Administrator Manual - Email Continuity

This manual describes Retarus Email Continuity. It includes a process description, but also serves as administrator manual and description.

If you are interested in the detailed technical documentation of the Email Continuity REST API itself, refer to Email Continuity API .

Before using Retarus Email Continuity, all process-related topics are clarified during a mandatory workshop together with a Retarus Technical Consultant.

If you obtain Retarus Email Continuity via a reseller or distributor, the process might be different from the one described in this manual.

General description

Retarus Email Continuity as part of the Retarus Secure Email Platform is an emergency email failover and disaster recovery solution1. In case of an outage of a customer’s corporate email infrastructure (e.g., malware infiltration, technical defect) that is expected to last for a longer period in time, it offers the possibility for all users to keep sending and receiving emails using their corporate email address.

Apart from temporary disaster scenarios, Email Continuity may also be used for employees with corporate email addresses, but without access to internal critical email infrastructure, but this particular use case is not covered by this document.

The emergency case is defined as a situation where several or all employees of a customer are no longer able to receive or send emails due to a technical problem (e.g. outage of data center, malware infection of the email server).

In the described emergency situation, Retarus provides a manual Email Continuity failover routing upon request, combined with webmail hosting. End users can continue working in a common, easy-to-use webmail interface replacing their local email client for the time of the outage.

Email Continuity explicitly uses no Microsoft-related systems.

In this manual, we are using the term Email Continuity switch-over. This term is chosen in order to distinguish the manually activated routing of emails to the web mailboxes as part of the Email Continuity service (described in this document) from other “failover” routings that might be done internally between the Retarus data centers, but do not have an effect on the customer or end user. Nevertheless, in the Email Continuity API itself, the technical term “failover” is used for the manual “Email Continuity switch-over”.

Process description – overview

Before using the Retarus Email Continuity service, it is recommended to clarify all process-related topics during a workshop together with a Retarus Technical Consultant.

Also, if you obtain Retarus Email Continuity via a reseller or distributor, the process might be different to the one described in this document.

Before an emergency case

Organizational preparations

Apart from the technical steps to provision the emergency mailboxes described in this document, the complete emergency process should be discussed and documented. The default process is described in this document and Retarus consultants are available to discuss the process suited best to your individual situation:

Rollout and end-user information about the service itself,
End user information about the Email Continuity switch-over in case of an emergency (e.g. by email to personal email addresses, SMS to corporate or personal mobile phones, etc.),
Activation process for the Email Continuity switch-over itself,
End user access including forgotten passwords, as well as
Getting back to normal after an incident.

Retarus Service Implementation will require the following information for the initial setup of Email Continuity; the information is gathered during the workshop with a Technical Consultant:

Customer contact persons enabled to authorize an Email Continuity switch-over or its deactivation; normally a list of 3-5 contact persons (e.g., CISO) including their job title, email address and mobile phone number. (Especially the mobile phone numbers are important.)
If an automated user sync is desired: CSV file with all users for which an emergency web mailbox shall be provisioned, provided via sftp share and updated regularly by the customer (for details, see Mailbox provisioning and password generation).
End users may receive an automatic email notification if a token is created for them (initial creation or later token creation for password renewal). By default, the sender address noreply@on.retarus.com is used and the default templates (see Mailbox provisioning and password generation). If these automatic notifications are desired, Retarus Implementation has to know when to activate this mechanism.

Technical preparations (provisioning of web mailboxes)

The following steps have to be executed to achieve an initial provision of the end users’ emergency web mailboxes before an emergency occurs.

Details are described under Mailbox provisioning and password generation.

Provisioning of emergency mailboxes at Retarus via automated synchronization (csv file provided via sftp location) or manual creation by the customer admin via Retarus Email Continuity REST API. Automatic end user notifications should be enabled first (if desired).
Customer receives security tokens for all users by requesting the Retarus Email Continuity API. The tokens are either included in the “create users” response or can be created via separate API request.
Customer admin forwards the token URLs to the end users or uses the built-in email notification functionality.
First-time password setting by the end users via Retarus Email Continuity account activation website.
Web mailboxes are provisioned and activated, so ready for a potential emergency. Nevertheless, users are not yet able to access and use them.

In an emergency case

The emergency case is defined as an outage of the customer’s corporate email infrastructure expected to last for a longer period of time.

Details are described under Email Continuity switch-over process for an emergency case.

