Introduction

Exclaimer is a Microsoft Office 365, Exchange Server and G Suite solution for email signatures, archiving, email utilities & more.

It's possible to have Exclaimer and SecuMailer cooperate together to enjoy the benefits of both solutions. This appendix contains instructions for the proper setup of Exclaimer together with SecuMailer.

Exchange Admin Center

Please open a browser and provide the URL for your Exchange Admin Center.

In EAC select mail flow in the main menu and subsequently select rules from the context menu. In the rules overview move the Exclaimer rule above the SecuMailer rule(s) using the up arrow in the rules menu (see screenshot below).

Mail flow rule

After you've moved the Exclaimer rule above the SecuMailer rule, select the edit option to change the SecuMailer rule(s).

Change the first condition Apply this rule if... , add a condition by selecting A message header... from the drop down and select includes any of these words...

Click on Enter text... , fill in X-ExclaimerHostedSignatures-MessageProcessed and click on OK. Click on Enter words..., fill in true, click on the + symbol and click on OK. See below for an example.

Click on Save to store the change.

This change ensures that O365 / Exchange checks that the Exclaimer processing has completed successfully before sending the email to SecuMailer for further processing.

Introduction

The G-Suite integration with SecuMailer is very straightforward and should take 10-15 minutes to complete. The integration is fully controlled by your own settings and policies, you can determine yourselves which emails you want to secure with SecuMailer and which accounts or emails you want to exempt. The integration is accomplished by defining SecuMailer as a so called “Route” and subsequently determine which emails are using the SecuMailer Route.

Overview

The integration consists of three steps:

• Create a group (or multiple groups) of users that will use SecuMailer

• Add users to this group

• Create a route that directs email from this group to SecuMailer

Next to that there is one additional options that may apply to your situation:

• Adding NTA 7516 functionality

Setup

Start the integration by opening your G-Suite admin console in your browser (https://admin.google.com) and navigate to G-Suite.

Create Group

In the Groups UI select the "Create group" option (see below).

For the purpose of this instruction I will be using the group name "AVG" but you can select whatever you like as long as it is recognizable as a Group specifically for integrating with SecuMailer. For group email you can also use "avg". The group owner should be an administrator within your organization. When you are done click on the NEXT button.

You are now on the "Access type" screen (see below). In the "Access type" screen select "Only invited users" and click on CREATE GROUP.

When clicking "Create Group" you'll be taken to the summary screen below. Here, you can add members to this group.

Please add all senders that you want to use the SecuMailer configuration by selecting "Add members to AVG".

After you have completed adding all members to the AVG group you can click on SAVE.

Add Route

Go to the GMail settings in your GSuite admin overview. Select option "Hosts" (see below).

In the "Hosts" overview select button ADD ROUTE (see below).

In the next screen fill in the following:

• Name: SecuMailer

• Specify email server: mail-relay.secumail.cloud : 587

• Options

  • Select "Require mail to be transmitted via a secure (TLS) connection"

  • Select "Require CA-signed certificate"

  • Select "Validate certificate hostname"

After you have filled in the abovementioned details you can click on the "Test TLS connection" link, you should get a success message as shown above.

You can click on the SAVE button to store this configuration. Go back to the main admin screen of GMail and select “Routing” (at the bottom of the screen).

Below and on the right side of the Routing overview you'll see an option to ADD ANOHTER RULE . Click on the add option and you should get a popup for adding a route (see below).

You will be presented with the form below, this will allow you configure another route.

Provide the following information:

• Description: SecuMailer

• Messages to affect: Select "Outbound"

• For the above types of messages, do the following:

  • Select "Modify message", select "Add custom headers", click on ADD and provide "X-Secumail-Id" and the value for X-Secumail-Id that was provided to you by SecuMailer. Click on SAVE to store the setting.

  • Select "Change route" and in the dropdown select "SecuMailer" (the mail route you created in the previous paragraph)

  • Select "Require secure transport (TLS)"

• At the bottom of the popup select "Show options"

  • At "B. Account types to affect" select "Users"

  • At "C. Envelope filter" select "Only affect specific envelope senders", select "Group membership", select "AVG" (the group you made in the previous paragraph)

Click on SAVE to store the configuration.

You have now configured your GMail integration with SecuMailer.

Create rule for Out-of-Office e-mails

In this section you will create the mail rule that will route your out-of-office e-mail towards the public internet. This is needed since the sender is out of office and cannot respond to notifications in case a recipient cannot be reached securely. These message typically don't contain personal information and can be send without securing the message.

Please do check with you Security Officer before applying this rule.

Go to the GMail settings in your GSuite admin overview. Select option "Compliance" (see below).

Scroll down to the "Content Compliance" Section

Below and on the right side of the table you'll see an option to ADD ANOHTER RULE . Click on the add option and you should get a popup for adding a new rule(see below).

