Define an automatic mail signing endpoint

You can define a mail encryption endpoint without specifying the PGP or S/MIME certificate that contains the sender's private key. The Email Gateway automatically searches for the correct key certificate to use. Following on from the steps in Define endpoints, continue below to define an automatic mail signing endpoint:

1. In the Encryption and Signing Options area, deselect the Encrypt the message using: option.

2. Select Sign the messages using: and choose either the sender's key, or the following certificate.

   If you select the following certificate, click the Search button to find a particular certificate from the Certificate Store. The search operates on the certificate Details field.

   If you select the sender's key, when the email message is sent, the Email Gateway selects a PGP or S/MIME key certificate with the sender’s email address as its owner.

3. In the PGP Options area, click Click here to change these settings, and then follow the instructions on screen.

   PGP signing is not available in FIPS mode. If your Gateway is operating in FIPS mode, you will only be able to use S/MIME defaults. This is to maintain compliance with FIPS 140-2.

4. In the S/MIME Options area, click Click here to change these settings, and then follow the instructions on screen.

   Extra information

   Setting	Description
   Messages will be signed using the detached format	S/MIME signatures are usually detached signatures where the signature information is separate from the text being signed. The MIME type for this is multipart/signed with the second part having a MIME subtype of application/(x-)pkcs7-signature. It is possible, however, for mailing list software to change the textual part and invalidate the signature.
   Messages will be signed using the opaque format	The secured content in S/MIME messages is actually made up of Multipurpose Internet Mail Extension (MIME) body parts. A plain text message can, therefore, contain an attached signature. This is called a clear-signed message because the message can be read without verifying the signature. An opaque-signed message contains the message and signature combined in a single part that cannot be read except by verifying the signature.
   Encryption using RSA/PSS is Enabled/Disabled	RSA/PSS (Probabilistic Signature Scheme) is a cryptographic signature scheme, which is part of the Public Key Cryptography Standards. We recommend that you confirm the recipient supports this option, before enabling.
   Encryption using RSA/OAEP is Enabled/Disabled	RSA/OAEP (Optimal Asymmetric Encryption Padding) provides security against ciphertext attacks by processing plaintext prior to assymetric encryption.
   Message header protection is Enabled/Disabled	Message header protection specifies that message headers will be included in the encrypted part of the message. You can specify a replacement subject header if necessary, provided header protection is enabled.

5. Apply the configuration.

Notes

• If there are two or more keys of different types (PGP and S/MIME), you can configure the default encryption/decryption settings to prefer one key type.

  Show me how

  1. Navigate to System > Encryption > Encryption/Decryption Defaults.
  2. In the Key Resolution area, click Click here to change these settings.
  3. Select either S/MIME key or PGP key.
  4. Click Save.
  5. Apply the configuration.
• If there are two or more keys of the same type (PGP or S/MIME) that could be used to sign the message, the first key that was saved in the store is used.
• The key type (PGP or S/MIME) selected for encryption and signing must be the same. When using automatic encryption and signing, the key type selected for encryption takes precedence over the possible keys that could be used for signing.
• When automatic encryption is selected, and signing is also specified, the message will not be signed if the encryption fails and reverts to password encryption.

• When automatic encryption is enabled, the Email Gateway searches the certificate store for a public key to use for encryption. You can configure the Email Gateway to query one or more external key servers if a suitable key can't be found in the certificate store.

See also...

• Apply the new configuration
• Encryption/Decryption Defaults
• Create, edit or delete a key server query
• Apply encryption endpoints to a mail policy route