Feature request: New Action object "send to another relayhost"

msperl

Apr 8, 2023
I'm requesting this for the implementation of a corporate S/MIME solution to achieve a rescan for S/MIME encrypted inbound email.
If this could be achieved, PMG would be a great option for our company (16k Employees).


Code:
Inbound path:

Internet -+------> PMG ------+-> MTA --> LDA
          |                  |
          +<-decryption GW---+
          
Outbound path:

LDA --> MTA --> encryption GW --> PMG --> Internet
 
hi,

what exactly do you want to achieve? what should the 'send to another relayhost' be like?

AFAIU you want to scan the mail before and after the mail was decrypted? why not simply employ two mail gateway instances? one before the decryption gw and one after?
or why do you want to scan the mail before decryption anyway?
 
Hi, thanks for your fast response.
This functionality should be similar to the "BCC" Action object, with the difference being that you enter an IP address of the alternate server instead of an email address, so that (in our case) the de-/encryption gateway can process the email as usual.
Yes, scanning before and after decryption is intended by us. Employing two gateway instances would still be possible but this creates (in our opinion) unnecessary overhead because high availability comes into play (results in 4 instances that must be patched and upgraded when necessary as well as two clusters with their own config). And double this amount for our equally built QA environment.
Scanning mail before decryption is mandatory because of the placement of the de-/encryption appliances in our security networking concept.
My thoughts about this request were because of the existing possibility of adding a BCC recipient as an action object (may not be hard to implement?) and all of our previous gateway solutions also had this functionality.

Thank you!!
 
the problem with this is that it only would cover a very narrow use case, since normally the backend relay is determined by the mx records per domain
so for this feature to work "properly" we'd have to have a list for each relay domain of which servers could be used and then somehow match that in the rule system
your case is the simplest one where there is only one downstream server and one additional one, but there are many setups that have multiple backend relays (sometimes multiple per domain)

another way of "fixing" it could be to try to detect if a mail is s/mime encrypted and offer a separate server/ip per relay domain to send to for encrypted mails that could be used instead of the regular ip/server

while i don't think this is a use case that's needed for most of our users, and i don't even know if this could be properly implemented, you can open a feature request on https://bugzilla.proxmox.com
maybe another dev has a different stance on this..

EDIT: also one thing that just came to mind:

if you have to have 'high availability' wouldn't you need at least 2 possible decryption gateways?
 
Ok, I understand that the use case for other customers wouldn't be very necessary.
about the other way of as you call it "fixing": I'm quite interested about how to configure this, seems to be sufficient for our needs, maybe I've overlooked this functionality.
high availability for decryption is provided by a (also highly available) load balancer cluster with a moving IP, and yes, decryption is already set up with 2 gateways
 
about the other way of as you call it "fixing": I'm quite interested about how to configure this, seems to be sufficient for our needs, maybe I've overlooked this functionality.
no i meant this would be another way of implementing this, not that we already have this, sorry for the confusion. in any case i'd recommend opening a feature request so that we can discuss this and keep track of it (even if we ultimately decide to not implement anything like this)
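
The alternative floated in the thread (detect S/MIME-encrypted mail and use a separate server per relay domain for it) can be sketched as follows. This is an added example, not part of the original posts and not Proxmox Mail Gateway code; the `RELAYS` table, its addresses, the function names and the handling of a missing `smime-type` parameter are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
ENCRYPTED = {"enveloped-data", "authenveloped-data"}  # CMS types that hide content

# Hypothetical per-relay-domain table; addresses are RFC 5737 documentation IPs.
RELAYS = {
    "example.com": {"default": "192.0.2.10", "smime": "192.0.2.20"},
    "example.org": {"default": "192.0.2.11"},  # no decryption gateway configured
}

def is_smime_encrypted(msg):
    """True if any MIME part is (or may be) S/MIME-encrypted content."""
    for part in msg.walk():
        if part.get_content_type() not in PKCS7_MIME:
            continue  # includes detached signatures (application/pkcs7-signature)
        smime_type = part.get_param("smime-type")
        if smime_type is None:
            # smime-type is optional; assumed policy: let the gateway decide.
            return True
        if collapse_rfc2231_value(smime_type).strip().lower() in ENCRYPTED:
            return True
    return False

def next_hop(msg, rcpt_domain):
    """Pick the decryption gateway for encrypted mail, else the regular relay."""
    routes = RELAYS[rcpt_domain.lower()]
    if is_smime_encrypted(msg):
        return routes.get("smime", routes["default"])
    return routes["default"]

def sample(content_type):
    """Build a constructed test message with the given Content-Type header."""
    return message_from_string(
        "From: a@example.net\nTo: b@example.com\nMIME-Version: 1.0\n"
        f"Content-Type: {content_type}\n\nconstructed body\n"
    )

if __name__ == "__main__":
    for ct in ("application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m",
               "application/pkcs7-mime; smime-type=signed-data; name=smime.p7m",
               "text/plain; charset=utf-8"):
        print(next_hop(sample(ct), "example.com"), "<-", ct)
```

Once the gateway has decrypted a message and handed it back, it no longer matches and takes the regular route, which gives the rescan loop from the inbound diagram. A message the gateway cannot decrypt would still match on return, so a real implementation needs a marker or hop check to stop it cycling.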
 