Provide the following information:

• Description: SecuMailer - Auto Reply Exception

• Messages to affect: Select "Outbound"

• Add expressions that the describe the content you want to search for in each message

  • Change the setting to "If ALL of the following match the message"

  • Add an Expression with the following:

    • Advanced content match

    • Location: Full headers

    • Match type: Contains text

    • Content: Auto-Submitted: auto-replied

• Select "Change route" and in the dropdown select "Normal Routing"

• At the bottom of the popup select "Show options"

  • At "B. Account types to affect" select "Users"

Click on "Save" and the rule has been created, please make sure it is enabled.

NTA 7516 setup

To use the NTA 7516 functionality of the SecuMailer platform it is required that your outgoing NTA 7516 email is provided with a specific header and that this header is associated with senders in your organization that need to use the NTA 7516 functionality. This section of the guide has as a prerequisite that you have successfully completed the first part of the guide.

This section of the configuration guide details how to set up this situation. The whole process consists of the following high level steps:

• Define a group that contains senders that must send with NTA 7516 configuration

• Add a Routing rule that inserts the X-SecuMailer-NTA7516 header to outgoing email for the NTA 7516 group

Create Group

In GSuite create a new group.

For "Group details" you can use NTA 7516 as an example, but you can name it whatever you like as long as it is recognizable to you as an NTA 7516 group later in the setup process. You can also define multiple groups that you want to apply the NTA 7516 policy for.

You can choose your own settings for the other fields. For this guide I will assume the following values:

• Description: NTA-7516

• Group email: nta-7516

• Group owner: Responsible GMail administrator

After you are finished click on NEXT, this will bring you to the "Access type" screen below. In the "Access type" screen select "Only invited users" and click on CREATE GROUP.

In the summary screen below you can add members to this group.

Please add all senders that you want to use the NTA 7516 configuration by selecting "Add members to NTA 7516".

After you have completed adding all members to the NTA 7516 group you can click on SAVE.

Create Routing rule

The Routing rule will add a specific header to outgoing emails for the NTA 7516 group which is required for the SecuMailer platform.

In the GMail admin console select "Routing" and scroll down to "Routing". There should already be a Routing rule for SecuMailer in place. Select "Add Another" to add an additional Routing rule.

For this guide this new rule will be named "NTA 7516". Please apply the following settings:

1. "Messages to affect": Outbound

2. "For the above types of messages, do the following": Select "Modify message",

   1. Headers

      1. Select "Add custom headers", click on ADD and provide "X-Secumail-Id" and the value for X-Secumail-Id that was provided to you by SecuMailer. Click on SAVE to store the setting.

      2. Select "Add custom headers", click on ADD and provide "X-SecuMailer-NTA7516" and as value "true". Click on SAVE.

   2. Route

      1. Select "Change route" and select the Secumail route that you added previously.

   3. Encryption

      1. Select "Require secure transport (TLS)"

3. At the bottom of the popup select "Show options"

   • At "B. Account types to affect" select "Users"

   • At "C. Envelope filter" select "Only affect specific envelope senders", select "Group membership", select "NTA-7516" (the NTA-7516 group you made in the previous paragraph)

Click on SAVE. In the Admin console click on SAVE (in the right hand bottom corner of the screen).

You should now have two Routing rules as shown below.

This concludes your setup of NTA 7516.

Introduction

In situations where SecuMailer is not able to securely deliver an email it will return the email to the SecuMailer environment. At this point there are two possibilities to deal with the non-delivery:

• Accept non-delivery and find an alternative way to deliver the message, for instance via a physical letter

• Retry delivery via a different channel, i.e. show the content of the message on a secure web page

This Integration Guide explains how to implement the second option, alternative delivery via a secure web page.

Process

When the SecuMailer system is triggered that an email can’t be delivered due to an insecure connection to the recipient mail server it will activate its alternative delivery function.

The alternative delivery function creates a notification email containing a unique link. This unique link contains the senders secure website address and a unique identifier that is used by the SecuMailer Portal Script to retrieve the email.

The following process takes place when using the alternative delivery process.

Constraints

The SecuMailer Portal Script will only work on a website that is secured with TLS. If a customer tries to integrate the script on an unsecured website, it will not activate. If a customer is not able to configure a secure website, it is possible to configure a specific delivery website for the customer . Please discuss this option with your SecuMailer account manager.

Instructions

The sender needs to create an empty page on their website, paste in the SecuMailer supplied HTML + JavaScript code and configure the full url of this new page in the SecuMailer management portal (https://secumailer.app). After configuration of the portal url in the SecuMailer management portal the portal widget is active.

Portal code

Copy and paste the code snippet below on your web page.

Introduction

CodeTwo is a Microsoft Office 365, Exchange Server and G Suite solution for email signatures, archiving, email utilities & more.

It's possible to have CodeTwo and SecuMailer cooperate together to enjoy the benefits of both solutions. This appendix contains instructions for the proper setup of CodeTwo together with SecuMailer.

Exchange Admin Center

Please open a browser and provide the URL for your Exchange Admin Center.

In EAC select mail flow in the main menu and subsequently select rules from the context menu. In the rules overview move the CodeTwo rule above the SecuMailer rule(s) using the up arrow in the rules menu (see screenshot below).

Mail flow rule

After you've moved the CodeTwo rule above the SecuMailer rule(s), select the edit option to change the SecuMailer rule(s).

