Email Encryption Administrator Guide
Documentation version: 1.0

Legal Notice

Copyright 2015 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our website at the following URL: www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL: www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
- Asia-Pacific and Japan: customercare_apac@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com
Contents

Technical Support ... 4

Chapter 1 Introduction to Email Encryption ... 8
  About Email Encryption ... 8
  Email Encryption video tutorials ... 9
  Cipher suites supported by Email Security TLS Services ... 9

Chapter 2 TLS Enforcements ... 14
  Introduction to Encryption services ... 14
  TLS Enforcements and Enforcements Summary page ... 15
  Configuring default TLS settings ... 17
  Configuring custom TLS settings ... 18
  TLS enforcements with business partners ... 18
  Testing mail servers ... 19
  Adding a new enforcement ... 20
  Advanced TLS settings over VPN ... 22
  Configuring TLS enforcements between you and the email security infrastructure ... 23
  Configuring Advanced TLS settings ... 26
  Encryption policy for future domains ... 27

Chapter 3 TLS Business Partners ... 29
  Introduction to TLS business partners ... 29
  TLS Business Partners summary page ... 30
  Adding a new business partner ... 30
  Editing a TLS business partner ... 30
  Adding a new, or editing an existing business partner domain ... 32
  Moving business partner domains ... 35
  Editing a TLS business partner domain ... 36

Chapter 4 Policy Based Encryption ... 39
  Introduction to Policy Based Encryption ... 39
  About Policy Based Encryption ... 39
Chapter 1 Introduction to Email Encryption

This chapter includes the following topics:
- About Email Encryption
- Email Encryption video tutorials
- Cipher suites supported by Email Security TLS Services

About Email Encryption

Email is an inherently insecure means of communication, in that most email messages are sent in plain text over the public Internet. To safely exchange information between two organizations, some form of encryption technology should be used. Email Security Services (ESS) supports two types of email encryption:
- Transport Layer Security (TLS)
- Policy Based Encryption (PBE)

TLS is the successor to the Secure Sockets Layer (SSL) protocol, as defined in the Internet Engineering Task Force (IETF) RFC 4346. TLS is a protocol that ensures private communication between applications and the users of applications on the Internet. Once a TLS session is established between the client sending the message and the server receiving the message, a secure SMTP dialog can be performed. The secure SMTP dialog ensures that a message is not modified during transmission. TLS encryption uses Public Key Infrastructure (PKI) certificates as the means of authenticating the recipient mail server.

PBE is an optional add-on service that uses Data Protection policies to determine whether an outbound message that ESS receives should be encrypted. Unlike TLS, PBE does not require TLS, and therefore lets you send encrypted email to third-party mail servers that do not support TLS. TLS is commonly used with PBE to ensure that messages with sensitive data that trigger a PBE Data Protection policy are transmitted securely to ESS.

See the Boundary Encryption MTA Setup Guide for information about how to set up your mail servers to support TLS.

Email Encryption video tutorials

Click on these links to open video tutorials to assist you with your Email Encryption configuration.
- Configuring TLS enforcements against your domains
- Enforcing TLS encryption between you and the Email Security Service
- Getting visibility into your enforcements
- Setting up a new business partner
- Moving domains from one business partner to another

Cipher suites supported by Email Security TLS Services

Opportunistic cipher set
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
DHE-DSS-AES256-SHA256
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
CAMELLIA256-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
SEED-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
CAMELLIA128-SHA
DES-CBC3-SHA
RC4-SHA
EDH-RSA-DES-CBC3-SHA
@STRENGTH

Enforced cipher set
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-DSS-AES128-SHA256
DHE-DSS-AES128-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-DSS-AES256-SHA256
DHE-DSS-AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA128-SHA
DHE-DSS-CAMELLIA256-SHA
CAMELLIA128-SHA
CAMELLIA256-SHA
RC4-SHA
EDH-RSA-DES-CBC3-SHA
@STRENGTH

Enforced / Export cipher set
EXP-KRB5-RC4-SHA
EXP-KRB5-RC2-CBC-SHA
EXP-KRB5-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA

Opportunistic / CESG 2.0 cipher set
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA

Enforced / CESG 2.0 cipher set
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
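The suite names above follow OpenSSL's naming convention, which makes them easy to audit mechanically before relying on a set for an enforcement. The following Python is an added example and is not part of the Symantec guide: it parses each name into key exchange, authentication, bulk cipher and MAC, and flags the properties a defender checks first (forward secrecy, AEAD mode, RC4, 3DES, single DES and export-grade ciphers). The Export and CESG 2.0 sets are embedded in full; only a slice of the long Opportunistic and Enforced sets is included, and the issue wording is the example's own.

```python
from dataclasses import dataclass, field

# Cipher sets copied from the guide's lists above. "@STRENGTH" is an OpenSSL sort
# directive rather than a suite and is skipped. The Export and CESG 2.0 sets are
# complete; the Opportunistic and Enforced sets are long, so only a slice of each
# is embedded here.
ENFORCED_EXPORT = ("EXP-KRB5-RC4-SHA EXP-KRB5-RC2-CBC-SHA EXP-KRB5-DES-CBC-SHA "
                   "EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA").split()
CESG_2_0 = "DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA".split()
OPPORTUNISTIC_SAMPLE = ("ECDHE-RSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 AES256-SHA "
                        "DHE-RSA-SEED-SHA CAMELLIA128-SHA DES-CBC3-SHA RC4-SHA "
                        "EDH-RSA-DES-CBC3-SHA @STRENGTH").split()
ENFORCED_SAMPLE = ("ECDHE-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA ECDH-ECDSA-AES256-SHA "
                   "DHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 RC4-SHA "
                   "EDH-RSA-DES-CBC3-SHA @STRENGTH").split()

EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}   # EDH is OpenSSL's older spelling of DHE
STATIC_KX = {"ECDH", "KRB5"}             # fixed ECDH keys / Kerberos: no forward secrecy
AUTH_ALGS = {"RSA", "DSS", "ECDSA", "KRB5"}


@dataclass
class Suite:
    name: str
    export: bool
    kx: str
    auth: str
    cipher: str
    mac: str
    aead: bool
    forward_secrecy: bool
    issues: list = field(default_factory=list)


def parse_suite(name: str) -> Suite:
    """Split an OpenSSL cipher name such as ECDHE-RSA-AES256-GCM-SHA384 into
    [EXP-][kx-auth-]cipher[-mode]-mac. Names with no key-exchange prefix
    (AES128-SHA, RC4-SHA, DES-CBC3-SHA) use static RSA key transport."""
    tokens = name.split("-")
    export = tokens[0] == "EXP"
    if export:
        tokens.pop(0)
    if tokens[0] in EPHEMERAL_KX | STATIC_KX:
        kx = tokens.pop(0)
        auth = "KRB5" if kx == "KRB5" else tokens.pop(0)   # KRB5 names carry no auth token
    else:
        kx = auth = "RSA"
    if auth not in AUTH_ALGS:
        raise ValueError(f"unrecognised cipher name: {name}")
    mac = tokens.pop()
    suite = Suite(name, export, kx, auth, "-".join(tokens), mac,
                  aead="GCM" in tokens, forward_secrecy=kx in EPHEMERAL_KX)
    # Flag what a defender would not want on a channel that is meant to be enforced.
    if export:
        suite.issues.append("export-grade key material")
    if suite.cipher == "RC4":
        suite.issues.append("RC4 (prohibited in TLS by RFC 7465)")
    if suite.cipher == "DES-CBC3":
        suite.issues.append("3DES (64-bit block cipher)")
    if suite.cipher in ("DES-CBC", "RC2-CBC"):
        suite.issues.append(f"{suite.cipher} (obsolete cipher)")
    if not suite.forward_secrecy:
        suite.issues.append(f"no forward secrecy ({kx} key exchange)")
    return suite


def audit(cipher_set):
    """Map each real suite in the set to its list of issues (directives skipped)."""
    return {n: parse_suite(n).issues for n in cipher_set if not n.startswith("@")}


def weak_suites(cipher_set):
    """Suite names in the set with at least one flagged issue, in set order."""
    return [n for n, issues in audit(cipher_set).items() if issues]


if __name__ == "__main__":
    for label, cset in (("Enforced / Export", ENFORCED_EXPORT), ("CESG 2.0", CESG_2_0),
                        ("Opportunistic (sample)", OPPORTUNISTIC_SAMPLE),
                        ("Enforced (sample)", ENFORCED_SAMPLE)):
        print(f"== {label}")
        for n, issues in audit(cset).items():
            print(f"  {n:30} {'; '.join(issues) or 'ok'}")
```

Running it shows that every suite in the Enforced / Export set is flagged, the CESG 2.0 sets are all ephemeral-DH AES suites with nothing flagged, and both general sets still carry RC4 and 3DES entries at the bottom of their @STRENGTH-sorted order.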
Chapter 2 TLS Enforcements

This chapter includes the following topics:
- Introduction to Encryption services
- TLS Enforcements and Enforcements Summary page
- Configuring default TLS settings
- Configuring custom TLS settings
- TLS enforcements with business partners
- Testing mail servers
- Adding a new enforcement
- Advanced TLS settings over VPN
- Configuring TLS enforcements between you and the email security infrastructure
- Configuring Advanced TLS settings
- Encryption policy for future domains

Introduction to Encryption services

The encryption settings consist of three areas: TLS Enforcements, TLS Business Partners, and Policy Based Encryption.

TLS Enforcements settings apply enforcements to individual domains. You can configure policies to enforce encryption between your mail servers and the Email Security Service infrastructure. You can also configure policies to enforce TLS encryption between your domains and the domains of third-party business partner organizations.
TLS Business Partners let you create groups of third-party domains (also called business partners). Creating a business partner does not by itself implement a TLS Enforcement. Create the business partner from this page, and then use the TLS Enforcements tab to configure the enforcements between your domain and the business partner. The Enforcements Summary page lets you download lists of your business partners and displays a summary of the TLS enforcements that are applied to them.

See TLS Business Partners summary page on page 30.
See Configuring default TLS settings on page 17.
See Configuring custom TLS settings on page 18.

Policy Based Encryption is an optional add-on available at additional cost. Policy Based Encryption is a cloud-based email encryption service integrated with the email data protection service that enables you to encrypt specific emails based on a policy. Policy Based Encryption services provide alternative methods for recipients to read and reply securely to encrypted email. It also enables you to send encrypted email to third parties that do not support TLS. Policy rules can apply to various parts of an email, including the subject line, the body, file attachments, Microsoft Office documents, and PDF documents. If an email triggers a policy rule, you can specify that it be delivered with encryption. You define your encryption policies in Services > Data Protection > Email Policies.

TLS Enforcements and Enforcements Summary page

Links within the table on the TLS Enforcements page open configuration pages for the Default Settings and Custom enforcement settings. Click the Default Settings link to configure a set of default TLS policies to apply to some or all of your email domains. Click a domain name in the Domain column to configure the Custom Settings or to specify that the domain use the Default TLS Settings. Click any column heading to sort by that column.

Table 2-1 shows an overview of the currently implemented TLS enforcement policies on your email domains.
Table 2-1 Enforcements page descriptions

Domain: This column contains the Default Settings link and a list of your provisioned email domains. Click the name of a domain to customize the TLS enforcements that are associated with that domain.

TLS Enforcement with Business Partners: Shows the number of TLS enforcements that are associated with your domains.

Outbound TLS (from you to the Email Security Services infrastructure): Shows the outbound enforcement policy between your domains and the Email Security Services infrastructure. Outbound TLS means that the Email Security Services infrastructure only accepts email from your outbound Simple Mail Transfer Protocol (SMTP) servers when it is sent over TLS.

Inbound TLS (from the Email Security Services infrastructure to you): Shows the inbound enforcement policy between the Email Security Services infrastructure and your domains. Inbound TLS Enforcement means that the Email Security Services infrastructure always uses TLS to deliver email to your domain's inbound mail servers.

Status: Shows whether your domains use Custom Settings or inherit the TLS enforcements from the Default Settings.

Enforcements Summary page

Click a link in the TLS Enforcement with Business Partners column to open the Enforcements Summary page. Table 2-2 shows a summary of the TLS enforcements between your domain and your TLS business partners.

Table 2-2 Enforcements Summary page descriptions

Business Partner Name: Shows the name of the business partner.
Business Partner Domain: Shows all the configured domain names that are associated with the Business Partner domain.
Enforcement: Shows the type of enforcement policy.
Direction: Shows the enforcement direction: Inbound, Outbound, or Inbound and Outbound.
Enabled: Shows whether the Business Partner domain is enabled or disabled.

You can also download the summary as a CSV file using the Download the full list as a CSV file link.

See Configuring default TLS settings on page 17.
See Configuring custom TLS settings on page 18.
See Adding a new enforcement on page 20.

Configuring default TLS settings

To access TLS Default Settings, click Encryption > TLS Enforcements, then click the Default Settings link from within the table. The default settings let you apply the same enforcement policy to multiple domains. You can add a new enforcement policy with Add New Enforcement.

Note: When a new enforcement is added to the Default Settings, the new enforcement applies to all domains configured to use the Default Settings.

Configuring the default settings consists of making selections under the following headings:
- TLS Enforcements with Business Partners
- TLS Enforcements between you and the Email Security Services infrastructure
- Encryption policy for domains provisioned in the future

See TLS enforcements with business partners on page 18.
See Configuring TLS enforcements between you and the email security infrastructure on page 23.
See Adding a new enforcement on page 20.
See Encryption policy for future domains on page 27.

Configuring custom TLS settings

To access TLS Custom Settings, click Encryption > TLS Enforcements, then in the Domain column, click a domain name. The custom settings let you apply a specific set of policies to a domain and add advanced TLS settings. If necessary, you can also add a new enforcement policy.

See Adding a new enforcement on page 20.

The Use Default Settings radio button applies the Default Settings to this domain and prevents any changes other than in the Advanced TLS Settings.

See Configuring default TLS settings on page 17.

To configure the custom settings, you make selections in the following areas:
- TLS inbound mail server test
- TLS Enforcements with Business Partners
- TLS Enforcements between you and the Email Security Services infrastructure
- Advanced TLS Settings

See TLS enforcements with business partners on page 18.
See Configuring default TLS settings on page 17.
See Configuring Advanced TLS settings on page 26.
See Configuring TLS enforcements between you and the email security infrastructure on page 23.

TLS enforcements with business partners

To access this function, click Encryption > TLS Enforcements, then click a domain name or Default Settings in the Domain column. This section contains the Add New Enforcement function that lets you add a new enforcement policy to an individual domain. You can also sort the list, and delete TLS Enforcements for an existing Business Partner.

See Adding a new enforcement on page 20.
Testing mail servers

You can test both your inbound mail servers and your business partner mail servers. The Test function checks TLS connectivity between the mail servers. It starts a sequence of connectivity tests that may take a few moments to complete. After the test completes, a pop-up window appears that displays the test results. If the test fails, details explaining why the failure occurred and how to resolve the problem appear. The window may have scroll bars and expanding text with additional information.

Note: When a domain name presents multiple MX records, each MX record is tested. If an MX record presents multiple IP addresses as A records in the DNS, a randomly selected IP address is tested.

Testing your own inbound mail servers
1. Navigate to Encryption > TLS Enforcements.
2. Click a domain name in the Domain column.
3. Click Test under the heading TLS inbound mail server test to check the connectivity of your own inbound mail servers.

Testing an existing Business Partner's mail servers
1. Navigate to Encryption > TLS Business Partners.
2. Click the name of a Business Partner.
3. Click a domain name in the Business Partner column.
4. Click Test to check connectivity to your business partner domain's inbound mail servers.

Testing a new Business Partner's mail servers
1. Navigate to Encryption > TLS Business Partners.
2. Click the name of a Business Partner to edit.
3. Click Add New Business Partner Domain.
4. Enter your configuration settings in the Add New TLS Business Partner Domain window.
5. Click TLS Test to test the inbound mail servers for the new domain.
6. When the connectivity tests pass, click Save.

See Configuring custom TLS settings on page 18.
See Editing a TLS business partner on page 30.

Adding a new enforcement

To access Add New Enforcement, click Encryption > TLS Enforcements, then from within the table, click Default Settings or a domain name. Add New Enforcement lets you add a new enforcement policy to the Default Settings or to an individual domain.

Note: When a new enforcement is added to the Default Settings, the new enforcement applies to any domains configured to use the Default Settings.

Add New Enforcement opens a dialog with the following drop-down lists:
- Business Partner
- Encryption Policy
- Direction:
  - Inbound (from the business partner's domains to you through the Email Security Services (ESS) infrastructure)
  - Outbound (from you to the business partner's domain through the Email Security Services infrastructure)
  - Inbound and Outbound

If your domain has no TLS enforcements configured, you can still send and receive email by Opportunistic TLS. If the Email Security Services (ESS) infrastructure receives an email from you or a third party over Opportunistic TLS, then ESS attempts to deliver the email to the recipient by using Opportunistic TLS. Additionally, when Opportunistic TLS is used, ESS falls back to clear text delivery if the recipient mail server does not support TLS. If ESS receives an email in clear text, and no TLS enforcements are configured, then ESS delivers the email to the recipient in clear text.

Adding a new TLS encryption policy (Add New Enforcement)
1. From the TLS Enforcements page, click either Default Settings or a domain name link.
2. Click Add New Enforcement.
3. Make a selection from the Business Partner drop-down list.
4. Make a selection from the Encryption Policy drop-down list.
5. Make a selection from the Direction drop-down list.
6. Click Add.
7. Ensure that you click Save at the bottom of the final page.

Securing SMTP connections to a business partner with TLS enforcement
1. To send email to a business partner that has outbound TLS enforcement enabled, your outbound mail server must issue a STARTTLS command to the ESS server.
   Note: If your outbound mail server fails to negotiate TLS with ESS, then ESS rejects the SMTP connection.
2. After ESS receives the email using TLS, ESS processes the email and applies your outbound scanning policy.
3. After the email is processed, ESS attempts to establish a secure SMTP connection to the business partner recipient over Enforced TLS.

[Figure 2-1: TLS-enforced mail flow during outbound enforcement with a business partner. Elements: Your mail server, Email Security Services (ESS), Third-party mail server; labels: Outbound, Inbound, TLS-enabled traffic.]

Note: Email is not delivered when a Business Partner's mail server does not support TLS, or if ESS fails to authenticate the certificate that the third-party recipient mail server presents when the domain uses Strong Validation. Undelivered mail is placed in a retry queue. If the email delivery fails after the standard retry period has ended, the email is bounced back to you.

Securing SMTP connections from a business partner with TLS enforcement
1. To receive an email from a business partner that has Inbound TLS enforcement enabled, the business partner's outbound mail server must issue a STARTTLS command to the ESS server.
   Note: If the Business Partner's outbound mail server fails to negotiate TLS with ESS, then ESS rejects the SMTP connection.
2. After ESS receives the email using TLS, ESS processes the email and applies your inbound scanning policy.
3. After the email is processed, ESS attempts to establish a secure SMTP connection to your mail server over Enforced TLS.

[Figure 2-2: TLS-enforced mail flow during inbound enforcement with a business partner. Elements: Business partner mail server, Email Security Services (ESS), Your mail server; labels: Outbound, Inbound, TLS-enabled traffic.]

Note: Email is not delivered if your inbound mail server does not support TLS, or if ESS fails to authenticate the certificate that your recipient mail server presents when the domain uses Strong Validation. Undelivered mail is placed in a retry queue. If the email delivery fails after the standard retry period has ended, the email is bounced back to the business partner.

See Introduction to Encryption services on page 14.

Advanced TLS settings over VPN

Advanced TLS settings over VPN are not typically available to Email Security Services infrastructure customers. They are only visible if you have an infrastructure that is connected to the Security Services infrastructure over a dedicated VPN.

To access Advanced TLS settings over a VPN, click Encryption > TLS Enforcements, then select either Default Settings or a domain name. Under the heading Advanced TLS settings, if you are connecting to the Email Security Services infrastructure over a VPN, select the Never enforce TLS outbound from my domain to the Email Security Services infrastructure or Never enforce TLS inbound from the Email Security Services infrastructure to my domain check boxes.

Never enforce TLS outbound from my domain to the Email Security Services infrastructure lets you send email in clear text from your domain to the Email Security Services infrastructure, regardless of other TLS enforcements. Never enforce TLS inbound from the Email Security Services infrastructure to my domain lets you receive email in clear text from the Email Security Services infrastructure to your domain, regardless of other TLS enforcements.

See Configuring default TLS settings on page 17.
See Configuring custom TLS settings on page 18.

Configuring TLS enforcements between you and the email security infrastructure

To access this function, click Encryption > TLS Enforcements, then select Default Settings or a domain name from within the Domain column. Use the associated check boxes to select TLS Outbound, Inbound, or both Outbound and Inbound email enforcements to always be enforced. Outbound TLS enforcement means that the Email Security Services infrastructure only accepts SMTP connections from your outbound servers when they are made over TLS. Inbound TLS enforcement means that the Email Security Services infrastructure always uses TLS to secure SMTP connections to your domain's inbound mail servers.

Figure 2-3 shows the portion of the process that is encrypted during outbound encryption from your domain to the Email Security Services (ESS) infrastructure.

[Figure 2-3: Always enforce TLS encryption outbound from my domains to the ESS. Elements: My domain, Email Security Services (ESS), Third-party mail server; labels: Outbound, Inbound, encrypted area.]

Note: Ensure that your outbound mail servers are TLS-enabled and configured to deliver outbound email over TLS.
TLS Enforcements Configuring TLS enforcements between you and the email security infrastructure 25 Sending an email with TLS always enforced outbound from your domain to the Email Security Services 1 To send an outbound email to a third party with Always enforce TLS outbound from your domain to the Email Security Services enabled, your outbound mail server must issue a STARTTLS command to the ESS server. When using this feature, you must always send over TLS regardless of whether the recipient is a business partner or not. Note: If your outbound mail server fails to negotiate TLS with ESS, then ESS rejects the SMTP connection. 2 After ESS receives the email using TLS, ESS processes the email and applies your outbound scanning policy. 3 After the email is processed, ESS attempts to secure an SMTP connection to the third-party recipient with the following condition: If the recipient is part of an outbound TLS enforcement with a business partner, then TLS is enforced for onward delivery. See TLS enforcements with business partners on page 18. Note: If the recipient is not part of an outbound business partner TLS enforcement, then ESS delivers the email to the third party by Opportunistic TLS. If the third-party mail server supports TLS, then the email is delivered by TLS. If TLS is not supported, then the email is delivered in clear text. When email is delivered by Opportunistic TLS, the recipient mail server is not authenticated and ESS does not validate the SSL certificate that the third-party mail server presents. Figure 2-4 shows the portion of the process encrypted during inbound encryption to your domain from the ESS. Figure 2-4 Receiving an email with TLS always enforced inbound from Email Security Services to your domain Outbound Inbound Email Security Services (ESS) Outbound Inbound My domain TLS-enabled traffic Third-party mail server
TLS Enforcements Configuring Advanced TLS settings 26 Note: Ensure that your inbound mail server is correctly TLS-enabled. Receiving an email with TLS always enforced inbound from the Email Security Services to your domain 1 When ESS receives an inbound email from a third party, and the third party is not subject to inbound TLS enforcement as a business partner, then the third party can send email to the ESS over TLS or in clear text. To guarantee end-to-end TLS enforcement from a specific third party, create the third party as a business partner and apply an inbound enforcement against the Business Partner. See TLS enforcements with business partners on page 18. 2 After ESS receives the email, ESS processes the email and applies your inbound scanning policy. 3 After the email is processed, ESS attempts to secure the SMTP connection to your inbound mail server over enforced TLS. Always enforce TLS inbound from Email Security Services to your domain sets TLS enforcement from ESS to your mail server even if ESS received the email in clear text from the third party. Note: Email is not delivered when your inbound mail server does not support TLS, or ESS fails to authenticate the certificate that your recipient mail server presents when the domain uses Strong Validation. Undelivered mail is placed in a retry queue. If the email delivery fails after the standard retry period has ended, the email is bounced back to the third party. See Configuring default TLS settings on page 17. See Adding a new enforcement on page 20. Configuring Advanced TLS settings To access Advanced TLS settings, click Encryption > TLS Enforcements, then in the Domain column click a domain name. The settings are under the heading Advanced TLS Settings. The Advanced TLS settings include the following: Excluded sub-domains (an optional setting). Exclude individual sub-domains from TLS Enforcement by entering them in the text box one sub-domain per line, for example subdomain.parentdomain.com. 
Sub-domains inherit TLS enforcement policy and settings by default.
Trusted Certificate Common Names (an optional setting). This setting applies only with Strong certificate validation. In this field, supply a list of trusted certificate common names (CN). When the receiving mail server is authenticated, the names are compared to the CN value of the receiving mail server's SSL certificate. This setting is useful for delivering mail in the following situations:

When you route mail to your inbound mail servers by IP address rather than by host name. In this situation there is no host name to validate the certificate against. A better resolution is usually to change your Inbound Routes to host names rather than IP addresses. See Managing your inbound email routes and Viewing your inbound routes.

When you deliver mail to a trusted mail host and the CN or SAN on the certificate does not match the host name of the mail server. This setting can let you work around an authentication issue with your inbound mail servers. Because the match is by name only, any certificate with a listed CN that passes the other Strong checks (validity dates and a chain to a trusted root CA) is accepted for this domain, so keep the list short and specific. The best practice is to install certificates on your mail servers whose CN or SAN DNS entries match the host names of your mail servers.

Mail Delivery can be set to Inbound route or Static route delivery. Email that is sent to this domain by TLS is delivered to the receiving mail server by your domain's inbound routes or by the Static Route. A static route delivers the email to a specific server. Your inbound mail servers are normally configured on the inbound routes screen; use a TLS static route only if you need to enforce TLS delivery to a specific mail server. The TLS Static Route can be a Host name, IP address, Host name:Port, or IP:Port.

Certificate Validation. Strong validation means that the inbound mail server certificate must be within its validity dates, have a full trust chain, and be signed by a trusted root Certification Authority.
The CN or SAN value on the certificate must also match the host name of the mail server, or one of the Trusted Certificate Common Names. Relaxed validation means that the certificate checks are not applied: the connection is still encrypted, but the mail server at the other end is not authenticated.

Warning: Relaxed validation makes it easier for an attacker to masquerade as your domain's mail server, for example through DNS poisoning or a man-in-the-middle attack.

See Adding a new enforcement on page 20.

Encryption policy for future domains

To access this function, click Encryption, then TLS Enforcements, and look under the heading Encryption policy for domains provisioned in the future.
This section contains the Automatically apply this encryption policy to new domains check box. When this check box is selected, any new domain that you provision for Email Security Services has the Default TLS Enforcements applied automatically. When it is not selected, newly provisioned domains are created without TLS enforcements. Leaving the check box clear lets you run TLS tests against new domains before subjecting them to the TLS enforcement policies.

Note: When you apply encryption policies to new domains automatically, ensure that each new domain's mail servers are TLS-enabled before you provision the domain with the Email Security Services (ESS) infrastructure; otherwise mail to the domain is not delivered.

See TLS Business Partners summary page on page 30.
See Adding a new business partner on page 30.
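The onward-delivery rules described in this chapter (TLS enforced for recipients covered by a business-partner enforcement, opportunistic TLS for everyone else, sub-domains inheriting an enforcement unless excluded) are modelled below as an added example. This is illustrative code written for this guide, not Symantec code, and it does not claim to reproduce how ESS is implemented; the Enforcement class, the outcome labels and the probe_starttls function are this example's own names. probe_starttls uses Python's smtplib to do what the Test button on a business partner domain does: EHLO, confirm that STARTTLS is advertised, and negotiate TLS with certificate checks on (Strong) or off (Relaxed).

```python
"""Model of the onward-delivery rules in this chapter (constructed example,
not Symantec code).  Rules as the guide states them:
  * a recipient covered by a business-partner enforcement gets TLS enforced;
    if the server offers no STARTTLS, or Strong validation fails, the message
    is queued for retry and eventually bounced;
  * any other recipient gets opportunistic TLS: TLS if offered, else clear
    text, with no certificate validation at all;
  * sub-domains inherit an enforcement unless listed as excluded.
probe_starttls() is the hypothetical counterpart of the UI's Test button.
"""
import smtplib
import ssl
from dataclasses import dataclass, field


@dataclass
class Enforcement:
    domain: str                                   # business-partner domain
    excluded: set = field(default_factory=set)    # "Excluded sub-domains"
    validation: str = "strong"                    # "strong" or "relaxed"


def _covers(policy_domain, host_domain):
    """True if host_domain equals policy_domain or is a sub-domain of it."""
    return host_domain == policy_domain or host_domain.endswith("." + policy_domain)


def enforcement_for(recipient_domain, enforcements):
    """Most specific enforcement covering recipient_domain, or None.

    A sub-domain inherits its parent's policy unless it, or a label between
    it and the policy domain, appears in that policy's Excluded sub-domains.
    """
    recipient_domain = recipient_domain.lower().rstrip(".")
    best = None
    for e in enforcements:
        if not _covers(e.domain.lower(), recipient_domain):
            continue
        if any(_covers(x.lower(), recipient_domain) for x in e.excluded):
            continue
        if best is None or len(e.domain) > len(best.domain):
            best = e
    return best


def onward_delivery(recipient, enforcements, offers_starttls, cert_valid=None):
    """How ESS would hand the message to the recipient's mail server.

    Returns "tls-enforced", "tls-opportunistic", "cleartext" or
    "retry-then-bounce".  cert_valid is the result of Strong validation; it is
    ignored under Relaxed validation and under opportunistic TLS, where the
    guide says the peer is not authenticated.
    """
    domain = recipient.rsplit("@", 1)[-1]
    e = enforcement_for(domain, enforcements)
    if e is None:                                 # not a business partner
        return "tls-opportunistic" if offers_starttls else "cleartext"
    if not offers_starttls:
        return "retry-then-bounce"
    if e.validation == "strong" and not cert_valid:
        return "retry-then-bounce"
    return "tls-enforced"


def ssl_context_for(validation):
    """Strong: chain, expiry and host name checked against the system trust
    store.  Relaxed: no certificate checks, which is what makes DNS poisoning
    and man-in-the-middle attacks easy."""
    ctx = ssl.create_default_context()
    if validation == "relaxed":
        ctx.check_hostname = False                # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_starttls(host, port=25, validation="strong", timeout=10):
    """Connectivity test: EHLO, require the STARTTLS extension, negotiate TLS.

    Returns (ok, detail).  Makes a real network connection; the offline
    checks do not call it.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.ehlo()
            if not s.has_extn("starttls"):
                return False, "server does not advertise STARTTLS"
            s.starttls(context=ssl_context_for(validation))
            s.ehlo()                              # re-EHLO inside the tunnel
            return True, "%s, %s" % (s.sock.version(), s.sock.cipher()[0])
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


if __name__ == "__main__":
    import sys
    mode = sys.argv[2] if len(sys.argv) > 2 else "strong"
    print(probe_starttls(sys.argv[1], validation=mode))
```

Run the file with a mail host name and optionally strong or relaxed as arguments to probe a real server. Under strong, a target given as an IP address fails the host-name check unless the certificate carries that IP in its SAN, which is the situation the Trusted Certificate Common Names setting exists to handle; under relaxed, the same connection succeeds against any certificate, including one presented by an impostor.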
Chapter 3 TLS Business Partners

This chapter includes the following topics:
Introduction to TLS business partners
TLS Business Partners summary page
Adding a new business partner
Editing a TLS business partner
Adding a new, or editing an existing business partner domain
Moving business partner domains
Editing a TLS business partner domain

Introduction to TLS business partners

To access the TLS Business Partners page, click Services > Encryption > TLS Business Partners. On this page you configure groups of third-party domains, called Business Partners. Before you add a Business Partner, contact the business partner's email system administrator to discuss the implementation and to confirm that their mail servers are correctly TLS-enabled. The table on the page shows the Business Partner organizations you have configured and a summary of the TLS Enforcement policies that are in place between those business partners and your email domains. Click the name of a business partner to view its domains and configure the TLS settings of the business partner domains. See TLS enforcements with business partners on page 18.
TLS Business Partners summary page

To access this page, click Services > Encryption > TLS Business Partners. The table shows the business partner organizations that are configured on your account. From here you can begin the following tasks:

Add a new business partner with Add New Business Partner.
Use the Search tool to locate business partners or business partner domains.
Download a summary of all Business Partners and their domain information as a CSV file with Download All.
Click the name of a business partner in the table to view its domains and configure their TLS settings.
Click a link in the Enforcements column to view a summary of the TLS Enforcements that are associated with the business partner.
Click a link in the Business Partner Domain column to view the business partner's domains.
Click any column heading to sort by that column.

See TLS enforcements with business partners on page 18.
See Adding a new business partner on page 30.

Adding a new business partner

To add a new business partner
1 Click Add New Business Partner on the TLS Business Partners page.
2 Enter the business partner name and click Continue.

See Adding a new, or editing an existing business partner domain on page 32.

Editing a TLS business partner

To access this page, click Services > Encryption > TLS Business Partners, then click a name in the Business Partner column. The table lists the third-party domains that are associated with this business partner. From here you can begin the following tasks:

Edit the business partner name.
Use Add New Business Partner Domain to add a new business partner domain.
Use Search to locate business partner domains.
Use Download to download a summary of the business partner's domains as a CSV file.
Click a link in the Business Partner Domain column to begin editing that domain.
Use Test to start a TLS connectivity test against a business partner domain.

Table 3-1 Editing TLS business partner page descriptions

Column heading: Business Partner Domain
Description: The name of the Business Partner Domain. Click the domain name to edit the TLS settings for that domain.

Column heading: Mail Delivery Route
Description: The type of mail delivery route (either MX or Static) that is applied to the domain name.

Column heading: Validation
Description: The level of SSL certificate validation that is applied when the Email Security Services infrastructure authenticates the Business Partner domain's inbound mail servers. Strong validation means that the certificate must be signed by a trusted root Certification Authority, be within its validity dates, and have a full trust chain. The CN or SAN value of the certificate must also match the host name of the mail server, or match a trusted certificate common name that you supply. Relaxed validation means that the certificate checks are not applied.

Column heading: Enabled
Description: Whether the Business Partner Domain is included in or excluded from the TLS policies that are associated with the Business Partner.

Column heading: Comments
Description: The custom comments that are configured for the Business Partner Domain.
See TLS Business Partners summary page on page 30.
See Adding a new, or editing an existing business partner domain on page 32.

Adding a new, or editing an existing business partner domain

Adding a new business partner domain and editing an existing business partner domain use the same process. The main difference is how you navigate to the process.

Adding a new business partner domain
1 Access the Add New Business Partner Domain function from Services > Encryption > TLS Business Partners.
2 Click a Business Partner name in the table.
3 Click Add New Business Partner Domain and configure the necessary parameters.

Editing a TLS business partner domain
1 Access the Edit TLS Business Partner function from Services > Encryption > TLS Business Partners.
2 Click a business partner name (one that has at least one associated domain) in the table.
3 Click the domain name that you want to edit and configure the necessary parameters.

Table 3-2 Business partner domain configuration parameters

Parameter: Business Partner Domain
Description: The name of the business partner domain. This field can be edited only when the domain is initially added. Sub-domains inherit the policy unless they are listed in the Excluded sub-domains field.
Table 3-2 Business partner domain configuration parameters (continued)

Parameter: Excluded sub-domains
Description: Use this field to exclude specific sub-domains from the TLS enforcement policy. Add each excluded sub-domain on a separate line, for example subdomain.parentdomain.com. This field is optional. Sub-domains inherit the TLS enforcement policy and settings by default.

Parameter: Mail Delivery
Description: Email that is sent to this domain by TLS is delivered to the receiving mail server by an MX or Static Route. A Static Route delivers the email to a specific server.

Parameter: Static Route
Description: A specific inbound mail server for the business partner domain. The Email Security Services infrastructure uses the static route to deliver TLS-enforced email to the domain. The field can contain a Host name, IP address, Host name:Port, or IP:Port.

Parameter: Certificate validation
Description: The level of SSL certificate validation that is applied when the Email Security Services infrastructure authenticates the business partner's inbound mail server. Strong validation means that the certificate must be signed by a trusted root Certification Authority, be within its validity dates, and have a full trust chain. The CN or SAN value on the certificate must also match the host name of the mail server, or match a Trusted Certificate Common Name. Relaxed validation means that the certificate checks are not applied.
Table 3-2 Business partner domain configuration parameters (continued)

Parameter: Trusted Certificate Common Names
Description: This setting applies only with Strong certificate validation. The field is optional and lets you enter a list of trusted certificate common names. When the receiving mail server is authenticated, the names are compared to the CN value of its SSL certificate. This setting is useful for:
Delivery by static route to an IP address
Cases in which the CN or SAN on the certificate does not match the host name of the mail server

Parameter: Comments
Description: Custom comments about this business partner domain, for future reference.

Parameter: Enabled
Description: This check box includes or excludes the business partner domain from TLS enforcement policies.

Parameter: Test
Description: Test checks the TLS connectivity from the Email Security Services infrastructure to the inbound mail servers that are associated with the business partner domain, and reports whether the test succeeds or fails. If the test fails, details of what happened and how to resolve the problem are shown.

Adding a new or editing an existing business partner domain
1 To edit a business partner domain, click a business partner name in the table, then click the domain name. To add a new business partner domain, click a Business Partner name in the table, then click Add New Business Partner Domain.
2 Enter a name in the Business Partner Domain field.
3 Enter any sub-domains to be excluded from the TLS policy (if required), one per line, in the Excluded sub-domains field. For example: subdomain.parentdomain.com.
4 Select MX or Static Route from the drop-down list in the Mail Delivery field.
5 If a static route is required, enter it in the Static Route field.
6 Select Strong or Relaxed from the drop-down list in the Certificate validation field.

Warning: Relaxed validation makes it easier for an attacker to masquerade as the TLS business partner domain's mail server, for example through DNS poisoning or a man-in-the-middle attack.

7 Enter any CNs (if required), one per line, in the Trusted Certificate Common Names (CN) field.
8 Add any comments in the Comments field.
9 Use the Enabled check box to include or exclude this domain from TLS policies.
10 Click Test. The test feature checks the TLS capabilities of the business partner domain's inbound mail servers. Whenever you change the settings on this screen, check that the TLS test passes. If the test fails, you can save the domain in a Disabled state to exclude it from the TLS policy.
11 Click Save after the test passes.

See TLS Business Partners summary page on page 30.
See Adding a new business partner on page 30.
See TLS enforcements with business partners on page 18.

Moving business partner domains

A business partner can have multiple domains associated with it. You can move domains to another existing business partner, or create a new business partner as part of the move. To access the Move function, click Services > Encryption > TLS Business Partners, then click a business partner name in the table.

To move a business partner domain
1 Access the Move function from Services > Encryption > TLS Business Partners, then click a business partner name (one with a domain assigned) in the table.
2 Check Business Partner Domain to select all the domains, or check the box next to each domain to select individual ones.
3 Click Move. The Move Business Partner Domains window appears and confirms the domains that you selected.
4 Select the Existing business partner radio button and then a business partner name from the drop-down list, or select the New business partner radio button and enter a new business partner name. Use the Copy TLS enforcements check box to choose whether to copy the TLS enforcements with the selected domains. The check box appears only when you select a new business partner name.
5 Click Save.

See Editing a TLS business partner domain on page 36.

Editing a TLS business partner domain

Access the Edit TLS Business Partner function from Services > Encryption > TLS Business Partners. Click a business partner name (one that has at least one associated domain) in the table, then click the domain name to edit. Edit the business partner domain by configuring the following parameters in the pop-up window.

Table 3-3 Editing TLS business partner domain configuration parameters

Parameter: Business Partner Domain
Description: The domain name, assigned when the domain is initially added. Sub-domains inherit the policy unless they are listed in the Excluded sub-domains field.

Parameter: Excluded sub-domains
Description: Sub-domains to exclude from the TLS enforcement policy, one per line. Sub-domains inherit the TLS enforcement policy and settings by default.

Parameter: Mail Delivery
Description: Email that is sent to this domain by TLS is delivered to the receiving mail server by an MX or Static Route. A Static Route delivers the email to a specific server.

Parameter: Static Route
Description: A specific inbound mail server. This field can contain a Host name, IP address, Host name:Port, or IP:Port.
Table 3-3 Editing TLS business partner domain configuration parameters (continued)

Parameter: Certificate validation
Description: The level of SSL certificate validation that is applied when the Email Security Services infrastructure authenticates the receiving mail server. Strong validation means that the certificate must be signed by a trusted root Certification Authority, be within its validity dates, and have a full trust chain. The CN or SAN value on the certificate must also match the host name of the mail server, or match a Trusted Certificate Common Name. Relaxed validation means that the certificate checks are not applied.

Parameter: Trusted Certificate Common Names
Description: This setting applies only with Strong certificate validation. The field is optional and lets you enter a list of trusted certificate common names. The names are compared to the CN value of the receiving mail server's SSL certificate when the receiving mail server is authenticated. This setting is useful for:
Delivery by static route to an IP address
Cases in which the CN or SAN on the certificate does not match the host name of the mail server

Parameter: Comments
Description: Custom comments about this business partner domain.

Parameter: Enabled
Description: This check box enables or disables TLS enforcements for this domain.

Parameter: Test
Description: Test checks the TLS connectivity and reports success or failure. If the test fails, details of what happened and how to resolve the problem are displayed in a pop-up window.

To edit a business partner domain
1 Click a domain name and begin editing in the Edit TLS Business Partner Domain window.
2 Enter a name in the Business Partner Domain field (only when the domain is initially added).
3 Enter any sub-domains to exclude (if required), one per line, in the Excluded sub-domains field.
4 Select MX or Static Route from the drop-down list in the Mail Delivery field.
5 If you selected Static Route, enter the inbound mail server in the Static Route field.
6 Select Strong or Relaxed from the drop-down list in the Certificate validation field.

Warning: Relaxed validation makes it easier for an attacker to masquerade as the business partner domain's mail server, for example through DNS poisoning or a man-in-the-middle attack.

7 Enter any CNs (if required), one per line, in the Trusted Certificate Common Names (CN) field.
8 Add any comments in the Comments field.
9 Enable or disable the domain using the Enabled check box.
10 Test the settings with Test before you save them.

See TLS Business Partners summary page on page 30.
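The Strong and Relaxed validation rules, and the Trusted Certificate Common Names override, appear twice on this page: under Configuring Advanced TLS settings in the previous chapter, and in Tables 3-2 and 3-3 above. The following added example applies those rules, as the guide states them, to a parsed certificate. It is illustrative code written for this guide, not Symantec code; the certificate dicts, the NOW timestamp and the validate function are constructed for the example. The dicts use the layout that Python's ssl.getpeercert() returns, so the same function can be fed a live peer certificate. Chain building to a trusted root is done by the TLS library during the handshake and is represented here by the chain_trusted argument.

```python
"""Strong / Relaxed validation applied to a parsed certificate (constructed
example, not Symantec code).  The Strong rule as the guide states it:
trusted chain, within validity dates, then CN-or-SAN versus the route's
host name, with the Trusted Certificate Common Names list as an override
for IP-address routes and for certificates whose names do not match the
mail host.  Relaxed applies no certificate checks at all.
"""
import ipaddress
import ssl
import time

# Constructed sample certificates, in ssl.getpeercert() layout.
CERT_OK = {
    "subject": ((("commonName", "mx1.partner.example"),),),
    "subjectAltName": (("DNS", "mx1.partner.example"), ("DNS", "*.partner.example")),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Jan 10 00:00:00 2027 GMT",
}
CERT_EXPIRED = dict(CERT_OK, notAfter="Jan 10 00:00:00 2025 GMT")
CERT_WRONG_NAME = dict(CERT_OK,
                       subject=((("commonName", "smtp.hoster.example"),),),
                       subjectAltName=(("DNS", "smtp.hoster.example"),))
NOW = 1_750_000_000          # constructed "current time": mid-June 2025 UTC


def _cert_names(cert):
    """(common names, DNS SANs) from a getpeercert()-style dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cns, sans


def _dns_match(pattern, host):
    """Exact match, or a single wildcard covering the left-most label only."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate(cert, route_target, validation="strong", trusted_cns=(),
             chain_trusted=True, now=None):
    """Return (ok, reason) for the server that presented cert.

    route_target is the host name or IP that the inbound route or static
    route points at, i.e. the name the certificate is validated against.
    chain_trusted is the handshake's chain-to-trusted-root result.
    """
    if validation == "relaxed":
        return True, "relaxed: certificate checks not applied"
    if not chain_trusted:
        return False, "chain does not lead to a trusted root CA"
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        return False, "certificate is not within its validity dates"
    cns, sans = _cert_names(cert)
    # Trusted CN override: compared to the CN only, not the SAN, and only
    # after the chain and date checks have passed.
    hit = [cn for cn in cns if cn in trusted_cns]
    if hit:
        return True, "CN %r is a Trusted Certificate Common Name" % hit[0]
    if _is_ip(route_target):
        return False, ("route is an IP address, so there is no host name to "
                       "validate against; use a host-name route or a trusted CN")
    if any(_dns_match(n, route_target) for n in cns + sans):
        return True, "CN/SAN matches %s" % route_target
    return False, "no CN/SAN matches %s (names: %s)" % (route_target, cns + sans)
```

The two failure cases that the Trusted Certificate Common Names setting is meant for are both visible here: a static route to an IP address has no host name to compare against, and a hosted mail server presents a certificate in the hoster's name. In both cases listing the CN makes validation pass, but an expired certificate or an untrusted chain still fails, so the override does not reduce Strong to Relaxed.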
Chapter 4 Policy Based Encryption

This chapter includes the following topics:
Introduction to Policy Based Encryption
About Policy Based Encryption

Introduction to Policy Based Encryption

For further information on Policy Based Encryption (PBE), refer to these topics:
Help on Policy Based Encryption E
Help on Policy Based Encryption Z

About Policy Based Encryption

Policy Based Encryption is an optional add-on product that encrypts the message itself, a higher level of protection than the hop-by-hop transport encryption that TLS provides. Unlike TLS, PBE does not require TLS on the recipient's end, so PBE lets you send encrypted email to third parties who do not support TLS. Policy Based Encryption (PBE) is a cloud-based email encryption service that is integrated with the Email Data Protection service. Data Protection policies identify when messages should be encrypted by the PBE service; when an email triggers a policy rule, you can specify that it is delivered with encryption. Policy Based Encryption provides alternative methods for recipients to read and reply securely to encrypted email.
Warning: To ensure that policy rules are enforced and that messages are TLS-encrypted from your domain to the Email Security Services (ESS) infrastructure, enable the Always enforce TLS outbound from your domain to the Email Security Services setting. It is strongly recommended that every domain with PBE data protection policies defined has this setting enabled. Without it, messages that contain sensitive data may be sent in clear text from your mail servers to ESS, before any PBE policy has been applied to them.

Figure 4-1 shows the portion of the process that is encrypted during outbound delivery from your domain to the Email Security Services (ESS) infrastructure.

Figure 4-1 (diagram: My domain, Email Security Services (ESS), Third-party mail server, with Outbound and Inbound legs; the encrypted area is the leg from My domain to ESS)

Warning: To ensure that third-party replies to PBE-encrypted messages are encrypted from the Email Security Services infrastructure to your domains, it is strongly recommended that you enable the Always enforce TLS inbound from the Email Security Services infrastructure to my domain setting for every domain where PBE data protection policies are applied. If that setting is not enabled, third-party replies to PBE-encrypted messages may be sent in clear text from ESS to your mail server.

Figure 4-2 shows the portion of the process that is encrypted during inbound delivery to your domain from ESS.
Figure 4-2 (diagram: Third-party mail server, Email Security Services (ESS), My domain, with Outbound and Inbound legs; legend: TLS-enabled traffic on the leg from ESS to My domain)

Policy Based Encryption customers with special encryption sub-domains provisioned must have the Always enforce TLS inbound from the Email Security Services infrastructure to my domain setting enabled for the special encryption sub-domain. Enabling this setting for the special domains ensures that the messages that trigger PBE data protection policies are TLS-encrypted from the Email Security Services infrastructure to the Encryption Service infrastructure. The special domains generally start with:
encrypte-us
encrypte-eu
encryptz-us
encryptz-eu
zixvpm

Policy rules can apply to various parts of an email, including the following:
The subject line
The body
File attachments
Microsoft Office documents
PDF documents