Initial situation:
The SEPPmail Secure E-Mail Gateway is operated with client capability. This implies that special security measures are taken.
Question:
What should be explicitly considered in client-capable environments?
Answer:
To secure the route between the SEPPmail Secure E-Mail Gateway and the customers' email servers (and back), TLS is usually used at the level Fingerprint or Secure, but at least Verify.
The options for configuring the TLS connection to the customers' email servers in the SEPPmail Secure E-Mail Gateway are found in the settings of the respective Managed domain (see ) under TLS settings. To ensure that the SEPPmail Secure E-Mail Gateway accepts only TLS-secured connections, the option Mail System > SMTP Settings > Require TLS encryption should also be activated.
The secure connection from the email server to the SEPPmail Secure E-Mail Gateway must be configured on the respective email server.
In this context, the article Admin: Manage Multiple SMTP Authentications might be relevant.
If applicable, the connection may also be secured via a VPN tunnel. However, this must be realised via external components. The SEPPmail Secure E-Mail Gateway does not natively provide the option to create a VPN tunnel.
As a further security measure, relaying must be restricted per Managed domain under Settings > Allowed sending servers for this domain (leave empty to allow all relaying networks). Note: Entering an address here does not automatically allow relaying; if applicable, the Header check must also be enabled.
Even with the setting Exchange Online Integration active, the entry Allowed sending servers for this domain is mandatory. As a rule, these will be the IP addresses of additional servers outside Exchange Online that are authorised to relay within the Managed domain, for example a web server that is allowed to send emails. If no additional server is allowed to relay, an entry must still be made here; in that case a private (pseudo) IP address must be entered, which ensures that it can never be routed to the SEPPmail Secure E-Mail Gateway.
Also recommended, under Mail Processing > Ruleset generator > Protection pack, is the option Reject incoming emails with spoofed sender domain. When this option is used, the Relaying IPs (in mixed infrastructures also the Exchange Online Relaying IPs) must additionally be entered in the Mail System menu under Manual blocklisting / welcomelisting with the action accept.
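The relaying rules just described (an empty Allowed sending servers list permits all relaying networks, a placeholder entry must be a private address, and with the spoofed-sender option every relaying network needs a welcomelist entry with action accept) as a small configuration audit. This is an added example, not SEPPmail's own code or export format; the dict/tuple layout and the extra_relays flag are assumptions made for the example.

```python
import ipaddress

def _net(text):
    """Parse an IP address or CIDR network; a bare address becomes a /32 or /128."""
    return ipaddress.ip_network(text, strict=False)

def audit_allowed_senders(domain, allowed_senders, extra_relays):
    """Findings for one Managed domain's 'Allowed sending servers' entry.

    extra_relays is True when servers other than the gateway's relaying
    networks (e.g. a web server) really are supposed to send for this domain
    (assumed flag for this example, not a gateway setting).
    """
    if not allowed_senders:
        # An empty list means "allow all relaying networks": no per-tenant restriction.
        return [f"{domain}: Allowed sending servers is empty, all relaying networks may send"]
    findings = []
    for entry in allowed_senders:
        try:
            net = _net(entry)
        except ValueError:
            findings.append(f"{domain}: '{entry}' is not a valid IP address or network")
            continue
        if not extra_relays and not net.is_private:
            # Without real extra servers the entry is only a mandatory placeholder,
            # which must be a private (pseudo) address that can never reach the gateway.
            findings.append(f"{domain}: placeholder '{entry}' is not a private address")
    return findings

def audit_spoof_protection(relaying_networks, welcomelist, reject_spoofed):
    """With 'Reject incoming emails with spoofed sender domain' enabled, every
    relaying network must be covered by a welcomelist entry with action 'accept'."""
    if not reject_spoofed:
        return []
    accepted = [_net(n) for n, action in welcomelist if action == "accept"]
    findings = []
    for entry in relaying_networks:
        rel = _net(entry)
        covered = any(rel.version == acc.version and rel.subnet_of(acc) for acc in accepted)
        if not covered:
            findings.append(f"relaying network {entry} is not welcomelisted with action accept")
    return findings

if __name__ == "__main__":
    # Constructed sample settings for two tenants and one relaying configuration.
    print(audit_allowed_senders("tenant-a.example", [], extra_relays=False))
    print(audit_allowed_senders("tenant-b.example", ["10.99.99.99"], extra_relays=False))
    print(audit_spoof_protection(["10.1.0.0/24", "203.0.113.10"],
                                 [("10.1.0.0/16", "accept"), ("203.0.113.10", "block")],
                                 reject_spoofed=True))
```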
In pure Exchange Online infrastructures, it is imperative to ensure that the SEPPmail Secure E-Mail Gateway can be reached on port 25 only from the Exchange Online Relaying IPs. If the SEPPmail Secure E-Mail Gateway is hosted in Microsoft Azure, this can be realised via the filters of the virtual machine (see also the second warning under Exchange Online Configuration).