
Procedure:

Generally, using a relay server for sending emails to the Internet is recommended. This relay server should be used by both the backend and the GINA satellite system (see Mail System Outgoing server).

 

Additionally, the following preparations are to be made on both systems:

SSL
Create (Request or create new certificate...) or import an existing certificate (Import existing certificate...)

o (only necessary if a direct connection between the backend and the GINA satellite system and vice versa can and is to be established)
Fingerprint
Note down the fingerprint for later use in the counterpart system for setting up the TLS connection

 

Backend system

Mail System

o Managed Domains
Open the individual Domain name by clicking on the respective name

EDIT MANAGED DOMAIN

Settings GINA domain
Select "[default]".
If "- disabled -" is selected, GINA forwarding is suppressed for the respective Managed domain.
 

Note:

On client-capable installations, an error message appears here stating that the [default] GINA domain is used by more than one client:

GINA domain [default] used by more than one customer.

This can be ignored here, because the GINA client separation takes place on the GINA satellite (and also must be configured there!).

 

Fetch mail from remote POP3 server. Interval in minutes: activate and set the value to "1".

 

o (the additional securing of the connection between the backend and the GINA satellite system via TLS is only possible if a direct connection can be established)
TLS settings Add TLS Domain, next menu Add TLS Domain under

Domain info

Domain name (use a leading "." to include all subdomains)
Enter "customer.pseudo"
(this is the domain which is later used for the email address under Use remote GINA server, reachable under the following email address).

 

Optional forwarding server address
remains empty if the Domain name is resolved by means of DNS; otherwise, the IP address of the GINA satellite system is to be entered
 

TLS settings
Select Fingerprint Only send mail if TLS is possible and the fingerprint of the server certificate has the following fingerprint
The input field below is to be filled with the fingerprint(s) of the certificate(s) from the SSL of the GINA satellite systems.
 

Mail Processing Ruleset generator

o General settings Log message metadata
Deactivate
 

o Custom Commands Custom macros and commands for all e-mails BEFORE processing

# Begin: Custom macros and commands for all e-mails BEFORE processing
log(1,'Begin: Custom macros and commands for all e-mails BEFORE processing');

if (compare('to', 'match', 'GINA@customer.pseudo')) {
    log(1, 'unpacking satellite mail');
    unpack_mail();
    logsubject();
    log(1, 'deliver satellite mail unchanged');
    deliver();
}
# metadata setting is disabled in ruleset generator
logsubject();

log(1,'End: Custom macros and commands for all e-mails BEFORE processing');
# End: Custom macros and commands for all e-mails BEFORE processing

 

o Advanced options Use remote GINA server, reachable under the following email address
Enter an email address whose email domain cannot be reached under any circumstances, for example "GINA@customer.pseudo" (see also Domain name (use a leading "." to include all subdomains)).

 

CA

o Create the CA via Request or create new certificate authority...

 

o Backup
Download the root certificate by means of Download certificate for the subsequent import in the GINA satellite system under X.509 Root Certificates
 

Users
To be able to collect emails generated on the GINA satellite system (usually "GINA replies and password emails") via POP3(s) on the backend system for further processing, a user with a password is to be created via Create new user account in the next menu CREATE USER ACCOUNT (in the example "GINA@customer.pseudo") (see USER 'USER@DOMAIN.TLD'). Subsequently, the detail menu USER 'USER@DOMAIN.TLD' of the newly created user appears. Here, the input fields of the section Remote POP3 are to be filled in accordingly, following the example:

o User ID
According to the example, this would be "GINA@customer.pseudo"
 

o Mail server
Enter the IP address, the host name or the MX entry of the GINA satellite system
 

o Options Use SSL instead of STARTTLS
Activate
 

Domain Certificates S/MIME domain certificates..., next menu Domain Certificates Managed S/MIME domain certificates Import S/MIME certificate..., next menu Import X.509 certificate

o Domain name
Enter "customer.pseudo"
 

o Certificate Data
Import the domain certificate previously generated on the GINA satellite system for the Managed domain "customer.pseudo" (please also refer to EDIT MANAGED DOMAIN S/MIME domain encryption)
 

GINA Domains
A GINA Domain is not mandatory

 

GINA satellite system

Administration Bulk Import Import X.509 keys and certificates Import
To enable the signing of GINA carrier e-mails, the import of at least one PKCS#12 key pair and the resulting automatic creation of a User is required.
If different GINA Domains are to be used, importing one PKCS#12 key pair for each GINA Domain may be advisable. In that case, the applicant of each certificate from the PKCS#12 should be an email address with a generally valid name part, if possible, and the (or one of the) allocated Managed Domains as the domain part, for example "securemail@managed-domain1.tld", "securemail@managed-domain2.tld", "securemail@managed-domainn.tld".
These email addresses are then used in the configuration of the corresponding GINA Domain (see next point)

 

GINA Domains
Configuration of the [default] GINA, and/or set-up of the necessary GINA Domains

o Domains

GINA name
Open the respective GINA
Implement the desired settings in the subsequent menu Change GINA Settings for.
For signing the GINA carrier emails

Extended settings Force sending of GINA mails from this address:
Enter the email address which matches the corresponding GINA Domains (see point above)
 

Mail System

o Managed Domains

Create S/MIME domain keys for managed domain encryption and send public key to vendor pool
Set to "Off for all domains".
 

Verify recipient addresses using SMTP lookups
Deactivate

 

Set up the email domain of the email address indicated under Use remote GINA server, reachable under the following email address of the backend system via Add managed domain....
Implement the desired settings in the subsequent menu Add managed domain Settings

Domain name
In the example, enter "customer.pseudo"
 

Forwarding server
Input "[127.0.0.1]"
 

Open the Managed domain

EDIT MANAGED DOMAIN S/MIME domain encryption

o Click on Generate S/MIME key
 

o Open the newly generated certificate by clicking on SHA1:... under Fingerprint

In the submenu now opening, download the certificate via Download certificate.... This certificate is to be integrated into the backend system under Domain Certificates for the target domain (according to the example "customer.pseudo").
 

Create all Managed Domains which are present on the backend system by means of Add managed domain....
Implement the desired settings in the subsequent menu Add managed domain Settings

Domain name
Enter the domains from the backend system, separated by commas
 

Forwarding server
Input "[127.0.0.1]"

 

o If applicable, allocate the desired GINA to the corresponding Managed domains
(see EDIT MANAGED DOMAIN Settings GINA domain).
 

o (only possible if a direct connection with the backend system can be established)
TLS settings Add TLS Domain, subsequent menu under

Domain info

Domain name (use a leading "." to include all subdomains)

Enter the name of the backend system

 

Optional forwarding server address
remains empty if the Domain name is resolved by means of DNS; otherwise, the IP address of the backend system is to be entered
 

TLS settings
Select Fingerprint Only send mail if TLS is possible and the fingerprint of the server certificate has the following fingerprint
The input field below is to be filled with the fingerprint(s) of the certificate(s) from the SSL menu of the backend machine(s).
 

o SMTP Settings max. message size (KB) (Note: cannot exceed xxxxxxx KB)
Take over the restriction from the backend system and/or email server
 

o Relaying
Enter the IP address(es) of the backend system(s)
 

Mail Processing

o Ruleset generator

General settings
Remove the checkmarks of the options

Do not touch mails with the following text in subject
 

Reprocess mails sent to reprocess@decrypt.reprocess
 

User creation
Select Create accounts for all users
 

Encryption

Incoming emails
Apply the settings of the backend system
 

Outgoing e-mails
These settings are irrelevant since an Encryption Policy in which GINA is enforced is used.
 

Signing
Remove all checkmarks
 

Advanced options

This is a remote GINA server
Activate
 

o Relay for domain:
Enter all Managed domains of the backend system as regular expressions
 

o Relay email address:
Enter the address from the option Use remote GINA server, reachable under the following email address of the backend system, for example "GINA@customer.pseudo"
 

o Relay domain key fingerprint:
remains empty.
 

o Use custom delivery method:
Enter:
continue'); if (!pack_mail('GINA@customer.pseudo', true)) { log(1, 'pack_mail() failed'); drop(500, 'pack_mail() failed'); } deliver('
 

Clicking on Edit policy table... in the subsequent menu Encryption Policy via Create new encryption policy..., a new policy is created.
In the subsequent menu Add Encryption Policy, the following parameters are to be set in the Settings:
 

o Policy name
Enter a unique name, for example "GINA".
 

o Policy domains
Selection of all Managed domains except "customer.pseudo"
 

o Encryption mode
Select "GINA-only"
 

o GINA options
remains empty

 

SSL
Create (Request or create new certificate...) or import an existing certificate (Import existing certificate...)
 
(only necessary if a direct connection between the backend and the GINA satellite system and vice versa can and is to be established)

o Fingerprint
Note down the fingerprint for later use in the backend system for setting up the TLS connection

 

User
To be able to collect emails generated on the GINA satellite system (usually "GINA replies and password emails") via POP3(s) on the backend system for further processing, a user with a password is to be created via Create new user account in the subsequent menu CREATE USER ACCOUNT (see USER 'USER@DOMAIN.TLD').
According to the example, this would be "GINA@customer.pseudo"

 

X.509 Root Certificates
Import the root certificate of the backend system via Import S/MIME root certificate...
 

Domain Certificates
If the satellite system cannot obtain the domain keys of the Managed domains of the backend system automatically via Managed Domain Service, these are to be imported individually via S/MIME domain certificates... in S/MIME domain certificates Managed S/MIME domain certificates Import S/MIME certificate....
 

Restrictions

Large File Transfer (LFT)
LFT is only possible with restrictions.
For instance, variant 1, which is described in Large File Transfer (LFT) (via email client only), is not possible.
For variant 2 (delivery via GINA - or for LFT to internal), internal users would have to be created as GINA accounts via Administration Bulk Import Import GINA Users (CSV) or via the REST interface (please also refer to Groups legacyappadmin).
Variant 3 has the same requirements as variant 2.
 

Protection Pack (PP)
Set as required. If applicable, a diversion to an external protection instance is possible via Custom commands (please also refer to Sophos UTM: Another Virus Scan After Decryption). However, this is usually not necessary since the protection mechanisms of the backend system apply.
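
Added example, not part of the original documentation: a check that can be run before entering a noted fingerprint under TLS settings (Fingerprint) on either system, comparing it with the certificate the counterpart actually presents after STARTTLS. It assumes the fingerprint is a SHA-1 or SHA-256 hash of the DER-encoded certificate, written as hex with an optional "SHA1:" prefix; all function names are hypothetical.

```python
import hashlib
import hmac
import smtplib
import ssl

ALGO_BY_HEX_LENGTH = {40: "sha1", 64: "sha256"}  # assumed digest types

def normalize_fp(noted):
    """Reduce a noted fingerprint ('SHA1:AB:CD', 'ab cd', 'ABCD') to bare lowercase hex."""
    text = noted.strip()
    head, sep, tail = text.partition(":")
    if sep and head.upper() in ("SHA1", "SHA256"):
        text = tail
    hexdigits = "".join(c for c in text if c not in ": -\t").lower()
    bad = any(c not in "0123456789abcdef" for c in hexdigits)
    if bad or len(hexdigits) not in ALGO_BY_HEX_LENGTH:
        raise ValueError("not a SHA-1/SHA-256 fingerprint: %r" % noted)
    return hexdigits

def cert_matches(der_cert, noted_fingerprints):
    """True if the DER certificate hashes to any of the noted fingerprints."""
    matched = False
    for noted in noted_fingerprints:
        want = normalize_fp(noted)
        got = hashlib.new(ALGO_BY_HEX_LENGTH[len(want)], der_cert).hexdigest()
        matched |= hmac.compare_digest(got, want)
    return matched

def fetch_smtp_cert(host, port=25, timeout=10):
    """Return the DER certificate the SMTP server presents after STARTTLS.
    Raises smtplib.SMTPNotSupportedError if the server offers no STARTTLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # no CA/hostname check here: the noted
    ctx.verify_mode = ssl.CERT_NONE  # fingerprint is the trust decision
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Constructed stand-in bytes; on a real system pass the result of
    # fetch_smtp_cert("<counterpart host>") instead.
    sample_der = b"constructed stand-in for a DER-encoded certificate"
    noted = "SHA1:" + hashlib.sha1(sample_der).hexdigest().upper()
    print("match" if cert_matches(sample_der, [noted]) else "MISMATCH")
```

A mismatch at this point means mail to that TLS domain would not be sent once the "Only send mail if TLS is possible and the fingerprint of the server certificate has the following fingerprint" option is active, so it is worth resolving before the setting is saved.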

 

  