Change the first condition Apply this rule if... , add a condition by selecting A message header... from the drop down and select includes any of these words...

Click on Enter text... , fill in X-CodeTwoProcessed and click on OK. Click on Enter words..., fill in true, click on the + symbol and click on OK. See below for an example.

Click on Save to store the change.

This change ensures that O365 / Exchange checks that the CodeTwo processing has completed successfully before sending the email to SecuMailer for further processing.

Events

The Events section of the portal provides access to all delivery / bounce event data for your domain(s). It consists of three aspects:

• Search

• List overview

• Detailed overview

Search

The search bar at the top allows you to select the range of events you want to investigate. Clicking on a date will yield a date selector where you can change either the start or end date or both.

The Search box allows for free text searching in combination with standard search attributes like and / or. A typical search query would be "person@example.com AND delivery" (the upper casing of and is not mandatory, it's just there for emphasis).

List overview

Below the search bar you will find the list overview starting from old to new events.

Each column is sortable, so if you want to sort the events from new to old you need to click on the Timestamp column to activate the sort order and click again to change the sort order to newest events first.

Detailed overview

Each entry in the list overview has a caret symbol to the left which you can click on to yield a detailed overview.

The detailed view is mostly relevant for looking at bounce events as the detailed view will provide you with the diagnostic information why an email was not delivered.

The bounce event information is at the bottom of the detailed view.

Accounts

The Accounts section allows you to inspect the recipient email addresses that your organization has communicated with. It also allows you to change the association of an email address with a recipients phone number. This functionality will help you if one of your recipients has changed their phone number. The phone number is a required element for the two factor authentication that SecuMailer uses for delivery to insecure recipients or in case of NTA 7516 functionality.

You can either scroll through the list to find a specific recipient or you can use the search box (which probably is faster). The search box will start searching with incomplete input so if you don't know the full address it will show you all matching addresses based on the provided input.

Once you've pinpointed the address you want to change you can select the edit option to the right of the address.

You can change the phone number to the new value and click on Save. It's also possible to delete an address. Use caution when doing this as it will also delete any associated phone number. In case you've deleted an address erroneously there's no need to worry, next time when there's an email to this recipient it will be added back again into the database.

Mailbox

Introduction

Exchange is able to direct traffic to certain recipients (recipient based routing), it does not however contain functionality for routing based on the sender (sender based routing). By using a redirect mail flow rule it is possible to do a form of sender based routing that is sufficient for directing traffic to SecuMailer without violating the Exchange way-of-working. The high level approach is that any mailbox that needs to be integrated with SecuMailer is placed in a specific Distribution Group. Next to that a new mail contact is created that uses a non-existent email address / domain (to prevent any undesirable external routing). A new mail rule is created that redirects email from members of the Distribution Group to the Contact with the non-existent email address. This Contact is associated with a Send Connector which in turn forwards all email to the SecuMailer Mail Relay (and thereby into the SecuMailer system).

Exchange Admin Center

Please open a browser and provide the url for your Exchange Admin Center.

Create Distribution Group

In EAC select recipients in the main menu and subsequently select groups from the context menu. Click on the + symbol and select Distribution Group from the dropdown menu. You should now see the pop-up named new distribution group.

Please fill in Display name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer.

Please fill in Alias.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer.

Please select the Organizational unit that contains the mailboxes that you wish to connect with SecuMailer. Please set the Owners according to your organization’s standards. Please add as Members the mailbox(es) that you wish to connect with SecuMailer.

Please deselect Add group owners as members as this would automatically add the administrators to the group that will forward all email via SecuMailer (unless this is your intention).

Please apply any other setting that you apply within your organization on this Distribution Group. After you are finished setting all options please click on the Save button to store your Distribution Group configuration.

Create Contact

You should still be in the recipients context (if not please click on recipients in the main navigation). Please select contacts in the context menu. Click on the + symbol and select Mail contact from the dropdown menu. You should now see the pop-up new mail contact (see below).

Please fill in Display name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer Relay.

Please fill in Name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer Relay.

Please fill in Alias.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer Relay.

Please fill in External email address and use the following convention:

SMTP:secumailer@secumailer.relay

The domain secumailer.relay doesn’t exist which is intentional. After you are finished setting all options please click on the Save button to store your Contacts configuration.

Create Transport Rule

In this section you will create two Transport Rules. The first transport rule will handle external BCC recipients, the second rule will direct your mail traffic towards the SecuMailer platform.

External BCC recipients

Due to how mail relay integration works SecuMailer can’t work with BCC recipients, this information gets lost in the protocol exchange. Internal BCC recipients are not affected but to make sure no inadvertent external BCC recipients are used we require a transport rule that will decline usage of external BCC recipients. In EAC select mail flow in the main menu and subsequently select rules from the context menu. Click on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule (see below).

Please fill in Name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “No external BCC”.

Carry out the following steps:

• Click on the button Add condition to add the second condition. At the second dropdown list select The recipient... and in the sub dropdown list select is internal/external. In the select recipient location popup select the option Outside the organization and click on OK.

