (see Settings).
Forwarding server IP or MX name | Name of the email server to which the incoming emails for the above-mentioned Domain name are to be forwarded after processing by the SEPPmail Secure E-Mail Gateway. The following is accepted as input: an IP address, a host name or an MX name. In each case there is the option to additionally enter an individual port. The port is entered directly afterwards, separated by a colon ":", that is "[IP address]:port", "[hostname]:port" or "[MX name]:port". If no port is specified, the standard SMTP port TCP 25 is used.
Mails from this domain must have a header / with the following value: | Under Mails from this domain must have a header, an X header can be indicated, whose expected value is entered under with the following value:. Every email sent from the current Managed domain must then contain the X header specified here with the corresponding value (case sensitive!); otherwise, the email is rejected. The X header is removed after the check.
Microsoft 365 Tenant ID (changed in 12.1.16) | By entering the Microsoft 365 Tenant ID (see also Search for your Microsoft 365 Tenant ID), relaying from Microsoft 365 (see Exchange Online Relaying) for the respective Managed domain is limited to the specific Microsoft 365 tenant.
List of allowed exchange online originator organisations (comma separated list) (new in 12.1.6) | To check the identity of the sender domain, the header X-OriginatorOrg set by Microsoft 365 is used. By comparing the header value with the respective SEPPmail Managed domain, relaying from Microsoft 365 (see Exchange Online Relaying) for the respective Managed domain is limited to the specific Microsoft 365 tenant. Any further alias domains can alternatively be maintained manually.
(changed in 12.1.16) | A Microsoft 365 Tenant ID displayed here (see also Search for your Microsoft 365 Tenant ID) is only for information.
(new in 13.0.15) | For a parallel connection with Exchange Online (where the "Forwarding Server" corresponds to "Send ALL outgoing mails from this domain to the following SMTP server (optional)"; see also Connecting Exchange Online with ATP / EOP), this option must be set. Otherwise, the direction of the mail may not be recognised correctly.
Password and certificate authentication (new in 12.1.1) | If the Submission Port has been activated, a user authenticated via STARTTLS can, by default, only deliver emails that originate from their own SMTP email address. However, if, for example, an external email server is to send all or part of its email traffic via a connector that connects to the SEPPmail Secure E-Mail Gateway via STARTTLS, this can be done using the following two options. Usually, a dedicated User for the connection has to be created first.
Allow relaying for this domain for authenticated users whose mail address matches the following regular expression: | Entry of a regular expression that matches all email addresses that are allowed to use the above connection.
Allow relaying for this domain for users whose certificate cn matches the following regular expression (submission port only): | Regular expression for the CN (Common Name) in the subject of the certificate used when establishing the connection.
Allowed sending servers for this domain (leave empty to allow all relaying networks, unless an originator org is specified above) | The IP address(es) or subnet(s) that are allowed to send on behalf of the respective Managed domain can be entered here. In client-capable systems, this prevents, for example, one client from sending emails in the name of another. If no entry is made here, any address listed under Mail System Relaying is allowed to send emails from this Managed domain. Usually, the input corresponds to the IP address(es) of the entered Forwarding server (see table under Mail System Managed domains Column Server IP Address). (changed in 13.0.8) It is possible to enter the network 0.0.0.0/0 as the relaying network, for example to enable the sending of emails from an external web server. Please use with care. After saving, a further input field is displayed.
Send ALL outgoing mails from this domain to the following SMTP server (optional) | By entering a target server (input format identical to Mail System Managed domain Settings Forwarding server IP or MX name), the Outgoing server (see Mail System) is overridden for the respective Managed domain (sender based routing). Any TLS settings that may be required can be made under Mail System TLS Settings Add TLS Domain.
(new in 13.0.8) | An SSL certificate can be specified here for each managed domain, which is used as an identification certificate for sending via this managed domain. The configuration is done in the same way as for GINA domains, see SSL. If no certificate is configured, the default certificate configured under SSL is used.
 | If an email address is entered here, it will be used as the sender (From header) for bounce and notification emails of the respective Managed domain.
S/MIME domain keys | Depending on the global selection under Mail System Managed domain Create S/MIME domain keys for managed domain encryption and send public key to vendor pool:, different statuses are displayed:
 | This is displayed if the global setting On for all domains has been selected. With this setting, the participation in the Managed Domain Service is activated or deactivated. With the activation, a self-signed X.509 S/MIME domain certificate (see S/MIME domain encryption) is created automatically for the corresponding Managed domain and transferred to the central SEPPmail licence and/or key server. The newly created S/MIME domain certificate (that is, only the public key!) is then automatically distributed to all SEPPmail Secure E-Mail Gateways, so that all companies operating a SEPPmail Secure E-Mail Gateway can exchange emails among each other without any further effort, at least on a domain-encrypted basis. This service is already included in the basic licence and does not require any additional encryption licences.
Create S/MIME domain keys for managed domain encryption for this domain and send public key to vendor pool | By default, this option is inactive. This is displayed if the global setting Use domain settings has been selected.
 | This is displayed if the global setting Off for all domains has been selected.
(new in 13.0.4) | The option "Send internal mails (between two managed domains) to the configured smarthost" applies to the routing of internal mails if the general setting Use domain settings is selected.
(changed in 12.0) | For using the Central Disclaimer Management (CDM), a corresponding licence is necessary. Disclaimers and/or personalised footers can be created and edited via the menu Mail System Edit mail disclaimer.... If a licence is available, the disclaimer is attached in accordance with the following selection.
 | Selection of the disclaimer for new outgoing emails.
(new in 12.0) | Selection of the disclaimer for outgoing email replies.
 | Via this selection, the GINA settings to be used for the entered email domain can be chosen. These can be created and edited via the menu GINA Domains Domains. If "-DISABLED-" is selected here, no GINA technology is available for the selected Managed domain. This also means that if encryption is requested and the recipient's public key is missing, the email is rejected (bounced) (see also Bounce templates No public key). For client-capable systems, the GINA domain(s) specifically set up for the customer must be selected here, provided that the GINA technology has not been disabled by means of "-DISABLED-".
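The relay-related rows above (the required X header, the X-OriginatorOrg comparison, the allowed sending servers including the 0.0.0.0/0 caveat, and the regex-based relaying for authenticated users and client certificates) can be read as one admission decision per message. The following Python is an added example, not SEPPmail code: the policy field names, the order in which the checks are combined, the treatment of the global relaying networks as a plain list and the sample addresses are assumptions made for illustration.

```python
"""Model of the relay checks that the Settings rows above describe.

Added example, not SEPPmail code: the policy field names, the order in
which the checks are combined and the sample values are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    domain: str
    # "Mails from this domain must have a header" / "with the following value"
    required_header: str | None = None
    required_value: str | None = None
    # "List of allowed exchange online originator organisations" (alias domains)
    originator_orgs: list[str] = field(default_factory=list)
    # "Allowed sending servers for this domain": IP addresses or subnets
    sending_networks: list[str] = field(default_factory=list)
    # networks listed under Mail System Relaying (assumed to be a plain list here)
    relaying_networks: list[str] = field(default_factory=list)
    # regexes for the authenticated SMTP address / client certificate CN
    auth_address_regex: str | None = None
    cert_cn_regex: str | None = None


def open_to_everyone(policy: RelayPolicy) -> bool:
    """True if 0.0.0.0/0 (or ::/0) was entered: every source is accepted."""
    return any(ipaddress.ip_network(n, strict=False).prefixlen == 0
               for n in policy.sending_networks)


def _in_networks(ip: str, networks: list[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _header(headers: dict[str, str], name: str) -> str | None:
    """Return the dict key for a header; names are matched case-insensitively."""
    return next((k for k in headers if k.lower() == name.lower()), None)


def evaluate_relay(policy: RelayPolicy, client_ip: str, headers: dict[str, str],
                   auth_address: str | None = None, cert_cn: str | None = None):
    """Return (accepted, reason, headers); the gate header is stripped on success."""
    headers = dict(headers)

    # 1. Required X header: the value is compared case-sensitively and the
    #    header is removed once it has been checked.
    if policy.required_header:
        key = _header(headers, policy.required_header)
        if key is None or headers[key] != policy.required_value:
            return False, f"header {policy.required_header} missing or wrong", headers
        del headers[key]

    # 2. Authenticated submission: address regex or certificate CN regex.
    if auth_address and policy.auth_address_regex \
            and re.fullmatch(policy.auth_address_regex, auth_address):
        return True, "authenticated address matches regex", headers
    if cert_cn and policy.cert_cn_regex and re.fullmatch(policy.cert_cn_regex, cert_cn):
        return True, "certificate CN matches regex", headers

    # 3. Microsoft 365: X-OriginatorOrg must name the managed domain or an alias.
    if policy.originator_orgs:
        key = _header(headers, "X-OriginatorOrg")
        if key is not None:
            allowed = {policy.domain.lower(), *(o.lower() for o in policy.originator_orgs)}
            if headers[key].lower() in allowed:
                return True, "X-OriginatorOrg matches the tenant", headers
            return False, f"X-OriginatorOrg {headers[key]!r} not allowed", headers

    # 4. Sending server: the allowed networks, else the global relaying networks,
    #    unless an originator org is configured (then an empty list allows nothing).
    if open_to_everyone(policy):
        return True, "0.0.0.0/0 configured: any source accepted, use with care", headers
    if policy.sending_networks:
        networks = policy.sending_networks
    elif policy.originator_orgs:
        return False, "no sending networks and no matching X-OriginatorOrg", headers
    else:
        networks = policy.relaying_networks
    if _in_networks(client_ip, networks):
        return True, "sending server in allowed networks", headers
    return False, f"{client_ip} not in allowed networks", headers


# Constructed sample policy: on-premises server in 192.0.2.0/24 plus an
# authenticated connector for addresses of the managed domain.
ONPREM = RelayPolicy(domain="example.com",
                     required_header="X-Example-Gate", required_value="Secret-Token",
                     sending_networks=["192.0.2.0/24"],
                     auth_address_regex=r"[^@]+@example\.com")

# Constructed sample policy for a Microsoft 365 tenant.
M365 = RelayPolicy(domain="example.com",
                   originator_orgs=["example.onmicrosoft.com"],
                   relaying_networks=["192.0.2.0/24"])

if __name__ == "__main__":
    for args in [(ONPREM, "192.0.2.10", {"X-Example-Gate": "Secret-Token"}),
                 (ONPREM, "192.0.2.10", {"X-Example-Gate": "secret-token"}),
                 (M365, "203.0.113.7", {"X-OriginatorOrg": "example.onmicrosoft.com"}),
                 (M365, "192.0.2.10", {})]:
        print(evaluate_relay(*args)[:2])
```

The header name is matched case-insensitively as RFC 5322 requires, while the value is compared exactly, which is the case sensitivity the row above warns about; a wrong-case value is rejected rather than silently accepted.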
(new in 14.0.0) The LFT use can be specified in the following parameters. If not specified, the default values are inherited.
Parameters | Description
---|---
 | Defines the global quota for this domain. LFT will not exceed this value.
 | The default is "80,90,95". If the global quota usage exceeds one of these values, a notification email is sent.
 | If activated, the global quota is strictly adhered to. If not, only a warning is issued if the global quota is exceeded. Possible values are "true", "false" and "reset to default values".
User LFT quota in MB (must not be bigger than global quota of x) | Defines the quota per user of this managed domain.
 | Specifies whether the user may use LFT. Possible values are "true", "false" and "reset to default values".
(only for client-capable systems) | Allocation to a customer who has already been created under Customers in a client-capable system. The allocation to a customer is only possible when creating a new Managed domain, that is, when the menu was opened via the button Add managed domain....
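The LFT rows above (global quota, notification values, strict mode, per-user quota and per-user enablement) describe a small policy that a quota check has to apply in a fixed order. The following Python is an added example, not SEPPmail code: the class and function names, the reading of the notification values as percentages of the global quota, the treatment of the per-user quota as a hard limit and the sample sizes are assumptions.

```python
"""Model of the LFT quota parameters in the rows above.

Added example, not SEPPmail code: class and function names, the
interpretation of the notification values as percentages of the global
quota, and the sample sizes are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

DEFAULT_THRESHOLDS = "80,90,95"   # default of the notification parameter


def parse_thresholds(text: str) -> list[int]:
    """Parse '80,90,95' into a sorted, de-duplicated list of percentages."""
    values = sorted({int(v) for v in text.split(",") if v.strip()})
    if any(not 0 <= v <= 100 for v in values):
        raise ValueError(f"thresholds must lie between 0 and 100: {text!r}")
    return values


@dataclass
class LftQuotaPolicy:
    global_quota_mb: int          # "global quota for this domain"
    user_quota_mb: int            # "User LFT quota in MB"
    strict: bool = True           # strictly adhere to the global quota, or only warn
    thresholds: str = DEFAULT_THRESHOLDS

    def __post_init__(self) -> None:
        # "must not be bigger than global quota"
        if self.user_quota_mb > self.global_quota_mb:
            raise ValueError("user quota must not exceed the global quota")
        self.threshold_list = parse_thresholds(self.thresholds)


def check_upload(policy: LftQuotaPolicy, domain_used_mb: int, user_used_mb: int,
                 size_mb: int, user_may_use_lft: bool = True):
    """Decide whether an upload of size_mb may go through LFT.

    Returns (allowed, warnings, notifications): warnings lists the quota
    problems found, notifications the percentage thresholds that the
    domain usage crosses with this upload (one notification email each).
    """
    if not user_may_use_lft:
        return False, ["LFT is not enabled for this user"], []
    if user_used_mb + size_mb > policy.user_quota_mb:
        # The per-user quota is treated as a hard limit here (assumption).
        return False, [f"user quota of {policy.user_quota_mb} MB exceeded"], []

    warnings: list[str] = []
    new_total = domain_used_mb + size_mb
    if new_total > policy.global_quota_mb:
        warnings.append(f"global quota of {policy.global_quota_mb} MB exceeded")

    # Thresholds are crossed at most once: compare usage before and after.
    before = domain_used_mb * 100 / policy.global_quota_mb
    after = new_total * 100 / policy.global_quota_mb
    notifications = [t for t in policy.threshold_list if before < t <= after]

    # Strict: the global quota is enforced; otherwise the upload proceeds with a warning.
    allowed = not warnings or not policy.strict
    return allowed, warnings, notifications


if __name__ == "__main__":
    policy = LftQuotaPolicy(global_quota_mb=1000, user_quota_mb=200)
    print(check_upload(policy, domain_used_mb=790, user_used_mb=0, size_mb=20))
    print(check_upload(policy, domain_used_mb=900, user_used_mb=0, size_mb=150))
```

Comparing the usage before and after the upload means a single large transfer that jumps across several notification values triggers each of them once, and a transfer that stays below the next value triggers nothing.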
In this section you can specify individualised bounce templates that were previously created using the menu Mail System Edit mail templates....
Parameters | Description
---|---
 | By default, bounce_noauth is selected. Shows the selected bounce template for requested encryption/signatures by non-existent users (Users).
 | By default, bounce_noenc is selected. Shows the selected bounce template for failed encryption.
 | By default, bounce_noseckey is selected. Displays the selected bounce template if the key material of the internal sender is missing.
 | By default, bounce_policy is selected. Generally, this template is used for all rejections due to an provided that no other template has been explicitly selected in the corresponding . Thus, if an is used for more than one Managed domain, the template of the corresponding Managed domain is used instead of a template obtained via the . The order is then ascending: Default template, Domain template, Policy template.
 | By default, sendpgpkeys is selected. If applicable, the template selected here overrides the global selection of the option Mail Processing Miscellaneous options Send new OpenPGP public keys to users when a key is created with template.
Section External Authentication
Defines the settings for authentication at the GINA interface using external user data.
Parameters | Description
---|---
 | If the GINA technology is also used internally, for example for Large File Transfer (LFT) or internal email encryption (IME), this option enables the authentication of the users of the respective Managed domain against an external LDAP in the organisation-internal network (for example Active Directory). This also enables users from the corresponding Managed domain to log in directly at the GINA portal with their email address and the password stored in the LDAP (that is, in the case of AD, the Windows password). Operating mode: if, due to the above-mentioned configuration, the email address (the main address, no email alias!) of the user logging in (GINA account) and thus their DN is found in the LDAP database, another connection attempt is made with this DN and the password entered by the user in the GINA portal. If this attempt is successful, the authentication at the GINA portal is also successful. The SEPPmail Secure E-Mail Gateway runs its own counter for incorrect password entries. If the external authentication fails more often than the maximum admissible number, the account is temporarily disabled locally; from then on there is no interaction with the external server anymore. The deactivation is thus exclusively local. This means that a SEPPmail Secure E-Mail Gateway administrator can always reactivate or permanently disable a deactivated GINA Account in the SEPPmail Secure E-Mail Gateway administration interface. Additionally, individual GINA Accounts can be excluded from external authentication. In this case, the local password is used for the login again (please also refer to GINA Accounts User Data External Authentication).
Authenticate GINA users from this domain to external LDAP server (eg. Active Directory) | By default, this option is inactive. Activates the "external LDAP authentication".
Automatically create GINA account if user exists on external LDAP server | By default, this option is inactive. If this option is enabled, a GINA Account is automatically created upon successful authentication via LDAP, unless one already exists. The registration process for the initial registration is thus not necessary for the GINA user. One precondition is that the GINA Domain to which the respective user logs in is also allocated to this Managed domain. If this option is not enabled, the GINA Accounts (unless an alternative IDP setting is active) still need to be registered on the SEPPmail Secure E-Mail Gateway. Here, a local password must be set. However, this password is not used for authentication as long as authentication via IDP is active. A corresponding message is displayed during the initial registration of the account. If, when logging in at the GINA portal, the local password is used instead of the IDP password (in this case only!), the user receives a corresponding note (see GINA Domains Domain GINA Edit Language Settings Edit Translations Edit translation file Advanced view Edit translation file msgid "ext_auth_enabled"). If the option is deactivated retrospectively, the already existing GINA users will be asked to register when they next log in.
 | Indication of the LDAP server(s) against which an authentication is to be realised. The hostname or IP address is accepted as input. Several servers can be entered, separated by spaces. The servers are processed in the specified order until one of them returns either OK or INVALID_CREDENTIALS (incorrect password). For all other responses (or errors in the connection establishment), the next server in the list is tried.
 | By default, this is set to 636. Specifies the port on which the external LDAP server receives requests. The standard LDAP port is 389, and 636 for LDAPS (see also TLS required).
TLS required | By default, this option is active. Enforces the encryption of the connection to the LDAP server by means of TLSv1 or higher (LDAPS or LDAPS+STARTTLS).
Bind DN | Indication of the full distinguished name (DN) of the read-only account which is entitled to search under External user attributes Search base Email attribute in the LDAP database.
 | Password for the authentication of the account entered under Bind DN.
 | To prevent a disclosure of the type of authentication process to a potential external attacker, the link "Forgot password?" is displayed in the GINA login mask even if external authentication is activated.
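The operating mode described above combines three behaviours worth seeing together: the server list is walked in order until a server answers OK or INVALID_CREDENTIALS, the failure counter and the resulting lockout are kept locally and never reach the external server, and an account excluded from external authentication falls back to its local password. The following Python is an added example, not SEPPmail code; the LDAP servers are simulated by callables so it runs offline, and the class and function names, the lockout limit and the sample accounts are assumptions.

```python
"""Model of the external LDAP authentication flow described in the rows above.

Added example, not SEPPmail code. Servers are simulated by callables so the
example runs offline; the class and function names, the lockout limit and
the sample accounts are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

OK, INVALID_CREDENTIALS, ERROR = "OK", "INVALID_CREDENTIALS", "ERROR"

# A server is modelled as a function (email, password) -> (result, dn).
Server = Callable[[str, str], tuple]


def make_server(directory: dict[str, tuple[str, str]], online: bool = True) -> Server:
    """Build a fake LDAP server from {email: (dn, password)}.

    A server that is offline, or does not know the email address, answers
    ERROR, which makes the caller move on to the next server in the list.
    """
    def server(email: str, password: str) -> tuple:
        if not online:
            return ERROR, None
        entry = directory.get(email.lower())
        if entry is None:
            return ERROR, None
        dn, real_password = entry
        return (OK, dn) if password == real_password else (INVALID_CREDENTIALS, dn)
    return server


def try_servers(servers: list[Server], email: str, password: str) -> tuple:
    """Try the servers in order; stop at the first OK or INVALID_CREDENTIALS."""
    for index, server in enumerate(servers):
        result, dn = server(email, password)
        if result in (OK, INVALID_CREDENTIALS):
            return result, dn, index
    return ERROR, None, None


@dataclass
class GinaAccountStore:
    """Local GINA account state kept by the gateway (assumed structure)."""
    max_failures: int = 3                       # assumed limit
    accounts: set[str] = field(default_factory=set)
    failures: dict[str, int] = field(default_factory=dict)
    disabled: set[str] = field(default_factory=set)
    excluded_from_external: set[str] = field(default_factory=set)
    local_passwords: dict[str, str] = field(default_factory=dict)


def authenticate(store: GinaAccountStore, servers: list[Server], email: str,
                 password: str, auto_create: bool = False) -> tuple[bool, str]:
    """One GINA portal login attempt; returns (success, explanation)."""
    if email in store.disabled:
        # The lock is purely local: no request reaches the external server.
        return False, "account locally disabled; no external request made"
    if email in store.excluded_from_external:
        # Accounts excluded from external authentication use the local password.
        return store.local_passwords.get(email) == password, "local password used"

    result, dn, index = try_servers(servers, email, password)
    if result == OK:
        store.failures.pop(email, None)
        if email not in store.accounts:
            if not auto_create:
                return False, "authenticated externally but GINA account not registered"
            store.accounts.add(email)   # "Automatically create GINA account"
        return True, f"authenticated as {dn} via server #{index}"
    if result == INVALID_CREDENTIALS:
        # The gateway keeps its own counter; exceeding the limit disables locally.
        count = store.failures[email] = store.failures.get(email, 0) + 1
        if count > store.max_failures:
            store.disabled.add(email)
        return False, f"invalid credentials ({count} failures)"
    return False, "no LDAP server gave a definite answer"


def reactivate(store: GinaAccountStore, email: str) -> None:
    """Administrator action: clear the local lock and the failure counter."""
    store.disabled.discard(email)
    store.failures.pop(email, None)


# Constructed sample: the first server is unreachable, the second knows Alice.
DIRECTORY = {"alice@example.com": ("CN=Alice,OU=Users,DC=example,DC=com", "correct horse")}
SERVERS = [make_server({}, online=False), make_server(DIRECTORY)]

if __name__ == "__main__":
    store = GinaAccountStore(accounts={"alice@example.com"})
    print(authenticate(store, SERVERS, "alice@example.com", "correct horse"))
    for _ in range(4):
        print(authenticate(store, SERVERS, "alice@example.com", "wrong"))
    print(authenticate(store, SERVERS, "alice@example.com", "correct horse"))
```

Because the disabled check comes first, a locked account produces no bind attempt at all, which is the "exclusively local" deactivation the text describes; only an administrator action (modelled by reactivate) lifts it.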
Section Internal authentication
(new in 13.0.14)
Parameters | Description
---|---
 | By default, this option is inactive. Activate it if local users should be able to log in at GINA. Select the condition: if mail processing groups are selected, only users who belong to one of the selected mail processing groups are allowed to do so; if no mail processing group is selected, all users of the managed domain may authenticate themselves. The method with which a user was originally created can be analysed with the Show users created by authentication filter.
Section OpenPGP Domain Encryption
(changed in 12.1)
This section shows the OpenPGP domain keys, if any.
Key ID | Subkey ID(s) (new in 12.1) | User ID | Issued on | Expires on
---|---|---|---|---
Displays the key ID of the OpenPGP domain key(s). | Displays the key IDs of all existing subkeys. | Displays the user ID associated with the key ID. If the key was generated by the appliance, it is usually OpenPGP Domain Encryption <domain-confidentiality-authority@yourdomain.tld>. | Date of issue of the key (YYYY-MM-DD) | Expiration date of the key (YYYY-MM-DD)
By clicking on the Key ID, a submenu with details on the key is opened. This offers the option of downloading the public key and/or deleting the key pair.
The Import OpenPGP Key button can be used to import an already existing key pair (see the corresponding submenu).
The Generate new OpenPGP key button offers the possibility to generate a new key pair on the appliance. (changed in 12.1) The validity period (Validity in days) of the key generated in this way can be freely defined and is preset to 825 days.
Section S/MIME domain encryption
(changed in 12.1)
This section shows the S/MIME domain keys, if any.
Fingerprint | Issued on | Expires on | Managed Domain Encryption
---|---|---|---
Displays the fingerprint(s) of the S/MIME domain key(s). If, under Settings in the section S/MIME domain keys, one of the options Globally on or Create S/MIME domain keys for managed domain encryption for this domain and send public key to vendor pool is activated, at least one certificate is displayed. | Date of issue of the key (YYYY-MM-DD) | Expiration date of the key (YYYY-MM-DD) | Displays whether a key has been released and is used. Possible status: managed by SEPPmail, unmanaged
Clicking on the Fingerprint opens a submenu with details about the key (see the corresponding submenu). This provides the option to download the public key (certificate) or to revoke or delete the key pair.
If, in the certificate details under Key usage, the checkmark at the Allow signing option is removed, the corresponding certificate is not listed in a certificate search in GINA (please also refer to Extended settings Allow download of public domain keys/domain certificates).
The Import S/MIME Key button can be used to import an already existing key pair (see the corresponding submenu).
The key exchange between SEPPmail Secure E-Mail Gateways is implemented automatically upon activation of the option Automatically create and publish S/MIME domain keys for all domains via the Managed Domain Service. This ensures that all SEPPmail Secure E-Mail Gateways communicate with each other in a domain-encrypted manner.
The Generate S/MIME key button offers the possibility to generate a new key pair on the appliance. (changed in 12.1) The validity period (Validity in days) of the key generated in this way can be freely defined and is preset to 825 days.
If the internal CA was already set up before generating the domain certificate, the attributes entered there are used when creating it. This can be particularly useful if a communication partner with a gateway from another manufacturer requests more detailed information in the domain certificate, even if this is not necessary according to the RFC.
Generally, SAN certificates are generated, in which the Subject Alternative Name contains first the domain name and then the email address, for example mycompany.tld and domain-confidentiality-authority@mycompany.tld.
Section Internal Mail Encryption
(changed in 12.1)
Fingerprint | Issued on | Expires on
---|---|---
Displays the fingerprint(s) of the S/MIME domain key(s) which is/are required for the internal email encryption as of IME 2.0. | Date of issue of the key (YYYY-MM-DD) | Expiration date of the key (YYYY-MM-DD)
The Import S/MIME Key button can be used to import an already existing key pair (see the corresponding submenu).
Generate new S/MIME key generates a new key pair for internal mail encryption. (changed in 12.1) The validity period (Validity in days) of the key generated in this way can be freely defined and is preset to 825 days.
Once the key pair has been created, the certificate can be exported by clicking on the fingerprint.
To be able to use the certificate with the SEPPmail Microsoft Outlook Add-In later, usually a contact with the email address from the CN of this IME certificate, together with the certificate itself, is created in the "global address list (GAL)" of the Exchange server. In most cases, this adds the certificate of the contact to the machine-related certificate store of the clients under "Other persons" > "Certificates".
By default, the folder "Other persons" is only created in the certificate store once a certificate has been imported for a contact in the Outlook address book or once an entry has been created in the Exchange Global Address List (GAL). The contact to be created in the GAL should start with a special character, for example an underscore "_", because the SEPPmail Microsoft Outlook Add-In automatically searches for this entry when MS Outlook starts. If the entry is listed towards the end of the GAL due to the alphabetical sorting, this search may take a very long time and the start of MS Outlook would be delayed accordingly. This in turn could lead to an automatic deactivation of the SEPPmail Microsoft Outlook Add-In unless the corresponding configuration measures are taken to prevent this.
Section DKIM Settings (optional)
Parameters | Description
---|---
 | By default, this option is inactive. Placing a check mark and subsequently clicking on Save changes generates a DKIM key pair for the corresponding managed domain. From this point in time, all outgoing emails of the Managed domain will bear a DKIM signature.
(new in 13.0.0) | By default, this option is set to "default".
Section ARC Settings (optional)
(new in 13.0.8)
ARC sealing/signing of emails is possible. Especially in conjunction with Exchange Online connections, this can reduce or eliminate false positives in spam detection by Microsoft.
Parameters | Description
---|---
 | By default, this option is inactive. Placing a check mark and subsequently clicking on Save changes activates the ARC seal, based on the key source set below.
 | By default, this option is set to "Use the DKIM key", that is, the DKIM key of the managed domain. Alternatively, a Master ARC key or a separate ARC key for this managed domain can be used. The Master ARC key is defined in Mail Settings.
Section TLS Settings (optional)
If a TLS-encrypted connection is to be established to the downstream groupware system for an email domain (see table under Mail System Managed domains Column Server IP Address), the TLS encryption can be configured at this point.
Setting up TLS connections is described in the chapter on the corresponding submenu.
(new in 13.0.0)
See Mail Processing.
Active | Name | Value | Type
---|---|---|---
Displays whether the "Extended Field" is in status "Active" or "Inactive" and therefore ready to use or not. | Displays the name of the respective "Extended Field" as set up under Mail Processing Extended Fields Name. | Displays the value of the respective "Extended Field". If this corresponds to the one under Mail Processing Extended Fields Default value, then default value is displayed behind the entry field, otherwise domain specific value. | Displays the Type of the respective "Extended Field" as entered under Mail Processing Extended Fields.
(changed in 12.1)
In these statistics, only the cryptography technologies which have already been used on the SEPPmail Secure E-Mail Gateway are displayed.
Parameters | Description
---|---
 | Number of users created on the SEPPmail Secure E-Mail Gateway (corresponds to user licences).
emails sent | Number of emails sent that were encrypted using the S/MIME technology.
emails received | Number of emails received that were encrypted using the S/MIME technology.
 | Number of emails sent that were encrypted using the OpenPGP technology.
 | Number of emails received that were encrypted using the OpenPGP technology.
 | Number of emails sent which were domain-encrypted by means of the S/MIME technology.
 | Number of emails received which were domain-encrypted by means of the S/MIME technology.
 | Number of emails sent which were domain-encrypted by means of the OpenPGP technology.
 | Number of emails received which were domain-encrypted by means of the OpenPGP technology.
emails sent | Number of emails sent that were signed by means of the S/MIME technology.
emails received | Number of emails received that were signed by means of the S/MIME technology.
emails sent | Number of emails sent that were encrypted by means of the GINA technology.
All changes made are saved via the Save changes button.
A domain can be deleted with Delete domain.
If the domain has a domain key (see S/MIME domain encryption and/or OpenPGP Domain Encryption), a corresponding warning appears in the status bar, and the deletion has to be confirmed again by pressing Delete domain.