
Secure message methods

Sophos Email uses different methods of securing and encrypting messages. When we can't use a method, we move on to the next most secure method. You can control the order in which we apply security methods.

Here you can find out how each method works and how they work together. If we're unable to use a particular method, we use a different one, depending on your environment and the environment of those you communicate with.

Note

You must turn on TLS on your email server or email service to use any of these secure message methods.

Do this before you configure your secure message methods. If you don't, the connection between Sophos and your email server or service breaks, and you aren't able to send or receive emails.

We recommend TLS 1.3. The cipher string is 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'. For more information, see FIPS mode and TLS.

In a Secure Message policy, you can choose from the following methods.

  • Secure using TLS: This uses push-based email encryption using AES 256 during email transport. Users manage their encrypted emails with their usual email client.
  • Secure using S/MIME: You exchange certificates and keys with organizations you communicate with. S/MIME signs messages; they're not necessarily encrypted.
  • Push Encryption: Outbound messages only. Encrypted emails are converted to PDF files and attachments are natively encrypted. These are delivered to the users' email client.
  • Portal Encryption: Outbound messages only. This delivers encrypted emails to Sophos Secure Message. Recipients manage their secured emails in Sophos Secure Message.

TLS authentication

Transport Layer Security (TLS) prevents eavesdropping and tampering with messages in transit.

In a Secure Message policy, you can choose TLS versions. You can also choose the action to take if the sender or recipient doesn't have the right TLS version, or doesn't support TLS.

  • Preferred TLS 1.3: If the sender doesn't support TLS 1.3, TLS 1.2 is used.
  • Required TLS 1.3: If the sender doesn't support TLS 1.3, messages are rejected. Outbound messages can be sent using push encryption instead.
  • Required TLS 1.2: If the sender doesn't support TLS 1.2, messages are rejected. Outbound messages can be sent using push encryption instead.

Warning

If you select Required TLS 1.3 or Required TLS 1.2, this stops email communication over any TLS version other than the one you select.

We recommend Preferred TLS 1.3, which attempts TLS 1.3, and then switches to TLS 1.2, if needed. This is more flexible and is less likely to cause a breakdown in message exchange.

If the message can't be delivered over TLS, you can select Fallback to push encrypt the entire message, so the message is sent as a push-encrypted email.

You can choose to allow unencrypted delivery of messages, if the sender doesn't support TLS. We don't recommend this.

You can also choose to verify certificates for outbound TLS connections. If you select Required TLS 1.3 or Required TLS 1.2, you can click Verify certificate. The TLS certificate will be verified to ensure it was issued for the recipient domain. If the check fails, the message won't be delivered.
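The settings above combine into a small decision procedure: the TLS mode decides which version is negotiated, the fallback and unencrypted options decide what happens when no allowed version is available, and Verify certificate adds a name check on top of a Required mode. The Python below is an added illustration of that procedure, not Sophos code: the mode and outcome names are invented for the example, the certificate check is a hostname match of the certificate's DNS names against the recipient domain (one leftmost wildcard label, as in RFC 6125), and the direction-specific fallbacks (push encryption for outbound, unencrypted delivery for inbound) follow the page's wording.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative policy mode names; the product's own identifiers are not on the page.
PREFERRED_TLS13 = "preferred_tls13"   # try TLS 1.3, then TLS 1.2
REQUIRED_TLS13 = "required_tls13"     # TLS 1.3 only
REQUIRED_TLS12 = "required_tls12"     # TLS 1.2 only


@dataclass
class TlsPolicy:
    mode: str
    fallback_to_push: bool = False    # outbound: "Fallback to push encrypt the entire message"
    allow_unencrypted: bool = False   # inbound: accept plaintext when the sender has no TLS (not recommended)
    verify_certificate: bool = False  # outbound, only with a Required mode: "Verify certificate"


def negotiate(policy: TlsPolicy, peer_versions) -> Optional[str]:
    """Pick the TLS version the policy allows from the versions the peer supports, or None."""
    supported = set(peer_versions)
    if policy.mode == PREFERRED_TLS13:
        for version in ("TLSv1.3", "TLSv1.2"):
            if version in supported:
                return version
        return None
    if policy.mode == REQUIRED_TLS13:
        return "TLSv1.3" if "TLSv1.3" in supported else None
    if policy.mode == REQUIRED_TLS12:
        return "TLSv1.2" if "TLSv1.2" in supported else None
    raise ValueError(f"unknown policy mode {policy.mode!r}")


def cert_name_matches(cert_names, domain: str) -> bool:
    """True if one of the certificate's DNS names covers the recipient domain.

    A wildcard is only honoured as the whole leftmost label and stands in for
    exactly one label, so *.example.com covers mail.example.com but not
    example.com or a.b.example.com.
    """
    domain = domain.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == domain:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            head = domain[: -len(suffix)] if domain.endswith(suffix) else ""
            if head and "." not in head:
                return True
    return False


def decide(policy: TlsPolicy, direction: str, peer_versions,
           cert_names=(), recipient_domain: str = ""):
    """Return (outcome, tls_version) for one message under the policy."""
    version = negotiate(policy, peer_versions)
    if version is None:
        # No version the policy allows: the page's per-direction fallbacks, else reject.
        if direction == "outbound" and policy.fallback_to_push:
            return ("push_encrypt", None)
        if direction == "inbound" and policy.allow_unencrypted:
            return ("accept_unencrypted", None)
        return ("reject", None)
    required = policy.mode in (REQUIRED_TLS13, REQUIRED_TLS12)
    if direction == "outbound" and required and policy.verify_certificate:
        if not cert_name_matches(cert_names, recipient_domain):
            # Certificate was not issued for the recipient domain: not delivered.
            return ("reject", version)
    return ("deliver_tls", version)


if __name__ == "__main__":
    strict = TlsPolicy(REQUIRED_TLS13, fallback_to_push=True)
    print(decide(strict, "outbound", ["TLSv1.2"]))          # ('push_encrypt', None)
    checked = TlsPolicy(REQUIRED_TLS12, verify_certificate=True)
    print(decide(checked, "outbound", ["TLSv1.2"],
                 cert_names=["*.example.com"], recipient_domain="mail.example.com"))
```

Running the module prints the two sample decisions; the preferred mode is the one that never reaches the fallback branch as long as the peer offers TLS 1.2 or 1.3, which is why the page recommends it.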

You can view the TLS version details through Message History. In Message History, you can filter the messages by selecting Secure message in Category and then selecting a TLS version you want to use for filtering in Sub Category.

TLS in Message History.

To know more about the message, click the subject to view its details. In Message Details, hover over any ellipsis (three dots) in Status, and you'll see that the connection is secured over TLS. You can also see the TLS version being authenticated.

Note

If Sophos Email was unable to check the issuing CA signature, then SMTP Text will state that the TLS delivery was untrusted.

Hover text showing TLS in Message Details.

S/MIME protection

You can protect messages using Secure/Multipurpose Internet Mail Extensions (S/MIME). It can protect inbound messages, outbound messages, or both.

You must turn on and set up S/MIME protection in My Products > General Settings > S/MIME settings > Secure MIME Settings before you can use it in policies. See S/MIME settings.

You can verify inbound messages against the certificates attached to the emails.

Sophos Email Security can't verify inbound messages signed by a third party's self-signed certificate until they send you their certificate. You must upload these certificates in My Products > General Settings > S/MIME settings > External S/MIME Certificates. See External S/MIME Certificates.

If Sophos Email Security doesn't have all the S/MIME certificates to encrypt and sign an outgoing message, we try to encrypt the message using Push Encryption instead. See Outbound message processing.

You can decrypt inbound messages and encrypt outgoing messages.

You can choose the following actions to take if a message fails an S/MIME check.

  • Quarantine, delete, or deliver inbound emails with a message added to the subject line to alert the recipient.
  • Delete, quarantine, deliver, or bounce outbound emails.
  • For outbound messages, you can select Push encrypt entire message on release. See Outbound message processing.

Inbound message processing

For inbound messages, if you only configure one of the S/MIME options (Verify inbound messages or Decrypt inbound messages), only the outer layer of the message is processed. If the selected option doesn't match the inbound message type, the message fails.

For inbound messages, you can set the failure action to Deliver if messages are to be verified or decrypted after Sophos Email Security has processed them. For example, a user could have their certificates and private keys stored in their email software.

For example, if you've selected Verify inbound messages and the message isn't signed, the message fails. Or, if you've selected Decrypt inbound messages and the message isn't encrypted, the message fails.

The way inbound messages are processed depends on which S/MIME settings are turned on.

If you set Verify inbound messages on, and Decrypt inbound messages off, the messages are processed as follows.

  • Encrypted, then signed: Message verified and delivered. If verification fails, we take your chosen action. We don't decrypt the message.
  • Signed, then encrypted: No S/MIME actions. We take your chosen action.
  • Signed, not encrypted: Message verified and delivered. If verification fails, we take your chosen action.
  • Encrypted, not signed: No S/MIME actions. We take your chosen action.
  • Not signed or encrypted: No S/MIME actions, message delivered.

If you set Verify inbound messages off, and Decrypt inbound messages on, the messages are processed as follows.

  • Encrypted, then signed: No S/MIME actions. We take your chosen action.
  • Signed, then encrypted: Message decrypted and delivered. If decryption fails, we take your chosen action.
  • Signed, not encrypted: No S/MIME actions. We take your chosen action.
  • Encrypted, not signed: Message decrypted and delivered. If decryption fails, we take your chosen action.
  • Not signed or encrypted: No S/MIME actions, message delivered.
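Both lists above are instances of one rule: only the outermost S/MIME layer is looked at, a plain message is delivered, and the message fails unless the option you turned on matches that outer layer. The outer layer can be read from the top-level Content-Type: `multipart/signed` or `application/pkcs7-mime; smime-type=signed-data` means the signature is outermost ("encrypted, then signed" or "signed, not encrypted"), while `smime-type=enveloped-data` means encryption is outermost ("signed, then encrypted" or "encrypted, not signed"). The Python below is an added example, not Sophos code; the sample messages are constructed, with placeholder bodies where the signature and ciphertext would be, and the `check_passes` flag stands in for the actual signature verification or decryption result, which is not modelled.

```python
from email import message_from_string
from email.message import Message

# Constructed samples: real headers, placeholder bodies.
SIGNED_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: constructed clear-signed sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=us-ascii

Quarterly figures attached.
--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

(signature bytes omitted)
--sig-boundary--
"""

ENCRYPTED_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: constructed enveloped sample
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

(ciphertext omitted)
"""

PLAIN_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: constructed plain sample
Content-Type: text/plain

No S/MIME here.
"""


def outer_layer(msg: Message) -> str:
    """Classify the outermost S/MIME layer from the top-level Content-Type."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return "signed"  # clear-signed
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return "encrypted"
        if smime_type == "signed-data":
            return "signed"  # opaque-signed
        return "unknown"  # e.g. compressed-data: not a layer either option handles
    return "plain"


def inbound_action(layer: str, verify_on: bool, decrypt_on: bool,
                   failure_action: str, check_passes: bool = True) -> str:
    """Apply the page's rule to the outer layer only.

    failure_action is the chosen action (quarantine, delete or deliver).
    """
    if layer == "plain":
        return "deliver"  # no S/MIME actions, message delivered
    if layer == "signed" and verify_on:
        return "deliver" if check_passes else failure_action
    if layer == "encrypted" and decrypt_on:
        return "deliver" if check_passes else failure_action
    # The option you turned on doesn't match the outer layer: the message fails.
    return failure_action


def process_inbound(raw: str, verify_on: bool, decrypt_on: bool,
                    failure_action: str, check_passes: bool = True):
    """Parse a raw message and return (outer_layer, action)."""
    layer = outer_layer(message_from_string(raw))
    return layer, inbound_action(layer, verify_on, decrypt_on, failure_action, check_passes)


if __name__ == "__main__":
    # Verify on, decrypt off: an enveloped message has no matching option and fails.
    print(process_inbound(ENCRYPTED_SAMPLE, True, False, "quarantine"))  # ('encrypted', 'quarantine')
    # Verify off, decrypt on: the same message is decrypted and delivered.
    print(process_inbound(ENCRYPTED_SAMPLE, False, True, "quarantine"))  # ('encrypted', 'deliver')
```

Setting `failure_action` to `"deliver"` reproduces the case the page describes where users verify or decrypt in their own email software after Sophos has processed the message: the mismatch is still recorded as a failure, but the message goes through.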

Outbound message processing

Sophos Email Security can deliver messages encrypted with Push encryption if it isn't possible to use S/MIME. For example, Sophos Email Security might not have all the certificates it needs for S/MIME to work.

To turn this feature on, do as follows:

  1. In Failure Action for Outbound messages, select Quarantine or Deliver.
  2. Select Push encrypt entire message on release.

If you select Deliver and S/MIME encryption fails, Sophos Email Security uses Push encryption to encrypt the message, and sends it immediately.

If you select Quarantine and S/MIME encryption fails, Sophos Email Security uses Push Encryption to encrypt the message and sends it when you release the message from quarantine. For more information on Push Encryption, see Push Encryption.

Push Encryption

Push Encryption converts emails to PDF files. Users must be able to read PDF files.

  • Microsoft Office files, ZIP files and PDF files have built-in encryption. We may generate multiple attachments from these files.
  • We encrypt all other files, for example plain text and HTML, as PDF files. Email content is encrypted as a PDF file.
  • You need to install Adobe Reader to view encrypted emails and attachments.
  • You can view and reply to messages on mobile devices.

The first time a user is sent a secure email, Sophos Secure Message sends them a notification email. The notification email contains a link to Sophos Secure Message and asks them to set up a Sophos Secure Message password. The link in the notification email expires after 30 days.

Note

Users can only use the password for emails within the region that the original email came from. If users receive an encrypted email from another region, they need to set another password.

After setting their password, the user receives their secure email from Sophos, including any encrypted attachments. To open the secure email, the user enters the password they set.

Users reply to secure emails from their email client. They click Reply in the encrypted PDF file.

Users follow the same process whether you select Encrypt entire message or Encrypt attachments only.

Portal Encryption

You need a Sophos Email Portal Encryption add-on license to use Portal Encryption. You also need to create a new Secure Message policy.

The add-on license allows you to customize the branding of your encryption emails and the Secure Message portal.

If you turn on Portal Encryption, users manage their secured emails from Sophos Secure Message.

The first time a user is sent an encrypted email, Sophos Secure Message sends them a notification email. The notification email contains a link to Sophos Secure Message and asks them to set up a Sophos Secure Message account. The link in the notification email expires after 30 days.

Note

Users can only use the account for emails within the region that the original secured email came from. If users receive a secured email from another region, they must set up another account.

After setting up their account, the user goes to Sophos Secure Message to read and reply to their secured emails.