• Click on the button Add condition to add the third and last condition. At the third dropdown list select A message header … and in the sub dropdown list select matches these text patterns. To the right of the dropdown click on the Enter text link and in the popup titled specify header name fill in the following: X-MS-Exchange-Organization-BCC and click on OK. Next click on the link titled Enter text patterns … and in the popup titled specify words or phrases fill in the following: $ and click on the + symbol to the right and subsequently click on OK. At the next drop down under the label Do the following... select the option Block the message and in the sub drop down select Reject the message with the explanation. In the popup titled specify rejection reason you can provide an explanation why this message is blocked. An example that you might use is:

“Your message is blocked and not delivered due to our policy not allowing external BCC recipients”. Click on ‘OK’.

• Scroll down the form and check the box at Stop processing more rules. Click on Save. You are now done with the first transport rule

Redirect traffic to SecuMailer

You are still in the rules section of mail flow. Please create the second transport rule by clicking on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule.

Please carry out the following steps:

• Please fill in Name

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “Redirect to SecuMailer”.

• At Except if … click on the button add exception. If you don’t see this option please scroll down until you see the link More options… and click on the link, this should give you the possibility of adding an exception. In the dropdown list select The recipient… and select internal/external. In the popup window select internal and click on OK.

• Click on the button add exception to add a second exception. In the dropdown list select A message header… and in the sub dropdown list select matches these text patterns. To the right of the dropdown click on the Enter text link and in the popup titled specify header name fill in the following: X-MS-Exchange-Organization-BCC and click on OK. Next click on the link titled Enter text patterns… and in the popup titled specify words or phrases fill in the following: $ and click on the + symbol to the right and subsequently click on OK. After you are finished setting all options please click on the Save button to store your Mail Rule configuration.

Create Send Connector

You should still be in the mail flow context (if not please click on mail flow in the main navigation). Please select send connectors in the context menu. Click on the + symbol. You should now see the pop-up new send connector (see below).

Please fill in Name

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer”.

Click on button Next. Please select Route mail through smart hosts and click on the + symbol.

You will get a pop-up titled “add smart host”.

Please fill in the following value: mail-relay.secumail.cloud. Click on the Save button. Click on the Next button to proceed.

Please select option Basic authentication and select Offer basic authentication only after starting TLS. At the User name and Password fields please fill in the values supplied by SecuMailer. If you haven’t received these values please contact SecuMailer Support at support@secumailer.com. Click on the Next button to proceed to the next screen.

Please click on the + symbol. In the popup please fill in Full Qualified Domain Name (FQDN) with value: secumailer.relay

Click on the Save button to proceed. The new send connector windows should look as follows:

Click on the Next button to proceed. In the next popup click on the + button.

Please select your server and click on the Add button. Please click on the OK button.

The new send connector windows should look as follows (with your mail server shown rather than the example server):

Please click on Finish

Change Send Connector Port

Please start the Exchange Management Shell.

Please type: Get-SendConnector

With the next command you switch the SecuMailer Send Connector to use port 587 rather than port 25. This instruction assumes you have used “SecuMailer” as the name for your Send Connector. If you have chosen a different name for the Connector please use that name. Please type:

Set-SendConnector -identity "SecuMailer" -Port:587

Hit enter to execute. If all went well the command completes without any issues.

Firewall

Please make sure you allow port 587 outgoing to mail-relay.secumail.cloud to allow the email traffic to reach the SecuMailer platform.

Disabling Rich Text Format

Microsoft uses an outdated format for emails called “Rich Text Format” (or RTF in short). The RTF format is only supported by Outlook and can’t be read on the standard mail clients of Apple devices or Android devices. Microsoft advises to disable Rich Text Format to avoid inadvertently sending mails in this format.

To disable RTF please start the Exchange Management Shell. This instruction assumes you have used “SecuMailer Contact” as the name for your Contact setting. If you have chosen a different name for the Contact please use that name. Please type:

Set-MailContact -Identity "SecuMailer Contact" -UseMapiRichTextFormat Never

Hit enter to execute. If all went well the command completes without any issues.

The integration is now completed. Please send a couple of test emails from the address you connected with SecuMailer and verify they arrive correctly at an email address you have access to.

NTA 7516

The NTA 7516 functionality requires two additional changes to your Exchange configuration:

• Creation of a separate Distribution Group

• Creation of a mail flow rule

NTA 7516 Distribution Group

After you have created the Distribution Group please create a new mail flow rule.

NTA 7516 Mail Flow Rule

In EAC select mail flow in the main menu and subsequently select rules from the context menu. Click on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule (see below).

Please fill in Name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer NTA7516”.

Please carry out the following steps:

• In the next dropdown list named Do the following select the option Modify the message properties and select Set a message header. In the text to the right of the option click on the first Enter text... link and in the message header popup fill in: X-SecuMailer-NTA7516 and click on OK. Click on the second Enter text... link and in the message value popup fill in: true and click on OK.

• Click on the button Add exeption to add a exeption. At dropdown list select The recipient... and in the sub dropdown list select is internal/external. In the select recipient location popup select the option inside the organization and click on OK.

