Gateway

SMTP TLS Settings

It's important to set SMTP TLS in order to transmit e-mail messages between your Hermes SEG machine and other e-mail servers with TLS encryption.

By default, SMTP TLS support in Hermes SEG is disabled. In this section you can enable Hermes SEG TLS support as well as associate the SSL certificate you previously imported or requested.

Hermes SEG supports two SMTP TLS methods:

Opportunistic TLS

In this mode, any time a remote SMTP server makes a connection, Hermes SEG announces that it supports STARTTLS, but it does not require TLS encryption. This is the recommended mode if you need TLS encryption.

Mandatory TLS

In this mode, any time a remote SMTP server makes a connection, Hermes SEG announces STARTTLS and it will NOT accept email without TLS encryption. This mode should NEVER be used on a public Internet-facing Hermes SEG.

Before you can set SMTP TLS, you must first have either imported or requested an SSL Certificate in the System --> System Certificates section for the Hostname and Primary Domain Name you set in System --> Network Settings.

Figure 1

image-1642971499398.png

Figure 2

image-1642971616360.png

Verify TLS Encryption and Certificate

The easiest way to verify that your Hermes SEG TLS encryption is working correctly, and to verify the certificates you installed, is to go to https://www.checktls.com/TestReceiver and run the TestReceiver test.

TLS Encryption Policies 

Hermes SEG allows you to create a policy to force TLS encryption when sending/receiving email from specific remote domains. TLS encryption along with S/MIME, PDF or PGP encryption will allow for the absolute best security.

1872E41D60: to=<someone@domain.tld>, relay=server.remotedomain.tld[75.xxx.xxx.xxx]:25, delay=0.52, delays=0.05/0/0.17/0.29, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 46C274158E)
Host offered STARTTLS: [server.remotedomain.tld]
  • If you find Host offered STARTTLS for the hostname you searched in the logs, then it's pretty safe to assume that the remote SMTP server supports TLS encryption and you can proceed with adding the remote domain.
  • Click the Add Domain button and in the resultant window, enter the remote domain in the Domain field (if you add a "." in front of the domain, it will encompass the primary domain and any subdomains. Example: .remote.domain.tld), enter a note for your own use in the Note field and click the Submit button (Figure 3):

Figure 3

image-1643043011869.png
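
The log check described above can be scripted. The following is an added example, not part of Hermes SEG: it reads log lines in the two formats shown above and reports, for a policy domain entry, whether every relay host used for that domain offered STARTTLS. The sample log is constructed, and the exact-match behaviour of an entry without a leading "." is an assumption.

```python
import re

# Delivery line: recipient domain and the relay host that took the message.
DELIVERY_RE = re.compile(r"to=<[^>@]+@([^>]+)>.*?relay=([^\[\s,]+)\[")
# Line written when the remote server advertised STARTTLS.
OFFER_RE = re.compile(r"Host offered STARTTLS: \[([^\]]+)\]")

# Constructed sample log in the two line formats shown above (not real traffic).
SAMPLE_LOG = """\
Host offered STARTTLS: [server.remotedomain.tld]
1872E41D60: to=<someone@remotedomain.tld>, relay=server.remotedomain.tld[192.0.2.10]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 46C274158E)
2A91C7F0B3: to=<billing@eu.remotedomain.tld>, relay=mx2.remotedomain.tld[192.0.2.11]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9D10C3E211)
3B02D8A1C4: to=<user@other.tld>, relay=mail.other.tld[198.51.100.7]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 11AA22BB33)
Host offered STARTTLS: [mail.other.tld]
4C13E9B2D5: to=<x@remotedomain.tld>, relay=none, dsn=4.4.1, status=deferred (connection timed out)
"""


def domain_matches(entry, domain):
    """Match a recipient domain against a policy entry.

    A leading "." covers the domain and any subdomains, as described above.
    Assumption: an entry without the dot matches that exact domain only.
    """
    entry, domain = entry.lower(), domain.lower()
    if entry.startswith("."):
        base = entry[1:]
        return domain == base or domain.endswith("." + base)
    return domain == entry


def starttls_report(log_text, entry):
    """Map each relay host used for the entry's domain(s) to True/False:
    was a 'Host offered STARTTLS' line logged for that host?"""
    relays, offered = set(), set()
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            offered.add(m.group(1).lower())
            continue
        m = DELIVERY_RE.search(line)  # lines with relay=none do not match
        if m and domain_matches(entry, m.group(1)):
            relays.add(m.group(2).lower())
    return {host: host in offered for host in sorted(relays)}


def safe_to_enforce(report):
    """True only when deliveries were seen and every relay offered STARTTLS."""
    return bool(report) and all(report.values())


if __name__ == "__main__":
    for entry in (".remotedomain.tld", "remotedomain.tld", "other.tld"):
        report = starttls_report(SAMPLE_LOG, entry)
        print(entry, report, "enforce TLS:", safe_to_enforce(report))
```

A domain served by several relay hosts should only be added when all of them show the STARTTLS offer; in the sample, the "." entry pulls in a subdomain whose relay never logged one.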

 

 

Relay Host

Normally, Hermes SEG delivers email directly to remote SMTP hosts over the Internet. Sometimes, this configuration may not work for certain scenarios. For example, your ISP may not allow outbound SMTP over port TCP/25.

In those scenarios it is necessary to configure a Relay Host, i.e., an external SMTP host that will receive emails from your Hermes SEG and relay them to their final destination.

Enable Relay Host

  1. Select the Relay Host Enabled option (Figure 1).

Figure 1

image-1606158917570.png

  2. Selecting the Relay Host Enabled option in Step 1 will enable the Relay Host Authentication Required and Relay Host Authentication NOT Required options below (Figure 2).

Figure 2

image-1606158927291.png

Relay Host Requires Authentication

  1. Select the Relay Host Authentication Required option (Figure 3).

Figure 3

image-1606158935426.png

  2. Selecting Relay Host Authentication Required in Step 1 will enable the Relay Host Username and the Relay Host Password fields below (Figure 4).

Figure 4

image-1606158945554.png

  3. Enter the relay host FQDN hostname or IP address in the Relay Host Host FQDN field.
  4. If the relay host requires a port other than 25, enter it in the Relay Host Port Number. Otherwise, leave it at default 25.
  5. Enter the relay host username in the Relay Host Username field and enter the password for that username in the Relay Host Password field and click on the Save Settings button (Figure 5).

Figure 5

image-1606158953618.png

  6. Click on the Apply Settings button on the bottom of the page for your changes to take effect (Figure 6).

Figure 6

image-1606158961802.png

 

Relay Host does NOT Require Authentication

  1. Select the Relay Host Authentication NOT Required option (Figure 7).

Figure 7

image-1606158969389.png

  2. Selecting Relay Host Authentication NOT Required in Step 1 will disable the Relay Host Username and the Relay Host Password fields below (Figure 8).

Figure 8

image-1606158977278.png

  3. Enter the relay host FQDN hostname or IP address in the Relay Host Host FQDN field.
  4. If the relay host requires a port other than 25, enter it in the Relay Host Port Number. Otherwise, leave it at default 25.
  5. Click on the Save Settings button (Figure 9).

Figure 9

image-1606158985527.png

  6. Click on the Apply Settings button on the bottom of the page for your changes to take effect (Figure 10).

Figure 10

image-1606158994398.png

Relay Domains

In order for Hermes SEG to deliver email, you must first set the domain(s) that Hermes SEG will process email for along with their corresponding email server(s). You can add as many domains and email servers as required. An email server can be configured as an IP address or a Host Name as long as the Hermes SEG can reach it over Port TCP/25. Multiple domains can be pointed to the same email server if necessary.

Add Relay Domain with IP Address Destination

  1. Under the Relay Domain Destination Type, select the IP Address Destination option.
  2. In the Relay Domain field enter the domain name and in the Dest IP fields, enter the email server's IP address and click the Add button (Figure 1).

Figure 1

image-1606159087277.png

  3. After adding a Relay Domain and IP Address Destination, the entry will show up below the Edit/Delete domains & Destinations section (Figure 2).

Figure 2

image-1606159096831.png

Add Relay Domain with Host Name Destination

  1. Under the Relay Domain Destination Type, select the Host Name Destination option.
  2. In the Relay Domain field enter the domain name, in the Dest Host Name field, enter the email server's Host Name part of the FQDN address (without the domain part), in the Dest Host Domain field, enter the email server's domain part of the FQDN address and then click the Add button (Figure 3).

Figure 3

image-1606159106034.png

  3. After adding a Relay Domain and Host Name Destination, the entry will show up below the Edit/Delete domains & Destinations section (Figure 4).

Figure 4

image-1606159116207.png

Edit Existing Relay Domain Mapping

  1. Click on the edit icon under the Edit column of the Domain you wish to edit.
  2. On the Edit Existing Relay Domain Mapping page, select either the IP Address Destination or the Host Name Destination option (Figure 5).

Figure 5

image-1606159130229.png

IP Address Destination

Selecting IP Address Destination will enable the IP Address Destination entry. Enter the IP Address of the destination email server under the Dest IP field and click the Edit button to save your changes (Figure 6). Note that the Relay Domain field is already pre-filled and cannot be changed.

Figure 6

image-1606159138595.png

Host Name Destination

Selecting Host name Destination will enable the Host Name Destination entry. Enter the host name (without the domain) of the destination email server under the Dest Host Name field, enter the domain of the destination email server under the Dest Host Domain field and click the Edit button to save your changes (Figure 7). Note that the Relay Domain field is already pre-filled and cannot be changed.

Figure 7

image-1606159147071.png

  3. When finished making your changes, click on the Back to Relay Domains button on the bottom of the page to return to the Relay Domains page (Figure 8).

Figure 8

image-1606159155109.png

Delete Existing Relay Domain Mapping

Note: Deleting existing Relay Domain mappings can only be accomplished if there are no existing Internal Recipients assigned to that domain. If there are existing Internal Recipients assigned to the domain, you will receive the following message under the Delete column of the Edit/Delete Domains & Destination section (Figure 9). In order to delete the domain, you must first navigate to Gateway --> Internal Recipients, delete all the Internal Recipients for that domain and then return to this section to delete the domain.

Figure 9

image-1606159162930.png

  1. Click on the icon under the Delete column of the Domain you wish to delete.
  2. On the confirmation page, click on the Yes button to proceed with deleting the domain. Clicking on the No button will take you back to the Relay Domains page (Figure 10).

Figure 10

image-1606159194706.png

Relay IPs & Networks

In this section, you can add which individual IPs or networks will be allowed to send (relay) email through Hermes SEG.

Best security practice is to never allow entire networks to send email through Hermes SEG and instead only allow specific IPs.
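
One way to review an existing permitted-relay list against this practice, as an added example that is not part of Hermes SEG: it flags network entries, entries outside internal address space, mistyped network addresses, and single IPs already covered by a broader network. The (address, mask, note) layout and the sample entries are assumptions constructed for illustration, IPv4 only.

```python
import ipaddress

# Internal (RFC 1918) ranges; anything outside them is treated as external here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allowlist. The (address, mask, note) layout is an assumption that
# mirrors the IP/Network, Network Mask and Note fields; mask None = single IP.
SAMPLE_ENTRIES = [
    ("10.1.5.20", None, "Exchange server"),
    ("10.1.5.0", "255.255.255.0", "Server VLAN"),
    ("203.0.113.0", "255.255.255.0", "Branch office"),
    ("10.2.0.9", "255.255.0.0", "Scanner"),
]


def audit_relay_entries(entries):
    """Return {entry in CIDR form: [findings]} for a permitted-relay list."""
    parsed = []
    for addr, mask, _note in entries:
        # strict=False accepts an address with host bits set and normalises it.
        net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
        parsed.append((net, str(net.network_address) != addr))

    report = {}
    for net, host_bits_set in parsed:
        findings = []
        if net.num_addresses > 1:
            findings.append(f"network entry: {net.num_addresses} addresses may relay")
        if host_bits_set:
            findings.append("address is not the network address for this mask")
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append("outside RFC 1918 internal ranges")
        # A single IP inside an allowed network adds nothing; the network governs.
        covering = [str(o) for o, _ in parsed if o != net and net.subnet_of(o)]
        if covering:
            findings.append("already covered by " + ", ".join(covering))
        report[str(net)] = findings
    return report


if __name__ == "__main__":
    for entry, findings in audit_relay_entries(SAMPLE_ENTRIES).items():
        print(entry, "->", "; ".join(findings) or "ok")
```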

Add Relay IP

  1. Under the Select the type of entry... section, select the IP Address option.
  2. Under the IP field, enter the IP Address that you want to allow.
  3. Under the Note field, enter a note identifying the IP address and click the Add button (Figure 1).

Figure 1

image-1606159291850.png

  4. Each IP address you add shows up in the Permitted Relay IPs/Network to be added section (Figure 2).

Figure 2

image-1606159299320.png

  5. Continue adding IP addresses as needed. When finished, click on the Apply Settings button on the bottom of the page (Figure 3).

Figure 3

image-1606159307790.png

Add Relay Network

  1. Under the Select the type of entry... section, select the Network option.
  2. Under the Network field, enter the Network Address that you want to allow.
  3. Under the Network Mask drop-down field, select the mask (subnet mask) of the network.
  4. Under the Note field, enter a note identifying the network address and click the Add button (Figure 4).

Figure 4

image-1606159316424.png

  5. Each network address you add shows up in the Permitted Relay IPs/Network to be added section (Figure 5).

Figure 5

image-1606159325025.png

  6. Continue adding Network addresses as needed. When finished, click on the Apply Settings button on the bottom of the page (Figure 6).

Figure 6

image-1606159332639.png

Delete Relay IPs/Networks

  1. Under the Delete Relay IPs/Networks section, select the entry you wish to delete and click the Delete button below (Figure 6). Note that only one entry can be selected to be deleted at a time.

Figure 6

image-1606159339930.png

  2. Each entry you select to be deleted shows up in the Permitted Relay IPs/Network to be deleted section (Figure 7).

Figure 7

image-1606159348670.png

  3. Continue selecting entries to be deleted as needed. When finished, click on the Apply Settings button on the bottom of the page (Figure 8).

Figure 8

image-1606159359121.png

 

Internal Recipients

Hermes SEG requires a listing of Internal Recipients in order to process incoming email and deliver it to the correct recipient mailboxes, which are located on the email server(s) previously specified in Gateway --> Relay Domains. The system will ONLY allow you to add recipients with domains that are specified in Gateway --> Relay Domains.

Manually Add Internal Recipients

This method will allow you to add Internal Recipients manually one by one. Hermes SEG also supports automatic import of recipients via AD (Active Directory), but that feature is only available with a Hermes SEG Pro License. If you have a SEG Pro License and you wish to utilize AD Recipient import, please see the Import Internal Recipients from Active Directory section below.

  1. Ensure the Manually Add option is selected.
  2. Under the Manually Add Internal Recipient section, enter a valid email address in the Internal Recipient E-mail Address field and click the Add button (Figure 1).

Figure 1

image-1609595461953.png

  3. Each Internal Recipient you add shows up in the Internal Recipients to be added section (Figure 2).

Figure 2

image-1609595484218.png

  4. Continue adding Internal Recipients as needed. When finished, click on the Apply Settings button on the bottom of the page (Figure 3).

Figure 3

image-1609595507621.png

  5. If you make a mistake, click on the Cancel All Add button to cancel (Figure 4).

Figure 4

image-1609595515746.png

Import Internal Recipients from Active Directory

This method will allow you to add Internal Recipients automatically via an AD (Active Directory) connection. Please note, this feature is ONLY available if you have a Hermes SEG Pro License.

In order to import Internal Recipients via AD (Active Directory), you must have previously created an AD connection under System --> AD Integration.

Note: The Import from Active Directory option becomes enabled only after an AD connection is created.

  1. Select the Import from Active Directory option under the Add Internal Recipients section.
  2. Selecting the Import from Active Directory option will automatically populate the Import Internal Recipients from Active Directory drop-down containing the Active Directory connection(s) you previously added (Figure 5).

Figure 5

image-1609595527445.png

  3. Ensure the correct connection is selected from the drop-down and click the Import button.
  4. The Internal Recipients to be added section will automatically be populated with SMTP address(es) from Active Directory (Figure 6).

Figure 6

image-1609595535970.png

  5. Click the Apply Settings button at the bottom of the page (Figure 7).

Figure 7

image-1609595545683.png

  6. If you make a mistake, click on the Cancel All Add button to cancel (Figure 8).

Figure 8

image-1609595555593.png

Filter Internal Recipients

Setting a filter will assist you in narrowing down specific recipients by email address or domain in order to manage them easily.

  1. In the Filter By field, enter a complete or partial email address or domain and click the Set Filter button. If any matches are found, the Existing Internal Recipients listing will be populated with only the entries matching the filter you set (Figure 9).

Figure 9

image-1609595563878.png

  2. You can clear a filter you set by clicking the Clear Filter button at any time (Figure 9).

Edit Internal Recipient Settings

When Internal Recipients are added, by default, they are not allowed to Train the Bayes Filter and they are not allowed to Download Messages from the User Self-Service Portal.

Training the Bayes Filter should ONLY be performed by individuals who have a firm grasp on the concepts of Spam, Ham, marketing email etc. Incorrectly training the Bayes Filter will have bad consequences on ALL of the users of your system. Thus, it's highly recommended not to allow individuals to train the Bayes Filter.

Note: Setting Recipient Can Train Bayes Filter from User Portal will have no effect unless the Bayes Database is set to Enabled under Content Checks --> Antispam Settings.

Additionally, allowing users to Download Messages from the User Self-Service Portal can expose those users to malware from infected messages. Thus, it's highly recommended not to allow individuals to download messages.

  1. Click on the icon under the Recipient Settings column of the Internal Recipient you wish to edit.
  2. In the Recipient Settings page, select the option(s) you want to enable for this recipient by selecting Yes on the corresponding option and click on the Save Settings button (Figure 10).

Figure 10

image-1609595602375.png

  3. Once finished, click on the Back to Recipients button on the bottom of the page (Figure 11).

Figure 11

image-1609595610645.png

 

Edit Internal Recipient Report Settings

Every night starting at 12:30 a.m., Hermes SEG sends Daily Quarantine Reports to all the Internal Recipients in the system. The Daily Quarantine Reports functionality is two-fold: it provides customized links to the User Self-Service Portal for the particular recipient, and if any messages that were destined for that recipient were quarantined, they are also included in the report. This default functionality can be changed by editing the Internal Recipient Report Settings.

  1. Click on the icon under the Report Settings column of the Internal Recipient you wish to edit.
  2. In the Quarantine Report Settings page, select the option(s) you want to enable for this recipient by selecting the corresponding option.

Enable Quarantine Reports Regardless if quarantined messages exist

This option is the default option the system sets when an Internal Recipient is added to the system. With this option set, Hermes SEG will send a quarantine report of the previous day's quarantined messages to the recipient. If there are no quarantined messages from the previous day, the report will be empty (Figure 12).

Figure 12

image-1609595642145.png

Enable Quarantine Reports Only if quarantined messages exist

By setting this option, Hermes SEG will send a quarantine report only if there are quarantined messages for that recipient. If there are no quarantined messages, Hermes SEG will not send a report. Setting this option will also enable you to set the Quarantine Report Frequency. The Quarantine Report Frequency can be set as follows (Figure 13):

Figure 13

image-1609595653496.png

The drawback of this option is users will not have links to the User Self-Service Portal unless there are quarantined messages for that particular recipient. If you set this option for any recipients, they should be advised to save any previous quarantine reports as a gateway to the User Self-Service Portal.

Disable Quarantine Reports

By setting the NO option, Hermes SEG will not send a quarantine report for that recipient regardless if quarantined messages exist or not. This option is not recommended unless you have a special need for a specific recipient (Figure 14).

Figure 14

image-1609595661385.png

  3. When finished setting the options needed, click on the Save Settings button (Figure 15).

Figure 15

image-1609595669285.png

  4. Click on the Back to Recipients button to return to the Internal Recipients page (Figure 16).

Figure 16

image-1609595677955.png

Delete Internal Recipients

Note: Deleting Internal Recipients is irreversible. Additionally, deleting an Internal Recipient will also delete any recipient certificates, any recipient block/allow entries and any virtual recipients assigned to that internal recipient.

  1. Click on the icon on the Delete column of the particular recipient you wish to delete.
  2. The Recipient email address will turn red under the Recipient column (Figure 17).

Figure 17

image-1609595703980.png

  3. Repeat for any additional recipients you wish to delete and then click on the Apply Settings button to delete the recipients from the system (Figure 18).

Figure 18

image-1609595712688.png

  4. If you make a mistake, click on the Cancel All Delete button to cancel (Figure 19).

Figure 19

image-1609595757638.png

Virtual Recipients

If you have an Internal Recipient joe@domain.tld but you also want the email address joe.smoe@domain.tld to deliver email to joe@domain.tld, you would set up a virtual address of joe.smoe@domain.tld to deliver to joe@domain.tld. Please note, Virtual Recipients are not limited to Internal Recipients. You can also create a Virtual Recipient to deliver email to an outside email address not handled by Hermes SEG. In the above example, we can easily set up joe.smoe@domain.tld to deliver to someone@gmail.com.

Any email destined for a virtual recipient is NOT checked by the spam filter.

Create Virtual Recipient(s)

Figure 1

image-1649069023132.png

Figure 2

image-1649070095512.png

 

Edit Virtual Recipient

Figure 3

image-1649070420418.png

On the Edit Virtual Recipient page, make the necessary changes and click the Submit button (Figure 4).

Figure 4

image-1649070665136.png

Delete Virtual Recipient(s)

Figure 5

image-1649070920070.png

On the Delete Recipient(s) confirmation page, click the Yes button to delete the recipient or No to cancel (Figure 6).

Figure 6

image-1649071064926.png