SMTP Mail Gateway: Secure, Automated, Modular

Secure & Automated Email Encryption, with no effort for your users

Our SMTP Mail Gateway is a modular S/MIME gateway that integrates seamlessly into your existing IT landscape. It automates email signing, encryption, and validation—GDPR-compliant, with no client changes and maximum security.

Why companies choose our SMTP Mail Gateway

As part of the modular SecPKI Server, the S/MIME gateway can be used flexibly: as a starting point or as an add-on to existing modules (Signature Portal, LTA, 2FA), with seamless integration into Microsoft 365/Exchange Online.

Benefits at a glance

  • Central control instead of certificate sprawl
  • No client rollouts, lower operating costs
  • Future-proof thanks to standards (S/MIME detached/opaque)
  • REST API automation for provisioning & reporting

Zero touch for users: No certificate installations, no client add-ins—everything runs transparently at the gateway.

Automated S/MIME signing & encryption: Integrity, authenticity, and confidentiality out of the box.

Central certificate management: Just-in-Time certificate issuance (JIT), assignment and lifecycle—connected to Active Directory (LDAP/AD) and D-Trust CSM.

Flexible rules & workflows: By sender, recipient, subject, or classification.

Highly available & scalable: Clustering/active-active, multi-tenancy, monitoring & API, failover strategies.

How can I encrypt email in a GDPR-compliant way?

Deploy a gateway that enforces end-to-end encryption (S/MIME) centrally, based on policies, with no user intervention.

Incoming signatures are validated, certificates are stored (public key harvesting) and used for subsequent emails. A fallback web portal is available for recipients without a certificate.

Result: legally sound, traceable processes with detailed logs for audits.

S/MIME gateway vs. client certificates—pros and cons

S/MIME Gateway (server-side)

  • Advantages: Zero touch, central policies, JIT certificate issuance, public key harvesting, Active Directory integration, multi-tenancy, clustering/high availability, GDPR-compliant email encryption, REST API automation, clear audit trails.
  • Disadvantages: The gateway must be highly available; initial integration & policy maintenance required; fallback processes (e.g., web portal) must be defined.

Client-side certificates (endpoint)

  • Advantages: Classic end-to-end crypto on the client, independent of a front-end gateway.
  • Disadvantages: Rollout/backup/renewal per user & device, higher helpdesk effort, heterogeneous client add-ins, lack of central governance.

S/MIME encryption without client installation

Gateway-side signing/encryption: Policies apply on send/receive.

Users are not interrupted: emails that were decrypted on the server side arrive in the inbox unencrypted.

Fast rollout: No add-ins, no training, no certificate deployments.

How does Just-in-Time certificate issuance (JIT) work?

  • User identification via Active Directory (LDAP/AD)
  • JIT: certificates are created at first send and assigned automatically
  • Public key harvesting: incoming partner certificates are stored and kept up to date
  • D-Trust CSM connection for issuance/renewal—completely without manual effort

How it works in practice

1. Provision: users & certificates automatically, no admin overhead.
2. Secure: sign/encrypt outbound; verify/decrypt inbound.
3. Automate: workflows start on mail receipt (e.g., classification).

Integration of the S/MIME gateway with Microsoft 365 / Exchange

  • Seamless M365/Exchange Online integration as a front-end gateway.
  • Policies (e.g., “Confidential” in the subject, domain-based rules) enforce signing/encryption.
  • Failover strategies: optionally send unencrypted or report an error—depending on compliance requirements.

Security & compliance—without friction

  • Enforced encryption by policy (domain/subject/classification)
  • GDPR-compliant email encryption & traceable audit trails
  • Fallback web portal for recipients without a certificate
  • Transparency & traceability for audits/review

Examples

Sign everything: “Sign all emails” as a global rule.

On-demand: The keyword “Confidential” triggers signing/encryption.

Targeted: “Encrypt everything to *@partnerfirma.de”.

Key features at a glance

Certificate management & S/MIME

  • Just-in-Time certificate issuance (JIT) & renewal without manual effort
  • Active Directory integration (LDAP/AD) for user and role mapping
  • Public key harvesting & updates—automatic use of incoming partner certificates
  • Integration of external CAs (e.g., D-Trust CSM)
  • Import of root certificates from unknown CAs

Security & encryption

  • Enforced encryption by policy (e.g., by domain, subject, classification)
  • Support for common standards—S/MIME (detached/opaque)
  • Configurable failover strategies (block, delay, alternate sending)
  • Clustering and high-availability operation (active-active), multi-tenancy
  • Fallback for recipients without certificates—e.g., web portal

Technical highlights

  • Standards & protocols: S/MIME (detached/opaque)
  • PKI & CAs: D-Trust CSM connection, import of external root certificates
  • Operations: Clustering/active-active, multi-tenancy, backup/recovery, monitoring
  • Integration: Microsoft 365 / Exchange gateway
  • Automation: REST API automation for provisioning, policies & reporting
  • Compliance: GDPR, BSI, KRITIS incl. logs & validation of inbound signatures

FAQs

What happens if a recipient has no certificate?
How does just-in-time certificate issuance work?
Is the system highly available?
Is the mail gateway integrated with Microsoft 365?
How is GDPR compliance ensured?
Does my staff need new software?
Which certificate types are supported?

Signature Portal

SecPKI streamlines your document workflows and provides secure electronic signatures. With the Signature Portal you can use all eIDAS signature levels—whether for signing business-critical documents or creating complex workflows.
