
 

Attention:

It is important to understand the current policy of the IronPort system before making any changes.

 

Configuration suggestion

 

All incoming emails are received by IronPort and scanned for spam and viruses. Emails that have passed these checks are forwarded to the SEPPmail Secure E-Mail Gateway, where they are decrypted, if applicable, and returned to IronPort. There, all emails (now including the decrypted ones) are checked again for viruses and spam and forwarded to the internal groupware system, for example Microsoft Exchange or IBM Domino.

 

Alternatively, the IronPort system can be configured to recognise encrypted and/or signed emails and redirect only those to the SEPPmail Secure E-Mail Gateway. All other emails are forwarded directly to the internal groupware system.

 

Outgoing emails are sent from the internal groupware system to the IronPort, which always forwards outgoing emails to the SEPPmail Secure E-Mail Gateway. There, the ruleset which determines which emails are to be signed and encrypted is maintained. Subsequently, the outgoing emails are returned to the IronPort system by the SEPPmail Secure E-Mail Gateway, as the IronPort is the only system that sends email to the Internet.

 

The problem with this configuration is that the SEPPmail Secure E-Mail Gateway must be entered in the relay list of the IronPort system, since the SEPPmail Secure E-Mail Gateway will attempt to send outgoing emails to the Internet. All hosts in the IronPort relay list are automatically subject to the outgoing email policy. The current outgoing policy does not implement a virus scan, so emails returned by the SEPPmail Secure E-Mail Gateway are not scanned again and the SEPPmail Secure E-Mail Gateway connection brings no additional benefit.

 

There are two solutions:

 

1. The outgoing email policy on the IronPort system is modified to look similar to the incoming policy. However, this is not a perfect solution.

2. You configure a special listener, via which the SEPPmail Secure E-Mail Gateway delivers incoming emails. The SEPPmail Secure E-Mail Gateway must not be entered in the relay list on this listener. For example, this listener can be bound to a special port (e.g. 10025) on the existing IP address 192.168.1.11 or to another IP address in the IP network 192.168.1.0/24.

 

The redirection can be implemented in two ways:

 

3. via content filter

4. via message filter

 

The difference between the message filter and the content filter is that a message filter is always applied to the entire email. For example, if an email has more than one recipient, the action applies to all recipients. With a content filter, you can split the email using different policy entries. This should not play a role in our case. Another difference is that you can recognise in the message filter whether an email is encrypted or signed and can therefore redirect only this email to the SEPPmail Secure E-Mail Gateway.

 

To keep the solution simple and clear, we recommend forwarding all outgoing emails to the SEPPmail Secure E-Mail Gateway (not only the emails to be encrypted or signed) and working with a content filter.

 

Configuration

 

IronPort

 

Existing listener with SEPPmail Secure E-Mail Gateway in the relay list

New listener incoming SEPPmail Secure E-Mail Gateway with SEPPmail Secure E-Mail Gateway not in the relay list

 

Incoming content filter: IncomingSEPPmail Secure E-Mail Gateway

 
(usually not necessary: Receiving Listener = IncomingMail AND)
 
Remote IP IS NOT \[IP from SEPPmail Secure E-Mail Gateway 1\]
AND
Remote IP IS NOT \[IP from SEPPmail Secure E-Mail Gateway 2\]
 
(optional, if you only want to operate one of your domains via SEPPmail Secure E-Mail Gateway: AND Envelope Recipient ends with @securemailcustomer.ch)
 
Action: Send to Alternate Destination Host: \[Cluster IP of both SEPPmail Secure E-Mail Gateway\]
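
The following added example (not part of the original documentation and not IronPort or SEPPmail code) models the content filter conditions above and traces one incoming message between the two systems, showing that the Remote IP conditions are what stop a message already returned by the SEPPmail Secure E-Mail Gateway from being redirected again. The IP addresses and the groupware host name are constructed sample values; only the domain `@securemailcustomer.ch` comes from this page.

```python
from ipaddress import ip_address

# Constructed sample values; the page only gives placeholders for these.
SEPPMAIL_IPS = {ip_address("192.168.1.21"), ip_address("192.168.1.22")}
SEPPMAIL_CLUSTER = "192.168.1.20"          # "Cluster IP of both SEPPmail ..."
GROUPWARE = "groupware.internal"           # hypothetical internal mail host
SECURE_DOMAIN = "@securemailcustomer.ch"   # domain named on this page


def filter_matches(remote_ip, rcpt, check_remote_ip=True, domain_only=False):
    """Evaluate the content filter conditions for one recipient."""
    # Remote IP IS NOT [SEPPmail 1] AND Remote IP IS NOT [SEPPmail 2]
    if check_remote_ip and ip_address(remote_ip) in SEPPMAIL_IPS:
        return False
    # Optional: AND Envelope Recipient ends with @securemailcustomer.ch
    if domain_only and not rcpt.lower().endswith(SECURE_DOMAIN):
        return False
    return True


def trace(remote_ip, rcpt, max_hops=6, **opts):
    """Follow one incoming message; returns (hops, delivered)."""
    hops = []
    for _ in range(max_hops):
        if filter_matches(remote_ip, rcpt, **opts):
            # Action: Send to Alternate Destination Host
            hops.append(f"IronPort -> SEPPmail {SEPPMAIL_CLUSTER}")
            # The gateway hands the mail back from one of its node IPs.
            remote_ip = "192.168.1.21"
        else:
            hops.append(f"IronPort -> {GROUPWARE}")
            return hops, True
    return hops, False  # hop limit reached: the message is looping


if __name__ == "__main__":
    mail = ("203.0.113.7", "alice@securemailcustomer.ch")  # constructed
    print(trace(*mail))                          # redirected once, delivered
    print(trace(*mail, check_remote_ip=False))   # without Remote IP check
```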
 

SEPPmail Secure E-Mail Gateway

 

The SEPPmail Secure E-Mail Gateway is to be set up in such a way that incoming emails are sent to the Incoming SEPPmail Secure E-Mail Gateway Listener.

 

Menu Mail System: See Setting Up Email Domains To Be Managed.

 


Section Managed domains

 

The problem here is that only a single IP address can be entered in the SEPPmail Secure E-Mail Gateway configuration as the destination for incoming emails, i.e. not both incoming IP addresses of your IronPorts. It is therefore necessary to create a (fictitious) DNS entry that resolves to both IP addresses of the IronPorts. This fictitious DNS name is entered as the "Server IP address" of the email domain.

 

Outgoing emails are sent by the SEPPmail Secure E-Mail Gateway to the existing listener:

See Controlling Outgoing Email Traffic.

 


Section Outgoing server

 

The IP address of the listener must be specified here, or, as above, a hostname which is resolved to both listeners.

 

The relay permission is to be entered in the SEPPmail Secure E-Mail Gateway for both IP addresses of the IronPort systems. See Mail Relaying.

 


Section Relaying

 

The configuration description for the SEPPmail Secure E-Mail Gateway - IronPort connection was provided to us, with permission, by:

 

AVANTEC AG

Badenerstrasse 281

CH-8003 Zurich

www.avantec.ch

info@avantec.ch

  
