Mail Encryption Endpoints

PGP and Password encryption is not available in FIPS mode. If your Secure Email Gateway is operating in FIPS mode, you will only be able to use an S/MIME Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification for secure email messages that uses the X.509 format for digital certificates and uses various encryption algorithms such as 3DES. certificate A digital means of proving your identity. When you send a digitally-signed message, you are sending your certificate and public key. Certificates are issued by a certification authority and can expire or be revoked. or the recipient's key (and the sender's key) as encryption options. This is to maintain compliance with FIPS 140-2.

What's a mail encryption endpoint?

A mail encryption endpoint A profile of encryption settings for the Email Gateway to use for recipients that match the endpoint. is a package of encryption settings that are specific to one or more recipient email addresses. An endpoint can apply to a single email address, an address list, or a domain.

The endpoint tells the Gateway which Partner public key The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt email messages to the sender. to use to encrypt messages and (if necessary) which Corporate private key The secret key kept on the sender's computer that the sender uses to digitally sign messages to recipients and to decrypt messages from recipients. Private keys should be password protected. to use to digitally sign messages.

Where are encryption endpoints used?

You configure policy routes and policy content rules to specify that an email message must be delivered using encryption endpoints:

• Mail policy route
  You enable encryption by changing the default delivery action.

• Mail policy content rule
  You enable encryption by changing the delivery disposal action.

How many endpoints do I need?

If encryption is enabled on a mail policy route, then mail from a sender and/or to a recipient for that route is encrypted. For example, you can encrypt mail sent from Anyone to My Company, or from a designated address list to a designated address list. You need to create encryption endpoints that match all of those recipients.

For example, one message could have recipients that match different endpoints such that one is encrypted using S/MIME, one signed with PGP, and one sent unencrypted. This is known as message splitting.

If no valid endpoint is found for at least one of the message recipients, encryption fails.

Which endpoint is used?

The Gateway matches the mail route by searching the endpoints in the order defined on the Mail Encryption Endpoints page. Endpoints that are higher in the list take precedence over lower ones.

For example, you could have an endpoint for all users in the My Company address list that does not encrypt their email messages, and higher-priority entries for individual users who need encryption to be applied to their email messages.

If an endpoint is found that cannot be used (because the key is expired, for example), encryption fails.

To catch any recipients that don’t match another endpoint, define a "fallback" endpoint that does not sign or encrypt at the end of the list of endpoints.

What else do I need to know?

• If you have nominated a PGP or S/MIME certificate to encrypt the message, you may only choose a certificate of the same type to sign it (or use “sender’s key”).
• If a password is chosen to encrypt a message, you cannot sign it.
• You can sign a message even if you have chosen not to encrypt it.

• For any given mail recipient, only one endpoint is used. If you want the message to be signed and encrypted for that recipient, the first endpoint that matches that recipient address must specify both signing and encryption.

See also...

• Enable encryption on a mail policy route
• Encrypt email using mail policy content rules