I Q.S UITE C RYPT - E NCRYPTION WITH S/MIME
7.8 Encryption with S/MIME
7.8.1 Sample Job: Encrypting Emails with S/MIME
Copy the Encrypt/Sign with S/MIME job to MAIL TRANSPORT JOBS. Activate the job56.
If encryption is configured for a sender-recipient combination, such a sender will normally be unable to send an unencrypted email to one of the configured recipi-ents. However, it could be desirable to reach some of these recipients with an unencrypted email. To do this, select in the iQ.Suite a command: CONDITIONS ->
CONDITION: ...WITHFOLLOWINGSUBJECTCOMMAND. When the sender add this com-mand to the email‘s subject line, the job will not be executed and the email will be sent in unencrypted form.
Searching for the command is not case-sensitive. The search is stopped as soon as the command has been found and it is removed from the subject.
5. Open the Crypt Engine tab:
In the Crypt Engine tab, specify the encryption method for this job.
56. This example only illustrates the job-specific details. For a description of the settings under stan-dard tabs, please refer to “Stanstan-dard Tabs of Mail Transport Jobs” on page 51.
The subject command may only contain characters from the 7-bit ASCII charac-ter set (US-ASCII - 126 characcharac-ters possible).
The conditions set in both the Addresses and Conditions tabs must come true for the job to be run (logical AND).
IQ.SUITE CRYPT - ENCRYPTIONWITH S/MIME
Select method: Select ‘S/MIME’ for encryption.
Select crypt engine: Select the previously configured Crypt engine for S/MIME2.Specify in the following fields how exception emails (special cases) are to be handled, e.g. TNEF emails:
‘Ignore’: The email is passed to the next job without being further processed by this job. The email is not encrypted.
‘Execute actions’: The actions specified in the Actions tab are performed.
‘Proceed’: The job processes the email like those that do not fall into this category.The special cases are:
When emails is in TNEF format, then: The Outlook TNEF format cannot be processed by iQ.Suite Crypt. The TNEF format is used by Exchange when an Outlook user (not Outlook Express!) sends an email within an Exchange organization. This format is not used for communication via the Internet or when using other email clients.
When email is already S/MIME or PGP/MIME encrypted/signed, then:Emails that arrive on the server have been encrypted and/or signed with S/MIME or PGP/MIME by the client, i.e. by the internal user. In your corporate email policies, specify how such emails are to be handled.
When email is already S/MIME or PGP/MIME signed only, then: Emails that arrive on the server have been signed with S/MIME or PGP/MIME by the client, i.e. by the internal user. In your corporate email policies, specify how such emails are to be handled.
Certificate options: These fields work only properly when using the‘S/MIME 2’ Crypt engine. If you are using the outdated Crypt engine
‘S/MIME’, please keep the preconfigured job settings.
‘Ignore certificate purpose’: The certificate purpose defines the usage of the certificate, e.g. “server authentification” or “encryption”. If you enable this option, the iQ.Suite will ignore the intended purpose specified within the certificate. With this, the Crypt job is executed even if the intended purpose and the job functionality do not match, e.g. the intended purpose‘encryption’ with a job for signature creation.
‘Allow expired certificates for encryption’: For email encryption, expired certificates are not used from Crypt jobs, by default. Enable this option if the emails are to be encrypted though the corresponding certificate is expired.
‘Allow expired certificates for signing’: For signature creation, expired cer-tificates are not used from Crypt jobs, by default. Enable this option if the emails are to be signed though the corresponding certificate is expired.
‘Allow unknown trust status for encryption’: By default, certificates with the trust status “trusted” are used from Crypt encryption jobs only. Enable this option to use certificates with the trust status “unknown”.
‘KeyManager tenant’: This field is relevant for iQ.Suite KeyManager only.Keep this field empty.
6. Open the Crypt Mode tab:
In the Crypt Mode tab, specify the encryption mode and security settings (VPN channel) to be called with this job.
IQ.SUITE CRYPT - ENCRYPTIONWITH S/MIMEThe Crypt Mode selected in this example is ‘Sign and encrypt’. The available options are:
‘Sign and encrypt’: The email is signed and encrypted.
‘Encrypt’: The email is encrypted but not signed.
‘Sign’: The email is signed but not encrypted.The individual options show the possible security settings for outgoing emails (VPN channels). The options only apply to encryption, since signatures are added with the private key. Signing fails if this certificate is missing, in which case the actions specified in the Actions tab are performed.
‘Optional encryption’: The emails are encrypted with the existing public keys.Any emails to recipients for whom no valid key is available are sent unencryp-ted and, if configured, the information from the Subject extension field (General tab) is added to the email subject.
‘Low security’: Emails are encrypted with the existing public keys. Emails to recipients for whom a valid key exists are sent encrypted. For all recipients without a valid key, the actions specified in the Actions tab are performed.
‘Medium security’: Emails are encrypted with the available public keys only if at least one valid key exists. All outgoing emails are encrypted. Recipientswith a valid key can open the emails with their private key. Thus, recipients without a valid private key that matches one of the public keys used will not be able to open the encrypted emails. The actions specified in the Actions tab are performed only if no valid key exists at all.
‘High security’: Emails are encrypted with the available public keys only if valid keys exist for all recipients. The actions specified in the Actions tab are performed as soon as one key is invalid or missing.
‘Send additional user information for KeyManager certificate request’: This option is relevant for iQ.Suite KeyManager only.7. Open the Mapping tab:
In the Mapping tab, specify the type of address mapping for encryption and, if necessary, create your own mapping table. You can, for example, use a mapping table to use one certificate for a certain group of communication partners (e.g. a company certificate of a business partner). With the address mapping, this company certificate will be used for all recipients of the partner company.
Jobs are performed only for recipients specified in the Addresses tab. If you enter only the communication partners with a valid public key, you can select a high security setting to create tap-resistant channels without missing certificates triggering the actions specified in the Actions tab. Create a separate job for each security setting, i.e. in order to send mail at maximum security to some reci-pients while offering others optional decryption, set up two jobs.
IQ.SUITE CRYPT - ENCRYPTIONWITH S/MIME
‘First use mapping list below’: The entries in the user-defined mapping table below have priority. If this table contains a key ID for a recipient address, the job looks for this key ID in the local Windows certificate store and uses the associated certificate. The encryption job looks for a key ID under the recipi-ent address in the certificate store only if no suitable recipi-entry has been found in the mapping table. In this case, the key ID must be the email address in the certificate. This setting is advisable for implementing encryption with a speci-fic company through secure VPN channels.
‘First use public key ring’: The entries in the certificate store have priority. If no entry matching the recipient address is found in the certificate store, the job looks for a key ID in the mapping table below.
‘Use public key ring only’ (default): Certificates are exclusively searched for in the certificate store by way of the recipient address. In this case, the mapping table is not enabled. Any table entries are kept.
‘Use global mappings’: If specific recipient addresses are to be used in multi-ple Crypt jobs, you can create these addresses as "global mappings". Refer to “Global Mappings” on page 146.Enable this option if you want the job to use all recipient addresses defined as global. Please note that local addresses are read before the global addres-ses.