Overview

This article gives an high level overview of the basic concepts behind MailStore Gateway. It should help to understand in which scenarios to use MailStore Gateway in combination with MailStore Server or MailStore Service Provider Edition. Further instructions can be found in the corresponding articles of this help or the help of MailStore Server and MailStore Service Provider Edition.

MailStore Gateway has been designed primarily for two distinct scenarios:

  1. Serving as journal or archiving target for other email servers that themselves create copies of sent and received emails.
  2. Serving as SMTP and POP3 proxy that creates and stores copies of all emails that are exchanged between email clients and email servers.


Both scenarios are explained more detailed in the following sections.

MailStore Gateway as Server

Many email servers allow the creation of copies of all in- and outbound emails for the purpose of archiving. While on-premises email servers generally allow to deliver these copies into local mailboxes, most cloud based services (e.g. Microsoft 365, Google G Suite) do not, neither technically nor license-wise, and thus require external mailboxes to be used as a journal or archiving mailboxes. For those services, third-party archiving solutions, such as MailStore Server and MailStore Service Provider Edition, must either pull the emails from those external mailboxes, or, to circumvent that, be able to receive emails via SMTP directly.

As direct SMTP archiving is generally preferred over using yet another third-party mailbox provider, MailStore Gateway provides this functionality for MailStore Server and MailStore Service Provider Edition without changing their basic concept of pull-only archiving.

This chart gives a good overview of the whole setup.

MailStore Gateway Overview Server.png

The typical workflow to set up this scenario looks as follows:

  1. A MailStore Gateway mailbox is created. Each MailStore Gateway mailbox has a unique email address.
  2. On the email server, a new journal or archiving rule is created. This rule uses the email address of a MailStore Gateway mailbox as target.
  3. Through the rule, copies of the emails to be archived are sent to MailStore Gateway via SMTP. Received emails are stored encrypted with an encryption key unique to each mailbox.
  4. MailStore Server or MailStore Service Provider Edition will then archive those emails from MailStore Gateway mailboxes via the corresponding archiving profile.

MailStore Gateway as Proxy

Organizations without their own email server and without using an email service that allows to create journal or archiving rules as described before, may use the combination of POP3/SMTP on their email clients to receive and send emails.

To archive all in- and outbound emails in such a scenario, MailStore Gateway can record the communication between the email client and the email server, effectively operating as an email proxy.

This chart gives a good overview of the whole setup.

MailStore Gateway Overview Proxy.png

The typical workflow to set up this scenario looks as follows:

  1. A MailStore Gateway mailboxes is created. Each MailStore Gateway mailbox has a unique identifier.
  2. On the email client, the in- (POP3) and outbound (SMTP) server must be replaced by the MailStore Gateway's host name. Additionally, the user name needs to be modified to remote_username%target_server%mailbox_id where
    • remote_username is the user name (e.g. [email protected]) to login to a mailbox on target_server
    • target_server is the host name of the original email server (e.g. mail.example.com). It also needs to match the common name of the TLS/SSL certificate used by the original email server to ensure full confidentiality.
    • mailbox_id is the unique identifier of the MailStore Gateway mailbox into which copies of the sent or received emails are to be stored.
  3. Afterwards copies of all sent and received emails on that particular client are stored in the given MailStore Gateway mailbox. MailStore Gateway encrypts all stored emails with a key unique to the mailbox.
  4. Repeat step 2 for all email clients where the users' emails should be archived.
  5. MailStore Server or MailStore Service Provider Edition will then archive those emails from MailStore Gateway mailboxes via the corresponding archiving profile.

Security

All emails stored in MailStore Gateway mailboxes are protected by strong hybrid encryption. The mailbox passwords represent the passphrase for the private keys of the asymmetric part of the hybrid encryption. This means that without the correct mailbox password, no data can ever be decrypted. Therefore it is highly recommended to keep the password in a safe place (i.e. enterprise password manager).

Additionally, MailStore Gateway does not allow usernames or passwords to be transferred over an unencrypted connection. The remote server for proxied connections must support implicit (SMTPS, POP3S) or explicit (SMTP+STARTTLS, POP3+STARTTLS) encryption.