Custom SMTP Relay

Introduction

This guide explains when to use Zivver’s Custom Relay and how to set it up.

A Custom Relay uses functionality provided by Microsoft Exchange (On-premise and Online) to deliver selected messages securely.

Implement a Custom Relay within your organization to securely deliver messages when:

  1. A specific (word in the) subject is used.
    • When your organization wants employees to be able to send a secure message regardless of the device or application used to create it. For example, a mail app on a mobile device for which there is currently no Zivver Client available.
  2. A message and/or an attachment has a certain Sensitivity Label applied.
    • When your organization uses Microsoft’s Sensitivity Labels to allow employees to easily stay compliant with your organization’s information protection policies.
  3. A specific email address is used as the Sender.
    • When a specific application automatically sends out messages that need to be delivered securely and a fixed email address is used as the Sender (From:).

Requirements

To implement a Custom Relay your organization must meet the following requirements.

  • Microsoft Exchange (On-premise or Online) is used when messages need to be securely delivered when:
    • A specific (word in the) subject is used.
    • A specific email address is used as the Sender.
  • Microsoft Exchange Online (Office 365) is used when messages need to be securely delivered when there’s a Sensitivity Label applied.
    • Microsoft’s Sensitivity Labels are only available in Office 365 with the right compliance license.
  • There’s no Secure Email Gateway (SEG) used.
    • Unless the SEG allows you to:
      • Set up a connection with smtp.zivver.com via port 25 or 587.
      • This connection is authenticated by either:
        • Providing SMTP credentials.
        • Having SPF implemented for outbound messages.
  • Any other email server is used that allows you to:
    • Set up a connection with smtp.zivver.com via port 25 or 587.
    • This connection is authenticated by either:
      • Providing SMTP credentials.
      • Having SPF implemented for outbound messages.

Limitations

Please be aware of the following known limitations when using a Custom Relay.

  • Zivver’s Data Loss Protection (DLP) does not apply to messages sent with Zivver’s Custom Relay. You can only use Zivver’s DLP when sending a message using a Zivver Client.
  • When a Mail Flow Rule in Microsoft Exchange (or similar functionality in any other email server or Secure Email Gateway) is not set up correctly or is deactivated, the sent message might not be delivered, or might be delivered as a regular (unsecure) email.

Implement a Custom Relay in Microsoft Exchange Online

This chapter describes how to implement a Custom Relay in Microsoft Exchange Online as part of Office 365. If your organization uses Microsoft Exchange On-premise please see the corresponding chapter.

Implementing a Custom Relay in Microsoft Exchange Online allows you to securely deliver messages when:

  • A specific (word in the) subject is used.
  • A message and/or an attachment has a certain Sensitivity Label applied.
  • A specific email address is used as the Sender.

To implement a Custom Relay in Microsoft Exchange Online the following changes need to be made:

  • Create a Connector.
  • Create a Rule.

Create a Connector

A Custom Relay uses a Connector to submit sent messages to the Zivver SMTP Server.

Before you start creating a connector, please send an email to enterprise@zivver.com to request your domain to be added to the so-called Zivver SPF allowlist. This is needed to be able to make a connection from Microsoft Exchange Online to the Zivver SMTP Server.

Microsoft Exchange only allows an outbound message to be processed by one Connector. Therefore, check in advance which Connectors are set up in Microsoft Exchange Online. It may not be possible to implement a Custom Relay, if it is required that another specific Connector also processes the sent messages. If this is the case or if you need any help please send your use case to enterprise@zivver.com.

Follow the instructions below to create a Connector in Microsoft Exchange Online:

  1. Go to the Exchange Admin Center.
  2. Click on Mail flow in the menu on the left.
  3. Click on Connectors.
  4. Click on Add a connector.
  5. Select the option Office 365.
  6. Select the option Partner organization.
  7. Click Next.
  8. Enter a name for the connector.
    For example: Zivver Custom Relay.
  9. Click Next.
  10. Select the option Only when I have a transport rule set up that redirects messages to this connector.
  11. Click Next.
  12. Select the option Route email through these smart hosts.
  13. Click Next.
  14. Make sure that the option Always use Transport Layer Security (TLS) to secure the connection (recommended) is enabled.
  15. Make sure that the option Issued by a trusted certificate authority (CA) is enabled.
  16. Click Next.
  17. Enter an email address to validate the connector.
  18. Click Validate.
  19. Once the validation is successful click Next.
  20. Click Create connector.
  21. Click Done.

The connector is created and ready to use.

Create a Rule

A Mail Flow Rule allows you to filter sent messages on:

  • A specific (word in the) subject is used.
  • A message and/or an attachment has a certain Sensitivity Label applied.
  • A specific email address is used as the Sender.

Once a message has been filtered out, it needs to be submitted to the Zivver SMTP Server so that it can be delivered securely to the recipient. Unfiltered messages will be delivered unsecured, as regular email.

Follow the instructions below to create a Rule in Microsoft Exchange Online:

  1. Go to the Exchange Admin Center.
  2. Click on Mail flow in the menu on the left.
  3. Click on Rules.
  4. Click on the plus icon.
  5. Click on Create a new rule.
  6. Enter a name.
    For example: Zivver Custom Relay.

Depending on when the message needs to be securely delivered, continue with one of the 3 additional instructions described in the corresponding section.

Additional instruction 1: A specific (word in the) subject is used

  1. Under *Apply this rule if… select The subject or body… and then subject includes any of these words.
  2. Add a word or phrase.
    For example: Secure.
  3. Click on the plus icon.
  4. Click OK.

Now continue with the follow up instructions.

Additional instruction 2: a message has a certain Sensitivity Label applied

Follow these additional instructions if the message needs to be delivered securely when the message has a certain Sensitivity Label applied. Make sure that you know the name of the Sensitivity Label you want to filter on.

  1. Follow the instructions in this manual from Microsoft on how to connect to Security & Compliance PowerShell.
  2. Run the following cmdlet to get the Guid of the Sensitivity Label you are looking for:
    Get-Label -Identity "Name" | Select-Object Guid
  3. Go back to the Mail Flow Rule in the Exchange Admin Center.
  4. Under *Apply this rule if… select The recipient is located… and then is external/internal and then Outside the organization.
  5. Click OK.
  6. Under *Apply this rule if… select A message header… and then include any of these words.
  7. Click *Enter text….
  8. Enter msip_labels.
  9. Click OK.
  10. Click *Enter words….
  11. Enter MSIP_Labels_Guid_Enabled=True. Replace Guid with the Guid that you’ve retrieved from the PowerShell cmdlet.
  12. Click on the plus icon.
  13. Click OK.

Now continue with the follow up instructions.

Additional instruction 3: a specific email address is used as the Sender

  1. Under *Apply this rule if… select The sender… and then is this person.
  2. Select the desired sender.
  3. Click add ->.
  4. Click OK.

Now continue with the follow up instructions.

Follow up instructions

After you have followed one of the additional instructions, continue with these steps:

  1. Under *Do the following… select Redirect the message to… and then the following connector.
  2. Select the connector that you have created in the previous section.
  3. Click OK.
  4. Enable the option Defer the message if rule processing doesn’t complete.
  5. Click Save.

The rule is created and already enabled. Please make sure that the priority of all existing rules is correct. If the sent message needs to be processed by other rules first, please make sure that the rule created for the Custom Relay has a lower priority.

As the rule is already enabled, any outbound message that matches the filter will be submitted to the Zivver SMTP Server. If this is not desirable, please disable the rule and reactivate it at a later moment in time.
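
The Limitations section notes that a misconfigured or deactivated rule can let matching messages leave as regular email. The check below is an added example, not part of Zivver's documentation; it assumes an open Exchange Online PowerShell session and that the rule and the connector both use the example name Zivver Custom Relay.

```powershell
# Added example: audit the Exchange Online rule and connector for the
# fail-open conditions listed under Limitations.
# Assumptions: an Exchange Online PowerShell session is open, and the rule and
# connector both use the example name from this guide.
$name     = 'Zivver Custom Relay'
$findings = @()

$rule = Get-TransportRule -Identity $name -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings += "Rule '$name' not found."
} else {
    if ("$($rule.State)" -ne 'Enabled') { $findings += 'Rule is disabled.' }
    if ("$($rule.Mode)" -ne 'Enforce')  { $findings += "Rule mode is $($rule.Mode), not Enforce." }
    if ("$($rule.RuleErrorAction)" -ne 'Defer') {
        $findings += 'Rule does not defer the message when rule processing fails.'
    }
    if ("$($rule.RouteMessageOutboundConnector)" -ne $name) {
        $findings += 'Rule does not redirect to the Custom Relay connector.'
    }
    # A rule that runs earlier (smaller Priority value) and stops rule
    # processing can keep the relay rule from being evaluated; list for review.
    Get-TransportRule |
        Where-Object { $_.Priority -lt $rule.Priority -and $_.StopRuleProcessing -and "$($_.State)" -eq 'Enabled' } |
        ForEach-Object { $findings += "Review earlier rule '$($_.Name)': it stops rule processing." }
}

$conn = Get-OutboundConnector -Identity $name -ErrorAction SilentlyContinue
if (-not $conn) {
    $findings += "Connector '$name' not found."
} else {
    if (-not $conn.Enabled) { $findings += 'Connector is disabled.' }
    if (-not $conn.IsTransportRuleScoped) {
        $findings += 'Connector is not restricted to transport-rule redirection.'
    }
    if ("$($conn.TlsSettings)" -notin 'CertificateValidation', 'DomainValidation') {
        $findings += "Connector TLS setting is '$($conn.TlsSettings)'; CA validation is not enforced."
    }
    if (($conn.SmartHosts -join ',') -notmatch 'smtp\.zivver\.com') {
        $findings += 'Connector smart host is not smtp.zivver.com.'
    }
}

if ($findings.Count -eq 0) {
    'Custom Relay rule and connector look consistent.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```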

Implement a Custom Relay in Microsoft Exchange On-premise

This chapter describes how to implement a Custom Relay in Microsoft Exchange On-premise 2013 and higher. If your organization uses Microsoft Exchange Online please see the corresponding chapter.

To implement a Custom Relay in Microsoft Exchange On-premise the following changes need to be made:

  • Create an Accepted domain.
  • Create a Contact.
  • Create a Mail Flow Rule.
  • Create a Send connector.

Unfortunately Microsoft Exchange On-premise doesn’t support redirecting a message in a Mail Flow Rule to a specific Connector. For that reason the Accepted Domain and Contact are created. The Mail Flow Rule will redirect the filtered message to the Contact. This Contact has an email address with the Accepted Domain. The Connector is set up to submit any messages for that Accepted Domain to the Zivver SMTP Server.

Create an Accepted domain

The first step is to add a fictional domain to Microsoft Exchange On-premise as an Accepted Domain. This is a placeholder domain that should not refer to any existing domain. In the next section a Contact is created that uses this Accepted Domain.

Follow the instructions below to create an Accepted Domain in Microsoft Exchange On-premise:

  1. Go to the Exchange Administrative Center (EAC).
  2. Log into EAC as an administrator.
  3. Go to Mail Flow in the menu on the left.
  4. Go to Accepted domains.
  5. Add a new domain.
  6. Enter a name. For example: Zivver’s Custom Relay.
  7. Specify the accepted domain. For example: zivver.org.
  8. Select for This accepted domain is the option Authoritative.
  9. Click Save.

The placeholder accepted domain is now created as an Accepted Domain within Exchange.

Create a Contact

The second step is to create a contact in Microsoft Exchange On-premise. This contact uses the placeholder domain that is created in the previous section. In the next section the Mail Flow Rule will redirect messages that are filtered out to this contact.

Follow the instructions below to create a Contact in Microsoft Exchange On-premise:

  1. Go to the Exchange Administrative Center (EAC).
  2. Log into EAC as an administrator.
  3. Go to Recipients in the menu on the left.
  4. Go to Contacts.
  5. Create a new Mail Contact.
  6. Enter a display name. For example: Zivver Custom Relay.
  7. Enter a name. For example: Zivver Custom Relay.
  8. Enter an alias. For example: relay.
  9. Enter the external email address. Use the placeholder domain that was created in the previous section. For example: relay@zivver.org.
  10. Click Save.

The contact person is now created.

Create a Send connector

The third step is to create a Send Connector in Microsoft Exchange On-premise. The Custom Relay uses a Send connector to submit sent messages to the Zivver SMTP Server.

Microsoft Exchange only allows an outbound message to be processed by one Send connector. Therefore, check in advance which Send connectors are set up in Microsoft Exchange On-premise. It may not be possible to implement a Custom Relay, if it is required that another specific Send connector also processes the sent Zivver messages. If this is the case or if you need any help please send your use case to enterprise@zivver.com.

Follow the instructions below to create a Send connector in Microsoft Exchange On-premise:

  1. Go to the Exchange Administrative Center (EAC).
  2. Log into EAC as an administrator.
  3. Go to Mail Flow in the menu on the left.
  4. Go to Send connectors.
  5. Add a new connector.
  6. Enter a name. For example: Zivver Custom Relay.
  7. Select for Type either Custom or Partner.
  8. Click Next.
  9. Select the option Route mail through these smart hosts.
  10. Click Add.
  11. Enter smtp.zivver.com.
  12. Click Save.
  13. The added smart host is now shown in the list.
  14. Click Next.
  15. Select for Smart host authentication the option Basic authentication.
  16. Enable the option Offer basic authentication only after starting TLS.
  17. Generate Mail Submission SMTP credentials in the Zivver Organization Settings.
  18. Enter for User name the generated SMTP username.
  19. Enter for Password the generated SMTP password.
  20. Click Next.
  21. Click Add.
  22. Enter for Type SMTP.
  23. Enter for FQDN the fictional domain. For example: zivver.org.
  24. Enter for Cost a 1.
  25. Click Save.
  26. Enable the option Scoped send connector.
  27. Click Next.
  28. Click Add.
  29. Select a server.
  30. Click OK.
  31. Click Finish.

The Send Connector is set up to process all messages that are sent to this placeholder domain.

Create a Mail Flow Rule

The last step is to create a Mail Flow Rule in Microsoft Exchange On-premise. A Mail Flow Rule allows you to filter sent messages on:

  • A specific (word in the) subject is used.
  • A specific email address is used as the Sender.

Once a message has been filtered out, it will be redirected to the contact that is created in a previous section.

Follow the instructions below to create a Rule in Microsoft Exchange On-premise:

  1. Go to the Exchange Administrative Center (EAC).
  2. Log into EAC as an administrator.
  3. Go to Mail Flow in the menu on the left.
  4. Go to Rules.
  5. Create a new rule.
  6. Give the rule a name. For example: Zivver Custom Relay.

Depending on when the message needs to be securely delivered, continue with step 7 or 11.

A specific (word in the) subject is used

  7. Under *Apply this rule if… select The subject or body… and then subject includes any of these words.
  8. Add a word or phrase. For example: Secure.
  9. Click on the plus icon.
  10. Click OK.

Now continue with step 15.

A specific email address is used as the Sender

  11. Under *Apply this rule if… select The sender… and then is this person.
  12. Select the desired sender.
  13. Click add ->.
  14. Click OK.

Now continue with step 15.

  15. Under *Do the following… select Redirect the message to… and then These recipients.
  16. Look up the contact person that was created previously and select it.
  17. Click Add ->.
  18. Click OK.
  19. Click add action.
  20. Choose Modify the message properties … > set a message header.
  21. Click the first Enter text … link.
  22. Enter x-zivver-ignore-smtp-recipients.
  23. Click OK.
  24. Click the second Enter text … link.
  25. Enter true.
  26. Click OK.
  27. Select for Choose a mode for this rule the option Enforce.
  28. Enable the option Defer the message if rule processing doesn’t complete. If you enable this option, a message will not leave Exchange until the message has been checked by this rule. If for any reason Exchange temporarily does not check messages for this rule, processing these messages will be paused.
  29. Click Save.

The Mail Flow Rule is now set. Please make sure that the priority of all existing rules is correct. If the sent message needs to be processed by other rules first, please make sure that the rule created for the Custom Relay has a lower priority.

Any outbound message that matches the filter will be submitted to the Zivver SMTP Server. If this is not desirable, please do not activate the rule yet.
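
The on-premise relay only works when the Accepted domain, Contact, Send connector and Mail Flow Rule reference each other as described at the start of this chapter. The check below is an added example, not part of Zivver's documentation; it assumes the Exchange Management Shell and the example values zivver.org, relay@zivver.org and Zivver Custom Relay used in the steps above.

```powershell
# Added example: verify that the four on-premise objects reference each other.
# Assumptions: run in the Exchange Management Shell; the values below are the
# example names from this guide and must be replaced with your own.
$domain   = 'zivver.org'
$contact  = 'relay@zivver.org'
$name     = 'Zivver Custom Relay'
$findings = @()

$ad = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $domain }
if (-not $ad) {
    $findings += "Accepted domain $domain is missing."
} elseif ("$($ad.DomainType)" -ne 'Authoritative') {
    $findings += 'Accepted domain is not Authoritative.'
}

$mc = Get-MailContact -Identity $contact -ErrorAction SilentlyContinue
if (-not $mc) {
    $findings += "Mail contact $contact is missing."
} elseif ("$($mc.ExternalEmailAddress)" -notlike "*@$domain") {
    $findings += 'Contact address does not use the placeholder domain.'
}

$sc = Get-SendConnector -Identity $name -ErrorAction SilentlyContinue
if (-not $sc) {
    $findings += "Send connector '$name' is missing."
} else {
    # Address spaces render as strings such as SMTP:zivver.org;1
    $spaces = ($sc.AddressSpaces | ForEach-Object { "$_" }) -join ','
    if (-not $sc.Enabled) { $findings += 'Send connector is disabled.' }
    if ($spaces -notlike "*$domain*") { $findings += "Send connector has no address space for $domain." }
    if (($sc.SmartHosts -join ',') -notmatch 'smtp\.zivver\.com') { $findings += 'Smart host is not smtp.zivver.com.' }
    if ("$($sc.SmartHostAuthMechanism)" -ne 'BasicAuthRequireTLS') {
        $findings += 'Smart host authentication is not basic authentication after starting TLS.'
    }
}

$rule = Get-TransportRule -Identity $name -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings += "Mail flow rule '$name' is missing."
} else {
    if ("$($rule.State)" -ne 'Enabled' -or "$($rule.Mode)" -ne 'Enforce') { $findings += 'Rule is not enabled in Enforce mode.' }
    # Assumption: RedirectMessageTo lists the contact by its SMTP address.
    if (($rule.RedirectMessageTo -join ',') -notlike "*$contact*") { $findings += 'Rule does not redirect to the relay contact.' }
    if ("$($rule.SetHeaderName)" -ne 'x-zivver-ignore-smtp-recipients' -or "$($rule.SetHeaderValue)" -ne 'true') {
        $findings += 'Rule does not set x-zivver-ignore-smtp-recipients to true.'
    }
}
if ($findings.Count -eq 0) { 'Custom Relay chain is consistent.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```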
