Our Serverless Email Gateway (SEG) allows you to integrate your SendSafely directly with G-Suite and Office365 for policy-based email encryption. The SEG is available to subscribers on a SendSafely Enterprise plan. Below are the steps for deploying the SEG in your AWS environment using CloudFormation.
The steps outlined in this article assumes the following prerequisites:
- You have already verified your domain for sending email through SES. Refer to this article for steps on verifying a domain with Amazon SES. You should ensure that ALL of the relevant DNS entries are in place for not only verification but also for SPF and DKIM.
- You have permissions within AWS to setup and deploy new resources. Specifically you will need permission to:
- Create a new Lambda Function
- Create a new DynamoDB Table
- Create a new S3 Bucket
- Create a new SNS Topic (Simple Notification Service)
- Create a new SES Rule and edit the Active Rule Set
- Create a new AWS Secret (AWS Secrets Manager )
- Define a custom IAM Role for the Lambda Function
Prior to beginning this setup please contact email@example.com for instructions on how to obtain the CloudFormation template file, which is required for Step 1 below.
Step 1: Create stack and specify template
First, create a stack by logging into your AWS account and browsing to the CloudFormation console. Choose: AWS -> CloudFormation -> Create stack -> With new resources (standard)
Under "Step 1: Specify template" select the following options and click next:
- Prepare template: Template is ready
- Template source: Upload a template file
- Template file: The YAML obtained from your SendSafely account representative or SendSafely Support
Step 2: Specify stack details
Next, you will need to configure the Gateway Routing Addresses.
- Outbound Email Address
This is the SMTP envelope address that redirected outbound messages will be routed to. This address does not need to be a valid email address but does need to be within a validated email domain (ie firstname.lastname@example.org)
- Default Sender Email
This is the email address that will be used to deliver error notifications to users. This address does not need to be a valid email address but does need to be within a validated email domain. We recommend email@example.com.
- Support Email
This is the email address that internal users will be told to contact in the event of an error. This address will also receive an email alert any time the gateway encounters an error that includes the full error details. This address must be a valid address that is monitored. We recommend using your internal it help desk.
Below the Gateway Routing Addresses is the Advanced Parameters section. We recommend leaving these to their default values unless you are a Cloud Formation expert and which to customize the resource names created by the template.
Note: The "Stack Name" will be prepended to all created resources to ensure that they are uniquely named.
Step 3: Configure stack options
For this step we recommend that you leave the default values and click the "Next" button. CloudFormation will automatically create a new role for the connector that has the minimum permissions needed for it to run correctly.
Step 4: Review settings and create the stack
Review and acknowledge the required resources and capabilities then click "Create stack". The Stack may take several minutes to create. You can view the status from the CloudFormation > Stacks screen. Once the entire process completes successfully, the stack will have a status of "CREATE_COMPLETE".
Step 5: Enable the SendSafely SES receipt rule
Before you enable the SendSafely SES receipt rule, you should confirm that your domain has been verified and is enabled for sending. Browser to SES -> Domains and confirm that you see all three verification settings in green.
- Verification Status: Verified
- DKIM Status: Verified
- Enabled for Sending: Yes
The steps to enable the SES receipt rule will depend on whether you have an active rule set already in place. From the SES Console, choose Email Receiving -> Rule Sets.
Scenario 1 - No Active Rule Set
If you do not have an active rule set in place, you will see a message at the top of the screen indicating this. Choose the rule set name created by Cloud Formation and press the "Set as Active Rule Set" button.
Scenario 2 - Existing Active Rule Set
If you do have an active rule set in place, the message at the top of the Rule Sets section of the console will tell you the name of the rule set and when it was created.
For this scenario, you will NOT want to override the existing rule set since you can only have a single active rule set. Instead, you should copy the rule that was created by Cloud Formation for the SEG into the active rule set as shown below.
- Click on the name of the SEG Rule Set to drill down and see the individual rule
- You should see a single rule. Select that rule, and choose "Copy Rule" from the Actions menu.
When the Copy Rule modal appears, choose a name for the copied rule and choose the active rule set for the destination. The active rule set will have the word "(Active)" next to it.
The copied rule will be added to the active rule set with a status of "Disabled". After the rule has been copied, navigate back to the main screen of the Rule Sets section and press the "View Active Rule Set" button. You should see the copied rule listed (Disabled) within the rule set along with any other previously existing rules.
Click on the rule name to edit the rule. At the top of the rule editor, check the box labeled "Enabled", then press the "Save Rule" button at the bottom of the screen to enable the rule.
Step 6: Update Secrets Manager
The final step of the setup is to update SecretsManager with your SendSafely API credentials. You can find a direct link to the secrets manager entry that was created by CloudFormation on the "Resources" tab of the stack within the CloudFormation console (the Logical ID is "OutboundConfigSecret").
Press the "Retrieve Secret Value" button to reveal the example secret that was populated by the CloudFormation.
Press the "Edit" button to update the key/value pair to reflect your enterprise portal credentials:
- Secret Key: The source domain for outbound messages (ie yourcompany.com)
- Secret Value: Name/value pairs for additional configuration parameters (stored as a JSON string)
- apiHost: Your SendSafely portal URL (ie https://yourcompany.sendsafely.com)
- apiKey: The API Key for the SendSafely SEG service account
- apiSecret: The API Secret for the SendSafely SEG service account
Step 7: Configure S3 Bucket Lifecycle
Most customers will want to configure a Lifecycle Policy on the SEG S3 bucket in order to automatically expire and delete encrypted mail files after they have been processed. We recommend configuring the policy to expire files after 5 days and permanently delete them 5 days later. This lifecycle policy will prevent old encrypted mail files from accumulating over time while allowing for cases where a message processing failure needs to be investigated or replayed by an authorized systems administrator.
For more information on how to configure an S3 Lifecycle Policy, consult this link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
Step 8: Test the SEG (Final Step)
Once you complete the steps above, you should be able to test the SEG. Refer to our setup guide for steps on how to route messages to the SEG.
NOTE: The hostname that you route messaged to refers to the endpoint that receives email for the AWS Region where you use Amazon SES. For example, the endpoint for the US West (Oregon) Region is inbound-smtp.us-west-2.amazonaws.com. For a complete list of endpoints, see Amazon SES regions and endpoints.
For additional assistance setting up the SendSafely Serverless Gateway, contact firstname.lastname@example.org.