
Initial situation:

The customer wishes to switch their existing on-premises SEPPmail Secure E-Mail Gateway from parallel operation to inline operation, so that the gateway becomes the MX for the customer domain and delivers outgoing mail itself with its built-in mail transport agent.

 

Preparations

 

If not already present, create a DNS PTR record for the public IP address of the SEPPmail MSP appliance. The name in this PTR record is reused below as the SMTP banner and HELO string and, at the cutover, as the MX target, so forward and reverse lookups for the appliance must agree.
 

Lower the TTL of the MX and SPF records of the customer domain to 300 s at least one day before the changeover, so that the old values have expired from resolver caches by the time the MX record is switched.
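The following PowerShell script is an added example (not from the SEPPmail documentation) that checks the two DNS preparations above before the cutover: that the appliance's public IP has a PTR record whose name resolves back to the same IP (forward-confirmed reverse DNS, which receiving servers compare with the HELO string), that the MX and SPF records of the customer domain already carry a TTL of at most 300 s, and, as a heuristic, that the SPF record names the appliance at all, since in inline mode the gateway sends outbound mail itself. It uses the Windows Resolve-DnsName cmdlet; the IP address 203.0.113.10 is a placeholder, and the names secure.secmail365.com and secmail365.de are the example names used later on this page.

```powershell
# Added example, not part of the SEPPmail documentation. Requires the DnsClient
# module (Resolve-DnsName), i.e. Windows PowerShell or PowerShell 7 on Windows.
function Test-SeppmailDnsPreparation {
    param(
        [Parameter(Mandatory)] [string] $ApplianceIp,     # public IP of the appliance
        [Parameter(Mandatory)] [string] $ApplianceFqdn,   # name used as PTR, HELO/banner and later MX
        [Parameter(Mandatory)] [string] $CustomerDomain,  # managed domain being migrated
        [int] $MaxTtl = 300                               # TTL the MX and SPF records must have
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Forward-confirmed reverse DNS: IP -> PTR -> A must lead back to the same IP.
    $ptr = Resolve-DnsName -Name $ApplianceIp -Type PTR -ErrorAction SilentlyContinue
    $ptrName = ($ptr | Where-Object Type -eq 'PTR' | Select-Object -First 1).NameHost
    if ($ptrName -ne $ApplianceFqdn) {
        $problems.Add("PTR of $ApplianceIp is '$ptrName', expected '$ApplianceFqdn'")
    }
    $forward = (Resolve-DnsName -Name $ApplianceFqdn -Type A -ErrorAction SilentlyContinue |
                Where-Object Type -eq 'A').IPAddress
    if ($forward -notcontains $ApplianceIp) {
        $problems.Add("$ApplianceFqdn resolves to '$($forward -join ', ')', not to $ApplianceIp")
    }

    # 2. MX and SPF TTLs must already be lowered so the MX change propagates quickly.
    $mx = Resolve-DnsName -Name $CustomerDomain -Type MX -ErrorAction SilentlyContinue |
          Where-Object Type -eq 'MX'
    if (-not $mx) { $problems.Add("no MX record found for $CustomerDomain") }
    foreach ($r in $mx) {
        if ($r.TTL -gt $MaxTtl) { $problems.Add("MX $($r.NameExchange) has TTL $($r.TTL) > $MaxTtl") }
    }
    $spf = Resolve-DnsName -Name $CustomerDomain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' -and (($_.Strings -join '') -like 'v=spf1*') } |
           Select-Object -First 1
    if (-not $spf) {
        $problems.Add("no SPF record found for $CustomerDomain")
    } else {
        if ($spf.TTL -gt $MaxTtl) { $problems.Add("SPF record has TTL $($spf.TTL) > $MaxTtl") }
        # 3. In inline mode the gateway sends outbound mail itself, so SPF must authorize it.
        #    This is only a substring check; include:/ip4: ranges still need a manual look.
        $spfText = $spf.Strings -join ''
        if ($spfText -notlike "*$ApplianceIp*" -and $spfText -notlike "*$ApplianceFqdn*") {
            $problems.Add("SPF record '$spfText' does not name $ApplianceIp or $ApplianceFqdn; verify it authorizes the appliance")
        }
    }
    return $problems
}

# Placeholders: replace with the real appliance IP, its PTR name and the customer domain.
$issues = Test-SeppmailDnsPreparation -ApplianceIp '203.0.113.10' `
              -ApplianceFqdn 'secure.secmail365.com' -CustomerDomain 'secmail365.de'
if ($issues.Count -eq 0) { Write-Host 'DNS preparations OK' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Run the function once after the DNS changes and again on the day of the cutover; an empty result list means the PTR, forward lookup and TTLs are in the state the preparations require.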
 

Check the following settings of your SEPPmail Secure E-Mail Gateway and adjust them if necessary:

- Mail System > Outgoing Server > Use built-in mail transport agent: activated

- Mail System > SMTP Settings > SMTP server banner string: the name from the PTR record

- Mail System > SMTP Settings > SMTP server HELO string: the name from the PTR record

- Mail System > Managed Domains > Send internal mails (between two managed domains) to the smarthost of the sending managed domain: [Use Domain settings]

- Click Save to confirm.

 

Create a new Extended Field via Mail Processing > Extended Fields; it is used later to suspend delivery for a single customer domain while it is being migrated:

- Name: disable_delivery

- Type: boolean

- Default Value: false

- Assigned Tenants: -

- Assigned managed domains: -
 

Create a new custom command via Mail Processing > Custom macros and commands, applied to all e-mails BEFORE processing:

    internal();
    incoming();
    if (compare_extended_field('disable_delivery','eq:r','true')) {
        log (1,'temporary disabled delivery from recipient');
        drop('422','Service temporary not available');
    }
    if (compare_extended_field('disable_delivery','eq:s','true')) {
        log (1,'temporary disabled delivery from sender');
        drop('422','Service temporary not available');
    }
    if (compare_extended_field('disable_delivery','eq','true')) {
        log (1,'temporary disabled delivery');
        drop('422','Service temporary not available');
    }

The command evaluates the extended field on the recipient side (eq:r, logged as "from recipient"), on the sender side (eq:s, logged as "from sender") and without sender/recipient scope (eq). Whenever the field is true, the message is logged and rejected with a 4xx SMTP reply. A 4xx reply is a temporary failure, so the sending server queues the message and retries later instead of bouncing it; this is what allows a customer domain to be taken out of service during the migration without losing mail.

 

 

Migration

 

A. Changes on the SEPPmail Secure E-Mail Gateway for the customer domain to be migrated:

Mail System > Managed Domain Settings [domain] > Send ALL outgoing mails from this domain to the following SMTP server (optional): this field must remain empty.

Set the Extended Field disable_delivery to the value "true" in the Customer Settings of the managed domain to be migrated, via Customers > Extended Fields. From this moment on, the custom command created in the preparations rejects mail for this domain with a temporary error, so nothing is lost while the connectors and the MX record are changed.

 

 

B. Changes in the customer's Exchange Online:

Delete the transport rules of the parallel setup with the SEPPmail365 PowerShell module.

Delete the connectors of the parallel setup with the SEPPmail365 PowerShell module.

Create two new partner connectors (inbound and outbound) as described under "Instructions for connecting the Partner Connectors" below.

 

 

C. Change in the customer's DNS:

Set the MX record of the customer domain to the name from the PTR record of the SEPPmail Secure E-Mail Gateway.

 

 

Completion of works

 

Once the migration has completed successfully, re-enable delivery by setting the Extended Field disable_delivery back to "false" in the Customer Settings under Customers > Extended Fields. Mail that sending servers queued during the cutover is then accepted on their next retry.

 

 

Possible problems

 

Internal mail handling without outgoing smarthosts

For a managed domain in inline mode the setting Send ALL outgoing mails from this domain to the following SMTP server (optional) must stay empty, because there is no smarthost any more. As a consequence, T2T encryption does not work for this managed domain, since it requires an outgoing smarthost to be configured there.

 

 

Note on DKIM

 

If DKIM signing is activated in Exchange Online, the custom command must be implemented on the SEPPmail Secure E-Mail Gateway as described here. The gateway processes outgoing messages (for example by encrypting or signing them) after Exchange Online has applied its DKIM signature, and any such change invalidates that signature.

In addition, a DKIM key should be created on the SEPPmail Secure E-Mail Gateway for the customer domains in inline mode, so that outgoing mail carries a valid signature from the last system that modifies it.

 

 

Instructions for connecting the Partner Connectors

 

A. Add a connector for the connection from Office 365 in the direction of the partner organisation: [SEPPMAIL] EXCHANGEONLINE -> APPLIANCE (INLINE)

 

1. New connector with the settings "Office 365" (from) and "Partnerorganisation" (to).

2. Enter a unique connector name, for example "[SEPPMAIL] EXCHANGEONLINE -> APPLIANCE (INLINE)".

3. Set connector usage to "Nur wenn E-Mails an diese Domänen gesendet werden" (only when e-mails are sent to these domains).

4. Set routing to "E-Mail über diese Smarthosts weiterleiten" (route e-mail through these smart hosts) and enter the host name of the SEPPmail Secure E-Mail Gateway.

5. Set the security settings to "Immer TLS..." (always use TLS) with the option "Von einer vertrauenswürdigen Zertifizierungsstelle..." (certificate issued by a trusted certificate authority). This rejects a smart host that presents a self-signed or otherwise untrusted certificate.

6. Enter the check e-mail address for the connector validation.

Note: The validation always reports an error message in this setup. Please ignore it.

 


 

Result: screenshot in the original (not reproduced here).

 

 

Transport Rule

Regelname (rule name): [SEPPmail] - 200 Route outgoing e-mails to SEPPmail

Modus (mode): Enforce

Schweregrad (severity): Low

Absenderadresse (match sender address in message): Header

Bei Regelverarbeitungsfehlern (in case of rule processing errors): Ignore

 

Configure the Regelbeschreibung (rule description) so that the resulting configuration reads as follows:

Diese Regel anwenden wenn (apply this rule if):

Is sent to 'Outside the organization'

and sender's address domain portion belongs to any of these domains: 'secmail365.de'

and Is received from 'Inside the organization'

Gehen Sie wie folgt vor (do the following):

Route the message using the connector named '[SEPPmail] ExchangeOnline -> Appliance' (use the exact name of the outbound connector created in step A)

and Set audit severity to 'Low'

and set message header 'X-SM-maildirection' with the value 'outbound'

Außer wenn (except if):

Has a spam confidence level (SCL) that is greater than or equal to '9'

 

 

Result: screenshot in the original (not reproduced here).

 

 

B. Add a connector for the connection from the partner organisation in the direction of Office 365

1. New connector with the setting "Partnerorganisation" (from).

2. Enter a unique connector name, for example "[SEPPMAIL] APPLIANCE -> EXCHANGEONLINE", and select "Aktivieren" (turn it on).

3. Under "Gesendete E-Mail wird authentifiziert" (how Office 365 identifies the partner organisation), choose "Durch Überprüfung, ob die Absenderdomäne mit einer der folgenden Domänen übereinstimmt" (by verifying that the sender domain matches one of the following domains) and enter the domains.

4. Set the security settings to "E-Mails zurückweisen, wenn sie nicht über TLS gesendet werden" (reject e-mail messages if they are not sent over TLS) with the option "Und anfordern, dass der Antragstellername..." (and require that the subject name on the certificate the partner uses to authenticate with Office 365 matches this domain name), and enter the host name. The host name to enter here depends on the SSL certificate of the SEPPmail Secure E-Mail Gateway:

FQDN, for example secure.secmail365.com

*.yourdomain.tld (if a wildcard certificate is in use)

This certificate check is what binds the connector to the gateway: a sender that matches the domain list but presents a different certificate is rejected.

 

Result: screenshot in the original (not reproduced here).

 

Configuration of the SSL certificate on the SEPPmail gateway

Under Mail System Settings > Edit managed domain <name> > SSL Certificate (screenshot in the original, not reproduced here):

The certificate presented by the gateway must match, in its CN attribute, the host name configured in the certificate restriction of the connector [SEPPmail] Appliance -> ExchangeOnline. Otherwise Exchange Online rejects the TLS session and refuses inbound mail from the gateway.

 

This completes the partner connectors setup.
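The two partner connectors and the transport rule described above (Migration step B and the connector instructions), created with the ExchangeOnlineManagement module, as an added example; it is not part of the SEPPmail documentation and does not use the SEPPmail365 module. Assumptions, also marked in the comments: the gateway host name secure.secmail365.com and the customer domain secmail365.de from the examples on this page; '*' for the recipient domains of the outbound connector and the sender domains of the inbound connector, because the page leaves those values open and in inline mode every external recipient and sender passes the gateway; the outbound connector is scoped to the transport rule (IsTransportRuleScoped) so that the rule reproduced above is what routes mail to the gateway, whereas step 3 of the connector instructions selects the recipient-domain variant (if you follow that literally, omit IsTransportRuleScoped and restrict RecipientDomains instead); and the transport rule points at the outbound connector created here rather than at the connector name shown in the rule description above.

```powershell
# Added example (not from the SEPPmail documentation, and not the SEPPmail365 module).
# Requires the ExchangeOnlineManagement module and an account allowed to manage connectors.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

$Gateway        = 'secure.secmail365.com'   # FQDN of the gateway; must match the CN of its certificate
$CustomerDomain = 'secmail365.de'           # customer domain being migrated (example name from this page)
$OutboundName   = '[SEPPMAIL] EXCHANGEONLINE -> APPLIANCE (INLINE)'
$InboundName    = '[SEPPMAIL] APPLIANCE -> EXCHANGEONLINE'

# A. Office 365 -> partner organisation (the gateway).
#    TlsSettings CertificateValidation = "always use TLS, certificate from a trusted CA".
#    Assumption: scoped to the transport rule below instead of a recipient-domain list,
#    so that only mail matched by the rule is handed to the gateway.
New-OutboundConnector -Name $OutboundName `
    -ConnectorType Partner `
    -UseMXRecord $false `
    -SmartHosts $Gateway `
    -TlsSettings CertificateValidation `
    -RecipientDomains '*' `
    -IsTransportRuleScoped $true `
    -Enabled $true | Out-Null

# The page notes that the connector validation reports an error in this setup; run it only
# if you want to see that output yourself:
# Validate-OutboundConnector -Identity $OutboundName -Recipients "check@$CustomerDomain"

# B. Partner organisation (the gateway) -> Office 365.
#    TLS is required and the certificate subject name is pinned to the gateway FQDN:
#    a host that speaks TLS but presents another certificate is rejected.
#    Assumption: '*' as sender domains, because in inline mode all external senders arrive via the gateway.
New-InboundConnector -Name $InboundName `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -RequireTls $true `
    -TlsSenderCertificateName $Gateway `
    -RestrictDomainsToCertificate $true `
    -Enabled $true | Out-Null

# Transport rule with the conditions, actions and exception shown on this page,
# pointed at the outbound connector created above.
New-TransportRule -Name '[SEPPmail] - 200 Route outgoing e-mails to SEPPmail' `
    -Mode Enforce `
    -RuleErrorAction Ignore `
    -SenderAddressLocation Header `
    -SentToScope NotInOrganization `
    -SenderDomainIs $CustomerDomain `
    -FromScope InOrganization `
    -ExceptIfSCLOver 9 `
    -RouteMessageOutboundConnector $OutboundName `
    -SetAuditSeverity Low `
    -SetHeaderName 'X-SM-maildirection' `
    -SetHeaderValue 'outbound' | Out-Null

# Show the security-relevant properties of what was created.
Get-OutboundConnector -Identity $OutboundName |
    Format-List Name, SmartHosts, TlsSettings, IsTransportRuleScoped, RecipientDomains
Get-InboundConnector -Identity $InboundName |
    Format-List Name, SenderDomains, RequireTls, TlsSenderCertificateName, RestrictDomainsToCertificate
```

The two Get-* calls at the end are the check worth keeping: RequireTls, TlsSenderCertificateName and RestrictDomainsToCertificate on the inbound connector, and TlsSettings on the outbound connector, are the settings that prevent a third party from impersonating the gateway in either direction.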

 

  

Keyboard Navigation

F7 for caret browsing
Hold ALT and press letter

This Info: ALT+q
Topic Header: ALT+t
Topic Body: ALT+b
Contents: ALT+c
Search: ALT+s
Exit Menu/Up: ESC