Configuring SpamTitan for EncyptTitan
Note
Use the following instructions for the Advanced Managed Email Security license.
If you have the Managed Email Security license, follow the instructions in License Type: Managed Email Security.
The following setup is specifically for customers who have a dedicated SpamTitan Infrastructure and setting up an account with an Advanced Managed Email security license. If you are a SpamTitan customer on TitanHQ's SAS platform and SpamTitan is handling your outbound mail, please contact support for setup assistance.
Note
Before configuring SpamTitan to work with EncryptTitan, please ensure that your SpamTitan instance has been added to the EncryptTitan system to allow EncryptTitan to accept mail from your SpamTitan instance. This can be validated by contacting TitanHQ support.
If SpamTitan is not added to the EncyptTitan system prior to setup, then you may experience email delivery issues.
If you're using SpamTitan for your outbound email and you want to use EncryptTitan email encryption service, you'll need to follow the steps below. Configuration is required on both your SpamTitan instance and O365 environment to to allow EncryptTitan to accept emails from your SpamTitan instance.
To configure a customer account with an Advanced Managed Email Encryption license for content based encryption, you will need administrative access to your SpamTitan gateway.
If there are multiple domains on your M365 tenant, but you are only enabling EncryptTitan for one or some of those domains, you should consider whether your M365 rules/connectors should be configured for just the specific domain(s) you are configuring for EncryptTitan.
Add a Connector from O365 to SpamTitan.
If you have not already set up a connector from O365 to SpamTitan, follow the steps below to route your email traffic from O365 to SpamTitan.
Log in to Microsoft Online, and enter your administrator email address and password.
Note
If you are not an administrator, you will be redirected to the user hub. Contact your O365 Administrator if you need administrator access.
Select Sign in.
In the left area of the O365 console, select Admin to go to the O365 Admin Center.
Select Exchange > Mail Flow > Connectors.
In the Connectors section, select the + sign to add a new connector. The Mail Flow Scenario dialog box opens.
In Connection From, select Office 365 and in Connection to, select Partner organization. Select Next.
In the Name field, enter a descriptive name for the outbound connector; for example, EncryptTitan.
In the Description field, enter additional information about the outbound connector. To enable the connector immediately upon completion, select Turn it on. Select Next.
In the Use of Connector dialog box, select the option Only when email messages are sent to these domains. Enter * in the field and select +. Select Next.
On the Route email messages page, select Route email through these smart hosts.
Enter the IPs of the SpamTitan Instances that will be used for Outbound mail. Enter each IP and select + to add. Then select Next.
Ensure that Always use Transport Layer Security (TLS) and Issued by a trusted certificate authority (CA) are selected. Select Next.
Verify the connector by entering a test email address. This can be any email outside the domain you are setting up. Select the + sign, and then select Validate.
The validation step will attempt a connection from Office 365 to the EncryptTitan Gateway and email the designated email address. Both validation results should be successful. Select Next.
Select Create connector.
Add an O365 Rule for the EncryptTitan Token Header.
Go to Mail Flow and select Rules.
Select the plus + sign beside Add a rule, and select Create a new rule from the dropdown menu.
Enter a name for the rule you are creating, and from the Apply this rule if dropdown menu, select Apply to all messages.
From the Do the following dropdown menu, select Modify the message properties and in the dropdown menu beside it, select set a message header.
Select the Enter text... link beside message header, and enter X-ETVALTOK. Select Save.
Select the Enter text... link beside value, and retrieve the value for your account in the EncryptTitan portal. Go to Configurations > Domain setup and select the domain you are setting up. Select Outbound servers and in the window that appears, copy the custom x-header value by clicking the copy
icon. Paste this value, which is typically 20 characters, into the message header text field and select Save.
Select Next. If Next is greyed out, review your selections rule conditions to ensure they are correct.
Under Rule mode, leave the default Enforce selected. Other available options would typically be left unchanged from the default settings.
Select Next to review the rule. Then select Finish > Done.
Add to your Allowed Domains on SpamTitan.
You will need to add @encrypttitan.io to your allowed domains in SpamTitan to ensure inbound mail from EncryptTitan is not picked up as spam.
In SpamTitan, go to Filter Rules > Global Allow List to manage allow list entries. See Managing Global Allow Lists for assistance.
In the Allowed Domains section, select Add.
In the dialog box that opens, do the following:
Sender Domain: Enter @encrypttitan.io.
Include Subdomains: Leave enabled (by default).
Comment (optional): Add a short description.
Select Save.
Add a GreyList Exemption on SpamTitan.
To ensure mail from EncryptTitan is not greylisted, you'll need to add the EncryptTitan IPs to Greylist Exemptions.
In SpamTitan, go to System Setup > Mail Relay > Greylisting. See Greylisting Settings for assistance.
In the Sender IP Exemptions section, select Add.
In the dialog box that opens, do the following:
IP/Network: Enter 34.237.18.131.
Netmask: Select /32 (255.255.255.255).
Address Type (optional): Select IPv4.
Comment (optional): Add a short description.
Select Save.
Repeat the above steps for the following IPs, so that in total you'll add three entries.
52.87.122.63
54.161.105.105
Add an RBL IP Exception.
If you have the Realtime Blackhole Lists (RBLs) feature enabled on SpamTitan, we recommend adding the EncryptTitan IPs to Bypass RBL checks.
Go to System Setup > Mail Relay > IP Controls.
In the Bypass RBL checks section, select Add.
In the dialog box that opens, do the following:
IP/Network: Enter 34.237.18.131.
Netmask: Select /32 (255.255.255.255).
Address Type: Select IPv4.
Comment (optional): Add a short description.
Select Save.
Repeat the above steps for the following IPs, so that in total you'll add three entries.
52.87.122.63
54.161.105.105
Add Advanced Routing Smart Host.
Go to System Setup > Mail Relay > Advanced Routing, and select Add.
Enter the sender domain in @domain.com format. Then, enter the Smart Host as defined in the customer account on the EncryptTitan system.
Go to your EncryptTitan portal to get your smart host:
Select Configurations > Domain Setup and select the checkbox for your domain.
Select Outbound servers.
In the pop-up window, select Microsoft 365 from the dropdown menu and take note of the smart host where O365 will deliver emails (securemail.encrypttitan.io).
Enter a comment, which is optional, and select Save.
Once the smart host is added, all email for the listed sending domain will be routed to EncryptTitan for content based encryption immediately.