Mail Connector

Configuration of the UTM's mail connector

Last adaptation to the version: 12.6.0

New:

Updated to Redesign of the webinterface

notempty

This article refers to a Resellerpreview

12.5.1 12.2.4 11.7

Introduction

Schematic representation of how the Mail Connector functions

The Mail Connector offers the option of collecting emails from various mail servers via the POP3 and POP3S as well as IMAP and IMAPS protocols and forwarding them to an internal mail server. Forwarding to the internal mail server is done via the SMTP protocol.

If there are only mail clients in the internal network that have retrieved the external mail server so far, the Mail Connector cannot be used.

Setup to pick up individual accounts

If a separate email account is configured for each user on the external mail server, a separate Mail Connector service must be created for each account. If a service is created for each additional email account, the minute interval is set in the General ranch under Interval (minutes).
If the local user accounts are always the same SMTP mail server, this will already be displayed faintly in the field from the second service onwards. You can then save without another entry in this field.

Configurations

Services

To add a new Mail Connector service, click the Add Mail Connector service button under Applications Mail Connector Area Services.
Caption	Value	Description	Add Mail-Connector-Service UTMuser@firewall.name.fqdnApplicationsMail-Connector
Use OAuth 2:	No Default	When Yes is enabled, OAuth 2 is used. The OAuth 2 connection item appears.
OAuth 2 connection: Hidden by default		An existing OAuth 2 connection is selected. With + a new connection is created.
Server:		The external mail server from which the emails are fetched
Protocol:	POP3IMAP	Here the protocol used to connect to the external server is specified
User:		Username of the external mailbox. If Use OAuth 2 Yes is active, users can be selected from the OAuth source
Password: Hidden if Use OAuth 2 Yes is active.		Password of the external mailbox
Password: Hidden if Use OAuth 2 Yes is active.		The password is displayed
Maximum message size:	20 MB	Maximum message size for the Mail Connector
Multidrop:	Off	If Multidrop is deactivated, the emails of a mailbox are forwarded to an internal email address. To collect emails for multiple recipients, Multidrop must be enabled. When On is enabled, the ranch Multidrop options is enabled.
Keepmails	On	Usually emails are deleted after they have been picked up. Enabling of Keepmails prevents this deletion. When activated, external mailboxes can fill up! Keepmails should only be used temporarily for test purposes, or if it is otherwise ensured that the external mailbox does not reach its capacity limit.
Accept defective header:	Off	Emails with defective header are included in the Mail Connector
Check certificates notempty New as of: v12.5	On	When activated Ein, the SSL certificates are checked. notempty For new connections this is activated by default, for existing connections it is deactivated by default. notempty If the SSL certificate is rejected during the check because it is no longer valid or trustworthy, no connection is established.
Encryption:	AutoStartTLSSSL	Specifies the type of encryption
TLS version: Not when encyrption is: auto notempty New as of v12.5.1	TLS1.2 or higher (recommended)	The desired TLS version can be selected.
Destination email address: With multidrop deactivated		Specifies the destination mailbox If an SMTP route already exists for the mail domain in the mail relay, this is automatically suggested as the SMTP mail server
Destination domain: With activated multidrop		Specifies the destination domain
SMTP Mailserver:		Specifies the intern mail server to which accepted emails are to be forwarded If the mail domain has not yet been created in the mail relay, an SMTP route is automatically added there notempty Attention: If a suggested IP address is changed, the setting in the mail relay is overwritten with the new IP address after consultation!

Multidrop (Pickup from a collective account) Multidrop (Pickup from a collective account) If all emails should be stored on the external mail server in a collective mailbox and only assigned to the local user mailboxes when they are collected, these can be set up with the Multidrop option. To do this, activate the Multidrop option for a new service or for an existing one. The following settings are made in the Multidrop options ranch: The idea behind multidrop in the Mail Connector is to pick up mails from a CatchAll collective mailbox of an external provider and to deliver them to the individual mailboxes on the company's own mail server. The differentiation of the individual mailboxes via the Mail Connector is done via an envelope header entry in the emails of the collective mailbox. However, this can vary depending on the provider and the mail server used. notempty Make sure that if the Multidrop is used, the individual mailboxes must also be specified under "Remote User". Otherwise the mail connector cannot deliver the mails to the individual mail accounts.
Envelope-Header:	X-Original-To	The envelope header entry is selected. It determines which emails from the original recipient with this envelope header entry will be assigned to a local mail account on the internal mail server.
	X-Envelope-To
	Delivered-To
	Envelope-To
Remote email address:	user@mail.com	Email address of the original recipient
Local email address:	alice@tttpoint.de	Email address of the internal recipient
Click + to assign

OAuth 2 OAuth 2
In the OAuth 2 ranch, click the Add OAuth 2 connection button to create a new OAuth 2 connection. Depending on the provider selection Google Workspace, Microsoft 365 (Secret Client Key), or Microsoft 365 (Certificate) the configuration steps will change.
Google Workspace Google Workspace
Name:		Name of the OAuth 2 connection	Add OAuth 2 connection UTMuser@firewall.name.fqdnApplicationsMail-Connector
Provider:	Google Workspace	Provider selection
Service account:		The Google Workspace service account is entered
User account:	» ✕alice@ttt-point.de	The user accounts are selected
Certificate:	Google_Workspace-OAuth2_cert	The certificate that is uploaded in Azure is selected

