
Message Encryption

Administration Guide
Google, Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043
www.google.com

Part number: ENCAD_R6.16_13

4 November 2008

Copyright 2008 Google, Inc. All rights reserved.

Google, the Google logo, Google Message Filtering, Google Message Security, Google Message Discovery, Postini, the
Postini logo, Postini Perimeter Manager, Postini Threat Identification Network (PTIN), Postini Industry Heuristics, and
PREEMPT are trademarks, registered trademarks, or service marks of Google, Inc. All other trademarks are the property of
their respective owners.

Use of any Google solution is governed by the license agreement included in your original contract. Any intellectual property
rights relating to the Google services are and shall remain the exclusive property of Google, Inc. and/or its subsidiaries
(Google). You may not attempt to decipher, decompile, or develop source code for any Google product or service offering,
or knowingly allow others to do so.

Google documentation may not be sold, resold, licensed or sublicensed and may not be transferred without the prior written
consent of Google. Your right to copy this manual is limited by copyright law. Making copies, adaptations, or compilation works
without prior written authorization of Google is prohibited by law and constitutes a punishable violation of the law. No part of
this manual may be reproduced in whole or in part without the express written consent of Google. Copyright by Google, Inc.

Postini, Inc. provides this publication as is, without warranty of any kind, either express or implied, including but not limited to
the implied warranties of merchantability or fitness for a particular purpose. Postini, Inc. may revise this publication from time
to time without notice. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions;
therefore, this statement may not apply to you.

GD Graphics Copyright Notice:

Google uses GD graphics.

Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000 by Cold Spring Harbor Laboratory. Funded under Grant P41-
RR02188 by the National Institutes of Health.

Portions copyright 1996, 1997, 1998, 1999, 2000 by Boutell.Com, Inc.

Portions relating to GD2 format copyright 1999, 2000 Philip Warner.

Portions relating to PNG copyright 1999, 2000 Greg Roelofs.

Portions relating to libttf copyright 1999, 2000 John Ellson (ellson@lucent.com).

Portions relating to JPEG copyright 2000, Doug Becker and copyright (C) 1994-1998, Thomas G. Lane.

This software is based in part on the work of the Independent JPEG Group.

Portions relating to WBMP copyright 2000 Maurice Szmurlo and Johan Van den Brande.

Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application,
provided that this notice is present in user-accessible supporting documentation.

This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd,
not to interfere with your productive use of gd. If you have questions, ask. Derived works include all programs that utilize the
library. Credit must be given in user-accessible documentation.

This software is provided AS IS. The copyright holders disclaim all warranties, either express or implied, including but not
limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying
documentation.

Although their code does not appear in gd 1.8.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue
Software Corporation for their prior contributions.

Google Compliance Policies Notice:

Google assumes no responsibility in connection with the Compliance Policies lexicon-filtering feature, including any failure to
recognize credit card or social security numbers that do not follow an applicable pattern as established in Postini's systems or
any failure to encrypt a credit card or social security number.

Contents

What This Guide Contains 7
Related Documentation 7
How to Send Comments About This Guide 8

Chapter 1: Introduction to Encryption Services 9
About Encryption Services 9
Transport-Layer Security 9
Policy Enforced TLS 10
Message Encryption, Portal Delivery 11
Message Encryption, Inbox Delivery 11
How Encryption Services Components Work Together 11

Chapter 2: Policy Enforced TLS 13
About Policy Enforced TLS 13
How Policy Enforced TLS Works 14
Set Up Policy Enforced TLS 16
Certificate Validation 18
TLS Alerts 22

Chapter 3: Message Encryption, Portal Delivery 25
About Message Encryption, Portal Delivery 25
How Portal Delivery Works 26
Filtering 28
Custom Portal 29
Compose Mail 29
Set Up Portal Delivery 30
Common Encryption Scenarios 33
Configure Encryption for an Organization 35
Configure Encryption for a User 37
View User Encryption Settings 39
Configure Content Manager for Message Encryption 39
Troubleshooting the Secure Portal 40

Chapter 4: Message Encryption, Inbox Delivery 43
About Message Encryption, Inbox Delivery 43
How Inbox Delivery Works 44
Filtering 45
Reading Encrypted Messages 45
Inbox Delivery Branding 47
Set Up Inbox Delivery 48
Configure Encryption for an Organization 50
Configure Encryption for a User 50
View User Encryption Settings 50
Configure Content Manager for Message Encryption 51
Troubleshooting Inbox Delivery 51

Chapter 5: Reports 53
About Reports 53
View a Report 53
Policy-Enforced by Domain 54
Outbound External Encryption by Domain 55
Outbound External Encryption by Account 56
Outbound External Encryption Activity Log 56



About This Guide

What This Guide Contains


The Encryption Services Guide provides information about:

Descriptions of features and data flow of Policy Enforced TLS and Message
Encryption.

Specific step-by-step instructions to enable encryption.

Information on reporting and administration.

This guide is intended for mail server administrators who are already familiar with
mail server configuration and security.

This guide is a supplement to the Email Security Service Administration Guide.


For details about using the features and components of the email security service,
see the Email Security Service Administration Guide. These documents are
available on the Support Portal. For details, see How to Send Comments About
This Guide on page 8.

Related Documentation
For additional information about your email security service, refer to the following
related documents, which are available on the Support Portal. For details, see
How to Send Comments About This Guide on page 8.

Document: Email Security Service Administration Guide
Description: See the Outbound chapter for information about Outbound Services
features, concepts, and administration.

Document: Outbound Services Configuration Guide
Description: Step-by-step instructions for setting up your network environment
and mail server for Outbound Services, a prerequisite for using most Encryption
Services features.

Document: Message Encryption, Portal Delivery Users Guide
Description: A simple user reference that explains features and data flow of
Message Encryption, Portal Delivery.

Document: Message Encryption, Inbox Delivery Users Guide
Description: A simple user reference that explains features and data flow of
Message Encryption, Inbox Delivery.

Document: Message Encryption Release Notes
Description: Release notes on the most recent changes to Message Encryption.

How to Send Comments About This Guide


Postini values your feedback. If you have comments about this guide, please send
an email message to:

doc_comments@postini.com

Please specify in your email message the section to which your comment applies.
If you want to receive a response to your comments, ensure that you include your
name and contact information.



Chapter 1: Introduction to Encryption Services

About Encryption Services


Our encryption offerings deliver policy-based, practical solutions for email
encryption. Message Security has long supported the TLS (Transport-Layer
Security) protocol, which has an inherent best-effort delivery mechanism from
gateway to gateway. The protocol falls back to clear text if the recipient
gateway cannot perform the TLS handshake.

However, with the heightened concerns around privacy and confidentiality, best
effort is often not good enough. The need to deliver secure email regardless of a
business partner's capabilities calls for a solution that can handle both connection
and message security. Adding Message Encryption not only adds a management
layer to the TLS protocol that ensures a secure gateway-to-gateway connection,
it also includes options for one-to-one message encryption when gateway TLS
capabilities are unknown or not present.

Several encryption components are available, including the following:

Policy Enforced TLS

Message Encryption, Portal Delivery or Inbox Delivery

Transport-Layer Security (TLS) is an encryption option, but is not part of the
Encryption Services suite. It is a basic form of encryption, and is included with the
email security service at no additional charge.

Transport-Layer Security
Transport-Layer Security is supported for all customers using the Email Security
Service for the Enterprise (it is not a separate Encryption Services product).

Transport-Layer Security (TLS) is a standards-based protocol, based on Secure
Sockets Layer (SSL), that encrypts and delivers mail securely over the Internet.
TLS helps prevent eavesdropping and spoofing (message forgery) between mail
servers. TLS is rapidly being adopted as the industry standard for secure email.



The protocol uses cryptography to provide endpoint authentication and
communications privacy over the Internet. TLS is the email equivalent of HTTPS
for web communications and has similar strengths and weaknesses.

The key features of TLS are:

Message encryption
TLS uses Public Key Infrastructure (PKI) to encrypt messages from mail
server to mail server. This encryption makes it more difficult for hackers to
intercept and read messages.

Authentication
TLS supports the use of digital certificates to authenticate the receiving
servers. Any certificate is supported, including self-signed certificates.
Authentication of sending servers is not always necessary in TLS. This
process verifies that the receivers (or senders) are who they say they are,
which helps to prevent spoofing. Advanced options include the ability to verify
proper certificate form, domain names, and certificate authority.

Organizations that have a dedicated outbound gateway that handles only TLS
traffic can utilize the Mandatory TLS option. This feature, when activated, will
monitor the TLS handshake inbound and outbound and only allow message
transmission when the TLS handshake is successful. Notification to the sender
occurs in real time if the message cannot be delivered.

For a full description of how TLS works, including key exchange information, see
Transport Layer Security for Inbound Mail in the Email Security Service
Administration Guide.

Policy Enforced TLS


Policy Enforced TLS enables organizations to identify the domain names of
gateways that require inbound and outbound message traffic to travel via a TLS
connection.

Policy Enforced TLS is enabled and configured in the Administration Console,
under TLS settings. If you have Policy Enforced TLS, you can add specific
domains for special treatment.

Key features of Policy Enforced TLS are:

Compatibility with standard TLS settings

Ability to handle important domains separately

Ability to guarantee encrypted traffic and to bounce messages if encryption is
not possible.

Policy Enforced TLS is set for an email config organization.



Message Encryption, Portal Delivery
Message Encryption, Portal Delivery can be used on an on-demand basis to
communicate with any recipient regardless of their capabilities. This secure-and-post
feature easily enables a sender to create a message in their native email
client and simply mark the message as confidential. For example, a Microsoft
Outlook user would set Sensitivity to Confidential when sending the
message. The email is seamlessly passed to Portal Delivery to be encrypted and
posted on a secure web portal. The recipient receives a notification in their native
email client informing them of the message location. The recipient can read the
message via the web portal and submit a reply to the sender. Replies arrive in the
sender's native email client.

You can also customize the secure web portal used with Portal Delivery. With a
Custom Portal, you can add branding and additional features to the secure portal
your contacts see. A Custom Portal is an optional feature; for more information
about Custom Portals, contact your account representative.

Portal Delivery can be set on an organization or an individual user.

Message Encryption, Inbox Delivery


Message Encryption, Inbox Delivery can be used on an on-demand basis to
communicate securely with any recipient. This is similar to Portal Delivery, but
Inbox Delivery sends the encrypted message to the recipient as an attachment
and does not require a web portal login.

The email is seamlessly passed to Inbox Delivery to be encrypted, and is placed
as an attachment to a notification mail. The recipient receives the message as an
encrypted attachment which can be read locally using a standard web browser.

Inbox Delivery can be set on an organization or an individual user. Inbox Delivery
notifications can also be branded.

How Encryption Services Components Work Together


If you are using Policy Enforced TLS or Message Encryption, be sure to enable
TLS in the Administration Console. This allows mail which is not secured by these
methods to be encrypted if third-party servers support TLS, and assures that
connections between your server and the email protection service are encrypted.

Encryption Services features are designed to be used together. Policy Enforced
TLS allows you to create a special encryption policy for certain domains, and
Message Encryption allows you to send encrypted mail even when normal TLS
connections are not possible.

The two forms of Message Encryption, Portal Delivery and Inbox Delivery, are
similar services, and function identically up to the point of delivery to the recipient.
You can only have one of them enabled.



When Encryption Services Apply
Policy Enforced TLS applies to all inbound mail received from designated
domains, and all outbound mail sent to designated domains. For each of your
inbound and outbound email configs, you can designate domains that require TLS
connections, and optionally certificate validation.

Message Encryption applies to outbound messages. For a group of users or an
individual, you can enable Message Encryption for all outbound messages or only
outbound messages with a specific header. Also, you can set up Content
Manager filters to trigger Message Encryption based on content in the message
header or body.

How Policy Enforced TLS and Message Encryption Interact


Message Encryption currently takes precedence over all TLS connections, except
for Policy Enforced TLS.

When you send an outbound message, Policy Enforced TLS takes precedence
over Message Encryption. If a message is sent to a domain listed in Policy
Enforced TLS, the message will be sent via TLS if possible. If the message cannot
be sent via TLS, the message fails. It is not sent to Message Encryption.

This means all messages are always delivered directly to trusted partners' mail
servers, and recipients in domains you specify are not prompted to access
messages via the Message Encryption Secure Portal or Inbox Delivery.

Note: This applies to Release 6.12 and later. In earlier versions of the service,
Message Encryption took precedence over all forms of TLS, including Policy
Enforced TLS.



Chapter 2: Policy Enforced TLS

About Policy Enforced TLS


The email security service includes Transport Layer Security (TLS) functionality
which can be applied to all mail traffic. Policy Enforced TLS expands this
functionality by allowing domain-based control of TLS. You can use Policy
Enforced TLS to set up a custom encryption policy for sending to and receiving
from specific domains. For instance, you could configure Policy Enforced TLS so
that all mail sent to a partner will be encrypted with TLS, and will bounce if TLS
encryption is not possible.

When you specify encryption for a specific sender or recipient, you can be sure
that these connections are always encrypted. If Policy Enforced TLS cannot
establish a TLS connection to the other server, the message will be deferred and
no mail will be sent.

Features and Benefits


Policy Enforced TLS provides the following benefits:

Support for Transport-Layer Security (TLS) encryption of email. Mail is
encrypted before delivery, based on your TLS settings. You can set Policy
Enforced TLS to bounce messages which cannot be encrypted, or to allow
non-secure mail transmission.

Ability to configure security settings separately for specific domains. You can
name specific domains which will receive additional security. Domain-based
TLS is set for each mail server separately.

TLS configuration for inbound and outbound mail. Policy Enforced TLS can be
configured for inbound mail and outbound mail separately.

Ability to verify certificates to prevent malformed certificates or domain
spoofing.

Ability to send alert emails to administrators when Policy Enforced TLS
bounces a message.



Requirements
Policy Enforced TLS is set up separately for inbound and outbound mail.

Setting up Policy Enforced TLS for inbound mail requires the following:

Support on your mail server for Transport Layer Security (TLS).

Administration Console read and write permissions for Inbound Transport
Security on the email config level.

Setting up Policy Enforced TLS for outbound mail requires the following:

Support on your mail server for Transport Layer Security (TLS).

Administration Console read and write permissions for Outbound Transport
Security and Outbound Server Management on the email config level.

Support on your server for Outbound Services.

Setting up TLS on your server ensures that your confidential email is secure
throughout transmission. For information on implementing TLS on your mail
server, check your mail server documentation. If you are using multiple servers,
enable TLS on each server that routes mail to the email protection service.

For more information about Transport Layer Security in the Administration
Console, see Transport Layer Security in the Email Security Service
Administration Guide.

For instructions on how to route your outbound mail through Outbound Services,
see the Outbound Services Configuration Guide.

How Policy Enforced TLS Works


Following is an overview of the data flow of Policy Enforced TLS. Policy Enforced
TLS handles inbound and outbound mail flow separately.

Inbound Policy Enforced TLS Mail Flow


If you have Policy Enforced TLS enabled for inbound mail, specify a list of sending
domains. Mail from these domains will be encrypted, while other domains use
your normal TLS rules.

For inbound mail traffic, the email protection service acts as a proxy between the
sending server and your mail server. Inbound messages are received through two
separate SMTP connections. The first connection is from the sending server to the
email protection service. The second connection is from the email protection
service to your mail server.

This diagram shows the flow of TLS messages between servers:



Stage 1: The sending server sends a message via TLS to the email protection
service, which will always accept TLS messages and process them according
to the TLS protocol. The message is encrypted from the sending server to the
email protection service.

Stage 2: A TLS connection is attempted between the email protection service
and your receiving mail server. If a TLS connection is not possible, the email
protection service will either defer the message, or send the message
unencrypted, depending on your settings.

Without Policy Enforced TLS, you can set the email protection service to defer
all messages if TLS is not possible, or to deliver them.

With Policy Enforced TLS, you can name specific sender domains which must
be encrypted. If a message from one of these domains cannot be encrypted
with TLS, it will always be deferred.

The deferral message for inbound messages is:

451 STARTTLS is required for this sender - psmtp

The deferral is handled by the sending server. Most sending servers will
continue to attempt to send the message for up to five days.

As noted above, messages are decrypted in memory for virus and junk mail
processing, then encrypted again when sent to you. In some instances, mail
delivered via TLS is stored unencrypted:

Spooled mail. In the case of disaster recovery, spool messages are stored
unencrypted in our secure network, and then encrypted when delivered from
spool to your mail servers.

Quarantined messages. Quarantined messages are stored unencrypted in
our secure network, and then delivered encrypted to your mail server when
delivered from the Message Center. Both the quarantine summary message
links and the Message Center allow users to display the messages in a
browser via HTTP (not secure).

As part of your security policy, you may wish to disable the message links in the
quarantine summary and Message Center. This will ensure end-to-end secure
delivery, requiring users to deliver messages from quarantine summary or
Message Center to their inboxes. However, since the risk of falsely quarantining
valid email is small, you may choose to retain the convenience of viewing
messages through the quarantine summary or Message Center.



Outbound Policy Enforced TLS Mail Flow
If you have Policy Enforced TLS enabled for outbound mail, you can specify a list
of recipient domains. Mail to these domains will always be encrypted. For
outbound mail traffic, the email protection service acts as a proxy between your
mail server and the receiving server.

This diagram shows the flow of TLS messages between servers:

Stage 1: The first connection is from your mail server to the email protection
service. You can choose whether this connection uses TLS.

Stage 2: The second connection is from the email protection service to the
receiving mail server. If the exact recipient domain is in your list of domains for
Outbound TLS by Recipient Domain, the outbound security service will
connect via TLS to the receiving mail server.

If the recipient domain is set up for Policy Enforced TLS and TLS is not
available, the following deferral message for outbound messages is sent:

451 Recipient does not support STARTTLS - psmtp

The deferral is handled by your server. Most sending servers will continue to
attempt to send the message for up to five days.

Outbound mail sent to a domain that exactly matches one on the Outbound TLS
by Recipient Domain list will always be sent via TLS in the second step. The Policy
Enforced TLS settings override the standard TLS setting for that email config
organization for these domains.

If you have set up Certificate Validation, Policy Enforced TLS will drop the second
connection and send an error if the recipient's certificate does not meet your
validation requirements. See Certificate Validation on page 18 for more
information.
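The inbound and outbound decisions described above, together with the precedence rule from How Policy Enforced TLS and Message Encryption Interact in Chapter 1, as an added Python illustration that is not code from the service. EmailConfig, the function names and the Sensitivity: Confidential trigger header are assumptions; only the exact-domain rule, the precedence order and the two 451 responses come from the guide, and the sample addresses are constructed.

```python
"""Policy Enforced TLS decision logic for one email config organization.

Added illustration only, not the service's code. EmailConfig, the function
names, the header-based Message Encryption trigger and the sample addresses
are assumptions; the exact-domain rule, the Release 6.12+ precedence order and
the two 451 deferral responses are taken from the guide.
"""
from dataclasses import dataclass

# Deferral responses quoted in the guide for Policy Enforced TLS failures.
INBOUND_DEFERRAL = "451 STARTTLS is required for this sender - psmtp"
OUTBOUND_DEFERRAL = "451 Recipient does not support STARTTLS - psmtp"


@dataclass(frozen=True)
class EmailConfig:
    """Constructed model of the TLS settings of one email config organization."""
    inbound_tls_senders: frozenset = frozenset()      # Inbound TLS by Sender Domain
    outbound_tls_recipients: frozenset = frozenset()  # Outbound TLS by Recipient Domain
    defer_without_tls: bool = False    # standard TLS setting when the peer has no TLS
    encrypt_all_outbound: bool = False
    # Assumed Message Encryption trigger header (the Outlook example in Chapter 1).
    trigger_header: str = "Sensitivity"
    trigger_value: str = "Confidential"


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].strip().lower()


def policy_domain_match(domain: str, policy_domains: frozenset) -> bool:
    """Exact match only: the guide says wildcards and subdomains are not
    supported, so mail.partner.example does not match partner.example."""
    return domain.lower() in {d.lower() for d in policy_domains}


def inbound_decision(cfg: EmailConfig, sender: str, tls_to_customer_ok: bool):
    """Stage 2 of the inbound flow: email protection service -> your mail server.
    Returns (action, smtp_response)."""
    if policy_domain_match(domain_of(sender), cfg.inbound_tls_senders):
        # Policy Enforced TLS: without TLS the message is always deferred.
        return ("deliver_tls", None) if tls_to_customer_ok else ("defer", INBOUND_DEFERRAL)
    if tls_to_customer_ok:
        return ("deliver_tls", None)
    # Standard TLS rules: defer everything or deliver in clear, per the setting.
    # (The guide does not quote the response text for this standard deferral.)
    return ("defer", None) if cfg.defer_without_tls else ("deliver_clear", None)


def outbound_decision(cfg: EmailConfig, recipient: str, headers: dict, tls_to_recipient_ok: bool):
    """Stage 2 of the outbound flow, applying the precedence
    Policy Enforced TLS > Message Encryption > standard TLS."""
    if policy_domain_match(domain_of(recipient), cfg.outbound_tls_recipients):
        if tls_to_recipient_ok:
            return ("deliver_tls", None)
        # Fails here; the message is never handed to Message Encryption.
        return ("defer", OUTBOUND_DEFERRAL)
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    triggered = (cfg.encrypt_all_outbound
                 or lowered.get(cfg.trigger_header.lower()) == cfg.trigger_value.lower())
    if triggered:
        return ("message_encryption", None)   # Portal or Inbox Delivery takes over
    if tls_to_recipient_ok:
        return ("deliver_tls", None)
    return ("defer", None) if cfg.defer_without_tls else ("deliver_clear", None)


if __name__ == "__main__":
    cfg = EmailConfig(inbound_tls_senders=frozenset({"partner.example"}),
                      outbound_tls_recipients=frozenset({"partner.example"}))
    # Constructed scenarios: the same confidential message to three recipient domains.
    for rcpt, tls_ok in [("bob@partner.example", False),
                         ("bob@mail.partner.example", False),
                         ("bob@other.example", True)]:
        print(rcpt, outbound_decision(cfg, rcpt, {"Sensitivity": "Confidential"}, tls_ok))
```

Note that a confidential message to a subdomain of a listed partner is routed to Message Encryption rather than deferred, which is why the guide tells you to list each subdomain separately.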

Set Up Policy Enforced TLS

Set up Inbound TLS by Sender Domain

1. In the Administration Console, click the Inbound Servers tab. Select your
email config organization, and click the TLS link.

2. If TLS is set to Send only SMTP, change it to allow TLS. The recommended
setting is SMTP or TLS. See Transport Layer Security for Inbound Mail in
the Email Security Service Administration Guide for more information on TLS
settings.



3. Scroll to the Inbound TLS by Sender Domain section, at the bottom of the
page. If you do not see this section, you do not have Policy Enforced TLS
enabled. Contact your account representative for information.

4. Enter the domain name you wish to set as TLS-only. Type the exact domain
name; wildcards and subdomains are not supported.

5. Click Add. The change takes effect immediately.

6. Recommended: Enable TLS Alerts so you will be notified if a problem occurs.
See TLS Alerts on page 22 for more information.

To remove one or more domains, check the domains you wish to delete and click
Delete Selected. The changes take effect immediately.

Set up Outbound TLS by Recipient Domain

Before you can use Outbound TLS by Recipient Domain, set your mail server to
route outbound mail through the email protection service, and enable TLS on your
mail server. See About Policy Enforced TLS on page 13 for more information
about requirements.

1. In the Administration Console, click the Outbound Servers tab. Select your
email config organization, and click the TLS link.

2. If TLS is set to Accept only SMTP or Send only SMTP, change your
settings to allow TLS. The recommended setting is SMTP or TLS. See
Transport Layer Security for Outbound Mail in the Email Security Service
Administration Guide for more information on TLS settings.

3. Scroll to the Outbound TLS by Recipient Domain section, at the bottom of the
page. If you do not see this section, you do not have Policy Enforced TLS
enabled. Contact your account representative for information.



4. Enter the domain name you wish to set as TLS-only. Type the exact domain
name. Wildcards and subdomains are not supported; each subdomain must
be added separately.

5. Click Add. The change takes effect immediately.

6. Optional: Set Certificate Validation. The default setting, Encryption Only,
should be sufficient for most domains, but you can validate the recipient's
certificate by changing this setting to Verify Certificate, Trust Check, or
Domain Check. For more information, see Certificate Validation on page 18.

7. Recommended: Enable TLS Alerts so you will be notified if a problem occurs.
See TLS Alerts on page 22 for more information.

To remove a domain, select the domain you wish to delete and click Remove. The
change takes effect immediately.

Certificate Validation
Policy Enforced TLS can analyze and validate TLS certificates, and block
sessions that use malformed or spoofed certificates. When outbound mail is sent
to a domain that is configured for Certificate Validation, Policy Enforced TLS
verifies the format, source, and domain of the certificate. You can specify different
validation settings for each domain.

Set up Certificate Validation for each domain on the Outbound TLS settings page,
under the heading Domain-Specific Setting for Outbound TLS.



To set up Certificate Validation:

1. Go to Outbound TLS settings in the Administration Console.

2. If the domain is not already listed in Policy Enforced TLS, add the recipient
domain to Policy Enforced TLS.

3. Under Domain-Specific Setting for Outbound TLS, set TLS Certification to
the appropriate setting and click Save Selected.

Scope of Certificate Validation


Certificate Validation examines SSL certificates to verify a recipient's identity. The
standard that defines TLS, RFC 2487, states clearly that the possibility of multiple
hops during email delivery makes TLS certificates unsuitable for authenticating a
sender's identity (inbound messages).

To comply with the standard, Certificate Validation authenticates the recipient's
identity for only outbound Policy Enforced TLS. Certificate Validation is not used
for inbound mail because the RFC standards do not support this use.

Certificate Validation Settings


Certificate Verification is a powerful tool to protect your secure connection from
spoofing and invalid certificates. However, it will also interrupt mail flow if the
recipient's certificate is not set up correctly. If protection from spoofing and invalid
certificates is not a major concern, use Encrypt Only. Use Certificate Verification if
you wish to set up regular, ongoing secure connections with a specific partner for
extremely sensitive information.

Note: If you set up Certificate Validation, be sure to set up TLS Alerts as well, so
you will know if a problem occurs. For more information, see TLS Alerts on
page 22.

Certificate Validation settings are described below.



TLS Certification Description

Encrypt Only Behavior: Policy Enforced TLS obtains the keys


from the Server Certificate, extracts the keys,
completes the TLS handshake, and begins the
encrypted session. No further verification takes
place. Errors that prevent key extract will result in a
bounced connection, but any other certificate-
related errors are ignored.

Recommendations: This setting provides the most


reliable delivery of encrypted mail, and is
recommended in most cases. Use if you wish to
allow a TLS connection even with malformed or out-
of-date certificates. This setting allows encrypted
communication even if the recipients certificate is
invalid, as long as the certificate is functional.

Verify Cert Behavior: Confirm that the certificate has proper


form and syntax. Ensures that certificates are valid,
but provides no protection against spoofing. Policy
Enforced TLS ends the session if any certificate
errors occur, but allows an out of date certificate,
self-signed certificate, or certificate from an
unknown trust.

Recommendations: This setting can be used to


detect any problems with the TLS certificate. If you
wish to block malformed certificates, and detect any
certificate problems, use this setting. This setting
provides increased verification, but may stop some
outbound mail.

20 Postini Encryption Services Administration Guide


TLS Certification Description

Check Trust Behavior: In addition to the certificate tests in


Verify Cert, also verifies that the certificate is from a
known valid Certificate Authority. Does not allow a
self-signed certificate or certificate from an
unknown trust. Requires a complete certificate
chain. Will also block any certificate linked to an IP
address instead of a hostname. Ends the mail
session if the trust check fails.

Recommendations: This is a very stringent setting


and can cause problems with outbound mail flow to
the recipient if the recipients certificate is not
properly prepared. Contact your recipient before
you use this setting, and send at least a few trial
messages to test that mail flow is not interrupted.
This setting provides secure delivery and protection
against spoofing, but may interrupt delivery if the
certificate is not signed properly.

Check Domain

Behavior: In addition to the certificate tests in Verify Cert and Check Trust,
also confirms that the domain in the certificate matches the domain of the
server host. If there is a wildcard in the domain certificate, the recipient's
domain must match the wildcard. Will also block any certificate linked to an
IP address instead of a hostname. Ends the session if the domain check fails.

Recommendations: This is the most stringent setting and will cause outbound
mail to fail if the domain in the certificate does not match the domain of the
recipient's mail server. Contact your recipient before you use this setting,
and send at least a few trial messages to test that mail flow is not
interrupted. Be aware that mislabeled domains in TLS certificates are not
uncommon; if your recipient is using a different domain name in certificates,
mail flow will be interrupted. This setting provides the most secure delivery
and protection against spoofing, but has a high risk of mail flow
interruption.
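The three validation levels build on one another: Check Trust includes every test in Verify Cert, and Check Domain includes both. As an added illustration (not Postini's code), the following Python models that escalation over a constructed certificate record: verify_cert checks the certificate itself, check_trust adds the issuer, chain and IP-binding checks, and check_domain adds the hostname match, including the one-label wildcard rule. The certificate dictionaries, the "Example Root CA" issuer and the partner.example hosts are all constructed for this example; a real deployment would take these fields from the peer certificate presented in the TLS handshake.

```python
"""Tiered TLS certificate validation mirroring Verify Cert / Check Trust /
Check Domain. Added example, not Postini code; certificates are plain dicts
constructed below (an assumption) so it runs offline with the stdlib only."""
import ipaddress
from datetime import datetime, timezone

LEVELS = ("verify_cert", "check_trust", "check_domain")  # least to most strict


def is_ip_literal(name):
    """True if a certificate name is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def hostname_matches(pattern, host):
    """Match one certificate name against the recipient host. A wildcard
    covers exactly one leftmost label: '*.example.com' matches
    'mx.example.com' but not 'example.com' or 'a.b.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".example.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return prefix != "" and "." not in prefix
    return pattern == host


def verify_cert(cert, now):
    """Level 1: well-formed and in date; self-signed/unknown issuers tolerated."""
    problems = []
    if not cert.get("subject_names"):
        problems.append("certificate has no subject name")
    if cert["not_before"] > now:
        problems.append("certificate not yet valid")
    if cert["not_after"] < now:
        problems.append("certificate expired")
    return problems


def check_trust(cert, trusted_issuers):
    """Level 2: known CA, complete chain, not self-signed, not bound to an IP."""
    problems = []
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed certificate")
    if cert["issuer"] not in trusted_issuers:
        problems.append("issuer %r is not a known CA" % cert["issuer"])
    if not cert.get("chain_complete", False):
        problems.append("incomplete certificate chain")
    if any(is_ip_literal(n) for n in cert.get("subject_names", [])):
        problems.append("certificate is bound to an IP address, not a hostname")
    return problems


def check_domain(cert, host):
    """Level 3: some certificate name must match the recipient mail server host."""
    if any(hostname_matches(n, host) for n in cert.get("subject_names", [])):
        return []
    return ["no certificate name matches host %r" % host]


def validate(cert, host, level, trusted_issuers, now):
    """Apply the checks cumulatively up to `level`; return (ok, problems).
    Each stricter setting includes every test of the one before it."""
    if level not in LEVELS:
        raise ValueError("unknown level %r" % level)
    rank = LEVELS.index(level)
    problems = verify_cert(cert, now)
    if rank >= 1:
        problems += check_trust(cert, trusted_issuers)
    if rank >= 2:
        problems += check_domain(cert, host)
    return (not problems, problems)


# Constructed sample data: a hypothetical CA and two certificates.
NOW = datetime(2008, 11, 4, tzinfo=timezone.utc)
TRUSTED = {"Example Root CA"}
WILDCARD_CERT = {
    "subject": "CN=*.partner.example",
    "subject_names": ["*.partner.example"],
    "issuer": "Example Root CA",
    "not_before": datetime(2008, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2009, 1, 1, tzinfo=timezone.utc),
    "chain_complete": True,
}
SELF_SIGNED = dict(WILDCARD_CERT, subject="CN=mx.partner.example",
                   subject_names=["mx.partner.example"],
                   issuer="CN=mx.partner.example", chain_complete=False)

if __name__ == "__main__":
    for level in LEVELS:
        for name, cert in (("wildcard", WILDCARD_CERT), ("self-signed", SELF_SIGNED)):
            print(level, name, validate(cert, "mx.partner.example", level, TRUSTED, NOW))
```

Running it shows why the guide recommends trial messages before raising the level: the self-signed certificate passes Verify Cert but fails Check Trust, and the wildcard certificate passes Check Trust for any host yet fails Check Domain as soon as the recipient host is outside the wildcard.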

Change the Default Certificate Validation Setting

You can change the default setting as well. When you add a new domain to Policy
Enforced TLS, it will use this Certificate Validation setting.

To change the default Certificate Validation setting

Go to Outbound TLS settings in the Administration Console.

1. Under TLS Certificate Validation, select the default setting you wish to use.

2. Click Save as Default.

TLS Alerts
Policy Enforced TLS is intended for secured business partners who intend to
encrypt all email communication between two parties. To prevent secure
messages from being transmitted in the open, Policy Enforced TLS will refuse
messages that come from specified domains when TLS sessions fail.

TLS Alerts inform your administrators when Policy Enforced TLS rejects a
message. If a TLS connection fails, this may indicate a problem which requires
immediate administrator action. With TLS Alerts, your administrators can detect
and correct security problems immediately.

TLS Alerts apply to both inbound and outbound messages.

WARNING: TLS Alerts are not enabled by default. You must set them up.

Configure TLS Alerts

Set up, modify or disable TLS Alerts in the Administration Console using batch
commands.

Enable, Modify or Disable TLS Alerts

1. Log in to the Administration Console.

2. Go to the Batch page in the Orgs & Users tab.

3. Enter the following command into Step 2.5 and click Submit job:
modifyorg <orgname>, tls_notify_admin=<admin>, tls_notify_on=<interval>

orgname is the name of your email config organization. TLS Alerts are set on
the email config level, not the user or account level.

admin is the email address (or alias) of an administrator account. You can use
your own address or another address in any domain, as long as it is the
address or alias of an administrator for any organization.

interval shows how often an alert can be sent, in seconds. The minimum is
1 (no more than one message per second), and the maximum is 86400 (no
more than one message per day.) After a Policy Enforced TLS problem
causes an alert, no more alerts will be sent for the time period specified. In
most cases, a 600 second default is recommended. To turn off TLS Alerts, set
the interval to 0.

4. Confirm the values by entering the following command into Step 2.5 and
clicking Submit job:
displayorg <orgname>

orgname is the name of your email config organization.
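The interval in tls_notify_on is a throttle: after one alert, further Policy Enforced TLS failures are silent until the interval has elapsed. The following Python is an added example (not Postini code) that validates the interval the way the step above describes (0 disables, otherwise 1 to 86400 seconds), renders the modifyorg batch line, and replays constructed failure events through that throttle so the effect of the 600-second default can be seen. The org name, admin address and event timestamps are made up for the example.

```python
"""Rate-limited TLS alert dispatch, modelled on the tls_notify_on interval:
one alert per interval, interval 0 disables alerts. Added example, not
Postini code; events and the alerting behaviour are constructed here."""

MIN_INTERVAL, MAX_INTERVAL = 1, 86400


def normalize_interval(interval):
    """Validate tls_notify_on: 0 turns alerts off; otherwise 1..86400 seconds."""
    if not isinstance(interval, int) or interval < 0:
        raise ValueError("interval must be a non-negative integer number of seconds")
    if interval == 0:
        return 0
    if not MIN_INTERVAL <= interval <= MAX_INTERVAL:
        raise ValueError("interval must be between %d and %d" % (MIN_INTERVAL, MAX_INTERVAL))
    return interval


def interval_is_valid(interval):
    """Convenience predicate for input validation in a console or script."""
    try:
        normalize_interval(interval)
        return True
    except ValueError:
        return False


def batch_command(orgname, admin, interval):
    """Render the modifyorg batch line shown in the procedure above."""
    return "modifyorg %s, tls_notify_admin=%s, tls_notify_on=%d" % (
        orgname, admin, normalize_interval(interval))


class TlsAlerter:
    """Sends at most one alert per `interval` seconds for the email config org."""

    def __init__(self, admin, interval):
        self.admin = admin
        self.interval = normalize_interval(interval)
        self.last_sent = None
        self.sent = []        # (timestamp, direction, domain) for alerts actually sent
        self.suppressed = 0   # failures swallowed by the throttle (or by interval 0)

    def on_tls_failure(self, ts, direction, domain):
        """Called for each Policy Enforced TLS rejection; ts is epoch seconds.
        Returns True if an alert would be sent to the administrator."""
        if self.interval == 0:
            self.suppressed += 1
            return False
        if self.last_sent is not None and ts - self.last_sent < self.interval:
            self.suppressed += 1
            return False
        self.last_sent = ts
        self.sent.append((ts, direction, domain))
        return True


def replay(events, admin="alerts@acme.example", interval=600):
    """Feed constructed failure events through the throttle; return the alerter."""
    alerter = TlsAlerter(admin, interval)
    for ts, direction, domain in events:
        alerter.on_tls_failure(ts, direction, domain)
    return alerter


# Constructed sample: a burst of failures, then one more after the interval.
SAMPLE_EVENTS = [
    (1000, "outbound", "partner.example"),
    (1005, "outbound", "partner.example"),
    (1300, "inbound", "other.example"),
    (1700, "outbound", "partner.example"),
]

if __name__ == "__main__":
    a = replay(SAMPLE_EVENTS)
    print(batch_command("acme_emailconfig", a.admin, a.interval))
    print("sent:", a.sent, "suppressed:", a.suppressed)
```

Note that the throttle is per email config organization, not per failing domain, so with the 600-second default the inbound failure from a second domain at 1300 is suppressed by the alert already sent at 1000; an administrator who needs per-domain visibility should read the alert text rather than count alerts.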

Modify or Disable TLS Alerts

1. Log in to the Administration Console.

2. Go to the Batch page in the Orgs & Users tab.

3. Enter the following command into Step 2.5 and click Submit job:
modifyorg <orgname>, tls_notify_admin=<admin>, tls_notify_on=<interval>

orgname is the name of your email config organization. TLS Alerts are set on
the email config level, not the user or account level.

admin is the email address (or alias) of a new admin address to use. You can
use your own address or another address in any domain, as long as it is the
address or alias of an administrator for any organization.

interval shows how often an alert can be sent, in seconds. Set to 0 to
disable TLS Alerts.

4. Confirm the values by entering the following command into Step 2.5 and
clicking Submit job:
displayorg <orgname>

orgname is the name of your email config organization.

Alerts Description
The sender of TLS Alerts is:

<yourcompany> Support support@<domain>

yourcompany is the name of your company, listed in the Administration Console
Organization General Settings. domain is the name of the domain affected.

When Policy Enforced TLS blocks an inbound message, your administrator will
see the following alert:

This message is an automated alert from your email protection service.

Your email protection service was unable to accept messages from the following
domain, because the domain's mail server cannot use TLS:

<sender domain>

Your Inbound TLS by Domain encryption policy requires this domain to send
messages using TLS. Your email protection service returns messages from this
domain if the domain's mail server cannot establish a TLS connection with the
service.

Recommended action: Contact the email administrator for domain <sender domain>.

When Policy Enforced TLS blocks an outbound message, your administrator will
see the following alert:

This message is an automated alert from your email protection service.

Your email protection service was unable to send messages to the following
domain, because the domain's mail server cannot use TLS:

<recipient domain>

Your Outbound TLS by Domain encryption policy requires this domain to receive
messages using TLS. Your email protection service returns messages sent to this
domain if the domain's mail server cannot establish a TLS connection with the
service.

Recommended action: Contact the email administrator for domain <recipient domain>.

Chapter 3

Message Encryption, Portal Delivery

About Message Encryption, Portal Delivery

Message Encryption, Portal Delivery is a component that provides enhanced
security for confidential email transmission by encrypting outbound mail.

With Portal Delivery, an encrypted message is secured and posted on a web
portal, which the recipient can then access and read.

Features and Benefits

Message Encryption, Portal Delivery provides the following benefits:

Strong security to protect your confidential email, even across the Internet.
Your confidential mail is protected by 128-bit or better encryption during all
steps of transmission, and stored on a secure server for the recipient to read.

Ability to send secure messages to any recipients, even those who do not
have Transport-Layer Security (TLS) enabled on their mail servers.

Ability to receive secure replies to confidential mail, even from recipients who
do not have TLS enabled on their mail servers.

Ability to encrypt specific messages based on their content using Content
Manager.

Use of industry-leading ZixCorp encryption technology.

Secure public-private key encryption.

Requirements
Using Message Encryption requires that you route your mail through the message
security service. For instructions on how to do this, see the Outbound Services
Configuration Guide.

You will also need to enable Transport Layer Security (TLS) on your mail server.
Setting up TLS on your server ensures that your confidential email is secure
throughout transmission. For information on implementing TLS on your mail
server, check your mail server documentation. If you are using multiple servers,
enable TLS on each server that routes mail to the email protection service, and
configure TLS in the Administration Console.

Billing
Billing for Message Encryption is based on the number of users that have
Message Encryption enabled in the Administration Console.

Any user with individual Message Encryption enabled, or inside an organization
with org-level Message Encryption enabled, is billed. This includes users that
don't actively use Message Encryption.

For details about pricing and other billing questions, contact your sales
representative.

How Portal Delivery Works

You can set Portal Delivery for a specific org or user. You can set Portal
Delivery to send all outbound mail securely, or only messages that have been
marked for encryption. With Portal Delivery, outbound mail is first routed to the
email protection service, then to the Secure Portal. In the Secure Portal, the
recipient can securely read, download, and reply to the message. Portal Delivery
then sends the recipient a notification that a message has arrived, which includes
a link to the Secure Portal.

1. Sender to Email Security Service
Your outbound email is routed through the email protection service. To assure that
your email is secure, set up TLS on your mail server and transmit only encrypted
messages to the email protection service. Confidential messages are sent to the
Secure Portal. Other messages are delivered directly to the recipient's mail
server. You can send messages up to 10MB in size through Message Encryption.
Larger messages will be bounced with a 554 error message.

2. Email Security Service to Secure Portal
Messages routed to Portal Delivery are sent securely by TLS to the Secure Portal.
Because your secure messages may be stored in the Secure Portal for a period of
weeks, your mail is stored using 168-bit encryption. This is more secure than
industry-standard 128-bit encryption.

3. Notification to Recipient
Portal Delivery sends a notification that informs the recipient of the message. The
notification includes a link to set up an account within the Secure Portal.

4. Recipient to Secure Portal
Using HTTPS on a standard web browser, the recipient can view, download, and
reply to the message in the Secure Portal. Messages remain in the Secure Portal
for 14 days. The Secure Portal is a branded web interface that is secured by
password.

If the message expires without being read, the sender will receive a notice.

If the recipient replies to a message, Portal Delivery sends the reply back to the
email protection service, which routes the message to your inbox. Replies are
filtered by the email protection service using the same protection as any other
inbound messages.

Filtering
Before a message is routed to Message Encryption, the email security service
applies the same filter rules as all outbound mail.

The Email Security Service filters all mail before sending it to the portal. All
Attachment Manager or Virus filters still apply.

Content Manager rules with a disposition of Message Encryption override any
other Content Manager disposition except Log and Deliver. Content Manager
filters may not apply if you use a Message Encryption rule in Content Manager.

Note: If an outbound message is quarantined, then released from quarantine, it
will be sent through normal mail delivery, not Message Encryption.

Custom Portal
For an additional cost, you can custom-brand your Secure Portal. Contact your
account representative for more information about customizing branding for your
portal.

A Custom Portal allows you to choose the following options:

Brand Name

Top Banner Image

Color Scheme

Footer Text

Welcome Text

Instructions and Disclaimers

Customer Support Contact Information

Account Creation Confirmation

Password Requirements

Security confirmation messages for password changes

Portal Timeouts

Message Expiration Time

Notification Sent Before Message Expiration

Domains Supported

Compose Mail
The ability to compose new messages is an optional feature that can be
purchased separately as part of a custom portal.

If you have a Custom Portal with the Compose feature enabled, anyone who
receives a message through Portal Delivery can use it to:

Compose new messages to the sender or any other address at your domain.
These messages are securely delivered directly to the recipient's inbox.

Include attachments in messages.

Save drafts of messages before sending them. Drafts are available in the
Drafts tab.

View messages that have previously been sent. Sent messages are visible in
the Sent Mail tab.

For information about setting up a Custom Portal, contact your account
representative.

Set Up Portal Delivery
To set up Portal Delivery, you'll work with an account representative to enable the
service. If you will be setting up a Custom Portal, additional design time may be
required.

Prerequisites
Using Message Encryption, Portal Delivery requires that you route your mail
through Outbound Services. For instructions on how to do this, see the Outbound
Services Configuration Guide.

You will also need to enable Transport Layer Security (TLS) on your mail server.
Setting up TLS on your server ensures that your confidential email is secure
throughout transmission. For information on implementing TLS on your mail
server, check your mail server documentation. If you are using multiple servers,
enable TLS on each server that routes mail to the email protection service.

Transport Layer Security (TLS) is an industry standard for secure email. Setting
up TLS usually involves installing a certificate on your mail server. You can use a
purchased certificate, or a self-signed certificate. For information about setting up
TLS, see the documentation for your mail server.

Also, you will need to enable Transport Layer Security in the Administration
Console. For steps on setting up TLS in the Administration Console, see below.

Activate Message Encryption
An Activation Specialist will walk you through activating the Message Encryption
service. Here is an overview of the steps that will be required to enable Message
Encryption, Portal Delivery. Each step is described in detail in the sections below.

List Your Domains

List Custom Portal Preferences (optional)

Activation Specialist Adds Domains and Portal

Add DNS Records for your Domain

Configure TLS settings in the Admin Console

Configure Message Encryption

Test Portal Delivery

List Your Domains

Provide your Activation Specialist with a list of all domains you'll be using with
Encryption Services.

List Custom Portal Preferences (optional)

If you are using a Custom Portal, your Secure Portal can be branded with your
logo and custom text. You can specify a support email address, a logo, and any
custom text you wish to add. See Custom Portal on page 29 for the full list of
options. Contact your account representative for more information about
customized branding for your portal.

Activation Specialist Adds Domains and Portal
Once you have specified your domain (and, if you are using Custom Portal, portal
options), your account representative will work with portal designers to create your
custom Secure Portal. This process requires special implementation and testing
and may take up to 10 days.

Add DNS Records for Your Domain

Message Encryption uses ZixCorp encryption technology, which provides
encryption services and message portal access. These DNS records assure that
if another ZixCorp customer sends secure mail to you, it will be routed correctly.

To assure that all incoming mail routes properly, add the following MX records to
your DNS records with first priority:

zixvpm.[domain].com. MX IN 3600 mx35241.zixworks.com
zixvpm.[domain].com. MX IN 3600 mx35242.zixworks.com

This domain needs to be queried explicitly, including the zixvpm subdomain. If this
MX record is not added, replies and some other encrypted traffic will not be routed
properly. This MX record does not affect the filtering of an inbound message.

Contact your DNS administrator to change this setting. Because these are new MX
records, changes take place immediately. You do not need to add an A record.

Configure TLS Settings in the Administration Console

In the Administration Console, configure TLS to specify the requirements for
encrypting outbound mail through the email protection service. We recommend
setting outbound TLS to accept only TLS connections, and to attempt to deliver
TLS to the recipient server. This assures that all of your mail is as secure as
possible throughout transmission.

To set TLS in Administration Console:

1. Log in to the Administration Console.

2. In the Outbound Servers tab, click TLS in the top menu.

3. In section 1, click Accept Only TLS.

4. In section 2, click Send by TLS if possible.

5. Click Save to store your settings.

Configure Message Encryption
Set Message Encryption Settings in the Administration Console for organizations
or individual users. You can also set up Content Manager rules to encrypt some of
your mail based on the content of the mail.

For information on organization Encryption Settings, see Configure
Encryption for an Organization on page 35.

For information on user Encryption Settings, see Configure Encryption for a
User on page 37.

For information on Message Encryption with Content Manager, see
Configure Content Manager for Message Encryption on page 39.

Test Portal Delivery

When you have completed these steps, send a Confidential test message to an
outside address to test Portal Delivery. You should receive a notification at the
recipient address that directs you to the Secure Portal.

Common Encryption Scenarios

The headings below show common scenarios for configuring Message
Encryption. For detailed configuration steps, see Configure Encryption for an
Organization on page 35 and Configure Encryption for a User on page 37.

Encrypt mail with Security to Confidential in Microsoft Exchange, for any user

1. In org-level Message Encryption, for each organization that contains users,
set Encryption to Messages with subject or header text: Sensitivity:
Company-Confidential

2. Save.

Encrypt mail that matches a Content Manager rule

1. In org-level Message Encryption, for each organization that contains users,
set Encryption to Messages with subject or header text: Sensitivity:
Company-Confidential.

2. Save your settings.

3. In Content Manager, for each organization that contains users, create a
Content Manager rule, set disposition to Deliver and check Encrypt.

4. Save your settings.

In this scenario, Message Encryption will also apply for messages with
Sensitivity: Company-Confidential in the subject or header.

Encrypt all mail for a select group of users. Encrypt mail for other users if it
contains a certain custom phrase in the subject or header

1. In org-level Message Encryption, for each organization that contains users,
set Encryption to Messages with this subject or header text:

2. Enter the custom phrase you want to use.

3. Save your settings.

4. In user-level Message Encryption for each user who should have mail
encrypted, set Encryption to All messages.

5. Save your settings.

Encrypt only mail with a custom phrase in the subject or header, and only for a
small set of users, without changing your organization structure.

1. In org-level Message Encryption for each organization that contains users, set
Encryption to Messages with this subject or header text:

2. Enter the custom phrase you want to use.

3. Save your settings.

4. Set Encryption to No Messages. The custom phrase will still apply to
individual users.

5. Save your settings again.

6. In user-level Message Encryption for each user who should have mail
encrypted, set Encryption to Based on Organization Setting.

7. Save your settings.

In this scenario, since org-level Message Encryption is set to No Messages, you
will only be billed for the users who have individual Message Encryption enabled.

Encrypt mail that matches a Content Manager rule, but only for a small set of
users, without changing your organization structure

1. In org-level Message Encryption for each organization that contains users, set
Encryption to No Messages.

2. Save your settings.

3. In user-level Message Encryption for each user who should have mail
encrypted, set Encryption to Only messages with this subject or header text:
Sensitivity: Company-Confidential

4. Save your settings.

5. In Content Manager for each organization that contains users, create a
Content Manager rule, set disposition to Deliver and check Encrypt.

6. Save your settings.

In this scenario, Message Encryption will also apply for messages with
Sensitivity: Company-Confidential in the subject or header, but only if they are
sent by these users.

Configure Encryption for an Organization

After setting up Message Encryption, you can configure encryption settings for a
specific organization in the Administration Console. Encryption settings are
available through the user interface or through batch commands.

In the Message Encryption Settings page, you can view and change your settings
for your organization. This page is used for Message Encryption, whether you are
using Portal Delivery or Inbox Delivery.

You can also set up encryption for individual users. See Configure Encryption for
a User on page 37 for more information.

Note: When you enable encryption for an organization, you will be billed for all
users in the organization.

To set Encryption Services settings for an organization:

1. In the Administration Console, select the organization that contains your
users.

2. Under Organization Management, go to the Encryption Settings page.

3. Select the setting you wish to use for this organization. This setting will apply
to all users in the organization except those with overriding settings.

If you select the Only messages with this subject or header text option, enter
the text to match or use the default.

Choose from the following options on the Message Encryption Settings page.

Setting: No messages
Description: Messages will not be sent through Message Encryption. Content
Manager rules for Encryption are disabled.

Setting: All messages
Description: All messages will be sent through Message Encryption.

Setting: Messages with this subject or header text
Description: Messages will be sent through Message Encryption if the exact text
entered is found somewhere in the header, including the subject line. If left
blank, the text defaults to Sensitivity: Company-Confidential. Content Manager
rules also apply.

Setting: Messages with subject or header text: Sensitivity: Company-Confidential
Description: Messages will be sent through Message Encryption if the text is
found somewhere in the header, including the subject line. The text Sensitivity:
Company-Confidential is a special header detailed in RFC 1327. Microsoft
Exchange also adds this header text when Sensitivity is set to Confidential.
Content Manager rules also apply.

4. Check Apply these settings to existing sub-orgs. to overwrite the Encryption
Services setting of sub-organizations.

5. Click Save Configurations to save these changes.

6. View User Encryption Settings to confirm your changes. See View User
Encryption Settings on page 39.

Batch Interface
You can also use the following batch commands for Message Encryption. These
match the functions in the Encryption Settings page.

The encryption display_org command displays an organization's encryption
information.

The encryption list_users command lists all encryption users in this
organization.

The encryption modify_org command modifies encryption settings for an
organization.

For information about using batch commands, see the Batch Command
Reference Guide.

Configure Encryption for a User
After setting up Message Encryption, you can configure encryption settings by
individual user in the Administration Console. Normally, all users will apply the
organization settings, but if you need to have individual users with different
settings, you can configure Message Encryption for users. Encryption settings are
available through the user interface or through batch commands.

In the Message Encryption Settings page, you can view and change your settings
for your organization. This page is used for Message Encryption, whether you are
using Portal Delivery or Inbox Delivery.

To set Encryption Services settings for a user:

1. In the Administration Console, select the user you wish to change.

2. Under User Management, go to the Encryption Settings page.

3. Select the radio button of the setting you wish to use for this user. This will
override org settings. See Message Encryption Settings Page, below.

If you select the Only messages with this subject or header text option, enter
the text to match or use the default.

Choose from the following options on the Message Encryption Settings page.

Setting: No messages
Description: Messages will not be sent through Message Encryption. Content
Manager rules for Message Encryption are disabled.

Setting: All messages
Description: All messages will be sent through Message Encryption.

Setting: Only messages with this subject or header text: Sensitivity:
Company-Confidential
Description: Messages will be sent through Message Encryption if the exact text
Sensitivity: Company-Confidential is found somewhere in the header, including
the subject line. The text Sensitivity: Company-Confidential is a special header
detailed in RFC 1327. Microsoft Exchange also adds this header text when
Sensitivity is set to Confidential. Content Manager rules also apply.

Setting: Based on Organization Setting: [Text]
Description: Match the settings of the user's parent org. For reference, the
organization setting text is shown. The text used is set on the organization
Message Encryption settings page. Content Manager rules also apply.

Note: You can use this setting even if you have Message Encryption disabled for
an organization. Set the text on the organization level, then disable Message
Encryption again for the organization.
4. Click Save Configurations to save these changes.

5. View User Encryption Settings to confirm your changes. See View User
Encryption Settings on page 39.
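The org table, the user table and the Common Encryption Scenarios earlier in this chapter together define one decision: is this outbound message routed through Message Encryption? The following Python is an added example (not Postini code) that evaluates that decision from an org setting, an optional user override, and Content Manager rules with a Deliver plus Encrypt disposition. The setting names follow the tables; the messages, the organization dictionaries and the SSN-pattern rule are constructed for the example, and two points are assumptions rather than documented behaviour: the header search is modelled as a substring match over every "Name: value" header line including Subject, and a user on Based on Organization Setting under an org set to No Messages is treated as individually enabled on the org's phrase, which is how the "small set of users" scenario reads.

```python
"""Evaluate whether an outbound message goes through Message Encryption from
the org setting, an optional user override, and Content Manager rules with a
Deliver + Encrypt disposition. Added example, not Postini code; messages and
rules are constructed here, and the header search is an assumption about how
'somewhere in the header, including the subject line' is matched."""
import re
from email import message_from_string

DEFAULT_TEXT = "Sensitivity: Company-Confidential"
NO_MESSAGES = "No messages"
ALL_MESSAGES = "All messages"
MATCH_TEXT = "Only messages with this subject or header text"
BASED_ON_ORG = "Based on Organization Setting"


def header_contains(msg, text):
    """True if `text` occurs (case-insensitively) in any header line written as
    'Name: value', so both 'Subject: ...' and 'Sensitivity: ...' are searched."""
    needle = text.lower()
    return any(needle in ("%s: %s" % (name, value)).lower() for name, value in msg.items())


def effective_setting(org, user):
    """Resolve (mode, text) for a user. `user` is None when the user has no
    individual setting. Assumption: the org's phrase survives the org being set
    to No messages, so a user on Based on Organization Setting still matches it
    (the 'small set of users' scenario in Common Encryption Scenarios)."""
    org_text = org.get("text") or DEFAULT_TEXT
    if user is None:
        return org["mode"], org_text
    if user["mode"] == BASED_ON_ORG:
        if org["mode"] == NO_MESSAGES:
            return MATCH_TEXT, org_text
        return org["mode"], org_text
    return user["mode"], user.get("text") or DEFAULT_TEXT


def should_encrypt(msg, org, user=None, cm_rules=()):
    """Return (encrypt, reason). Under No messages the Content Manager Encrypt
    rules are disabled, as the settings table states."""
    mode, text = effective_setting(org, user)
    if mode == NO_MESSAGES:
        return False, "Message Encryption off; Content Manager Encrypt rules disabled"
    if mode == ALL_MESSAGES:
        return True, "setting: All messages"
    if header_contains(msg, text):
        return True, "header text matched: %r" % text
    for rule in cm_rules:
        if rule["disposition"] == "Deliver" and rule["encrypt"] and rule["match"](msg):
            return True, "Content Manager rule: %s" % rule["name"]
    return False, "no setting or rule matched"


def _mail(headers, body="hello"):
    """Build a constructed email.message.Message from a header dict."""
    raw = "".join("%s: %s\n" % kv for kv in headers.items()) + "\n" + body + "\n"
    return message_from_string(raw)


# Constructed messages and a constructed Content Manager rule (US SSN pattern).
CONFIDENTIAL = _mail({"From": "alice@corp.example", "To": "bob@partner.example",
                      "Subject": "Q3 numbers", "Sensitivity": "Company-Confidential"})
PLAIN = _mail({"From": "alice@corp.example", "To": "bob@partner.example",
               "Subject": "lunch?"})
FALCON = _mail({"From": "alice@corp.example", "To": "bob@partner.example",
                "Subject": "Project Falcon update"})
SSN_MAIL = _mail({"From": "hr@corp.example", "To": "bob@partner.example",
                  "Subject": "form"}, body="SSN 123-45-6789")
CM_RULES = [{"name": "ssn-pattern", "disposition": "Deliver", "encrypt": True,
             "match": lambda m: re.search(r"\b\d{3}-\d{2}-\d{4}\b", m.get_payload()) is not None}]

ORG_DEFAULT_TEXT = {"mode": MATCH_TEXT, "text": None}          # default phrase
ORG_OFF_WITH_PHRASE = {"mode": NO_MESSAGES, "text": "Project Falcon"}

if __name__ == "__main__":
    print(should_encrypt(CONFIDENTIAL, ORG_DEFAULT_TEXT))
    print(should_encrypt(SSN_MAIL, ORG_DEFAULT_TEXT, cm_rules=CM_RULES))
    print(should_encrypt(FALCON, ORG_OFF_WITH_PHRASE, user={"mode": BASED_ON_ORG}))
    print(should_encrypt(FALCON, ORG_OFF_WITH_PHRASE))
```

The last two calls reproduce the billing-driven scenario: the same message is encrypted for a user who carries the Based on Organization Setting override and is delivered in the clear for a user who relies on the org default, because the org itself is set to No Messages.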

Batch Interface
You can also use the following batch commands for Message Encryption. These
match the functions in the new Encryption Settings page.

The encryption display_user command displays user specific encryption
information.

The encryption list_users command lists all encryption users in this
organization.

The encryption modify_user command modifies encryption settings for a
user.

For information about using batch commands, see the Batch Command
Reference Guide.

View User Encryption Settings
You can view a list of user Message Encryption settings through the
Administration Console.

To view Encryption Settings for All Users

1. In the Orgs & Users, click Users.

2. Click Settings Summary on the far right of the page.

External Encryption settings are listed for each user, on the right side of the page.

This will show a list of Message Encryption settings for all users. If the user's
Message Encryption is set to the org default, the setting will show as blank (-).

To view a list of users with specific encryption settings

1. In the Orgs & Users, click Users.

2. Click Only Encryption Users and choose the settings you'd like to see and
click Search.

A list of user names is shown. All users on the list have the specified Encryption
Settings.

Configure Content Manager for Message Encryption

If you have Content Manager enabled and Message Encryption set to match
specific text, you can set Content Manager rules for Message Encryption.

You can set Content Manager rules to detect text in the sender, recipient, header
or body of the email message. If the rule is triggered, mail will be encrypted with
Message Encryption.

To set up a Content Manager rule for Message Encryption

Before you can set up Content Manager to use Message Encryption, you must set
Message Encryption to match specific text (or default text). See Configure
Encryption for an Organization on page 35 for more information.

1. In the Administration Console, go to the organization that contains your users.

2. In the Org Management page, scroll down to the Outbound Services section
and click Content Manager.

3. If you have not already set up Outbound Content Manager, click Edit. Set
Filter Status to On, and enter any administrator address as the Quarantine
Redirect Address. Click Save.

4. Click Add Filter. Enter a description of the rule in Filter Name.

5. Add the Content Manager rules to describe the text content you want to
detect.

6. Select the Deliver disposition and check Encrypt in the checkbox to the right.

7. Click Save.

Note: If you disable Message Encryption, the Message Encryption disposition
has no effect.

For more information about Content Manager, see Content Manager in the Email
Security Service Administration Guide.

Troubleshooting the Secure Portal

The Secure Portal includes online help, which a recipient can use to get more
information. If the recipient has further problems with the Secure Portal, see below
for troubleshooting help.

What browsers are supported?

Portal Delivery is compatible with:

Internet Explorer 6 SP-1.

Mozilla Firefox 1.06 or later, including Firefox 2.0.

Netscape Navigator 8.0 or later.

Safari 2.0.

Blackberry mobile devices.

Windows Mobile 5.0 devices.

Portal Delivery also requires JavaScript support in the browser.

The recipient didn't receive a notification when an encrypted message was sent.

When secure mail routes through Portal Delivery, a notification is sent by normal
email to the recipient's mail server. If this mail isn't received, it may be a result of
the recipient's mail filtering. Instruct the recipient to add zixmail.net to the
whitelist of any mail filtering service the recipient uses.

Notifications are being quarantined as spam

If Message Encryption notifications sent to you are being quarantined as spam,
add @secure.psmtp.com to the list of approved senders for the email security
service, as well as your firewall or server.

The recipient can't log in to the Secure Portal.

If login problems persist, check the security settings on the recipient's web
browser. The recipient should set security to Medium and be sure cookies are
enabled.

The recipient forgot their password.

A new password can be generated from the login page of the Secure Portal. The
password won't be changed until the email is received and the link in the email is
used.

The recipient can't open an attachment.

Recipients may have problems downloading the attachments. The recipient can
download attachments individually, or download all attachments together as a ZIP
file. Direct the recipient to click these links to download attachments.

If the recipient is having problems downloading a PDF file, it may be a problem
with the recipient's PDF settings. If this happens, the recipient should save the
PDF file to the desktop instead of opening it directly. The recipient can then open
the file on the desktop.

Are secure messages ever sent directly to the recipient?

If both the sender and the recipient are signed up with Message Encryption,
messages are sent directly to the recipient's mail server. Messages are encrypted
on every step of transmission.

The Secure Portal times out as a user is responding to a message

When a user logs in to the portal, they have a limited time to complete their activity
before having to log in again. If the recipient tries to reply and takes longer than
the timeout, the recipient is prompted to log in again and all reply text is lost. The
default session timeout in the Encryption Portal is 20 minutes. This timeout can be
set in a Custom Portal.

Chapter 4

Message Encryption, Inbox Delivery

About Message Encryption, Inbox Delivery


Message Encryption, Inbox Delivery is a component of Encryption Services that
provides enhanced security for confidential email transmission by enforcing
encryption of outbound mail. It allows end users easy access to secure, encrypted
messages.

With Inbox Delivery, an encrypted message is sent to a customer as an encrypted
attachment, which can be opened with a JavaScript-enabled browser.

Features and Benefits


Message Encryption, Inbox Delivery provides the following benefits:

Industry-standard security to protect your confidential email, even across the
Internet. Your confidential mail is protected by 128-bit or better encryption
during all steps of transmission, and stored in the recipient's inbox for the
recipient to read.

Ability to send secure messages to any recipients, even those who do not
have Transport-Layer Security (TLS) enabled on their mail servers.

Ability to receive secure replies to confidential mail, even from recipients who
do not have TLS enabled on their mail servers.

Ability to deliver encrypted messages directly to the recipient, without the
need for a web login.

Ability to read encrypted messages while disconnected from the network.

Ability to encrypt specific messages based on their content using Content
Manager.

Use of industry-leading ZixCorp encryption technology.



Requirements
Using Message Encryption requires that you route your mail through Outbound
Services. For instructions on how to do this, see the Outbound Services
Configuration Guide.

You will also need to enable Transport Layer Security (TLS) on your mail server.
Setting up TLS on your server ensures that your confidential email is secure
throughout transmission. For information on implementing TLS on your mail
server, check your mail server documentation. If you are using multiple servers,
enable TLS on each server that routes mail to the email protection service.

Billing
Billing for Message Encryption is based on the number of users that have
Message Encryption enabled in the Administration Console.

Message Encryption bills for every user in an organization with org-level Message
Encryption set up, including users that don't actively use Message Encryption.
Message Encryption also bills for any individual user with user-level Message
Encryption.

For details about pricing and other billing issues, contact your sales
representative.

How Inbox Delivery Works


Inbox Delivery is normally set on the email config level, and directs all outbound
email for all servers in that email config level. You can also set Inbox Delivery for a
specific org or user. You can set Inbox Delivery to send all outbound mail securely,
or only messages that have been marked for encryption. With Inbox Delivery,
outbound mail is first routed to the email protection service, then is encrypted and
sent as an attachment to the recipient. The attachment includes all the tools
needed to set up a password, read the message, and forward or reply to the
message securely.

1. Sender to Email Security Service

Your outbound email is routed through the email protection service. Confidential
messages are sent to the recipient through Inbox Delivery. Other messages are delivered directly to the
recipient's mail server.

2. Email Security Service to Recipient

Messages routed to Inbox Delivery are encrypted and placed in an HTML file. The
file contains the text of the message (encrypted for security), key information, and
scripts to allow secure decryption. The message is then sent to the recipient.



3. Recipient Decryption
When the recipient receives the message, it includes explanatory text
and an HTML attachment. The recipient opens the attachment in a standard
web browser, which runs JavaScript functions that allow secure reading. If
necessary, the recipient enters a password for future decryption. The recipient
can then open the message, read the text, and reply to or forward the message if desired.

Filtering
Before a message is routed to Message Encryption, the email security service
applies the same filter rules as all outbound mail.

The Email Security Service filters all mail before sending it to the recipient. All
Attachment Manager or Virus filters still apply.

Content Manager rules with a disposition of Message Encryption override any
other Content Manager disposition except Log and Deliver. Content Manager
filters may not apply if you use a Message Encryption rule in Content Manager.

Note: If an outbound message is quarantined, then released from quarantine, it
will be sent through normal mail delivery, not Message Encryption.

Reading Encrypted Messages

When the recipient opens an attachment containing an Inbox Delivery message, it
opens a local web browser.



The first time the user opens a message, the user will be prompted to add a
password.

On subsequent messages, the user is prompted to enter that password to read
the message.

Key information is stored by Inbox Delivery in a separate server used to manage
keys for decrypting messages. The browser connects to that server to update
password information and verify keys.

Depending on the recipient's browser settings, passwords are also stored as
cookies on the recipient's local browser.

If the user forgets the password, a Forgot Your Password? link is available,
which allows the user to send a new message to create a new password.



Once the password is entered and the message is decrypted, the message text is
displayed. Because the message is stored in the attachment, message text can
be displayed even when the recipient is working offline.

Recipients reading the message can then forward or reply to the message
securely using the same browser.

Recipients can also change passwords securely using the same attachment. If a
password changes, previous messages will not be legible until the message is
recovered. Recipients can read old messages that were encrypted using a
previous password by clicking the Recover this Message link.

If the recipient's web browser is unable to run JavaScript, the recipient will be
directed to a secure portal which allows the user to log in and read the message.
This secure portal uses the same mechanism as Message Encryption, Portal
Delivery. For more information about the Secure Portal, see About Message
Encryption, Portal Delivery on page 25. Each message is handled separately; if
JavaScript is later enabled, subsequent messages will open with Inbox Delivery
automatically.

Inbox Delivery Branding

You can customize your Inbox Delivery message in the following ways:

Customize inbox message with company logo or banner

Add a support email address

Change password requirements

Allow or disallow recipients to forward messages securely

Save recipients' passwords (enter-once feature)

Customize branding of portal page (used if the recipient is unable to run the
encrypted attachment)

Contact your account representative for more information about custom branding
for your Inbox Delivery message.



Set Up Inbox Delivery
To set up Inbox Delivery, you'll work with an account representative to enable the
service.

Prerequisites
Using Message Encryption, Inbox Delivery requires that you route your mail
through Outbound Services. For instructions on how to do this, see the Outbound
Services Configuration Guide.

You will also need to enable Transport Layer Security (TLS) on your mail server.
Setting up TLS on your server ensures that your confidential email is secure
throughout transmission. For information on implementing TLS on your mail
server, check your mail server documentation. If you are using multiple servers,
enable TLS on each server that routes mail to the email protection service.

Transport Layer Security (TLS) is an industry standard for secure email. Setting
up TLS usually involves installing a certificate on your mail server. You can use a
purchased certificate, or a self-signed certificate. For information about setting up
TLS, see the documentation for your mail server.

Activate Message Encryption

An Activation Specialist will walk you through activating Message Encryption.
Here is an overview of the steps required to enable Message
Encryption, Inbox Delivery. Each step is described in detail in the sections below.

List Your Domains

List Branding Preferences (optional)

Activation Specialist Adds Domains and Customized Branding

Add DNS Records for your Domain

Configure TLS settings in the Admin Console

Configure Message Encryption

Test Inbox Delivery

List Your Domains

Provide your Activation Specialist with a list of all domains you'll be using with
Encryption Services.



List Branding Preferences (optional)
You can customize the Inbox Delivery messages with your support email address,
logo, password requirements, and any additional text you wish to add. See Inbox
Delivery Branding on page 47 for the complete list of options. Contact your
account representative about setting up customized branding of your Inbox
Delivery message.

Activation Specialist Adds Domains and Customized Branding
Once you have specified your domains, your account representative will add your
domains and customize your branding (if needed). This process requires special
implementation and testing and may take up to 10 days.

Add DNS Records for Your Domain

Message Encryption uses ZixCorp encryption technology, which provides
encryption services and message portal access. These DNS records ensure that
if another ZixCorp customer sends secure mail to you, it will be routed correctly.

To ensure that all incoming mail routes properly, add the following MX records to
your DNS records with first priority:

zixvpm.[domain].com. MX IN 3600 mx35241.zixworks.com
zixvpm.[domain].com. MX IN 3600 mx35242.zixworks.com

This domain needs to be queried explicitly, including the zixvpm subdomain. If these
MX records are not added, replies and some other encrypted traffic will not be routed
properly. These MX records do not affect the filtering of inbound messages.

Contact your DNS administrator or DNS hosting provider to change this setting. Because these are new MX
records, changes take place immediately. You do not need to add an A record.
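A small check for the MX records just described, added here as an example (it is not part of this guide or of any Postini or ZixCorp tooling): it parses the answer lines a "dig +short MX zixvpm.<domain>" query prints and confirms that both zixworks.com hosts are present and that nothing else sits at the same or better preference. The sample answers are constructed, so it runs without network access.

```python
"""Sanity check for the zixvpm MX records of a domain.

Added example, not part of the guide. It reads the answer lines that a
"dig +short MX zixvpm.<domain>" query prints (constructed samples below, so
no network access is needed) and verifies that both zixworks.com hosts are
present and that nothing else sits at the same or better preference.
"""
from __future__ import annotations

# Mail exchangers the guide tells you to publish for zixvpm.[domain].com.
EXPECTED_HOSTS = ("mx35241.zixworks.com", "mx35242.zixworks.com")

# Constructed sample answers, not captured from a real zone.
GOOD_ANSWER = "10 mx35241.zixworks.com.\n10 MX35242.zixworks.com.\n"
BAD_ANSWER = "5 mail.example.com.\n10 mx35241.zixworks.com.\n"


def parse_dig_short_mx(output: str) -> list[tuple[int, str]]:
    """Turn "dig +short MX" output into (preference, host) pairs.

    Each answer line looks like "10 mx35241.zixworks.com."; the trailing dot
    and letter case are normalised so that comparisons are exact.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        pref, host = line.split(None, 1)
        records.append((int(pref), host.rstrip(".").lower()))
    return records


def check_zixvpm_mx(domain: str, records: list[tuple[int, str]]) -> list[str]:
    """Return a list of problems; an empty list means the records look right."""
    name = f"zixvpm.{domain}"
    if not records:
        return [f"no MX records for {name}: replies will not be routed"]
    hosts = {host: pref for pref, host in records}
    best = min(hosts.values())  # the lowest preference value is tried first
    problems = []
    for expected in EXPECTED_HOSTS:
        if expected not in hosts:
            problems.append(f"{name}: missing MX {expected}")
        elif hosts[expected] != best:
            problems.append(
                f"{name}: {expected} has preference {hosts[expected]} but "
                f"preference {best} exists; the zixvpm records must be first"
            )
    for host, pref in hosts.items():
        if host not in EXPECTED_HOSTS and pref <= best:
            problems.append(f"{name}: unexpected host {host} at first priority {pref}")
    return problems


if __name__ == "__main__":
    for label, answer in (("good", GOOD_ANSWER), ("bad", BAD_ANSWER)):
        found = check_zixvpm_mx("example.com", parse_dig_short_mx(answer))
        print(label, "OK" if not found else "\n  ".join(found))
```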

Configure TLS Settings in the Administration Console

In the Administration Console, configure TLS to specify the requirements for
encrypting outbound mail through the email protection service. We recommend
setting outbound TLS to accept only TLS connections, and to attempt to deliver
by TLS to the recipient server. This ensures that all of your mail is as secure as
possible throughout transmission.

To set TLS in the Administration Console:

1. Log in to the Administration Console.

2. In the Outbound Servers tab, click the TLS link.

3. In section 1, click Accept Only TLS.



4. In section 2, click Send by TLS if possible.

5. Click Save to store your settings.

Configure Message Encryption

Set Message Encryption settings in the Administration Console for organizations
or individual users. You can also set up Content Manager rules to encrypt some of
your mail based on the content of the mail.

For information on organization Encryption Settings, see Configure
Encryption for an Organization on page 35.

For information on user Encryption Settings, see Configure Encryption for a
User on page 37.

For information on Message Encryption with Content Manager, see
Configure Content Manager for Message Encryption on page 39.

Test Inbox Delivery

When you have completed these steps, send a Confidential test message to an
outside address to test Inbox Delivery. You should receive a notification at the
recipient address that includes the encrypted message and instructions on how to
open it.

Configure Encryption for an Organization

Inbox Delivery uses the same interface as Portal Delivery in the Administration
Console.

For information about setting up Message Encryption for an organization, see
Configure Encryption for an Organization on page 35.

Configure Encryption for a User

Inbox Delivery uses the same interface as Portal Delivery in the Administration
Console.

For information about setting up Message Encryption for a user, see Configure
Encryption for a User on page 37.

View User Encryption Settings

Inbox Delivery uses the same interface as Portal Delivery in the Administration
Console.

To view a list of user Message Encryption settings through the Administration
Console, see View User Encryption Settings on page 39.

Configure Content Manager for Message Encryption

Inbox Delivery uses the same interface as Portal Delivery in the Administration
Console.

For information about setting up Content Manager for Message Encryption, see
Configure Content Manager for Message Encryption on page 39.

Troubleshooting Inbox Delivery

Why does the recipient get a script error message in Firefox?

Firefox monitors the amount of time it allows a script to run. By default, this is set
to five seconds. Because Inbox Delivery is encoding and decoding the message,
the script often runs longer than this and the recipient gets the error message. The
recipient can click Continue to let the script continue to run, or change the amount
of time that Firefox allows a script to run.

To set the script time-out period in Firefox:

1. Enter about:config in the address bar of Firefox.

2. Enter dom.max_script_run_time in the Filter bar.

3. Double click dom.max_script_run_time to edit this value.

4. Enter a new time limit (for example, 20).

5. Click OK.

Why can't the recipient see the images in Microsoft Internet Explorer?

The Accessibility feature of Internet Explorer can cause the images to display
incorrectly. In Tools->Internet Options, click Accessibility and uncheck Ignore
colors specified on web pages and Ignore font sizes specified on web pages.
Click OK twice to save this change.

Why can't the recipient read attachments in Firefox or Netscape?

The recipient may not have the correct version of the Java Runtime Environment (JRE)
installed. Firefox and Netscape require version 1.4.2 or later. Recipients can
download the latest version of the JRE at http://www.java.com.

What browsers are supported?

Inbox Delivery is compatible with:

Internet Explorer 6 SP-1



Mozilla Firefox 1.06 or later

Netscape Navigator 8.0 or later

Inbox Delivery also requires cookies and JavaScript support in the browser.

What privacy settings are needed?

For supported browsers, use the default security settings or lower.

Are secure messages ever sent directly to the recipient?

If both the sender and the recipient are signed up with Message Encryption,
messages are sent directly to the recipient's mail server. Messages are encrypted
on every step of transmission.

Notifications are being quarantined as spam

If Message Encryption notifications sent to you are being quarantined as spam,
add @secure.psmtp.com to the list of approved senders for the email security
service, as well as on your firewall or mail server.



Chapter 5

Reports

About Reports
Reports provide visibility into the traffic patterns across your organization. The
Administration Console produces reports for Message Encryption under the name
External Encryption. External Encryption reports give information about either
Portal Delivery or Inbox Delivery, depending on which delivery method you use.

Reporting provides extensive analysis into Message Encryption email message
traffic over a span of time that you specify. You may also download report data
and import it into reporting or spreadsheet software for further analysis.

Policy Enforced TLS reports are sorted by sending or receiving domain. Both
inbound and outbound reports are available.

Reports are generally available around noon, Pacific Time, the day after
messages are sent. The time of availability fluctuates with quantity of traffic
processed.

The reports displayed in the Administration Console show the top 20 results. You
can also click the Download link to download reports in a comma-delimited list,
which contains all results.

View a Report
Viewing a report requires selecting the org you wish to report on, specifying
whether or not to include sub-orgs in the report, choosing the time range in the
Report Length field, and choosing the report type. Viewing a report is described in
the steps that follow.

Viewing a Report

1. In the Administration Console, click the Reports tab.

2. Specify Report Length, and whether to include sub orgs.

3. Select the organization from the pull-down list. The total number of registered
users in the organization, including sub-orgs, is displayed above the reports list.

4. Click one of the External Encryption reports: Domain, Account or Activity Log,
or the Inbound or Outbound TLS report: Policy-Enforced by Domain.

Policy-Enforced by Domain
This report contains information on Policy-Enforced TLS filtering, sorted by
domain. For each sending or receiving domain, you will be able to view the
number of messages sent and/or received by Policy-Enforced TLS, and traffic
volumes measured in message size.

The Inbound TLS Policy-Enforced by Domain report shows incoming messages
that were filtered by Policy-Enforced TLS rules. Messages are sorted by sending
domain.

The Outbound TLS Policy-Enforced by Domain report shows outgoing messages
that were filtered by Policy-Enforced TLS rules. Messages are sorted by receiving
domain.

Both reports contain the following fields:

Item          Description
Domain        Sending or receiving domain.
Msgs          Number of messages sent or received through Policy-Enforced TLS.
Msgs Bytes    The total size (in bytes) of all messages sent or received through
              Policy-Enforced TLS.

Outbound External Encryption by Domain

This report contains Message Encryption information on outbound encryption,
sorted by sender domain. Domains that sent the most messages are listed at the
top.

Item                           Description
Domain                         Sending domain.
Msgs Encrypted and Relayed     Number of messages sent through Message Encryption.
% Msgs Encrypted and Relayed   Percentage, by total messages, of messages sent
                               through Message Encryption.
Bytes Encrypted and Relayed    Byte size of messages sent through Message Encryption.
% Bytes Encrypted and Relayed  Percentage, by byte size, of messages sent through
                               Message Encryption.

Outbound External Encryption by Account
Message Encryption information on outbound encryption, sorted by sender
address. Senders who sent the most messages are listed at the top.

Item                           Description
Sender                         Email address of the sender.
Account                        Shows as Y if the sender has a registered user
                               account in the email protection service, or N if the
                               sender is not a registered user account. Aggregate
                               reports show as -.
Msgs Encrypted and Relayed     Number of messages sent through Message Encryption.
% Msgs Encrypted and Relayed   Percentage, by total messages, of messages sent
                               through Message Encryption.
Bytes Encrypted and Relayed    Byte size of messages sent through Message Encryption.
% Bytes Encrypted and Relayed  Percentage, by byte size, of messages sent through
                               Message Encryption.

Outbound External Encryption Activity Log

The Outbound External Encryption Activity Log shows detailed data for outgoing
messages that are sent through Message Encryption.



The logs contain data from the prior day. Timestamps are in PST for most
systems, and GMT for System 200. The log contains a maximum of 5000 lines of
data (the lines are tab-delimited). Once the size limit is reached, logging
continues, with the oldest data deleted first. A sample log entry looks like:

2007/03/24 10:13:21 clara@jumboinc.com jlee@mixateria.com 689

Following are the descriptions of each field in the log.

Item         Description
Timestamp    Time (in GMT) the message is sent.
Sender       Sender's email address.
Recipient    Recipient's email address.
Size         Size (in bytes) of the message sent.
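An added example, not part of this guide and not Postini software: it parses downloaded Activity Log lines in the four-field, tab-delimited format described above and rebuilds the per-sender and per-sender-domain message and byte totals that the by Account and by Domain reports present. The percentage columns of those reports need the total of all outbound mail, which the activity log does not carry, so they are left out; the sample lines are constructed, and only the first mirrors the entry shown in the guide.

```python
"""Rebuild per-sender and per-domain totals from Activity Log lines.

Added example, not from the guide. Parses the tab-delimited log lines
(timestamp, sender, recipient, size in bytes) and sums message counts
and bytes the way the by Account and by Domain reports present them.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from typing import Callable, NamedTuple

MAX_LINES = 5000  # the guide's cap; at this size older lines may have been dropped

# Constructed sample log (tab-separated, as the downloaded log is).
SAMPLE_LOG = (
    "2007/03/24 10:13:21\tclara@jumboinc.com\tjlee@mixateria.com\t689\n"
    "2007/03/24 10:15:02\tclara@jumboinc.com\tbob@example.net\t1200\n"
    "2007/03/24 11:01:47\tdave@jumboinc.com\tjlee@mixateria.com\t311\n"
    "2007/03/24 11:30:00\teve@otherco.example\tjlee@mixateria.com\t5000\n"
)


class LogEntry(NamedTuple):
    timestamp: datetime
    sender: str
    recipient: str
    size: int


def parse_line(line: str) -> LogEntry:
    """Parse one log line; raise ValueError on a malformed line instead of guessing."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 4:
        raise ValueError(f"expected 4 tab-separated fields, got {len(fields)}: {line!r}")
    stamp, sender, recipient, size = fields
    return LogEntry(
        datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"),
        sender.strip().lower(),
        recipient.strip().lower(),
        int(size),
    )


def parse_log(text: str) -> list[LogEntry]:
    """Parse a whole download, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def may_be_truncated(entries: list[LogEntry]) -> bool:
    """True when the log hit the 5000-line cap, so the oldest traffic may be missing."""
    return len(entries) >= MAX_LINES


def totals(entries: list[LogEntry], key: Callable[[LogEntry], str]) -> list[tuple[str, int, int]]:
    """Return (key, msgs, bytes) rows, busiest first, as the reports order them."""
    agg = defaultdict(lambda: [0, 0])
    for entry in entries:
        agg[key(entry)][0] += 1
        agg[key(entry)][1] += entry.size
    rows = [(k, msgs, nbytes) for k, (msgs, nbytes) in agg.items()]
    return sorted(rows, key=lambda row: (-row[1], -row[2], row[0]))


def by_account(entries: list[LogEntry]) -> list[tuple[str, int, int]]:
    """Rows of the by Account report: (Sender, Msgs Encrypted and Relayed, Bytes)."""
    return totals(entries, lambda e: e.sender)


def by_domain(entries: list[LogEntry]) -> list[tuple[str, int, int]]:
    """Rows of the by Domain report, keyed on the sender's domain."""
    return totals(entries, lambda e: e.sender.rsplit("@", 1)[-1])


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("by account:", by_account(log))
    print("by domain: ", by_domain(log))
```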



Index

A
alerts for Policy Enforced TLS 22

B
batch commands
  for Message Encryption 36, 38
  for TLS Alerts 22

C
certificate validation 18
comments about this guide, sending 8
Compose tab 29
Content Manager
  configuring for Inbox Delivery 51
  configuring for Portal Delivery 39
Custom Portal 11, 29, 31
customizing the Inbox Delivery message 47

D
DNS MX records
  Message Encryption, Inbox Delivery 49
  Message Encryption, Portal Delivery 32
documentation, related 7

E
Encryption Services
  how features work together 11
  Policy Enforced TLS and Message Encryption interaction 12
  when features apply 12

F
feedback about this guide, sending 8

L
logs
  Message Encryption 56

M
mail flow
  inbound for Policy Enforced TLS 14
  Message Encryption, Inbox Delivery 44
  Message Encryption, Portal Delivery 26
  outbound for Policy Enforced TLS 16
Message Encryption, Inbox Delivery 11
  batch commands 36, 38
  configuring Content Manager filters 51
  configuring for a user 50
  configuring for organizations 50
  customizing messages 47
  DNS MX records 49
  features and benefits 43
  logs 56
  mail flow 44
  prerequisites 48
  reports 53
  requirements 44
  setup 48
  troubleshooting 51
Message Encryption, Portal Delivery 11
  about 25
  batch commands 36, 38
  configuring Content Manager filters 39
  configuring for a user 37
  configuring for an organization 35
  customizing the portal 29, 31
  DNS MX records 32
  features and benefits 25
  logs 56
  mail flow 26
  prerequisites 30
  reports 53
  requirements 25
  setup 30
  troubleshooting 40
  viewing user settings 37

N
notifications for Message Encryption, Portal Delivery 27

P
Policy Enforced TLS 10
  alerts 22
  batch commands 22
  certificate validation 18
  features and benefits 13
  inbound mail flow 14
  outbound mail flow 16
  reports 53
  requirements 14
Postini Email Security Administration Guide
  related documentation 7

R
related documentation 7
reports
  Message Encryption 53
  Outbound External Encryption Activity Log 56
  Outbound External Encryption by Account 56
  Outbound External Encryption by Domain 55
  Policy Enforced TLS 53
  Policy-Enforced TLS by Domain 54
RFC 2487 18

S
setup
  Message Encryption, Inbox Delivery 48
  Message Encryption, Portal Delivery 31
  Policy Enforced TLS 16
  prerequisites for Message Encryption, Inbox Delivery 44, 48
  prerequisites for Message Encryption, Portal Delivery 25, 30
  prerequisites for Policy Enforced TLS 14

T
Transport-Layer Security (TLS) 9
troubleshooting
  Message Encryption, Inbox Delivery 51
  Message Encryption, Portal Delivery 40