Hello, dear community!
I’m looking for a way to protect emails from our mail server administrators. I want emails to pass through the server or be stored on it only encrypted. However, I’m not sure the sender will always encrypt the emails themselves, so I can’t implement a PGP/S/MIME scheme on the client side. Please help me figure out whether Ciphermail can be used to solve this problem.
I drew a few diagrams for clarity. Is it possible to use Ciphermail in any of these configurations?
The gateway uses two processing pipelines to manage mail: encryption and decryption.
The decryption pipeline handles email sent to recipients with the Locality set to Internal. You should generally set all of your own domains to Internal to ensure the gateway decrypts incoming mail for your users.
The encryption pipeline handles email sent to recipients with the Locality set to External. Since External is the default setting, any email sent to a domain not explicitly marked as internal will be encrypted whenever possible.
If you want to ensure all email is encrypted, including mail sent to internal users, you can keep the Locality set to External for everyone and add the public certificates or PGP keys for your internal users to the gateway. If you use this configuration, your users must have email clients capable of decrypting messages locally using S/MIME or PGP.
Hello again!
I have a testbed for ciphermail.
- mail-b.secure.local – the organization’s server,
- mail-c.mail.local – the external mail server,
- postfix.ciphermail.local – Ciphermail Gateway.
I described my main goal in the first message: I want emails to be stored only encrypted on the organization’s mail server. Therefore, the secure.local domain is included in the external domains list on the CipherMail Gateway.
When user-c@mail.local sends an email to user-b@secure.local, everything works as it should. The message moves like this: user-c@mail.local → mail-c.mail.local → ciphermail.local (encrypting) → mail-b.secure.local (encrypted) → user-b@secure.local (decrypting).
When user-b@secure.local sends an email to someone, it uses the Ciphermail Gateway as its SMTP server. Everything works correctly for emails inside the secure.local domain: user-b@secure.local → ciphermail.local (encrypting) → mail-b.secure.local (encrypted) → user-a@secure.local (decrypting). It’s OK.
But when user-b@secure.local sends an email to user-c@mail.local, I get the error: “Sending of the message failed. An error occurred while sending mail. The mail server responded: user-c@mail.local: Relay access denied. Please check the message recipient “user-c@mail.local” and try again.”
If I add mail.local to the list of external domains, the error disappears. But this doesn’t seem like a correct solution, since in prod, any email domain (Gmail, etc.) could replace mail.local.
Can you help me resolve this issue?
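Two separate decisions are in play in this thread: the relay check an MTA makes before it accepts a recipient at all, and the Locality (Internal/External) lookup that picks the gateway's encryption or decryption pipeline (described in the reply above). The model below is an added example, not Ciphermail's or Postfix's own code; it assumes the gateway's MTA applies the usual Postfix relay policy (a client may relay to any destination only if it is in a trusted network or SASL-authenticated, otherwise only to domains the MTA accepts mail for) and uses constructed IP addresses for the testbed hosts. It replays the three flows from the post so the "Relay access denied" case can be seen next to the two working ones, and then shows the effect of trusting the organization's own server network, as opposed to accepting mail for the remote domain.

```python
"""Model of the two independent decisions a Postfix-based encryption gateway
makes per recipient: (1) may this client relay to this recipient at all?
(2) which Ciphermail pipeline (encrypt/decrypt) handles the recipient?

Constructed example; not Ciphermail's or Postfix's own code. The host
addresses and networks below are assumed values for the thread's testbed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RELAY_DENIED = "554 5.7.1 Relay access denied"
RELAY_OK = "250 OK"


@dataclass(frozen=True)
class GatewayPolicy:
    my_networks: tuple           # like Postfix mynetworks: clients trusted to relay anywhere
    accepted_domains: frozenset  # domains the MTA accepts mail for from any client
    internal_domains: frozenset  # Ciphermail Locality=Internal; anything else is External

    def client_trusted(self, client_ip: str, sasl_authenticated: bool) -> bool:
        """Authenticated clients and clients inside a trusted network may relay."""
        if sasl_authenticated:
            return True
        addr = ip_address(client_ip)
        return any(addr in ip_network(net) for net in self.my_networks)

    def relay_decision(self, client_ip: str, sasl_authenticated: bool, recipient: str) -> str:
        """Mirror of reject_unauth_destination: untrusted clients may only send
        to domains this MTA accepts mail for."""
        domain = recipient.rpartition("@")[2].lower()
        if self.client_trusted(client_ip, sasl_authenticated):
            return RELAY_OK
        if domain in self.accepted_domains:
            return RELAY_OK
        return RELAY_DENIED

    def pipeline(self, recipient: str) -> str:
        """Locality lookup: Internal recipients are decrypted, External ones encrypted."""
        domain = recipient.rpartition("@")[2].lower()
        return "decrypt" if domain in self.internal_domains else "encrypt"

    def handle(self, client_ip: str, sasl_authenticated: bool, recipient: str) -> str:
        """Relay check first; the pipeline only matters once the recipient is accepted."""
        verdict = self.relay_decision(client_ip, sasl_authenticated, recipient)
        if verdict != RELAY_OK:
            return verdict
        return f"{RELAY_OK} -> {self.pipeline(recipient)} pipeline"


# Assumed addresses for the testbed hosts (constructed, not from the post).
MAIL_B = "10.1.0.10"  # mail-b.secure.local / user-b's client, the organization's side
MAIL_C = "10.2.0.10"  # mail-c.mail.local, the external mail server

# The post's setup: secure.local is External (not in internal_domains) so that
# mail to it is encrypted; the gateway accepts mail for secure.local in order
# to forward it to mail-b; only localhost is a trusted relay client.
TESTBED = GatewayPolicy(
    my_networks=("127.0.0.0/8",),
    accepted_domains=frozenset({"secure.local"}),
    internal_domains=frozenset(),
)


def thread_scenarios(policy: GatewayPolicy) -> dict:
    """The three flows described in the post, evaluated against one policy."""
    return {
        "c_to_b": policy.handle(MAIL_C, False, "user-b@secure.local"),
        "b_to_a": policy.handle(MAIL_B, False, "user-a@secure.local"),
        "b_to_c": policy.handle(MAIL_B, False, "user-c@mail.local"),
    }


def trust_org_network(policy: GatewayPolicy, network: str = "10.1.0.0/24") -> GatewayPolicy:
    """Let the organization's own server relay outbound mail (assumed network)."""
    return GatewayPolicy(policy.my_networks + (network,),
                         policy.accepted_domains, policy.internal_domains)


def accept_remote_domain(policy: GatewayPolicy, domain: str) -> GatewayPolicy:
    """The post's workaround: accept mail for the remote domain from anyone.
    It has to be repeated for every remote domain, which is why it does not scale."""
    return GatewayPolicy(policy.my_networks,
                         policy.accepted_domains | {domain.lower()}, policy.internal_domains)


if __name__ == "__main__":
    for name, verdict in thread_scenarios(TESTBED).items():
        print(f"{name:7s} {verdict}")
    print("after trusting the org network:",
          trust_org_network(TESTBED).handle(MAIL_B, False, "user-c@mail.local"))
    print("SASL-authenticated submission:",
          TESTBED.handle(MAIL_B, True, "user-c@mail.local"))
```

Running the block prints the two working flows as accepted and routed to the encrypt pipeline, the third as "Relay access denied", and the same third flow accepted once user-b's server network is trusted or the submission is authenticated. The point a practitioner should take from it is that Locality never enters the relay decision: marking a recipient domain External only decides whether the gateway encrypts, so an outbound relay refusal has to be addressed on the trusted-client side (network or authentication), not by enumerating remote domains.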