Secure Mail Gateway

Introduction

With the Secure Mail Gateway (SMG), Relution makes it possible to connect to an Exchange server without exposing that server to the internet. Relution acts as a proxy for the Exchange ActiveSync (EAS) communication. SMG requires basic auth to be available on the Exchange server. Modern auth is not supported.

Port 443 must be enabled in the firewall and the Exchange server must be reachable from the Relution server and vice versa.

It is recommended to configure the restriction options only after the connection has been tested successfully, so that they can be ruled out as a source of errors. Once the connection works and the endpoints can be used, the permissions can be configured accordingly.

Breaking change with Relution 26.4.0: From version 26.4.0, the SMG feature requires a dedicated standalone service. Setup instructions: Secure Mail Gateway (Add-on).

Configuration of the Secure Mail Gateway

Exchange configuration

  • Exchange URL: The address where the Exchange server can be reached.

  • SMG Service URL: The publicly reachable URL of the SMG service. This can be a dedicated subdomain (e.g. https://smg.yourserver.example.com) or the same URL as the Relution server, provided the reverse proxy forwards /Microsoft-Server-ActiveSync to the SMG service correctly.

    This field is available in Relution 26.3 with the SMG_STANDALONE feature toggle enabled, and from version 26.4.0 without any additional configuration. If a URL is entered that differs from the Relution server URL, the Exchange configuration must be reapplied on all enrolled devices.

  • Exchange Domain: The corresponding domain of the Exchange server to be accessed.

  • All parameters under Permissions for enrolled devices: Configure them initially as shown in the screenshot. Establish a connection and test the function first, before configuring any restrictions.

  • Permissions for unknown devices: This function allows communication for unknown devices.

Technical overview

For Exchange configurations using SMG, https://<SMG Service URL>/Microsoft-Server-ActiveSync is configured as the EAS endpoint on the device. The Exchange domain is set to the unique name of the corresponding organization. Relution uses the domain to identify the corresponding SMG settings.

If SMG is enabled and configured in these settings, the request headers DeviceId and DeviceType are evaluated to identify the device that triggered the request. Depending on the SMG settings, on whether the device could be identified at all, and on the properties and status of the device (see the previous section), the request is either denied or forwarded to the Exchange host configured in the SMG settings, and the response is delivered back to the device. The domain is adjusted to the one configured in the SMG settings, if present.

Hints

Password

Exchange and SMG use basic auth. As a result, account errors may occur on the end device when the password contains special characters such as $ # / * ü ö ä or a space.

To check whether this is the cause, use a simple password consisting only of letters and numbers for testing.
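The following Python example is an addition to this page, not Relution code. It flags every password character outside letters and numbers, and shows one known cause that applies to the non-ASCII characters: basic auth sends base64 of "user:password", and the bytes differ depending on whether the client encodes in UTF-8 or ISO-8859-1. The function names and sample credentials are constructed for illustration. For the ASCII characters ($ # / * and space) the page names no cause, so the script only flags them.

```python
import base64
import string

# Characters the page recommends for a test password: letters and numbers only.
SAFE = set(string.ascii_letters + string.digits)

def basic_header(user: str, password: str, charset: str) -> str:
    """Build the Authorization value a client would send when using `charset`."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def check_password(user: str, password: str) -> dict:
    """Report which characters make a password unsuitable for the connection test."""
    risky = sorted({c for c in password if c not in SAFE})
    utf8 = basic_header(user, password, "utf-8")
    try:
        latin1 = basic_header(user, password, "iso-8859-1")
    except UnicodeEncodeError:
        latin1 = None  # character cannot be represented in ISO-8859-1 at all
    return {
        "risky_chars": risky,
        "utf8_header": utf8,
        "latin1_header": latin1,
        # True when two clients would send different bytes for the same password
        "charset_dependent": latin1 != utf8,
        "ok_for_connection_test": not risky,
    }

if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real system.
    for pw in ("Test1234", "Pa$$ w#rd", "Schlüssel9"):
        result = check_password("EXAMPLE\\jdoe", pw)
        print(repr(pw), result["risky_chars"],
              "charset-dependent" if result["charset_dependent"] else "charset-stable",
              "usable for test" if result["ok_for_connection_test"] else "avoid for test")
```

If a password is reported as charset-dependent, the device and the Exchange server may disagree on its bytes even though the user typed it correctly.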

macOS

macOS connects to Exchange via EWS. However, the Secure Mail Gateway can only forward ActiveSync. Therefore, it is currently not possible to use macOS devices with SMG.