Information and Guidance for the Email Gateway Service for N3 Organisations


The Email Gateway Service provided by NHSmail offers:

  • The relay service for inbound/outbound spam and antivirus scanning for N3/HSCN hosted *.nhs.uk email domains
  • Inbound/outbound spam and antivirus scanning for the NHSmail service

  • This guidance page offers information about the Email Gateway Service as well as configuration details. If you have been referred to this page, please review the guidance below to address your query.

    • N3/HSCN *.nhs.uk email domains can use the Email Gateway by configuring their Message Transfer Agents (MTAs) to route traffic to/from the Email Gateway. See the configuration section in this guidance page.

    • The primary connection and configuration settings for the Email Gateway Service are listed below:

      Server Name: relay.nhs.uk
      Authentication: Anonymous
      TLS: Opportunistic supported
      SMTP port: 25
      SSL: Not supported
      Plain text: Supported
      IP Addresses: Variable to support high availability. Currently 155.231.210.221, 155.231.210.222, 155.231.210.253 and 155.231.210.254
      Note: these addresses must not be hard-coded into applications; host names should always be used.
      DNS: Reverse DNS entries are checked against sending systems. Where a reverse DNS check fails, email will not be accepted. Please register your DNS entry with dnsteam@nhs.net
    • The Email Gateway should always be used for nhs.uk to nhs.uk message transfer to provide additional anti-virus and anti-spam protection to your email traffic over and above your own local protection.

    • The use of static IP addresses is not supported by the Email Gateway for NHSmail. All configuration should be based on N3/HSCN DNS pointing to relay.nhs.uk (see how I configure my Organisation). It is possible for organisations to point directly to the endpoints of 'relay.nhs.uk', but these may change with little or no notice, and therefore the availability of any or all of the IPs cannot be guaranteed. Equally, access to the Email Gateway should not be restricted by connecting IP, as connecting IPs may change over the service lifetime.

    • The Email Gateway will check reverse DNS (PTR) records as a form of connection validation. Therefore, organisations must have a reverse (PTR) record set up for any/all MTAs sending mail to the Email Gateway. To request a PTR record, contact NHS Digital via their online SMTP registration form.

    • As the Email Gateway services multiple interfaces (N3/HSCN, NHSmail and internet), the Email Gateway does not provide corresponding helo/ehlo responses to N3/HSCN DNS. Therefore, N3/HSCN organisations should not use the helo/ehlo response as a form of validation against the Email Gateway.

    • The Email Gateway supports opportunistic TLS, meaning that if an organisation’s MTA attempts to connect to the Email Gateway using TLS, TLS will be used. However, TLS is not enforced or required for a connection. This means there is no end-to-end guarantee of encryption: your sending MTA may use TLS, but when the relay service connects to the next hop to deliver the message after scanning, that system may not support or use TLS.

      The Email Gateway only supports message transfer on port 25 meaning all traffic (TLS or otherwise) should be directed to the Email Gateway over port 25 only.

      The Email Gateway supports only a modern set of cipher suites. To use TLS successfully, a corresponding cipher suite must be used with the Email Gateway; otherwise the connection will fail to be established. The following is a list of the cipher suites supported by the Email Gateway.

      Length   Cipher Suite
      ------   --------------------
      256      ADH-AES256-SHA
               DHE-RSA-AES256-SHA
               DHE-DSS-AES256-SHA
               AES256-SHA
      128      ADH-AES128-SHA
               DHE-RSA-AES128-SHA
               DHE-DSS-AES128-SHA
               AES128-SHA
               ADH-DES-CBC3-SHA
               EDH-RSA-DES-CBC3-SHA
               EDH-DSS-DES-CBC3-SHA
               DES-CBC3-SHA

      Note 1: It should also be noted that a number of these cipher suites do not meet UK Government or NHS security requirements.
      Note 2: Although no longer supported for use, it has been found that Windows 2003 servers require a patch to match the cipher settings supported by the Email Gateway. The following Microsoft patch for Windows 2003 has successfully been deployed to alleviate default incompatibility (https://support.microsoft.com/en-us/kb/948963). This stated fix cannot be guaranteed in every circumstance.
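The cipher list above can be compared with what a local MTA's TLS stack actually offers. The following is an added example, not part of the NHSmail guidance, written in Python: it enumerates the OpenSSL cipher names the local build supports, intersects them with the gateway's published list, and flags the suites that Note 1 alludes to. The classification rules (anonymous DH, 3DES, no forward secrecy, SHA-1 HMAC) are this example's own reading of the suite names, not a statement of gateway policy.

```python
"""Compare a local OpenSSL cipher list with the Email Gateway's published suites.

Added example, not NHSmail code. The weakness rules below are this example's
own reading of the suites' properties, not a statement of gateway policy.
"""
import ssl

# Cipher suites from the table above, in the order published (OpenSSL names).
GATEWAY_CIPHERS = [
    "ADH-AES256-SHA", "DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA",
    "ADH-AES128-SHA", "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "AES128-SHA",
    "ADH-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
]


def weaknesses(name):
    """Known shortcomings of an OpenSSL-named suite, derived from its name."""
    reasons = []
    if name.startswith("ADH-"):
        reasons.append("anonymous DH: peer is not authenticated")
    if "DES-CBC3" in name:
        reasons.append("3DES: 64-bit block cipher, deprecated")
    if not name.startswith(("ADH-", "DHE-", "EDH-", "ECDHE-")):
        reasons.append("static RSA key exchange: no forward secrecy")
    if name.endswith("-SHA"):
        reasons.append("CBC mode with HMAC-SHA1")
    return reasons


def classify(name):
    """'unacceptable' for anonymous DH or 3DES, 'legacy' for other CBC/SHA1 suites."""
    if name.startswith("ADH-") or "DES-CBC3" in name:
        return "unacceptable"
    return "legacy" if weaknesses(name) else "ok"


def local_cipher_names(context=None):
    """OpenSSL names of the suites this Python/OpenSSL build would offer."""
    ctx = context or ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers()]


def negotiable(local_names, gateway_names=GATEWAY_CIPHERS):
    """Suites present on both sides, in the gateway's published order."""
    local = set(local_names)
    return [c for c in gateway_names if c in local]


def preferred(local_names, gateway_names=GATEWAY_CIPHERS):
    """Negotiable suites minus the unacceptable ones, forward-secret (DHE) first."""
    usable = [c for c in negotiable(local_names, gateway_names)
              if classify(c) != "unacceptable"]
    return sorted(usable, key=lambda c: (not c.startswith(("DHE-", "EDH-")),
                                         gateway_names.index(c)))


if __name__ == "__main__":
    mine = local_cipher_names()
    common = negotiable(mine)
    print(f"{len(common)} of {len(GATEWAY_CIPHERS)} gateway suites are offered locally")
    for suite in common:
        print(f"  {suite:24} {classify(suite):12} {'; '.join(weaknesses(suite))}")
    print("preferred order:", preferred(mine) or "none (TLS to the gateway would fail)")
```

An empty `preferred()` result means the local stack shares no acceptable suite with the gateway and the session would either fail the TLS handshake or fall back to plain text under opportunistic TLS, which is exactly the silent downgrade the paragraph above warns about.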

    • To use the Email Gateway, local organisations must ensure inbound/outbound connectivity to the following IP addresses is available from the organisation’s sending/receiving Message Transfer Agents (MTAs):

      • 155.231.210.221
      • 155.231.210.222
      • 155.231.210.253
      • 155.231.210.254

      To test the connection to the Email Gateway IPs, log on to the local MTA and run the command ‘telnet <IP> 25’. The response should come back with 220 SMTP-S or 220 SMTP-H. Below is an example of successful output:

      # telnet 155.231.210.221 25
      Trying 155.231.210.221...
      Connected to 155.231.210.221.
      Escape character is '^]'.
      220 SMTP-S

      When configuring a connection to the Email Gateway by MTAs or applications, a hardcoded IP address is not recommended or supported. DNS should be used as it allows for dynamic service resiliency and failover.

      What if testing fails?
      1. Ensure the test is being executed from your MTA on N3/HSCN, and that an appropriate PTR record exists.
      2. Confirm your organisation's firewalls permit the full IP ranges used for NHSmail (not just the IP addresses listed above): 155.231.210.192/26 and 10.222.62.0/24

      If testing still fails, contact NHSmail support, as listed in the Where can I get help? section.
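The telnet check and the two troubleshooting steps above can be scripted so that every endpoint behind the relay host name is tested, rather than one hard-coded address. The following is an added example in Python, not NHSmail code: it resolves relay.nhs.uk (the published name; the hostname is the only gateway-specific value it uses), reads the SMTP greeting from each address, compares it with the two banners the guidance lists, and looks up the PTR record of an address for step 1 of the checklist.

```python
"""Reproduce the 'telnet <IP> 25' check above in code, against every endpoint
behind the relay hostname rather than a hard-coded address.

Added example, not NHSmail code. The banner strings come from the guidance;
the default host name is the gateway's published relay.nhs.uk.
"""
import socket

EXPECTED_BANNERS = ("220 SMTP-S", "220 SMTP-H")


def banner_ok(banner):
    """True when the final greeting line is one of the gateway's two banners."""
    lines = [line.strip() for line in banner.splitlines() if line.strip()]
    last = lines[-1] if lines else ""
    return any(last == b or last.startswith(b + " ") for b in EXPECTED_BANNERS)


def read_greeting(sock):
    """Read the (possibly multi-line) 220 greeting until its final line."""
    data = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
        lines = data.split(b"\r\n")
        # The last line of an SMTP reply has a space (not '-') after the code.
        if len(lines) > 1 and lines[-2][3:4] == b" ":
            break
    return data.decode("ascii", errors="replace")


def smtp_banner(host, port=25, timeout=10):
    """Connect to one endpoint, return its greeting, and QUIT politely."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        greeting = read_greeting(sock)
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return greeting


def resolve_all(hostname, port=25):
    """Every address the relay name currently resolves to (DNS, not hard-coded)."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def ptr_record(ip):
    """PTR name for an address, or None if there is none (checklist step 1)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_relay(hostname="relay.nhs.uk"):
    """Map each resolved endpoint to (banner_ok, greeting or error text)."""
    results = {}
    for ip in resolve_all(hostname):
        try:
            greeting = smtp_banner(ip)
            results[ip] = (banner_ok(greeting), greeting.strip())
        except OSError as exc:  # firewall drop, timeout, connection refused
            results[ip] = (False, f"connection failed: {exc}")
    return results


if __name__ == "__main__":
    for ip, (ok, detail) in check_relay().items():
        print(f"{ip:16} {'OK ' if ok else 'BAD'} {detail}")
```

Run it from the MTA host itself, since the gateway validates the connecting address and its PTR record; a result of `connection failed` on some endpoints but not others usually points at the firewall ranges in step 2.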

    • The NHSmail service has protective DNS records using Sender Policy Framework (SPF). SPF assists with anti-spoofing and, more generally, with the IP reputation ratings that drive blacklisting. If a local organisation wishes to implement SPF for its own domain, it can create a single record referencing the domain nhs.net.

      To have an entry for your organisation's *.nhs.uk domain, submit a request to the NHS Digital DNS team (dnsteam@nhs.net) to update your DNS with a new record of type “TXT” containing the following:

      v=spf1 include:_spf.nhs.net ~all

      or, more specifically, v=spf1 include:_spf.nhs.net ip4:<IP1> ip4:<IP2> -all (where IP1 and IP2 are the local organisation's MTAs).

      The above TXT record will inherit the configuration from the master nhs.net SPF record (which would be updated with any changes to IP for the Email Gateway service). For other information and guidance regarding SPF please refer to the Open SPF Project.

    • Using an SPF record for your organisation's *.nhs.uk domain is highly recommended and encouraged.

      • ~all is a softfail SPF record; typically this setting allows messages to be delivered.

      • -all is a restrictive SPF record; it is recommended to use softfail as a test before implementing restrictive SPF.

      The most important thing for SPF is to get the record correct when creating it; otherwise sending/receiving email can be restricted. There are several SPF testing tools (such as MX Toolbox) for testing SPF records. Ensure testing is done before and after implementation, confirming that mail flow is not impacted by the new SPF records.

      See the public SPF project for more details on SPF: Open SPF Project.

      Note that once SPF is set, other systems, such as internet-based marketing services that pretend to send from your system, will have their email rejected if they set the From address to that of your nhs.uk domain.
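The two record shapes above, and the difference between ~all and -all, can be exercised offline before anything is published. The following is an added example in Python, not NHSmail code: a small SPF evaluator covering the mechanisms the records above use (include, ip4/ip6 and all with its qualifiers), plus a lint pass for the mistakes that break mail flow, such as leaving the <IP1> placeholders in. The TXT records it consults are constructed stand-ins held in a dictionary so that it runs without DNS; the netblocks are documentation ranges, not the real _spf.nhs.net contents.

```python
"""Offline SPF evaluator for the record shapes shown above.

Added example, not NHSmail code. The TXT records below are constructed so the
example runs without DNS; the netblocks are documentation ranges, not the
real _spf.nhs.net contents. Replace lookup_spf() with a real TXT query to use
this against live DNS.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real nhs.net or organisation data).
FAKE_TXT = {
    "_spf.nhs.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example.nhs.uk": "v=spf1 include:_spf.nhs.net ~all",
    "strict.example.nhs.uk": "v=spf1 include:_spf.nhs.net ip4:198.51.100.10 ip4:198.51.100.11 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
KNOWN_MECHANISMS = ("all", "ip4", "ip6", "include")


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the domain's spf1 record, or None when it has none."""
    record = txt.get(domain.lower().rstrip("."))
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def split_term(term):
    """'~ip4:1.2.3.4' -> ('~', 'ip4', '1.2.3.4'); the qualifier defaults to '+'."""
    qualifier = "+"
    if term and term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def check_spf(ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate ip against domain's record: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                       # RFC 7208 limit on DNS-querying mechanisms
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, name, arg = split_term(term)
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr in network:          # False when address families differ
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(ip, arg, txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"       # including a missing/broken record is fatal
        else:
            return "permerror"           # a, mx, exists, redirect: not modelled here
    return "neutral"                     # nothing matched and no 'all' term


def lint_spf(record):
    """Problems that would break mail flow, to catch before the record goes live."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    all_qualifiers = [split_term(t)[0] for t in terms[1:] if split_term(t)[1] == "all"]
    if not all_qualifiers:
        problems.append("no terminating 'all': unmatched senders get neutral")
    elif all_qualifiers[0] == "+":
        problems.append("+all authorises every host on the internet")
    for term in terms[1:]:
        _, name, arg = split_term(term)
        if name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"unparsable address in {term}")
        elif name not in KNOWN_MECHANISMS:
            problems.append(f"mechanism {name!r} not handled by this checker")
    return problems
```

With the constructed records, a sender inside the included nhs.net range passes under both shapes, while an unlisted sender gets softfail from the ~all record and fail from the -all one; that is the behavioural difference the two bullets above describe, and the reason to trial ~all first.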

    • DomainKeys Identified Mail (DKIM) is used to sign outgoing message content. If an organisation wishes to use DKIM to sign or check mail, please refer to the DKIM support pages on dkim.org (http://www.dkim.org). Signing of outbound mail from N3 is the responsibility of N3 organisations.

    • Domain-based Message Authentication, Reporting and Conformance (DMARC) builds upon SPF and DKIM and adds reporting functionality. DMARC is an additional DNS TXT record and can take a variety of options. The managed domain nhs.net has DMARC enabled.

      A *.nhs.uk organisation can set up a DMARC record by creating an internet facing DNS TXT record in a format similar to the following:

      _dmarc.<organisation>.nhs.uk TXT v=DMARC1; p=reject; rua=mailto:<feedbackemailaddress>

      As there are various flags/options around DMARC, please review DMARC.org ( https://dmarc.org/) for options for specific configuration.
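Because a DMARC record is a single TXT string of tag=value pairs, a syntax slip (a misspelt policy, a report address without mailto:) silently leaves the domain unprotected. The following is an added example in Python, not NHSmail code, that parses a record of the shape shown above into its tags and checks the tags that matter for the policy to take effect. Tag names and permitted values are those of RFC 7489; the domain and report addresses used are constructed placeholders.

```python
"""Parse and sanity-check a DMARC TXT record of the shape shown above.

Added example, not NHSmail code. Tag names and allowed values follow RFC 7489;
the sample addresses are constructed placeholders.
"""

POLICIES = ("none", "quarantine", "reject")


def dmarc_record_name(domain):
    """Owner name of the TXT record: _dmarc.<domain>."""
    return "_dmarc." + domain.strip().rstrip(".").lower()


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into an ordered tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return a list of problems; an empty list means the record is usable."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # v=DMARC1 must be the first tag for receivers to recognise the record.
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy not in POLICIES:
        problems.append(f"p={policy!r} is not one of {', '.join(POLICIES)}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append(f"sp={tags['sp']!r} is not one of {', '.join(POLICIES)}")
    # Report destinations are comma-separated mailto: URIs.
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                problems.append(f"{tag} address {uri!r} must be a mailto: URI")
    if "rua" not in tags:
        problems.append("no rua= address: aggregate reports will not be received")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append(f"pct={pct!r} must be an integer from 0 to 100")
    return problems
```

Publishing the record at `dmarc_record_name("<organisation>.nhs.uk")` with p=none first, then moving to quarantine and reject once the aggregate reports show only legitimate senders, mirrors the softfail-first advice given for SPF above.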

    • For the domain nhs.uk, the Email Gateway supports up to 3 levels of sub-domain for email transfer. No domain more than 3 sub-domain levels deep should be used to send or receive email. The example below illustrates the sub-domain level support of the Email Gateway for *.nhs.uk domains:

      Domain Level                   Pattern        Example Domain   Example Email
      Top Level and 1st Sub-Domain   *.nhs.uk       x.nhs.uk         test@x.nhs.uk
      2nd Level Sub-Domain           *.*.nhs.uk     x.x.nhs.uk       test@x.x.nhs.uk
      3rd Level Sub-Domain           *.*.*.nhs.uk   x.x.x.nhs.uk     test@x.x.x.nhs.uk

      Any sub-domain level greater than 3 (as illustrated above) is not supported and may be rejected by the Email Gateway service.
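The depth rule in the table can be enforced when provisioning sender addresses or routing rules, so that a too-deep domain is caught locally rather than rejected by the gateway. The following is an added example in Python, not NHSmail code: it counts labels below nhs.uk, handling case and a trailing dot, and accepts 1 to 3 levels. Whether the bare domain nhs.uk itself (depth 0) is relayed is not stated in the guidance; treating it as unsupported is this example's assumption.

```python
"""Check that an nhs.uk address is no more than three sub-domain levels deep.

Added example, not NHSmail code. It reads the table above literally: 1 to 3
labels below nhs.uk are supported; bare nhs.uk and deeper names are not (the
bare-domain case is this example's assumption, the guidance does not say).
"""


def nhs_uk_depth(domain):
    """Labels below nhs.uk (x.nhs.uk -> 1), or None if not an nhs.uk name."""
    labels = domain.strip().rstrip(".").lower().split(".")
    if labels[-2:] != ["nhs", "uk"] or "" in labels:  # empty label = malformed
        return None
    return len(labels) - 2


def gateway_supports(address):
    """True when the address's domain is between 1 and 3 levels below nhs.uk."""
    local, at, domain = address.rpartition("@")
    if not at or not local:
        return False
    depth = nhs_uk_depth(domain)
    return depth is not None and 1 <= depth <= 3
```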

    • The Email Gateway does not tolerate spoofing of NHSmail domains. DNS records (such as SPF) have been implemented specifically to restrict spoofing of the secure NHSmail domains, and Email Gateway-specific transfer rules are in place to check for spoofing and limit it. Spoofing any of the NHSmail domains through the relay is not permitted. NHSmail recommends that all N3/HSCN based organisations:

      1. Do not spoof nhs.net or hscic.gov.uk; doing so may result in email being blocked.

      2. Set up SPF records to limit spoofing of N3/HSCN organisations' domains (see DNS, and Sender Policy Framework).

    • The Email Gateway checks all outbound messages for SPAM and attempts to prevent both SPAM and malicious files/attachments from being sent. SPAM and malicious email are not the only causes of blacklisting; it can also happen for the following reasons:

      • Automated Email Bounce Backs – N3/HSCN based *.nhs.uk organisations sending automated emails to external recipients must monitor bounce backs. The higher the number of undelivered (bounced back) email from the Email Gateway, the higher the potential the Email Gateway would be categorised as a spamming source. It is vital that any automated mailing facility has a process in place to check and remove bounced email from mailing lists.

      • Compromised Accounts – A compromised account has the ability to send SPAM or malicious email. These emails (due to coming from a semi-trusted source on the N3/HSCN), may have been able to send several emails through the Email Gateway before being classified as SPAM (or malicious). It is important that local organisations monitor email locally for suspicious activity and ensure only warranted communications are sent to the Email Gateway.

      • Compromised Systems – Locally compromised systems can themselves be sources of spam or malicious email, or can lead to compromised accounts. All N3/HSCN based organisations should have security policies, antivirus, and system monitoring in place to minimise the likelihood of compromised systems.

    • The Email Gateway tracks SPAM and malicious files from N3/HSCN based organisations. If these organisations send large volumes of SPAM or malicious files to the Email Gateway, the Email Gateway will block the offending organisation at the internet protocol (IP) level from sending any mail for up to four hours. This block is done to protect the greater base of N3/HSCN *.nhs.uk organisations who rely on the Email Gateway.

    • The Email Gateway monitors the volume of email sent from all accounts. This monitoring is in place to protect against compromised accounts, compromised systems and ultimately the blacklisting of the Email Gateway. If an account is designated to send high volumes of email, please contact the Email Gateway team (relayhelpdesk@nhs.net) for the account to be added to a high-sender whitelist.

    • Data transmitted across the Relay Service is not guaranteed to be encrypted end to end or to meet the national encryption cipher requirements. The Relay Service is therefore not considered secure enough to transmit patient identifiable or similarly sensitive data, and on its own it does not meet the Caldicott Guidelines requirements. It is the joint responsibility of the sender(s) and receiver(s) of such data to implement a conforming solution, such as suitably encrypted messages that provide end-to-end integrity.

    • Message restrictions across the Email Gateway service are:

      Message Size Limit: 35MB
      Permitted/Restricted Attachment Types: See the Attachments Guide for complete details on attachments.
      Rate Limiting: The Email Gateway service monitors and restricts/limits message transfer if large volumes of messages are unexpectedly seen. This restriction can be placed at the IP level, or on specific accounts.