This completes the Transport Rule for NTA 7516. Please click on Save to finalize the setup.

Appendix Exclaimer & CodeTwo

Installatie instructies voor en demo omgevingen.

Introduction

O365 is able to direct traffic to certain recipients (recipient based routing), it does not however contain functionality for routing based on the sender (sender based routing). By using a redirect mail flow rule it is possible to do a form of sender based routing that is sufficient for directing traffic to SecuMailer without violating the Microsoft 365 way-of-working. The high level approach is that any mailbox that needs to be integrated with SecuMailer is placed in a specific Distribution Group. Next to that a new mail contact is created that uses a non-existent email address / domain (to prevent any undesirable external routing). A new mail rule is created that redirects email from members of the Distribution Group to the Contact with the non-existent email address. This Contact is associated with a Send Connector which in turn forwards all email to the SecuMailer Mail Relay (and thereby into the SecuMailer system).

Microsoft 365 Admin center

Please log in to your Microsoft 365 Admin Center(via https://portal.office.com).

Select Admin Centers → Exchange.

You will see the Exchange Admin Center as shown above.

Configure Connector

Please click on mail flow, followed by connectors. In the connector view click on the +New Connector link to open the New Connector popup (see below). In the corporate Microsoft 365 versions you need to select the send connector.

In the Connection from list select Microsoft 365, after selection select in the Connection to list select for Partner organization. Click Next.

Next step is to give the connector a name. You may choose anything you like, if you can’t think of anything then put in SecuMailer. You can add a description if you wish in the Description field, it is not mandatory. You can keep the checkbox at What do you want to do after connector is saved? selected. Click on Next to go the step.

The next steps determines when you want to use the connector. Please select the first radio button Only when I have a transport rule set up that redirects messages to this connector and click on Next.

The next step determines where you want to deliver email that is associated with this transport rule. Please select the second radio button Route email through these smart hosts and click on the + symbol. In the new popup fill in mail-relay.secumail.cloud and click on Save.

The Add a connector popup should show mail-relay.secumail.cloud as new smart host. Click Next to go to the next step.

In this step you need to configure the secure connection with the SecuMailer mail relay. Please make sure that the first checkbox is on, it's named Always use Transport Layer Security (TLS) to secure the connection (recommended). Select the radio button Issued by a trusted certificate authority (CA). Please activate the checkbox And the subject name or subject alternative name (SAN) matches this domain name: and fill in mail-relay.secumail.cloud (see below). Click on Next.

You are now at the final step of the Transport Rule flow. The connector needs to be validated through a remote e-mail domain. This cannot be the domains used within the Microsoft 365 tenant, Fill in an e-mail address (likely Gmail or another address) and click on Validate .

You should see a summary of the Transport Rule settings you applied in the previous steps.

Verify your settings and click on Create connector. Herby the connector is created.

Configure Distribution Group

In Exchange Admin select recipients in the main menu and subsequently select groups from the context menu.

Click on add a group. You should get a choice for the type of the newly to created group, choose for mail-enabled security. Click Next.

Please fill in Name

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer AVG.

The description is not mandatory, Click Next.

You should add a owner to this new group, like an Administrator or Manager. Click Next.

Add users to this new group or add them later to this new group, Click Next.

Please fill in Email address

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use secumailer_avg.

Click Next.

You should see a summary of the settings you applied in the previous steps.

Verify your settings and click on Create group. Hereby the Secumailer AVG group is created, Click on close.

Add members to Distribution Group

To add members to the specific group that you wish to connect with the specific SecuMailer function, head back to recipients in the main menu and subsequently select groups from the context menu. Under the specific tab mail-enabled security. click on the specific group you want to add members

Click on Members followed by View all and manage members.

When click on + Add Members. you can add other users to this specific group.

Create mail flow rules

In this section you will create two mail flow rules:

1) that will direct your mail traffic towards the SecuMailer platform.

2) that will direct out of office e-mails though public internet.

Mail Flow Rule Redirection to SecuMailer

In this section you will create the mail flow rule that will direct your mail traffic towards the SecuMailer platform.

In the Exchange Admin please go to mail flow and then rules. Please create the mail flow rule by clicking on the + symbol and select create a new rule from the drop down menu. You should now see the pop-up named new rule.

Please carry out the following steps. Please fill in Name If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “Redirect to SecuMailer AVG”.

At drop down list Apply this rule if… please select The sender is a member of… and select and add the distribution group you created in section Configure Distribution Group and click on the OK button. At drop down list Do the following… please select Modify the message properties..., then select Set a message header and set the message header to X-Secumail-Id and the value to the value that was supplied to you by SecuMailer. Click on the button Add action to add another action to the mail flow rule. At drop down list Do the following… please select Redirect the message to… and select option the following connector, this will start a popup where you can select the SecuMailer connector you configured in section Configure Connector.

Select connector At Except if … click on the button add exception. If you don’t see this option please scroll down until you see the link More options… and click on the link, this should give you the possibility of adding an exception. In the drop down list select The recipient… and select internal/external. In the popup window select internal and click on OK.

