Handling encrypted messages

Administrator Help | Forcepoint Email Security | Version 8.4.x

An email content policy configured in the Data Security module may specify that a message should be encrypted for delivery. If you want to encrypt specific outbound messages, you must create an email DLP policy that includes an encryption action plan in the Data Security module (Main > Policy Management > DLP Policies).

The following types of message encryption are supported:

Mandatory Transport Layer Security (TLS) encryption

Forcepoint email encryption

Third-party encryption application

Secure Message Delivery

Use the Settings > Inbound/Outbound > Encryption page to specify the type of encryption you want to use.

Mandatory Transport Layer Security (TLS) encryption

TLS is an Internet protocol that provides security for all email transmissions—inbound, outbound, and internal. The client and server negotiate a secure "handshake" connection for the transmission to occur, provided both the client and the server support the same version of TLS.

In the Email Security module, if you select only TLS for message encryption and the client and server cannot negotiate a secure TLS connection, the message is sent to a delayed message queue for a later delivery attempt. Select Transport Layer Security (TLS) in the Encryption method drop-down list and the Use TLS only (no backup encryption method; message is queued for later delivery attempt) option to use only TLS for message encryption.

If you select TLS for message encryption, you can designate another encryption options as a backup method, in case the TLS connection fails. Specifying a backup option allows you a second opportunity for message encryption in the event of an unsuccessful TLS connection. If both the TLS and backup connections fail, the message is sent to a delayed message queue for a later connection attempt.

Select the Transport Layer Security (TLS) option in the Encryption method drop-down list to enable TLS encryption. Then mark 1 of the following options to enable a backup encryption method:

Use Forcepoint Email Encryption as backup encryption method. This option is available only if your subscription includes the Forcepoint Email Security - Encryption Module.

Use third-party application as backup encryption method

Use secure message delivery as backup encryption method

Forcepoint email encryption

If you want the email hybrid service to perform message encryption on outbound messages, select the Forcepoint Email Encryption option in the Encryption method drop-down list. Forcepoint email encryption is available only if your subscription includes the Forcepoint Email Security Hybrid Module and the Forcepoint Email Security - Encryption Module, and the email hybrid service is registered and enabled.

You can also specify Forcepoint Email Encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security (TLS) encryption for details.

When an email DLP policy identifies an outbound message for encryption, the message is sent to the email hybrid service via a TLS connection. If the secure connection is not made, the message is placed in a delayed message queue for a later delivery attempt.

The SMTP server addresses used to route email to the email hybrid service for encryption are configured in the Forcepoint Email Security Hybrid Module registration process. Use the Delivery Route page under Settings > Hybrid Service > Hybrid Configuration to add outbound SMTP server addresses (see Define delivery routes).

If the email hybrid service detects spam or a virus in an encrypted outbound message, the mail is returned to the message sender.

The email hybrid service attempts to decrypt inbound encrypted mail, and adds an x-header to the message to indicate whether the decryption operation succeeded. Message analysis is performed regardless of whether message decryption is successful.

The hybrid service does not encrypt inbound or internal mail. A DLP policy must be modified to designate only outbound messages for encryption when the email hybrid service is used.

Find more information about email encryption in Forcepoint Email Encryption in Forcepoint Documentation.

Third-party encryption application

The email protection system supports the use of third-party software for email encryption. The third-party application used must support the use of x-headers for communication with the email system.

You can also specify third-party application encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security (TLS) encryption for details.

The email protection system can be configured to add an x-header to a message that triggers a DLP encryption policy. Other x-headers indicate encryption success or failure. These x-headers facilitate communication between the email system and the encryption software. You must ensure that the x-header settings made in the Encryption page match the corresponding settings in the third-party software configuration.

X-header settings are entered on the Settings > Inbound/Outbound > Encryption page. Select Third-party application in the Encryption method drop-down list to configure the use of external encryption software. Use the following steps to configure third-party application encryption:

Add encryption servers (up to 32) to the Encryption Server List:

Enter each server's IP address or hostname and port number.

If you want to use the MX lookup feature, mark the Enable MX lookup check box.

If you entered an IP address in the previous step, the MX lookup option is not available.

Click the arrow to the right of the Add Encryption Server box to add the server to the Encryption Server List.

If you want to delete a server from the list, select it and click Remove.

In the Encrypted IP address group drop-down list, specify an IP address group if decryption is enabled or if encrypted email is configured to route back to the email software. Default is Encryption Gateway.

If you want users to present credentials to view encrypted mail, mark the Require authentication check box and supply the desired user name and password in the appropriate fields. Authentication must be supported and configured on your encryption server to use this function.

In the Encryption X-Header field, specify an x-header to be added to a message that should be encrypted. This x-header value must also be set and enabled on your encryption server.

In the Encryption Success X-Header field, specify an x-header to be added to a message that has been successfully encrypted. This x-header value must also be set and enabled on your encryption server.

In the Encryption Failure X-Header field, specify an x-header to be added to a message for which encryption has failed. This x-header value must also be set and enabled on your encryption server.

Select any desired encryption failure options:

Mark the Send messages to queue check box if you want to enable that option. Select a queue for these messages from the drop-down list (default is the virus queue).

Mark the Send notification to original sender check box if you want to enable that option.

