Secure Relay

Introduction

This guide explains when to use Zivver Secure Relay and how to set it up.

Zivver Secure Relay uses Microsoft Exchange mail flow rules (Server and Online) to implement secure delivery of selected messages.

Implement Secure Relay within your organization to securely deliver messages when:

  1. A specific (word in the) subject is used.
    • When your organization wants employees to be able to send a secure message regardless of the device or application they use to create it. For example, a mail app on a mobile device for which no Zivver client is currently available.
  2. A message and/or an attachment has a certain Sensitivity Label applied.
    • When your organization uses Microsoft’s Sensitivity Labels so that employees can easily stay compliant with your information protection policies.
  3. A specific email address is used as the Sender.
    • When a specific application automatically sends out messages that need to be delivered securely and a fixed email address is used as the Sender (From:).

Requirements

To implement Secure Relay your organization must meet these requirements.

  • Microsoft Exchange (Server or Online) is used when messages need to be securely delivered when:
    • A specific (word in the) subject is used.
    • A specific email address is used as the Sender.
  • Microsoft Exchange Online (Office 365) is used when messages need to be securely delivered when there’s a Sensitivity Label applied.
    • Microsoft’s Sensitivity Labels are only available in Office 365 with certain Microsoft licenses.
  • You do not use a Secure Email Gateway (SEG).
    • Exceptions are:
      • With that SEG, you can configure a connection with smtp.zivver.com through port 25 or 587.
      • This connection is authenticated by either:
        • SMTP credentials.
        • SPF implemented for outbound messages.
  • A different email server.
    • You must configure a connection with smtp.zivver.com via port 25 or 587.
    • This connection is authenticated by either:
      • SMTP credentials.
      • SPF implemented for outbound messages.
  • There must be an active Zivver account for the Sender’s email address (From:).

Limitations

Know these limitations when you use a Secure Relay.

  • Zivver’s Data Loss Protection (DLP) does not apply to messages sent with Zivver Secure Relay. You can only use Zivver’s DLP when sending a message using a Zivver client (integration) or Smart Relay.
  • When a Mail Flow Rule in Microsoft Exchange (or similar functionality in any other email server or Secure Email Gateway) is not set up correctly or is deactivated, the sent message might not be delivered, or might be delivered as a regular email.

Implement Secure Relay in Microsoft Exchange Online

This chapter describes how to implement Secure Relay in Microsoft Exchange Online as part of Office 365. If your organization uses Microsoft Exchange Server, please see the corresponding chapter.

With the implementation of Secure Relay in Microsoft Exchange Online, you can securely deliver messages when:

  • A specific (word in the) subject is used.
  • A message and/or an attachment has a certain Sensitivity Label applied.
  • A specific email address is used as the Sender.

To implement Secure Relay in Microsoft Exchange Online, these changes are necessary:

  • Create a Connector.
  • Create a Rule.

Create a Connector

Secure Relay uses a Connector to submit sent messages to the Zivver SMTP Server.

Before you start creating a connector, please send an email to enterprise@zivver.com to request your domain to be added to the Zivver domain allowlist. This is needed to be able to make a connection from Microsoft Exchange Online to the Zivver SMTP Server.

With Microsoft Exchange, an outbound message can be processed only by one Connector. Therefore, know in advance which Connectors are configured in Microsoft Exchange Online. It might not be possible to implement Secure Relay, if it is required that a different specific Connector also processes the sent messages. If this is the case or if you need help, send your use case to enterprise@zivver.com.

Do these steps to create a Connector in Microsoft Exchange Online:

  1. Go to the Exchange Admin Center.
  2. Click on Mail flow in the menu on the left.
  3. Click on Connectors.
  4. Click on Add a connector.
  5. Select the option Office 365.
  6. Select the option Partner organization.
  7. Click Next.
  8. Enter a name for the connector.
    For example: Zivver Secure Relay.
  9. Click Next.
  10. Select the option Only when I have a transport rule set up that redirects messages to this connector.
  11. Click Next.
  12. Select the option Route email through these smart hosts.
  13. Click Next.
  14. Make sure that the option Always use Transport Layer Security (TLS) to secure the connection (recommended) is enabled.
  15. Make sure that the option Issued by a trusted certificate authority (CA) is enabled.
  16. Click Next.
  17. Enter an email address to validate the connector.
  18. Click Validate.
  19. Once the validation is successful click Next.
  20. Click Create connector.
  21. Click Done.

The connector is created and ready to use.

Create a Rule

With a Mail Flow Rule, you can filter sent messages on:

  • A specific (word in the) subject is used.
  • A message and/or an attachment has a certain Sensitivity Label applied.
  • A specific email address is used as the Sender.

Once a message has been filtered out, it needs to be submitted to the Zivver SMTP Server so that it can be delivered securely to the recipient. Unfiltered messages will be delivered unsecured, as a regular email.

Do these instructions to create a Rule in Microsoft Exchange Online:

  1. Go to the Exchange Admin Center.
  2. Click on Mail flow in the menu on the left.
  3. Click on Rules.
  4. Click on the plus icon.
  5. Click on Create a new rule.
  6. Enter a name.
    For example: Zivver Secure Relay.

Depending on when the message needs to be securely delivered, continue with one of the 3 additional instructions described in the corresponding section.

Additional instruction 1: A specific (word in the) subject is used

  1. Under *Apply this rule if… select The subject or body… and then subject includes any of these words.
  2. Add a word or phrase.
    For example: Secure.
  3. Click on the plus icon.
  4. Click OK.

Continue with the follow-up instructions.

Additional instruction 2: a message has a certain Sensitivity Label applied

Do these additional instructions if the message needs to be delivered securely when the message has a certain Sensitivity Label applied. Make sure that you know the name of the Sensitivity Label you want to filter on.

  1. Do the instructions in this manual from Microsoft on how to connect to Security & Compliance PowerShell.
  2. Run the following cmdlet to get the Guid of the Sensitivity Label you are looking for:
    Get-Label -Identity "Name" | Select-Object Guid
  3. Go back to the Mail Flow Rule in the Exchange Admin Center.
  4. Under *Apply this rule if… select The recipient is located… and then is external/internal and then Outside the organization.
  5. Click OK.
  6. Under *Apply this rule if… select A message header… and then include any of these words.
  7. Click *Enter text….
  8. Enter msip_labels.
  9. Click OK.
  10. Click *Enter words….
  11. Enter MSIP_Labels_Guid_Enabled=True. Replace Guid with the Guid that you’ve retrieved from the PowerShell cmdlet.
  12. Click on the plus icon.
  13. Click OK.

Now continue with the follow-up instructions.

Additional instruction 3: a specific email address is used as the Sender

  1. Under *Apply this rule if… select The sender… and then is this person.
  2. Select the desired sender.
  3. Click add ->.
  4. Click OK.

Now continue with the follow-up instructions.

Follow-up instructions

After you have followed one of the additional instructions, continue with these steps:

  1. Under *Do the following… select Redirect the message to… and then the following connector.
  2. Select the connector that you have created in the previous section.
  3. Click OK.
  4. Enable the option Stop processing more rules.
  5. Enable the option Defer the message if rule processing doesn’t complete.
  6. Click Save.

The rule is created and already enabled. Please make sure that the priority of all existing rules is correct. If the sent message needs to be processed by other rules first, please make sure that the rule created for Secure Relay has a lower priority.

As the rule is already enabled, any outbound message that matches the filter will be submitted to the Zivver SMTP Server. If this is not desirable, please disable the rule and reactivate it at a later moment in time.
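
The Limitations section notes that a misconfigured or deactivated rule can let matching mail leave as regular email, so it is worth checking the connector and rule after creating them. The following audit is an added example, not Zivver's own code; it assumes an existing Connect-ExchangeOnline session, that both objects use the guide's example name Zivver Secure Relay, and that the smart host is the smtp.zivver.com host named under Requirements.

```powershell
# Added example, not Zivver's code. Assumes a Connect-ExchangeOnline session.
$ruleName      = 'Zivver Secure Relay'  # assumption: the guide's example name
$connectorName = 'Zivver Secure Relay'  # assumption: the guide's example name
$smartHost     = 'smtp.zivver.com'      # host named under Requirements
$findings      = [System.Collections.Generic.List[string]]::new()

$connector = Get-OutboundConnector -Identity $connectorName -ErrorAction SilentlyContinue
if (-not $connector) {
    $findings.Add("Connector '$connectorName' not found")
} else {
    $hosts = @($connector.SmartHosts | ForEach-Object { "$_" })
    if (-not $connector.Enabled)               { $findings.Add('Connector is disabled') }
    if (-not $connector.IsTransportRuleScoped) { $findings.Add('Connector is not restricted to transport rules') }
    if ($hosts -notcontains $smartHost)        { $findings.Add("Smart host $smartHost is not configured") }
    # "Issued by a trusted certificate authority" maps to certificate validation or stricter.
    if ("$($connector.TlsSettings)" -notin 'CertificateValidation', 'DomainValidation') {
        $findings.Add("TLS setting '$($connector.TlsSettings)' does not validate the server certificate")
    }
}

$rule = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings.Add("Rule '$ruleName' not found; nothing is redirected to the connector")
} else {
    if ("$($rule.State)" -ne 'Enabled') { $findings.Add('Rule is disabled') }
    if ("$($rule.RouteMessageOutboundConnector)" -ne $connectorName) {
        $findings.Add('Rule does not redirect to the Secure Relay connector')
    }
    if (-not $rule.StopRuleProcessing)          { $findings.Add('Stop processing more rules is off') }
    if ("$($rule.RuleErrorAction)" -ne 'Defer') { $findings.Add('Rule errors are ignored instead of deferring the message') }
    # The guide filters on subject word, sensitivity-label header, or sender.
    $hasFilter = $rule.SubjectContainsWords -or $rule.HeaderContainsMessageHeader -or $rule.From
    if (-not $hasFilter) { $findings.Add('Rule has none of the three filters described in the guide') }
    # Enabled rules with a lower Priority number run first and may stop processing.
    Get-TransportRule |
        Where-Object { "$($_.State)" -eq 'Enabled' -and $_.StopRuleProcessing -and $_.Priority -lt $rule.Priority } |
        ForEach-Object { $findings.Add("Rule '$($_.Name)' runs earlier and stops rule processing") }
}

if ($findings.Count -eq 0) { 'Secure Relay connector and rule match the guide.' } else { $findings }
```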

Implement Secure Relay in Microsoft Exchange Server

This chapter describes how to implement Secure Relay in Microsoft Exchange Server 2013 and higher. If your organization uses Microsoft Exchange Online, please see the corresponding chapter.

To implement Secure Relay in Microsoft Exchange Server the following changes need to be made:

  • Create an Accepted domain.
  • Create a Contact.
  • Create a Mail Flow Rule.
  • Create a Send connector.

Unfortunately Microsoft Exchange Server doesn’t support redirecting a message in a Mail Flow Rule to a specific Connector. For that reason the Accepted Domain and Contact are created. The Mail Flow Rule will redirect the filtered message to the Contact. This Contact has an email address with the Accepted Domain. The Connector is set up to submit any messages for that Contact to the Zivver SMTP Server.

Create an Accepted domain

The first step is to add a fictional domain to Microsoft Exchange Server as an Accepted Domain. This is a placeholder domain that should not refer to any existing domain. In the next section a Contact is created that uses this Accepted Domain.

Do these instructions to create an Accepted Domain in Microsoft Exchange Server:

  1. Go to the Exchange Administrative Center (EAC).
  2. Log into EAC as an administrator.
  3. Go to Mail Flow in the menu on the left.
  4. Go to Accepted domains.
  5. Add a new domain.
  6. Enter a name. For example: Zivver Relay.
  7. Specify the accepted domain. Use zivver.org as the accepted domain.
  8. Select for This accepted domain is the option Authoritative.
  9. Click Save.

The placeholder accepted domain is now created as an Accepted Domain within Exchange.

Create a Contact

The second step is to create a contact in Microsoft Exchange Server. This contact uses the placeholder domain that is created in the previous section. In the next section the Mail Flow Rule will redirect messages that are filtered out to this contact.

Do these instructions to create a Contact in Microsoft Exchange Server:

  1. Go to the Exchange Administrative Center (EAC).
  2. Log into EAC as an administrator.
  3. Go to Recipients in the menu on the left.
  4. Go to Contacts.
  5. Create a new Mail Contact.
  6. Enter a display name. For example: Zivver Relay.
  7. Enter a name. For example: Zivver Relay.
  8. Enter an alias. Use: relay.
  9. Enter the external email address. Use the placeholder domain that was created in the previous section. Use relay@zivver.org as the email address.
  10. Click Save.

The contact person is now created.

Create a Send connector

The third step is to create a Send Connector in Microsoft Exchange Server. Secure Relay uses a Send connector to submit sent messages to the Zivver SMTP Server.

With Microsoft Exchange, only one Send connector can process an outbound message. Therefore, know in advance which Send connectors are set up in Microsoft Exchange Server. It may not be possible to implement Secure Relay, if it is required that another specific Send connector also processes the sent Zivver messages. If this is the case or if you need any help please send your use case to enterprise@zivver.com.

Do these instructions to create a Send connector in Microsoft Exchange Server:

  1. Go to the Exchange Administrative Center (EAC).
  2. Log into EAC as an administrator.
  3. Go to Mail Flow in the menu on the left.
  4. Go to Send connectors.
  5. Add a new connector.
  6. Enter a name. For example: Zivver Relay.
  7. Select for Type either Custom or Partner.
  8. Click Next.
  9. Select the option Route mail through these smart hosts.
  10. Click Add.
  11. Enter smtp.zivver.com.
  12. Click Save.
  13. The added smart host is now shown in the list.
  14. Click Next.
  15. Select for Smart host authentication the option Basic authentication.
  16. Enable the option Offer basic authentication only after starting TLS.
  17. Generate Mail Submission SMTP credentials in the Zivver Organization Settings.
  18. Enter for User name the generated SMTP username.
  19. Enter for Password the generated SMTP password.
  20. Click Next.
  21. Click Add.
  22. Enter for Type SMTP.
  23. Enter for FQDN the fictional domain. Use: zivver.org.
  24. Enter for Cost a 1.
  25. Click Save.
  26. Enable the option Scoped send connector.
  27. Click Next.
  28. Click Add.
  29. Select a server.
  30. Click OK.
  31. Click Finish.

The Send Connector is set up to process all messages that are sent to this placeholder domain.

Create a Mail Flow Rule

The last step is to create a Mail Flow Rule in Microsoft Exchange Server. With a Mail Flow Rule, you can filter sent messages on:

  • A specific (word in the) subject is used.
  • A specific email address is used as the Sender.

Once a message has been filtered out, it will be redirected to the contact that is created in a previous section.

Do these instructions to create a Rule in Microsoft Exchange Server:

  1. Go to the Exchange Administrative Center (EAC).
  2. Log into EAC as an administrator.
  3. Go to Mail Flow in the menu on the left.
  4. Go to Rules.
  5. Create a new rule.
  6. Give the rule a name. For example: Zivver Secure Relay.

Depending on when the message needs to be securely delivered, continue with step 7 or 11.

A specific (word in the) subject is used

  7. Under *Apply this rule if… select The subject or body… and then subject includes any of these words.
  8. Add a word or phrase. For example: Secure.
  9. Click on the plus icon.
  10. Click OK.

Now continue with step 15.

A specific email address is used as the Sender

  11. Under *Apply this rule if… select The sender… and then is this person.
  12. Select the desired sender.
  13. Click add ->.
  14. Click OK.

Now continue with step 15.

  15. Under *Do the following… select Redirect the message to… and then These recipients.
  16. Look up the contact person that was created previously and select it.
  17. Click Add ->.
  18. Click OK.
  19. Select for Choose a mode for this rule the option Enforce.
  20. Enable the option Defer the message if rule processing doesn’t complete. If you enable this option, a message will not leave Exchange until the message has been checked by this rule. If for any reason Exchange temporarily does not check messages for this rule, processing these messages will be paused.
  21. Click Save.

The Mail Flow Rule is now set. Please make sure that the priority of all existing rules is correct. If the sent message needs to be processed by other rules first, please make sure that the rule created for Secure Relay has a lower priority.

Any outbound message that matches the filter will be submitted to the Zivver SMTP Server. If this is not desirable, please do not activate the rule yet.
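
The four Exchange Server objects above can also be created from the Exchange Management Shell, which makes the link between placeholder domain, contact, connector and rule explicit and reviewable. This is an added example, not Zivver's own script; the object names follow the guide's examples, while the server name EXCH01 and the choice to create the rule disabled are assumptions.

```powershell
# Added example for the Exchange Management Shell (Exchange Server 2013 and higher).
$placeholderDomain = 'zivver.org'                 # placeholder domain used in this guide
$relayAddress      = "relay@$placeholderDomain"   # contact address used in this guide
$transportServer   = 'EXCH01'                     # hypothetical server name, replace with yours

# Accepted domain: authoritative placeholder that the contact's address lives in.
New-AcceptedDomain -Name 'Zivver Relay' -DomainName $placeholderDomain -DomainType Authoritative

# Mail contact that the Mail Flow Rule redirects filtered messages to.
New-MailContact -Name 'Zivver Relay' -DisplayName 'Zivver Relay' -Alias 'relay' `
    -ExternalEmailAddress $relayAddress

# Send connector: scoped to the placeholder domain (cost 1), smart host with
# basic authentication that is offered only after TLS has started.
$smtpCredential = Get-Credential -Message 'Mail Submission SMTP credentials from the Zivver Organization Settings'
New-SendConnector -Name 'Zivver Relay' -Custom `
    -AddressSpaces "SMTP:$placeholderDomain;1" `
    -IsScopedConnector $true `
    -DNSRoutingEnabled $false `
    -SmartHosts 'smtp.zivver.com' `
    -SmartHostAuthMechanism BasicAuthRequireTLS `
    -AuthenticationCredential $smtpCredential `
    -SourceTransportServers $transportServer

# Mail Flow Rule: subject filter shown here; use -From <address> for the sender variant.
# Created disabled (assumption) so that rule priorities can be reviewed first.
New-TransportRule -Name 'Zivver Secure Relay' `
    -SubjectContainsWords 'Secure' `
    -RedirectMessageTo $relayAddress `
    -Mode Enforce `
    -RuleErrorAction Defer `
    -Enabled $false

# Review the result, then activate the rule when ready.
Get-SendConnector -Identity 'Zivver Relay' |
    Format-List AddressSpaces, SmartHosts, SmartHostAuthMechanism, IsScopedConnector
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode
# Enable-TransportRule -Identity 'Zivver Secure Relay'
```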
