How to use Ciphermal only for content scanning

Hello Everyone,

My name is Thomas, and my job involves providing and managing our Linux servers and their applications, with a focus on DevOps (Docker, Microservices, etc.). For several years now, I’ve been using Ciphermail in the Community Version (Appliance) among my colleagues, and we are generally very pleased with the solution.

Setting up components like Postfix, Dovecot, or Fetchmail is not a big deal. So far, I’ve always had the Ciphermail Appliance behind our mail server, acting as a smarthost, and the Appliance in turn has forwarded it to the actual smarthost.

What I’d like to achieve now is for our mail server (Postfix) at to send mails directly to our smarthost, and Fetchmail to pick up the mails and deliver them to our Postfix, but only use the Ciphermail Gateway as a content scanner.

So every mail that comes in on my should be encrypted and decrypted through Ciphermail and nothing else. The Appliance itself should not send mails.

Unfortunately, I can’t really find a guide for this, even though the Ciphermail documentation is quite good. The configuration should be very similar to how it is set up on the Ciphermail Appliance itself, but on a different Postfix.

Im guessing that I have to set my to something like this:

content_filter = scan:[IP_der_Ciphermail_Appliance]:Port

and like this:

scan      unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_enforce_tls=yes
    -o smtp_tls_note_starttls_offer=yes

But Im not certain if this will be enough. I am just planning and have not yet a ready configuration.

Greetings tom

The Appliance itself should not send mails

What do you mean with “not send mails”?

Do you mean not send emails at all or not to external recipients?

ciphermail appliance should only encrypt and decrypt my mail.

I have included a highly professional photo for this purpose ;=)

Thanks for your time martijn

The long story:
Martijn, to provide you with a bit more background information:
I have, in fact, installed a Dovecot on the Appliance (Ciphermail), and configured everything in such a way that I can connect Outlook Clients to it, enabling them to send emails through the Appliance . Incoming mails are handled by fetchmail.( this version is not the version you see on the photo!)
This setup works wonderfully, but it was quite an extensive configuration endeavor. I had to significantly modify the Postfix on the Appliance so that it would deliver mails locally, etc., and I thought that it might be better to leave the Ciphermail Appliance nearly untouched (just handling the domain (internal), root certificates, mail certificates, etc.) and configure postfix on my machine to deliver locally. But I would still use the Ciphermail Appliance as an encryption and decryption gateway, or content scanner, or whatever you’d like to call it, handling S/MIME only. ( this is the version on the photo now ).

And that’s why I’d like to know what I need to do on my Postfix to ensure that every incoming or outgoing email is briefly sent to the Ciphermail Appliance for either decryption or encryption of the mails.
Whew, that was a lot of words, sorry, but I hope it’s clear now.
Best regards,

Yes that is possible.

For an example see

You configure the CipherMail gateway to always send email back to the same system, i.e., for internal and external domains.

The main issue is to make sure you do not have an unlimited mail loop. It depends on your mail server whether or not it’s easy or hard to prevent a mail loop. With Postfix, O365 and Gmail it’s easy, With Exchange it’s little harder.

Hi Martijn,
To be honest, I was hoping to receive a bit more information, especially after I had described my situation so thoroughly. The link you sent me is certainly nice in content, but size-wise it’s somewhat out of focus, and to be honest, I was hoping to get some more specific code examples, as fundamentally this can’t be that difficult.
I’ve already implemented all of this on the Appliance itself and now I simply want to separate it again. This means that parts from the and the from the Ciphermail appliance need to be incorporated into my Postfix, which can’t be too wild of a task.
So, if you possibly have some more concrete examples, I would truly be very pleased.

My apologies for the delay.

Explaining all steps in all details might be a bit too much for the forum and I also do not have a lot of time to explain it in all details. The basic configuration steps should be something like the following (assuming you use Postfix on the receiving mail server:

  1. Setup a Postfix instance (the Mail server) with Dovecot

  2. On the Mail server, configure a content filter to forward incoming email to CipherMail

    content_filter = smtp:[IP-OF-CIPHERMAIL]:25

    See Postfix After-Queue Content Filter for details

  3. On the Mail server, configure a reinjection port (in

    The reinjection port sets content_filter to an empty valud to prevent a mail loop


    :10026 inet  n       -       -       -       10      smtpd
                -o content_filter= 
                -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
                -o smtpd_helo_restrictions=
                -o smtpd_client_restrictions=
                -o smtpd_sender_restrictions=
                -o smtpd_recipient_restrictions=permit_mynetworks,reject
                -o mynetworks=IP-OF-CIPHERMAIL/32
  4. Configure the CipherMail gateway to deliver email to the Mail server on the reinjection port (10026)

    Configure both the internal and external relay host to deliver back to the Mail server, i.e., all outgoing email from the CipherMail gateway should go back to the Mail server.

With the above setup (which I have not tried but should work), email received by the Mail server will be delivered to the CipherMail gateway the first time the email is received.

After CIpherMail handled the email, encrypted or decrypted, the email will be sent back to the Mail server (on port 10026). Because the content_filter setting on the reinjection port is set to an empty value, the email will not be sent back to the CipherMail gateway again but handled as a normal email.

Hey Martijn,
thanks for the replay.
I will try this in the next weeks.
thanks a lot for the time you spent, I appreciate that.