French Health Insurance

The French Health Insurance needed to efficiently secure their critical email communications with clients. On weekdays, the organization processes peaks of over 130.000 emails per hour. Proxmox Mail Gateway now secures this critical mail flow, improving the usability for the institution's support teams.

The French Health Insurance exists since 1945 and ensures access to healthcare for the french population, including employees and self-employed individuals. The “Caisse nationale de l'assurance maladie” (CNAM) oversees the network of organizations that make up the French Health Insurance (CPAM, UGECAM, etc.).

With about 85,000 employees, including 2,500 CNAM employees, the organization has a high volume of interaction between employees and clients. On weekdays, the organization processes between 1 and 1.6 million of OTP communications, with peaks of over 130.000 emails per hour. The overall average is just over 1 million emails (each about 50kb) sent per day.

To further secure their email communications and mitigate phishing and email spoofing, Frédéric AUCLAIR, project manager at the French Health Insurance, was looking for a new mail gateway solution for their organization as the one in use did not support DMARC compliance, was too costly, and could not enhance email tracking for better support responses.

The Challenge

“We needed to find a reliable and robust platform to send a large quantity of electronic messages to the Internet. When we had discovered Proxmox Mail Gateway on the French list of recommended open-source software for public agencies, the “socle interministériel de logiciels libres” (SILL), we were first concerned about high availability and performance. Nevertheless, the competitive pricing was a crucial factor in our decision to select the Proxmox Mail Gateway solution.”

Integrate with the OTP system for two-factor authentication

“Our goal was to implement an infrastructure dedicated to issuing one-time password (OTP) codes for two-factor authentication for users on the ameli.fr portal, in order to control this critical SMTP flow. For example, by limiting the duration of sending attempts in the event of failure; there is no point in trying for 5 days to send an OTP code only valid for 15 minutes."

"Due to the critical nature of the service, we required a resilient solution. Moreover, it was essential for us to have a straightforward and efficient method of tracking the sending of these codes so that our support teams could respond rapidly.”

The Implementation

“Through the public procurement code, we were put in contact with DynFi, the Proxmox Gold partner in France, to help us with the implementation process. Grégory Bernard, CEO from DynFi, provided great expertise on the technical architecture, advised on traffic matrix, and specific configuration.”

To support the implementation of Proxmox Mail Gateway, DynFi first performed an in-depth audit offering cutting-edge technical expertise on the underlying systems (mainly Postfix and SpamAssassin) of Proxmox Mail Gateway.

Grégory Bernard: “Our project management support enabled the French Health Insurance to optimize the integration of the open-source email security solution, guaranteeing increased resilience and performance of their infrastructure. By joining forces and both our companies' expertise, CNAM now benefits from smooth, centralized management of some of its messaging services, while maximizing the efficiency of its IT infrastructure.”

Overall, the implementation was a smooth and relatively easy process, according to Frédéric A.: “We only experienced a challenge with implementing inter-data center traffic. But all requests to the Proxmox enterprise support were answered immediately and successfully. Additionally, we found the community forum to be full of useful information and helpful users.”

The Deployment

The team around project manager Frédéric A. deployed a Proxmox Mail Gateway cluster consisting of virtual appliances. Historically, the underlying virtualization system at the data centers currently is still a VMware virtualization system. But in the future, the organization plans to evaluate if OpenStack or Proxmox Virtual Environment will be an alternative virtualization solution.

“Proxmox Gold partner DynFi helped us to deploy a cluster consisting of nine nodes”, tells Frédéric, “with the first dedicated to the role of master in the intranet zone, and the other eight dedicated to outgoing SMTP traffic. The slave nodes handle DKIM signatures and TLS encryption.”

Improved user experience with the Proxmox API

By deploying the Proxmox Mail Gateway cluster across two data centers, behind an active/active load balancer, the French Health Insurance could achieve a very good level of resilience. Thanks to the Proxmox API, they could develop a site that allows their support teams to easily trace send attempts and the reasons for their failure: this greatly streamlines response times to complaints and significantly improves the quality of interactions.

“One of our favorites of Proxmox Mail Gateway is its centralized administration”, explains Frédéric Auclair. “The clarity of the interface adds even more strength to this open-source email security solution.”

"In the end, we feel that the team French Health Insurance + DynFi + Proxmox has formed a winning trio!"

Frédéric Auclair
Project Manager IT Development

About the French Health Insurance
The French Health Insurance exists since 1945 and ensures access to healthcare for the french population. The “Caisse nationale de l'assurance maladie” (CNAM) oversees the network of organizations that make up the French Health Insurance. With about 85,000 employees, including 2,500 CNAM employees, the organization has a high volume of interaction between employees and clients.

About Proxmox partner: DynFi
DynFi, the french Proxmox Gold partner, specializes in Proxmox project management and supports its clients in deploying, optimizing, and managing virtualized infrastructures. With strong expertise in networking, cybersecurity, and mail server solutions, DynFi provides tailored services that include compatible hardware and reliable data center hosting. More at: https://dynfi.com/proxmox/