Smart Email Gateway

Introduction

This guide explains when to use Zivver’s Smart Email Gateway and how to set it up.

Zivver’s Smart Email Gateway allows you to securely send messages from any mail client, browser or device. There’s no Zivver client or integration needed to do so.

Implement Zivver’s Smart Email Gateway within your organization to allow employees to securely send messages:

  1. From a mail client on a mobile device for which there’s no Zivver client or integration available.
    • Such as Apple’s Mail App, Google’s Gmail App or BlackBerry Work.
  2. On whatever device they would like.
    • This supports Bring Your Own Device (BYOD) scenarios and limits the need for the IT department to restrict and support only specific mail clients on specific devices.
  3. That are processed by your own email server.
    • This allows your organization’s email server to process the outbound message to add dynamic signatures, archive the message or make it available for eDiscovery.

Requirements

To implement Zivver’s Smart Email Gateway your organization must meet the following requirements.

  • Outbound messages need to be relayed from your organization’s email server to Zivver’s SMTP Gateway to make use of Zivver’s Smart Email Gateway.
  • Connect your organization’s email server to Zivver’s SMTP Gateway:
    • Smart host: smtp.zivver.com.
    • Port: 25 or 587.
    • Security: TLS 1.2 with STARTTLS.
    • Authentication: done by either:
      • Providing SMTP credentials.
      • Having SPF implemented for outbound messages.
  • There must be a Zivver account for the Sender’s email address (From:).
  • The Zivver DNS Settings need to be implemented to allow Zivver to send messages on behalf of the domain(s) that your organization uses to send messages from.
  • There’s no other third-party Secure Email Gateway (SEG) used, unless it allows outbound messages to be relayed to Zivver’s SMTP Gateway. As such, Zivver’s Smart Email Gateway will be the last “hop” before the message is delivered to the Recipient.

Limitations

Please be aware of the following known limitations when using Zivver’s Smart Email Gateway.

  • It is possible to use a Zivver Client (such as the Zivver Office Plugin for Microsoft Outlook for desktop) while using Zivver’s Smart Email Gateway at the same time. When Zivver’s Smart Email Gateway processes a message that is sent with a Zivver client, it will not be classified a second time, because the message is classified when it is created. The Sender has already been notified by the Zivver client about possible sensitive information in the message and/or attachments.
  • After classifying the outbound message Zivver’s Smart Email Gateway can’t relay the message back to your organization’s email server. The purpose of Zivver’s Smart Email Gateway is that the message is delivered securely to the Recipient in accordance with your company’s policy.
  • The original Sender will receive a reply securely via Zivver only when the Recipient receives a notification message and replies within the Zivver Guest Portal. If the Recipient replies to a message delivered by Zivver via an alternative delivery method, it depends on the replying email server how that reply is secured.
  • A reply by the original Sender to a reply received from the Recipient will cause a new Zivver conversation to be created.

Implement Zivver Smart Email Gateway

Zivver’s Smart Email Gateway is implemented in your organization’s email server or Secure Email Gateway (SEG). This allows your email server or SEG to process the outbound message. The benefit of this is that your email server or SEG can for example add a dynamic signature to the message or archive the message, before the message is handed over to Zivver.

To make use of Zivver’s Smart Email Gateway the outbound message is submitted to Zivver’s SMTP Gateway.

Connect to Zivver’s SMTP Gateway

Connect your organization’s email server or Secure Email Gateway (SEG) to Zivver’s SMTP Gateway by using the following specifications:

  • Smart host: smtp.zivver.com.
  • Port: 25 or 587.
  • Security: TLS 1.2 with STARTTLS.
  • Authentication: done by either:
    • Providing SMTP credentials that are generated by a Zivver Admin in the Zivver Admin Panel.
    • Having SPF implemented for outbound messages. The Zivver SMTP Gateway will check if SPF passes and also verifies that the domain in the From header is allowed to submit messages.

Customize which outbound messages are submitted

Your organization can decide which outbound messages are handled by Zivver’s Smart Email Gateway and which ones are not. For example, messages sent to certain domains can be excluded from submission to the Zivver SMTP Gateway.

Please check the documentation of your email server or Secure Email Gateway (SEG) to see what is possible and how to filter out those sent messages, or see the manual about Zivver’s Custom Relay for more information on how to filter out messages.

Specify preferred delivery method

For messages that are processed by Zivver’s Secure Email Gateway you can specify which of the following is the preferred delivery method:

  • Notification message (default).
    • This is the default delivery method. The Recipient receives a notification message, which allows the Recipient to read the message in the Guest Portal.
  • Enforced TLS v1.2 (or higher) and a certificate that is issued by a certificate authority (CA).
    • Zivver will check if the receiving email server supports the specified level of transport security (or higher). If not, Zivver will deliver a notification message instead.
  • Best effort transport security.
    • Zivver will check which level of transport security the receiving email server supports and will use that level to deliver the message.

Set a delivery method

For each message processed by Zivver’s Secure Email Gateway the delivery method can be set. The table below shows which delivery method is used, depending on the situation.

Delivery method set? | Receiving email server supports delivery method? | Delivery method used
Yes                  | Yes                                              | The specified level of transport security
Yes                  | No                                               | Notification message
No                   | n/a                                              | Notification message
Wrongly set up       | n/a                                              | Notification message

A delivery method is set by using a custom mail header: X-Zivver-MinimumTransportSecurity

The possible values are:

  • PKIX
    • Zivver will check if the receiving email server supports TLS v1.2 (or higher) and uses a certificate issued by a certificate authority (CA).
  • NONE
    • Zivver will check which level of transport security the receiving email server supports and will use that level to deliver the message.
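
The following Python sketch is an added example, not Zivver's own code. It sets the header on an outbound message, rejects values that the table above would silently downgrade to a notification message, and relays through the smart host with TLS 1.2 as the minimum. The environment variable names and the exact, case-sensitive matching of header values are assumptions.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

SMART_HOST, PORT = "smtp.zivver.com", 587           # values from this page
HEADER = "X-Zivver-MinimumTransportSecurity"        # header name from this page
ALLOWED = ("PKIX", "NONE")                          # values from this page


def build_message(sender, recipient, subject, body, min_transport=None):
    """Build a message; reject a header value the page does not list."""
    if min_transport is not None and min_transport not in ALLOWED:
        # Assumption: values are matched exactly as written on the page.
        raise ValueError(f"{HEADER} must be one of {ALLOWED}, got {min_transport!r}")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    if min_transport is not None:
        msg[HEADER] = min_transport
    msg.set_content(body)
    return msg


def expected_delivery(header_value, receiver_supports_level):
    """Mirror the page's decision table for one message."""
    if header_value not in ALLOWED:          # header missing or wrongly set up
        return "notification message"
    if receiver_supports_level:
        return "specified transport security"
    return "notification message"


def tls_context():
    """Client context that verifies the gateway certificate and refuses < TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def submit(msg):
    """Relay one message via STARTTLS with SMTP credentials (not run on import)."""
    with smtplib.SMTP(SMART_HOST, PORT, timeout=30) as smtp:
        smtp.starttls(context=tls_context())
        # Hypothetical environment variable names for the Admin Panel credentials.
        smtp.login(os.environ["ZIVVER_SMTP_USER"], os.environ["ZIVVER_SMTP_PASS"])
        smtp.send_message(msg)
```

Validating the value before submission matters because a wrongly set header is not rejected by the gateway; the message is delivered as a notification message instead.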

Available verification methods for a notification message

When a notification message is delivered, Zivver’s Smart Email Gateway automatically applies one of the following verification methods to verify the Recipient. This is done in the following order of priority:

  • Zivver account.
    • This method is automatically applied if the Recipient has its own Zivver account, which is protected with 2FA.
  • NTA7516 verification.
    • This method is automatically applied when both the Sender and the Recipient meet the requirements of the NTA7516 and have made clear to the world that they can send and receive secure messages in accordance with the NTA7516.
  • The verification method specified in the message.
    • The verification method can be specified in the header or the body of the message and can be set to either SMS verification or an Access Code. The Recipient can read the secured message after entering the SMS code or Access Code.
  • A previously used SMS verification shared within your organization.
    • Either the Sender or someone else within your Zivver organization could have used a shared SMS verification before for this specific Recipient. If the Recipient successfully opened that message, the same SMS verification can automatically be applied to this new message to the same Recipient.
  • A previously used Access Code shared within your organization.
    • Either the Sender or someone else within your Zivver organization could have used a shared Access Code before for this specific Recipient. If the Recipient successfully opened that message, the same Access Code can automatically be applied to this new message to the same Recipient.
  • Email verification.
    • The Recipient needs to verify its email address to be able to read the message. This is an extra level of security to prevent someone other than the Recipient from reading the message, in case the notification message is forwarded to someone else.

Enforced 2FA

If your organization has enforced 2FA for Zivver notification messages, then Zivver’s Smart Email Gateway will only automatically apply the following verification methods:

  • Zivver account.
    • This method is automatically applied if the Recipient has its own Zivver account, which is protected with 2FA.
  • NTA7516 verification.
    • This method is automatically applied when both the Sender and the Recipient meet the requirements of the NTA7516 and have made clear to the world that they can send and receive secure messages in accordance with the NTA7516.
  • SMS verification.
    • This method is automatically applied if the mobile phone number of the Recipient is provided in either the header or the body of the message.
    • This method is also automatically applied if either the Sender or someone else within your Zivver organization has used a shared SMS verification before for this specific Recipient. If the Recipient successfully opened that message, the same SMS verification can automatically be applied to this new message to the same Recipient.

If the Recipient doesn’t have a Zivver account and the Sender and Recipient are not both NTA7516 compliant, Zivver’s Smart Email Gateway will send the message with SMS verification. This requires a valid mobile phone number. If SMS verification can’t be applied automatically, Zivver informs the Sender that the message has not been sent yet and asks the Sender to provide a (valid) mobile phone number for the Recipient.

To do so the Sender can use the link provided in that email. This link will bring the Sender to the corresponding Zivver Conversation in the Zivver Webapp. The Sender can now enter a (valid) mobile phone number for the Recipient to be able to securely receive the message. The (body of the) message itself can’t be changed.
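
The priority order and the enforced 2FA rules above can be modelled as a small decision function. This is an added example, not Zivver's implementation; the field names and the sample recipients are constructed. It shows which recipients would have their messages held once 2FA is enforced.

```python
from dataclasses import dataclass
from typing import Optional

HELD = "held: Sender must add a mobile number"


@dataclass
class Recipient:
    """Facts the gateway is described as checking (field names are hypothetical)."""
    address: str
    has_zivver_account: bool = False
    nta7516_both_sides: bool = False          # Sender and Recipient both comply
    specified: Optional[str] = None           # "sms" or "access_code" in the message
    shared_sms_before: bool = False           # shared SMS verification used earlier
    shared_access_code_before: bool = False   # shared Access Code used earlier


def select_verification(r: Recipient, enforced_2fa: bool = False) -> str:
    """Walk the page's priority order and return the first method that applies."""
    if r.has_zivver_account:
        return "zivver_account"
    if r.nta7516_both_sides:
        return "nta7516"
    if enforced_2fa:
        # Only SMS remains; Access Code and email verification are not applied.
        if r.specified == "sms" or r.shared_sms_before:
            return "sms"
        return HELD
    if r.specified in ("sms", "access_code"):
        return r.specified
    if r.shared_sms_before:
        return "sms"
    if r.shared_access_code_before:
        return "access_code"
    return "email"


def held_under_2fa(recipients):
    """Addresses whose messages would wait for the Sender once 2FA is enforced."""
    return [r.address for r in recipients if select_verification(r, True) == HELD]


# Constructed sample recipients.
SAMPLE = [
    Recipient("a@example.org", has_zivver_account=True),
    Recipient("b@example.org", specified="access_code"),
    Recipient("c@example.org", shared_sms_before=True),
    Recipient("d@example.org"),
]
```

Running `held_under_2fa` over regular recipients before enforcing 2FA shows which Senders will be asked for a mobile number, including recipients that currently rely on an Access Code.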

How large attachments are handled

Large (>10 MB) attachments can’t always be added directly to the message, as the receiving email server might not support larger attachments. That is why it depends on the delivery method how any large (>10 MB) attachment is available for the Recipient:

  • Notification message (default).
    • The Recipient reads the message in the Guest Portal and any additional attachments are downloadable from the message.
  • Enforced TLS v1.2 (or higher) and no self-signed PKIX certificate.
    • Attachments under 10 MB are directly attached to the message. Attachments over 10 MB are added to the message as a download link.
  • Best effort transport security.
    • Attachments under 10 MB are directly attached to the message. Attachments over 10 MB are added to the message as a download link.
