Enable Soft bounce

Configuring Office 365 and CipherMail requires a number of steps. If for whatever reason the CipherMail appliance cannot deliver email to Office 365, for example because Office 365 does not allow the gateway’s IP address to send email via Office 365, the email might get bounced (if Office 365 reports this as a 500 permanent error).

To prevent the CipherMail appliance from bouncing email, it is advised to enable the postfix soft_bounce setting. If soft_bounce is enabled, permanent SMTP errors, i.e., 5XX errors, will be treated as temporary errors, i.e., 4XX.

To enable soft_bounce, follow these steps:

  1. Log into CipherMail appliance.

  2. Open “MTA config file” page (Admin ‣ MTA ‣ Config, then click MTA config file)

  3. Add the following line to the end of postfix config file:

    soft_bounce = yes
    
  4. Click Apply

Note

If it is confirmed that the integration of CipherMail and Office 365 is successful and has been proven to be stable, you might consider disabling the soft_bounce setting.

Encrypt outgoing email

To setup encryption for outgoing email from Office 365 to external recipients, the following steps must be taken:

  1. Create lookup table for the Office 365 IP range

  2. Create a list of valid sender domains

  3. Configure postfix to only allow incoming email from Office 365 for valid domains

  4. Configure Office 365 connector to relay email from Office 365 to CipherMail appliance

  5. Setup a transport rule to relay via CipherMail appliance

  6. Configure Office 365 incoming connector to accept email from CipherMail appliance

  7. Configure the CipherMail appliance to relay email to the final recipients via Office 365.

Office 365 IP range lookup table

The CipherMail appliance should only relay email to external recipients if the request comes from an IP address used by Office 365. The CipherMail appliance contains a module which uses a Microsoft web service to retrieve the IP range used by Office 365.

To load the Office 365 IP range, follow these steps:

  1. Login to CipherMail admin GUI

  2. Open “MTA client access list providers” page (Admin ‣ MTA ‣ Client access list)

  3. Click on the “cog” icon for the “Office 365 SMTP endpoints” entry

  4. On the “Client access list for Office 365 SMTP endpoints” page, click the Load list button. The CipherMail appliance will now connect to the Microsoft web service to retrieve the Office 365 IP range

  5. Click Copy to lookup table to save the IP range to the “cidr-o365-ip-range.map” map file.

Office 365 Client access list

List of valid sending domains

To make sure the CipherMail appliance will only relay email for your domains, all of your Office 365 hosted domains should be added to the list of authorized sending domains.

  1. Login to CipherMail admin GUI

  2. Open ” MTA lookup tables” page (Admin ‣ MTA ‣ Lookup tables)

  3. Click Add lookup table to open the “Add MTA lookup table” page

  4. Set “Map Type” to “hash”

  5. Set “Name” to “exchange-online-authorized-senders”

  6. Add the following line to allow validation emails from Office 365

    <> exchange_online_checks

    Tip

    This entry can optionally be removed after the relay connector is validated (see Configure Office 365 relay connector)

  7. For each of the hosted Office 365 domains, add a line that maps your domain to a postfix restriction class:

    example.com exchange_online_checks

    where example.com should be replaced by your Office 365 hosted domain.

  8. Click Add to add the new lookup table.

Note

The postfix restriction class exchange_online_checks, which will be added in a later step, is used to restrict incoming IP addresses to the Office 365 IP range.

Configure postfix restrictions

Postfix should now be configured to allow relaying from Office 365.

  1. Log into CipherMail appliance

  2. Open “MTA config file” page (Admin ‣ MTA ‣ Config, then click MTA config file)

  3. Add the following check_client_access line to smtpd_recipient_restrictions setting:

    check_client_access cidr:${maps_d_dir}/cidr-o365-ip-range.map

    Resulting smtpd_recipient_restrictions should look like:

    smtpd_recipient_restrictions = permit_mynetworks
        check_client_access cidr:${maps_d_dir}/cidr-o365-ip-range.map
        reject_unauth_destination
        check_client_access hash:/etc/postfix/client-whitelist
        check_client_access hash:/etc/postfix/client-blacklist
        ${djigzo_rbl_clients}
        ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
    
  4. Add the following check_sender_access line to smtpd_relay_restrictions setting:

    check_sender_access hash:${maps_d_dir}/hash-exchange-online-authorized-senders.map

    Resulting smtpd_relay_restrictions should look like:

    smtpd_relay_restrictions = permit_mynetworks
        check_sender_access hash:${maps_d_dir}/hash-exchange-online-authorized-senders.map
        permit_sasl_authenticated
        reject_unauth_destination
    
  5. Add restriction class for Office 365

    Add the following lines to the end of postfix config file:

    smtpd_restriction_classes = exchange_online_checks
    exchange_online_checks = check_client_access cidr:${maps_d_dir}/cidr-o365-ip-range.map
    
  6. Click Apply

Configure Office 365 relay connector

To relay email from Office 365 via the CipherMail appliance, add a new mail flow connector.

