User Guide MailMarshal Secure 5.5 August 2006
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, MARSHAL LIMITED PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME JURISDICTIONS DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Marshal, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Marshal. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Marshal may make improvements in or changes to the software described in this document at any time.

© 2006 Marshal Limited, all rights reserved.

U.S. Government Restricted Rights: The software and the documentation are commercial computer software and documentation developed at private expense. Use, duplication, or disclosure by the U.S. Government is subject to the terms of the Marshal standard commercial license for the software, and where applicable, the restrictions set forth in the Rights in Technical Data and Computer Software clauses and any successor rules or regulations.

Marshal, MailMarshal, the Marshal logo, WebMarshal, Security Reporting Center and Firewall Suite are trademarks or registered trademarks of Marshal Limited or its subsidiaries in the United Kingdom and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.
Contents

About This Book and the Library
    Conventions
    About Marshal

Chapter 1 Introducing MailMarshal Secure
    What is S/MIME?
    Encryption
    Signing
    How Does MailMarshal Secure Work?
    Options for Using MailMarshal Secure
    Online Help

Chapter 2 Configuration
    Installing MailMarshal Secure
    Configuring MailMarshal Secure
    Server Properties: Secure Email
    Security Policies dialog
    Server Properties: Internet Access
    Setting Up S/MIME Features
    S/MIME Repair Functions
    Repair Certificates
    Repair Certificate Emails
    Repair Certificate Key Containers
    Repair Private Keys

Chapter 3 Certificates
    Working with Certificates
    Backing Up Certificates
    Creating a Certificate Folder
    Creating a New Certificate
    General
    Extensions
    Subject Names
    Certificate Usage/Finish
    Certificate Tasks
    Checking Imported Certificates
    Exporting Certificates
    Certificate Search
    Main
    Conditions
    Status
    Trust Search Options
    Certificate Properties
    General
    Usage
    Certificate Details
    Certification Path
    Proxy Certificates
    New Proxy Certificate
    Domain Email Address

Chapter 4 Private Keys
    Backing Up Keys
    Private Keys Tasks
    Export Private Key
    Create Key
    Private Key Properties
    Private Key
    Details

Chapter 5 Certificate Requests
    Creating a Certificate Request
    Extensions
    Subject Names
    Finish/Export

Chapter 6 Certificate Revocation Lists
    CRL Properties
    General
    Parameters
    Entries

Chapter 7 Secure Email Rules
    Basic Secure Email Rules
    Rule Conditions - Secure Email Rules
    Where message is encrypted and cannot be decrypted
    Where message is encrypted and can be decrypted
    Where encryption certificate is invalid
    Where message is not encrypted
    Where message is signed and cannot be verified
    Where message is signed and can be verified
    Where message is not signed
    Where message cannot be encrypted for any secure recipient:
    Rule Actions - Secure Email Rules
    Copy unknown certificates to database folder
    Sign message with certificate
    Encrypt message with certificate
    Do not decrypt message
    Advanced Secure Email Rules
    Multiple Gateway-to-Gateway Encryption Partners
    Gateway-to-Desktop Encryption Partners

Index
About This Book and the Library

The User Guide provides conceptual information about MailMarshal SMTP. This book defines terminology and various related concepts.

Intended Audience

This book provides information for individuals responsible for understanding MailMarshal SMTP concepts and for individuals managing MailMarshal SMTP installations.

Other Information in the Library

The library provides the following information resources:

User Guide
    Provides conceptual information and detailed planning and installation information about MailMarshal SMTP. This book also provides an overview of the MailMarshal SMTP user interfaces and the Help.

MailMarshal Secure User Guide
    Provides detailed information about how to configure and use the S/MIME secure email functionality in MailMarshal SMTP.

Help
    Provides context-sensitive information and step-by-step guidance for common tasks, as well as definitions for each field on each window.
Conventions

The library uses consistent conventions to help you identify items throughout the documentation. The following table summarizes these conventions.

Convention                             Use
Bold                                   Window and menu items; technical terms, when introduced
Italics                                Book and CD-ROM titles; variable names and values; emphasized words
Fixed Font                             File and folder names; commands and code examples; text you must type; text (output) displayed in the command-line interface
Brackets, such as [value]              Optional parameters of a command
Braces, such as {value}                Required parameters of a command
Logical OR, such as value1 | value2    Exclusive parameters. Choose one parameter.
About Marshal

With new threats disrupting business, productivity and wrecking reputations every day, Marshal content security solutions take a proactive approach to identifying email and web vulnerabilities to protect over seven million international users in 17,000 companies from the risks of email and Internet-based threats.

Marshal Products

Marshal's Content Security solution, which includes MailMarshal SMTP, MailMarshal Exchange and WebMarshal, delivers a complete email and Web security solution to these risks by acting as a gateway between your organization and the Internet. The products sit behind your firewall but in front of your network systems to control outbound documents and their content. By providing anti-virus, anti-phishing and anti-spyware protection at the gateway, Marshal's Content Security solution offers you a strategic, flexible and scalable platform for policy-based filtering that protects your network, and as a result, your reputation.

Contacting Marshal

Please contact us with your questions and comments. We look forward to hearing from you. For support around the world, please contact your local partner. For a complete list of our partners, please see our website. If you cannot contact your partner, please contact our Technical Support team.

Telephone:    +44 (0) 1256 848 080 (EMEA)
              +1 404 564-5800 (Americas)
              +64 9 984 5700 (Asia-Pacific)
Sales Email:  info@marshal.com
Support:      www.marshal.com/support
Website:      www.marshal.com
Chapter 1 Introducing MailMarshal Secure

MailMarshal Secure is an additional module of MailMarshal SMTP that implements the S/MIME (Secure MIME) standard for encryption and signing of email messages using the Public Key Infrastructure. MailMarshal Secure can communicate securely with any other encryption product that uses the S/MIME standard; communication is not limited to MailMarshal sites.

What is S/MIME?

S/MIME is an industry standard method of protecting email privacy using the Public Key Infrastructure (PKI). MailMarshal Secure interoperates with other S/MIME aware products, whether server-based or workstation-based.

PKI begins with two digital Keys, known as the Public and Private Key. Public Keys are made freely available, while Private Keys are kept secret and secure. The Public Key can be contained in a digital certificate and distributed. A Certificate may be generated within MailMarshal, or issued by a trusted authority. The Keys are known as an asymmetric pair; messages encrypted using the Public Key can be read with the Private Key.

Public Certificates are maintained in a database such as MailMarshal's Certificate Database. A Certificate may be exported into a file which is made available to sites with which S/MIME email will be exchanged.
PKI allows email to be processed in two ways, known as Encryption and Signing. They are often used together: a message may be both encrypted and signed.

Encryption

Encryption is the scrambling of a message so that it is illegible until decrypted. Typically email sent to a site will be encrypted with the recipient's Public Key (which any sender may have); such messages can only be decrypted by the recipient using their Private Key.

Signing

Signing involves processing a message using a Private Key, to generate a unique block of data known as the signature. The sender signs a message using her Private Key. This signature is sent with the original message. The recipient can verify that the message is unchanged and that it originated from the sender, by testing it using the sender's Public Key.

How Does MailMarshal Secure Work?

MailMarshal Secure allows the email administrator to set and enforce policies for the encryption, decryption, signing, and verification of S/MIME email messages. Within Server Properties, basic policies governing allowable standards of security are set. The policies are applied to email messages using an additional type of Rules, known as Secure Email Rules. These Rules are created and applied in the same way as standard MailMarshal SMTP Rules.

MailMarshal Secure is also used to create, harvest, and manipulate the digital certificates used for S/MIME email. The security information may be stored in a software cryptographic provider (such as the one supplied by default with Windows 2000), or optionally in a third-party cryptographic accelerator such as those supplied by nCipher.
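The signed and encrypted forms that such policies act on can be told apart from a message's MIME headers before any cryptography is attempted. The following Python example is added here and is not MailMarshal code: it classifies a message as clear-signed, opaque-signed, encrypted or plain and reports whether its content can be inspected without a private key. The function name, the status labels and the sample messages are constructed for illustration.

```python
"""Classify a message as S/MIME signed, encrypted or plain from its MIME headers."""
from dataclasses import dataclass
from email import message_from_string

PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIGNATURE = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


@dataclass(frozen=True)
class SmimeStatus:
    """Hypothetical result type for this example."""
    kind: str                # plain, clear-signed, opaque-signed, encrypted, ...
    needs_private_key: bool  # True when content cannot be read without decrypting


def classify_smime(raw_message: str) -> SmimeStatus:
    msg = message_from_string(raw_message)
    content_type = msg.get_content_type()  # returned lower-cased

    if content_type == "multipart/signed":
        protocol = (msg.get_param("protocol") or "").lower()
        if protocol not in PKCS7_SIGNATURE:
            return SmimeStatus("signed-other", False)  # e.g. PGP/MIME
        parts = msg.get_payload() if msg.is_multipart() else []
        # multipart/signed carries exactly two parts: the content, then the
        # detached signature. Anything else cannot be verified.
        if len(parts) != 2 or parts[1].get_content_type() not in PKCS7_SIGNATURE:
            return SmimeStatus("malformed-signed", False)
        return SmimeStatus("clear-signed", False)

    if content_type in PKCS7_MIME:
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return SmimeStatus("encrypted", True)
        if smime_type == "signed-data":
            return SmimeStatus("opaque-signed", False)
        if smime_type == "certs-only":
            return SmimeStatus("certs-only", False)
        # smime-type is optional; without it the body itself must be parsed.
        # Report conservatively that a key may be required.
        return SmimeStatus("pkcs7-undeclared", True)

    return SmimeStatus("plain", False)


def _sample(content_type: str, body: str = "AAAA\n") -> str:
    """Build a constructed sample message (not real mail, not real signatures)."""
    return (
        "From: alice@example.com\nTo: bob@example.net\n"
        "Subject: constructed sample\nMIME-Version: 1.0\n"
        f"Content-Type: {content_type}\n\n{body}"
    )


SIGNED_HEADER = (
    'multipart/signed; protocol="application/pkcs7-signature"; '
    'micalg=sha1; boundary="b1"'
)
CLEAR_SIGNED = _sample(
    SIGNED_HEADER,
    "--b1\nContent-Type: text/plain\n\nQuarterly figures attached.\n"
    "--b1\nContent-Type: application/pkcs7-signature; name=smime.p7s\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n",
)
TRUNCATED_SIGNED = _sample(
    SIGNED_HEADER,
    "--b1\nContent-Type: text/plain\n\nSignature part missing.\n--b1--\n",
)
ENCRYPTED = _sample("application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m")
OPAQUE_SIGNED = _sample("application/pkcs7-mime; smime-type=signed-data; name=smime.p7m")
PLAIN = _sample("text/plain; charset=us-ascii", "Hello\n")

if __name__ == "__main__":
    samples = {
        "clear-signed": CLEAR_SIGNED,
        "truncated": TRUNCATED_SIGNED,
        "encrypted": ENCRYPTED,
        "opaque-signed": OPAQUE_SIGNED,
        "plain": PLAIN,
    }
    for label, raw in samples.items():
        print(f"{label:14} -> {classify_smime(raw)}")
```

A message that was signed and then encrypted appears only as enveloped-data; the inner signature becomes visible after decryption.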
Options for Using MailMarshal Secure

MailMarshal Secure can be used to encrypt messages from gateway to gateway, desktop to desktop, or gateway to desktop. Brief explanations of these options are given below. Details of the MailMarshal Rules required to implement these options may be found elsewhere in this Manual.

1. Gateway to Gateway: All encryption and decryption of messages is completed at the server. Internal networks are trusted for security purposes. This mode is easy to set up and run, because all setup and maintenance is done at the server. Users simply send and receive email. MailMarshal can stamp incoming encrypted messages as valid, and can also perform content checks on the messages. The basic rules given in Chapter 7, Secure Email Rules, support this method.

2. Desktop to Desktop: Encryption and decryption takes place at the email client (such as Microsoft Outlook). In this case, MailMarshal can still perform content checks if the messages are also encrypted with a certificate for which MailMarshal holds the private key. Messages for which MailMarshal does not hold the key may be passed through unscanned, or rejected, according to local policy.

3. Gateway to Desktop: MailMarshal can sign outbound messages with a proxy certificate so that the receiving email client recognizes the message as validly signed from the sending email address. MailMarshal must hold public keys for all external addresses to which messages are to be encrypted. This option is used where MailMarshal performs gateway encryption, but the remote recipient uses desktop encryption software. Example rules to support this method are given in Chapter 7, Secure Email Rules.

Online Help

MailMarshal provides online help for assistance during installation and use of the software. Help is accessed through the Help menu or by pressing the [F1] key.

Extended up-to-the-minute support is available on the Marshal website. The website at http://www.marshal.com features news, a support Knowledge Base, Discussion Forum, and maintenance upgrades.
Chapter 2 Configuration

Installing MailMarshal Secure

MailMarshal Secure is available on the MailMarshal CD-ROM or in the downloadable MailMarshal SMTP installation file. The product requires an S/MIME enabled License Key, available from Marshal.

MailMarshal Secure requires Windows 2000, Windows XP Professional, or Windows Server 2003, and MSDE or a Microsoft SQL server to host the Public Certificate Database.

To install the MailMarshal Secure module, run the MailMarshal installer from the Windows Control Panel. If MailMarshal is already installed, on the Welcome page select Modify. On the Select Setup Type page, choose to install MailMarshal S/MIME Server. (For additional details of the installation process, please see the chapter Installation in the MailMarshal SMTP User Guide.)
After installation, open the License Info tab of Server Properties and enter the S/MIME enabled License Key.

Notes:

It is very strongly recommended, for speed, security, and availability reasons, that the Certificate Database be installed on the MailMarshal Server computer. In some cases (for instance, a cluster installation) the Certificate Database can be created on a different server.

We recommend a 128 Bit Encryption version of the operating system. Some early international releases of Windows 2000 were only 40 bit. To check the encryption level of a machine, within Internet Explorer click on Help > About. The 'Cipher Strength' value shows the encryption level of the machine.

Configuring MailMarshal Secure

Once the S/MIME module is installed and licensed, two tabs of Server Properties are used to configure this module: Secure Email and Internet Access.
Server Properties: Secure Email

On this tab, check the box Enable Secure Email to enable MailMarshal Secure.

Certificate Database

Click the button Choose Database to connect to a Certificate Database. In the Create/Select Database dialog, enter the location of the SQL Server or MSDE computer where the database will reside. It is very strongly recommended for speed, security, and availability reasons that this be the MailMarshal server. The database will not grow large. If a database exists in the location selected, check recreate database to delete it.
Click OK to return to the Secure Email tab.

Cryptographic Service Provider

Select a provider from the list. The Cryptographic Service Provider is the software or hardware used to store and manipulate Private Keys.

Note: Changing Cryptographic Service Providers may cause Keys stored in the old Provider to be lost. This will occur if changing between software and hardware Providers, or if changing from a higher to a lower level of encryption. When changing Providers, you should be prepared to restore all Keys from backup (though this will not typically be necessary).

Default Key Exchange Algorithm

Select an algorithm from the list. This setting defines the level of encryption used when appending a key to an email message. The available choices may vary depending on the Cryptographic Service Provider selected. Higher encryption levels are more secure but will require additional processing resources.

Default Encryption Algorithm

Select an algorithm from the list. This setting defines the default level of encryption that will be used when Secure Email Rules are created. Select the highest level compatible with the software at other locations with which encrypted email is exchanged. The available choices may vary depending on the Cryptographic Service Provider selected.

Default Hashing Algorithm

Select an algorithm from the list. This setting defines the default hashing or thumbprint that will be used for signing by Secure Email Rules. SHA-1 is preferred but other settings may be used where necessary for compatibility with remote locations.
Security & Certificate Policies

Select a security level using the radio buttons. Alternatively, click Policies to view and change the options in force using the Security Policies dialog.

Note: The Strict option selects a restrictive set of security policies, which would typically be used by a site requiring all email to be encrypted and signed with Certificates guaranteed by a third-party Certificate Authority. The Moderate option selects a looser set of policies, which would typically be used by a site using self-signed Certificates to encrypt and sign email for exchange with known and trusted partners. Custom allows a locally created set of policies to be created; however selecting the Strict or Moderate button resets any customizations.

Security Policies dialog

This dialog allows selection of several settings governing the creation and application of Secure Email Rules.
The dialog has three tabs:

General

Permit generation of certificates: When this option is checked, MailMarshal can create self-signed Certificates and also create proxy individual certificates on the fly. De-selecting (unchecking) this option is the more secure choice.

Permit exportable private keys: Private Keys created when this option is checked can be exported to other products or locations. De-selecting (unchecking) this option is the more secure choice.

Note: If keys are marked non-exportable, they cannot be backed up routinely. MailMarshal Secure offers the option to back up non-exportable keys once, when they are created.

Allow manual editing of email addresses: When this option is checked, email addresses associated with Certificates can be added, changed, and deleted. (Addresses which form part of the original Certificate cannot be edited.) De-selecting (unchecking) this option is the more secure choice.

Continue to use Certificate Revocation Lists: This option is used to provide a default grace period for technical delays in retrieving CRL updates. Enter the grace period. A Certificate will still be usable during the grace period after the replacement time of the CRL. This setting may be overridden in the properties of each CRL (See below).

Algorithms

This tab allows selection of the order of preference in which algorithms will be used or exposed for each function (key exchange, encryption, and hashing). In general, the stronger (higher bit count) algorithms are preferred as more secure, but also require additional processing time and may raise compatibility issues. The selections made here affect the options available during Secure Email Rule creation.
For each algorithm type, select a specific algorithm and use the up and down arrows to set its place in the list. Click Delete to remove it from the list of usable algorithms. Click Add to add any algorithm available from the selected Cryptographic Service Provider to the list. (Set the default choice for each algorithm using the drop-down boxes on the Secure Email tab of Server Properties.)

Processing

Expose algorithm capabilities on outbound email: When this option is selected, MailMarshal will encode information on the algorithms it can use within outbound secure email messages. A remote server could use this information to determine the most secure settings to be used on mail between the two servers (See Below).

Mail administrator when private key certificates are due to expire: When this option is selected, MailMarshal will monitor the upcoming expiry of Certificates and send email warnings to the administrator. Select the number of days prior to expiry when these warnings should start.
Retrieve new certificates from a designated LDAP servers when certificates are due to expire: When this option is selected, MailMarshal will attempt to retrieve updated public-key Certificates to replace ones which are nearing expiry. Select the number of days prior to expiry when these attempts should start. To configure groups for which automatic retrieval will occur, use the final page of the Certificate server LDAP connection wizard. See the chapter LDAP Connections in the MailMarshal SMTP User Guide.
Server Properties: Internet Access

This tab of Server Properties is used to define the path for HTTP and FTP connection to the Internet. This connection is used by MailMarshal Secure to retrieve certificate revocation and renewal information.

Select the configuration method using the radio buttons:
Preset Configuration: MailMarshal uses the configuration settings for the account under which the MailMarshal Controller service is running.

Note: By default the Controller service runs under the Local System account. For this selection to be useful the Controller should be run using another account with administrator privilege.

Direct access: No special configuration is required; the Internet is available from this computer without a proxy.

Proxy: MailMarshal connects to the Internet using the proxy server details provided. Only Basic Authentication is supported.

    Proxy Name: The name of the proxy server computer. This may be a local computer name, fully qualified domain name, or IP address.
    Port: The port number on which the proxy server accepts requests (typically port 8080).
    User Name: The user name may include NT domain information in backslash format (e.g. ourcompany\username).
    Password: The password associated with the user name (entered twice for confirmation).
Setting Up S/MIME Features

In addition to the configuration options selected in Server Properties, preparing MailMarshal Secure's S/MIME features for use involves three steps:

1. Create or import a Domain Certificate (also known as a Server Certificate) for each local domain that will use signing and/or encryption. The same certificate may be used to process email for several domains using Gateway-to-Gateway encryption. See Chapter 3, Certificates.

2. Exchange certificates with other sites. Since email messages will typically be encrypted and signed in both directions between two or more organizations, each must have the appropriate information to encrypt for, and validate signatures from, the other. See Chapter 3, Certificates.

3. Configure Secure Email Rules. A basic set of Secure Email Rules is required to ensure the security of encrypted links with other sites. See Chapter 7, Secure Email Rules.

S/MIME Repair Functions

The following functions are available on the All Tasks submenu of the Secure Email node of the Configurator. No harm can come from selecting any of these actions, although they may take some time to complete if a large number of Certificates are present.

Note: See Chapter 3, Certificates, and Chapter 4, Private Keys, for more information on these elements.

Repair Certificates

This action checks the certificate information in MailMarshal's Certificate database against the information in the Certificates (which are stored in the selected Cryptographic Provider). The database is corrected if necessary.
Repair Certificate Emails

This action checks the email addresses for each certificate in MailMarshal's Certificate database against the email addresses coded in the actual Certificates. The original values are restored.

Repair Certificate Key Containers

This action ensures that the Key references in MailMarshal's Certificate Database point to the correct Key containers in the Cryptographic Provider. This action may be useful where problems are encountered due to a change in Provider.

Repair Private Keys

This action checks the Private Key information for each Certificate in MailMarshal's Certificate database against the information in the Cryptographic Provider. This action may be useful where Private Keys may have been changed or imported into the Provider by other applications.
Chapter 3 Certificates

Certificates are used to store and exchange Public and Private Keys.

Typically certificates containing Private Keys are generated locally or requested from a, then stored securely. They are generally only exported for backup purposes. These Certificates contain the information needed to decrypt email, or to sign email from a site.

Certificates containing Public Keys may be imported from other sites, or exported from MailMarshal for use on other sites. These Certificates contain the information needed to encrypt email for sending to a site, or to validate the signature on email from a site.

Working with Certificates

Select the node Certificates in the left pane of the Configurator to work with S/MIME Security Certificates. When the node is selected, a listing of Certificate folders is shown in the right pane. Open any folder to see the available S/MIME Certificates it contains.
A certificate is shown with a lock icon if it has an associated Private Key. A certificate shown with a red border indicates that the Private Key cannot be found or is invalid.

Note: When a folder has the status Held, certificates in that folder will not be used for email encryption. This allows for importation and storage of certificates which have not yet been verified manually. Once approved for use, Certificates should be moved to other folders.

Right-click on the Certificates node and click New > Folder to create a new Certificate Folder.

Right-click on the Certificates node or a Certificate Folder and click New > Certificate to create a new Certificate (if this action is permitted by the Security Policies). Choose New > Advanced Certificate to see the full range of options. See Creating a New Certificate, below, for details.

Backing Up Certificates

This is very important. Keep a copy of all Certificates and the associated Private Keys. Export a Certificate to a file by right-clicking on it then clicking Export. The exported information should be kept securely (e.g. on a floppy disk in a safe). If the backup includes a Private Key, the password for the backup file should be kept separate from the file itself.

Creating a Certificate Folder

Right-click on the node Certificates and click New > Certificate Folder to create a Certificate folder, which will appear in the Configurator under the Certificates node. Enter the name of the folder to be created.
If the box Certificates placed in this folder will not be considered for use is checked, Certificates placed or imported into this folder will not be available for email processing. This allows for importation and storage of Certificates which have not been manually verified as trustworthy. If this box is checked when a Folder is created, the Folder will be notated as Held when shown in the left pane of the Configurator.

Click OK to create the folder.

Creating a New Certificate

Right-click on the Certificates node or a Certificate Folder and click New > Certificate to create a new S/MIME Security Certificate (if this action is permitted by the Security Policies). Choose New > Advanced Certificate to see the full range of options.

The Certificate may be self-signed. Alternatively, if the MailMarshal certificate database contains a CA certificate with the necessary attributes, the new Certificate may be signed using this CA Certificate.

The General and Usage/Finish pages of the Wizard are always shown. When Advanced Certificate is selected, the Extensions and Subject Names pages are also shown.

General

Common name (required field): This field typically shows the issuer name or certificate purpose.

Subject email: This may be an individual email address or a domain email address. The Certificate will be valid to encrypt and sign email related to this address.

Note: In most cases, for the Certificate to be used by MailMarshal the subject email should be a domain email address (see below for a definition). Use the arrow to the right of the field to enter the local part of a domain email address.
Organization name: The name of the organization which will use this certificate.

Private key: Select a key from the list, or create a new one by clicking Create Key.

Folder: Select the Certificate Folder into which to place this Certificate. (If a folder was selected earlier, its name will be entered in this field and cannot be changed.) A new folder may also be created - enter a name for it.

Note: To allow the Certificate to be used immediately, do not place it in a Folder marked Held.

Validity dates: Select starting and ending validity dates for this Certificate. The default is a validity of one year beginning immediately.

Issued by: Select the authority for the new certificate to be issued by. The choices in this list will include self-signing and any Certificates in the database marked as CA certificates that include a Private Key. (See Below).
Extensions

This page allows addition of optional information to the Certificate. It is only shown in the Advanced version of the wizard.

Key Usage: Check the boxes corresponding to the purposes for which this certificate is to be used. By default the first four boxes are checked as these items are required for MailMarshal to use the Certificate.

    Digital Signature: Certificate can be used to sign a message assuring its origin and integrity.
    Non-Repudiation: Certificate can be used to guarantee acceptance of a transaction (e.g. to provide a receipt).
    Key Encryption: Certificate can be used to encrypt a key for inclusion with an email.
    Data Encryption: Certificate can be used to encrypt the data in an email.
    Certificate Signing: Certificate can be used to verify the trust of another Certificate.
    Key Agreement: Certificate can be used to agree on a private key over insecure networks.

Constraints: Select whether this Certificate is to be recognized as coming from a Certificate Authority. If it is, specify the path length or number of intermediate certificates in a chain of trust which it can guarantee.

Email Addresses: This list should contain any email addresses (in addition to the domain email address) for which this Certificate should be valid. Click Add to add an entry to the list. Select an entry and click Delete to remove it from the list. Double-click an entry to edit it. When adding or editing an address, use the arrow to the right of the field to enter the local part of a domain email address.

CRL Distribution Point: Optionally enter one or more URLs where Certificate Revocation Lists affecting this Certificate may be found.

Subject Names

Note: This option must be selected if the Certificate is to be used to generate Proxy Certificates.

This page shows a list of all text fields within the Subject of the certificate. It is only shown in the Advanced version of the wizard.

Select any existing field to edit or delete it. To edit, click Edit then modify the text in the edit field. To delete the selected field click Delete.
To add a new field, choose an available field name from the drop-down list, enter the desired text in the edit field, then click Add.
Certificate Usage/Finish

This page shows several parameters which affect the purposes for which the Certificate may be used.

Trust

Choose the level of trust for the certificate. If the new Certificate is signed by a CA Certificate, typically it should inherit trust from the issuer.

Always Trusted allows the certificate to be used for encryption or signing of messages (subject to the expiry or revocation of the certificate).
Never Trusted will cause messages related to this certificate to be rejected.
Inherits Trust from Issuer (only available for CA issued certificates) bases the trust level on the trust for the root or intermediate certificate to which this certificate is chained (see below).
Preferred Use

Check the appropriate boxes to indicate whether the certificate is preferred for encryption and/or signing purposes.

Note: If the preferred certificate is not usable (e.g. because it is out of date), another certificate for the same domain will be used, if available. This may cause an encrypted message to be undecryptable if the recipient does not have the appropriate key for the other certificate.

For Messages Signed with this certificate

Choose whether to leave or strip (remove) a signature based on this key when it is found on incoming email.

Leave the signature: The signature is left on the email delivered to the client.
Strip the signature (default action): The signature is stripped from all incoming email signed with this certificate.
Strip the signature when domain signed: The signature is stripped from incoming email signed with this certificate when it is domain signed (e.g. signed by another MailMarshal gateway).

The signature should be left in desktop to desktop encryption situations so it can be verified by the client software. Otherwise it may safely be stripped (since MailMarshal will have verified it).

Certificate Tasks

Double-click any Certificate to view and edit its properties in the Certificate Properties dialog.

Right-click a Certificate Folder and click Import to import one or more Certificates into this folder from a file. (This includes CA Certificates which have been requested using MailMarshal's Certificate Request facility.)
When importing a Certificate, you may be prompted to choose whether the certificate is trusted. When importing a Certificate with a Private Key, you will be prompted for a password.

Right-clicking a Certificate presents the following options. Not all options are available for every Certificate.

Export: Export this certificate to a file. (This action will only be available for some Certificates.) See below for export options.
New Proxy Certificate: Generate a new Proxy Certificate from a Domain Certificate. This action will only be available for Certificates marked as CA Certificates.
Proxy Certificates: Search for all Proxy Certificates generated from this Certificate. The results will be shown in the Certificate Search Results.
Reload Private Key: Attempt to re-synchronize the Private Key for this Certificate with the Encryption Provider.
Go To Private Key: Find the related Key in the Private Keys node.
Delete: Delete this certificate. Deleting the Certificate does not affect the Private Key.

Warning: Before deleting a Certificate ensure that no Secure Email Rules use it (i.e. it is not required for decryption or signing of messages).

Checking Imported Certificates

A certificate contains the encryption key for the related addresses. If the wrong certificate is installed, encryption may not function correctly and security may be broken. To check that the correct certificate is installed, compare the thumbprint of the certificate against the thumbprint of the certificate installed at the other site.

In the MailMarshal Certificate Manager, select the certificate to be checked then click View Details. Two versions of the thumbprint, SHA1 and MD5, are given if available. Confirm the thumbprint string with the administrator or user at the other site. Perform this action for both sites' certificates.
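The thumbprint comparison described above can also be cross-checked outside the Certificate Manager on an exported certificate file. The following Python sketch is an added example, not MailMarshal code; the function names and the sample bytes are assumptions made for illustration. It shows that the thumbprint is a hash of the certificate's binary (DER) encoding, so a binary export and a Base64 export of the same certificate give the same value, and that a thumbprint read out by the other site should be normalised and checked for completeness before comparing.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder bytes standing in for a DER-encoded certificate.
# A thumbprint is a hash of the raw DER bytes, so any byte string shows the mechanics.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed sample, not a real certificate"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour, the form a Base64-encoded export takes."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode("ascii")


def load_der(data: bytes) -> bytes:
    """Return the DER bytes from a binary (DER) or Base64 (PEM) certificate file."""
    match = PEM_BLOCK.search(data.decode("latin-1"))
    if match is None:
        return data  # no PEM armour found: treat the input as binary DER
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def thumbprints(data: bytes) -> dict:
    """Compute the SHA1 and MD5 thumbprints as lowercase hex strings."""
    der = load_der(data)
    return {
        "sha1": hashlib.sha1(der).hexdigest(),
        "md5": hashlib.md5(der).hexdigest(),
    }


def normalise(claimed: str) -> str:
    """Strip separators from a thumbprint as read out or pasted by the other site.

    Removes whitespace, colons and the invisible left-to-right mark (U+200E)
    that can ride along on copy and paste. A truncated value is rejected
    rather than compared as a prefix.
    """
    cleaned = re.sub(r"[\s:\u200e]", "", claimed).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned) or len(cleaned) not in (32, 40):
        raise ValueError("expected a complete MD5 (32 hex) or SHA1 (40 hex) thumbprint")
    return cleaned


def matches(data: bytes, claimed: str) -> bool:
    """True if the certificate file has the thumbprint the other site reported."""
    want = normalise(claimed)
    algo = "sha1" if len(want) == 40 else "md5"
    return hmac.compare_digest(thumbprints(data)[algo], want)


if __name__ == "__main__":
    fp = thumbprints(SAMPLE_DER)
    print("SHA1:", fp["sha1"])
    print("MD5: ", fp["md5"])
    print("PEM export matches:", matches(to_pem(SAMPLE_DER), fp["sha1"].upper()))
```
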
Exporting Certificates

To export a Certificate (for backup or to exchange with another site), right-click on a Certificate and select Export to use the Export Certificate Wizard. The first page of the wizard gives several important notes and warnings. Click Next to continue.

In the next page (Format), select a file format for the export.

X.509 format can be used for single certificates without private keys.
PKCS #7 format can be used for multiple certificates or chains of certificates.
PKCS #12 format can be used to export certificates with their associated private keys (if the keys are exportable), including chains of certificates.

Note: Private keys should only be exported for backup or other defined need. They should not be sent to ordinary encryption partners. Keep PKCS #12 Certificates and their passwords in separate secure locations.

In the next page (Details), check Base64 Encoding to export the certificate in plain text format. This format may be required by some other software.

To include all certificates in the chain of trust (PKCS #7 and PKCS #12 format only), check the box Include all certificates in certification path. Use this option to ensure that your encryption partner has everything they need to verify the trust of your certificate.

If you selected PKCS #12 format, enter (and confirm) a password for the certificate. This should be a long, non-obvious password.
In the final page of the wizard, information on the certificate to be exported appears in the lower pane. Enter or browse to a file location and name. Click OK to export the certificate.
Certificate Search

To search for a particular certificate or for all certificates with a certain expiry date, right-click on the Certificates node then select Find to see the Search for Certificates dialog. If a certificate with a particular issuer is selected, the search will be limited to Certificates with that issuer.

Note: All entries on all tabs of this dialog are optional; however at least one choice must be made for any results to be returned.

When all conditions have been entered, click OK to begin the search. Results will be shown in the Certificate Search Results node (shown in the right pane of the Configurator).
Main

Subject Contains: Fields in the Subject area of the certificate will be searched for this string. (This will include the issuer, common name, and other detail fields.) The wildcards * and ? may be used.
Email Address: Complete addresses (as visible on the General tab of Certificate Properties) will be searched for using this string. The wildcards * and ? may be used.
Expiry date and time (optional): Use the pull-down and spin boxes to change the entries. Typically this option will be used to find certificates nearing expiry.

Conditions

Select the desired attributes of the certificate to search for by checking the boxes. Where detailed information must be entered, click the red hyperlinks in the lower pane to enter it.

Trust Type: choose the trust types to search for using the Trust Types dialog.
Private Key: select this option to limit the search to certificates which have a Private Key.
Self Signed: select this option to limit the search to certificates which are Self Signed.
Certificate Authority: select this option to limit the search to certificates which are signed by a Certificate Authority (including MailMarshal self-signed CA certificates).
Proxy: select this option to limit the search to Proxy Certificates (individual address certificates created from a Domain Certificate).
Folder: choose the folders to search in using the Select Folder dialog.
Status

Limit the certificates to search for by checking any of the boxes. To choose to search on the presence or absence of the attribute, click the red hyperlinks in the lower pane to use the Certificate Status dialog.

Valid: choose to limit the search to valid or invalid certificates.
Trusted: choose to limit the search to trusted or untrusted certificates.
Verified: choose to limit the search to verified or unverified certificates.
Revoked: choose to limit the search to revoked or unrevoked certificates.
Missing CRL: choose to limit the search to certificates which have (or are missing) a CRL.
Missing Issuer: choose to limit the search to certificates without (or with) a named issuer.
CRL Expired: choose to limit the search to certificates whose Certificate Revocation List has expired (or not expired).
CRL Distribution Point: choose to limit the search to certificates which have or lack a CRL Distribution Point.

Trust Search Options

This dialog allows the Certificate search results to be limited to Certificates with particular trust characteristics. Select one or more trust types by checking the appropriate boxes.

Trusted: certificates which are marked as implicitly or always trusted.
Not Trusted: certificates which are marked as never trusted, or implicitly not trusted.
Inherited: certificates which have been set to inherit their trust level from a chain of trust (intermediate and/or root certificates).
Certificate Properties

This dialog has four tabs which allow many properties of a Certificate to be viewed and edited.

General

The issuer and validity dates, type and status, and location of the Certificate are shown. A list of the email addresses for which the Certificate can be used is given. If the Certificate is used for domain encryption or signing, a domain email address will be shown in the list.

If permitted by the Security Policies, this list can be edited. Click Add to add a new address to the list. Double-click any address to edit it. Highlight an address and click Delete to remove it. Addresses which cannot be edited (because they are permanently encoded in the Certificate) are indicated by a no writing icon. Use the arrow to the right of the field to enter the local part of a domain email address.

Usage

This tab shows several parameters which affect the purposes for which the Certificate may be used.

Trust

View or choose the level of trust for the certificate. Note that the trust level for some individual and domain certificates may depend on the level of trust granted to intermediate certificates.

Always Trusted allows the certificate to be used for encryption or signing of messages (subject to the expiry or revocation of the certificate).
Never Trusted will cause messages related to this certificate to be rejected.
Inherits Trust from Issuer (only available for CA issued certificates) bases the trust level on the trust for the root or intermediate certificate to which this certificate is chained.
Preferred Use

Check the appropriate boxes to indicate whether the certificate is preferred for encryption and/or signing purposes.

Note: If the preferred certificate is not usable (e.g. because it is out of date or revoked), another certificate for the same domain will be used, if available. This may cause an encrypted message to be undecryptable if the recipient does not have the appropriate key.

For Messages Signed

Choose whether to leave or remove a signature based on this key when it is found on incoming email. Typically the signature will be removed in gateway to gateway encryption situations (since MailMarshal has verified it). The signature should be left in desktop to desktop encryption situations so it can be verified by the client software.

Certificate Details

This tab of Certificate Properties shows detailed information about the certificate. Select any item on the top pane to see details in the bottom pane.

Certification Path

The upper pane of this tab shows the chain of trust through which this certificate is issued. The chain may include intermediate and root certificates from a Certificate Authority, as well as the certificate itself. For instance, MailMarshal Proxy Certificates are chained to the appropriate Domain Certificate.

If other certificates appear in the chain of trust, select one and click Properties to view its details in a new Certificate Properties dialog.
Proxy Certificates

A Proxy Certificate is an S/MIME Security Certificate for a specific user in a domain which has a Domain Certificate. These certificates may be used in desktop-to-desktop encryption for the specific user. A Proxy Certificate can be generated from any Domain Certificate which is marked as a CA Certificate. See the information on Secure Email Rule Actions for uses of Proxy Certificates.

Note: MailMarshal Secure will generate Proxy Certificates on the fly and retain them for future use. It is not normally necessary to create Proxy Certificates manually. Proxy Certificates require a specific Domain Certificate for each domain supported.

New Proxy Certificate

In order to be used to create a Proxy Certificate, the parent Certificate must be marked as a CA certificate and must contain one of the domain email addresses for the domain.

Enter an email user name to be used as the subject of this Certificate and click OK. The Proxy Certificate will be placed in the Certificate folder Proxy Certificates (which will be created if necessary).

The error Invalid ascendant email address indicates that the parent Certificate is not a valid domain Certificate for the email address entered.

Domain Email Address

In order for a Certificate to be fully usable for Domain Encryption, Domain Signing, and creation of Proxy Certificates, it must have a special subject email. The three acceptable email addresses for these purposes are:
Domain-Confidentiality-Authority@domain
Domain-Signing-Authority@domain
Review-Authority@domain

Note: When adding or editing an email address, use the arrow to the right of the field to enter the local part of a domain email address. Add the appropriate domain portion.

Within MailMarshal's Certificate dialogs, the local part of these email addresses may also be entered in abbreviated form as <dca>, <dsa>, and <ra>. MailMarshal will use these shorthand versions of the email addresses when displaying the Certificate in the main Configurator view. The full addresses are shown in the Certificate Properties dialog.

If a Domain Certificate has been created without a suitable email address, it may be possible to add the address later. See Certificate Properties on page 32.
Chapter 4 Private Keys

This node of the Configurator shows all Private Keys which have been created or imported in MailMarshal, and other keys found in the Cryptographic Service Provider. Private Keys are used to sign and decrypt email.

IMPORTANT: The security of your encrypted email depends on keeping Private Keys secure.

Backing Up Keys

This is very important. Keep a copy of all Private Keys and the associated Certificates. Export a Private Key to a file by right-clicking on it then clicking Export. The exported information should be kept securely (e.g. on a floppy disk in a safe). The file password should be kept in a separate secure location.

Note: By default MailMarshal creates Private Keys marked non-exportable (for security reasons). When a non-exportable key is created by MailMarshal, you are given the option to make a backup immediately after creating the Key. There is no other opportunity to back up non-exportable keys. The choice to create exportable Private Keys is made on the Security Properties dialog reached from the Secure Email tab of Server Properties.
Private Keys Tasks

A Key shown in red indicates that the Key is not validly present in the current Cryptographic Provider. A key shown in blue indicates that the Key is present in the Cryptographic Provider but is used only by other applications and not by MailMarshal. (These Keys are available for use by MailMarshal.)

Double-click any key in the right pane (or in a sub-node) to see a list of all Certificates which use this key.

Right-click on the node then choose New > Private Key to open the Create Key dialog. Choose Import to import a Key created elsewhere.

Right-click on any private key to select from the following options:

Properties: See detailed information about this Key.
New > Certificate: Create a certificate using this Key.
Delete: Delete the Key.

Warning: Deleting a private key will render any Certificates based on it useless. MailMarshal will raise a warning if any Certificates depend on the Key.

Export Private Key

This dialog is used to export Private Key information to a file. The file may be used as a backup. There is normally no reason to share this file with anyone inside or outside the organization.

Select a location and name for the export file. Enter a password (used to import the file).
The exported information should be kept securely (e.g. on a floppy disk in a safe). The file password should be kept in a separate secure location.

Note: For security reasons, MailMarshal creates Private Keys marked non-exportable by default. When a non-exportable key is created by MailMarshal, you have the option to make a backup immediately after creating the Key. There is no other opportunity to back up non-exportable keys. The choice to create exportable Private Keys is made on the Security Properties dialog reached from the Secure Email tab of Server Properties.

Create Key

Use this dialog to create a new Private Key for use with S/MIME Certificates (see below).

A unique name is provided. You may edit it but for clarity it should not be the same as any other Private Key name in the database.

Select a key size from the list. Larger keys are more secure in general, but may cause compatibility problems.

Enter a description for the key if desired.

The checkbox Key is not exportable controls whether the Key can be exported to a file later. If the Security Policies allow exportable private keys, this box will be enabled so that you can choose whether to make the key exportable. If the Security Policies do not allow exportable private keys, this box will be disabled and the new key will not be exportable.
Click OK to create the key. It will be stored using the selected Cryptographic Service Provider and will appear in the list of Private Keys.

Important: If Security Policies have been set to mark Private Keys not exportable, you are given the option to back up the key to a file. This will be the only opportunity to make a copy of the key. Best practice is to make a backup and store it securely (e.g. on a floppy disk in a safe).

Private Key Properties

The two tabs of this dialog show information about a Private Key held by MailMarshal.

Private Key

This tab allows the name and optional description of the key to be viewed and changed. The date of creation, the number of certificates using the key, and whether the key can be exported are also shown.

Details

The key algorithm, unique container name, and associated public key are shown.
Chapter 5 Certificate Requests

Certificate Requests (also known as Certificate Signing Requests) are used to provide information to a Certificate Authority (CA). The CA undertakes to guarantee the identity of the organizations using Certificates it has issued. This may be desired to guarantee message security against spoofing.

To obtain a Certificate from a CA, generate a Certificate Request. Send the Request (along with any other required information) to a CA. Be sure to indicate to the CA that the intended purpose of the Certificate is domain email encryption and signing.

The Certificate Requests node of the Configurator shows any outstanding requests for new Certificates which have been generated through MailMarshal.

Right-click and select New > Certificate Request or New > Advanced Certificate Request to generate a request for a new certificate. When the new Certificate is received, import it into a certificate folder. For details of this procedure, see Chapter 3, Certificates.

In the right pane, double-click on any Certificate Request to view its properties. Right-click on a Certificate Request and click Export to send it to a file or the Windows clipboard.
Creating a Certificate Request

Right-click the Certificate Requests node and select New > Certificate Request or New > Advanced Certificate Request to generate a request for a new certificate.
Before creating the request, review the requirements and costs to have the request processed by the CA.

Note: In many cases (where S/MIME email is to be exchanged between a limited number of sites which trust each other), a self-signed Certificate is adequate. Self-signed Certificates can be created quickly and at no charge using MailMarshal's Certificate system; see Chapter 3, Certificates. MailMarshal's proxy certificate capabilities can only be used with self-signed Certificates.

Common name (required field): Typically this name shows the user and intended function of the Certificate.
Subject email: This may be an individual email address or a domain email address. The Certificate will be valid to encrypt and sign email related to this address. See Domain Email Address on page 34.
Organization name: The name of the organization which will use this certificate. (By default MailMarshal inserts the organization name entered in the configuration wizard.)
Private key: Select a key from the list, or create a new one by clicking New Key.
Extensions

This page of the Advanced Certificate Request wizard allows selection of some parameters which determine how the certificate can be used.

Key Usage

Check the boxes corresponding to the purposes for which this certificate is to be used. By default the first four boxes are checked as these items are required for MailMarshal to use the Certificate.

Digital Signature: Certificate can be used to sign a message assuring its origin and integrity.
Non-Repudiation: Certificate can be used to guarantee acceptance of a transaction (e.g. to provide a receipt).
Key Encryption: Certificate can be used to encrypt a key for inclusion with an email.
Data Encryption: Certificate can be used to encrypt the data in an email.
Certificate Signing: Certificate can be used to verify the trust of another Certificate.
Key Agreement: Certificate can be used to agree on a private key over insecure networks.

Email Addresses

This list should contain any email addresses (in addition to the domain email address) for which this Certificate should be valid. Click Add to add an entry to the list. Select an entry and click Delete to remove it from the list. Double-click an entry to edit it.

Subject Names

This page of the wizard shows a list of all text fields within the Subject of the certificate. Select any existing field to edit or delete it. To edit, click Edit then modify the text in the edit field. To delete the selected field click Delete. To add a new field, choose an available field name from the drop-down list, enter the desired text in the edit field, then click Add.

Finish/Export

The Certificate Request is now ready to be sent to a Certificate Authority. Choose whether to copy your request to the Windows clipboard (e.g. for transfer to a Web form) or to a file (e.g. for later submission or attachment to an email).
If copying the request to a file, select the file format. Enter or browse to the file name to be used.
Chapter 6 Certificate Revocation Lists

Certificate Revocation Lists (CRLs) are issued by Certificate issuers to invalidate Certificates before their expiration date. Generally this happens when the Certificate is no longer trustworthy (e.g. because it has been stolen). Best practices for strict security require each Certificate to have a CRL which has regular updates and can be accessed from one or more CRL Distribution Points.

This node is used to import and manage CRLs for use by MailMarshal's Secure Email Rules. For each CRL, MailMarshal displays the name, issue date, next issue date, and automatic reload status. To view additional information and settings, double-click on any CRL to view the CRL Properties dialog.

CRL Properties

This dialog displays detailed information on a CRL (Certificate Revocation List).
General

This tab shows the issuer information, date received, date of update, date of next update, and expiry date for this CRL.

Parameters

This tab shows information about updating of this CRL.
The expiry delay defines the length of time for which a Certificate will still be usable after the replacement time of the CRL. This option is used to provide a grace period for technical delays in retrieving CRL updates. Enter a grace period.

Note: The setting entered here overrides the default setting entered on the General tab of Security Policies. If the setting here is 0 (zero), the default value from Security Policies will be used.

Auto Update: The CRL will attempt to update from the distribution point automatically. Click Update Now to attempt update immediately.

Distribution point URLs: These URLs will be used by the update process to retrieve CRL updates. If a CRL distribution point URL is included in a certificate, it will be entered in the list automatically when the certificate is imported. Additional distribution points may be entered by hand using the Add button. Where more than one distribution point URL is entered, use the checkbox next to each URL to determine which URL is used.

Entries

This tab shows a list of the serial numbers of Certificates which have been revoked by this CRL.
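The expiry delay rule described above, worked through in Python as an added example (this is not MailMarshal's own code). The class and function names, the use of the CRL's next update time as its "replacement time", the time units, and the choice to report a listed serial number as revoked even when the CRL is stale are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set


@dataclass
class Crl:
    """Hypothetical model of the CRL settings shown on the Parameters and Entries tabs."""
    issuer: str
    next_update: datetime                      # assumed to be the CRL's replacement time
    revoked_serials: Set[str] = field(default_factory=set)
    expiry_delay: timedelta = timedelta(0)     # per-CRL grace period; 0 means "use default"


def effective_delay(crl: Crl, policy_default: timedelta) -> timedelta:
    """A non-zero per-CRL setting overrides the Security Policies default."""
    return crl.expiry_delay if crl.expiry_delay > timedelta(0) else policy_default


def crl_state(crl: Crl, now: datetime, policy_default: timedelta) -> str:
    """Classify the CRL as 'current', inside its 'grace' period, or 'expired'."""
    if now <= crl.next_update:
        return "current"
    if now <= crl.next_update + effective_delay(crl, policy_default):
        return "grace"
    return "expired"


def revocation_status(serial: str, crl: Optional[Crl], now: datetime,
                      policy_default: timedelta) -> str:
    """Return 'revoked', 'not_revoked' or 'could_not_check' for one certificate."""
    if crl is None:
        return "could_not_check"               # no CRL could be retrieved
    listed = {s.upper() for s in crl.revoked_serials}
    if serial.upper() in listed:
        return "revoked"                       # assumption: a listed serial stays revoked
    if crl_state(crl, now, policy_default) == "expired":
        return "could_not_check"               # CRL is out of date beyond the grace period
    return "not_revoked"


if __name__ == "__main__":
    # Constructed sample values.
    next_update = datetime(2006, 8, 1, 12, 0, tzinfo=timezone.utc)
    default = timedelta(hours=24)
    crl = Crl("CN=Example CA", next_update, {"0A1B"})
    for hours in (-1, 23, 25):
        now = next_update + timedelta(hours=hours)
        print(hours, crl_state(crl, now, default),
              revocation_status("FFFF", crl, now, default))
```
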
Chapter 7 Secure Email Rules

MailMarshal controls S/MIME encryption and signing using Rules which are maintained in the same way as content checking rules. When MailMarshal Secure is installed and enabled, creation of Secure Email Rules is enabled in the Rule Wizard. Please refer to the chapter Rulesets and Rules in the MailMarshal User Guide for basic information on creating and editing Rules.

Basic Secure Email Rules

The following Ruleset entitled Encryption with OtherCompany contains a basic set of rules required to ensure that all email between the two sites is encrypted, signed, and verified. More complex rules are possible (especially if third-party CA Certificates are in use), but this set should be regarded as a minimum for secure communications. The Ruleset is created with no common User Matching entries.

1. The first two rules specify that outgoing messages are to be encrypted and signed, and state what should happen if encryption cannot be completed:

When a message arrives
Where addressed to 'othercompany.com'
Sign message with an opaque domain certificate and encrypt message with the 'domain' certificate

When a message arrives
Where addressed to 'othercompany.com'
Where message cannot be encrypted for any secure recipient
Send a 'Can't Encrypt' notification message and move the message to 'Encrypt Problems'

2. The next three rules check that incoming messages are validly encrypted and signed, and warn the user (or other appropriate person) if they are not. Warning could be by stamping or by email notification.

Note: A more restrictive option would be to quarantine such messages in a Folder.

When a message arrives
Where addressed from 'othercompany.com'
Where message is not encrypted
Send a 'Not Encrypted' notification message and pass the message to the next rule for processing

When a message arrives
Where addressed from 'othercompany.com'
Where message is not signed
Stamp message with 'Message NOT signed' and pass the message to the next rule for processing

When a message arrives
Where addressed from 'othercompany.com'
Where message is signed and cannot be verified due to 'no certificate' or 'altered' or 'not trusted' or 'revoked'
Stamp message with 'Message NOT signed' and pass the message to the next rule for processing

3. The next rule blocks any email that MailMarshal can't decrypt. If MailMarshal cannot decrypt the message it will be unable to check the contents.

When a message arrives
Where addressed from 'othercompany.com'
Where message is encrypted and cannot be decrypted
Send a 'Can't Decrypt' notification message and move the message to 'Encrypt Problems'
Rule Conditions - Secure Email Rules

This section includes detailed information on the Rule Conditions available within Secure Email Rules. User Matching conditions are the same as those available in Standard Rules.

Where message is encrypted and cannot be decrypted

By default, MailMarshal attempts to decrypt all encrypted messages. Use this condition to detect and block messages that MailMarshal cannot decrypt and check. This condition triggers when both of the following are true:

Firstly, a message has been encrypted by someone else. In the case of an incoming message that someone else may be another MailMarshal server. In the case of an outgoing message it may be a user within your company, possibly using the encryption features in an email client such as Microsoft Outlook.

Secondly, MailMarshal cannot decrypt the message (this occurs when the message was encrypted using a certificate for which MailMarshal does not hold the Private Key). Typically, MailMarshal has private decryption keys only for the site's server certificates.

Note: If MailMarshal cannot decrypt a message, then it cannot scan it to check its content. Most companies will want to block email that cannot be decrypted by the MailMarshal server.

Where message is encrypted and can be decrypted

This condition can be used in conjunction with the previous condition (e.g. when the site wants to stamp incoming encrypted email to indicate its secure status). The condition will trigger when a message has been encrypted using the S/MIME protocol, and MailMarshal has a private key for the message and can read it.
Where encryption certificate is invalid

This condition will trigger when a message can be decrypted, but the Certificate used does not meet best security criteria. The criteria which may trigger this condition are:

Certificate Expired: The validity period of the Certificate has passed, or has not yet started.
Certificate Revoked: The Certificate has been revoked by the issuer (included in a Certificate Revocation List).
Certificate Not Trusted: The Certificate (or a Certificate above it in the chain of trust) has been marked as not trusted by the administrator.
Certificate Not Verified: The Certificate cannot be determined to be valid. E.g. a certificate above it in the chain of trust may be missing, or it may be farther down the chain of trust than is allowed.
Certificate Invalid: Several issues may trigger this factor. E.g. if strict policies are enabled, it may not have a CRL or the CRL may have expired.

If a message triggers this condition, typically the sender would be notified. The message could be refused, or stamped with a notice about the invalid certificate and delivered.

Where message is not encrypted

This condition is often used to double-check that all email from another site is secure. For example, another site may accidentally stop encrypting the email that it is sending, or the unencrypted email might be spoofed. The condition will trigger when a message is plain text without encryption.
Where message is signed and cannot be verified

This condition will trigger when the signature in the message matches the options set in the Signature Verification dialog box. A number of sub-conditions are available within this condition. More than one Rule could be implemented to inform administrators and recipients about the various outcomes.

- No certificate to verify with: The signature on a message cannot be checked because no matching certificate was found.
- Message has been altered: The content of the message has been changed since it was signed. (This may have occurred intentionally or accidentally.)
- Signing certificate has expired: The message has no valid signature. The signing certificate, or a certificate in the chain of trust, has expired (or has a starting validity date in the future).
- Signing certificate is not trusted: The certificate, or a certificate in the chain of trust, has been marked as distrusted by the administrator.
- Signing certificate could not be verified: MailMarshal has been unable to check the trust of the certificate (e.g. the certificate or its root are not in the database, or the email address for the sender does not match the address set up for the certificate).
- Signing certificate has been revoked: The certificate issuer has revoked the certificate (included it in a Certificate Revocation List). This means that the certificate is not to be used because (e.g.) it has been lost or stolen.
- Signing certificate could not be checked for revocation: The Certificate Revocation List for this Certificate cannot be retrieved or is out of date. Revocation status of this certificate cannot be determined.

Where message is signed and can be verified

This condition will trigger when the signature in the message matches the appropriate Certificate. Typically this option is used to check that messages from secure email partners are in fact signed.

Where message is not signed

This condition will trigger when a message is not signed. Typically this option is used to take action when messages from secure email partners, expected to be signed, are not in fact signed. They may not have originated from the apparent sender.

Where message cannot be encrypted for any secure recipient

This condition triggers when the rules state that the message should be encrypted for a specific recipient, and MailMarshal cannot find a certificate to use for encryption. In this case, MailMarshal would have to encrypt the message for some recipients, but send a plain readable message to the others. This would compromise the security of the message. The recommended action in this case is to move the message to a folder and notify the sender and/or administrator.

Note: This Condition only applies to addresses for which encryption is required by the rules. It will not stop delivery of the same message to addresses that do not require encryption according to the rules.
The Rule containing this Condition should be evaluated after any other encryption Rules. This condition overrides MailMarshal's default behavior, which is to move the message to the Encryption DeadLetter folder and notify the administrator.

Rule Actions - Secure Email Rules

Copy unknown certificates to database folder

Use this action to harvest certificates from incoming email messages. Select a Certificate folder to use from the Select Certificate Folder dialog. Typically, harvested Certificates will be placed in a folder marked Held so that they can be reviewed manually before being used.

Sign message with certificate

- Sign Message for Domain: Uses the certificate for the domain from which the message originates.

Note: MailMarshal follows the latest Internet protocols but many applications (including some versions of Microsoft Outlook and Outlook Express) will not work correctly with domain signatures. These applications will read and display the email, but erroneously warn the user that the signature is invalid. If sending signed email which will be verified by a desktop client, use Proxy certificates.

- Sign Message for Sender: Use this option when communicating with applications that do not accept domain signatures.
- Generate Certs when needed: MailMarshal can sign messages for senders by creating proxy certificates automatically on the fly. For example, if the rules tell MailMarshal to sign a message from auser@ourcompany.com and MailMarshal holds a Domain CA certificate for ourcompany.com, MailMarshal will generate a new certificate for the user and will keep it in the database for later use. It is not necessary to give the certificate to the end user. Proxy certificates contain the same information as domain certificates but have an email address for an individual user.
- Attach signature as follows: If set to Opaque, the signature will be combined with the message in one block of data so that the format is unlikely to be changed accidentally when being transmitted via the Internet. If set to Detached, the signature will be saved into the message separately from the content. Therefore anyone can read the message, even if their email system does not support S/MIME. (Use this option if there are compatibility problems with another site.)
- Calculate the signature with the following algorithm: Select the algorithm to use from the drop down box. Two algorithms are in common use, SHA1 and MD5. Both provide adequate security protection but SHA1 may be preferred. (Use this option if there are compatibility problems with another site.) The choices available here may be limited by choices made in the Security Policies dialog.
- Annotate the message as domain signed: This option adds a flag to the signature. When email is received from another site the flag is used to tell whether the signature was created by the server software or by the end user. (Uncheck this option only if compatibility problems are reported, which is unlikely.)
- Check signing certificate for revocation: This option ensures that the certificate used for signing has not been included on a CRL.

If no certificate is available, the message will be placed in the Encryption DeadLetter folder.

Encrypt message with certificate

Use this action to encrypt messages so that they can only be read by the intended recipient. There are several encryption options.

- Encrypt using the recipient's certificate: This option is used when a recipient is using S/MIME at desktop level. MailMarshal will look in the database for a certificate with an address that matches the To: address. It will not use a domain certificate.
- Encrypt using the recipient's domain certificate: This option is used when a recipient's site is using Email Gateway software such as MailMarshal. MailMarshal will look in the database for a domain certificate set up for anyone in that domain.
- Encrypt for both recipient and domain: This option is a combination of the two previous options. MailMarshal will encrypt using both certificates. Both the recipient's Email Gateway software and the recipient will be able to decrypt and read the message. This option would be used if message protection is required to the recipient level but the recipient's company email gateway software blocks messages that it cannot read.
- None of the above: MailMarshal will not encrypt with either the recipient's individual certificate or their domain certificate; it will only use the escrow certificate.
- Additional email addresses (for escrow): MailMarshal will use a certificate that matches the email addresses specified in this box. This option is used in situations where a third party may decrypt and read the messages (e.g. secure archive, proof of sending, auditing).
- Encrypt with sender's domain certificate: MailMarshal will also encrypt using the certificate for the sender so that the sender can reopen sent email.
- Encryption algorithm: MailMarshal can encrypt using several algorithms. It is recommended that you use the strongest, Triple DES. However, another setting may be used to allow for recipients who are running incompatible software. The default and available options can be changed from the Secure Email tab and Security Policies dialog of Server Properties.
- Check encryption certificate for revocation: This option ensures that the certificate used for encryption has not been included on a CRL.
- Search for certs on these LDAP servers: If no valid certificate is found in MailMarshal's Certificate Store, MailMarshal can try to retrieve a certificate from the LDAP servers specified in the list. LDAP can only be used for individual recipient certificates (domain certificates do not have a commonly used format).
Click the Add button beside the LDAP servers list. Select an LDAP connection to be added to the list. If more than one connection is specified, MailMarshal will query the servers in order from top to bottom. To configure LDAP connections for certificates, see the chapter LDAP Connections in the MailMarshal SMTP User Guide.

Note: Use this feature only as a backup, or where certificates are known to be available for the addresses affected, for example, where a company stores certificates for all employees on the LDAP server. If a certificate is not available, the email message will be deadlettered (unless a Rule overrides this behavior; see the condition Where message cannot be encrypted).

Do not decrypt message

MailMarshal decrypts all messages received (for which it holds an appropriate Certificate) so that content Rules may be applied before delivery. If this action is specified, MailMarshal will deliver the original encrypted version to the recipient. This action is used when email must be protected all the way to a desktop.

Advanced Secure Email Rules

Two enhancements to the basic Secure Email ruleset are suggested to cover additional cases: multiple gateway-to-gateway partners, and gateway-to-desktop encryption for external recipients who use a desktop encryption client such as Microsoft Outlook.

Note: In all cases described here, users within the MailMarshal site do not need to take any special action to encrypt email. They simply send messages, and MailMarshal does the rest.
Multiple Gateway-to-Gateway Encryption Partners

Create a User Group called Gateway Encryption Partners. Change the rule conditions Where addressed to and Where addressed from so that they refer to this User Group rather than a particular domain. To implement message encryption to an additional domain, first import the appropriate Certificate for the domain into MailMarshal's Certificate Store; then add the domain name to the User Group Gateway Encryption Partners.

Gateway-to-Desktop Encryption Partners

Create a User Group called Desktop Encryption Partners. Use this group to collect all individual email addresses for which gateway-to-desktop encryption is enabled. To implement message encryption to an address, first import the remote user's Certificate into MailMarshal's Certificate Store; then add the SMTP address to the User Group Desktop Encryption Partners.

A ruleset implementing these features will appear as follows:

1. The first three rules specify that outgoing messages are to be encrypted and signed, and state what should happen if encryption cannot be completed. Gateway and Desktop recipients are treated separately:

When a message arrives
Where addressed to 'Gateway Encryption Partners'
Sign message with an opaque domain certificate
and encrypt message with the 'domain' certificate

When a message arrives
Where addressed to 'Desktop Encryption Partners'
Sign message with a detached proxy certificate
and encrypt message with the 'recipient' certificate

When a message arrives
Where addressed to 'Gateway Encryption Partners' or 'Desktop Encryption Partners'
Where message cannot be encrypted for any secure recipient
Send a 'Can't Encrypt' notification message
and move the message to 'Encrypt Problems'
2. The next three rules check that incoming messages are validly encrypted and signed, and warn the user (or other appropriate person) if they are not. Warning could be by stamping or by email notification.

When a message arrives
Where addressed from 'Gateway Encryption Partners' or 'Desktop Encryption Partners'
Where message is not encrypted
Send a 'Not Encrypted' notification message
and pass the message to the next rule for processing

When a message arrives
Where addressed from 'Gateway Encryption Partners' or 'Desktop Encryption Partners'
Where message is not signed
Stamp message with 'Message NOT signed'
and pass the message to the next rule for processing

When a message arrives
Where addressed from 'Gateway Encryption Partners' or 'Desktop Encryption Partners'
Where message is signed and cannot be verified due to 'no certificate' or 'altered' or 'not trusted' or 'revoked'
Stamp message with 'Message NOT signed'
and pass the message to the next rule for processing

3. The next rule blocks any email that MailMarshal can't decrypt. If MailMarshal cannot decrypt the message it will be unable to check the contents.

When a message arrives
Where addressed from 'Gateway Encryption Partners' or 'Desktop Encryption Partners'
Where message is encrypted and cannot be decrypted
Send a 'Can't Decrypt' notification message
and move the message to 'Encrypt Problems'
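
The inbound rules in steps 2 and 3, modelled as an added Python example (not MailMarshal's rule engine and not code from this guide) to show which partner messages are stamped, which are blocked, and which verification failures the sample rule does not select. The group members, the Msg fields and the three short failure labels marked in the comments are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# The guide's seven sub-conditions of "signed and cannot be verified".
# The last three names are short labels chosen for this example.
VERIFY_FAILURES = {"no certificate", "altered", "not trusted", "revoked",
                   "expired", "could not be verified", "revocation unknown"}
# The four outcomes the sample inbound rule selects.
SAMPLE_RULE_FAILURES = {"no certificate", "altered", "not trusted", "revoked"}

# Constructed members of the two partner User Groups.
PARTNERS = {"partner.example", "alice@desktop.example"}


@dataclass
class Msg:
    """What the gateway observed about one incoming message (constructed model)."""
    sender: str
    encrypted: bool = True
    decryptable: bool = True
    signed: bool = True
    verify_failure: Optional[str] = None  # None means the signature verified


def from_partner(m: Msg) -> bool:
    # Groups may hold whole domains (gateway) or single addresses (desktop).
    return m.sender in PARTNERS or m.sender.rsplit("@", 1)[-1] in PARTNERS


# (condition, action, stop): rules run top to bottom; stop=False models
# "pass the message to the next rule for processing".
INBOUND_RULES = [
    (lambda m: not m.encrypted, "notify: Not Encrypted", False),
    (lambda m: not m.signed, "stamp: Message NOT signed", False),
    (lambda m: m.signed and m.verify_failure in SAMPLE_RULE_FAILURES,
     "stamp: Message NOT signed", False),
    (lambda m: m.encrypted and not m.decryptable,
     "notify: Can't Decrypt; move to Encrypt Problems", True),
]


def evaluate(m: Msg) -> list:
    """Return the actions the sample inbound rules would take, in order."""
    actions = []
    if not from_partner(m):
        return actions
    for condition, action, stop in INBOUND_RULES:
        if condition(m):
            actions.append(action)
            if stop:
                break
    return actions


def unstamped_failures() -> list:
    """Verification failures that the sample rule lets through unmarked."""
    return sorted(VERIFY_FAILURES - SAMPLE_RULE_FAILURES)
```

In this model a partner message whose signing certificate has expired produces no action; a site that wants such messages marked would select that sub-condition in a further rule.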