Managing Messages
 
Administrator Help | Forcepoint Email Security | Version 8.5.x
 
Configuring message properties
Email message control properties allow you to set message size and volume limits, and to determine how invalid recipients are handled. The following settings are configured on the page Settings > Inbound/Outbound > Message Control:
Setting size properties
Use the Message Size Options to configure message size properties, such as setting a maximum message size or data size per connection.
Configure message size options

Navigate to the page Settings > Inbound/Outbound > Message Control.

From the section Message Size Options, mark the check box Limit message size.
This is the default setting. Selection enables the corresponding text field Maximum message size.

In the text field Maximum message size, enter a maximum message size in KB, from 1–102400 KB.
The default is 10,240. This setting can prevent very large messages from using valuable bandwidth.

Selection enables the corresponding text field Maximum data size.

In the text field Maximum data size, enter a maximum data size in KB, from 1–204800.
The default is 20,480 KB. This setting can help limit the receipt of messages with very large attachments, which can take up valuable bandwidth.

The settings are saved.
Setting volume properties
Use the Message Volume Options to configure message volume properties, such as limiting the number of messages per connection or recipients per message.
Configure message volume properties

Navigate to the page Settings > Inbound/Outbound > Message Control.

From the section Message Volume Options, mark the check box Limit number of messages per connection.
Selection enables the corresponding text field Maximum number of messages.

In the text field Maximum number of messages, enter a maximum number of messages per connection, from 1–65535.
The default is 30.

Mark the check box Limit number of recipients per message.
Selection enables the corresponding text field Maximum number of recipients.

In the text field Maximum number of recipients, enter a maximum number of recipients, from 1–4096.
The default is 20. This can save bandwidth by preventing one message from being sent to hundreds of users.

The settings are saved.
Configuring invalid recipient settings
Use the Invalid Recipient Options to configure invalid recipient settings, such as allowing invalid recipients.
Configure invalid recipient settings

Navigate to the page Settings > Inbound/Outbound > Message Control.

This option is available only when recipient validation is configured on the page Settings > Users > User Authentication. See Managing user validation/authentication options. Selection enables the corresponding text field and check box.

In the text field Block message if the percentage of invalid recipients is at least, enter a value for the percentage of invalid recipients that determines if a message is blocked.
The default is 100%.

Enable the system to send a non-delivery report notification; mark the check box Send non-delivery report (NDR) only if a message is not blocked.

The settings are saved.
Enabling archive message options
Use the Message Archive Queue settings to save all incoming messages to an archive message queue before they are scanned. Enabling this feature can impact storage capacity and system performance.
Enable message archive queue

Navigate to the page Settings > Inbound/Outbound > Message Control.

This option is disabled by default.

The settings are saved. View the archive queue by clicking archive in the queue list on the page Main > Message Management > Message Queues. See Managing message queues.
Enabling message sender verification
Use the Internal Sender Verification settings to ensure that an internal email sender is an authenticated user. This operation performs a check to confirm that an email sender from an internal domain is also an authenticated user. For email to pass this check function, a mail sender's address must match the sender's login authentication entry.
Enable internal sender verification

Navigate to the page Settings > Inbound/Outbound > Message Control.

This option is disabled by default.

The settings are saved.
Enabling bounce address tag validation (BATV)
Bounce address tag validation (BATV) is a method for determining whether a bounce message to an address in your protected domain is valid. This method helps to prevent backscatter spam, in which a bounce message to your organization contains a forged recipient address.
With BATV enabled, the sender address of outbound email is marked with a unique tag. A bounce message addressed to that sender is examined for the presence of that unique tag. If the tag is detected, the bounce message is cleared for delivery. A bounce message without the tag is blocked.
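The tag-and-check cycle described above, as an added example that is not Forcepoint code: the page does not describe the tag format, so this uses the prvs layout from the BATV Internet-Draft, and the HMAC secret, key id and 7-day lifetime are constructed for the example.

```python
"""BATV-style bounce address tagging and checking (prvs layout, added example)."""
import hashlib
import hmac
import re
import time

# prvs=<1-digit key id><3-digit expiry day><6 hex HMAC chars>=<original address>
TAG_RE = re.compile(r"^prvs=(?P<key>\d)(?P<day>\d{3})(?P<sig>[0-9a-fA-F]{6})=(?P<orig>.+)$")
MAX_LIFETIME_DAYS = 30  # an expiry day further ahead than this cannot be one of ours


def _day_number(now=None):
    """Days since the Unix epoch (now in epoch seconds); the tag stores this mod 1000."""
    return int(time.time() if now is None else now) // 86400


def _signature(secret, key_id, exp_day, orig):
    """First 6 hex characters of HMAC-SHA256 over key id, expiry day and address."""
    msg = f"{key_id}{exp_day:03d}{orig}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(orig, secret, key_id=0, lifetime_days=7, now=None):
    """Rewrite an outbound envelope sender so that genuine bounces carry the tag."""
    exp_day = (_day_number(now) + lifetime_days) % 1000
    sig = _signature(secret, key_id, exp_day, orig)
    return f"prvs={key_id}{exp_day:03d}{sig}={orig}"


def validate_bounce_recipient(rcpt, secret, now=None):
    """Decide whether an inbound bounce to one of our addresses may be delivered.

    Returns (accept, reason, original_address). Bounces without a tag, with a
    forged tag, or with an expired tag are blocked as backscatter.
    """
    m = TAG_RE.match(rcpt)
    if not m:
        return False, "no BATV tag: probable backscatter", None
    key_id, exp_day, orig = int(m["key"]), int(m["day"]), m["orig"]
    expected = _signature(secret, key_id, exp_day, orig)
    if not hmac.compare_digest(expected, m["sig"].lower()):
        return False, "tag signature mismatch: forged or corrupted tag", None
    # Remaining lifetime computed modulo 1000, so day-number wraparound is harmless.
    remaining = (exp_day - _day_number(now)) % 1000
    if remaining == 0 or remaining > MAX_LIFETIME_DAYS:
        return False, "tag expired", None
    return True, "valid tag", orig
```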
Enable BATV

Navigate to the page Settings > Inbound/Outbound > Message Control.

Selection enables the corresponding pull-down menus.

A domain group selected for outbound bypass must also be selected for inbound bypass. The default setting for each group is None.
Only user-defined domain and IP address groups are available in the pull-down menus. See Managing domain and IP address groups for information about creating domain and IP address groups.

The settings are saved.
Managing connection options
The page Settings > Inbound/Outbound > Connection Control is used to configure connection settings, such as limiting the number of simultaneous connections per IP address and enabling real-time blacklist checking or reverse DNS verification.
The following settings can be configured on the page Connection Control:
To collect and view detailed information about some connections, you can allow connection control functions to save these details in the mail processing log, accessed via an appliance. When the function is activated, the log collects detailed data regardless of whether the connection control itself is enabled. This function is available for the following connection control options:
Configuring simultaneous connections
Limiting the number of simultaneous connections can improve system performance. The Connection Options section is used to limit these connections.
Limit simultaneous connections

Navigate to the page Settings > Inbound/Outbound > Connection Control.

From the section Connection Options, in the text field Simultaneous connections per IP, enter the maximum number of allowed simultaneous connections per IP address, from 1–500.
The default is 10.

In the text field Timeout, specify the maximum number of seconds of inactivity allowed before a connection is dropped, from 1–43200.
The default is 300.

The settings are saved.
Using a real-time blacklist
A Real-Time Blacklist (RBL) is a third-party published list of IP addresses that are known sources of spam. When RBL checking is enabled, messages from a sender listed on an RBL are prevented from entering your system. The Email Security module supports the use of the Spamhaus Datafeed server or the entry of up to three third-party RBLs for RBL lookups. Functionality is configured from the section Real-time Blacklist Options on the page Settings > Inbound/Outbound > Connection Control.
Configure the RBL

Navigate to the page Settings > Inbound/Outbound > Connection Control.

This feature is enabled by default.

If you enable this option without designating a third-party RBL, the email protection system still collects log information that email content filters can use for subsequent message analysis.

• Use the Spamhaus server for RBL lookups.
• Enter up to three domain addresses of the RBL services to use. Separate multiple addresses with a semicolon (;).

The settings are saved.
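How an RBL lookup of the kind configured above works, as an added example that is not Forcepoint code: it parses the semicolon-separated zone list, builds the reversed-octet query name and interprets the answer. The zone names and resolver answers in the test are constructed; the real check queries the configured zones over DNS.

```python
"""DNS-based real-time blacklist (RBL) lookups for a connecting sender IP."""
import ipaddress
import socket


def parse_rbl_zones(text, limit=3):
    """Split the semicolon-separated zone list the page accepts (up to three zones)."""
    zones = [z.strip().rstrip(".").lower() for z in text.split(";") if z.strip()]
    if len(zones) > limit:
        raise ValueError(f"at most {limit} RBL zones may be configured")
    return zones


def rbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, under the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 DNSBL queries only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Default resolver: A-record lookup via the OS; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_sender(ip, zones, resolve=system_resolver):
    """Return (zone, answer) for the first zone listing the IP, or None when clean.

    DNSBLs answer inside 127.0.0.0/8; any other answer (a wildcard or parked
    domain, for instance) is treated as 'not listed' rather than blocking mail.
    """
    for zone in zones:
        answer = resolve(rbl_query_name(ip, zone))
        if answer and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            return zone, answer
    return None
```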
Using reverse DNS verification
Reverse DNS lookup uses a pointer (PTR) record to determine the domain name that is associated with an individual sender IP address. The reverse DNS lookup function can determine whether email sent to your system is from a legitimate domain. Use of this option can enhance the detection of commercial bulk email. See Commercial bulk email.
However, if you enable Reverse DNS, server performance may be affected, or legitimate users may be rejected. This function is not enabled by default, but can be enabled from the section Reverse DNS Lookup Options on the page Settings > Inbound/Outbound > Connection Control.
Enable reverse DNS lookup

Navigate to the page Settings > Inbound/Outbound > Connection Control.

Selection enables the corresponding check boxes.

If you select this option, a connection is terminated when the following events occur:


The settings are saved.
Using the reputation service
The email protection system can check an email sender's IP address against the reputation service, which classifies email senders based on past behavior. With this function, the email system can block mail from known spam senders. The reputation service is enabled from the section Reputation Service Options on the page Settings > Inbound/Outbound > Connection Control.
Configure the reputation service

Navigate to the page Settings > Inbound/Outbound > Connection Control.

This is the default setting. Selection enables the corresponding radio buttons.

• Blocks mail from addresses that send spam 100% of the time.
• Blocks mail from addresses that send spam 99% of the time.
• Blocks mail from addresses that send spam 97% of the time. This is the default.
• Selection enables the corresponding text field, in which you can enter a custom spam percentage. The email system blocks mail from addresses that send spam the specified percentage of time.


The settings are saved.
Delaying the SMTP greeting
An SMTP greeting message can be delayed for a specified time interval, so that a connection from a client will be dropped if the client tries to send data during this time interval. This option can help prevent mail from spam-sending applications that send a high volume of messages very quickly. The connection is dropped as soon as a message is sent to the SMTP server before it is ready. This feature is not enabled by default, but can be enabled from the section SMTP Greeting Delay Options on the page Settings > Inbound/Outbound > Connection Control.
Configure the SMTP greeting delay

Navigate to the page Settings > Inbound/Outbound > Connection Control.

Selection enables the corresponding field.

The default is 3 seconds.


The settings are saved.
Enabling the SMTP VRFY command
The SMTP VRFY command can be used to verify an email username. When asked to validate a username, a receiving mail server responds with the user's login name. The SMTP VRFY Command section on the page Settings > Inbound/Outbound > Connection Control is used to configure this option.
Important 
Enable the SMTP VRFY command

Navigate to the page Settings > Inbound/Outbound > Connection Control.


The settings are saved.
Enabling SMTP authentication for email hybrid service
By default, SMTP authentication is enabled for inbound messages that enter the system via the email hybrid service. This type of authentication provides additional authentication protection for email that is relayed to the email protection system from the hybrid service. The Email Hybrid Service SMTP Authentication section on the page Settings > Inbound/Outbound > Connection Control is used to enable or disable this option.
Disable SMTP authentication for Forcepoint Email Security Hybrid Module

Navigate to the page Settings > Inbound/Outbound > Connection Control.

This option is available only when your subscription includes Forcepoint Email Security Hybrid Module and the hybrid service is registered and enabled.

The settings are saved.
Changing the SMTP port
The default SMTP port number is 25. Proper communication with the email hybrid service requires the use of port 25 for SMTP. However, the SMTP Port Option settings on the page Settings > Inbound/Outbound > Connection Control can be used to customize the port number.
 
 
Change the SMTP port

Navigate to the page Settings > Inbound/Outbound > Connection Control.

Valid values are from 25 to 5000.

The settings are saved. The Email Security module services are restarted.
Using access lists
An access list enables you to specify an IP address group for which certain email analysis is not performed. The Allow Access List Options on the page Settings > Inbound/Outbound > Connection Control are used to identify these IP addresses. Mail from these addresses bypasses the following email analysis:
IP address groups are defined on the page Settings > Inbound/Outbound > IP Groups. The groups defined on that page appear for selection in the Connection Control Allow Access List Options section.
Create and modify an access list

Navigate to the page Settings > Inbound/Outbound > Connection Control.

The IP addresses in the group display in the IP addresses list and the Edit button is enabled.

Click Edit.
The Edit IP Groups page displays to configure the IP addresses. See Editing an IP address group.

In the section IP Address Group, add a predefined IP address group; from the field IP address file, click Browse and navigate to the desired text file.
The file format should be one IP address per line, and its maximum size is 10 MB.
Because mail from the Trusted IP Addresses group bypasses additional email analysis, that group should not be entered in the Allow Access List. See Managing domain and IP address groups.

Manually add IP address entries; in the field IP address, enter an individual IP address and click >.
The information is added to the Added IP Addresses box on the right.
 
 



The Connection Control page displays with the newly configured IP addresses.

The settings are saved.
DomainKeys Identified Mail (DKIM) integration
The DomainKeys Identified Mail (DKIM) functionality provides an email authentication method to help ensure that a message is not modified while it is in transit from an organization's protected domains. The implementation depends on a set of keys (private and public), which a recipient domain can use to verify the sender domain. DKIM settings are configured on the page Settings > Inbound/Outbound > DKIM Settings.
A DKIM integration has the following components:
For the signing element, a private key resides in the mail transfer agent, providing a digital signature that is added to the header of each message sent from a protected domain. A public key is generated and published in the DNS as a text record that is used by a recipient mail system in the verification process.
A signing rule associates specified sender domains with a private and public key set.
Configuring a DKIM signing key
A signing key provides a digital signature for email sent from your protected domains. You may create a signing (private) key, import a key from a local directory, or export a key to a local directory.
The signing keys table includes the following information about each key:
 
Configure the number of entries per page
• From the pull-down menu Per page, select the number of signing key entries per page, between 25 and 100.
Search entries by keyword


Click Search.
Search results display in the section DKIM Signing Keys.

The search field clears and all DKIM signing keys display.
Adding a key
Use the following steps to create a DKIM signing key on the page Settings > Inbound/Outbound > DKIM Settings:

The Add Signing Key page displays.

In the text field Key name, enter a name for your key.

• This is the default. Only 1024-bit keys are supported.
• Paste the key in the entry box.

The key is saved and displays in the section DKIM Signing Keys.
Deleting a key
The key is deleted. A key cannot be deleted if it is currently in use by a signing rule.
Editing a key

The Edit Signing Key page displays. The current private key displays in the text field.

Only 1024-bit keys are supported. A new key is generated and displays in the text field.

The key is saved and displays in the section DKIM Signing Keys.
Importing or exporting a key
DKIM signing keys can be imported and exported on the page Settings > Inbound/Outbound > DKIM Settings.
Import a DKIM signing key

The Import Key dialog box displays.

Click Browse and navigate to the desired key file.

Click Open.
The Import Key dialog box displays.

The key is imported. Duplicate key files cannot be imported.
Export a DKIM signing key

A dialog box displays.

The key is exported.
Creating a DKIM signing rule
A DKIM signing rule associates a private/public key pair with a set of domains and email addresses. Signing rule options let you determine which message headers to sign, how much of the message body to sign, and whether to attach additional signature tags for such items as signature date/time or expiration time. Signing rules are configured on the page Settings > Inbound/Outbound > DKIM Settings.
The signing rules table includes the following information about each rule:
 
Link that opens a Generate DNS Text Record dialog box. See Generating a DNS text record (public key).
Configure the number of entries per page
• From the pull-down menu Per page, select the number of signing rule entries per page, between 25 and 100.
Search entries by keyword


Click Search.
Search results display in the section DKIM Signing Rules.

The search field clears and all DKIM signing rules display.
Adding a signing rule
Use the following steps to create a DKIM signing rule on the page Settings > Inbound/Outbound > DKIM Settings:

The Add Signing Rule page displays.

In the text field Rule name, enter a name for your rule.


(Optional) Include the identity of the user or agent for whom the message is signed; mark the check box Include user identifier.

(Optional) In the text field User identifier, enter the user identifier.
This field is not enabled if the check box Include user identifier is not marked.

In the text field Selector, enter the domain name selector.
A selector is a name component provided in addition to the domain name used in the DNS public key query. A given domain may have multiple selectors.

From the pull-down menu Signing key, select the signing key to associate with this rule from the list of existing keys.

Click Advanced Options.
A box displays with additional optional rule settings:
• From the pull-down menu Algorithm, select a signing algorithm.
  Options include RSA-SHA-1 or RSA-SHA-256. The default is RSA-SHA-1.
• The canonicalization process prepares a message header and body before email is signed. Canonicalization is required because email processing may introduce minor changes to a message.
  The following header and body changes are made, based on the selection of Simple or Relaxed:
• In the field Additional headers, include other headers as a comma-separated list.
• For the latter selection, enter the maximum number of Kbytes to be signed. The default is 1024.
• t lets you add a signature creation timestamp.
• x lets you specify a signature expiration time in seconds. The default is 3600 seconds.
• z adds the list of signed header fields to the signature.

From the pull-down menu Signing rule options, select either Sign email messages or Do not sign email messages.
Next, create a list of email addresses to which this option applies.
• For example, if you select Sign email messages, then email from the addresses in the list is signed. Email from other addresses is not signed.
• If you select Do not sign email messages, then email from the addresses in the list is not signed, and email from all other users is signed.
Remove an email address from the list by selecting it and clicking Remove.

The settings are saved.
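What the Advanced Options of a signing rule (Simple/Relaxed canonicalization, the body length limit, and the t, x and z tags) do to the resulting DKIM-Signature header, as an added stdlib-only example that is not Forcepoint code: the domain, selector and headers are constructed, and b= is left empty because computing it needs the RSA private key and a crypto library.

```python
"""DKIM canonicalization and DKIM-Signature tag construction per RFC 6376."""
import base64
import hashlib
import re
import time


def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization. 'relaxed' also squeezes whitespace; both modes
    strip trailing empty lines and end the body with exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")  # normalize line ends
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n"):
        body = body[:-2]
    if not body:
        return b"\r\n" if mode == "simple" else b""  # empty body: CRLF (simple) or nothing (relaxed)
    return body + b"\r\n"


def canon_header(name: str, value: str, mode: str) -> str:
    """Header canonicalization: 'simple' keeps the field verbatim; 'relaxed'
    lowercases the name, unfolds the value and collapses whitespace."""
    if mode == "simple":
        return f"{name}:{value}\r\n"
    value = re.sub(r"\r\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse runs of WSP
    return f"{name.lower()}:{value}\r\n"


def body_hash(body: bytes, mode: str, hash_name: str, limit_kb=None):
    """Return (base64 bh= value, number of canonicalized bytes hashed).
    A limit signs only the first limit_kb Kbytes, recorded in the l= tag."""
    cb = canon_body(body, mode)
    if limit_kb is not None:
        cb = cb[: limit_kb * 1024]
    return base64.b64encode(hashlib.new(hash_name, cb).digest()).decode(), len(cb)


def _z_quote(value: str) -> str:
    """dkim-quoted-printable for the z= copy: encode '|', ';', '=' and non-printables."""
    return re.sub(r"[|;=]|[^\x21-\x7e]", lambda m: "=%02X" % ord(m.group()), value)


def build_dkim_tags(domain, selector, headers, body, *, algorithm="rsa-sha256",
                    header_canon="relaxed", body_canon="relaxed", body_limit_kb=None,
                    add_timestamp=False, expiry_seconds=None, copy_headers=False, now=None):
    """Assemble the tag list a signing rule's options produce.
    headers: (name, value) pairs to sign, in h= order; now: epoch seconds."""
    now = int(time.time() if now is None else now)
    hash_name = algorithm.split("-", 1)[1]  # rsa-sha1 -> sha1, rsa-sha256 -> sha256
    bh, signed_len = body_hash(body, body_canon, hash_name, body_limit_kb)
    tags = [("v", "1"), ("a", algorithm), ("c", f"{header_canon}/{body_canon}"),
            ("d", domain), ("s", selector),
            ("h", ":".join(name for name, _ in headers)), ("bh", bh)]
    if body_limit_kb is not None:
        tags.append(("l", str(signed_len)))
    if add_timestamp:
        tags.append(("t", str(now)))          # signature creation timestamp
    if expiry_seconds is not None:
        tags.append(("x", str(now + expiry_seconds)))  # signature expiration
    if copy_headers:
        tags.append(("z", "|".join(f"{n}:{_z_quote(v)}" for n, v in headers)))
    tags.append(("b", ""))  # filled by signing the canonicalized headers with the private key
    return tags


def render_dkim_header(tags) -> str:
    return "DKIM-Signature: " + "; ".join(f"{k}={v}" for k, v in tags)
```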
Importing or exporting a rule
DKIM signing rules can be imported or exported on the page Settings > Inbound/Outbound > DKIM Settings.
Import a DKIM signing rule

The Import Rule dialog box displays.

Click Browse and navigate to the desired rule file.

Click Open.

The rule is imported. Duplicate rule files cannot be imported.
Export a DKIM signing rule

A dialog box displays.

The rule is exported.
Generating a DNS text record (public key)
Generate a public key for a rule from the DKIM Signing Rules table by clicking the link for the desired rule in the DNS Text Record column. A Generate DNS Text Record box that contains the new public key appears.
You can view a public key by clicking View for a particular private key in the DKIM Signing Keys table Public Key column.
Testing a rule
Ensure that you have created a valid rule by clicking the Test link in the Test Rule column of the DKIM Signing Rules table for the desired signing rule. The test performs a DNS lookup query. You receive confirmation of success or failure when the test is complete.
You must have performed a successful rule test before a rule can be enabled.
Enabling DKIM verification
The DKIM validation method uses the message header digital signature to associate a domain name with the email. The DKIM signature verification function retrieves signer information, including the public key, from the DNS. This signer information is analyzed and verified to determine message legitimacy.
You can enable DKIM verification on the page Settings > Inbound/Outbound > DKIM Settings, in the section DomainKeys Identified Mail (DKIM) Verification. Mark any or all of the following check boxes to activate DKIM verification:
By default, these check boxes are not marked.
You can configure a custom content policy filter to scan for a DKIM signature in the message header, along with a filter action to take when a message header triggers the filter. See Custom content.
Domain-based Message Authentication, Reporting and Conformance (DMARC) validation integration
Domain-based Message Authentication, Reporting and Conformance (DMARC) uses the results of its Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) validation processes, along with the sender domain's DMARC policy, to determine message disposition. Published in the sender's DNS record, a DMARC policy includes the sender's affirmation that its email is protected by SPF and DKIM validation, and provides instructions for handling mail that does not pass either of those checks on the recipient's end. A mechanism for reporting DMARC results is also provided.
SPF and DKIM analyses enabled and configured in the Email Security module are independent of DMARC verification. SPF checks are configured on the page Settings > Inbound/Outbound > Relay Control, whereas DKIM validation is configured on the page Settings > Inbound/Outbound > DKIM Settings. If either SPF or DKIM analysis is enabled in the Forcepoint Security Manager, DMARC can use the results in its own verification analysis.
Assuming a message is not dropped for failing either the SPF or DKIM check, DMARC validation comprises the following steps:
When you enable DMARC validation, a reporting mechanism is also included to provide the sender with information about the number of messages received from that sender domain and the results of the recipient's validation checks. Reports are sent to the email address specified in the sender domain's DNS text record via the RUA (reporting URL of aggregate reports) tag.
If SPF and DKIM are not enabled in the Email Security module, DMARC performs these checks. In this case, message disposition is determined only by the DMARC policy. A message is not rejected based on the individual SPF or DKIM analysis results.
For optimal protection, both SPF and DKIM validation settings should be configured and enabled on your email protection system, along with DMARC. See Configuring relay control options and DomainKeys Identified Mail (DKIM) integration.
Configure DMARC verification on the page Settings > Inbound/Outbound > DMARC Settings. Mark the check box for any or all of the following options:
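The disposition logic described above (SPF and DKIM results combined with the sender's published policy, including identifier alignment, the subdomain policy and pct sampling from RFC 7489), as an added example that is not Forcepoint code: the caller supplies the DMARC TXT record, since the DNS lookup at _dmarc.<domain> is omitted, and the public-suffix table, domains and records are constructed.

```python
"""DMARC disposition from SPF/DKIM results and the sender domain's DMARC policy."""
from dataclasses import dataclass

# Minimal stand-in for the public suffix list (constructed for this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: one label left of the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...' into a tag dictionary, rejecting unusable records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str    # domain of the RFC5322.From header
    spf_result: str     # pass / fail / softfail / neutral / none / permerror / temperror
    spf_domain: str     # MAIL FROM domain the SPF check was evaluated for
    dkim_result: str    # pass / fail / none
    dkim_domain: str    # d= of the verified DKIM signature, or ""


def dmarc_evaluate(record_txt: str, r: AuthResults, sample: int = 0):
    """Return (dmarc_result, disposition, rua).

    disposition is 'none', 'quarantine' or 'reject'; rua is the aggregate-report
    address from the record. sample is this message's position in 0..99 for pct=.
    """
    rec = parse_dmarc(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, rec.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, rec.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none", rec.get("rua")  # one aligned pass is enough
    policy = rec["p"]
    if r.from_domain.lower() != org_domain(r.from_domain) and "sp" in rec:
        policy = rec["sp"]  # subdomain policy applies when From: is a subdomain
    if sample >= int(rec.get("pct", "100")):
        # Messages outside the pct= sample get the next less strict policy.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy, rec.get("rua")
```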
True source IP detection
True Source IP detection uses message header information and the number of network hops to an email appliance to determine the IP address of the first sender outside the network perimeter. This feature allows Connection Control techniques (such as reverse DNS lookup and reputation checks) to be applied effectively to sender information, even when the appliance is downstream from a firewall or an internal mail relay.
Define direct relays and network edge locations to determine whether True Source IP detection is performed. A direct relay is the network device that connects directly to the email appliance. All mail from a direct relay device is subject to True Source IP Detection. A network edge is the network device that connects directly to the Internet (e.g., a firewall).
If your subscription includes Forcepoint Email Security Hybrid Module, you can use True Source IP detection with email hybrid service analysis. An Email Hybrid Service IP Group is created based on information entered during a successful email Hybrid Module registration. The IP group appears in the direct relay IP address list on the page Settings > Inbound/Outbound > True Source IP. Although this IP group cannot be edited directly, its content is modified whenever you change an email hybrid service IP address (Settings > Hybrid Service > Hybrid Configuration).
 
 
Mark the check box Use True Source IP Detection with email hybrid service analysis to enable True Source IP detection with hybrid service and display the Email Hybrid Service IP Group in the direct relay IP address list. The Email Hybrid Service IP Group does not appear if the check box is not marked.
Configure your direct relay and all network edge devices on the page Settings > Inbound/Outbound > True Source IP as follows:

Click Add.
The Add Direct Relay IP Address/IP Group page displays.

By default, the direct relay hop number is 1, because it is the closest network device to the email appliance.
 
Important 
The IP address or group that you enter here must not already be defined in the Trusted IP Addresses group (Settings > Inbound/Outbound > IP Groups) or appear in the connection control Allow Access List (Settings > Inbound/Outbound > Connection Control).

In the field Check for header, enter header text to match for true source IP detection.
If this field is empty, the message Received field is analyzed for the true source IP.


The settings are saved.
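The hop-walking rule described in this section, as an added example that is not Forcepoint code: the direct relay (hop 1), network edge (hop 2) and sample message are constructed. It trusts only the Received: lines stamped by configured devices, so the walk stops after max-hop lines, and the first address that is not a configured device is the true source; a configured Check for header value is honoured first.

```python
"""True Source IP detection from Received: headers and configured hop counts."""
import ipaddress
import re

# "from <helo> (<rdns> [<ip>])" is the clause an MTA writes for the connecting host.
RECEIVED_FROM = re.compile(r"\bfrom\b[^;]*?\[([0-9a-fA-F.:]+)\]", re.IGNORECASE)


def ip_from_received(value: str):
    """Connecting IP recorded in one Received: header, or None if none is present."""
    m = RECEIVED_FROM.search(value)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


class TrueSourceIP:
    def __init__(self, direct_relays, network_edges, check_header=None):
        """direct_relays: CIDRs at hop 1; network_edges: (CIDR, hop) pairs with hop >= 2;
        check_header: optional header name whose value carries the true source IP."""
        self.devices = {ipaddress.ip_network(c): 1 for c in direct_relays}
        for cidr, hop in network_edges:
            self.devices[ipaddress.ip_network(cidr)] = hop
        self.max_hop = max(self.devices.values())
        self.check_header = check_header.lower() if check_header else None

    def hop_of(self, ip):
        """Hop number of a configured device, or None for anything outside the perimeter."""
        for net, hop in self.devices.items():
            if ip in net:
                return hop
        return None

    def detect(self, peer_ip: str, headers):
        """headers: (name, value) pairs in message order, newest Received: first.
        Returns (true_source_ip, explanation)."""
        peer = ipaddress.ip_address(peer_ip)
        if self.hop_of(peer) != 1:
            return peer, "peer is not a direct relay; connection address used as-is"
        if self.check_header:
            for name, value in headers:
                if name.lower() == self.check_header:
                    try:
                        return ipaddress.ip_address(value.strip().strip("[]")), f"taken from {name}"
                    except ValueError:
                        break  # unusable header value: fall back to Received: analysis
        received = [v for n, v in headers if n.lower() == "received"]
        # Only the first max_hop lines were written by our own devices; deeper
        # lines come from outside the perimeter and could be forged.
        for value in received[: self.max_hop]:
            ip = ip_from_received(value)
            if ip is not None and self.hop_of(ip) is None:
                return ip, "first hop beyond the configured network edge"
        return peer, "no external hop within the configured hop count; peer address used"
```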
Enforced TLS connections
The page Settings > Inbound/Outbound > Enforced TLS Connections is used to specify that connections to or from a specific IP or domain group use mandatory Transport Layer Security (TLS) and determine the security level used by that connection.
Connection directions are defined relative to the email SMTP server. Incoming connections are those from a protected or external domain or IP address group to the email protection system. Outgoing connections are those from the email system to a protected or external domain or IP address group.
After you define a group, you can change its order in the incoming or outgoing direction list. Select the group by marking its associated check box and use the Move Up or Move Down button to modify list order.
Delete a group by marking the check box and clicking Delete.
You may configure up to 32 incoming or outgoing connections.
Add an incoming or outgoing connection for which to use TLS

Navigate to the page Settings > Inbound/Outbound > Enforced TLS Connections.

Click Add.
The Add Incoming Connection page displays.

In the text field Name, enter a name for your enforced TLS connection.

From the pull-down menu Priority order, select a priority order for the connection.

Security level options include the following:
• Encrypt, the minimum enforcement level, used in all security levels
  This security level is the only option available for incoming connections.
• Encrypt and check CN, validation of a certificate's common name
• Verify, validation that the certificate is from a trusted CA
• Verify and check CN, validation of the certificate's common name and that the certificate is from a trusted CA
 
Important 


• This option applies to any connection, regardless of IP or domain address.
• Select an existing IP address group in the pull-down menu or create a new group using Add New IP Group.
• Select an existing domain address group in the pull-down menu or create a new group using Add New Domain Group.

The settings are saved.
Controlling directory harvest attacks
A directory harvest attack is used by questionable sources to gain access to an organization's internal email accounts. A directory attack not only consumes large amounts of system resources but also, through the acquisition of email accounts, creates spam problems for email end users. With directory attack prevention settings, you can limit the maximum number of messages and connections coming from an IP address over a given time period. These settings are configured on the page Settings > Inbound/Outbound > Directory Attacks.
Configure directory attack control

Navigate to the page Settings > Inbound/Outbound > Directory Attacks.

Enable the directory harvest attack prevention function; mark the check box Limit the number of messages/connections per IP every.

The default is 60 seconds.

The default is 30.

The default is 30.

The default is 3 hours.

• The default is 5.
• The default is 50%.
When these recipient limitations are exceeded, the connection is dropped automatically.
This option is available only when the recipient validation option is used (see Adding user authentication settings).

The settings are saved.
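The limits configured above, as an added example that is not Forcepoint code: a sliding-window counter per IP using the page's defaults (60-second window, 30 messages, 30 connections, 3-hour block, 5 invalid recipients, 50%). The page does not say how the product evaluates the percentage; here it is checked after every RCPT over the recipients seen so far on that connection, which is an assumption.

```python
"""Directory harvest attack limits: per-IP rates plus invalid-recipient thresholds."""
from collections import defaultdict, deque


class DirectoryAttackGuard:
    def __init__(self, window_s=60, max_messages=30, max_connections=30,
                 block_s=3 * 3600, max_invalid=5, max_invalid_pct=50):
        self.window_s = window_s
        self.limits = {"message": max_messages, "connection": max_connections}
        self.block_s = block_s
        self.max_invalid = max_invalid
        self.max_invalid_pct = max_invalid_pct
        self._events = defaultdict(lambda: {"message": deque(), "connection": deque()})
        self._blocked_until = {}

    def is_blocked(self, ip, now) -> bool:
        """True while the IP is inside its block period (now in epoch seconds)."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]  # block period elapsed
            return False
        return True

    def _record(self, ip, kind, now) -> bool:
        """Count one event in the sliding window; block the IP once the limit is exceeded."""
        if self.is_blocked(ip, now):
            return False
        dq = self._events[ip][kind]
        while dq and dq[0] <= now - self.window_s:
            dq.popleft()  # drop events that fell out of the window
        dq.append(now)
        if len(dq) > self.limits[kind]:
            self._blocked_until[ip] = now + self.block_s
            dq.clear()
            return False
        return True

    def on_connection(self, ip, now) -> bool:
        """True if the connection may proceed."""
        return self._record(ip, "connection", now)

    def on_message(self, ip, now) -> bool:
        """True if the message may be accepted."""
        return self._record(ip, "message", now)

    def recipient_tracker(self):
        """Per-connection invalid-recipient accounting (requires recipient validation)."""
        return RecipientTracker(self.max_invalid, self.max_invalid_pct)


class RecipientTracker:
    def __init__(self, max_invalid, max_invalid_pct):
        self.max_invalid = max_invalid
        self.max_invalid_pct = max_invalid_pct
        self.total = 0
        self.invalid = 0

    def rcpt(self, recipient_is_valid: bool) -> bool:
        """Record one RCPT TO; return False when the connection should be dropped."""
        self.total += 1
        self.invalid += 0 if recipient_is_valid else 1
        pct = 100 * self.invalid / self.total
        return self.invalid < self.max_invalid and pct < self.max_invalid_pct
```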
Configuring relay control options
Functionality on the page Settings > Inbound/Outbound > Relay Control is used to prevent the unauthorized use of your mail system as an open relay by limiting the domains and IP address groups for which your server is allowed to relay mail. Protected domains are defined on the page Settings > Users > Domain Groups. Trusted IP address groups are defined on the page Settings > Inbound/Outbound > IP Groups.
Configure relay control settings on the page Settings > Inbound/Outbound > Relay Control as follows:

This option is enabled by default.

• Fail. The domain owner's SPF record does not authorize the sender host machine to send email for the domain.
• SoftFail. The domain owner's SPF record allows the sender host machine to send email for this domain, even though the host is not explicitly authorized to do so.
• Neutral. The domain owner's SPF record makes no statement as to whether the sender host machine is authorized to send email for the domain.
• None. The lack of definitive SPF information prevents an SPF check (e.g., an SPF record does not exist).
• PermError. A permanent error occurs (e.g., the SPF record has an invalid format).
• TempError. A transient error occurs (e.g., a DNS timeout).
These options are not marked by default.


Mark the check box Bypass SPF validation for senders in the following domain group.


The default setting is Allow relays only for senders from trusted IP addresses. Allowing all outbound relays turns the appliance into an open relay that anyone on the Internet can use to send mail through your system.
You must use the default setting if you use SMTP authentication.
?

The default setting is Allow relays only for senders from trusted IP addresses. Allowing all internal relays likewise lets untrusted sources use your system as an open relay.
The default setting is required if you use SMTP authentication.

The settings are saved.
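The following is an added example that is not part of Forcepoint Email Security or its documentation. It puts the two halves of the Relay Control page into code: a relay decision (mail for a protected domain is accepted from anyone; relay to any other domain is allowed only from a trusted IP address group) and an SPF check whose rejecting results are the ones an administrator would mark in the list above. The SPF evaluator takes the sender domain's record as a string rather than querying DNS, evaluates only the ip4, ip6 and all mechanisms, and skips the DNS-based ones; applying SPF only to inbound mail from untrusted sources is this example's assumption.

```python
"""Relay control for an SMTP gateway: accept mail for protected domains from anyone,
allow relay to other domains only from trusted IP address groups, and apply an SPF
check to inbound mail whose failing results are chosen by the administrator.

Added example, not Forcepoint code. evaluate_spf() takes the sender domain's SPF
record as a string (no DNS) and evaluates only the ip4, ip6 and all mechanisms;
include, a, mx, exists, ptr and modifiers such as redirect= are skipped. Applying
the SPF check to inbound mail from untrusted sources only is this example's assumption."""
import ipaddress

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def evaluate_spf(record, client_ip):
    """Return one of the results listed on the page: Pass, Fail, SoftFail, Neutral, None
    or PermError (TempError is never produced here because no DNS lookups are made)."""
    if record is None:
        return "None"                         # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"                         # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                       # a matched mechanism yields Pass by default
        if term[:1] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:
            continue                          # modifier (redirect=, exp=): needs DNS, skipped
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]      # "-all" -> Fail, "~all" -> SoftFail, "?all" -> Neutral
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PermError"            # malformed network (RFC 7208 section 5.6)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if name in ("include", "a", "mx", "exists", "ptr"):
            continue                          # DNS-based mechanisms not evaluated offline
        return "PermError"                    # unknown mechanism
    return "Neutral"                          # nothing matched, no "all" (RFC 7208 section 4.7)


class RelayControl:
    def __init__(self, protected_domains, trusted_networks,
                 reject_spf_results=("Fail",), spf_bypass_domains=()):
        self.protected = {d.lower() for d in protected_domains}        # Domain Groups
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]  # IP Groups
        self.reject_spf = set(reject_spf_results)      # the SPF results marked on the page
        self.spf_bypass = {d.lower() for d in spf_bypass_domains}

    def is_trusted(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip.version == n.version and ip in n for n in self.trusted)

    def decide(self, client_ip, mail_from, rcpt_to, spf_record=None):
        """Return (accept, reason). The open-relay check runs first, then SPF."""
        sender_domain = mail_from.rpartition("@")[2].lower()
        rcpt_domain = rcpt_to.rpartition("@")[2].lower()
        inbound = rcpt_domain in self.protected
        trusted = self.is_trusted(client_ip)
        if not inbound and not trusted:
            # untrusted source asking us to deliver to a foreign domain: open relay attempt
            return False, "554 5.7.1 relay access denied"
        if inbound and not trusted and sender_domain not in self.spf_bypass:
            result = evaluate_spf(spf_record, client_ip)
            if result in self.reject_spf:
                return False, f"550 5.7.23 SPF {result} for {sender_domain}"
        return True, "250 2.1.5 recipient accepted"
```

Note the order of the two checks: the relay decision is made on the envelope recipient and the client IP alone, so an untrusted client is refused before any SPF work is done on its behalf. Marking SoftFail or Neutral as rejecting results is stricter than RFC 7208 recommends, which is why the page leaves every result unmarked by default.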
Configuring delivery routes
Configure delivery routes on the page Settings > Inbound/Outbound > Mail Routing. You can create the following types of message routes:
?
?
Change the order of a user directory- or domain-based route by marking its associated check box and using the Move Up or Move Down buttons.
Copying a route
Use the following steps to copy a route on the page Settings > Inbound/Outbound > Mail Routing:


Click Copy.
A new route appears in the route list, using the original route name followed by a number in parentheses. The number added indicates the order that copies of the original route are created (1, 2, 3, etc.).

Removing a route
To remove a route, select the route by marking the check box next to its name and click Delete.
The default domain-based route cannot be deleted.
User directory-based routes
Delivery routes based on user directory entries are examined first for a match with an email message recipient. The recipient address must belong to the route's domain group and be found in the selected user directory; only then is the message delivered via that route.
Adding a user directory-based route
Use the following steps to add a user directory-based delivery route on the page Settings > Inbound/Outbound > Mail Routing:

Click Add.
The Add User Directory-based Route page displays.

In the field Name, enter a name for your new route.
Length must be between 4 and 50 characters.

From the pull-down menu Route order, select an order number to determine the scanning order of the route.

From the pre-defined domains in the pull-down menu Domain group, select a destination domain.
The default is Protected Domain. Information about the domain group appears in the Domain details box.
To edit your selected domain group, click Edit to open the Edit Domain Group page. See Editing a domain group.

Select from the list of currently defined user directories and click the arrow button to move them to the Selected User Directories box.
 
 
?
The Add User Directory page displays. See Adding and configuring a user directory.
?

?
?
If you select this option, an SMTP Server List opens:

Click Add to open the Add SMTP Server dialog box.


Mark the check box Enable MX lookup to enable the MX lookup function.
 
Important: Mark the check box Enable MX lookup if message delivery should be based on the hostname's MX record.

The default value is 5.
If a single route has multiple defined server addresses, mail is delivered in order of server preference. When multiple servers in the route have the same preference value, round-robin delivery is used among them.
You may enter no more than 16 addresses in the SMTP Server List.



Enter the appropriate user name and password in the Authentication Information box. You must use the SMTP server IP address delivery method for users to authenticate.

The settings are saved and the new route displays under User Directory-based Routes.
Domain-based routes
Delivery routes based on domain groups are examined after defined user directory-based routes for a match with an email message recipient. If a match is made with a user directory-based route, domain-based routes are not examined for matches.
 
Important 
The Protected Domain group defined on the page Settings > Users > Domain Groups should not be used to configure delivery routes if you need to define domain-based delivery routes via multiple SMTP servers.
Adding a domain-based route
Use the following steps to add a domain-based delivery route on the page Settings > Inbound/Outbound > Mail Routing:

Click Add.
The Add Domain-based Route page displays.

In the field Name, enter a name for your new route.

From the pull-down menu Route order, select an order number to determine the route's scanning order.

From the pre-defined domains in the pull-down menu Domain group, select a destination domain.
Default is Protected Domain. Information about the domain group appears in the Domain details box.
To edit your selected domain group, click Edit to open the Edit Domain Group page. See Editing a domain group.

?
?
If you select this option, an SMTP Server List opens.

Click Add.
The Add SMTP Server dialog box displays.


Mark the check box Enable MX lookup to enable the MX lookup function.
 
Important: Mark the check box Enable MX lookup if message delivery should be based on the hostname's MX record.

If a single route has multiple defined server addresses, mail is delivered in order of server preference. When multiple servers in the route have the same preference value, round-robin delivery is used among them.
You may enter no more than 16 addresses in the SMTP Server List.


Allow this route to use opportunistic TLS (the connection is encrypted when the receiving server advertises STARTTLS and otherwise falls back to clear text); select Use opportunistic Transport Layer Security (TLS).

Enter the appropriate user name and password in the Authentication Information box. You must use the SMTP server IP address delivery method for users to authenticate.
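The following is an added example that is not part of Forcepoint Email Security or its documentation. It models the route selection described in these two sections: user directory-based routes are examined first, then domain-based routes in route order, and within a route the SMTP servers are tried by preference with round-robin rotation among servers that share a preference value. The Route and SmtpServer classes, the "lower preference value is tried first" ordering, and the recipient-in-directory match are this example's assumptions; the 16-server limit and the default preference of 5 are taken from the page.

```python
"""Delivery route selection: user directory-based routes are examined first, then
domain-based routes in route order; within a route, SMTP servers are tried by
preference, and servers sharing a preference value are used round-robin.

Added example, not Forcepoint code. Route/server classes, the 'lower preference is
tried first' ordering and the recipient-in-directory match are this example's
assumptions; the 16-server limit and default preference 5 come from the page."""
import itertools

MAX_SERVERS_PER_ROUTE = 16   # the page's limit for the SMTP Server List


class SmtpServer:
    def __init__(self, host, preference=5, port=25):
        self.host = host
        self.preference = preference   # default 5, as on the Add SMTP Server dialog
        self.port = port


class Route:
    def __init__(self, name, domains, directory=None):
        self.name = name
        self.domains = {d.lower() for d in domains}          # the route's domain group
        # directory: addresses known to the user directory (user directory-based route),
        # or None for a domain-based route
        self.directory = None if directory is None else {a.lower() for a in directory}
        self.servers = []
        self._next_start = {}   # preference -> rotation offset for round-robin

    def add_server(self, server):
        if len(self.servers) >= MAX_SERVERS_PER_ROUTE:
            raise ValueError(f"route {self.name}: no more than {MAX_SERVERS_PER_ROUTE} servers")
        self.servers.append(server)

    def matches(self, recipient):
        addr = recipient.lower()
        domain = addr.rpartition("@")[2]
        if domain not in self.domains:
            return False
        return self.directory is None or addr in self.directory

    def server_order(self):
        """Delivery order for one attempt: preference groups ascending, each group
        rotated so that successive calls start at the next server (round-robin)."""
        ordered = []
        by_pref = sorted(self.servers, key=lambda s: s.preference)   # stable sort
        for pref, group in itertools.groupby(by_pref, key=lambda s: s.preference):
            group = list(group)
            start = self._next_start.get(pref, 0) % len(group)
            self._next_start[pref] = start + 1
            ordered.extend(group[start:] + group[:start])
        return ordered


def select_route(recipient, user_directory_routes, domain_routes):
    """Return the first matching route, or None if no route applies."""
    for route in list(user_directory_routes) + list(domain_routes):
        if route.matches(recipient):
            return route
    return None
```

The rotation state lives on the route, not on the server, so two routes that happen to list the same host do not share a counter; a real gateway would also skip servers that recently failed, which this example leaves out.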
Rewriting email and domain addresses
An email envelope recipient address can be rewritten to redirect message delivery to a different address. Envelope sender and message header addresses can also be rewritten to mask address details from message recipients. Configure address rewriting for inbound, outbound, and internal email on the page Settings > Inbound/Outbound > Address Rewriting. Email or domain addresses in an address rewrite list can be added, exported, or deleted.
Adding recipient address rewrite entries
On the page Settings > Inbound/Outbound > Address Rewriting, use the Inbound Messages tab to specify recipient address rewrite entries for inbound messages and the Outbound and Internal Messages tab for outbound or internal message redirection. The email envelope recipient address is rewritten based on the entries in the Envelope Recipient Address Rewrite List.
Add recipient rewrite entries

On the page Settings > Inbound/Outbound > Address Rewriting, click the Inbound Messages tab or the Outbound and Internal Messages tab to display the settings.

The Add Recipient Email or Domain Address page displays.

- Mark the check box Individual email address or domain rewrite entry and enter the original recipient address and the rewrite address in the appropriate entry fields.
  An email address entry may have multiple rewrite entries, with each entry separated by a space. A domain address may have only one rewrite entry.
- If you have an existing email or domain address rewrite entry file, mark the check box Email address or domain rewrite entry file and browse to the file. File size may not exceed 10 MB.

Your entries appear in the Envelope Recipient Address Rewrite List.
Adding message header address rewrite entries
On the page Settings > Inbound/Outbound > Address Rewriting, use the Inbound Messages tab to add message header address rewrite entries for inbound messages and the Outbound and Internal Messages tab for outbound or internal message address masking. The email envelope sender address and message header addresses are rewritten based on the entries in the Envelope Sender and Message Header Rewrite List.
Add address rewrite entries

On the page Settings > Inbound/Outbound > Address Rewriting, click the Inbound Messages tab or the Outbound and Internal Messages tab to display the settings.

The Add Sender Email or Domain Address page displays.

- Mark the check box Individual email address or domain rewrite entry and enter the original sender address and the rewrite address in the appropriate entry fields.
  Each email or domain address entry may have only one rewrite entry.
?
File size may not exceed 10 MB.

Your entries appear in the Envelope Sender and Message Header Rewrite List.
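The following is an added example that is not part of Forcepoint Email Security or its documentation. It implements the two rewrite lists described above: an envelope recipient table, where an individual email address may fan out to several rewrite addresses but a domain maps to exactly one, and a sender/header table where every entry is one-to-one. The line format of the rewrite file ("original rewrite [rewrite ...]", "#" comments), the precedence of an exact address entry over a domain entry, and keeping the local part when a domain is rewritten to another domain are this example's assumptions; the page does not define them.

```python
"""Envelope address rewriting: recipient rewrites (fan-out allowed for an exact email
address; a domain entry maps to exactly one rewrite) and sender/header masking
(one-to-one). Added example, not Forcepoint code. The rewrite-file line format
'original rewrite [rewrite ...]' with '#' comments, exact-address-over-domain
precedence and keeping the local part on a domain rewrite are assumptions."""
import email.utils


class RewriteTable:
    def __init__(self, allow_multiple=False):
        self.allow_multiple = allow_multiple   # True for the recipient list only
        self.emails = {}    # full address -> [rewrite addresses]
        self.domains = {}   # domain -> [single rewrite]

    def add(self, original, *rewrites):
        original = original.lower()
        if not rewrites:
            raise ValueError(f"{original}: at least one rewrite address is required")
        if "@" in original:
            if len(rewrites) > 1 and not self.allow_multiple:
                raise ValueError(f"{original}: only one rewrite entry is allowed")
            self.emails[original] = [r.lower() for r in rewrites]
        else:
            if len(rewrites) > 1:
                raise ValueError(f"{original}: a domain may have only one rewrite entry")
            self.domains[original] = [rewrites[0].lower()]

    def load(self, text):
        """Parse a rewrite entry file (assumed format: original, then rewrite addresses)."""
        for lineno, line in enumerate(text.splitlines(), 1):
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split()
            if len(parts) < 2:
                raise ValueError(f"line {lineno}: expected an original and a rewrite address")
            self.add(parts[0], *parts[1:])

    def rewrite(self, address):
        """Return the list of addresses `address` becomes (itself if nothing matches).
        An exact address entry takes precedence over a domain entry (assumption)."""
        addr = address.lower()
        local, _, domain = addr.rpartition("@")
        if addr in self.emails:
            return list(self.emails[addr])
        if domain in self.domains:
            target = self.domains[domain][0]
            # assumption: a bare-domain target keeps the local part; a full address replaces it
            return [target if "@" in target else f"{local}@{target}"]
        return [address]


def rewrite_envelope_recipients(table, recipients):
    """Apply the Envelope Recipient Address Rewrite List; duplicates after fan-out are merged."""
    out = []
    for rcpt in recipients:
        for new in table.rewrite(rcpt):
            if new not in out:
                out.append(new)
    return out


def mask_header_addresses(table, header_value):
    """Apply the Envelope Sender and Message Header Rewrite List to a From:/To:/Cc: value,
    keeping display names and masking only the addresses."""
    rewritten = []
    for name, addr in email.utils.getaddresses([header_value]):
        if not addr:
            continue
        rewritten.append(email.utils.formataddr((name, table.rewrite(addr)[0])))
    return ", ".join(rewritten)
```

Recipient fan-out is what makes redirection useful (one published address delivered to several mailboxes), while the sender list is deliberately one-to-one because a masked From: address must resolve to a single reply path.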
Exporting address rewrite entries
All email or domain addresses in an address rewrite list can be exported to a text file.

On the page Settings > Inbound/Outbound > Address Rewriting, click the Inbound Messages tab or the Outbound and Internal Messages tab to display the settings.


The selected address rewrite list is exported. A success message displays at the top of the Address Rewriting page.
Deleting address rewrite entries
Email or domain addresses in an address rewrite list can be deleted individually or in bulk.

On the page Settings > Inbound/Outbound > Address Rewriting, click the Inbound Messages tab or the Outbound and Internal Messages tab to display the settings.

The selected entries are deleted. A success message displays at the top of the Address Rewriting page.
URL Sandbox
The URL sandbox function provides real-time analysis of uncategorized URLs that are embedded in inbound email. When a user clicks an uncategorized URL, a notification message prompts the user to initiate URL analysis, because the link may not be safe. If the user chooses not to analyze the URL, the requested web page is not accessible.
If analysis determines that the link is not malicious, the user receives a notification that lists the URL and category or categories of the page, and clicks Continue to site.
If the link is deemed malicious or if applicable policy does not allow a user to access uncategorized web pages, the user is notified that the site is blocked.
The user may also be notified in the following cases:
?
- If the protocol is not supported. Supported protocols are HTTP, HTTPS, and FTP. If you have selected the option Allow the recipient to follow links with an unsupported protocol, the user can proceed to view the page if desired; otherwise, the user cannot access the page.
Your subscription must include the Forcepoint Email Security Hybrid Module. URL sandbox capability is available only after the email hybrid service is successfully registered and enabled. See Email hybrid service configuration.
The URL sandbox configuration settings include three components:
?
?
?
Use the page Settings > Inbound/Outbound > URL Sandbox to configure the URL sandbox feature:


By default, the check box is not marked.

By default, the check box is not marked.


Leave this field blank to keep the original URL.



Wildcards are not permitted.

By default, the check box is not marked.

By default, the check box is not marked.


Leave this field blank to keep the original URL.

By default, the check box is not marked.

Do not use wildcards, and separate multiple entries with a comma.

The settings are saved.
To delete a set of recipient-specific settings, mark the check box next to the address list and click Delete.
Phishing detection and education
Phishing involves an attempt to obtain personal information like passwords or credit card numbers via email while pretending to be a trusted entity. For example, an email message that purports to be from a known financial institution or popular web site may actually be an attempt to steal personal information.
The phishing detection and education function provides cloud-based analysis of an inbound message for phishing email characteristics. To use the phishing detection and education feature, your subscription must include the Forcepoint Email Security Hybrid Module. It is necessary to successfully register with the email hybrid service before you configure phishing detection and education capabilities. See Email hybrid service configuration.
Functionality requires rules to be defined that determine which sender domains are analyzed and how a suspected phishing email is handled. Suspect email may be treated the same as spam (blocked and saved to a spam queue) or be replaced by a message that educates the recipient about phishing attack email.
Dashboard charts and presentation reports can be configured to display suspected phishing attack data.
The page Settings > Inbound/Outbound > Phishing Detection includes the following tabs for configuring phishing detection:
- Phishing Rules, which contains a list of all your phishing rules. A default rule applies to domains that are not included in any other defined rule. See Adding a phishing detection rule.
  The default rule cannot be deleted. Delete any other phishing rule from the list by marking its associated check box and clicking Delete, then clicking Save to Cloud Service.
- Phishing Education Pages, which contains a list of all the education pages you have defined. A default page applies when a custom page is not specified for a phishing rule. See Creating a phishing education page.
  Delete any phishing education page (except the default page) from the list by marking its associated check box and clicking Delete. You may not delete a page that is being used by a phishing rule.
Click Save to Cloud Service only if you receive an error message regarding a synchronization issue with the cloud service.
Adding a phishing detection rule
Use the following steps to configure a phishing detection rule:

The Add Rule page displays.

In the field Phishing rule name, enter a name for the rule.

In the field Domain names, specify the domains to which this rule applies.
Separate multiple domains with a semicolon.

?
Selection quarantines the suspected phishing message.
?

For example, you may want to select a different action for a particular user or group or present a different phishing education page for that user or group.

Click Add User Exception.
The Add User Exception dialog box displays.

In the text field Description, enter a brief description of this exception.

In the text field Email addresses, specify the email addresses for the users or groups to whom this exception applies.

?
Selection quarantines the suspected phishing message.
?

Click Add.

The phishing rule is saved.

On the Phishing Rules tab, click Save to Cloud Service.
The phishing detection settings are sent to the email hybrid service.
Creating a phishing education page
Create a new phishing education page by copying an existing page and renaming it. You can also customize the default message template to suit your needs. A default page is used when a custom page is not specified for a phishing rule.
Copy an existing phishing education page



Create a custom phishing education page

The Add Phishing Education Page screen displays.


In the text field Page title, specify a title for the page.
This title appears as the browser window name.


 
 
If you receive an error message regarding a synchronization problem with the cloud service, click Save to Cloud Service on the tab Phishing Education Pages to send your phishing education page settings to the email hybrid service.
Managing message queues
The page Main > Message Management > Message Queues is used to view, create, and configure message queues. You can also modify the following default queues:
?
?
?
?
?
?
?
?
?
?
All blocked messages across all queues are accessed on the page Main > Message Management > Blocked Messages (see Managing the blocked message queue). Temporarily delayed messages can be viewed on the page Main > Message Management > Delayed Messages (see Managing the delayed message queue).
Message queues list
The following table details the information available in the Queue List on the Message Queues page.
 
From the Status column, click Referenced to display a list of the email functions that use the queue. During a queue move operation, an icon in this column indicates whether the move is in progress or has failed.
Indicates the total number of messages in the queue. The number of messages a delegated administrator sees may be less than the total displayed in this column, depending on the permissions granted to that administrator.
Displays the location of queue storage (Local, via Network File System [NFS], or via Samba).
Remove a user-created queue by marking the check box next to the queue name in the Queue List and clicking Delete. You cannot delete a default queue.
Creating a message queue
Use the following steps to create a new message queue on the page Main > Message Management > Message Queues:

The Add Queue page displays.

In the text field Queue name, enter a name for the new queue.

?
?
Use the NFS protocol for file storage; click Via Network File System (NFS). Enter the IP address or hostname of the storage location, along with its shared path.
 
?
?
?
?
?
?

Default is 180 for default queues, 30 for administrator-created queues.

Default is 1024.


The settings are saved.
Changing message queue properties
The Edit Queue page is used to change a message queue's properties.

The Edit Queue page displays.

The settings are saved.
Viewing a message queue
The View Messages in a Queue page displays the messages in a message queue, with functionality to view by a specific time or date range, search messages, or perform actions such as Deliver, Delete, and Reprocess.
?
The View Messages in a Queue page displays.
View messages by date/time range
Use the View from/to fields to specify the desired date/time range for viewing entries. The calendar includes the following options:
?
?
?
Click Clean to clear the current date/time calendar selection.
?
Click Today to set the calendar date to today's date.
Set the time range in hours and minutes in the entry fields to the right of the calendar.
?
Click the arrow to the right of the View date/time range to display the desired queue items.
Search messages by keyword
Use the Search functionality to perform a keyword search of the message queue, and to refine a search by message IDs, senders, recipients, subjects, or policies applied. You can also search on the name of the appliance that processed the messages (Processed By category). The Search functionality includes the following options:


From the pull-down menu, click a category on which to search; ID, Subject, Sender, Recipient, Policy/Rule, Processed By, or All.

Click Search.
The messages matching the search parameters display.
Configure the number of messages to display
Use the Per Page menu to configure how many messages to view on each page of the queue.
?
From the pull-down menu per page, select the number of messages to display on each page; 25, 50, or 100.
The default is 25.
The following table details the information displayed in the list of messages.
 
Click View Incident to open the DLP incident information in the Data module, where the message was processed.
Type of message (for example, spam, virus, exception, commercial bulk, advanced malware detection - cloud, advanced malware detection - on-premises, spoofed email, URL analysis, encryption error, or decryption error).
?
?
Archive feature (a setting on the page Settings > Inbound/Outbound > Message Control)
?
For a message attachment analyzed by Forcepoint Advanced Malware Detection for Email - Cloud, click View report(s) to open a pop-up box with links to an Advanced Malware Detection - Cloud report on each file examined.
 
 
Select a message in the queue and perform the following actions:
 
The pull-down menu More Actions includes the following operations:
 
Managing the blocked message queue
The page Main > Message Management > Blocked Messages lists all blocked messages from most queues across all appliances together in a single table, with a column entry that indicates the name of the queue in which a message is stored. Messages in the archive and Delayed Messages queues are not included on this page.
View messages by date/time range
Use the View from/to fields to specify the desired date/time range for viewing entries. The calendar includes the following options:
?
?
?
Click Clean to clear the current date/time calendar selection.
?
Click Today to set the calendar date to today's date.
Set the time range in hours and minutes in the entry fields to the right of the calendar.
?
Click the arrow to the right of the View date/time range to display the desired queue items.
Search messages by keyword
Use the Search functionality to perform a keyword search of blocked messages, and to refine a search by message IDs, senders, recipients, subjects, or policies applied. You can also search on an individual queue or on the name of the appliance that processed the messages (Processed By category). The Search functionality includes the following options:


From the pull-down menu, click a category on which to search; ID, Subject, Sender, Recipient, Policy/Rule, Processed By, or All.

Click Search.
The messages matching the search parameters display.
Configure the number of messages to display
Use the Per Page menu to configure how many messages to view on each page of the queue.
?
From the pull-down menu per page, select the number of messages to display on each page; 25, 50, or 100.
The default is 25.
The following table details the information displayed in the list of blocked messages.
 
Click View Incident to open the DLP incident information in the Data module, where the message was processed.
Queue in which the message is stored (for example, spam, virus, exception, encryption-fail, or decryption-fail).
Type of message (for example, spam, virus, exception, commercial bulk, advanced malware detection - cloud, advanced malware detection - on-premises, spoofed email, URL analysis, encryption error, or decryption error).
?
?
Archive feature (a setting on the page Settings > Inbound/Outbound > Message Control)
?
For a message attachment analyzed by Forcepoint Advanced Malware Detection for Email - Cloud, click View report(s) to open a pop-up box with links to an Advanced Malware Detection - Cloud report on each file examined.
Select a message in the blocked messages queue and perform the following actions:
 
The pull-down menu More Actions includes the following operations:
 
Managing the delayed message queue
Email that is temporarily undeliverable as a result of various connection issues is sent to the delayed messages queue. Delayed messages may be automatically resent by the system. See Handling undelivered messages for information about setting the delayed messages delivery retry interval and configuring a notification message to be sent for undelivered email.
Delayed message delivery may also be scheduled for a future date using a custom content filter action. See Custom content for information about custom content filters and Creating and configuring a filter action for details about scheduling a delayed message delivery.
View the messages in this queue and manually perform necessary processing activities on the page Main > Message Management > Delayed Messages.
View messages by date/time range
When the Delayed Messages page displays, the most recent messages are shown. Use the View from/to fields to specify the desired date/time range for viewing messages. The calendar includes the following options:
?
?
?
Click Clean to clear the current date/time calendar selection.
?
Click Today to set the calendar date to today's date.
Set the time range in hours and minutes in the entry fields to the right of the calendar.
?
Click the arrow to the right of the View date/time range to display the desired queue items.
Search messages by keyword
Use the Search functionality to perform a keyword search of delayed messages, and to refine a search by message IDs, senders, recipients, subjects, or reasons for delay. If appliances are configured in a cluster, you can also search on the name of the appliance that processed the messages (Processed By category). The Search functionality includes the following options:


From the pull-down menu, click a category on which to search; ID, Subject, Sender, Recipient, Processed By, Reason for Delay, or All.

Click Search.
The messages matching the search parameters display.
Configure the number of messages to display
Use the Per Page menu to configure how many messages to view on each page of the queue.
?
From the pull-down menu per page, select the number of messages to display on each page; 25, 50, or 100.
The default is 25.
The following table details the information displayed in the list of delayed messages.
 
Click View Incident to open the DLP incident information in the Data module, where the message was processed.
- Scheduled delay. An intentional delay that is scheduled via a custom content filter action (see Creating and configuring a filter action for information).
Select a message in the queue and perform the following actions:
 
The pull-down menu More Actions includes the following operations:
 
Viewing a message in a queue
Use the View Message page to view details about a message or the message contents from any message queue, including Blocked Messages, Delayed Messages, or any default or custom queue on the page Message Queues. Click the link for a message in the Subject column of a queue to open the View Message page.
The Back link at the top of the page returns you to the View Queue page. The Previous and Next links let you navigate to the previous or next message in the queue messages list.
The following information about a selected message is displayed on the View Message page:
 
All message actions available on any View Queue page are also available on the View Message page, except Clear All Messages and Release All Messages. See Viewing a message queue. You can also choose to view message contents in either text or HTML format, or select Clear message queue from the pull-down menu More Actions.
Configuring message exception settings
The page Settings > Inbound/Outbound > Exceptions specifies how to handle messages that cannot be processed for some reason. Configure message exception settings as follows:

?
?
?
?
?
?
?
Select the desired folder from the pull-down menu (default is exception). The list includes all the default queue names and any administrator-created queues. To add a new queue, select Add Folder from the pull-down menu to open the Add Queue screen.
 

Send a notification regarding the unprocessed message; mark the check box Send notification to enable the Notification Properties section.

?
This is the default.
?
If you use this option, you must configure a valid administrator email address on the page Settings > General > System Settings (see Setting system notification email addresses).
?
Specify a single email address in this field.

?
?
?
This is the default. If you use this option, you must configure a valid administrator email address on the page Settings > General > System Settings (see Setting system notification email addresses).
?

In the text field Subject, specify the subject line of your notification message.

In the text field Content, enter the body of your notification message.


The settings are saved.
Handling undelivered messages
Message delivery options help you control how undeliverable mail is handled. Options for these operations are configured on the page Settings > Inbound/Outbound > Message Non-Delivery Options.
Use the following steps to determine how to handle messages that are temporarily undeliverable due to error situations:

In the field Retry interval, enter the time for the message retry interval, in minutes.
 
Important 

In the field Maximum retry period, enter the time for the maximum period for retrying message delivery, in minutes.
The default is 1440.

In the field Notification email address, enter an email address to which to send notifications that a non-delivery report (NDR) cannot be delivered to the original sender at the end of the retry period.
Mark the check box Use Administrator email address to send these messages to the administrator.
You must configure the administrator address on the page Settings > General > System Settings (see Setting system notification email addresses).

The settings are saved.
Traffic shaping options
The page Settings > Inbound/Outbound > Traffic Shaping is used to determine the rate of traffic delivery for a specified source or destination group based on domain group or user directory settings. For example, these settings allow you to send large volumes of email at a rate that prevents possible blacklisting of the domain.
Change the order of a traffic shaping group by marking its associated check box and using the Move Up and Move Down buttons. Copy an existing traffic shaping group by marking its associated check box and clicking Copy. You can delete a traffic shaping group by marking its associated check box and clicking Delete.
In addition to specifying source and destination user groups, the following message delivery settings may be modified as part of traffic shaping:
?
?
?
?
The default traffic shaping group contains no traffic source or destination user groups.
Add message traffic shaping controls in your system

The Add Traffic Shaping Group page displays.

In the text field Traffic shaping group name, enter a name.

From the pull-down menu Order, specify the location in which this group should appear in the traffic shaping group list.


From Source type, designate one of the following source types:
?
?
This is the default. Select the domain group from the pull-down menu. Modify the selected domain group by clicking Edit.
?
Select a user directory from the list, or create a new user directory by clicking Add user directory.

From Destination type, designate one of the following destination types:
?
?
This is the default. Select the domain group from the pull-down menu. Modify the selected domain group by clicking Edit.
?
Select a user directory from the list, or create a new user directory by clicking Add user directory.

In the field Maximum number of concurrent connections, enter the maximum number of simultaneous message deliveries to an individual routing address.
The range of values is 5–50; default value is 20.

In the field Maximum number of messages per connection, enter the maximum number of messages per connection within a defined time period.
The range of values for number of messages is 1–10000; default value is 10000. The time range is 60 seconds to 30 minutes; default value is 60 seconds.

In the field Maximum number of recipients, enter the maximum number of message recipients per message delivery.
The range of values is 5–100; default value is 50.

This is the default.

Range of values is 5–100; default is 10. Enter zero (0) to specify an unlimited number of messages per session.

Range of values is 60–600 seconds; default value is 300 seconds.

The settings are saved. The new group displays on the page Traffic Shaping.
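The following is an added illustration, not Forcepoint code: a small simulator that applies the three traffic shaping limits described above (concurrent connections, messages per connection per time period, recipients per message) to a batch of outbound messages for one destination. The data structures, the greedy fill order and the sample recipient addresses are assumptions of the example; the numeric ranges are the ones stated on this page.

```python
"""Added example (not Forcepoint code): how the traffic shaping limits interact.

A message whose recipient list exceeds 'Maximum number of recipients' becomes
several deliveries; deliveries are then packed onto at most
'Maximum number of concurrent connections' connections, each carrying at most
'Maximum number of messages per connection' deliveries per time period.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ShapingGroup:
    max_concurrent_connections: int = 20      # page: range 5-50, default 20
    max_messages_per_connection: int = 10000  # page: range 1-10000, default 10000
    window_seconds: int = 60                  # page: 60 s to 30 min, default 60 s
    max_recipients: int = 50                  # page: range 5-100, default 50

    def validate(self):
        """Raise ValueError if a setting is outside the documented range."""
        checks = [
            (self.max_concurrent_connections, 5, 50, "Maximum number of concurrent connections"),
            (self.max_messages_per_connection, 1, 10000, "Maximum number of messages per connection"),
            (self.window_seconds, 60, 30 * 60, "time period (seconds)"),
            (self.max_recipients, 5, 100, "Maximum number of recipients"),
        ]
        for value, low, high, name in checks:
            if not low <= value <= high:
                raise ValueError(f"{name} must be between {low} and {high}, got {value}")
        return True


def split_recipients(recipients, max_recipients):
    """One message with too many recipients becomes several deliveries."""
    return [tuple(recipients[i:i + max_recipients])
            for i in range(0, len(recipients), max_recipients)]


def plan_windows(messages, group):
    """Pack deliveries into time windows.

    Returns a list of windows; each window is a list of connections; each
    connection is the list of deliveries (recipient tuples) it carries.
    Deliveries are filled greedily, connection by connection (an assumption of
    this example, not a documented Forcepoint behaviour).
    """
    group.validate()
    deliveries = [d for rcpts in messages
                  for d in split_recipients(rcpts, group.max_recipients)]
    per_window = group.max_concurrent_connections * group.max_messages_per_connection
    windows = []
    for start in range(0, len(deliveries), per_window):
        chunk = deliveries[start:start + per_window]
        connections = [chunk[i:i + group.max_messages_per_connection]
                       for i in range(0, len(chunk), group.max_messages_per_connection)]
        windows.append(connections)
    return windows


def estimated_seconds(messages, group):
    """Lower bound on elapsed time: one time period per window."""
    return len(plan_windows(messages, group)) * group.window_seconds


if __name__ == "__main__":
    # Constructed sample: one bulk message to 520 recipients plus one small message.
    bulk = [f"user{i}@example.net" for i in range(520)]
    small = [f"person{i}@example.net" for i in range(7)]
    tight = ShapingGroup(max_concurrent_connections=5,
                         max_messages_per_connection=2,
                         window_seconds=60, max_recipients=50)
    for n, window in enumerate(plan_windows([bulk, small], tight)):
        print(f"window {n}: {len(window)} connections, "
              f"{sum(len(c) for c in window)} deliveries")
    print("estimated seconds:", estimated_seconds([bulk, small], tight))
```

Lowering the recipient limit multiplies the number of deliveries, and lowering messages per connection multiplies the number of time windows, so the two settings should be tuned together against the volume you actually send to a given domain.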
Handling encrypted messages
Administrator Help | Forcepoint Email Security | Version 8.5.x
An email content policy configured in the Data Security module may specify that a message should be encrypted for delivery. To encrypt specific outbound messages, you must create an email DLP policy that includes an encryption action plan in the Data Security module (Main > Policy Management > DLP Policies).
The following types of message encryption are supported:
?
?
?
?
Specify the type of encryption to use on the page Settings > Inbound/Outbound > Encryption.
Mandatory Transport Layer Security encryption
Transport Layer Security (TLS) is an Internet protocol that provides security for all email transmissions—inbound, outbound, and internal. The client and server negotiate a secure "handshake" connection for the transmission to occur, provided both the client and the server support the same version of TLS.
Enable TLS encryption with no backup method
In the Email Security module, if you select only TLS for message encryption and the client and server cannot negotiate a secure TLS connection, the message is sent to a delayed message queue for a later delivery attempt.

Navigate to the page Settings > Inbound/Outbound > Encryption.

From the pull-down menu Encryption method, select Transport Layer Security (TLS).

To use only TLS for message encryption, from TLS Encryption Backup Options select Use TLS only (no backup encryption method; message is queued for later delivery attempt).

The settings are saved.
Enable TLS encryption with a backup method
If you select TLS for message encryption, you can designate another encryption option as a backup method in case the TLS connection fails. Specifying a backup option allows you a second opportunity for message encryption in the event of an unsuccessful TLS connection. If both the TLS and backup connections fail, the message is sent to a delayed message queue for a later connection attempt.

Navigate to the page Settings > Inbound/Outbound > Encryption.

From the pull-down menu Encryption method, select Transport Layer Security (TLS).

?
This option is available only if your subscription includes the Forcepoint Email Security - Encryption Module.
?
?
Additional options display according to your selection.

See Third-party encryption application and Secure Message Delivery.

The settings are saved.
Forcepoint email encryption
The Forcepoint Email Encryption option enables the email hybrid service to perform message encryption on outbound messages. Forcepoint email encryption is available only if your subscription includes the Forcepoint Email Security Hybrid Module and the Forcepoint Email Security - Encryption Module, and if the email hybrid service is registered and enabled.
You can also specify Forcepoint Email Encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.
When an email DLP policy identifies an outbound message for encryption, the message is sent to the email hybrid service via a TLS connection. If the secure connection is not made, the message is placed in a delayed message queue for a later delivery attempt.
The SMTP server addresses used to route email to the email hybrid service for encryption are configured during the Forcepoint Email Security Hybrid Module registration process. Use the Delivery Route page under Settings > Hybrid Service > Hybrid Configuration to add outbound SMTP server addresses (see Define delivery routes).
If the email hybrid service detects spam or a virus in an encrypted outbound message, the mail is returned to the message sender.
The email hybrid service attempts to decrypt inbound encrypted mail and adds an x-header to the message to indicate whether the decryption operation succeeded. Message analysis is performed regardless of whether message decryption is successful.
The hybrid service does not encrypt inbound or internal mail. A DLP policy must be modified to designate only outbound messages for encryption when the email hybrid service is used.
See Forcepoint Email Security Message Encryption for more information.
Enable Forcepoint email encryption

Navigate to the page Settings > Inbound/Outbound > Encryption.

From the pull-down menu Encryption method, select Forcepoint Email Encryption.

The settings are saved.
Third-party encryption application
The email protection system supports the use of third-party software for email encryption. The third-party application used must support the use of x-headers for communication with the email system.
You can also specify third-party application encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.
The email protection system can be configured to add an x-header to a message that triggers a DLP encryption policy. Other x-headers indicate encryption success or failure. These x-headers facilitate communication between the email system and the encryption software. You must ensure that the x-header settings made on the Encryption page match the corresponding settings in the third-party software configuration.
Configure third-party application encryption

Navigate to the page Settings > Inbound/Outbound > Encryption.

From the pull-down menu Encryption method, select Third-party application.
Applicable configuration options display.



If you entered an IP address in the previous step, the MX lookup option is not available.

Click the arrow to the right of the Add Encryption Server box to add the server to the Encryption Server List.
To delete a server from the list, select it and click Remove.

In the pull-down menu Encrypted IP address group, specify an IP address group if decryption is enabled or if encrypted email is configured to route back to the email software.
The default is Encryption Gateway.

To require users to present credentials to view encrypted mail, mark the check box Require authentication and supply the user name and password in the appropriate fields.
Authentication must be supported and configured on your encryption server to use this function.

In the field Encryption X-Header, specify an x-header to be added to a message that should be encrypted.
This x-header value must also be set and enabled on your encryption server.

In the field Encryption Success X-Header, specify an x-header to be added to a message that has been successfully encrypted.
This x-header value must also be set and enabled on your encryption server.

In the field Encryption Failure X-Header, specify an x-header to be added to a message for which encryption has failed.
This x-header value must also be set and enabled on your encryption server.

?
Mark the check box Send messages to queue.
Select a queue for these messages from the pull-down menu. The default is the virus queue.
?
Mark the check box Send notification to original sender.
?
?
?
This is the default.
?


?
In the field Content type, enter the message content types to decrypt, separated by semicolons.
Maximum length is 49 characters. Default entries include multipart/signed, multipart/encrypted, and application/pkcs7-mime.
?
In the field X-Header, specify a message x-header that identifies a message to decrypt.
This x-header value must also be set and enabled on your encryption server.
?
In the field Decryption X-Header, specify an x-header to be added to a message that should be decrypted.
This x-header value must also be set and enabled on your encryption server.
?
In the field Decryption Success X-Header, specify an x-header to be added to a message that has been successfully decrypted.
This x-header value must also be set and enabled on your encryption server.
?
In the field Decryption Failure X-Header, specify an x-header to be added to a message for which decryption has failed.
This x-header value must also be set and enabled on your encryption server.
?
To forward a message that has failed decryption to a specific queue, mark the check box On decryption failure and select a queue for these messages from the pull-down menu.
The default is the virus queue.

The settings are saved.
Secure Message Delivery
Secure Message Delivery is an on-premises encryption method used to configure delivery options for a secure portal in which recipients of your organization's email may view, send, and manage encrypted email. For example, you may wish to include sensitive personal financial information in a message to a client. The portal provides a secure location for the transmission of this data.
Users within your organization who send and receive secure messages handle these messages via their local email clients, not the secure portal.
Secure messages are stored in a default secure-encryption queue (Main > Message Management > Message Queues). You can search for and delete messages in the secure-encryption queue view. Message details may not be viewed. The maximum queue size and number of days a message is retained are configured on the Edit Queue page. See Managing message queues.
You can also specify Secure Message Delivery as a backup encryption method for outbound email if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.
The Secure Message portal can be displayed in one of nine languages, which the end user selects during the registration process. The Forcepoint Secure Messaging User Help is available in Forcepoint Documentation, also in nine languages. It describes the user registration process and how to use the secure message portal.
Configure Secure Message Delivery encryption

Navigate to the page Settings > Inbound/Outbound > Encryption.

From the pull-down menu Encryption method, select Secure Message Delivery.

The maximum length for the hostname is 64 characters.
Entering a hostname rather than an IP address is recommended, to avoid potential Microsoft Outlook warning messages generated in an end user's inbox by the notification message.
Important: If you have an appliance cluster, enter the IP address or hostname for one cluster appliance (primary or secondary). The cluster load balancing function directs traffic appropriately.

?
With this policy in force, an end-user password must meet the following requirements:
?
?
?
?
?
! " # $ & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
End users are prompted to create strong passwords in the Secure Messaging portal.
?
End-user message size includes any attachments. The default value is 50 MB; maximum value is 100 MB.
?
An end user may reply to all message recipients. However, if the option Internal domain email addresses only is selected for Allowed Recipients, the user may reply only to recipients inside your organization.
The recipient list cannot be modified for this type of message.
?
An end user may forward any secure message received to allowed recipients.
?
An end user may compose and send a new secure message to allowed recipients.
?
An end user may send an attachment in a secure message.
These options are all selected by default.
The Allowed Recipients box offers options for the types of recipients to whom your customer may reply, forward, or send new secure messages. For security purposes, the recipient list must include at least one email address within your organization.
?
Internal domain email addresses only. Only email addresses within your organization's protected domains may be specified as recipients.
?
Internal and external domain email addresses (at least one internal email address required). Email addresses outside your organization's protected domains may be specified as recipients, but at least one address within your domains must be entered (default selection).
See Protected Domain group for more information about determining your protected domains.

Any customizations you make to the notification message template are lost when upgrading to a new version of Forcepoint Email Security. After upgrade, you will need to reconfigure your customized templates.
?
The $URL$ field must be included in your notification because it creates the link the end user clicks to access the secure email portal.
?
In the field Sender, enter one sender address for the notification.
The sender address must belong to your internal protected domain. Because you do not want responses to the notification, ensure that the sender address is configured to drop any direct replies to the notification.
?
In the field Subject, enter an email subject.


The settings are saved.
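The checks a practitioner would want before saving the Secure Message Delivery settings above, as an added example that is not Forcepoint code: the portal hostname length limit, the hostname-rather-than-IP recommendation, the mandatory $URL$ field in the notification template, and the requirement that the sender belongs to an internal protected domain. The function names, the sample template and the domain list are constructed for the example.

```python
"""Added example (not Forcepoint code): validate and render the Secure Message
Delivery notification settings described on this page.
"""
import ipaddress

URL_FIELD = "$URL$"   # the field the page says must appear in the notification


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_portal_host(host):
    """Return a list of problems with the portal address (empty list means OK)."""
    problems = []
    if len(host) > 64:
        problems.append("hostname exceeds the 64-character maximum")
    if is_ip_literal(host):
        problems.append("IP address given; a hostname is recommended to avoid Outlook warnings")
    return problems


def check_notification(template, sender, subject, protected_domains):
    """Return a list of problems with the notification message settings."""
    problems = []
    if URL_FIELD not in template:
        problems.append(f"notification must include {URL_FIELD}")
    local, at, domain = sender.rpartition("@")
    allowed = {d.lower() for d in protected_domains}
    if not at or not local or domain.lower() not in allowed:
        problems.append("sender must be an address in an internal protected domain")
    if not subject.strip():
        problems.append("subject must not be empty")
    return problems


def render_notification(template, portal_url):
    """Substitute only $URL$; all other text is sent verbatim."""
    return template.replace(URL_FIELD, portal_url)


# Constructed sample values (assumptions of the example).
PROTECTED_DOMAINS = ["example.com", "corp.example.com"]
TEMPLATE = ("You have received a secure message. Open it at $URL$ within 30 days.\n"
            "This mailbox is not monitored; do not reply.")

if __name__ == "__main__":
    print(check_portal_host("secure-mail.example.com"))
    print(check_portal_host("192.0.2.5"))
    print(check_notification(TEMPLATE, "secure-noreply@example.com",
                             "Secure message waiting", PROTECTED_DOMAINS))
    print(render_notification(TEMPLATE, "https://secure-mail.example.com/portal"))
```

The sender check only establishes that the address is in a protected domain; the page's separate advice, that direct replies to the notification should be dropped, has to be configured on the mail system for that address.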
Copyright 2018 Forcepoint. All rights reserved.