Handling encrypted messages

Administrator Help | Forcepoint Email Security | Version 8.5.x

An email content policy configured in the Data Security module may specify that a message should be encrypted for delivery. To encrypt specific outbound messages, you must create an email DLP policy that includes an encryption action plan in the Data Security module (Main > Policy Management > DLP Policies).

The following types of message encryption are supported:

Mandatory Transport Layer Security encryption

Forcepoint email encryption

Third-party encryption application

Secure Message Delivery

Specify the type of encryption to use on the page Settings > Inbound/Outbound > Encryption.

Mandatory Transport Layer Security encryption

Transport Layer Security (TLS) is an Internet protocol that provides security for all email transmissions—inbound, outbound, and internal. The client and server negotiate a secure "handshake" connection for the transmission to occur, provided both the client and the server support the same version of TLS.

Enable TLS encryption with no backup method

In the Email Security module, if you select only TLS for message encryption and the client and server cannot negotiate a secure TLS connection, the message is sent to a delayed message queue for a later delivery attempt.

Navigate to the page Settings > Inbound/Outbound > Encryption.

From the pull-down menu Encryption method, select Transport Layer Security (TLS).

Use only TLS for message encryption; from TLS Encryption Backup Options, select Use TLS only (no backup encryption method; message is queued for later delivery attempt).

Click OK.

The settings are saved.

Enable TLS encryption with a backup method

If you select TLS for message encryption, you can designate another encryption option as a backup method in case the TLS connection fails. Specifying a backup option allows you a second opportunity for message encryption in the event of an unsuccessful TLS connection. If both the TLS and backup connections fail, the message is sent to a delayed message queue for a later connection attempt.

Navigate to the page Settings > Inbound/Outbound > Encryption.

From the pull-down menu Encryption method, select Transport Layer Security (TLS).

From TLS Encryption Backup Options, select one of the following options:

Use Forcepoint Email Encryption as backup encryption method

This option is available only if your subscription includes the Forcepoint Email Security - Encryption Module.

Use third-party application as backup encryption method

Use secure message delivery as backup encryption method

Additional options display according to your selection.

Configure the settings for the selected backup method.

See Third-party encryption application and Secure Message Delivery.

Click OK.

The settings are saved.

Forcepoint email encryption

The Forcepoint Email Encryption option enables the email hybrid service to perform message encryption on outbound messages. Forcepoint email encryption is available only if your subscription includes the Forcepoint Email Security Hybrid Module and the Forcepoint Email Security - Encryption Module, and if the email hybrid service is registered and enabled.

You can also specify Forcepoint Email Encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.

When an email DLP policy identifies an outbound message for encryption, the message is sent to the email hybrid service via a TLS connection. If the secure connection is not made, the message is placed in a delayed message queue for a later delivery attempt.

The SMTP server addresses used to route email to the email hybrid service for encryption are configured during the Forcepoint Email Security Hybrid Module registration process. Use the Delivery Route page under Settings > Hybrid Service > Hybrid Configuration to add outbound SMTP server addresses (see Define delivery routes).

If the email hybrid service detects spam or a virus in an encrypted outbound message, the mail is returned to the message sender.

The email hybrid service attempts to decrypt inbound encrypted mail and adds an x-header to the message to indicate whether the decryption operation succeeded. Message analysis is performed regardless of whether message decryption is successful.

The hybrid service does not encrypt inbound or internal mail. A DLP policy must be modified to designate only outbound messages for encryption when the email hybrid service is used.

See Forcepoint Email Security Message Encryption for more information.

Enable Forcepoint email encryption

Navigate to the page Settings > Inbound/Outbound > Encryption.

From the pull-down menu Encryption method, select Forcepoint Email Encryption.

Click OK.

The settings are saved.

Third-party encryption application

The email protection system supports the use of third-party software for email encryption. The third-party application used must support the use of x-headers for communication with the email system.

You can also specify third-party application encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.

The email protection system can be configured to add an x-header to a message that triggers a DLP encryption policy. Other x-headers indicate encryption success or failure. These x-headers facilitate communication between the email system and the encryption software. You must ensure that the x-header settings made on the Encryption page match the corresponding settings in the third-party software configuration.

Configure third-party application encryption

Navigate to the page Settings > Inbound/Outbound > Encryption.

From the pull-down menu Encryption method, select Third-party application.

Applicable configuration options display.

Add encryption servers (up to 32) to the Encryption Server List:

Enter the IP address or hostname and port number of each server.

Use the MX lookup feature; mark the check box Enable MX lookup.

If you entered an IP address in the previous step, the MX lookup option is not available.

Click the arrow to the right of the Add Encryption Server box to add the server to the Encryption Server List.

Delete a server from the list; select it and click Remove.

In the pull-down menu Encrypted IP address group, specify an IP address group if decryption is enabled or if encrypted email is configured to route back to the email software.

The default is Encryption Gateway.

Configure users to present credentials to view encrypted mail; mark the check box Require authentication and supply the desired user name and password in the appropriate fields.

Authentication must be supported and configured on your encryption server to use this function.

In the field Encryption X-Header, specify an x-header to be added to a message that should be encrypted.

This x-header value must also be set and enabled on your encryption server.

In the field Encryption Success X-Header, specify an x-header to be added to a message that has been successfully encrypted.

This x-header value must also be set and enabled on your encryption server.

In the field Encryption Failure X-Header, specify an x-header to be added to a message for which encryption has failed.

This x-header value must also be set and enabled on your encryption server.

Select any desired encryption failure options:

Mark the check box Send messages to queue.

Select a queue for these messages from the pull-down menu. The default is the virus queue.

Mark the check box Send notification to original sender.

In the section Notification Details, enter the notification message subject and content in the appropriate fields.