If you obtain Retarus Email Continuity via a reseller or distributor, the process might be different.

The customer informs Retarus about the emergency case.
Email Continuity switch-over to the user mailboxes and activation of their webmail access via API by the customer (or optionally by Retarus, also possible for single users as test).
→ Result: By Retarus, all emails are routed to/from his emergency web mailbox, not any more to/from the customer’s email server.
End users are informed about the emergency case by your administrator. (If you would like Retarus to take over this part, e.g. by sending an SMS to corporate mobile phone numbers, this would be possible as an option; please refer to your Retarus consultant in this case.)
Users may now access their web mailboxes via https://on.retarus.com, receive and send emails. They also have access to an internal global address book containing all contacts worldwide (all mailboxes that have been provisioned).
If a user has forgotten his password, he has to inform a customer admin who is able to request a security token for the user via the Email Continuity API. The admin hands over the token URL to the user (or uses the built-in email notification) who may now set a new password using the Retarus Email Continuity account management website – or the admin himself is doing this and informing the end user about his new password.

After an emergency

As soon as the corporate email infrastructure is working again, the following steps can be carried out. Details are described under Deactivation process after an incident.

If you obtain Retarus Email Continuity via a reseller or distributor, the process might be different.

The customer informs Retarus about the successful restoration and the end of the emergency case.
Email Continuity failover deactivation via API by the customer (or optionally by Retarus).
→ Result: Inbound and Outbound emails are routed to/from the customer environment again.
Webmail access not yet disabled for users in order to allow the users to access and read their emails from the time of the outage, as well as forward them to their regular email client again if necessary.
After a grace period, webmail access may be deactivated again for all users via API by the customer (or optionally by Retarus).

Process description – details

Mailbox provisioning and password generation

The provisioning of mailboxes is normally done via automatic synchronization in several steps described below.

As an alternative to synchronization, user mailboxes may also be created directly by the customer via the Email Continuity API. Of course, this may also be automated on the customer side.

Users created manually via the API are deleted as soon as the next automatic sync is executed if they aren’t included in the csv file for the sync!

Steps for the standard provisioning process via automatic synchronization:

1. Preparations for automatic notifications

End users may receive an automatic email notification if a token is created for them (initial creation or later token creation for password renewal). By default, the sender address noreply@on.retarus.com and the default Retarus email templates are used:

If these automatic notifications are desired, Retarus Implementation has to know when to activate this mechanism.

Retarus Service Implementation must activate the notification functionality before the first synchronization to guarantee that all end users receive the automatic notifications.

2. Synchronization

The existing DirSync process is used to trigger the provisioning of Email Continuity mailboxes. Nevertheless, the DirSync tool does not yet support the provisioning for Email Continuity, therefore a separate csv file has to be provided by the customer via sftp.

The csv file has to have the following format:
primaryEmail;displayName;givenName;surname;language;timezone;department; costcenter;phone;mobile;failoverGroups

Mandatory fields are displayed in red.
A semicolon is used as a separator.
Double quotes are used for strings.
The primary email is also the user and login name.
FailoverGroups: In case of an emergency, failover can be activated not only for all users of your company or single users, but also for a dedicated “failover group”. A failover group may refer to a region, a cluster of your email infrastructure or any other group of users for which a failover activation might be required without affecting other users. Up to 16 failover groups may be assigned to a user.

Example
"john.doe@greatcompany.com";"John Doe / Great Company";"John";"Doe";"en_GB"; "Europe/London";"Sales";;;"+44 7911 123456";"emea,uk"

For details concerning the different fields (length, characters) refer to the schema definitions included in the technical API documentation (see 6 API documentation).

The sync itself is set up once and tested together with a Retarus Implementation engineer.

If a user mailbox included in the file doesn’t exist yet, he will be provisioned automatically. In the first step, he is created including a random password (as a placeholder, not saved or known by Retarus or anybody else) with three status flags – see API description for details:

Activation = False means that users haven’t created an individual password for their mailbox yet. With this flag set, they aren’t able to access their Email Continuity mailbox either. This flag is set to True as soon as the user has created a password.
Access = False means that users are not able to access their web mailboxes yet. If set to True, they do have access to the web mailboxes (if Activation=True as well).
Failover = False: This flag is set to True when activating the failover routing.

In an emergency case, all three flags have to be set to TRUE, meaning that the user mailbox has been provisioned, the user created an individual password, may access the web mailbox and the emergency routing has been activated.