In the Notification Details section, enter the notification message subject and content in the appropriate fields. Mark the Attach original message check box if you want the original message included as an attachment to the notification message.

Select Deliver message (default) if you want the message that failed the encryption operation delivered.

Select Drop message if you do not want the message that failed the encryption operation delivered.

Mark the Enable decryption check box if you want to decrypt encrypted messages.

Select any desired decryption options:

In the Content type field, enter the message content types to decrypt, separated by semicolons. Maximum length is 49 characters. Default entries include multipart/signed, multipart/encrypted, and application/pkcs7-mime.

In the X-Header field, specify a message x-header that identifies a message to decrypt. This x-header value must also be set and enabled on your encryption server.

In the Decryption X-Header field, specify an x-header to be added to a message that should be decrypted. This x-header value must also be set and enabled on your encryption server.

In the Decryption Success X-Header field, specify an x-header to be added to a message that has been successfully decrypted. This x-header value must also be set and enabled on your encryption server.

In the Decryption Failure X-Header field, specify an x-header to be added to a message for which decryption has failed. This x-header value must also be set and enabled on your encryption server.

If you want to forward a message that has failed decryption to a specific queue, mark the On decryption failure check box, and select a queue for these messages from the drop-down list (default is the virus queue).

Secure Message Delivery

Secure Message Delivery is an on-premises encryption method that lets you configure delivery options for a secure portal in which recipients of your organization's email may view, send, and manage encrypted email. For example, you may wish to include sensitive personal financial information in a message to a client. The portal provides a secure location for the transmission of this data.

Users within your organization who send and receive secure messages handle these messages via their local email clients, not the secure portal.

Secure messages are stored in a default secure-encryption queue (Main > Message Management > Message Queues). You can search for and delete messages in the secure-encryption queue view. Message details may not be viewed. The maximum queue size and number of days a message is retained are configured on the Edit Queue page.

Select Secure Message Delivery from the Encryption method drop-down list to display secure messaging options, including a template for the notification that users receive to alert them to encrypted mail.

You can also specify Secure Message Delivery as a backup encryption method for outbound email if mandatory TLS encryption is selected. See Mandatory Transport Layer Security (TLS) encryption for details.

Use the following steps to configure Secure Message Delivery encryption:

Enter the IP address or hostname for the appliance that hosts the secure message delivery portal (maximum length for hostname is 64 characters).

Entering a hostname rather than an IP address is recommended in order to avoid potential Microsoft Outlook warning messages generated in an end user's inbox by the notification message.


	Important The entry in this field should be mapped to the E1 interface (for a V10000 appliance) or the P1 interface (for a V5000 appliance). Ensure that the interface you use is visible from outside your internal network.

If you have an appliance cluster, enter the IP address or hostname for 1 cluster appliance (primary or secondary). The cluster load balancing function directs traffic appropriately.


	Note Secure messaging uses the same port configured for the Personal Email Manager portal (Settings > Personal Email > Notification Message).

Specify the actions that your customers are allowed to perform in the secure portal, along with the types of recipients to whom these users can send secure messages:

Enforce strong password policy. With this policy in force, an end-user password must meet the following requirements:

Between 8 and 15 characters

At least 1 uppercase letter

At least 1 lowercase letter

At least 1 number

At least 1 special character; supported characters include:

! " # $ & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

End users are prompted to create strong passwords in the Secure Messaging portal.

Maximum message size. Customer message size includes any attachments. Default value is 50 MB; maximum value is 100 MB.

Reply all to secure messages received in the portal. Customer may reply to all message recipients. However, if the Internal domain email addresses only option is selected for Allowed Recipients, user may reply only to recipients inside your organization.

The recipient list cannot be modified for this type of message.

Forward secure messages received in the portal. Customer may forward to allowed recipients any secure message received.

Compose new secure messages within the portal. Customer may compose and send a new secure message to allowed recipients.

Attach files to secure messages sent from the portal. Customer may send an attachment in a secure message

These options are all selected by default.

The Allowed Recipients box offers options for the types of recipients to whom your customer may reply, forward, or send new secure messages. For security purposes, the recipient list must include at least 1 email address within your organization.

Internal domain email addresses only. Only email addresses within your organization's protected domains may be specified as recipients.

Internal and external domain email addresses (at least one internal email address required). Email addresses outside your organization's protected domains may be specified as recipients, but at least 1 address within your domains must be entered (default selection).

See Protected Domain group for more information about determining your protected domains.

The Secure Email End-User Notification area contains a message template for the email that users receive when secure messages sent to them have been delivered to the portal for viewing. Use the default template, or customize it to suit your needs. You must include the $URL$ field in your notification, because that creates the link your customer clicks to access the secure email portal.

Enter 1 sender address for the notification in the Sender field, and specify an email subject in the Subject field. The sender address must belong to your internal protected domain. Because you do not want responses to the notification, ensure that the sender address is configured to drop any direct replies to the notification.

After you have configured your notification message, click Preview Message to view it.

The portal can be displayed in 1 of 9 languages, which the user selects during the registration process. The Forcepoint Secure Messaging User Help is available in Forcepoint Documentation, also in 9 languages. It describes the user registration process and how to use the secure message portal.