Please click on Next to set the additional settings

The default settings doesn’t need to be changed, so click on Next.

Click on Finish to save this Rule.

Mail Flow Rule Out Of Office Message

In this section you will create the mail flow rule that will route your out-of-office e-mail towards the public internet. This is needed since the sender is out of office and cannot respond to notifications in case a recipient cannot be reached securely. These message typically don't contain personal information and can be send without securing the message.

Please do check with you Security Officer before applying this rule.

In the Exchange Admin please go to mail flow and then rules. Please create the mail flow rule by clicking on the + symbol and select create a new rule from the drop down menu. You should now see the pop-up named new rule.

Please carry out the following steps. Please fill in Name If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “Out Of Office Exception SecuMailer”.

At drop down list Apply this rule if… please select The Message properties and select include the message type Automatic reply and click on the Save button. At drop down list Do the following… please select Modify the message properties..., then select Set a message header and set the message header to X-SecuMailer-OOO and the value totrue.

At Except if select The recipient and is external/internal. In the pop-up select Inside the organization.

Click on the Next button.

In the follewing screen check the option Stop processing more rules

Click next to complete the configuration.

Click on Finish to save this Rule.

Disabling Rich Text Format

Microsoft uses an outdated format for emails called “Rich Text Format” (or RTF in short). The RTF format is only supported by Outlook and can’t be read on the standard mail clients of Apple devices or Android devices. Microsoft advises to disable Rich Text Format to avoid inadvertently sending mails in this format.

To disable RTF please go to mail flow section in Exchange Admin and select remote domains. Select the name Default. Click on Edit text and character set.

Change the setting from Follow user settings to Never

The integration is now completed. Please send a couple of test emails from the address you connected with SecuMailer and verify they arrive correctly at an email address you have access to.

NTA 7516

The NTA 7516 functionality requires two additional changes to your Exchange configuration:

• Creation of a separate Distribution Group

• Creation of a mail flow rule

In Exchange Admin select recipients in the main menu and subsequently select groups from the context menu.

Choose Mail-enabled security

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer NTA Group.

The description is not mandatory, Click Next.

Assign members and click Next.

Please fill in Alias

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer_NTA.

Please fill in Email address

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use secumailer_nta.

Click Next.

You should see a summary of the settings you applied in the previous steps.

Verify your settings and click on Create group. Hereby the Secumailer NTA group is created, Click on close.

NTA 7516 Mail Flow Rule - 1

In EAC select mail flow in the main menu and subsequently select rules from the context menu. Click on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule (see below).

Please fill in Name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer NTA7516 Rule - 1”.

Please carry out the following steps:

• In the next dropdown list named Do the following select the option Modify the message properties and select Set a message header. In the text to the right of the option click on the first Enter text... link and in the message header popup fill in: X-SecuMailer-NTA7516 and click on OK. Click on the second Enter text... link and in the message value popup fill in: true and click on OK.

This completes the Transport Rule 1 for NTA 7516. Please click on Save to finalize the setup.

NTA 7516 Mail Flow Rule - 2

In EAC select mail flow in the main menu and subsequently select rules from the context menu. Click on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule (see below).

Please fill in Name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer NTA7516 Rule - 2”.

Please carry out the following steps:

• At drop down list Do the following… please select Modify the message properties..., then select Set a message header and set the message header to X-Secumail-Id and the value to the value that was supplied to you by SecuMailer.

• Click on the button Add action to add another action to the mail flow rule

• At Except if … click on the button add exception. If you don’t see this option please scroll down until you see the link More options… and click on the link, this should give you the possibility of adding an exception. In the drop down list select The recipient… and select internal/external. In the popup window select internal and click on OK.

This completes the Transport Rule 2 for NTA 7516. Please click on Save to finalize the setup.

Rule Order

For the rules to work correctly the following order must be maintained:

1. Out Of Office Exception SecuMailer

2. SecuMailer NTA 7516 Mailflow Rule - 1

3. SecuMailer NTA 7516 Mailflow Rule - 2

4. SecuMailer AVG mailflow Rule

WARNING: The SecuMailer NTA7516 rules have to have a higher priority then the regular Secumailer AVG mailflow rule, so that the highest security set is always used if the case a user is a member of both AVG and SecuMailer NTA7516 groups.

This completes the Transport Rules for NTA 7516. Please click on Save to finalize the setup.

Appendix Exclaimer & CodeTwo

The documentation for the SecuMailer Public REST API can be found here: https://developer.secumail.nl

The API key provided by SecuMailer needs to be used in header x-api-key

The SecuMailer SMTP API is available at mail-relay.secumail.cloud. Connections are available on port 25 and port 587.

The SMTP API uses SASL for authentication. SecuMailer will provide you with an username and password for the connection.

Example

The following example shows how a connection can be made using PHPMailer, a popular mailer package for PHP.

