NTACurrent en:Configuration of the Mail Server

Aus Cryptshare Documentation
Wechseln zu:Navigation, Suche


The existing mail server of your organisation needs to be configured to route all outgoing mails to the Cryptshare Mail Gateway as smart host.


  • Check if connections can be made between the mail server and the server on which Cryptshare Mail Gateway runs. Please refer to the network section of System Requirements.

Configuration Example: Exchange Server 2016

The following steps refer to Exchange Server (2016) as an example.

  1. Remove the existing send connector, if one is present.
  2. Create a new send connector:
    1. Delivery: Route mail through smart hosts. Add the IP address of the Cryptshare Mail Gateway as new smart host.
    2. Scoping: Add an address space of type "SMTP", with "*" scope, to send all emails to the Cryptshare Mail Gateway.

Configuration Example: Microsoft 365

With Microsoft 365 (formerly "Office 365", subsequently referenced as "M365") it is possible to send emails to a specific connector based on transport rules.

We have built the Cryptshare Mail Gateway ("CMG") to only allow email from a specific M365 "tenant". You will need the tenant ID from your Azure Active Directory (AAD)’s “Overview” page before setting up the CMG.


To configure M365 with CMG you will need to create two Connectors.

  1. CMG→M365
    • From: Your organization's email server
    • To: Office 365
    • Identify incoming messages from your email server by the CMG server’s public facing IP
  2. M365→CMG
    • From: Office 365
    • To: Your organization‎'s email server
    • Select the option: “Use only when I have a transport rule set up that redirects messages to this connector.”
    • Route email messages through these smart hosts: public facing IP address for the CMG.
    • Select “Always use Transport Layer Security ‎(TLS)‎ and connect only if the recipient’s email server certificate is issued by a trusted certificate authority ‎(CA)‎.”
    • You will need to test this with an email address outside of the domain you are configuring.

Transport Rules

If you are only using the Cryptshare for Outlook addin then you only need to setup this transport rule:

  • Title: "Forward Emails with X-CS-Sensitivity Header mail to CMG"
  • If the message...
    • 'X-CS-Sensitivity' header contains confidential
    • and Is received from 'Inside the organization'
  • Do the following...
    • Route the message using the connector named 'M365_to_CMG'. (or however you named your connector in the previous section)
  • and Stop processing more rules

Currently we do not have an addin for OWA, however, you can still use CMG with OWA by using rules that are triggered with a word in the subject, e.g. "[confidential]". This rule must be set to a higher priority than the “Forward Emails with X-CS-Sensitivity Header mail to CMG” rule.

  • Title: OWA Confidential
  • If the message...
    • Includes these words in the message subject: '[confidential]'
    • and Is received from 'Inside the organization'
  • Do the following...
    • set message header 'X-CS-Sensitivity' with the value 'confidential'
  • Except if...
    • sender ip addresses belong to one of these ranges: '<CMG-Public IP goes here>’

The exception is important, otherwise replies to outgoing mails will trigger the rule again and send back to the CMG.


The CMG is responsible for SPF, DKIM and DMARC checks, however, M365 also performs these checks. As we are unable to disable these and due to the CMG not being able to be authoritative for all incoming mail domains, the M365 checks will inevitably fail. This can lead to duplicate SPF, DKIM and DMARC headers in your emails, which will be shown as a “soft fail” in most cases. To ensure that this does not affect mail flow between CMG and M365, you should configure M365 to always accept emails from the CMG. The options for this are now located in the "Security and Compliance" admin section located on your tenant’s admin page.

  1. Open Threat Management
  2. Select Policy
  3. Choose Anti-Spam
  4. Expand “Connection filter policy ‎(always ON)‎”
  5. Choose Edit Policy
  6. Click Edit next to the IP Allow List
  7. Add the IP address for the CMG (Remember to click the + button after entering)
  8. Click Save