Getting Proofpoint to work with non-Microsoft platforms

Created by Yves Lacombe, Modified on Mon, 9 Mar, 2020 at 3:04 PM by Yves Lacombe

One of the biggest challenges customers face is that Proofpoint Essentials was (as far as we know) designed primarily to work with on-premise Exchange and Microsoft Office 365.  It works fine with other platforms, but certain components (Archiving and Encryption in particular) can be a challenge to get working, depending on the limitations of the primary MTA platform.


For Archiving, the platform must support a "journaling" mailbox: a mailbox that receives a copy of every email coming into or going out of the mail server.  Most platforms do support this.


The problem is getting these journaled messages to Proofpoint.  You can use the IMAP connection sync with Proofpoint, but in many cases this isn't an option.  The issue is that Proofpoint requires that emails going to the archivers be sent directly to them.  If you're using Proofpoint as your smarthost and are running, say, Lotus Domino, you can only have one smarthost.  You can't create an exception route such as "send all outgoing email through the smarthost EXCEPT mail going to us.earchive.cloud".  Most MTAs simply don't support that kind of conditional mail routing.


Examples of mail platforms with this limitation:

hMailServer, SmarterMail, MailEnable, IceWarp, IMail, Zimbra, etc

So how do you get these servers to play nice with Proofpoint's archiving stack?

 

If you put a modusGate server in the middle of the outbound mail flow, you can.  Clients can use our modusGates (we run our own redundant cluster for special cases like this), although we prefer that they deploy a copy of modusGate on-prem, on a VM or an available server at the client's end.



Process:


Whether you deploy modusGate on-prem or use our own modusGate servers here at Vircom, this is the process to get things rolling:


  • On the Proofpoint side, under SENDING SERVERS, add the IP address of the modusGate box as a server that is allowed to relay mail.

  • Add the modusGate IP to your SPF record (if using Vircom's own servers: include:_spf.modusstuff.com).

  • In modusGate, add the IP(s) of your primary MTA(s) under SECURITY > Mail Relay > Accept mail for relay from these hosts (to allow relay).

  • In modusGate, add the IP(s) of your primary MTA(s) under SECURITY > Trusted Addresses > SMTP Trusted Address (this turns off IP reputation checking for those IPs).

  • In modusGate, under RULES, create a new rule BEFORE ALL SCANNING that looks like this:


# Only mail submitted by your primary MTA(s) ...
if envelope :contains "origin-ip" ["x.x.x.x","y.y.y.y","z.z.z.z"] {
    # ... that is not destined for the archive ...
    if not envelope :contains "to" "@us.earchive.cloud" {
        # ... and was sent by one of your local domains goes out through the Proofpoint smarthost
        if header :contains "from" ["@mylocaldomain.com","@mylocaldomain2.com"] {
            x_mailroute "outbound-us1.ppe-hosted.com:25:10";
            stop;
        }
    }
}


Note that in this example, if the email IS going to an address @us.earchive.cloud, it simply follows normal MX resolution.  So emails destined for the archiving server do not use the Proofpoint smarthost, which is what we want.  Keep in mind that :contains is a substring test: a recipient at any domain that merely contains "@us.earchive.cloud" (for example us.earchive.cloud.example) would also skip the smarthost, and with it Proofpoint's outbound filtering; if that matters to you, test for an exact match on the recipient domain instead.

 

If the email is a forwarded email, a calendar invite, or anything else where the From is not mylocaldomain.com or mylocaldomain2.com, it also follows normal MX resolution.  This solves the problems with anything forwarded by the MTA where both the FROM and the TO are external.
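To make the three conditions of the rule concrete, here is a small Python model of it; this is an added example, not modusGate code or anything from the original article.  The MTA IPs and domains are placeholders assumed for the example, and the From test is modelled as an exact domain comparison.  It also shows the difference between the rule's :contains substring test and an exact match on the recipient domain, using a constructed look-alike recipient.

```python
# Added example, not modusGate code: a Python model of the outbound routing
# rule above, showing which messages take the Proofpoint smarthost and which
# fall through to normal MX delivery. The MTA IPs and domains below are
# placeholders assumed for the example.
from dataclasses import dataclass
from typing import Callable, List

PRIMARY_MTA_IPS = {"192.0.2.10", "192.0.2.11"}          # your primary MTA(s); assumed
LOCAL_DOMAINS = {"mylocaldomain.com", "mylocaldomain2.com"}
ARCHIVE_DOMAIN = "us.earchive.cloud"
SMARTHOST = "outbound-us1.ppe-hosted.com:25:10"          # the x_mailroute target in the rule
MX = "MX"                                                 # normal MX resolution (rule did not match)


@dataclass
class Message:
    origin_ip: str         # envelope "origin-ip": the host that submitted the message
    rcpt_to: List[str]     # envelope recipients
    header_from: str       # RFC 5322 From header value


def domain_of(addr: str) -> str:
    """Domain part of an address such as 'Bob <bob@example.net>', lower-cased."""
    return addr.strip().rstrip(">").rpartition("@")[2].lower()


def rcpt_is_archive_contains(rcpt: str) -> bool:
    """Substring test, which is what  envelope :contains "to" "@us.earchive.cloud"  does."""
    return "@" + ARCHIVE_DOMAIN in rcpt.lower()


def rcpt_is_archive_exact(rcpt: str) -> bool:
    """Exact-domain test: only addresses whose domain IS us.earchive.cloud."""
    return domain_of(rcpt) == ARCHIVE_DOMAIN


def route(msg: Message, is_archive: Callable[[str], bool] = rcpt_is_archive_exact) -> str:
    """Apply the rule's three conditions in order and return the route chosen."""
    # 1. Only mail submitted by one of our primary MTAs is considered.
    if msg.origin_ip not in PRIMARY_MTA_IPS:
        return MX
    # 2. Mail for the archive must reach it directly, so it bypasses the smarthost.
    if any(is_archive(r) for r in msg.rcpt_to):
        return MX
    # 3. Only mail sent by one of our local domains goes out through Proofpoint;
    #    forwarded mail / invites with an external From follows MX resolution.
    if domain_of(msg.header_from) not in LOCAL_DOMAINS:
        return MX
    return SMARTHOST


if __name__ == "__main__":
    # Constructed sample messages (not captured traffic).
    samples = {
        "user mail": Message("192.0.2.10", ["bob@example.net"], "Alice <alice@mylocaldomain.com>"),
        "journal copy": Message("192.0.2.10", ["journal@us.earchive.cloud"], "alice@mylocaldomain.com"),
        "forwarded": Message("192.0.2.10", ["bob@example.net"], "someone@external.example"),
        "not our MTA": Message("198.51.100.7", ["bob@example.net"], "alice@mylocaldomain.com"),
        "look-alike": Message("192.0.2.10", ["x@us.earchive.cloud.example"], "alice@mylocaldomain.com"),
    }
    for name, m in samples.items():
        print(f"{name:12} exact={route(m):35} contains={route(m, rcpt_is_archive_contains)}")
```

Run it and the first four samples give the same answer either way: user mail goes to the smarthost, the journal copy, the forwarded message and the message from an unknown host all follow MX.  Only the look-alike recipient differs: the substring test lets it skip Proofpoint, the exact test does not.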

 




What if my mail server doesn't support the concept of a journaling mailbox?


Again, modusGate to the rescue.


If your mail server doesn't support a journaling mailbox, you can use modusGate to capture all inbound and outbound mail flow.  Unfortunately, this will not capture email between users on the same MTA, but at least you'll capture the mail exchanged between your end users and the outside world.


In this case, modusGate must also sit between Proofpoint and your MTA for the inbound mail flow.


The mail flow would look like this:


inbound mail

{ internet } ---> { Proofpoint } ---> { modusGate } --> { your MTA }


outbound mail

{ your MTA } ---> { modusGate } ---> { Proofpoint } ---> { internet }



For the inbound mail scenario:


  • You obviously need a modusGate up and running (on-prem), or you can use ours here at Vircom (nospam.vircom.com).  A connection should be set up on the modusGate to route mail for your domains to your primary MTA.

  • The modusGate box has to be up, running and tested: telnet to port 25 of modusGate, send an email manually, and confirm it arrives in an inbox on your server.  modusGate also has to be reachable from the internet; ideally only Proofpoint's delivery IPs are allowed to connect to it on port 25, otherwise mail can reach your MTA without passing through Proofpoint at all.

  • On modusGate, under SECURITY -> Trusted Addresses -> SMTP Trusted Address, list the Proofpoint IP addresses.

  • Make sure your modusGate IP is in your SPF record (if using ours: include:_spf.modusstuff.com).

  • First get mail flowing through the gate: on Proofpoint, under DOMAINS > yourdomain.com > SMTP Destination, set the destination to the IP of your modusGate box.

  • After about 30 minutes, mail will be flowing through the gate as the interim step.

  • Create the inbound mail rule that captures the traffic going to your domains and copies it to your @us.earchive.cloud archive mailbox.  The rule must be "before all scanning".


if envelope :contains "local-status" ["inbound","incoming"] {
    # handed to us by Proofpoint: the Received trace names a ppe-hosted.com relay
    if header :contains "received" ".ppe-hosted.com" {
        if header :contains "to" ["yourdomain.com","yourdomain2.com"] {
            # send a copy to your archive mailbox, then keep processing the original
            redirect "your-archive-address@us.earchive.cloud";
            keep;
        }
    }
}


So in the rule above, if it's an incoming email with a ppe-hosted.com element in its Received header (i.e. it was handed to modusGate by Proofpoint), and it's addressed to your domains on your primary MTA, a copy of each incoming email is sent to your archiving address @us.earchive.cloud and processing continues with the local copy (which gets delivered to your primary MTA as if nothing special had happened).  Note that the To header does not list Cc or Bcc recipients; if you want every message addressed to one of your users captured, test the envelope recipient (envelope :contains "to" ...) as the outbound rule does, rather than the To header.


For the outbound mail scenario:


  • On the Proofpoint side, under SENDING SERVERS, add the IP address of the modusGate box as a server that is allowed to relay mail.

  • Add the modusGate IP to your SPF record (if using Vircom's own servers: include:_spf.modusstuff.com).

  • In modusGate, add the IP(s) of your primary MTA(s) under SECURITY > Mail Relay > Accept mail for relay from these hosts (to allow relay).

  • In modusGate, add the IP(s) of your primary MTA(s) under SECURITY > Trusted Addresses > SMTP Trusted Address (this turns off IP reputation checking for those IPs).

  • In modusGate, under RULES, create a new rule BEFORE ALL SCANNING that looks like this:


# Mail submitted by your primary MTA(s) and sent by one of your local domains:
if envelope :contains "origin-ip" ["x.x.x.x","y.y.y.y","z.z.z.z"] {
    if header :contains "from" ["@mylocaldomain.com","@mylocaldomain2.com"] {
        # copy to your archive mailbox first (normal MX resolution) ...
        redirect "your-archive-address@us.earchive.cloud";
        keep;
        # ... then route the original through the Proofpoint smarthost
        x_mailroute "outbound-us1.ppe-hosted.com:25:10";
        stop;
    }
}


Note that in this example, a copy of each email is sent to the archive first (following normal MX resolution), and the original is routed to Proofpoint outbound.  Other exceptions can be added to this rule.
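To see exactly what leaves modusGate for a given message under the two capture rules (inbound and outbound), here is a Python model of them; this is an added example, not modusGate code or anything from the original article.  The IPs, domains, archive mailbox and the sample Received line are placeholders constructed for the example.  Unlike the inbound rule above, which tests the To header, the model tests the envelope recipients so that Cc and Bcc recipients are captured as well.

```python
# Added example, not modusGate code: a Python model of the inbound and
# outbound capture rules, listing every delivery that leaves modusGate for
# a given message. IPs, domains and the archive mailbox are placeholders
# assumed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PRIMARY_MTA_IPS = {"192.0.2.10"}                               # your primary MTA(s); assumed
PRIMARY_MTA = "192.0.2.10:25"                                  # where modusGate's connection delivers your domains
LOCAL_DOMAINS = {"yourdomain.com", "yourdomain2.com"}
ARCHIVE_MAILBOX = "your-archive-address@us.earchive.cloud"     # placeholder for your archive mailbox
SMARTHOST = "outbound-us1.ppe-hosted.com:25:10"                # the x_mailroute target in the rule
MX = "MX"                                                      # normal MX resolution

Delivery = Tuple[str, str, str]                                # (which copy, recipient, route)


@dataclass
class Message:
    origin_ip: str                                             # envelope "origin-ip"
    local_status: str                                          # envelope "local-status", e.g. "inbound"
    rcpt_to: List[str]                                         # envelope recipients
    headers: Dict[str, str] = field(default_factory=dict)      # lower-cased header name -> value


def domain_of(addr: str) -> str:
    """Domain part of an address such as 'Alice <alice@yourdomain.com>', lower-cased."""
    return addr.strip().rstrip(">").rpartition("@")[2].lower()


def handed_over_by_proofpoint(msg: Message) -> bool:
    """True when a ppe-hosted.com relay appears in the Received trace."""
    return ".ppe-hosted.com" in msg.headers.get("received", "").lower()


def inbound(msg: Message) -> List[Delivery]:
    """Inbound capture rule: redirect a copy to the archive, keep the original."""
    deliveries: List[Delivery] = []
    for_us = any(domain_of(r) in LOCAL_DOMAINS for r in msg.rcpt_to)
    if msg.local_status in ("inbound", "incoming") and handed_over_by_proofpoint(msg) and for_us:
        deliveries.append(("archive-copy", ARCHIVE_MAILBOX, MX))        # redirect
    deliveries += [("original", r, PRIMARY_MTA) for r in msg.rcpt_to]   # keep -> your MTA
    return deliveries


def outbound(msg: Message) -> List[Delivery]:
    """Outbound capture rule: copy to the archive, then route the original via Proofpoint."""
    deliveries: List[Delivery] = []
    from_local = domain_of(msg.headers.get("from", "")) in LOCAL_DOMAINS
    if msg.origin_ip in PRIMARY_MTA_IPS and from_local:
        deliveries.append(("archive-copy", ARCHIVE_MAILBOX, MX))        # redirect
        route = SMARTHOST                                                # x_mailroute; stop
    else:
        route = MX                                                       # rule did not match
    deliveries += [("original", r, route) for r in msg.rcpt_to]         # keep
    return deliveries


if __name__ == "__main__":
    # Constructed samples; the Received lines are made up for the example.
    via_pp = Message("203.0.113.5", "inbound", ["alice@yourdomain.com"],
                     {"received": "from relay-us1.ppe-hosted.com (203.0.113.5) by gate.yourdomain.com",
                      "from": "partner@example.net"})
    direct = Message("198.51.100.7", "inbound", ["alice@yourdomain.com"],
                     {"received": "from mail.example.org (198.51.100.7) by gate.yourdomain.com"})
    reply = Message("192.0.2.10", "outbound", ["partner@example.net"],
                    {"from": "Alice <alice@yourdomain.com>"})
    forwarded = Message("192.0.2.10", "outbound", ["partner@example.net"],
                        {"from": "someone@external.example"})
    for name, result in [("via Proofpoint", inbound(via_pp)), ("direct to gate", inbound(direct)),
                         ("user reply", outbound(reply)), ("forwarded", outbound(forwarded))]:
        print(f"{name:15} {result}")
```

The "direct to gate" sample is the case to watch: a message that reaches modusGate without going through Proofpoint is delivered to your MTA but never archived, which is why inbound port 25 on modusGate should only be open to Proofpoint's delivery IPs.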


CONCLUSION

Whatever scenario you may have, we can probably make it work.  Even with Exchange and Office 365, modusGate can come in handy: old hardware that doesn't support the latest ciphers, such as ancient printers that won't relay through Proofpoint either, can relay through modusGate instead.  We'll always be happy to assist and figure out a workaround of some sort.