$mail = new PHPMailer(true);

try {
    //Server settings
    $mail->isSMTP();                                    // Send using SMTP
    $mail->Host       = 'mail-relay.secumail.cloud';    // Set the SMTP server to send through
    $mail->SMTPAuth   = true;                           // Enable SMTP authentication
    $mail->Username   = 'user@example.com';             // SMTP username
    $mail->Password   = 'secret';                       // SMTP password
    $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS; // Enable TLS encryption
    $mail->Port       = 587;                            // TCP port to connect to

    //Recipients
    $mail->setFrom('from@example.com', 'Mailer');
    $mail->addAddress('joe@example.net', 'Joe User');    // Add a recipient

    // Content
    $mail->isHTML(true);                                 // Set email format to HTML
    $mail->Subject = 'Here is the subject';
    $mail->Body    = 'This is the HTML message body <b>in bold!</b>';
    $mail->AltBody = 'This is the body in plain text for non-HTML mail clients';

    $mail->send();
    echo 'Message has been sent';
} catch (Exception $e) {
    echo "Message could not be sent. Mailer Error: {$mail->ErrorInfo}";
}

Introduction

SecuMailer is the new method for secure mail in your organisation. Using SecuMailer for all your emails guarantees the use of encrypted connections. This provides you with the easiest method to send emails with personal data. The privacy for you and your customers is safeguarded.

Portal

When an email can’t be directly delivered by a secure connection, your organisation has chosen to send the recipient a message with a link to get the e-mail via a portal. This message is secured with a one time password (OTP) code via SMS.

The recipient can use the link and will be directed to your organisation's website. At the website the recipient can securely download the original message (with attachments if there are any). To open the message the recipient needs to use the OTP code that will be provided by SMS.

Process

The usage of the portal is fully automatic and generally does not require any action from the sender unless a recipient doesn't have a registered phone number. The process looks as follows:

1. The sender sends an email

2. The recipient uses an insecure mail server, therefore the email can't be delivered

3. If there's no mobile phone number registered for the recipient a message will be sent to the sender to register a mobile phone number for the recipient

4. If there's a mobile phone number available for the recipient an email will be sent to the recipient with an invitation to retrieve the email from the sender organisation's website

5. At the website the recipient needs to request a one-time password, this will be delivered to the mobile phone of the recipient

6. The recipient enters the code and gains access to the email. The email can be downloaded to the mail client of the recipient and can be opened and used for responding

The first two steps do not require any specific action other than sending an email.

Provide phone number

If there is no registration of a mobile phone number for the recipient the SecuMailer platform will send a registration request to the sender. This request will be in the form of an email (example below).

Please click on the link in the email, this should bring you to your own organisation's website. On the website you will find a section resembling the screenshot below where you can provide the phone number of the recipient.

After you have entered the phone number please click on the 'Submit' button, if everything went well you will see a 'Stored' notification with the confirmation that the phone number was stored successfully.

You can close the website after this step, no further action is needed from you. The next time you're communicating with the same recipient you will not be asked for the phone number anymore and communication will appear as seamless as a regular email.

In case you're wondering what the recipient's experience looks like please read on.

Recipient experience

The recipient will receive an email notification with an invitation to retrieve the email from your organisation's website. This email contains a link to your website, following this link will show the message below to the recipient.

The recipient will have to click on the 'Request pin code' button to receive the one-time password. After clicking on the button the pin code will arrive shortly, depending on the mobile provider of the recipient. The recipient will input the pin code and click on the 'Submit' button (see below).

If the pin code is correct the message will be shown to the recipient.

The secure email delivery has an option to download the email to the recipients mail client via the 'Download' button. By downloading the email the recipient can open it in their mail client of choice and respond to the email in the regular way. The reponse back to the sender will be secure.

De @ikmailveilig.nl demo omgeving gebruikt auto configuratie om e-mail accounts automatisch te configureren voor alle gangbare e-mail toepassingen. Dit houdt in dat in vrijwel alle e-mail toepassingen uitsluitend het e-mail adres van @ikmailveilig.nl en het bijbehorende wachtwoord ingevoerd hoeft te worden en de e-mail toepassing zorgt samen met de mail server van @ikmailveilig.nl voor de juiste configuratie.

Outlook installatie

Het installatieproces begint met het toevoegen van een nieuw e-mail account. Dit kunt u starten via de menu optie Bestand. U kunt bij Accountgegevens vervolgens op de knop Accountinstellingen klikken (zie hieronder).

U krijgt een drop down menu met de volgende mogelijkheden:

Selecteer de optie "Profielen beheren" (zoals in het voorbeeld hierboven). U krijgt nu de window E-mail configuratie te zien. Selecteer hier de bovenste optie met de knop E-mailaccounts.

U krijgt vervolgens het scherm Accountinstellingen te zien. Klik hier op de knop Nieuw (zoals hieronder getoond).

U krijgt nu het scherm Account toevoegen, hier kunt u het @ikmailmetzorg.nl account dat u van ons ontvangen hebt instellen.

Vul bij Uw naam: uw volledige naam in. Vul bij E-mailadres: het e-mail adres in dat u van ons ontvangen hebt. Vul bij Wachtwoord: het wachtwoord in dat u van ons ontvangen heeft en herhaal dit bij het tweede wachtwoord veld.