  1. Log into “Exchange admin center”

  2. Click mail flow (lef-hand side menu)

  3. Click connectors (top menu)

  4. Add a new connector by clicking +

  5. In from field, select “Office 365”

  6. In to field, select “Your organization’s email server”. Click Next

  7. Give the connector a name (for example “Relay via CipherMail”) and optionally a description. Click Next

  8. Select “Only when I have a transport rule set up that redirects messages to this connector”. Click Next

  9. Add a new smart host by clicking +

  10. Specify the fully qualified hostname of the CipherMail appliance (for example ciphermail.example.com). Click Save and Click Next

  11. Make sure “Always use Transport Layer Security (TLS) to secure the connection” and “Issued by a trusted certificate authority (CA)” is selected. For additional security, you can optionally enable domain name validation. Click Next

  12. In the next step, the connector will be validated by sending an email from Office 365 via the connector. Add a valid email address on which you will receive a test email and click Validate

  13. After a successful validation, click Save.

New Office 365 relay connector
Office 365 connector validation

Setup a transport rule

Because we selected “Only when I have a transport rule set up that redirects messages to this connector” in the previous section, we need to add a transport rule which triggers the redirect.

Tip

A rule will only be active when the rule is triggered. This allows you to be selective which emails are handled by the CipherMail appliance. There are various ways a rule can be triggered. For example, the rule can be triggered if:

  • the subject contains a certain keyword

  • the email is sent by a specfic user

  • the email recipient matches some domain

  • the email contains some header

In this example we will trigger the rule if the subject contains the keyword [secure].

  1. Log into “Exchange admin center”

  2. Click mail flow (lef-hand side menu)

  3. Click rules (top menu)

  4. Add a new rule by clicking + and selecting Create a new rule… from the pull-down menu

  5. On the “new rule” dialog, give the rule a name. For example: “Relay via CipherMail”

  6. In the “Apply this rule if..” field, select “The recipient is located…” and then select “Outside the organization”. Click OK

  7. Because we need to add an additional trigger, we need to view more options. Click More options…

  8. Click add condition, select “The subject or body…” and then select “subject includes any of these words”

  9. Add the subject keyword that triggers the rule. For this example we will set it to: [secure]. Click + to add the keyword. Click OK

  10. In the “Do the following…” field, select “Redirect the message to…” and select “the following connector”

  11. Select the connector we added in section Configure Office 365 relay connector. Click OK

  12. Click add exception

  13. Select “The sender IP address is in any of these ranges or exactly matches”

  14. Specify the IP address of the CipherMail gateway. Click + and then OK

  15. Leave the other settings to the default values. Click Save.

Now every email sent from Office 365 for which the subject contains the keyword [secure] will be delivered via the CipherMail appliance.

New rule

Configure Office 365 incoming connector

While it’s possible to let the CipherMail appliance deliver email to the final recipients, it’s better to use the Office 365 SMTP infrastructure to deliver email to the final recipients.

We therefore need to setup a connector in Office 365 which accepts incoming connections from the CipherMail appliance.

  1. Log into “Exchange admin center”

  2. Click mail flow (lef-hand side menu)

  3. Click connectors (top menu)

  4. Add a new connector by clicking +

  5. In from field, select “Your organization’s email server”

  6. In to field, select “Office 365”. Click Next

  7. Give the connector a name (for example “Accept from CipherMail”) and optionally a description. Leave other settings to the default value. Click Next

  8. In “How should Office 365 identify email from your email server?” select “By verifying that the IP address…”. Click + and add the IP address of the CipherMail appliance. Click OK, Click Next

  9. On the final page, click Save.

Configure CipherMail to relay via Office 365

Because we want Office 365 to deliver all email to final recipients, we need to configure CipherMail to relay all email via Office 365.

