Portal split-mode (Pro/Ent only)

The CipherMail Gateway includes built-in portal functionality that allows external users to access secure messages through a web browser.

For enhanced security in production environments, it is recommended to separate the gateway into two distinct components: an internal gateway and an external gateway. The internal gateway contains the sensitive cryptographic material, including private keys used for signing and decrypting messages. This component should be placed in your protected internal network, isolated from direct Internet access. The external gateway hosts the portal functionality and should be positioned in a network zone that is accessible from the Internet, such as a demilitarized zone (DMZ). This allows external users to securely access their messages without exposing your internal cryptographic keys to Internet-facing systems.

In this split configuration, secure email messages that need to be delivered through the portal are first processed by the internal gateway. The internal gateway then forwards these messages to the external gateway using the SMTP protocol. The external gateway receives the messages and makes them available to external users through the web portal interface. This architecture provides several security benefits. By keeping your private encryption and signing keys on the internal gateway, you minimize the risk of key compromise from Internet-based attacks. The external gateway only handles the presentation of already-processed messages to end users, without requiring access to sensitive cryptographic material. Both gateway components work together seamlessly to provide secure message delivery while maintaining strong security boundaries between your internal network and external users.

Figure: CipherMail Portal Split-Mode

To set up the split-mode portal, install and configure a main gateway and a portal gateway.

Main gateway

Configure the main gateway using the same procedure as a standard gateway deployment. If you have an existing operational gateway, you may continue using your current gateway configuration.

To configure split-mode, create an Ansible override file /etc/ciphermail/ansible/group_vars/all/split-mode.yml with the following content:

---
# route email for PDF Messenger OTP mode and Webmail to the remote portal
ciphermail_backend__remote_portal_enabled: true

After creating the override file, you need to run the playbook to apply the changes:

sudo cm-run-playbook

After running the playbook, email for the portal will be relayed to the private domain @relay-to-webmail.private. This applies to both PDF one-time password mode and Webmail Messenger.

To send emails from the private portal domain through the portal gateway, you need to add an SMTP transport rule.

To set up a transport rule, follow these steps:

  1. Open the “MTA Maps” page MTA ‣ Maps

  2. Select the transport-maps line

  3. Add the following line:

    relay-to-webmail.private smtp:[<portal-server>]

    Replace <portal-server> with the FQDN or IP address of the portal server.

  4. Click Save to save the changes

With the above changes, email for Webmail Messenger and PDF OTP will be delivered to the remote portal server.

Emails that need to be processed by Webmail Messenger on the remote portal server will include the following header:

X-Keep-CipherMail-To-Webmail: True

Emails that need to be processed by PDF Messenger on the remote portal server will include the following header:

X-Keep-CipherMail-To-PDF-OTP: True

You can configure the remote portal server to use header-based triggers to start Webmail Messenger or PDF Messenger.

Portal gateway

Configure the portal gateway using the same procedure as a standard gateway deployment.

Hint

To ensure secure email transmission, configure the portal gateway to use either Webmail or PDF OTP based on your security requirements. Once configured, all emails sent through the portal gateway will be transmitted securely.

To configure the portal gateway to accept email from the main gateway, complete the following steps:

  1. Add the IP address of the main gateway to the MTA “MyNetworks” list

  2. Add the private domain and enable domain rewriting

  3. Add header triggers

Add IP to MyNetworks list

Open the MTA settings page MTA ‣ Settings, then add the IP address of the main gateway to the “MyNetworks” list and click Save to save the changes.

Add private domain and enable domain rewriting

ciphermail-cli domain add --domain relay-to-webmail.private
ciphermail-cli property domain set --domain relay-to-webmail.private --name revert-rewrite-recipient --value true

Add header triggers

ciphermail-cli property global set --name trigger-webmail-header --value "X-Keep-CipherMail-To-Webmail: True"
ciphermail-cli property global set --name trigger-webmail-header-enabled --value true

ciphermail-cli property global set --name trigger-otp-encryption-header --value "X-Keep-CipherMail-To-PDF-OTP: True"
ciphermail-cli property global set --name trigger-otp-encryption-header-enabled --value true
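The following is an added example, not CipherMail's own code: it models the decisions the two gateways make once the configuration above is in place (tag and rewrite on the main gateway, transport lookup, MyNetworks and private-domain checks plus header trigger and revert-rewrite on the portal gateway). The header names, values and private domain are the ones from this page; the transport target, the main gateway IP and the local-part encoding used for the revert step are assumptions of the model.

```python
"""Model of the split-mode flow (added example, not CipherMail code). Header
names/values and the private domain are the page's; transport target, main
gateway IP and the 'local#domain' encoding are assumptions of this model."""
import ipaddress
from email.message import EmailMessage

PRIVATE_DOMAIN = "relay-to-webmail.private"
TRIGGERS = {  # the trigger-*-header global properties set on the portal gateway
    "webmail": ("X-Keep-CipherMail-To-Webmail", "True"),
    "pdf-otp": ("X-Keep-CipherMail-To-PDF-OTP", "True"),
}
TRANSPORT_MAP = {PRIVATE_DOMAIN: "smtp:[portal.example.internal]"}  # constructed
MY_NETWORKS = [ipaddress.ip_network("10.0.1.10/32")]  # main gateway IP, constructed


def main_gateway_route(msg: EmailMessage, mode: str) -> tuple[str, str]:
    """Main gateway: add the trigger header, rewrite the recipient into the
    private domain and look that domain up in the transport map."""
    name, value = TRIGGERS[mode]
    msg[name] = value
    local, domain = msg["To"].rsplit("@", 1)
    rewritten = f"{local}#{domain}@{PRIVATE_DOMAIN}"  # assumed encoding
    return rewritten, TRANSPORT_MAP[PRIVATE_DOMAIN]


def portal_gateway_accept(msg: EmailMessage, rcpt: str, client_ip: str) -> tuple[str, str]:
    """Portal gateway: relay only from MyNetworks and only for the private domain;
    a matching trigger header selects the mode, revert-rewrite restores the address."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in MY_NETWORKS):
        raise PermissionError("client not in MyNetworks; relay refused")
    local, domain = rcpt.rsplit("@", 1)
    if domain != PRIVATE_DOMAIN:
        raise ValueError("not the private relay domain")
    mode = next((m for m, (name, value) in TRIGGERS.items()
                 if (msg.get(name) or "").strip() == value), None)
    if mode is None:
        raise ValueError("no header trigger matched; nothing to deliver")
    return mode, local.replace("#", "@", 1)  # revert-rewrite-recipient


def run_flow(mode: str = "webmail", client_ip: str = "10.0.1.10") -> tuple[str, str, str, str]:
    """End-to-end run of a constructed message through both gateways."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.org"
    msg.set_content("secure message body (constructed)")
    rcpt, transport = main_gateway_route(msg, mode)
    got_mode, original = portal_gateway_accept(msg, rcpt, client_ip)
    return rcpt, transport, got_mode, original
```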