Include the original message as an attachment to the notification message; mark the check box Attach original message.

Deliver the message that failed the encryption operation; select Deliver message.

This is the default.

Do not deliver the message that failed the encryption operation; select Drop message.

10.

Decrypt encrypted messages; mark the check box Enable decryption

11.

Select any desired decryption options:

In the field Content type, enter the message content types to decrypt, separated by semicolons.

Maximum length is 49 characters. Default entries include multipart/signed, multipart/encrypted, and application/pkcs7-mime.

In the field X-Header, specify a message x-header that identifies a message to decrypt.

This x-header value must also be set and enabled on your encryption server.

In the field Decryption X-Header, specify an x-header to be added to a message that should be decrypted.

This x-header value must also be set and enabled on your encryption server.

In the field Decryption Success X-Header, specify an x-header to be added to a message that has been successfully decrypted.

This x-header value must also be set and enabled on your encryption server.

In the field Decryption Failure X-Header, specify an x-header to be added to a message for which decryption has failed.

This x-header value must also be set and enabled on your encryption server.

Forward a message that has failed decryption to a specific queue; mark the check box On decryption failure and select a queue for these messages from the pull-down menu.

The default is the virus queue.

12.

Click OK.

The settings are saved.

Secure Message Delivery

Secure Message Delivery is an on-premises encryption method used to configure delivery options for a secure portal in which recipients of your organization's email may view, send, and manage encrypted email. For example, you may wish to include sensitive personal financial information in a message to a client. The portal provides a secure location for the transmission of this data.

Users within your organization who send and receive secure messages handle these messages via their local email clients, not the secure portal.

Secure messages are stored in a default secure-encryption queue (Main > Message Management > Message Queues). Search for and delete messages in the secure-encryption queue view. Message details may not be viewed. The maximum queue size and number of days a message is retained are configured on the Edit Queue page. See Managing message queues.

You can also specify Secure Message Delivery as a backup encryption method for outbound email if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.

The Secure Message portal can be displayed in one of nine languages, which the end user selects during the registration process. The Forcepoint Secure Messaging User Help is available in Forcepoint Documentation, also in nine languages. It describes the user registration process and how to use the secure message portal.


	Note When advanced file analysis is enabled (see Selecting advanced file analysis platform), and the advanced file analysis filter is configured in Enforce mode with the option to send an enforcement notification (see Advanced file analysis), replies to messages from the Secure Message Delivery portal will include a plain text file, or only the filename, until analysis is complete.

Configure Secure Message Delivery encryption

Navigate to the page Settings > Inbound/Outbound > Encryption.

From the pull-down menu Encryption method, select Secure Message Delivery.

Enter the IP address or hostname for the appliance that hosts the secure message delivery portal.

The maximum length for the hostname is 64 characters.

Entering a hostname rather than an IP address is recommended, to avoid potential Microsoft Outlook warning messages generated in an end user's inbox by the notification message.


	Important The entry in this field should be mapped to the E1 interface (for a V10000 appliance) or the P1 interface (for a V5000 appliance). Ensure that the interface you use is visible from outside your internal network.

If you have an appliance cluster, enter the IP address or hostname for one cluster appliance (primary or secondary). The cluster load balancing function directs traffic appropriately.


	Note Secure messaging uses the same port configured for the Personal Email Manager portal (Settings > Personal Email > Notification Message).

Specify the actions that your users are allowed to perform in the secure portal, along with the types of recipients to whom these users can send secure messages:

Enforce strong password policy

With this policy in force, an end-user password must meet the following requirements:

Between eight and 15 characters

At least one uppercase letter

At least one lowercase letter

At least one number

At least one special character; supported characters include:

! " # $ & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

End users are prompted to create strong passwords in the Secure Message portal.

Display images within messages viewed in the Secure Message Portal

Use this option to determine whether to allow images to display in secure messages viewed in the Secure Message portal. For security, this option is disabled by default.


	Warning Enabling this feature is not recommended, because a malicious script hosted remotely could be disguised in the email as an image, allowing the attacker to compromise your system.

Maximum message size

End-user message size includes any attachments. The default value is 50 MB; maximum value is 100 MB.

Reply all to secure messages received in the portal

An end user may reply to all message recipients. However, if the option Internal domain email addresses only is selected for Allowed Recipients, the user may reply only to recipients inside your organization.

The recipient list cannot be modified for this type of message.

Forward secure messages received in the portal

An end user may forward any secure message received to allowed recipients.

Compose new secure messages within the portal

An end user may compose and send a new secure message to allowed recipients.

Attach files to secure messages sent from the portal

An end user may send an attachment in a secure message

These options are all selected by default.

The Allowed Recipients box offers options for the types of recipients to whom your customer may reply, forward, or send new secure messages. For security purposes, the recipient list must include at least one email address within your organization.

Internal domain email addresses only. Only email addresses within your organization's protected domains may be specified as recipients.

Internal and external domain email addresses (at least one internal email address required). Email addresses outside your organization's protected domains may be specified as recipients, but at least one address within your domains must be entered (default selection).

See Protected Domain group for more information about determining your protected domains.

From the Secure Email End-User Notification section, configure the notification email that users receive when secure messages sent to them have been delivered to the portal for viewing.

Use the default message or customize it to suit your needs.

The $URL$ field must be included in your notification because it creates the link the end user clicks to access the secure email portal.

In the field Sender, enter one sender address for the notification.

The sender address must belong to your internal protected domain. Because you do not want responses to the notification, ensure that the sender address is configured to drop any direct replies to the notification.

In the field Subject, enter an email subject.

Any customizations you make to the notification email template are lost when upgrading to a new version of Forcepoint Email Security. After upgrade, you will need to reconfigure your customized templates.

After you have configured your notification message, click Preview Message to view it.

Click OK.

The settings are saved.