  1. Log into CipherMail appliance

  2. Open “MTA config” page (Admin ‣ MTA ‣ Config)

  3. Set “Internal relay host” field to <your-o365-domain>.mail.protection.outlook.com

  4. Set “External relay host” field to <your-o365-domain>.mail.protection.outlook.com

  5. Click Apply.

Note

<your-o365-domain> should be replaced by your default Office 365 domain name with “.” characters replaced by “-“

Example: if your default Office 365 hosted domain is ciphermail.example.com, set “Internal relay host” field to ciphermail-example-com.mail.protection.outlook.com

Mandatory TLS

To make sure email sent from the CipherMail appliance to Office 365 cannot be intercepted, we need to configure mandatory TLS for the connection to Office 365.

  1. Login to CipherMail admin GUI

  2. Open ” MTA lookup tables” page (Admin ‣ MTA ‣ Lookup tables)

  3. Click Add lookup table to open the “Add MTA lookup table” page

  4. Set “Map Type” to “hash”

  5. Set “Name” to “tls-policy”

  6. Add the following line

    [<your-o365-domain>.mail.protection.outlook.com]:25 verify match=mail.protection.outlook.com

  7. Click Add to add the new lookup table

  8. Open “MTA config file” page (Admin ‣ MTA ‣ Config, then click MTA config file)

  9. Add the following lines to the end of postfix config file:

    smtp_tls_policy_maps = hash:${maps_d_dir}/hash-tls-policy.map

  10. Click Apply

Note

<your-o365-domain> should be replaced by your default Office 365 domain name with “.” characters replaced by “-“

Example: if your default Office 365 hosted domain is ciphermail.example.com, set “Internal relay host” field to ciphermail-example-com.mail.protection.outlook.com

Test relay

Test whether relaying via Office 365 is correctly setup and allowed:

  1. Log into CipherMail appliance

  2. Open the “Compose a test email” page (Admin ‣ Other ‣ Send email)

  3. On the “Compose a test email” page, set “To” to a valid external recipient

  4. Select a valid “Subject”

  5. Click “More” to enable additional settings

  6. Set “Sender” to a valid sender from your Office 365 domain

  7. Provide a body text

  8. Click Send

  9. Open the MTA log (Logs ‣ MTA) and check whether the email was successfully relayed via Office 365.

Decrypt incoming email

With Office 365, email for your domain is delivered to Office 365 (assuming your MX records are setup for Office 365). If you want the CipherMail gateway to decrypt incoming S/MIME or PGP encrypted email, incoming email should, at some point, be handled by the CipherMail gateway.

Note

You only need to setup incoming email encryption if you use the CipherMail gateway and use S/MIME or PGP. If you only use PDF encryption or Webmail Messenger, you can skip this part.

One option is to re-configure your MX records so that email for your domains is directly delivered to your CipherMail gateway. The CipherMail gateway should then deliver the email to Office 365.

Another option is to configure Office 365 to deliver incoming email to the CipherMail gateway which will then sends it back to Office 365 after decryption. To prevent a mail loop, Office 365 should only forward the email to the CipherMail gateway if the email was not already handled by the CipherMail gateway. The main benefit of this setup, is that Office 365 will be the first entry point for your email and can therefore check incoming email for viruses or spam.

To configure forwarding incoming email to CipherMail gateway for decryption, the following steps are required:

  1. Log into “Exchange admin center”

  2. Click mail flow (lef-hand side menu)

  3. Click rules (top menu)

  4. Add a new rule by clicking + and selecting Create a new rule… from the pull-down menu

  5. Give the rule a name. For example: “CipherMail decrypt”

  6. In the “Apply this rule if..” field, select “The recipient is located…” and then select “Inside the organization”. Click OK

  7. Click More options…

  8. In the “Do the following…” field, select “Redirect the message to…” and select “the following connector”

  9. Select the connector we added in section Configure Office 365 relay connector. Click OK

  10. Click add exception

  11. Select “The sender is located…” and then select “Inside the organization”. Click OK

  12. Click add exception

  13. Select “The sender IP address is in any of these ranges or exactly matches”

  14. Specify the IP address of the CipherMail gateway. Click + and then OK

  15. Leave the other settings at their default value and click Save

Incoming to CipherMail

In the Ciphermail appliance, add all the Office 365 domains to the “Relay domain” list.

  1. Log into CipherMail appliance

  2. Open “MTA config” page (Admin ‣ MTA ‣ Config)

  3. For each of your Office 365 hosted domains, add the domain as a “Relay Domain”

  4. Click Apply