
Secure Message policy

You can use Secure Message policies to secure emails and control the way users access their secure incoming emails.

This option is only available with an Email Advanced license.

You can apply rules to different users, groups of users and domains. You can add external users and domains to policies, not just those in your organization.

You use Secure Message policies in a similar way to other policies in Sophos Central. See Create or Edit a Policy.

To find out more about the security methods we use and how they interact, see Secure message methods.

You can also clone policies. See Cloning a policy.

Migration policies

The Secure Message policy replaces the options that were available in General Settings to control message security settings.

When we migrated you, we created new Secure Message policies containing your TLS settings and encryption settings from General Settings. We added the users and domains you were protecting to the migration policies.

You can see the new policies we created for you in My Products > Email Protection > Policies > Secure Message. The policy names all start with Migrated and describe the purpose of the settings they replaced.

We've finished migrating now, so you can edit, delete, or merge your policies. You can also change the name and remove Migrated, if you want.

Create a Secure Message policy

To create a Secure Message policy, do as follows:

  1. Go to My Products > Email Protection > Policies.
  2. Click Add Policy.
  3. Select Secure Message and click Continue.
  4. Enter a name for the policy.
  5. Add INTERNAL users, groups, or domains for the policy.

    The policy applies to users in any of the users, groups, or domains lists. You can hover over a user's name to see their email address.

  6. Add EXTERNAL users and domains for the policy, if you want to.

    The policy applies if accounts in the internal users, groups, or domains lists send messages to addresses or domains in your external list. See External users and domains.

  7. Click Settings and select Inbound or Outbound.

To change the settings for inbound messages, do as follows:

  1. Turn on Secure inbound messages.
  2. In Select the method to secure messages, choose one of the following:

    • Secure using TLS
    • Secure using S/MIME
  3. Based on the security method you selected, do one of the following:

    • If you selected TLS, choose one of the following:

      • Preferred TLS 1.3: If the sender doesn't support TLS 1.3, TLS 1.2 is used. If the sender also doesn't support TLS 1.2, the messages are rejected, unless unencrypted delivery is turned on.
      • Required TLS 1.3: If the sender doesn't support TLS 1.3, messages are rejected.
      • Required TLS 1.2: If the sender doesn't support TLS 1.2, messages are rejected.

      Note

      You can allow unencrypted delivery if the sender doesn't support TLS.

      Warning

      If you select Required TLS 1.3 or Required TLS 1.2, email can only be exchanged over the TLS version you select. A sender that can't negotiate that exact version is rejected.

      We recommend Preferred TLS 1.3, which attempts TLS 1.3 first and falls back to TLS 1.2 if needed. This is more flexible and less likely to break the message exchange with senders that don't yet support TLS 1.3.

      By default, we try to secure messages by sending them over TLS whenever a TLS connection is feasible.

    • If you selected S/MIME, you can choose to verify and decrypt messages.

      For more details on S/MIME for inbound messages, see Inbound message processing.

  4. Click Policy enforced to turn the policy on or off.

    Note

    You can also set a date and time to disable the policy.

  5. Click Save.

The new policy appears in your list.
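
The TLS choices above (and the same Preferred/Required choices in the outbound procedure that follows) decide, per connection, which protocol version is acceptable and what happens when the peer can't meet it. The following script is an added example, not Sophos code: it models each setting as a decision function, builds a Python ssl context with the matching version bounds, and can probe a mail host with STARTTLS to see which setting it would pass. The names PolicyMode, decide_delivery, build_context and probe_starttls are invented here, and the fallback ordering (Push Encryption before unencrypted delivery, fallbacks applying in every mode) is this example's assumption, not a statement about the product.

```python
"""Model of the Secure Message TLS settings: Preferred TLS 1.3, Required TLS 1.3,
Required TLS 1.2, plus the unencrypted-delivery and Push Encryption fallbacks.

Added example, not Sophos code. PolicyMode, build_context, decide_delivery and
probe_starttls are names invented here; the fallback rules encode the page's
wording and are assumptions about the product's exact behaviour.
"""
import smtplib
import ssl
import sys
from enum import Enum


class PolicyMode(Enum):
    PREFERRED_TLS13 = "Preferred TLS 1.3"   # try 1.3, fall back to 1.2
    REQUIRED_TLS13 = "Required TLS 1.3"     # 1.3 only
    REQUIRED_TLS12 = "Required TLS 1.2"     # 1.2 only


# Versions each mode will accept, best first. TLS 1.0 and 1.1 never appear,
# matching the note that they are unsupported.
ACCEPTABLE = {
    PolicyMode.PREFERRED_TLS13: ("TLSv1.3", "TLSv1.2"),
    PolicyMode.REQUIRED_TLS13: ("TLSv1.3",),
    PolicyMode.REQUIRED_TLS12: ("TLSv1.2",),
}

# (minimum, maximum) protocol bounds to enforce on a real handshake.
_BOUNDS = {
    PolicyMode.PREFERRED_TLS13: (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3),
    PolicyMode.REQUIRED_TLS13: (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3),
    PolicyMode.REQUIRED_TLS12: (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
}


def build_context(mode: PolicyMode) -> ssl.SSLContext:
    """SSLContext enforcing the mode's version bounds.

    A Required mode pins minimum and maximum to the same version, so a peer
    offering only another version fails the handshake instead of silently
    downgrading. Certificate verification stays on (create_default_context).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version, ctx.maximum_version = _BOUNDS[mode]
    return ctx


def decide_delivery(mode, peer_versions, allow_unencrypted=False, push_fallback=False):
    """Outcome for one message given the TLS versions the peer supports.

    peer_versions: strings as returned by SSLSocket.version(), for example
    {"TLSv1.2", "TLSv1.3"}; an empty set means the peer offers no STARTTLS.
    Returns "TLSv1.3" or "TLSv1.2" (delivered over that version), "push"
    (outbound fallback to Push Encryption), "plaintext" (unencrypted delivery
    allowed) or "reject". Assumption: fallbacks apply in every mode, and Push
    Encryption wins over plaintext when both are enabled.
    """
    for version in ACCEPTABLE[mode]:
        if version in peer_versions:
            return version
    if push_fallback:
        return "push"
    if allow_unencrypted:
        return "plaintext"
    return "reject"


def probe_starttls(host, mode, port=25, timeout=10):
    """Attempt STARTTLS against a mail host under the mode's constraints.

    Returns the negotiated version string, "no-starttls" if the peer does not
    advertise STARTTLS, or None if the handshake failed (the peer cannot meet
    the mode). Needs network access; the offline demo below does not call it.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as server:
        server.ehlo()
        try:
            server.starttls(context=build_context(mode))
        except smtplib.SMTPNotSupportedError:
            return "no-starttls"
        except ssl.SSLError:
            return None
        return server.sock.version()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python tls_policy.py mx.example.net   (hypothetical host)
        for mode in PolicyMode:
            print(f"{mode.value}: {probe_starttls(sys.argv[1], mode)}")
    else:
        # Offline demo over constructed peer profiles.
        peers = {"modern": {"TLSv1.2", "TLSv1.3"}, "legacy": {"TLSv1.2"},
                 "obsolete": {"TLSv1.0", "TLSv1.1"}, "no-tls": set()}
        for mode in PolicyMode:
            for name, versions in peers.items():
                print(f"{mode.value:18} {name:9} -> "
                      f"{decide_delivery(mode, versions, push_fallback=True)}")
```

Run it with no arguments for the decision table, or with a hostname to see which of the three settings a real recipient MX can satisfy before you tighten an outbound policy to a Required mode.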

To change the settings for outbound messages, do as follows:

  1. Turn on Secure outbound messages.
  2. In Select the method to secure messages, choose one of the following:

    • Secure using TLS
    • Secure using S/MIME
    • Push Encryption

      • Encrypt entire message
      • Encrypt attachments only
    • Portal Encryption

      Note

      You need a Sophos Email Portal Encryption add-on license to use Portal Encryption. You also need to create a new Secure Message policy.

  3. Based on the security method you selected, do one of the following:

    • If you selected TLS, select the preferred TLS version.

      Note

      • If the recipient doesn't support TLS, you have two options:

        • Allow unencrypted delivery
        • Use Push Encryption (recommended)
      • We don't support TLS 1.1 or TLS 1.0 due to security concerns. If the recipient supports neither TLS 1.3 nor TLS 1.2, the message can't be delivered over TLS. We recommend selecting Fallback to push encrypt the entire message to avoid delivery issues.

      For more details about outbound TLS authentication, see TLS authentication.

    • If you selected a push or portal encryption option, choose the language for the notification and registration messages we send to the recipient.

      For more details about push and portal encryption, see Push Encryption and Portal Encryption.

    • If you selected S/MIME, you can choose to sign and encrypt messages.

      For more details on S/MIME for outbound messages, see Inbound message processing.

  4. In Choose how to secure, you can let users decide which messages to encrypt, or encrypt all of them.

    If you've deployed the Sophos Outlook Add-in for Office 365 users, you can set a subject line tag that is added to secured outbound messages.

    Emails whose subject starts with a tag are encrypted; all others are sent unencrypted.

    Warning

    The default subject line tag for Secure Message policies is secure:. This always takes effect, even if you have set other tags in your policy.

    If a user tags an email subject with secure:, and if a policy is set to match against messages with subject tags, the Secure Message policy that applies to the message is triggered.

  5. Click Policy enforced to turn the policy on or off.

    Note

    You can also set a date and time to disable the policy.

  6. Click Save.

The new policy appears in your list.
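
The subject-tag rule in step 4 above (encrypt a message only when its subject starts with a tag, with secure: always active alongside any tags you configure) is shown here as an added example, not Sophos code. It parses raw messages with Python's email package so that the check runs on the decoded, unfolded Subject header rather than the raw bytes. The names DEFAULT_TAG, active_tags, matching_tag and should_encrypt are invented here; that matching is case-insensitive, ignores leading whitespace and decodes RFC 2047 encoded words are this example's assumptions, not details the page states.

```python
"""Subject-tag check for the "let users decide" mode of a Secure Message policy.

Added example, not Sophos code; the names here are invented. Assumptions
beyond the page: the match is case-insensitive, leading whitespace is ignored,
and RFC 2047 encoded-word subjects are decoded before the tag is checked.
"""
from email import message_from_bytes
from email.policy import default as DEFAULT_POLICY

DEFAULT_TAG = "secure:"  # always in force, per the warning above


def active_tags(configured=()):
    """Tags actually in force: the default plus any policy-specific tags."""
    tags = {DEFAULT_TAG}
    tags.update(t.strip().lower() for t in configured if t.strip())
    return tags


def decoded_subject(raw: bytes) -> str:
    """Parse a raw RFC 5322 message and return its decoded, unfolded Subject.

    email.policy.default decodes encoded words and unfolds continuation lines,
    so the tag test below sees what the user typed in the client.
    """
    msg = message_from_bytes(raw, policy=DEFAULT_POLICY)
    subject = msg["Subject"]
    return "" if subject is None else str(subject).strip()


def matching_tag(raw: bytes, configured=()):
    """Return the tag found at the start of the subject, or None.

    Longest tags are tried first so a configured tag that extends the default
    (for example "secure:all") is reported rather than the shorter prefix.
    """
    subject = decoded_subject(raw).lower()
    for tag in sorted(active_tags(configured), key=len, reverse=True):
        if subject.startswith(tag):
            return tag
    return None


def should_encrypt(raw: bytes, configured=(), encrypt_all=False) -> bool:
    """Policy decision: encrypt everything, or only tagged subjects."""
    return encrypt_all or matching_tag(raw, configured) is not None


# Constructed sample messages for the demo (not captured traffic).
MSG_TAGGED = b"From: a@example.com\nTo: b@example.net\nSubject: Secure: Q3 payroll\n\nbody\n"
MSG_REPLY = b"From: b@example.net\nTo: a@example.com\nSubject: Re: secure: Q3 payroll\n\nbody\n"
MSG_ENCODED = b"From: a@example.com\nTo: b@example.net\nSubject: =?utf-8?q?secure=3A_Vertraulich?=\n\nbody\n"
MSG_FOLDED = b"From: a@example.com\nTo: b@example.net\nSubject: secure:\n confidential report\n\nbody\n"
MSG_CUSTOM = b"From: a@example.com\nTo: b@example.net\nSubject: [Encrypt] contract draft\n\nbody\n"
MSG_PLAIN = b"From: a@example.com\nTo: b@example.net\nSubject: lunch?\n\nbody\n"

if __name__ == "__main__":
    samples = [("tagged", MSG_TAGGED), ("reply", MSG_REPLY), ("encoded", MSG_ENCODED),
               ("folded", MSG_FOLDED), ("custom", MSG_CUSTOM), ("plain", MSG_PLAIN)]
    for name, raw in samples:
        print(f"{name:8} subject={decoded_subject(raw)!r:40} "
              f"tag={matching_tag(raw, configured=['[encrypt]'])}")
```

Note the reply case: a tag that appears after "Re:" does not sit at the start of the subject, so the message is not encrypted; users replying to a secured thread need to re-tag the subject or be covered by an encrypt-all policy.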

External users and domains

You can apply policies to external users and domains as well as your own. You can apply the policies to both inbound and outbound messages.

When you create or edit a policy, click the EXTERNAL tab.

You can add individual email addresses or domains, or import them from a file. You can include or exclude your list from the policy. The default is Include all.

Cloning a policy

If you want to apply similar settings to another set of users, you can clone a policy.

Cloned policies are set to Policy Bypassed by default.

To clone a policy, do as follows:

  1. Go to My Products > Email Protection > Policies.
  2. Select the policy you want to clone.
  3. Click Clone.
  4. In Clone Policy, edit the name of the new policy, and then click Continue.

    The new policy appears.

    When the base policy is cloned, the new policy has no users, groups, or domains. You must select these before using the cloned policy.

  5. Click Save.

  6. Check that the cloned policy is correct, and then click Policy Bypassed > Policy is enforced to turn it on.

By default, the cloned policy takes priority over the original policy. You can change the priority. See How are policies prioritized?.