Introduction
The CipherMail email encryption gateway is a mail transfer agent (MTA) designed to encrypt and decrypt both incoming and outgoing emails. As a general SMTP email server, it seamlessly integrates with any existing email infrastructure and can be positioned before or after current email servers. Typically configured as a “store and forward” server, the gateway temporarily holds emails until they are forwarded to their final destination.
The CipherMail gateway provides several methods for sending email securely, including S/MIME, OpenPGP, PDF encryption, and Webmail Messenger. S/MIME and OpenPGP ensure authentication, message integrity, non-repudiation, and encryption-based protection against message interception. Both methods rely on a public key infrastructure (PKI) for encryption and digital signatures.
PDF encryption offers a simpler alternative to S/MIME and OpenPGP by automatically converting emails and attachments into password-protected PDF files.
CipherMail Webmail Messenger acts as a secure webmail pull delivery add-on for the CipherMail encryption gateway. When encryption rules dictate that a message needs to be secured, but S/MIME, OpenPGP, or PDF encryption cannot be used, the email is stored locally on the gateway. The recipient is notified of the new message and, upon receiving their first message, is prompted to choose a secure password. Recipients can access and reply to messages through any web browser.
Note
Some features are exclusively available in the professional edition of the CipherMail gateway. If a feature is limited to the professional edition, a professional edition icon is displayed next to it.
A standard setup of the CipherMail gateway involves the following components:
Back-end service
Portal back-end service
Admin UI
Portal UI
Database
MTA (Postfix)
IMAP (required only for Webmail Messenger)
The back-end services expose a REST API, which can be utilized by a React-based user interface to manage the gateway. Additionally, a command-line interface (CLI) tool is available to configure the system directly from the command line. This CLI tool can also be used for scripting changes remotely, as it communicates with the REST API.
Tip
The majority of daily tasks can be handled through the web-based UI or via the command line using the CLI tool. However, certain advanced tasks are exclusively manageable through the CLI tool, which also supports remote functionality.
The gateway features a comprehensive permission model, where each action and setting is tied to a specific permission. Permissions can be grouped into roles, and administrators can be assigned multiple roles.
Network architecture
The CipherMail gateway is commonly installed as a store-and-forward server. It can be integrated into the existing infrastructure in various ways. The following configurations are the most common:
After content scanner
In this configuration, the CipherMail gateway is positioned between the content scanner and the Internet. This enables outgoing emails to be scanned—such as for viruses, SPAM, or sensitive and confidential information—before being encrypted, and allows incoming emails to be scanned after decryption.
Note
These are the most common setups. However, other setups are also supported as long as the connected systems utilize SMTP.
Content scanner with redirect
In this configuration, the CipherMail gateway is positioned below the content scanner. When the content scanner determines that an email needs to be encrypted, such as through deep email inspection, it forwards the email to the CipherMail gateway for encryption. Once the CipherMail gateway has encrypted the email, it returns it to the content scanner, which then delivers it to the final recipient. Incoming emails encrypted with S/MIME or PGP are first directed to the CipherMail gateway for decryption. The decrypted email is then sent back to the content scanner for review and, if approved, is delivered to the internal user’s inbox.
Office 365 integration
In this configuration, the CipherMail gateway acts as a relay for Office 365. Emails sent from Office 365 to external recipients are routed through the CipherMail gateway. The gateway encrypts the emails and sends them back to Office 365. From there, the Office 365 SMTP servers deliver the messages to the intended recipients.
For incoming email that needs to be decrypted, the process begins with the email being delivered to Office 365. Office 365 then forwards the email to the CipherMail gateway for decryption. Once decrypted, the CipherMail gateway returns the email to Office 365, which finally delivers it to the recipient’s inbox.
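The Office 365 relay described above, expressed as Exchange Online connector and mail flow rule configuration. This is an added example, not part of the CipherMail documentation or a CipherMail-provided script; the gateway hostname, its IP address and the Content-Type match used to recognise encrypted incoming mail are assumptions.

```powershell
# Added example (not from the CipherMail documentation): Exchange Online
# connectors and mail flow rules for the Office 365 relay topology.
# Placeholders: gateway.example.com is the gateway's public hostname and
# 203.0.113.10 its public IP address.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# 1. Outbound connector: the smart host Office 365 hands mail to for
#    encryption/decryption. Certificate validation means Exchange Online
#    only relays to a gateway presenting a valid certificate for that name,
#    so a DNS or routing change cannot divert plaintext mail elsewhere.
New-OutboundConnector -Name "To CipherMail gateway" `
    -ConnectorType OnPremises `
    -UseMXRecord $false `
    -SmartHosts "gateway.example.com" `
    -TlsSettings CertificateValidation `
    -IsTransportRuleScoped $true `
    -Enabled $true

# 2. Inbound connector: accepts mail coming back from the gateway. Requiring
#    TLS and pinning the sender certificate name stops other hosts from
#    injecting mail that Office 365 would treat as already processed.
New-InboundConnector -Name "From CipherMail gateway" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName "gateway.example.com" `
    -Enabled $true

# 3. Outgoing flow: route mail for external recipients to the gateway.
#    The exception on the gateway's IP is the loop guard: mail the gateway
#    has already encrypted and returned must not be sent to it again.
New-TransportRule -Name "Outgoing: encrypt via CipherMail" `
    -SentToScope NotInOrganization `
    -ExceptIfSenderIpRanges "203.0.113.10" `
    -RouteMessageOutboundConnector "To CipherMail gateway"

# 4. Incoming flow: hand S/MIME or PGP/MIME encrypted mail from the Internet
#    to the gateway for decryption, again skipping mail returning from it.
New-TransportRule -Name "Incoming: decrypt via CipherMail" `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader "Content-Type" `
    -HeaderContainsWords "application/pkcs7-mime", "multipart/encrypted" `
    -ExceptIfSenderIpRanges "203.0.113.10" `
    -RouteMessageOutboundConnector "To CipherMail gateway"

# Check: connector settings and both rules present and enabled.
Get-OutboundConnector "To CipherMail gateway" | Format-List Name, SmartHosts, TlsSettings, Enabled
Get-TransportRule | Where-Object Name -like "*CipherMail*" | Format-Table Name, State
```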
Google Workspace integration
In this configuration, the CipherMail gateway acts as a relay for Google Workspace. Outgoing emails from Google Workspace to external recipients are routed through the CipherMail gateway, where they are encrypted. Once encrypted, the gateway sends the email back to Google Workspace, which then delivers it to the final recipients via its SMTP servers.
For incoming emails that require decryption, the process begins with the emails being delivered to Google Workspace. Google Workspace then forwards them to the CipherMail gateway for decryption. After decryption, the emails are sent back to Google Workspace, which finally delivers them to the user’s inbox.
Note
For clarity, the examples above do not demonstrate how to configure multiple gateways in a high-availability (HA) cluster. However, HA cluster configuration is supported.