Synchronization also means deletion of mailboxes of users that are not included any more in the DirSync file. As a protective mechanism, mailboxes that aren’t included in the latest DirSync file any more are not deleted straight away, but deactivated first and finally deleted 7 days later. Nevertheless, the DirSync files have to be generated carefully.

3. Password generation

Before being able to use the mailbox, every user has to create an individual password once.

This process also has to be followed in case of a forgotten password after the mailbox had been activated already.

In order to create a password for the first time or create a new password, the following steps have to be completed:

Request token via API (curl request, automation possible), once per user. The Token is included in the response, alone and embedded in a URL ready to be sent to the end user.
A customer IT administrator has to request a password token via the Retarus Email Continuity API described in the second part of this document.
If the user is created via API call, the initial response already includes the token as well, no additional API call is necessary in this case.
A token consists of 32 characters (e.g., “5aec19d5bd0e4f4992fte75f845e1710”) and has to be requested for every user. Of course, this process may be automated by the customer in order to request tokens for multiple users. Access to the API is possible via curl or specialized tools like Postman.
Provide end user(s) with token URL. If the end user still has access to his corporate email address (not available during a Continuity switch-over scenario), the administrator may use the built-in email notification functionality and the end user gets an email automatically including a short description and the token URL.
Otherwise (e.g., during Continuity switch-over, where the users are no longer able to access their regular mailboxes), as an administrator, you have to send this token URL to the user via another channel.
End user creates his password via account management website. The user has click on the token URL or go to the Retarus Email Continuity account management website directly: https://account.on.retarus.com/activation (first activation) or https://account.on.retarus.com/password-reset (in case of a forgotten password).
On this page, he has to enter the token (prefilled if the token URL was used), his corporate email address and a new password.
This password has to fulfill the password policy, which is also displayed to the user:
- minimum length of 8 characters,
- min. 1 upper character,
- min. 1 lower character,
- min. 1 number (0-9) and
- min. 1 special character from this set: @$!%*?&

Account activation website

Password reset

Email Continuity switch-over process for an emergency case

The Email Continuity switch-over is not activated automatically; its activation has to be decided by the customer and done

by the customer admin via the Email Continuity API (see dedicated API documentation) or
by calling the Retarus Support.

If you obtain Retarus Email Continuity via a reseller or distributor, the process might be different.

The Continuity switch-over activation process in detail:

Retarus Support is informed about the emergency case by phone. International 24/7 support hotline: +49 89 5528-2828. This may be done by any customer employee having the Retarus support permission. Mandatory information includes for which users or “failover groups” the Continuity switch-over shall be activated.
Retarus Support writes a confirmation SMS to two or more pre-defined mobile numbers (often belonging to C-Level or other IT Security executives in the customer organization).
At least one of those contacts has to confirm the activation via SMS back. If there is only one or no reply within 15 minutes, Retarus Support tries to contact the pre-defined contact persons via telephone or – if none of them can be reached – the ticket opener, who then has to confirm the activation by email or SMS.
Retarus Support activates the Email Continuity switch-over and confirms the routing change.
All Inbound and Outbound emails are now routed to/from the Retarus Email Continuity mailbox and no longer to the customer’s email server. Emails are stored encrypted in the Retarus data centers.

Testing

Of course, the Continuity switch-over may be activated via the API for testing purposes as well. Please refer to your Retarus consultant if you would like to do testing including the Retarus Support. It is recommended to do regular yearly tests.

User password reset

This functionality is designed to be used when an end user has forgotten his password for the Email Continuity web mailbox.

Details are described under Mailbox provisioning and password generation.

The end user informs the customer admin.
The customer admin requests a new security token via an API call and forwards the token URL to the end user. If the end user still has access to his corporate email address (not available during a switch-over scenario), the administrator may use the automatic end user mail notification functionality when doing the token request.
End user sets a new password via Retarus Email Continuity account management website. Alternatively, the customer admin may set a password on behalf of the end user and hand out the password to the user directly, but in this case, the admin gets to know the password of course.

This manual process is actually necessary, because Retarus doesn’t have a “second factor” for end user authentication during a switch-over scenario (e.g., mobile number, personal email address).

Deactivation process after an incident (“switch-back”)

As soon as the corporate email infrastructure is working again, the following steps can be carried out.

If you obtain Retarus Email Continuity via a reseller or distributor, the process might be different.

