Procedure:
Generally, it is recommended to use a relay server for sending emails to the Internet. Such a relay server should be used both by the backend and by the GINA satellite system (see Mail System Outgoing server).
Additionally, the following preparations are to be made on both systems:
  • SSL (only necessary if a direct connection between the backend and the GINA satellite system, and vice versa, can be and is to be established)
    Create (Request or create new certificate...) or import an existing certificate (Import existing certificate...).
    o Fingerprint
      Note down the fingerprint for later use in the counterpart system when setting up the TLS connection.
  • CA
    o Create the CA via Request or create new certificate authority...
    o Backup
      Download the root certificate by means of Download certificate for the subsequent import in the counterpart system under X.509 Root Certificates.
  • X.509 Root Certificates
    Import the root certificate of the counterpart system via Import S/MIME root certificate...
Backend system
  • Managed Domains
    Open the individual Domain name by clicking on the respective name.
    o Settings GINA domain
      Select "[default]".
      If "- disabled -" is selected, GINA forwarding is suppressed for the respective Managed domain.
    o S/MIME domain encryption
      Open the domain certificate menu by clicking on Fingerprint SHA1:....
      ▪ Fingerprint
        Note down the value from SHA256.
        This fingerprint must be entered in the satellite system under Relay domain key fingerprint:.
      If the domain certificate to be used has a status under Domain encryption other than "managed", and/or the satellite system cannot check the participation in the Managed Domain Service, the certificate is to be exported for subsequent import on the satellite system:
      ▪ Download certificate
  • TLS settings (the connection between the two systems can only be additionally secured via TLS if a direct connection can be made)
    Add TLS domain..., then in the subsequent menu:
    o Domain name (use a leading "." to include all subdomains)
      Entry "customer.pseudo"
      (this is the domain which is later used for the email address under Use remote GINA server, reachable under the following email address)
    o Optional forwarding server address
      Remains empty if the domain name is resolved by means of DNS; otherwise, enter the IP address of the GINA satellite system.
    o TLS Settings
      Select Fingerprint: Only send mail if TLS is possible and the fingerprint of the server certificate has the following fingerprint.
      Fill the input field below with the fingerprint(s) of the certificate(s) from the SSL menu of the GINA satellite system(s).
  • Mail Processing Ruleset generator
    o General settings Log message meta data
      Deactivate.
    o Advanced options Use remote GINA server, reachable under the following email address
      Indicate an email address with an email domain which cannot be reached under any circumstances, for example "GINA@customer.pseudo" (please also refer to Domain name (use a leading "." to include all subdomains)).
  • Domain Certificates
    S/MIME domain certificates..., then in the subsequent menu Manual S/MIME domain certificates Import S/MIME certificate..., then in the subsequent menu:
    o Domain name
      In the example "customer.pseudo"
    o Certificate Data
      Import the domain certificate previously generated by the GINA satellite system for the Managed domain "customer.pseudo" (please also refer to S/MIME domain encryption).
  • GINA domains
    Creating a GINA domain is not absolutely necessary.
GINA satellite system
  • Administration Bulk import Import X.509 keys and certificates Import
    To enable the signing of GINA carrier emails, at least one PKCS#12 key pair must be imported; this automatically creates a User.
    If different GINA domains are to be used, importing one PKCS#12 key pair per GINA domain may be advisable. Here, the applicant of the certificate in the PKCS#12 should be an email address with a generally valid name part, if possible, and with the allocated Managed domain (or one of them) in the domain part, for example "securemail@managed-domain1.tld", "securemail@managed-domain2.tld", "securemail@managed-domainn.tld".
    These email addresses are then used in the configuration of the corresponding GINA domain (see next point).
  • GINA domains
    Configuration of the [default] GINA and/or set-up of the necessary GINA domains.
    o GINA name
      Open the corresponding GINA and implement the desired settings in the subsequent menu.
      For signing the GINA carrier emails:
      ▪ Extended settings Force sending of GINA mails from this address:
        Enter the email address which matches the corresponding GINA domain (see point above).
  • Create S/MIME domain keys for managed domain encryption and send public key to vendor pool
    Set to "Off for all domains".
  • Set up the email domain of the email address indicated under Use remote GINA server, reachable under the following email address of the backend system via Add managed domain.... In the subsequent menu Settings:
    o Domain name
      Input in the example "customer.pseudo"
    o Forwarding server
      Enter the IP address, the host name or the MX entry of the backend system.
    Open the Managed domain just created again:
    o Click on Generate S/MIME key.
    o Open the newly generated certificate by clicking on SHA1:... under Fingerprint.
      ▪ In the submenu now opening, download the certificate via Download certificate.... This certificate is to be imported into the backend system under Domain Certificates for the target domain (in the example "customer.pseudo").
  • Create all Managed domains which are present on the backend system by means of Add managed domain.... In the subsequent menu Settings:
    o Domain name
      Enter the domains from the backend system, separated by commas.
    o Forwarding server
      Enter the IP address, the host name or the MX entry of the backend system.
    o If applicable, allocate the desired GINA to the corresponding Managed domains (see Settings GINA domain).
  • TLS settings (only possible if a direct connection with the backend system can be established)
    Add TLS domain..., then in the subsequent menu:
    o Domain name (use a leading "." to include all subdomains)
      Enter the name of the backend system.
    o Optional forwarding server address
      Remains empty if the domain name is resolved by means of DNS; otherwise, enter the IP address of the backend system.
    o TLS Settings
      Select Fingerprint: Only send mail if TLS is possible and the fingerprint of the server certificate has the following fingerprint.
      Fill the input field below with the fingerprint(s) of the certificate(s) from the SSL menu of the backend machine(s).
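The TLS settings on both sides pin the counterpart's certificate by fingerprint, so a mistyped or stale value silently stops all mail between backend and satellite. The following is an added example, not code from the SEPPmail documentation or product: it computes certificate fingerprints in the colon-separated notation shown in the SSL and Fingerprint menus, compares a presented value against the pinned list regardless of case and separators, and, for an administrator who wants to double-check before saving, reads the live STARTTLS certificate of a counterpart host. Host names, the sample "DER" bytes and the function names are assumptions for the example.

```python
"""Added example (not part of the SEPPmail documentation): compute and compare
certificate fingerprints as shown in the SSL / Fingerprint menus, and optionally
read the live STARTTLS certificate of a counterpart system to confirm the value
before entering it under TLS settings."""
import hashlib
import re
import smtplib
import ssl
from typing import Iterable


def fingerprint_of_der(der: bytes, algo: str = "sha256") -> str:
    """Return the fingerprint of a DER-encoded certificate in the usual
    colon-separated upper-case hex notation, e.g. 'AB:CD:...'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Strip colons, spaces and case so that values copied from different
    menus (SHA1:..., SHA256) compare reliably."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprint_matches(presented: str, pinned: Iterable[str]) -> bool:
    """True if the presented fingerprint equals one of the pinned values, the
    same check the option 'Only send mail if TLS is possible and the fingerprint
    of the server certificate has the following fingerprint' applies."""
    wanted = {normalize_fingerprint(p) for p in pinned}
    return normalize_fingerprint(presented) in wanted


def fetch_starttls_fingerprint(host: str, port: int = 25, algo: str = "sha256") -> str:
    """Connect to an SMTP server, upgrade with STARTTLS and return the
    fingerprint of the certificate it presents. Chain validation is disabled
    here on purpose: the certificate is typically self-signed and the point is
    to read its fingerprint for pinning; no mail is sent over the session.
    Not executed in the offline test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
    return fingerprint_of_der(der, algo)


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; a real one would be read
    # from the file exported via 'Download certificate'.
    sample_der = b"\x30\x82\x01\x00constructed-sample-certificate"
    fp = fingerprint_of_der(sample_der)
    print("SHA256 fingerprint:", fp)
    # A value pasted in lower case with spaces still matches the pinned one.
    print("matches pinned value:", fingerprint_matches(fp.lower().replace(":", " "), [fp]))
```

Usage: export the counterpart's certificate (SSL menu, Download certificate) and compute its fingerprint with fingerprint_of_der(), or call fetch_starttls_fingerprint("satellite.example", 25) (hypothetical host) from the backend side; the two values must agree with what the SSL menu displays before they are entered as pinned fingerprints.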
  • SMTP settings max. message size (KB) (Note: cannot exceed xxxxxxx KB)
    Take over the restriction from the backend system and/or email server.
  • Relaying
    Enter the IP address(es) of the backend system(s).
  • Mail Processing Ruleset generator
    o General settings
      Remove the checkmarks of the options
      ▪ Do not touch mails with the following text in subject
      ▪ Reprocess mails sent to reprocess@decrypt.reprocess
    o User creation
      Select Create accounts for all users.
      ▪ Incoming emails
        Apply the settings of the backend system.
      ▪ Outgoing emails
        These settings are irrelevant since an encryption policy in which GINA is enforced is used.
    o Signing
      Remove all checkmarks.
    o This is a remote GINA server
      Activate.
      ▪ Relay for domain:
        Enter all Managed domains of the backend system as regular expressions.
      ▪ Relay email address:
        Enter the address from the option Use remote GINA server, reachable under the following email address of the backend system, e.g. "GINA@customer.pseudo".
      ▪ Relay domain key fingerprint:
        Enter the fingerprints of the domain encryption certificates of the corresponding Managed domains of the backend system (see S/MIME domain encryption) to be used, corresponding to the input made under Relay for domain:.
      ▪ Use custom delivery method:
        Enter
        continue'); if (!pack_mail('GINA@customer.pseudo', true)) { log(1, 'pack_mail() failed'); drop(500, 'pack_mail() failed'); } deliver('
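Because Relay for domain: takes regular expressions rather than literal domain names, an unescaped dot matches any character and a missing anchor matches any domain that merely contains the text, which would relay mail (and apply a domain key fingerprint) to domains that were never meant to be covered. The block below is an added example, not the SEPPmail product's own code or ruleset language: it builds anchored, escaped patterns from the backend's Managed domains, pairs each pattern with its Relay domain key fingerprint: entry, and resolves a recipient address to exactly one pinned fingerprint. The fingerprint values and the function names are constructed placeholders.

```python
"""Added example (not SEPPmail code): build and check the regular expressions
entered under 'Relay for domain:' and pair them with the corresponding
'Relay domain key fingerprint:' values of the backend's Managed domains."""
import re
from typing import Dict, Optional, Pattern


def domain_to_regex(domain: str) -> str:
    """Turn a literal Managed domain into an anchored regular expression.
    re.escape() protects the dots: an unescaped 'managed-domain1.tld' would
    also match 'managed-domain1Xtld', and without anchors it would match
    'evil-managed-domain1.tld.example' as well."""
    return "^" + re.escape(domain.lower()) + "$"


def compile_relay_table(entries: Dict[str, str]) -> Dict[Pattern, str]:
    """Map each 'Relay for domain' pattern to the domain-key fingerprint that
    belongs to it; the two fields correspond entry by entry on the satellite."""
    return {re.compile(pattern, re.IGNORECASE): fp for pattern, fp in entries.items()}


def fingerprint_for_recipient(address: str, table: Dict[Pattern, str]) -> Optional[str]:
    """Return the pinned domain-key fingerprint for the recipient's domain, or
    None when no pattern matches (the mail then does not take the relay path).
    More than one match means the configuration is ambiguous and is reported
    instead of silently picking one."""
    domain = address.rsplit("@", 1)[-1].lower()
    hits = [fp for pat, fp in table.items() if pat.fullmatch(domain)]
    if len(hits) > 1:
        raise ValueError(f"ambiguous 'Relay for domain' patterns for {domain}")
    return hits[0] if hits else None


# Constructed configuration: Managed domains of the backend and placeholder
# fingerprints standing in for the SHA256 values noted down on the backend.
SAMPLE_RELAY_TABLE = compile_relay_table({
    domain_to_regex("managed-domain1.tld"): "FP-OF-MANAGED-DOMAIN1-PLACEHOLDER",
    domain_to_regex("managed-domain2.tld"): "FP-OF-MANAGED-DOMAIN2-PLACEHOLDER",
})

# The same domains entered without escaping or anchoring, to show the pitfall.
SLOPPY_RELAY_TABLE = compile_relay_table({
    "managed-domain1.tld": "FP-OF-MANAGED-DOMAIN1-PLACEHOLDER",
})


if __name__ == "__main__":
    for addr in ("alice@managed-domain1.tld", "bob@Managed-Domain2.TLD",
                 "carol@managed-domain1Xtld", "dave@customer.pseudo"):
        print(addr, "->", fingerprint_for_recipient(addr, SAMPLE_RELAY_TABLE))
    # The unescaped pattern wrongly relays a look-alike domain.
    print("sloppy:", fingerprint_for_recipient("carol@managed-domain1Xtld", SLOPPY_RELAY_TABLE))
```

The patterns produced by domain_to_regex() are what should be entered, one per Managed domain, with the fingerprints listed in the same order under Relay domain key fingerprint:; "customer.pseudo" is intentionally absent from the table, matching the policy that excludes it.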
    The option Edit policy table... in the subsequent menu enables the creation of a new policy via Create new encryption policy.... In the subsequent menu, the following parameters are to be set in the Settings:
      ▪ Policy name
        Enter a unique name, e.g. "GINA".
      ▪ Policy domains
        Select all Managed domains except "customer.pseudo".
      ▪ Encryption mode
        Select "GINA-only".
      ▪ GINA options
        Remains empty.
  • Domain Certificates
    If the satellite system cannot obtain the domain keys of the Managed domains of the backend system automatically via the Managed Domain Service, they are to be imported individually via S/MIME domain certificates... under Manual S/MIME domain certificates Import S/MIME certificate....
Restrictions
Large File Transfer (LFT)
LFT is only possible with restrictions.
For instance, variant 1, which is described in Large File Transfer (LFT) (exclusively via the email client), is impossible.
If applicable, variant 2 (delivery per GINA and/or to internal users for LFT) would require the internal users to be created and maintained on the machine as GINA accounts, via Administration Bulk import Import GINA Users (CSV) or via the REST interface (please also refer to Groups legacyappadmin).
Variant 3 has the same requirements as variant 2.
Protection Pack (PP)
Set as required. If applicable, a diversion to an external protection instance via Custom commands is possible (please also refer to Sophos UTM: Another Virus Scan After Decryption). However, this is usually not necessary since the protection mechanisms of the backend system apply.