Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Forcepoint DLP Email Gateway Administrator Help > Handling encrypted messages
Handling encrypted messages
Administrator Help | Forcepoint DLP Email Gateway | Version 8.5.x
An email content policy configured in the Data Security module may specify that a message should be encrypted for delivery. To encrypt specific outbound messages, you must create an email DLP policy that includes an encryption action plan in the Data Security module (Main > Policy Management > DLP Policies).
The following types of message encryption are supported:
*
Mandatory Transport Layer Security encryption
*
Third-party encryption application
Specify the type of encryption to use on the page Settings > Inbound/Outbound > Encryption.
Mandatory Transport Layer Security encryption
Transport Layer Security (TLS) is an Internet protocol that provides security for all email transmissions—inbound, outbound, and internal. The client and server negotiate a secure "handshake" connection for the transmission to occur, provided both the client and the server support the same version of TLS.
Enable TLS encryption with no backup method
In the Email Security module, if you select only TLS for message encryption and the client and server cannot negotiate a secure TLS connection, the message is sent to a delayed message queue for a later delivery attempt.
1.
Navigate to the page Settings > Inbound/Outbound > Encryption.
2.
From the pull-down menu Encryption method, select Transport Layer Security (TLS).
3.
Use only TLS for message encryption; from TLS Encryption Backup Options, select Use TLS only (no backup encryption method; message is queued for later delivery attempt).
4.
Click OK.
The settings are saved.
Enable TLS encryption with a backup method
If you select TLS for message encryption, you can designate a third-party application as a backup method in case the TLS connection fails. Specifying a backup option allows you a second opportunity for message encryption in the event of an unsuccessful TLS connection. If both the TLS and backup connections fail, the message is sent to a delayed message queue for a later connection attempt.
1.
Navigate to the page Settings > Inbound/Outbound > Encryption.
2.
From the pull-down menu Encryption method, select Transport Layer Security (TLS).
3.
Enable a backup encryption method; from TLS Encryption Backup Options, select Use third-party application as backup encryption method.
Additional options display according to your selection.
4.
Configure the settings for the selected backup method.
See Third-party encryption application.
5.
Click OK.
The settings are saved.
Third-party encryption application
The email protection system supports the use of third-party software for email encryption. The third-party application used must support the use of x-headers for communication with the email system.
You can also specify third-party application encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.
The email protection system can be configured to add an x-header to a message that triggers a DLP encryption policy. Other x-headers indicate encryption success or failure. These x-headers facilitate communication between the email system and the encryption software. You must ensure that the x-header settings made on the Encryption page match the corresponding settings in the third-party software configuration.
Configure third-party application encryption
1.
Navigate to the page Settings > Inbound/Outbound > Encryption.
2.
From the pull-down menu Encryption method, select Third-party application.
Applicable configuration options display.
3.
Add encryption servers (up to 32) to the Encryption Server List:
a.
Enter the IP address or hostname and port number of each server.
b.
Use the MX lookup feature; mark the check box Enable MX lookup.
c.
Click the arrow to the right of the Add Encryption Server box to add the server to the Encryption Server List.
Delete a server from the list; select it and click Remove.
4.
In the pull-down menu Encrypted IP address group, specify an IP address group if encrypted email is configured to route back to the email software.
The default is Encryption Gateway.
5.
Configure users to present credentials to view encrypted mail; mark the check box Require authentication and supply the desired user name and password in the appropriate fields.
Authentication must be supported and configured on your encryption server to use this function.
6.
In the field Encryption X-Header, specify an x-header to be added to a message that should be encrypted.
This x-header value must also be set and enabled on your encryption server.
7.
In the field Encryption Success X-Header, specify an x-header to be added to a message that has been successfully encrypted.
This x-header value must also be set and enabled on your encryption server.
8.
In the field Encryption Failure X-Header, specify an x-header to be added to a message for which encryption has failed.
This x-header value must also be set and enabled on your encryption server.
9.
Select any desired encryption failure options:
*
Mark the check box Send notification to original sender.
*
In the section Notification Details, enter the notification message subject and content in the appropriate fields.
*
Include the original message as an attachment to the notification message; mark the check box Attach original message.
*
Deliver the message that failed the encryption operation; select Deliver message.
This is the default.
*
Do not deliver the message that failed the encryption operation; select Drop message.
10.
Click OK.
The settings are saved.
 
 

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Forcepoint DLP Email Gateway Administrator Help > Handling encrypted messages
Copyright 2022 Forcepoint. All rights reserved.