The Unified SMTP proxy is a single proxy that includes the properties of both the Inbound SMTP proxy and the Outbound SMTP proxy. In fact, you can individually configure one Inbound and one Outbound SMTP proxy and achieve the same result as with the Unified SMTP proxy.
The Unified SMTP proxy can only be configured for a Lotus Protector for Mail Encryption Server in gateway placement.
With the Unified SMTP proxy, all mail traffic arrives on the same local connectors. This means that you do not need a second IP address for your Lotus Protector for Mail Encryption Server, which you would need if you created separate Inbound and Outbound SMTP proxies.
It also means you need to configure the Unified SMTP proxy so that it can distinguish between inbound and outbound mail traffic, because all mail traffic is arriving on the same local connectors.
You do this by creating a Designated Source IPs list, a list of IP addresses which by definition are sending outbound mail traffic to the Lotus Protector for Mail Encryption Server. Traffic from all other IP addresses is, by definition, inbound from the Internet.
Put a different way, on the Unified SMTP proxy you put the IP addresses of your trusted internal mail servers on the Designated Source IPs list, because these are the only devices that should be sending outbound email traffic to the Lotus Protector for Mail Encryption Server in gateway placement.
The Lotus Protector for Mail Encryption Server checks the source IP address of all incoming mail traffic on its local connectors and decides which of these two categories the traffic fits:
The mail traffic is coming from an IP address on the Designated Source IPs list. This traffic is thus outbound traffic coming from an internal mail server, and is processed as such. Messages are encrypted and/or signed, per the applicable policy, but not decrypted or verified.
The mail traffic is coming from an IP address not on the Designated Source IPs list. This traffic is thus inbound traffic coming from the Internet, and is processed as such. Messages are decrypted and verified, but not encrypted or signed.
To create or edit a Unified SMTP proxy
1 If you are editing an existing Unified SMTP proxy, click on the name of the proxy you want to edit in the Proxy column on the Mail Proxies page. The Edit Mail Proxy page appears.
2 If you are creating a new Unified SMTP proxy, click Add Proxy on the Mail Proxies page, select SMTP from the Protocol menu, then select Unified from the SMTP Proxy Type in the Proxy Peer section.
IBM Lotus Protector for Mail Encryption Server Configuring Mail Proxies
The Add Mail Proxy: SMTP page appears.
3 In the Connector 1 field, in the Local Connector section, select the interface for the local connector for this proxy from the drop-down menu. The interfaces available are those configured on the Network Settings page (System > Network). If you want more interfaces to be available for your proxies, you need to configure them on the Network Settings page.
4 In the Port field, select the appropriate port.
The default port for SMTP is 25; the default for SMTPS (secure SMTP) is 465.
The port number automatically changes based on your selection from the Security menu.
5 In the Security menu, select between:
STARTTLS Allow. Allows the security of the connection to be upgraded to TLS via negotiation when communications begin. The external MTA must support STARTTLS for the upgrade to occur. The default port is 25.
STARTTLS Disable. STARTTLS is not allowed for this connection. The default port is 25.
STARTTLS Require. Requires that the connection be secured by TLS. Only select this option if you are confident that all devices connecting to this local connector support upgrading the security to STARTTLS. The default port is 25.
SSL. Uses SSL to protect the connection between the external MTA and the Lotus Protector for Mail Encryption Server. The default port is 465.
6 Click the Restrict Access button to enhance the security of this local connector by restricting access by IP address.
7 On the Access Control for Connector dialog box, put a check in the Enable Access Control for Connector check box.
8 Select Hostname/IP or IP Range.
In the Hostname/IP field, type a hostname or IP address, then click Add. What you type here appears in the Block or Allow field below. If you type a hostname such as example.com, the name will be resolved to an IP address.
In the IP Range fields, type starting and ending IP addresses for an IP address range, then click Add. What you type appears in the Block or Allow field below.
In the Block or Allow field, select Block these addresses or Allow only these addresses, as appropriate, for the IP addresses or ranges in the box below.
Click Save when you have configured the appropriate access control restrictions.
The Access Control for Connector dialog box disappears.
9 In the Designated Source IPs list, add the internal mail server(s) that send mail traffic to the Lotus Protector for Mail Encryption Server that is outbound for the Internet.
To add the IP address of a mail server, click the plus sign icon, type the IP address, then click Save.
The Unified SMTP proxy considers all mail traffic coming from IP addresses on this list to be outbound for the Internet, and processes it accordingly.
10 Choose between:
Send mail directly to recipient mailserver. When selected, the outgoing email messages coming from your internal email users will be sent to the recipient mail server after processing by the Lotus Protector for Mail Encryption Server per the appropriate policies.
Send all outbound mail to relay. When selected, the outgoing email messages from your internal email users will be sent to the device you specify after processing by the Lotus Protector for Mail Encryption Server per the appropriate policies.
11 If you selected Send all outbound mail to relay, in the Hostname field, type the hostname or IP address of the device you want outgoing email messages to be sent to after processing by the Lotus Protector for Mail Encryption Server.
In the Port field, select the appropriate port. The default port for SMTP is 25. The default for secure SMTP is 465. The port number automatically changes based on your selection from the Security menu.
In the Security menu, select between SSL, STARTTLS Attempt, STARTTLS Disable, and STARTTLS Require. These are the same options available for the Security menu in the Local Connector section.
12 In the Mailserver field, for Hostname, type the hostname or IP address of the device you want incoming email messages to be sent to after processing by the Lotus Protector for Mail Encryption Server.
Under most circumstances, this should be your outward-facing mail server.
In the Port field, select the appropriate port. The default port for SMTP is 25; the default for SMTPS (secure SMTP) is 465. The port number automatically changes based on your selection from the Security menu.
In the Security menu, select between SSL, STARTTLS Attempt, STARTTLS Disable, and STARTTLS Require. These are the same options available for the Security menu in the Local Connector section.
13 Click Save.
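The two per-connection decisions described above (the local connector's access control from steps 6 through 8, then the Designated Source IPs classification from step 9 and the overview), as an added illustrative model written for this page; it is not the product's code, and the class name, method names and the IP addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Processing the page describes for each category of traffic.
PROCESSING = {
    "outbound": "encrypt and/or sign per policy; do not decrypt or verify",
    "inbound": "decrypt and verify; do not encrypt or sign",
    "rejected": "connection refused by the local connector's access control",
}


@dataclass
class UnifiedSmtpProxy:
    """Illustrative model of a Unified SMTP proxy's per-connection decisions."""
    # Step 9: trusted internal mail servers that send outbound mail (assumed addresses).
    designated_source_ips: list
    # Steps 6-8: optional access control on the local connector.
    access_mode: str = "off"  # "off", "allow" (allow only these) or "block" (block these)
    access_entries: list = field(default_factory=list)  # "a.b.c.d" or ("start", "end") ranges

    def _matches_access_list(self, ip: ipaddress.IPv4Address) -> bool:
        # Hostnames are resolved to IPs when the dialog is saved; entries here are IPs already.
        for entry in self.access_entries:
            if isinstance(entry, tuple):
                start, end = (ipaddress.ip_address(e) for e in entry)
                if start <= ip <= end:
                    return True
            elif ip == ipaddress.ip_address(entry):
                return True
        return False

    def classify(self, source_ip: str) -> str:
        """Return "rejected", "outbound" or "inbound" for a connection from source_ip."""
        ip = ipaddress.ip_address(source_ip)
        if self.access_mode != "off":
            listed = self._matches_access_list(ip)
            # "Allow only these addresses" rejects unlisted IPs; "Block these addresses" rejects listed ones.
            if (self.access_mode == "allow") != listed:
                return "rejected"
        # Access control runs first, so a designated source IP that the connector
        # does not admit never reaches the outbound/inbound decision.
        if any(ip == ipaddress.ip_address(d) for d in self.designated_source_ips):
            return "outbound"
        return "inbound"


if __name__ == "__main__":
    proxy = UnifiedSmtpProxy(designated_source_ips=["10.0.0.5"], access_mode="block",
                             access_entries=["203.0.113.9", ("198.51.100.0", "198.51.100.255")])
    for src in ("10.0.0.5", "192.0.2.7", "203.0.113.9", "198.51.100.40"):
        cat = proxy.classify(src)
        print(f"{src:15} -> {cat}: {PROCESSING[cat]}")
```

The last case in the test below shows the caveat worth checking after configuration: an internal server on the Designated Source IPs list that is not admitted by an "Allow only these addresses" rule is rejected before its mail is ever treated as outbound.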
Email in the Mail Queue
This section describes the Mail Queue feature.
You can configure Mail Queues from the Mail > Mail Queue page. This feature is available with Lotus Protector for Mail Encryption Server.
Overview
The Mail Queue page lists email messages that are waiting to be sent by the Lotus Protector for Mail Encryption Server. The list is often empty, even on medium-load servers.
When there are messages in the list, the following information is shown about each queued message: the email address of the sender, the email address of the recipient, the reason the message is in the queue, when the server received the message, and its size.
If the reason is too long to display in full, it is truncated. Click on or roll your cursor over the shortened reason to see the complete text.
There are several reasons why an email message would appear on the list:
While looking for a key for the recipient of a message, a keyserver did not respond. Only keyserver failures for $ADDRESS_DOMAIN keyservers do not cause a message to be queued.
A problem with the network or the recipient mail server is preventing the Lotus Protector for Mail Encryption Server from sending messages (a network outage might be the issue). While the Lotus Protector for Mail Encryption Server waits for the mail server to respond, it queues up outgoing messages.
The message recipient’s email address does not exist. If the message is not immediately deliverable, the Lotus Protector for Mail Encryption Server places it in the Mail Queue and continues trying to send it. The message times out and disappears from the queue after 4 days (96 hours). You can wait for the messages to be sent or you can delete them from the queue.
Note: If a message is addressed to multiple recipients, and the keys for some of the recipients cannot be found immediately, Lotus Protector for Mail Encryption Server breaks the message into multiple messages and only queues the messages for those recipients whose key(s) were not found.
IBM Lotus Protector for Mail Encryption Server Email in the Mail Queue