Handling encrypted messages
Administrator Help | Forcepoint Email Security | Version 8.5.x
An email content policy configured in the Data Security module may specify that a message should be encrypted for delivery. To encrypt specific outbound messages, you must create an email DLP policy that includes an encryption action plan in the Data Security module (Main > Policy Management > DLP Policies).
The following types of message encryption are supported:
* Mandatory Transport Layer Security encryption
* Forcepoint email encryption
* Third-party encryption application
* Secure Message Delivery
Specify the type of encryption to use on the page Settings > Inbound/Outbound > Encryption.
Mandatory Transport Layer Security encryption
Transport Layer Security (TLS) is an Internet protocol that provides security for all email transmissions—inbound, outbound, and internal. The client and server negotiate a secure "handshake" connection for the transmission to occur, provided both the client and the server support the same version of TLS.
Enable TLS encryption with no backup method
In the Email Security module, if you select only TLS for message encryption and the client and server cannot negotiate a secure TLS connection, the message is sent to a delayed message queue for a later delivery attempt.
1.
Navigate to the page Settings > Inbound/Outbound > Encryption.
2.
From the pull-down menu Encryption method, select Transport Layer Security (TLS).
3.
To use only TLS for message encryption, from TLS Encryption Backup Options, select Use TLS only (no backup encryption method; message is queued for later delivery attempt).
4.
The settings are saved.
Enable TLS encryption with a backup method
If you select TLS for message encryption, you can designate another encryption option as a backup method in case the TLS connection fails. Specifying a backup option allows you a second opportunity for message encryption in the event of an unsuccessful TLS connection. If both the TLS and backup connections fail, the message is sent to a delayed message queue for a later connection attempt.
1.
Navigate to the page Settings > Inbound/Outbound > Encryption.
2.
From the pull-down menu Encryption method, select Transport Layer Security (TLS).
3.
*
This option is available only if your subscription includes the Forcepoint Email Security - Encryption Module.
*
*
Additional options display according to your selection.
4.
See Third-party encryption application and Secure Message Delivery.
5.
The settings are saved.
Forcepoint email encryption
The Forcepoint Email Encryption option enables the email hybrid service to perform message encryption on outbound messages. Forcepoint email encryption is available only if your subscription includes the Forcepoint Email Security Hybrid Module and the Forcepoint Email Security - Encryption Module, and if the email hybrid service is registered and enabled.
You can also specify Forcepoint Email Encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.
When an email DLP policy identifies an outbound message for encryption, the message is sent to the email hybrid service via a TLS connection. If the secure connection is not made, the message is placed in a delayed message queue for a later delivery attempt.
The SMTP server addresses used to route email to the email hybrid service for encryption are configured during the Forcepoint Email Security Hybrid Module registration process. Use the Delivery Route page under Settings > Hybrid Service > Hybrid Configuration to add outbound SMTP server addresses (see Define delivery routes).
If the email hybrid service detects spam or a virus in an encrypted outbound message, the mail is returned to the message sender.
The email hybrid service attempts to decrypt inbound encrypted mail and adds an x-header to the message to indicate whether the decryption operation succeeded. Message analysis is performed regardless of whether message decryption is successful.
The hybrid service does not encrypt inbound or internal mail. A DLP policy must be modified to designate only outbound messages for encryption when the email hybrid service is used.
See Forcepoint Email Security Message Encryption for more information.
Enable Forcepoint email encryption
1.
Navigate to the page Settings > Inbound/Outbound > Encryption.
2.
From the pull-down menu Encryption method, select Forcepoint Email Encryption.
3.
The settings are saved.
Third-party encryption application
The email protection system supports the use of third-party software for email encryption. The third-party application used must support the use of x-headers for communication with the email system.
You can also specify third-party application encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.
The email protection system can be configured to add an x-header to a message that triggers a DLP encryption policy. Other x-headers indicate encryption success or failure. These x-headers facilitate communication between the email system and the encryption software. You must ensure that the x-header settings made on the Encryption page match the corresponding settings in the third-party software configuration.
Configure third-party application encryption
1.
Navigate to the page Settings > Inbound/Outbound > Encryption.
2.
From the pull-down menu Encryption method, select Third-party application.
Applicable configuration options display.
3.
a.
b.
If you entered an IP address in the previous step, the MX lookup option is not available.
c.
Click the arrow to the right of the Add Encryption Server box to add the server to the Encryption Server List.
To delete a server from the list, select it and click Remove.
4.
In the pull-down menu Encrypted IP address group, specify an IP address group if decryption is enabled or if encrypted email is configured to route back to the email software.
The default is Encryption Gateway.
5.
To require users to present credentials to view encrypted mail, mark the check box Require authentication and supply the desired user name and password in the appropriate fields.
Authentication must be supported and configured on your encryption server to use this function.
6.
In the field Encryption X-Header, specify an x-header to be added to a message that should be encrypted.
This x-header value must also be set and enabled on your encryption server.
7.
In the field Encryption Success X-Header, specify an x-header to be added to a message that has been successfully encrypted.
This x-header value must also be set and enabled on your encryption server.
8.
In the field Encryption Failure X-Header, specify an x-header to be added to a message for which encryption has failed.
This x-header value must also be set and enabled on your encryption server.
9.
*
Mark the check box Send messages to queue.
Select a queue for these messages from the pull-down menu. The default is the virus queue.
*
Mark the check box Send notification to original sender.
*
*
*
This is the default.
*
10.
11.
*
In the field Content type, enter the message content types to decrypt, separated by semicolons.
Maximum length is 49 characters. Default entries include multipart/signed, multipart/encrypted, and application/pkcs7-mime.
*
In the field X-Header, specify a message x-header that identifies a message to decrypt.
This x-header value must also be set and enabled on your encryption server.
*
In the field Decryption X-Header, specify an x-header to be added to a message that should be decrypted.
This x-header value must also be set and enabled on your encryption server.
*
In the field Decryption Success X-Header, specify an x-header to be added to a message that has been successfully decrypted.
This x-header value must also be set and enabled on your encryption server.
*
In the field Decryption Failure X-Header, specify an x-header to be added to a message for which decryption has failed.
This x-header value must also be set and enabled on your encryption server.
*
To forward a message that has failed decryption to a specific queue, mark the check box On decryption failure and select a queue for these messages from the pull-down menu.
The default is the virus queue.
12.
The settings are saved.
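The x-header hand-off configured in steps 6 through 11 is a small two-party protocol: the email system stamps a request header on a message the DLP policy selected, the encryption server acts on it and stamps an outcome header, and the email system routes the message on that outcome. The script below is an added illustration of that contract, not Forcepoint code or part of this Help. The header names (X-Example-...), the queue name and the sample messages are constructed placeholders; the real values are whatever you enter on the Encryption page and must be mirrored in the encryption server's configuration. The simulated server deliberately lets you configure its own header names so you can see what a mismatch looks like from the gateway's side.

```python
"""Simulate the x-header contract between an email gateway and a third-party
encryption server (added example; header names, queue names and messages are
constructed, not taken from any product configuration)."""
from dataclasses import dataclass
from email import message_from_string
from email.message import Message


@dataclass
class XHeaderConfig:
    # Placeholder names standing in for the values entered on the Encryption page.
    encrypt: str = "X-Example-Encrypt"
    encrypt_success: str = "X-Example-Encrypt-Success"
    encrypt_failure: str = "X-Example-Encrypt-Failure"
    decrypt_identify: str = "X-Example-Encrypted"      # "X-Header" field in step 11
    decrypt_success: str = "X-Example-Decrypt-Success"
    decrypt_failure: str = "X-Example-Decrypt-Failure"
    # Semicolon-separated list, matching the page's default entries.
    decrypt_content_types: str = "multipart/signed;multipart/encrypted;application/pkcs7-mime"
    failure_queue: str = "virus"                        # page default for both failure paths


def parse_content_types(value: str) -> set[str]:
    """Split the Content type field on semicolons, ignoring blanks and case."""
    return {ct.strip().lower() for ct in value.split(";") if ct.strip()}


def mark_for_encryption(msg: Message, cfg: XHeaderConfig) -> Message:
    """Gateway side: a DLP policy matched, so add the Encryption X-Header.
    The server keys on the header's presence, so the value is arbitrary."""
    if cfg.encrypt not in msg:           # Message.__contains__ is case-insensitive
        msg[cfg.encrypt] = "yes"
    return msg


def encryption_server(msg: Message, server_cfg: XHeaderConfig, succeed: bool = True) -> Message:
    """Stand-in for the third-party server: it only acts when its own
    configured request header is present, and stamps its own outcome header."""
    if server_cfg.encrypt in msg:
        msg[server_cfg.encrypt_success if succeed else server_cfg.encrypt_failure] = "1"
    return msg


def route_after_encryption(msg: Message, cfg: XHeaderConfig) -> tuple[str, str]:
    """Gateway side: (action, detail) for a message back from the server.
    'pending' means neither outcome header was seen, which is also what a
    header-name mismatch between the two configurations looks like."""
    if cfg.encrypt_success in msg:
        return ("deliver", "")
    if cfg.encrypt_failure in msg:
        return ("queue", cfg.failure_queue)
    return ("pending", "")


def needs_decryption(msg: Message, cfg: XHeaderConfig) -> bool:
    """Inbound side: decrypt when the identifying x-header is present or the
    top-level Content-Type is one of the configured types."""
    if cfg.decrypt_identify in msg:
        return True
    return msg.get_content_type() in parse_content_types(cfg.decrypt_content_types)


def route_after_decryption(msg: Message, cfg: XHeaderConfig) -> tuple[str, str]:
    """Same shape as route_after_encryption, for the decryption outcome headers."""
    if cfg.decrypt_success in msg:
        return ("analyze", "")
    if cfg.decrypt_failure in msg:
        return ("queue", cfg.failure_queue)
    return ("pending", "")


# Constructed sample messages (not real traffic).
OUTBOUND = (
    "From: alice@example.com\nTo: bob@example.net\nSubject: Q3 figures\n"
    "Content-Type: text/plain\n\nQuarterly numbers attached.\n"
)
INBOUND_SMIME = (
    "From: carol@example.net\nTo: alice@example.com\nSubject: contract\n"
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\n"
    "MIAGCSqGSIb3DQEHA6CAMIACAQAxggEw...\n"
)


def demo() -> dict:
    """Walk one message through the happy path, a failure and a mismatch."""
    gw = XHeaderConfig()
    ok = encryption_server(mark_for_encryption(message_from_string(OUTBOUND), gw), gw)
    failed = encryption_server(mark_for_encryption(message_from_string(OUTBOUND), gw), gw, succeed=False)
    # Server configured with a different success header name than the gateway.
    mismatched = XHeaderConfig(encrypt_success="X-Other-Success")
    limbo = encryption_server(mark_for_encryption(message_from_string(OUTBOUND), gw), mismatched)
    return {
        "ok": route_after_encryption(ok, gw),
        "failed": route_after_encryption(failed, gw),
        "mismatch": route_after_encryption(limbo, gw),
        "inbound_needs_decrypt": needs_decryption(message_from_string(INBOUND_SMIME), gw),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "mismatch" case is the one worth testing against your real setup: if the header name on the Encryption page and the one in the encryption server differ by even one character, the server never sees the request (or the gateway never sees the outcome), and messages sit in neither the delivered nor the failure path.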
Secure Message Delivery
Secure Message Delivery is an on-premises encryption method used to configure delivery options for a secure portal in which recipients of your organization's email may view, send, and manage encrypted email. For example, you may wish to include sensitive personal financial information in a message to a client. The portal provides a secure location for the transmission of this data.
Users within your organization who send and receive secure messages handle these messages via their local email clients, not the secure portal.
Secure messages are stored in a default secure-encryption queue (Main > Message Management > Message Queues). Search for and delete messages in the secure-encryption queue view. Message details may not be viewed. The maximum queue size and number of days a message is retained are configured on the Edit Queue page. See Managing message queues.
You can also specify Secure Message Delivery as a backup encryption method for outbound email if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.
The Secure Message portal can be displayed in one of nine languages, which the end user selects during the registration process. The Forcepoint Secure Messaging User Help is available in Forcepoint Documentation, also in nine languages. It describes the user registration process and how to use the secure message portal.
Note: When advanced file analysis is enabled (see Selecting advanced file analysis platform), and the advanced file analysis filter is configured in Enforce mode with the option to send an enforcement notification (see Advanced file analysis), replies to messages from the Secure Message Delivery portal will include a plain text file, or only the filename, until analysis is complete.
Configure Secure Message Delivery encryption
1.
Navigate to the page Settings > Inbound/Outbound > Encryption.
2.
From the pull-down menu Encryption method, select Secure Message Delivery.
3.
The maximum length for the hostname is 64 characters.
Entering a hostname rather than an IP address is recommended, to avoid potential Microsoft Outlook warning messages generated in an end user's inbox by the notification message.
Important: If you have an appliance cluster, enter the IP address or hostname for one cluster appliance (primary or secondary). The cluster load balancing function directs traffic appropriately.
 
Note 
4.
*
With this policy in force, an end-user password must meet the following requirements:
*
*
*
*
*
! " # $ & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
End users are prompted to create strong passwords in the Secure Message portal.
*
Use this option to determine whether to allow images to display in secure messages viewed in the Secure Message portal. For security, this option is disabled by default.
 
Warning 
*
End-user message size includes any attachments. The default value is 50 MB; maximum value is 100 MB.
*
An end user may reply to all message recipients. However, if the option Internal domain email addresses only is selected for Allowed Recipients, the user may reply only to recipients inside your organization.
The recipient list cannot be modified for this type of message.
*
An end user may forward any secure message received to allowed recipients.
*
An end user may compose and send a new secure message to allowed recipients.
*
An end user may send an attachment in a secure message.
These options are all selected by default.
The Allowed Recipients box offers options for the types of recipients to whom your customer may reply, forward, or send new secure messages. For security purposes, the recipient list must include at least one email address within your organization.
*
Internal domain email addresses only. Only email addresses within your organization's protected domains may be specified as recipients.
*
Internal and external domain email addresses (at least one internal email address required). Email addresses outside your organization's protected domains may be specified as recipients, but at least one address within your domains must be entered (default selection).
See Protected Domain group for more information about determining your protected domains.
5.
*
The $URL$ field must be included in your notification because it creates the link the end user clicks to access the secure email portal.
*
In the field Sender, enter one sender address for the notification.
The sender address must belong to your internal protected domain. Because you do not want responses to the notification, ensure that the sender address is configured to drop any direct replies to the notification.
*
In the field Subject, enter an email subject.
Any customizations you make to the notification email template are lost when upgrading to a new version of Forcepoint Email Security. After upgrade, you will need to reconfigure your customized templates.
6.
7.
The settings are saved.
Copyright 2022 Forcepoint. All rights reserved.