Define an automatic mail encryption endpoint

You can define a mail encryption endpoint without selecting the encryption certificate. The Email Gateway automatically searches for the correct encryption certificate to use. Following on from the steps in Define endpoints, continue below to define an automatic mail encryption endpoint:

1. In the Encryption and Signing Options area, select Encrypt the message using: and choose either the recipient's key, or the following certificate.

   If you select the following certificate, click the Search button to find a particular certificate from the Certificate Store. The search operates on the certificate Details field.

   If you select the recipient's key, when the email message is sent, the Email Gateway selects a PGP or S/MIME certificate with the recipient’s email address as its owner.

2. In the PGP Options area, click Click here to change these settings, and then follow the instructions on screen.

   PGP encryption is not available in FIPS mode. If your Gateway is operating in FIPS mode, you will only be able to use S/MIME defaults. This is to maintain compliance with FIPS 140-2.

3. In the S/MIME Options area, click Click here to change these settings, and then follow the instructions on screen.

   Extra information

   Setting	Description
   Messages will be signed using the detached format	S/MIME signatures are usually detached signatures where the signature information is separate from the text being signed. The MIME type for this is multipart/signed with the second part having a MIME subtype of application/(x-)pkcs7-signature. It is possible, however, for mailing list software to change the textual part and invalidate the signature.
   Messages will be signed using the opaque format	The secured content in S/MIME messages is actually made up of Multipurpose Internet Mail Extension (MIME) body parts. A plain text message can, therefore, contain an attached signature. This is called a clear-signed message because the message can be read without verifying the signature. An opaque-signed message contains the message and signature combined in a single part that cannot be read except by verifying the signature.
   Encryption using RSA/PSS is Enabled/Disabled	RSA/PSS (Probabilistic Signature Scheme) is a cryptographic signature scheme, which is part of the Public Key Cryptography Standards. We recommend that you confirm the recipient supports this option, before enabling.
   Message header protection is Enabled/Disabled	Message header protection specifies that message headers will be included in the encrypted part of the message. You can specify a replacement subject header if necessary, provided header protection is enabled.
   Encryption using RSA/OAEP is Enabled/Disabled	RSA/OAEP (Optimal Asymmetric Encryption Padding) provides security against ciphertext attacks by processing plaintext prior to assymetric encryption.

4. Apply the configuration.

What else do I need to know?

• When Automatic Encryption using the recipient's key is selected, and the Automatic Encryption default setting is to use password encryption if an encryption key cannot be found, the Email Gateway will use Password Encryption.

  However, if the PGP default setting is to use inline format, and the definition of whether Message Attachments will be encrypted is different from that in Password Encryption Defaults, the PGP setting takes precedence.

• The key type (PGP or S/MIME) selected for encryption and signing must be the same. When using automatic encryption and signing, the key type selected for encryption takes precedence over the possible keys that could be used for signing.
• When automatic encryption is selected, and signing is also specified, the message will not be signed if the encryption fails and reverts to password encryption.

See also...

• Configure the encryption/decryption default settings
• Apply the new configuration
• Apply encryption endpoints to a mail policy route