The migration of an existing SEPPmail Secure E-Mail Gateway into seppmail.cloud consists of the following steps, which must be carried out in the order described.
Sections on this page:
Preparatory tasks
On the side of the existing SEPPmail Secure E-Mail Gateway
- SEPPmail Secure E-Mail Gateway must be operated in multi-tenant mode.
If the SEPPmail Secure E-Mail Gateway is not yet multi-tenant-capable, this must be enabled by SEPPmail Support. Please share the device IDs of the affected SEPPmail Secure E-Mail Gateway. If the multi-tenancy has been freshly activated, it is recommended to name the customers (tenants) in the SEPPmail Secure E-Mail Gateway the same as in the seppmail.cloud. For this, enter the same names in the SEPPmail Secure E-Mail Gateway in the field "Customer (free text field)" and in the seppmail.cloud in the field "Tenant ID = Tenant". For the next steps in the SEPPmail Secure E-Mail Gateway please refer to the SEPPmail Secure E-Mail Gateway manual, chapter Migration Preparation from SEPPmail Secure E-Mail Gateway on premises to seppmail.cloud / MSP, sections a) to j).
- The SEPPmail Secure E-Mail Gateway from which the export should take place should be on the newest software version.
- Please report to the SEPPmail Support any policies, custom commands or settings that deviate from the default so that further migration steps can be planned for them, if necessary.
- If domain certificates of communication partners were manually imported into the appliance, these must be submitted separately to SEPPmail Support.
On the side of seppmail.cloud
- Create tenant and managed domain on the seppmail.cloud as in the case of other connections. Afterwards, all services must be in the status "provisioned" (possibly with the exception of SC-SIGENC due to hostname transfer for GINA). In many cases it is desirable that the previously existing GINA users still can decrypt their older messages. For this, the hostname must be same in the seppmail.cloud as in the existing SEPPmail Secure E-Mail Gateway. Usually, in the seppmail.cloud "securemail.kunde.tld" is used as hostname for GINA. If in a specific case another hostname should be used, please inform the support@seppmail.com.
- Test the mail flow from/via/to seppmail.cloud as in the case of other connections.
- Reduce the TTLs of the DNS entries to e.g. 300 seconds.
At the time of migration
On the side of the existing SEPPmail Secure E-Mail Gateway
- Export of the tenant (customer) from the existing appliance by the partner.
We recommend to do the export shortly before the migration. Otherwise, internal or GINA users that are created between export and import will be missing in the new environment.
On the side of seppmail.cloud
- Stop of the mail flow in the seppmail.cloud.
- Upload the export file as described under Partner Portal - Self Service Import.
In the import, the internal users and the GINA user, the domain certificates of the own domain and the "collected" S/MIME certificates of the tenant are imported. - If necessary, change of the DNS entries for the GINA hostname and the deployment of GINA by the SEPPmail Support.
- Switch the mail flow from/via/to seppmail.cloud as in the case of other connections.
After the import, all settings must be checked by the Tenant administrator via login.seppmail.cloud.
After the migration
- Any ongoing MPKI contract with a certificate issuer (e.g. SwissSign, Quovadis, etc.) should be terminated at a suitable time after the migration. Since the seppmail.cloud has a global MPKI contract, a separate contract is no longer necessary.
- The logs of the previous appliance(s) should be checked regularly for a while to discover any mailflows that were not previously known / switched (for example, a sporadically occurring mailflow such as a weekly dispatch by a special application or similar). Afterwards, the previous infrastructure can first be switched off and then dismantled. We recommend keeping the backups/exports from the appliance for a certain period of time.
