Send Email Inside Air Gap

Service Forwarder Email

Use public email provider from within an air-gap environment using Agilicus Service Forwarder

The situation: we have a machine in an industrial air-gap environment that needs to send email. Perhaps it's VTScada, perhaps something else. We would prefer to use Google (smtp.google.com) or Microsoft (Outlook).

The site has no outbound Internet connectivity, and adding it is undesired. The Agilicus connector has a single outbound HTTPS (port 443) connection, and we will multiplex the SMTP traffic over this.

In the diagram below, we have a system that needs to send email (VTS), two Agilicus Connectors (C1, C2) configured as a high-availability set, a site firewall (FW), and our company headquarters with an Agilicus Connector (HQ).

The Agilicus connectors each have HTTPS outbound connectivity (port 443) to a fixed IP (Agilicus AnyX).

To configure this, we first create a Network. This logically runs in the *HQ* site, and must have onward connectivity (and DNS lookup) to the mail server. In the example given, we have used smtp.google.com, port 587.

NOTE: Google Email Authentication

To prevent spam, Google has strict authentication requirements for connecting to its SMTP service. You can see more information in “Send email from a printer, scanner, or app”.

The parameters for the network are:

Name:           arbitrary (this is a label for you)
Hostname/IP:    smtp.google.com (or IP)
Port:           587
Via Connector:  HQ (or the name of your connector running outside the firewall)

Next we create the Service Forwarder. Conceptually this runs on the connector within the air-gap site. It listens on a port and forwards that traffic to the Network we defined above.

Source Connector:     C1 (or your on-premise connector)
Destination Network:  (the name chosen above in Networks)
Source IP/Hostname:   0.0.0.0 (causes it to listen on the external interface)
Source Port:          587

At this time the connectors (C1 and C2 above) will start listening on port 587. You can now configure your SMTP client to use the IP of C1 or C2, port 587, and configure the SMTP authentication settings.

To diagnose, use Connectors/Overview, select the action button (3 dots) and then ‘view detailed statistics’. Wait a few seconds, attempt to send some email, wait a few seconds more, and observe the counters.
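A further check, as an added example (not part of the Agilicus documentation or product): because the Service Forwarder relays raw TCP, TLS is negotiated end to end between the SMTP client and the upstream mail server, so the client must verify the certificate against the upstream hostname (smtp.google.com), not the connector IP it connects to. The script below connects to a connector's listening port, confirms the relayed server advertises STARTTLS before any credentials are sent, and verifies the certificate for the upstream name; the connector IP 192.0.2.10 and the EHLO name are placeholders.

```python
import socket
import ssl

CONNECTOR_IP = "192.0.2.10"        # placeholder: IP of connector C1 or C2
RELAY_PORT = 587                   # Source Port of the Service Forwarder
UPSTREAM_HOST = "smtp.google.com"  # Hostname configured in the Network


def read_reply(rfile):
    """Read one SMTP reply (single or multi-line); return (code, [text lines])."""
    code, lines = None, []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("relay closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        code = int(line[:3])
        more = line[3:4] == "-"          # "250-" continues, "250 " ends the reply
        lines.append(line[4:])
        if not more:
            return code, lines


def ehlo_offers_starttls(ehlo_lines):
    """True if the EHLO capability list (after the greeting line) advertises STARTTLS."""
    return any(l.strip().upper() == "STARTTLS" for l in ehlo_lines[1:])


def check_relay(connector_ip=CONNECTOR_IP, port=RELAY_PORT, upstream=UPSTREAM_HOST):
    """Probe the forwarder: banner, EHLO, STARTTLS, then verify the upstream cert."""
    with socket.create_connection((connector_ip, port), timeout=10) as sock:
        rfile = sock.makefile("rb")
        code, banner = read_reply(rfile)
        if code != 220:
            return False, f"unexpected banner {code}: {banner}"
        sock.sendall(b"EHLO airgap-client.example\r\n")   # placeholder client name
        code, caps = read_reply(rfile)
        if code != 250 or not ehlo_offers_starttls(caps):
            return False, "upstream did not offer STARTTLS; do not send credentials"
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(rfile)
        if code != 220:
            return False, f"STARTTLS refused with code {code}"
        # Default context checks the chain and the hostname; server_hostname must be
        # the upstream SMTP name, since the connector IP is not in the certificate.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=upstream) as tls:
            subject = tls.getpeercert().get("subject")
            tls.sendall(b"QUIT\r\n")
            return True, f"TLS to {upstream} via {connector_ip}: {subject}"


if __name__ == "__main__":
    print(check_relay())
```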