Google Workspace

Instructions for integrating with SecuMailer.

Introduction

The G-Suite integration with SecuMailer is very straightforward and should take 10-15 minutes to complete. The integration is fully controlled by your own settings and policies, you can determine yourselves which emails you want to secure with SecuMailer and which accounts or emails you want to exempt. The integration is accomplished by defining SecuMailer as a so called “Route” and subsequently determine which emails are using the SecuMailer Route.

Overview

The integration consists of three steps:

Create a group (or multiple groups) of users that will use SecuMailer
Add users to this group
Create a route that directs email from this group to SecuMailer

Next to that there is one additional options that may apply to your situation:

Adding NTA 7516 functionality

Setup

Start the integration by opening your G-Suite admin console in your browser (https://admin.google.com) and navigate to G-Suite.

Create Group

In the Groups UI select the "Create group" option (see below).

For the purpose of this instruction I will be using the group name "AVG" but you can select whatever you like as long as it is recognizable as a Group specifically for integrating with SecuMailer. For group email you can also use "avg". The group owner should be an administrator within your organization. When you are done click on the NEXT button.

You are now on the "Access type" screen (see below). In the "Access type" screen select "Only invited users" and click on CREATE GROUP.

When clicking "Create Group" you'll be taken to the summary screen below. Here, you can add members to this group.

Please add all senders that you want to use the SecuMailer configuration by selecting "Add members to AVG".

After you have completed adding all members to the AVG group you can click on SAVE.

Add Route

Go to the GMail settings in your GSuite admin overview. Select option "Hosts" (see below).

In the "Hosts" overview select button ADD ROUTE (see below).

In the next screen fill in the following:

Name: SecuMailer
Specify email server: mail-relay.secumail.cloud : 587
Options
- Select "Require mail to be transmitted via a secure (TLS) connection"
- Select "Require CA-signed certificate"
- Select "Validate certificate hostname"

After you have filled in the abovementioned details you can click on the "Test TLS connection" link, you should get a success message as shown above.

You can click on the SAVE button to store this configuration. Go back to the main admin screen of GMail and select “Routing” (at the bottom of the screen).

Below and on the right side of the Routing overview you'll see an option to ADD ANOHTER RULE . Click on the add option and you should get a popup for adding a route (see below).

You will be presented with the form below, this will allow you configure another route.

Provide the following information:

Description: SecuMailer
Messages to affect: Select "Outbound"
For the above types of messages, do the following:
- Select "Modify message", select "Add custom headers", click on ADD and provide "X-Secumail-Id" and the value for X-Secumail-Id that was provided to you by SecuMailer. Click on SAVE to store the setting.
- Select "Change route" and in the dropdown select "SecuMailer" (the mail route you created in the previous paragraph)
- Select "Require secure transport (TLS)"
At the bottom of the popup select "Show options"
- At "B. Account types to affect" select "Users"
- At "C. Envelope filter" select "Only affect specific envelope senders", select "Group membership", select "AVG" (the group you made in the previous paragraph)

Click on SAVE to store the configuration.

You have now configured your GMail integration with SecuMailer.

Create rule for Out-of-Office e-mails

In this section you will create the mail rule that will route your out-of-office e-mail towards the public internet. This is needed since the sender is out of office and cannot respond to notifications in case a recipient cannot be reached securely. These message typically don't contain personal information and can be send without securing the message.

Please do check with you Security Officer before applying this rule.

Go to the GMail settings in your GSuite admin overview. Select option "Compliance" (see below).

Scroll down to the "Content Compliance" Section

Below and on the right side of the table you'll see an option to ADD ANOHTER RULE . Click on the add option and you should get a popup for adding a new rule(see below).

Provide the following information:

Description: SecuMailer - Auto Reply Exception
Messages to affect: Select "Outbound"
Add expressions that the describe the content you want to search for in each message
- Change the setting to "If ALL of the following match the message"
- Add an Expression with the following:
  - Advanced content match
  - Location: Full headers
  - Match type: Contains text
  - Content: Auto-Submitted: auto-replied

Select "Change route" and in the dropdown select "Normal Routing"
At the bottom of the popup select "Show options"
- At "B. Account types to affect" select "Users"

Click on "Save" and the rule has been created, please make sure it is enabled.

NTA 7516 setup

To use the NTA 7516 functionality of the SecuMailer platform it is required that your outgoing NTA 7516 email is provided with a specific header and that this header is associated with senders in your organization that need to use the NTA 7516 functionality. This section of the guide has as a prerequisite that you have successfully completed the first part of the guide.

This section of the configuration guide details how to set up this situation. The whole process consists of the following high level steps:

Define a group that contains senders that must send with NTA 7516 configuration
Add a Routing rule that inserts the X-SecuMailer-NTA7516 header to outgoing email for the NTA 7516 group

Create Group

In GSuite create a new group.

For "Group details" you can use NTA 7516 as an example, but you can name it whatever you like as long as it is recognizable to you as an NTA 7516 group later in the setup process. You can also define multiple groups that you want to apply the NTA 7516 policy for.

You can choose your own settings for the other fields. For this guide I will assume the following values:

Description: NTA-7516
Group email: nta-7516
Group owner: Responsible GMail administrator

After you are finished click on NEXT, this will bring you to the "Access type" screen below. In the "Access type" screen select "Only invited users" and click on CREATE GROUP.

In the summary screen below you can add members to this group.

Please add all senders that you want to use the NTA 7516 configuration by selecting "Add members to NTA 7516".

After you have completed adding all members to the NTA 7516 group you can click on SAVE.

Create Routing rule

The Routing rule will add a specific header to outgoing emails for the NTA 7516 group which is required for the SecuMailer platform.

In the GMail admin console select "Routing" and scroll down to "Routing". There should already be a Routing rule for SecuMailer in place. Select "Add Another" to add an additional Routing rule.

For this guide this new rule will be named "NTA 7516". Please apply the following settings:

"Messages to affect": Outbound
"For the above types of messages, do the following": Select "Modify message",
1. Headers
  1. Select "Add custom headers", click on ADD and provide "X-Secumail-Id" and the value for X-Secumail-Id that was provided to you by SecuMailer. Click on SAVE to store the setting.
  2. Select "Add custom headers", click on ADD and provide "X-SecuMailer-NTA7516" and as value "true". Click on SAVE.
2. Route
  1. Select "Change route" and select the Secumail route that you added previously.
3. Encryption
  1. Select "Require secure transport (TLS)"
At the bottom of the popup select "Show options"
- At "B. Account types to affect" select "Users"
- At "C. Envelope filter" select "Only affect specific envelope senders", select "Group membership", select "NTA-7516" (the NTA-7516 group you made in the previous paragraph)