Preliminary note Microsoft 365
In order to use Microsoft 365, configured Azure Apps are necessary.
Note This article includes descriptions of third-party software and is based on the status at the time this page was created. Changes to the user interface on the part of the manufacturer are possible at any time and must be taken into account accordingly in the implementation. All information without warranty. In order to use the Mail Connector with Microsoft 365, the following information is required: Application ID Client ID Secret client key This guide shows an example of the preparations and setting required in Microsoft Azure Launch Azure Active Directory admin center Note down/Copy Tenant ID from the Azure Active Directory menu Register new app under theApp registration menu under the New registration button Assign a unique name and click the register button In the API permissions menu, click the Add a permission button. Select permission for Office 365 Exchange Online in the APIs my organization uses tab Add IMAP.AccessAsApp permission for Office 365 Exchange Online In the menu API permissions activate the entry Grant admin consent for [...]. Create a Client secret in the Certificates & secrets menu Note down Value, will be entered as Secret Client Key when adding an OAuth 2 connection Open menu Enterprise Applications and select app Note down from the app properties Application ID and Object ID. Open Powershell on Windows Client Administrator, import ExchangeOnlineManagement and connect to tenant Select the recipient mailbox in the Exchange admin center and choose Read and manage (Full Access) as delegation. Add member for Mailbox Delegation This completes the configuration in Microsoft Azure. The further configuration is done in the UTM in the menu Applications Mail Connector Area Services Button Add Mail Connector Service anf in the tab OAuth2 with the Add OAuth2 connection button. notempty The Microsoft servers may take up to 30 minutes before access works Fig.1 Select Azure Active Directory menu Note down or copy Tenant ID, is entered when adding an OAuth 2 connection Fig.2 Register new app: Menu App registration Button New registration Fig.3 Assign a unique name Click Register button Fig.4 A summary of the newly registered app is displayed The Object ID displayed here does not belong to the app and is not needed! Select API permissions menu Fig.5 Click Add a permission button Fig.6 Select the tab APIs my organization uses Select permission for Office 365 Exchange Online Fig.7 Click Application permissions button Search for imap Checkmark IMAP.AccessAsApp Click the Add permissions button Fig.8 Select menu API permissions again. Select entry Grant admin consent for [...] Click the Yes button Fig.9 Grant admin consent for... successfully granted Fig.10 Menu Certificates & secrets Tab Client secrets Entry New Client secret Enter unique description Select desired duration (max. 24 months) Click Add button Fig.11 Note down Value, will be entered as Secret Client Key when adding an OAuth 2 connection Fig.12 Back to the dashboard, menu Azure Active Directory Menu Enterprise applications Fig.13 All applications menu Select Securepoint app Fig.14 Note down from the app properties: Application ID, is entered as Application ID when adding an OAuth 2 connection Object ID, is required for the granting of the authorisation via Powershell Fig.15 Open Powershell on a Windows client administrator Install ExchangeOnlineManagement module If there are problems installing the module or connecting, you may need to configure Powershell to TLS 1.2: >[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 > Install-Module -Name ExchangeOnlineManagement -allowprerelease Import ExchangeOnlineManagement and connect to Tenant: > Import-module ExchangeOnlineManagement > Connect-ExchangeOnline -Organization Tenant ID (See Fig.1) Create a new service principal and assign a unique name: > New-ServicePrincipal -DisplayName SecurepointServicePrincipal -AppId Enterprise-oApp-ooID-oooo-oooooooo -ServiceId Enterprise-oObj-ooID-oooo-oooooooo For Enterprise-oApp-ooID-oooo-oooooooo enter the Application ID and for Enterprise-oObj-ooID-oooo-oooooooo enter the Object ID (see Fig. 14) Then assign mailbox permissions: > Add-MailboxPermission -Identity alice@anyideas.onmicrosoft.com -User SecurepointServicePrincipal -AccessRights FullAccess
Microsoft 365 (Secret client key) Microsoft 365 (Secret client key)
Name:		Name of the OAuth 2 connection
Provider:	Microsoft 365 (Secret client key)	Provider selection
Application ID:		The application ID is entered In Microsoft Azure in the App property under Application ID
Tenant ID:		The tenant's ID is entered In Microsoft Azure in the menu Azure Active Directory under Tenant ID
Secret client key:		The secret client key is entered In Microsoft Azure in the menu Certificates & secrets in the tab Client secrets under Value

Microsoft 365 (certificate) Microsoft 365 (certificate)
Name:		Name of the OAuth 2 connection
Provider:	Microsoft 365 (certificate)	Provider selection
Application ID:		The application ID is entered In Microsoft Azure in the App property under Application ID
Tenant ID:		The tenant's ID is entered In Microsoft Azure in the menu Azure Active Directory under Tenant ID
Certificate:	CC-OAuth2-MS365_cert	The certificate that is uploaded in Azure is selected

General General
In the General ranch, the following settings can be made, effective for all Mail Connector services.
Interval (minutes):	15	The minute interval in which the external mail server is checked for new emails	Mail-Connector UTMuser@firewall.name.fqdnApplications Mail Connector Log
NoSoftBounce:	Off	If enabled, no further delivery attempt is made for emails that generate a permanent forwarding error. These emails are deleted from the mailbox (if Keepmail is inactive) or marked as read (if Keepmail is active).