Installation
Secure Email installation profile options
All outgoing e-mails can be sent through Secure Email server (smart host) or only e-mails marked with ‘.s’ can be routed. There are three ways that Secure Email server can be located in a network:
• Secure Email can use standard SMTP-gateway (relay host) to transport all messages (outgoing notification messages and incoming reply and D-Compose messages) (See Example 1) • Secure Email can use standard SMTP-gateway to transport incoming messages (reply and Dcompose messages). Notification messages are sent directly to Internet from Sec@GW. (See Example 2) • Secure Email can act as a SMTP-gateway and send notification messages directly to Internet and incoming messages (reply and D-Compose messages) directly back to mail server. For example when there is no SMTP-gateway at use. (See Example 3)
Example 1. Network layout (using SMTP-gateway)
Example 2. Network layout (using SMTP-gateway incoming only)
Example 3. Network layout (without SMTP-gateway)
• SMS-Gateway: Secure Email can use modem or existing SMS-gateway. A PIN code is sent to receiver’s SMS-gateway by using SMTP or HTTPS protocol.
Configuration
Accepted networks or IP addresses of mail servers that are allowed to send outgoing mail and outgoing mail routing (default route for outgoing mail; IP address) must be defined for configuration. Also default route for incoming mail; IP address (all incoming mail is routed to the following IP address, unless a different route is specified) and incoming mail domains (domains that are allowed to receive mail from Internet).
Network connections and IP addresses
Servers are placed in to the network so that a secure or reliable connection to mail servers (typically to DMZ) can be made. Secure Email server requires one to three public IP addresses. One IP address (eth0:0 adapter) will be used as a cluster address through which e-mail traffic is relayed. This IP address is used by the active machine. If NAT is used in address translation, information of both public and network address translated addresses is needed.
Options:
It is recommended that web-based management tool is separated from public network by defining DCenter with its own IP address and own port (default 443).
For customized customer environments (eth0:x --adapters), additional IP addresses are needed. For these IP addresses port 443 should be opened from Internet. Customized customer's all traffic (SMTP, HTTPS) is routed through the virtual IP address (eth0:x).
For example:
Customer X: eth0:1
Customer Y: eth0:2
Cluster net (duplicated system)
Servers are in constant contact with each other concerning data and setting replication as well as automated monitoring. In order for the two servers to monitor each other, a dedicated connection is required (minimum of 100mbit full-duplex). Connection can be made with direct cable connection or connection through clutches. Usually, network uses addresses 10.0.0.20 (node 1) and 10.0.0.50 (node 2).
SMS interface
In Secure Email solution's "registered letter" level the receiver can be authenticated. SMS authentication works in a following way. Secure Email identifies the receiver's GSM number from the message, creates an SMS message and sends it to the customer's chosen SMS gateway in the net using e-mail or http(s) interface. Next, customer's SMS gateway sends the message forward to the receiver's mobile phone when the link in the notification message is opened.
Firewall settings
Firewall must allow the required connections. The following table shows requirements for basic installation; rules must be specified.
Connections to Secure Email system (firewall settings)
Table: Firewall settings
| Port | Type | Source | Destination | Protocol/usage |
|---|---|---|---|---|
| 443 | TCP | * | Sec/c | HTTPS |
| 25 | TCP | Mailserver | Sec/c | SMTP, _s messages |
| 25 | TCP | Sec/c | Mailserver | SMTP, reply messages |
| 25 | TCP | Sec/c | * | SMTP, notification emails |
| 53 | TCP/UDP | n1, n2 | Nameservers | DNS |
| 123 | NTP | n1, n2 | NTP servers | NTP |
| 22 | TCP | 195.20.116.101 | n1, n2 | SSH, Reporting & updates, Deltagon maintenance |
| 443 | TCP | Sec/c | * | Deltagon update server, D-Network |
| 443 | TCP | n1, n2 | 193.184.14.150 | Deltagon monitoring |
| 443 | TCP | n1, n2 | 193.184.14.151 | Deltagon update server |
| 80 | TCP | n1, n2 | Centos update servers | CentOS updates |
| 443 | TCP | n1, n2 | Redhat update servers | Redhat updates |
n1 = server 1 n2 = server 2 c= cluster
Monitoring and updates
The Secure Email software has a build-in monitoring agent. This can be used as a part of the support services. The agent will collect information on software's performance and critical processes and reports it to SSH Communications Security Corporation. SSH Communications Security Corporation maintains the monitoring environment which receives and analyses the information sent in by the software agent. The connection between the software agent and the monitoring environment is a secure https connection (port 443).
SSH Communications Security Corporation will also use the chosen connection for the software updates. In addition to the software level monitoring, the operational system level can be monitored with SNMP if wanted.