Als alle velden zijn ingevuld kunt u op de knop Volgende > klikken en gaat uw e-mail account geconfigureerd worden.

Als alle stappen goed doorlopen zijn zult u de mededeling Procedure voltooid boven aan het scherm zien. U kunt het scherm afsluiten met Voltooien. Alle andere openstaande schermen kunt u nu sluiten. Uw e-mail adres is ingesteld en u kunt direct beginnen met e-mailen.

Krijgt u een foutmelding? Loop dan alle gegevens goed door om te verifiëren dat de correcte waarden zijn ingevoerd.

Klopt het nog steeds niet? Neem dan contact op met SecuMailer en we helpen u graag verder.

De @ikmailmetzorg.nl demo omgeving gebruikt auto configuratie om e-mail accounts automatisch te configureren voor alle gangbare e-mail toepassingen. Dit houdt in dat in vrijwel alle e-mail toepassingen uitsluitend het e-mail adres van @ikmailmetzorg.nl en het bijbehorende wachtwoord ingevoerd hoeft te worden en de e-mail toepassing zorgt samen met de mail server van @ikmailmetzorg.nl voor de juiste configuratie.

Outlook installatie

Het installatieproces begint met het toevoegen van een nieuw e-mail account. Dit kunt u starten via de menu optie Bestand. U kunt bij Accountgegevens vervolgens op de knop Accountinstellingen klikken (zie hieronder).

U krijgt een drop down menu met de volgende mogelijkheden:

Selecteer de optie "Profielen beheren" (zoals in het voorbeeld hierboven). U krijgt nu de window E-mail configuratie te zien. Selecteer hier de bovenste optie met de knop E-mailaccounts.

U krijgt vervolgens het scherm Accountinstellingen te zien. Klik hier op de knop Nieuw (zoals hieronder getoond).

U krijgt nu het scherm Account toevoegen, hier kunt u het @ikmailmetzorg.nl account dat u van ons ontvangen hebt instellen.

Vul bij Uw naam: uw volledige naam in. Vul bij E-mailadres: het e-mail adres in dat u van ons ontvangen hebt. Vul bij Wachtwoord: het wachtwoord in dat u van ons ontvangen heeft en herhaal dit bij het tweede wachtwoord veld.

Als alle velden zijn ingevuld kunt u op de knop Volgende > klikken en gaat uw e-mail account geconfigureerd worden.

Als alle stappen goed doorlopen zijn zult u de mededeling Procedure voltooid boven aan het scherm zien. U kunt het scherm afsluiten met Voltooien. Alle andere openstaande schermen kunt u nu sluiten. Uw e-mail adres is ingesteld en u kunt direct beginnen met e-mailen.

Krijgt u een foutmelding? Loop dan alle gegevens goed door om te verifiëren dat de correcte waarden zijn ingevoerd.

Klopt het nog steeds niet? Neem dan contact op met SecuMailer en we helpen u graag verder.

De @ikmailvertrouwd.nl demo omgeving gebruikt auto configuratie om e-mail accounts automatisch te configureren voor alle gangbare e-mail toepassingen. Dit houdt in dat in vrijwel alle e-mail toepassingen uitsluitend het e-mail adres van @ikmailvertrouwd.nl en het bijbehorende wachtwoord ingevoerd hoeft te worden en de e-mail toepassing zorgt samen met de mail server van @ikmailvertrouwd.nl voor de juiste configuratie.

Outlook installatie

Het installatieproces begint met het toevoegen van een nieuw e-mail account. Dit kunt u starten via de menu optie Bestand. U kunt bij Accountgegevens vervolgens op de knop Accountinstellingen klikken (zie hieronder).

U krijgt een drop down menu met de volgende mogelijkheden:

Selecteer de optie "Profielen beheren" (zoals in het voorbeeld hierboven). U krijgt nu de window E-mail configuratie te zien. Selecteer hier de bovenste optie met de knop E-mailaccounts.

U krijgt vervolgens het scherm Accountinstellingen te zien. Klik hier op de knop Nieuw (zoals hieronder getoond).

U krijgt nu het scherm Account toevoegen, hier kunt u het @ikmailvertrouwd.nl account dat u van ons ontvangen hebt instellen.

Vul bij Uw naam: uw volledige naam in. Vul bij E-mailadres: het e-mail adres in dat u van ons ontvangen hebt. Vul bij Wachtwoord: het wachtwoord in dat u van ons ontvangen heeft en herhaal dit bij het tweede wachtwoord veld.

Als alle velden zijn ingevuld kunt u op de knop Volgende > klikken en gaat uw e-mail account geconfigureerd worden.

Als alle stappen goed doorlopen zijn zult u de mededeling Procedure voltooid boven aan het scherm zien. U kunt het scherm afsluiten met Voltooien. Alle andere openstaande schermen kunt u nu sluiten. Uw e-mail adres is ingesteld en u kunt direct beginnen met e-mailen.

Krijgt u een foutmelding? Loop dan alle gegevens goed door om te verifiëren dat de correcte waarden zijn ingevoerd.

Klopt het nog steeds niet? Neem dan contact op met SecuMailer en we helpen u graag verder.