Introduction

The CipherMail email encryption gateway is a mail transfer agent (MTA) designed to encrypt and decrypt both incoming and outgoing emails. As a general SMTP email server, it seamlessly integrates with any existing email infrastructure and can be positioned before or after current email servers. Typically configured as a “store and forward” server, the gateway temporarily holds emails until they are forwarded to their final destination.

The CipherMail gateway provides several methods for sending email securely, including S/MIME, OpenPGP, PDF encryption, and Webmail Messenger (Pro/Ent only). S/MIME and OpenPGP ensure authentication, message integrity, non-repudiation, and encryption-based protection against message interception. Both methods rely on a public key infrastructure (PKI) for encryption and digital signatures.

PDF encryption offers a simpler alternative to S/MIME and OpenPGP by automatically converting emails and attachments into password-protected PDF files.

CipherMail Webmail Messenger acts as a secure webmail pull delivery add-on for the CipherMail encryption gateway. When encryption rules dictate that a message needs to be secured, but S/MIME, OpenPGP, or PDF encryption cannot be used, the email is stored locally on the gateway. The recipient is notified of the new message and, upon receiving their first message, is prompted to choose a secure password. Recipients can access and reply to messages through any web browser.

Note

Some features are exclusively available in the professional edition of the CipherMail gateway. If a feature is limited to the professional edition, the icon Pro/Ent only will be displayed next to it.

A standard setup of the CipherMail gateway involves the following components:

  • Back-end service

  • Portal back-end service

  • Admin UI

  • Portal UI

  • Database

  • MTA (Postfix)

  • IMAP (required only for Webmail Messenger)

The back-end services expose a REST API, which can be utilized by a React-based user interface to manage the gateway. Additionally, a command-line interface (CLI) tool is available to configure the system directly from the command line. This CLI tool can also be used for scripting changes remotely, as it communicates with the REST API.

Tip

The majority of daily tasks can be handled through the web-based UI or via the command line using the CLI tool. However, certain advanced tasks are exclusively manageable through the CLI tool, which also supports remote functionality.

The gateway features a comprehensive permission model, where each action and setting is tied to a specific permission. Permissions can be grouped into roles, and administrators can be assigned multiple roles.

Network architecture

The CipherMail gateway is commonly installed as a store-and-forward server. It can be integrated into the existing infrastructure in various ways. The following configurations are the most common:

After content scanner

In this configuration, the CipherMail gateway is positioned between the content scanner and the Internet. This enables outgoing emails to be scanned—such as for viruses, SPAM, or sensitive and confidential information—before being encrypted, and allows incoming emails to be scanned after decryption.

Note

These are the most common setups. However, other setups are also supported as long as the connected systems utilize SMTP.

Encryption after content scanner, decryption before content scanner

Content scanner with redirect

In this configuration, the CipherMail gateway is positioned below the content scanner. When the content scanner determines that an email needs to be encrypted, such as through deep email inspection, it forwards the email to the CipherMail gateway for encryption. Once the CipherMail gateway encrypts the email, it returns it to the content scanner, which then delivers it to the final recipient. For incoming emails that are encrypted with S/MIME or PGP, they are first directed to the CipherMail gateway for decryption. The decrypted email is then sent back to the content scanner for review, and if approved, it is delivered to the internal user’s inbox.

Encryption and decryption controlled by content scanner
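The redirect topology above relies on two SMTP hops that are easy to get wrong: the content scanner must hand flagged mail to the gateway, and mail coming back from the gateway must not be handed to the gateway again. The following Postfix fragments, added here as an illustration and not taken from CipherMail's own configuration, show one way to wire the content scanner side when the scanner is itself Postfix-based. The host names, the IP addresses, the return port 10026 and the `X-Needs-Encryption` marker header are assumptions; how the scanner's policy engine decides to add the marker, and how the gateway is told to return mail to the scanner's listener, are product-specific and are not shown.

```ini
# Content scanner side of the "content scanner with redirect" topology.
# Added example, not CipherMail's own configuration. Three files are
# shown in one block; the section comments name the file each part
# belongs in. Hosts, addresses, port and marker header are assumptions.

# --- /etc/postfix/main.cf (content scanner) ---
# Route messages the scanner has flagged for encryption to the gateway.
header_checks = regexp:/etc/postfix/header_checks
# Trust loopback and the gateway (assumed address 192.0.2.10) so the
# gateway may submit returned mail to the listener defined in master.cf.
mynetworks = 127.0.0.0/8, 192.0.2.10/32

# --- /etc/postfix/header_checks (content scanner) ---
# The scanner's policy engine is assumed to add this marker after deep
# inspection. FILTER then hands the message to the gateway (assumed host
# gateway.example.internal) instead of delivering it directly.
/^X-Needs-Encryption:\s*yes/   FILTER smtp:[gateway.example.internal]:25

# --- /etc/postfix/master.cf (content scanner) ---
# Dedicated return listener for mail coming back from the gateway,
# both outbound mail after encryption and inbound mail after decryption.
# No content_filter and no header/body checks apply here, so a message
# that still carries the marker is not routed to the gateway a second
# time; the client restriction keeps this port private to mynetworks.
10026 inet n - n - - smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_client_restrictions=permit_mynetworks,reject
```

Two checks are worth running after such a change: confirm with `postmap -q` or a test message that a flagged message is queued for the gateway next-hop rather than delivered directly, and confirm that a message injected on port 10026 leaves the queue without a second FILTER action in the log, which is the symptom of a mail loop between scanner and gateway.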

Office 365 integration

In this configuration, the CipherMail gateway acts as a relay for Office 365. Emails sent from Office 365 to external recipients are routed through the CipherMail gateway. The gateway encrypts the emails and sends them back to Office 365. From there, the Office 365 SMTP servers deliver the messages to the intended recipients.

For incoming email that needs to be decrypted, the process begins with the email being delivered to Office 365. Office 365 then forwards the email to the CipherMail gateway for decryption. Once decrypted, the CipherMail gateway returns the email to Office 365, which finally delivers it to the recipient’s inbox.

Office 365 integration

Google Workspace integration

In this configuration, the CipherMail gateway acts as a relay for Google Workspace. Outgoing emails from Google Workspace to external recipients are routed through the CipherMail gateway, where they are encrypted. Once encrypted, the gateway sends the email back to Google Workspace, which then delivers it to the final recipients via its SMTP servers.

For incoming emails that require decryption, the process begins with the emails being delivered to Google Workspace. Google Workspace then forwards them to the CipherMail gateway for decryption. After decryption, the emails are sent back to Google Workspace, which finally delivers them to the user’s inbox.

Google Workspace integration

Note

For clarity, the examples above do not demonstrate how to configure multiple gateways in a high-availability (HA) cluster. However, HA cluster configuration is supported.