Message Encryption Administration Guide
Google, Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 www.google.com Part number: ENCAD_R6.16_13 4 November 2008 © Copyright 2008 Google, Inc. All rights reserved. Google, the Google logo, Google Message Filtering, Google Message Security, Google Message Discovery, Postini, the Postini logo, Postini Perimeter Manager, Postini Threat Identification Network (PTIN), Postini Industry Heuristics, and PREEMPT are trademarks, registered trademarks, or service marks of Google, Inc.
library. Credit must be given in user-accessible documentation. This software is provided “AS IS.” The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 1.8.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.
Contents What This Guide Contains 7 Related Documentation 7 How to Send Comments About This Guide 8 Chapter 1: Introduction to Encryption Services 9 About Encryption Services 9 Transport-Layer Security 9 Policy Enforced TLS 10 Message Encryption, Portal Delivery 11 Message Encryption, Inbox Delivery 11 How Encryption Services Components Work Together 11 Chapter 2: Policy Enforced TLS 13 About Policy Enforced TLS 13 How Policy Enforced TLS Works 14 Set Up Policy Enforced TLS 16 Certificate Validation 18
How Inbox Delivery Works 44 Filtering 45 Reading Encrypted Messages 45 Inbox Delivery Branding 47 Set Up Inbox Delivery 48 Configure Encryption for an Organization 50 Configure Encryption for a User 50 View User Encryption Settings 50 Configure Content Manager for Message Encryption Troubleshooting Inbox Delivery 51 Chapter 5: Reports 53 About Reports 53 View a Report 53 Policy-Enforced by Domain 54 Outbound External Encryption by Domain 55 Outbound External Encryption by Account 56 Outbound External Encryp
About This Guide What This Guide Contains The Encryption Services Guide provides information about: • Descriptions of features and data flow of Policy Enforced TLS and Message Encryption. • Specific step-by-step instructions to enable encryption. • Information on reporting and administration. This guide is intended for mail server administrators who are already familiar with mail server configuration and security. This guide is a supplement to the Email Security Service Administration Guide.
Document Description
Message Encryption, Portal Delivery User’s Guide: A simple user reference that explains features and data flow of Message Encryption, Portal Delivery.
Message Encryption, Inbox Delivery User’s Guide: A simple user reference that explains features and data flow of Message Encryption, Inbox Delivery.
Message Encryption Release Notes: Release notes on the most recent changes to Message Encryption.
How to Send Comments About This Guide Postini values your feedback.
Chapter 1 Introduction to Encryption Services About Encryption Services Our encryption offerings deliver policy-based, practical solutions for email encryption. Message Security has long supported the TLS (Transport-Layer Security) protocol, which has an inherent best-effort delivery mechanism from gateway to gateway. The protocol falls back to clear text if the recipient gateway cannot perform the TLS handshake.
The protocol uses cryptography to provide endpoint authentication and communications privacy over the Internet. TLS is the email equivalent of HTTPS for web communications and has similar strengths and weaknesses. The key features of TLS are: • Message encryption TLS uses Public Key Infrastructure (PKI) to encrypt messages from mail server to mail server. This encryption makes it more difficult for hackers to intercept and read messages.
Message Encryption, Portal Delivery Message Encryption, Portal Delivery can be used on an on-demand basis to communicate with any recipient regardless of their capabilities. This secure-and-post feature enables a sender to create a message in their native email client and simply mark the message as confidential. For example, a Microsoft Outlook user would set Sensitivity to Confidential when sending the message.
When Encryption Services Apply Policy Enforced TLS applies to all inbound mail received from designated domains, and all outbound mail sent to designated domains. For each of your inbound and outbound email configs, you can designate domains that require TLS connections, and optionally certificate validation. Message Encryption applies to outbound messages. For a group of users or an individual, you can enable Message Encryption for all outbound messages or only for outbound messages with a specific header.
Chapter 2 Policy Enforced TLS About Policy Enforced TLS The email security service includes Transport Layer Security (TLS) functionality which can be applied to all mail traffic. Policy Enforced TLS expands this functionality by allowing domain-based control of TLS. You can use Policy Enforced TLS to set up a custom encryption policy to send and receive mail for specific domains.
Requirements Policy Enforced TLS is set up separately for inbound and outbound mail. Setting up Policy Enforced TLS for inbound or outbound mail requires the following: • Support on your mail server for Transport Layer Security (TLS). • Administration Console read and write permissions for Inbound Transport Security on the email config level. Setting up Policy Enforced TLS for outbound mail requires the following: • Support on your mail server for Transport Layer Security (TLS).
• Stage 1: The sending server sends a message via TLS to the email protection service, which will always accept TLS messages and process them according to the TLS protocol. The message is encrypted from the sending server to the email protection service. • Stage 2: A TLS connection is attempted between the email protection service and your receiving mail server.
Outbound Policy Enforced TLS Mail Flow If you have Policy Enforced TLS enabled for outbound mail, you can specify a list of sending domains. Mail to these domains will always be encrypted. For outbound mail traffic, the email protection service acts as a proxy between your mail server and the receiving server. This diagram shows the flow of TLS messages between servers: • Stage 1: The first connection is from your mail server to the email protection service.
3. Scroll to the Inbound TLS by Sender Domain section, at the bottom of the page. If you do not see this section, you do not have Policy Enforced TLS enabled. Contact your account representative for information.
4. Enter the domain name you wish to set as TLS-only. Type the exact domain name; wildcards and subdomains are not supported.
5. Click Add. The change takes effect immediately.
6. Recommended: Enable TLS Alerts so you will be notified if a problem occurs.
4. Enter the domain name you wish to set as TLS-only. Type the exact domain name. Wildcards and subdomains are not supported; each subdomain must be added separately.
5. Click Add. The change takes effect immediately.
6. Optional: Set Certificate Validation. The default setting, Encryption Only, should be sufficient for most domains, but you can validate the recipient’s certificate by changing this setting to Verify Certificate, Trust Check, or Domain Check.
To set up Certificate Validation: 1. Go to Outbound TLS settings in the Administration Console. 2. If the domain is not already listed in Policy Enforced TLS, add the recipient domain to Policy Enforced TLS. 3. Under “Domain-Specific Setting for Outbound TLS,” set TLS Certification to the appropriate setting and click Save Selected. Scope of Certificate Validation Certificate Validation examines SSL certificates to verify a recipient’s identity.
TLS Certification Description
Encrypt Only. Behavior: Policy Enforced TLS obtains the keys from the Server Certificate, extracts the keys, completes the TLS handshake, and begins the encrypted session. No further verification takes place. Errors that prevent key extraction will result in a bounced connection, but any other certificate-related errors are ignored. Recommendations: This setting provides the most reliable delivery of encrypted mail, and is recommended in most cases.
Check Trust. Behavior: In addition to the certificate tests in Verify Cert, also verifies that the certificate is from a known valid Certificate Authority. Does not allow a self-signed certificate or a certificate from an unknown trust root. Requires a complete certificate chain. Will also block any certificate linked to an IP address instead of a hostname. Ends the mail session if the trust check fails.
2. Click Save as Default. TLS Alerts Policy Enforced TLS is intended for secured business partners who intend to encrypt all email communication between two parties. To prevent secure messages from being transmitted in the open, Policy Enforced TLS will refuse messages that come from specified domains when TLS sessions fail. TLS Alerts inform your administrators when Policy Enforced TLS rejects a message. If a TLS connection fails, this may indicate a problem which requires immediate administrator action.
4. Confirm the values by entering the following command into Step 2.5 and clicking “Submit job”: displayorg orgname is the name of your email config organization. Modify or Disable TLS Alerts 1. Log in to the Administration Console. 2. Go to the Batch page in the Orgs & Users tab. 3. Enter the following command into Step 2.5 and click “Submit job”: modifyorg , tls_notify_admin=, tls_notify_on= orgname is the name of your email config organization.
When Policy Enforced TLS blocks an inbound message, your administrator will see the following alert: This message is an automated alert from your email protection service. Your email protection service was unable to accept messages from the following domain, because the domain's mail server cannot use TLS: Your Inbound TLS by Domain encryption policy requires this domain to send messages using TLS.
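The following is an added example (not Postini/Google code) that models the outbound decision the chapter describes: exact-match domain policies, the Encrypt Only and Check Trust certification levels, best-effort fallback for domains that are not policy enforced, and a bounce plus administrator alert when a policy-enforced domain fails TLS. The handshake result is a constructed record rather than a live connection, the Domain Check level is assumed to add a hostname match on top of Check Trust, and the alert wording is this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Result of one TLS handshake attempt with a recipient mail server.
# Constructed by the caller; this example never opens a network socket.
@dataclass
class HandshakeResult:
    tls_established: bool           # handshake completed
    key_extracted: bool = True      # public key read from the server certificate
    chain_complete: bool = False    # full chain up to a root was presented
    trusted_root: bool = False      # root is a known CA (not self-signed)
    subject_is_ip: bool = False     # certificate is bound to an IP, not a hostname
    hostname_matches: bool = False  # certificate name matches the recipient domain

@dataclass
class DomainPolicy:
    domain: str
    certification: str = "Encrypt Only"   # or "Check Trust", "Domain Check"

def tls_acceptable(policy: DomainPolicy, hs: HandshakeResult) -> tuple[bool, str]:
    """Apply the TLS Certification setting to a handshake result."""
    if not hs.tls_established:
        return False, "TLS handshake failed"
    if not hs.key_extracted:
        return False, "key could not be extracted from the server certificate"
    if policy.certification == "Encrypt Only":
        # Any other certificate-related error is ignored at this level.
        return True, "encrypted session established"
    # Check Trust (and, assumed here, Domain Check on top of it) needs a
    # complete chain ending at a known CA and a hostname-bound certificate.
    if not (hs.chain_complete and hs.trusted_root):
        return False, "certificate is self-signed or not from a known CA"
    if hs.subject_is_ip:
        return False, "certificate is issued to an IP address, not a hostname"
    if policy.certification == "Check Trust":
        return True, "trust check passed"
    if policy.certification == "Domain Check":
        if not hs.hostname_matches:
            return False, "certificate name does not match the recipient domain"
        return True, "domain check passed"
    raise ValueError(f"unknown TLS Certification setting: {policy.certification!r}")

def tls_alert(domain: str, reason: str) -> str:
    """Constructed administrator alert text (wording is this example's own)."""
    return ("Automated alert: mail to " + domain + " was rejected because " + reason
            + ". Your Outbound TLS by Domain policy requires TLS for this domain.")

def route_message(policies: dict[str, DomainPolicy], recipient_domain: str,
                  hs: HandshakeResult) -> tuple[str, Optional[str]]:
    """Return (action, alert). Actions: deliver_tls, deliver_clear, bounce."""
    # Exact domain match only: wildcards and subdomains are not supported.
    policy = policies.get(recipient_domain.lower())
    if policy is None:
        # Not a Policy Enforced domain: best-effort TLS, clear text on failure.
        return ("deliver_tls" if hs.tls_established else "deliver_clear"), None
    ok, reason = tls_acceptable(policy, hs)
    if ok:
        return "deliver_tls", None
    # Policy Enforced domain and TLS failed: refuse rather than send in the open.
    return "bounce", tls_alert(recipient_domain, reason)

if __name__ == "__main__":
    policies = {"partner.example": DomainPolicy("partner.example", "Check Trust")}
    self_signed = HandshakeResult(tls_established=True)
    print(route_message(policies, "partner.example", self_signed))
    print(route_message(policies, "other.example", HandshakeResult(False)))
```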
Chapter 3 Message Encryption, Portal Delivery About Message Encryption, Portal Delivery Message Encryption, Portal Delivery is a component that provides enhanced security for confidential email transmission by encrypting outbound mail. With Portal Delivery, an encrypted message is secured and posted on a web portal, which the recipient can then access and read.
You will also need to enable Transport Layer Security (TLS) on your mail server. Setting up TLS on your server ensures that your confidential email is secure throughout transmission. For information on implementing TLS on your mail server, check your mail server documentation. If you are using multiple servers, enable TLS on each server that routes mail to the email protection service, and configure TLS in the Administration Console.
1. Sender to Email Security Service Your outbound email is routed through the email protection service. To assure that your email is secure, set up TLS on your mail server and transmit only encrypted messages to the email protection service. Confidential messages are sent to Secure Portal. Other messages are delivered directly to the recipient’s mail server. You can send messages up to 10MB in size through Message Encryption. Larger messages will be bounced with a 554 error message. 2.
If the message expires without being read, the sender will receive a notice. If the recipient replies to a message, Portal Delivery sends the reply back to the email protection service, which routes the message to your inbox. Replies are filtered by the email protection service using the same protection as any other inbound messages. Filtering Before a message is routed to Message Encryption, the email security service applies the same filter rules as all outbound mail.
Custom Portal For an additional cost, you can custom-brand your Secure Portal. Contact your account representative for more information about customizing branding for your portal.
Set Up Portal Delivery To set up Portal Delivery, you’ll work with an account representative to enable the service. If you will be setting up a Custom Portal, additional design time may be required. Prerequisites Using Message Encryption, Portal Delivery requires that you route your mail through Outbound Services. For instructions on how to do this, see the Outbound Services Configuration Guide. You will also need to enable Transport Layer Security (TLS) on your mail server.
Activate Message Encryption An Activation Specialist will walk you through activating the Message Encryption service. Here is an overview of the steps that will be required to enable Message Encryption, Portal Delivery. Each step is described in detail in the sections below.
Activation Specialist Adds Domains and Portal Once you have specified your domain (and, if you are using Custom Portal, portal options), your account representative will work with portal designers to create your custom Secure Portal. This process requires special implementation and testing and may take up to 10 days. Add DNS Records for Your Domain Message Encryption uses ZixCorp encryption technology, which provides encryption services and message portal access.
Configure Message Encryption Set Message Encryption Settings in the Administration Console for organizations or individual users. You can also set up Content Manager rules to encrypt some of your mail based on the content of the mail. • For information on organization Encryption Settings, see “Configure Encryption for an Organization” on page 35. • For information on user Encryption Settings, see “Configure Encryption for a User” on page 37.
Encrypt all mail for a select group of users. Encrypt mail for other users if it contains a certain custom phrase in the subject or header.
1. In org-level Message Encryption, for each organization that contains users, set Encryption to “Messages with this subject or header text:”
2. Enter the custom phrase you want to use.
3. Save your settings.
4. In user-level Message Encryption, for each user who should have mail encrypted, set Encryption to “All messages”.
5. Save your settings.
In this scenario, Message Encryption will also apply for messages with “Sensitivity: Company-Confidential” in the subject or header, but only if they are sent by these users. Configure Encryption for an Organization After setting up Message Encryption, you can configure encryption settings for a specific organization in the Administration Console. Encryption settings are available through the user interface or through batch commands.
Setting Description
No messages: Messages will not be sent through Message Encryption. Content Manager rules for Encryption are disabled.
All messages: All messages will be sent through Message Encryption.
Messages with this subject or header text: Messages will be sent through Message Encryption if the exact text entered is found somewhere in the header, including the subject line. If left blank, the text defaults to “Sensitivity: Company-Confidential.” Content Manager rules also apply.
Configure Encryption for a User After setting up Message Encryption, you can configure encryption settings by individual user in the Administration Console. Normally, all users will apply the organization settings, but if you need to have individual users with different settings, you can configure Message Encryption for users. Encryption settings are available through the user interface or through batch commands.
Setting Description
Only messages with this subject or header text: “Sensitivity: Company-Confidential”: Messages will be sent through Message Encryption if the exact text “Sensitivity: Company-Confidential” is found somewhere in the header, including the subject line. “Sensitivity: Company-Confidential” is a special header detailed in RFC 1327. Microsoft Exchange also adds this header text when Sensitivity is set to Confidential. Content Manager rules also apply.
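As an added example (not Postini/Google code), the following implements the org-level and user-level setting table above and the mixed scenario from the previous section: a user setting, when present, overrides the org default; a blank trigger text falls back to “Sensitivity: Company-Confidential”; and the trigger matches anywhere in the headers, subject line included. The sample messages are constructed, and Content Manager rules are left out.

```python
from email import message_from_string
from email.message import Message
from typing import Optional

# Trigger text used when the setting's text box is left blank (see table above).
DEFAULT_TRIGGER_TEXT = "Sensitivity: Company-Confidential"

NO_MESSAGES = "No messages"
ALL_MESSAGES = "All messages"
WITH_TEXT = "Messages with this subject or header text"

class EncryptionSetting:
    """One org-level or user-level Message Encryption setting."""
    def __init__(self, mode: str, text: Optional[str] = None):
        if mode not in (NO_MESSAGES, ALL_MESSAGES, WITH_TEXT):
            raise ValueError(f"unknown Encryption setting: {mode!r}")
        self.mode = mode
        self.text = text.strip() if text and text.strip() else DEFAULT_TRIGGER_TEXT

def header_contains(msg: Message, text: str) -> bool:
    """True if the exact text appears anywhere in the headers, subject included.
    Each header is checked as its full 'Name: value' line, so both a
    'Sensitivity: Company-Confidential' header (as Exchange adds when
    Sensitivity is Confidential) and a subject quoting the phrase match."""
    return any(text in f"{name}: {value}" for name, value in msg.items())

def effective_setting(org: EncryptionSetting,
                      user: Optional[EncryptionSetting]) -> EncryptionSetting:
    # A user whose setting shows as blank (-) in Settings Summary inherits the org setting.
    return user if user is not None else org

def should_encrypt(raw_message: str, org: EncryptionSetting,
                   user: Optional[EncryptionSetting] = None) -> bool:
    """Decide whether a message is routed through Message Encryption.
    Content Manager rules, which also apply for the last two settings,
    are outside this example."""
    setting = effective_setting(org, user)
    if setting.mode == NO_MESSAGES:
        return False
    if setting.mode == ALL_MESSAGES:
        return True
    return header_contains(message_from_string(raw_message), setting.text)

# Constructed sample messages (headers only; the bodies are irrelevant here).
OUTLOOK_CONFIDENTIAL = (
    "From: clara@jumboinc.com\nTo: jlee@mixateria.com\n"
    "Subject: Q3 numbers\nSensitivity: Company-Confidential\n\nbody\n")
CUSTOM_PHRASE = (
    "From: dave@jumboinc.com\nTo: bob@partner.example\n"
    "Subject: [secure] contract draft\n\nbody\n")
PLAIN = "From: dave@jumboinc.com\nTo: bob@partner.example\nSubject: lunch\n\nbody\n"

def scenario_from_guide(raw: str, sender_in_group: bool) -> bool:
    """The mixed scenario: the org encrypts only mail containing a custom
    phrase, while users in a select group are set to 'All messages'."""
    org = EncryptionSetting(WITH_TEXT, "[secure]")
    group_user = EncryptionSetting(ALL_MESSAGES)
    return should_encrypt(raw, org, group_user if sender_in_group else None)

if __name__ == "__main__":
    org_default = EncryptionSetting(WITH_TEXT)   # blank text -> default trigger
    for label, raw in [("outlook", OUTLOOK_CONFIDENTIAL), ("plain", PLAIN)]:
        print(label, should_encrypt(raw, org_default))
```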
View User Encryption Settings You can view a list of user Message Encryption settings through the Administration Console. To view Encryption Settings for All Users 1. In the Orgs & Users, click Users. 2. Click Settings Summary on the far right of the page. External Encryption settings are listed for each user, on the right side of the page. This will show a list of Message Encryption settings for all users. If the user’s Message Encryption is set to the org default, the setting will show as blank (-).
To set up a Content Manager rule for Message Encryption Before you can set up Content Manager to use Message Encryption, you must set Message Encryption to match specific text (or default text). See “Configure Encryption for an Organization” on page 35 for more information. 1. In the Administration Console, go to the organization that contains your users. 2. In the Org Management page, scroll down to the Outbound Services section and click Content Manager. 3.
• Mozilla Firefox 1.06 or later, including Firefox 2.0. • Netscape Navigator 8.0 or later. • Safari 2.0. • Blackberry mobile devices. • Windows Mobile 5.0 devices. Portal Delivery also requires JavaScript support in the browser. The recipient didn’t receive a notification when an encrypted message was sent. When secure mail routes through Portal Delivery, a notification is sent by normal email to the recipient’s mail server.
The Secure Portal times out while a user is responding to a message When a user logs in to the portal, they have a limited time to complete their activity before having to log in again. If the recipient tries to reply and takes longer than the timeout, the recipient is prompted to log in again and all reply text is lost. The default session timeout in the Encryption Portal is 20 minutes. This timeout can be set in a Custom Portal.
Chapter 4 Message Encryption, Inbox Delivery About Message Encryption, Inbox Delivery Message Encryption, Inbox Delivery is a component of Encryption Services that provides enhanced security for confidential email transmission by enforcing encryption of outbound mail. It allows end users easy access to secure, encrypted messages. With Inbox Delivery, an encrypted message is sent to a customer as an encrypted attachment, which can be opened with a JavaScript-enabled browser.
Requirements Using Message Encryption requires that you route your mail through Outbound Services. For instructions on how to do this, see the Outbound Services Configuration Guide. You will also need to enable Transport Layer Security (TLS) on your mail server. Setting up TLS on your server ensures that your confidential email is secure throughout transmission. For information on implementing TLS on your mail server, check your mail server documentation.
3. Recipient Decryption When the recipient receives the message, the message includes explanatory text and an HTML attachment. The recipient opens the attachment using a standard web browser, which launches JavaScript functions to allow secure reading. If necessary, the recipient will enter a password for future decryption. The recipient can then open the message, read the text, and reply to or forward the message if desired.
The first time the user opens a message, the user will be prompted to add a password. On subsequent messages, the user is prompted to enter that password to read the message. Key information is stored by Inbox Delivery in a separate server used to manage keys for decrypting messages. The browser connects to that server to update password information and verify keys. Depending on the recipient’s browser settings, passwords are also stored as cookies on the recipient’s local browser.
Once the password is entered and the message is decrypted, the message text is displayed. Because the message is stored in the attachment, message text can be displayed even when the recipient is working offline. Recipients reading the message can then forward or reply to the message securely using the same browser. Recipients can also change passwords securely using the same attachment. If a password changes, previous messages will not be legible until the message is recovered.
Set Up Inbox Delivery To set up Inbox Delivery, you’ll work with an account representative to enable the service. Prerequisites Using Message Encryption, Inbox Delivery requires that you route your mail through Outbound Services. For instructions on how to do this, see the Outbound Services Configuration Guide. You will also need to enable Transport Layer Security (TLS) on your mail server. Setting up TLS on your server ensures that your confidential email is secure throughout transmission.
List Branding Preferences (optional) You can customize the Inbox Delivery messages with your support email address, logo, password requirements, and any additional text you wish to add. See “Inbox Delivery Branding” on page 47 for the complete list of options. Contact your account representative about setting up customized branding of your Inbox Delivery message.
4. In section 2, click “Send by TLS if possible.” 5. Click Save to store your settings. Configure Message Encryption Set Message Encryption Settings in the Administration Console for organizations or individual users. You can also set up Content Manager rules to encrypt some of your mail based on the content of the mail. • For information on organization Encryption Settings, see “Configure Encryption for an Organization” on page 35.
To view a list of user Message Encryption settings through the Administration Console, see “View User Encryption Settings” on page 39. Configure Content Manager for Message Encryption Inbox Delivery uses the same interface as Portal Delivery in the Administration Console. For information about setting up Content Manager for Message Encryption, see “Configure Content Manager for Message Encryption” on page 39.
• Mozilla Firefox 1.06 or later • Netscape Navigator 8.0 or later Inbox Delivery also requires cookies and JavaScript support in the browser. What privacy settings are needed? For supported browsers, use the default security settings or lower. Are secure messages ever sent directly to the recipient? If both the sender and the recipient are signed up with Message Encryption, messages are sent directly to the recipient’s mail server. Messages are encrypted on every step of transmission.
Chapter 5 Reports About Reports Reports provide visibility into the traffic patterns across your organization. The Administration Console produces reports for Message Encryption under the name “External Encryption”. External Encryption reports give information about either Portal Delivery or Inbox Delivery, depending on which delivery method you use. Reporting provides extensive analysis into Message Encryption email message traffic over a span of time that you specify.
4. Click one of the External Encryption reports: Domain, Account or Activity Log, or the Inbound or Outbound TLS report: Policy-Enforced by Domain. Policy-Enforced by Domain This report contains information on Policy-Enforced TLS filtering, sorted by domain. For each sending or receiving domain, you will be able to view the number of messages sent and/or received by Policy-Enforced TLS, and traffic volumes measured in message size.
Item Description
Msgs: Number of messages sent or received through Policy-Enforced TLS.
Msgs Bytes: The total size (in bytes) of all messages sent or received through Policy-Enforced TLS.
Outbound External Encryption by Domain This report contains Message Encryption information on outbound encryption, sorted by sender domain. Domains that sent the most messages are listed at the top.
Outbound External Encryption by Account Message Encryption information on outbound encryption, sorted by sender address. Senders who sent the most messages are listed at the top.
Item Description
Sender: Email address of the sender.
Account: Shows as “Y” if the sender has a registered user account in the email protection service, or “N” if the sender is not a registered user account. Aggregate reports show as “-”.
Msgs Encrypted and Relayed: Number of messages sent through Message Encryption.
The logs contain data from the prior day. Timestamps are in PST for most systems, and GMT for System 200. The log contains a maximum of 5000 lines of data (the lines are tab-delimited). Once the size limit is reached, logging continues, with the oldest data deleted first. A sample log entry looks like:
2007/03/24 10:13:21 clara@jumboinc.com jlee@mixateria.com 689
Following are the descriptions of each field in the log.
Item Description
Timestamp: Time (in GMT) the message is sent.
Recipient: Recipient’s email address.
Size: Size (in bytes) of the message sent.
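An added example (not Postini/Google code) that parses the tab-delimited activity log format described above and rolls it up per sender the way the Outbound External Encryption by Account report does. Because the timestamp zone depends on the system that wrote the log, the caller passes the zone; the sample log is constructed, with the guide's own entry as its first line and a malformed line to show that one bad line is skipped rather than discarding the day's data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

MAX_LOG_LINES = 5000   # the service keeps at most this many lines, oldest dropped first

# Timestamps are local to the system that wrote the log (PST on most systems,
# GMT on System 200), so the caller states which zone applies.
PST = timezone(timedelta(hours=-8))
GMT = timezone.utc

@dataclass(frozen=True)
class LogEntry:
    timestamp: datetime   # timezone-aware
    sender: str
    recipient: str
    size: int             # bytes

def parse_line(line: str, tz: timezone) -> LogEntry:
    """Parse one tab-delimited line: timestamp, sender, recipient, size."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 4:
        raise ValueError(f"expected 4 tab-separated fields, got {len(fields)}")
    ts, sender, recipient, size = fields
    when = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S").replace(tzinfo=tz)
    return LogEntry(when, sender.strip().lower(), recipient.strip().lower(), int(size))

def parse_log(text: str, tz: timezone = PST) -> list[LogEntry]:
    """Parse a whole log; a malformed line is reported and skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entries.append(parse_line(line, tz))
        except ValueError as exc:
            print(f"line {lineno} skipped: {exc}")
    if len(entries) >= MAX_LOG_LINES:
        print("log is at its size limit; older entries may have been dropped")
    return entries

def by_account(entries: list[LogEntry]) -> list[tuple[str, int, int]]:
    """(sender, msgs, bytes) sorted most-active first, like the
    Outbound External Encryption by Account report."""
    totals = defaultdict(lambda: [0, 0])
    for e in entries:
        totals[e.sender][0] += 1
        totals[e.sender][1] += e.size
    return sorted(((s, m, b) for s, (m, b) in totals.items()),
                  key=lambda t: (-t[1], t[0]))

# Constructed sample; the first line is the entry quoted in the guide.
SAMPLE_LOG = "\n".join([
    "2007/03/24 10:13:21\tclara@jumboinc.com\tjlee@mixateria.com\t689",
    "2007/03/24 10:15:02\tclara@jumboinc.com\tbob@partner.example\t1204",
    "2007/03/24 11:00:45\tdave@jumboinc.com\tjlee@mixateria.com\t310",
    "2007/03/24 11:02:00 malformed line without tabs",
])

if __name__ == "__main__":
    for sender, msgs, nbytes in by_account(parse_log(SAMPLE_LOG, PST)):
        print(f"{sender:24} {msgs:5d} msgs {nbytes:8d} bytes")
```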
Index A alerts for Policy Enforced TLS 22 B batch commands for Message Encryption 36, 38 for TLS Alerts 22 C certificate validation 18 comments about this guide, sending 8 Compose tab 29 Content Manager configuring for Inbox Delivery 51 configuring for Portal Delivery 39 Custom Portal 11, 29, 31 customizing the Inbox Delivery message 47 D DNS MX records Message Encryption, Inbox Delivery 49 Message Encryption, Portal Delivery 32 documentation, related 7 E Encryption Services how features work together 11 P
features and benefits 13 inbound mail flow 14 outbound mail flow 16 reports 53 requirements 14 Postini Email Security Administration Guide related documentation 7 R related documentation 7 reports Message Encryption 53 Outbound External Encryption Activity Log 56 Outbound External Encryption by Account 56 Outbound External Encryption by Domain 55 Policy Enforced TLS 53 Policy-Enforced TLS by Domain 54 RFC 2487 18 S setup Message Encryption, Inbox Delivery 48 Message Encryption, Portal Delivery 31 Policy Enf