Third-party application message encryption

Email Encryption | Forcepoint Email Security | Updated: 29-Apr-2022


Applies To:	Forcepoint Email Security v8.5.x

Forcepoint Email Security supports the use of third-party software for message encryption. Enable this encryption method by selecting the option Third-party application in the pull-down menu Encryption method (Settings > Inbound/Outbound > Encryption).

The third-party application must support the use of x-headers for communication with the Email Security module.

Forcepoint Email Security can be configured to add an x-header to a message that triggers an encryption policy. Other x-headers can indicate encryption success or failure. These x-headers facilitate communication between the email protection system and the third-party encryption software. You must ensure that the x-header settings made on the Encryption page of the Email Security module match the corresponding settings in the third-party software configuration. See Forcepoint Email Security Administrator Help for information about configuring the Email Security module for a third-party encryption application.

It is also necessary to configure an outbound email DLP policy in the Data Security module. See Forcepoint DLP Administrator Help for details about configuring an email DLP policy with an encryption action plan. See Creating an email DLP policy for encryption for a sample email DLP policy configuration.

Preparations for using third-party application encryption also involve the following tasks:

Setting the encryption gateway IP address

Setting the encryption gateway options

Setting the encryption gateway IP address

Perform the following steps in the Security Manager Email Security module to configure the encryption gateway IP address:

On the page Settings > Inbound/Outbound > IP Groups, from the IP Address Group List, click Encryption Gateway.

From the IP Address Group box, enter the IP address of your encryption gateway machine in the IP address field.

Click the arrow button to add the address to the Added IP Addresses list.

Click OK.

Setting the encryption gateway options

Perform the following steps in the Email Security module to configure the encryption gateway options:

On the page Settings > Inbound/Outbound > Encryption, from the pull-down menu Encryption method, select Third-party application.

In the Add Encryption Server area, enter the IP address (or hostname) and port of your encryption gateway server.

Enable the MX lookup function; mark the check box Enable MX lookup.

Important

If you entered an IP address in the previous step, the MX lookup option is not available.

If you entered a hostname in the previous step, this option is available.

Mark the check box Enable MX lookup for encrypted message routing based on the hostname MX record.

If you do not mark this check box, encrypted message routing is based on the hostname A record.

Click the arrow button to add this information to the Encryption Server List.

In the pull-down menu Encrypted IP address group, ensure that Encryption Gateway is displayed.

This selection helps to prevent the creation of an email routing loop.

Ensure that users present credentials to view encrypted mail, mark the check box Require authentication and supply the desired user name and password in the appropriate fields.

Authentication must be supported and configured on your encryption server to use this function.

In the field Encryption X-header, enter the header name and value that you created in your third-party application using the following format:

header name:value

In the field Encryption success X-header, enter the header name and value that you created in your third-party application for the encryption success header using the format shown in the previous step.

In the field Encryption failure X-header, enter the header name and value that you created in your third-party application for the encryption failure header using the format shown in step 7.

10.

Click OK.