The deactivation (“switch-back”) process in detail:

Retarus Support is informed about the successful restoration and the end of the emergency case by phone. International 24/7 support hotline: +49 89 5528-2828. This may be done by any customer employee having the Retarus support permission.
Retarus Support writes a confirmation SMS to three pre-defined mobile numbers (same as for the activation of the switch-over).
At least one of those contacts has to confirm the deactivation via SMS back. If there is no reply within 15 minutes, Retarus Support tries to contact the ticket opener who then has to confirm the deactivation by email or SMS.
Retarus Support deactivates the Email Continuity routing and confirms the routing change.
→ Result: Inbound and Outbound emails are routed to/from customer environment again.
Emails sent/received during the switch-over period are kept in the web mailbox.

The deactivation of the Email Continuity routing may be done by the customer admin as well, by using the Email Continuity API. Nevertheless, an information to the Retarus Support is recommended.

Webmail access is not yet disabled for end users, in order to allow them to access and read their emails from the time of the outage, as well as forward them to their regular mailbox again if necessary. (For details, see Webmail frontend for end users.)
After a grace period (e.g. two weeks), webmail access may be deactivated again for all users via API by the customer (or optionally by Retarus).

Webmail frontend for end users

Access/Login to the web mailbox

By default, access to the provisioned web mailbox is deactivated for end users, in order to avoid that end users use the web mailbox in parallel to their regular mailbox for regular business.

When the switch-over is activated during an emergency situation, the access for end users is granted as well. End users may now access the web mailbox via the public URL https://on.retarus.com.

If you would like another internal domain familiar to your employees, please contact Retarus to find the best solution. Normally, an http redirect will be the easiest solution.

Authorization works with a login user name and a password:

User name: Primary corporate email address of the user
Password: Generated by the end user during the first account activation prior to the emergency. Account activation, password setting is described in Mailbox provisioning and password generation. Resetting a (forgotten) password is described in User password reset.

Below is the login screen for end users with the Retarus default color scheme and English as the default language:

User interface

End users familiar with common email clients will be able to work with the easy-to-use webmail interface instantly without any training or documentation.

The web mailbox also uses a responsive design and is therefore fully optimized for mobile devices. Below is the web mailbox with the default color scheme and English language:

Send and receive emails / Logout

After login, the Inbox is shown automatically. The folders “Drafts,” “Sent,” and “Trash” are created automatically at first use. The end user may create other custom folders.

Emails are received automatically (pushed every five minutes) or manually via clicking on “Refresh”. Writing an email is done via clicking on “Compose”.

By default, not all existing recipient fields are displayed, but for example, the “CC” and “BCC” fields may be added by clicking on the “+”-icon on the right side:

The size of an email including attachments is restricted to 75 MB.

If no action is executed at all, the user is logged out automatically after 60 minutes for security reasons. Otherwise, the user may log out manually by clicking on “Logout”.

Forwarding emails to the regular Inbox after an incident

After the emergency is successfully resolved and the corporate mail server is working again, users start working there again. In order to be able to continue with the emails sent and received during the incident, you should leave access to the web mailboxes activated even after the switch-over routing of new emails has been deactivated again.

Now, end users may still access their web mailboxes although they don’t receive any new emails there. Nevertheless, they may forward existing emails from the web mailbox to their corporate email address. In this case, the email is relayed to their regular mailbox.

Apart from using the regular “forward” functionality users may also export a single email from the web mailbox as *.eml file by using the “export” option from the upper menu.

Built-in address book

To ensure that a user is able to reach colleagues and other departments during an emergency situation, the web mailbox includes a “Contacts” tab containing the email addresses of all provisioned Email Continuity users. A search functionality is included as well.

Localization

When a user logs in for the first time, the webmail frontend chooses its display language (menu items, buttons, etc.) based on the local browser language setting and saves this setting for the following sessions using a cookie. Nevertheless, if the user would like to use a different language, he may manually change it in the settings tab and choose between more than 80 different languages. This setting is then saved as well for the following sessions using a browser cookie.

User settings

Apart from the language setting mentioned above, the end user has a couple of other configuration options available via the settings tab. Nevertheless, the webmail client is designed to be used without training, so the number of options has been limited to a minimum, mainly time and date format, display font and font size.

API documentation

The Email Continuity API is designed for creating and managing the Email Continuity user mailboxes, as well as administrating the Continuity switch-over routing. This REST interface is described in detail using the OpenAPI format in Email Continuity API.