Configure the encryption/decryption default settings

This area of the Email Gateway is used to configure two types of settings:

To configure the encryption/decryption default settings:

  1. Point to the System tab.
  2. Under Encryption, click Encryption/Decryption Defaults.
  3. For each group of settings, click "Click here to change these settings", and then follow the instructions on screen.
  4. Click Save.
  5. Apply the configuration.
Group: Password Encryption
Available in FIPS mode? No

  Setting: The password used will be the phrase

    Type a maximum of 128 characters.

    Double-byte characters are not allowed.

    Some zip tools may not support a password of this length: make sure that recipients have a suitable zip tool if you use this setting.

  Setting: The Zip file format used will be secure (AES)

    Windows recipients will require a suitable utility such as WinZip (version 9.0 or later), 7-Zip, or IZArc to access the content of the zip file.

Group: PGP
Available in FIPS mode? No

  There is no extra information about this group of settings.

Group: S/MIME
Available in FIPS mode? Yes

  Setting: Messages will be signed using the detached format

    S/MIME signatures are usually detached signatures where the signature information is separate from the text being signed. The MIME type for this is multipart/signed with the second part having a MIME subtype of application/(x-)pkcs7-signature.

    It is possible, however, for mailing list software to change the textual part and invalidate the signature.

  Setting: Messages will be signed using the opaque format

    The secured content in S/MIME messages is actually made up of Multipurpose Internet Mail Extension (MIME) body parts. A plain text message can, therefore, contain an attached signature. This is called a clear-signed message because the message can be read without verifying the signature.

    An opaque-signed message contains the message and signature combined in a single part that cannot be read except by verifying the signature.

Group: Decryption Summary
Available in FIPS mode? Yes

  There is no extra information about this group of settings.

Group: Encryption/Decryption Logging
Available in FIPS mode? Yes

  By default no information is written to the encryption and decryption logs, as these logs can get very large if a lot of messages are being decrypted or encrypted.

  We recommend that you only increase the log level temporarily to diagnose decryption or encryption problems.

Group: Original Encrypted Messages
Available in FIPS mode? Yes

  If an email message meets the following criteria, you can configure the Email Gateway to deliver the original digitally-signed or encrypted message instead of re-encrypting it when applying any relevant encryption endpoints:

  • The email message was decrypted by the Email Gateway.
  • A delivery disposal action for the message specifies that the message should be encrypted.
  • It has not been modified by policy (for example, by adding a disclaimer).

Group: Key Resolution
Available in FIPS mode? Yes

  There is no extra information about this group of settings.

Group: Automatic Encryption
Available in FIPS mode? Yes

  There is no extra information about this group of settings.

Group: Automatic Signing
Available in FIPS mode? Yes

  There is no extra information about this group of settings.

Group: Online Certificate Status Protocol
Available in FIPS mode? Yes

  OCSP is used for obtaining the revocation status of an X.509 digital certificate when verifying the signature in the S/MIME layers of a message.

  Only certificates provided by Trust Centers supporting the OCSP extension are checked. If an OCSP extension is detected within the certificate, the Email Gateway will attempt to connect to the Trust Center and verify the status of the certificate.

  The Trust Center will return a status of unknown, good or revoked. You can configure the Email Gateway (using the Digital Signature Validation clause in a content rule) to react to the returned status.

Group: Key Extraction
Available in FIPS mode? Yes

  Select the extracted keys to automatically enable for encryption when they are added to the certificate store.
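
The two S/MIME signing formats described above can be told apart from the MIME structure alone. The following Python example is added here and is not Clearswift code: the sample messages are constructed, and the application/pkcs7-mime type with smime-type=signed-data used for opaque messages comes from the S/MIME specification (RFC 8551), not from this page.

```python
from email import message_from_string

DETACHED_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def signature_format(raw):
    """Return (format, readable_text) for the outermost S/MIME layer.

    format is 'detached', 'opaque' or 'unsigned'; readable_text is the body a
    client can show without touching the signature (None when there is none).
    """
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.is_multipart():
        parts = msg.get_payload()
        # Detached: part 1 is the signed content, part 2 only the signature.
        if len(parts) == 2 and parts[1].get_content_type() in DETACHED_SIG:
            body = parts[0]
            is_text = body.get_content_type() == "text/plain"
            return "detached", body.get_payload() if is_text else None
    elif ctype in PKCS7_MIME:
        # Opaque: content and signature share one CMS blob. smime-type
        # separates signed-data from enveloped-data (encrypted, not signed).
        kind = msg.get_param("smime-type", "")
        if isinstance(kind, str) and kind.lower() == "signed-data":
            return "opaque", None
    return "unsigned", None

# Constructed sample messages; the base64 bodies are placeholders, not real CMS.
DETACHED = """\
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Quarterly figures attached.
--b1
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
OPAQUE = """\
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAAA
"""
ENCRYPTED = OPAQUE.replace("signed-data", "enveloped-data")
```

The detached sample yields its text without any signature check, which is also why an intermediary that rewrites that text part invalidates the signature; the opaque sample yields no readable text until the CMS blob is processed.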

© 1995–2018 Clearswift Ltd.