Secure Message policy
You can use Secure Message policies to secure emails and control the way users access their secure incoming emails.
This option is only available with an Email Advanced license.
You can apply rules to different users, groups of users and domains. You can add external users and domains to policies, not just those in your organization.
You use Secure Message policies in a similar way to other policies in Sophos Central. See Create or Edit a Policy.
To find out more about the security methods we use and how they interact, see Secure message methods.
Migration policies
The Secure Message policy replaces the options that were available in Global Settings to control message security settings.
When we migrated you, we created new Secure Message policies containing your TLS settings and encryption settings from Global Settings. We added the users and domains you were protecting to the migration policies.
You can see the new policies we created for you in Email Security > Policies > Secure Message. The policy names all start with Migrated and describe the purpose of the settings they replaced.
We've finished migrating now, so you can edit, delete, or merge your policies. You can also change the name and remove Migrated, if you want.
Create a Secure Message policy
To create a Secure Message policy, do as follows.
- Go to Email Security > Policies.
- Click Add Policy.
- Select Secure Message and click Continue.
- Enter a name for the policy.
- Add Internal users, groups, or domains for the policy. The policy applies to users in any of the users, groups, or domains lists.
  You can hover over a user's name to see their email address.
- Add External users and domains for the policy, if you want to. The policy applies if accounts in the internal users, groups, or domains lists send messages to addresses or domains in your external list. See External users and domains.
- Click Settings and select Inbound or Outbound.
To change the settings for inbound messages, do as follows.
- Turn on Secure inbound messages.
- In Select the method to secure messages, choose from the following:
  - Secure using TLS
  - Secure using S/MIME
- If you selected TLS, choose from the following:
  - Preferred TLS 1.3. If the sender doesn't support TLS 1.3, TLS 1.2 is used.
  - Required TLS 1.3. If the sender doesn't support TLS 1.3, messages are rejected, unless unencrypted delivery is turned on.
  - Required TLS 1.2. If the sender doesn't support TLS 1.2, messages are rejected, unless unencrypted delivery is turned on.
  You can allow unencrypted delivery, if the sender doesn't support TLS.
  Warning
  If you select Required TLS 1.3 or Required TLS 1.2, this stops email communication over any TLS version other than the one you select.
  We recommend Preferred TLS 1.3, which attempts TLS 1.3, and then switches to TLS 1.2, if needed. This is more flexible and is less likely to cause a breakdown in message exchange.
- If you selected S/MIME, you can choose to verify and decrypt messages.
  For more details on S/MIME for inbound messages, see Inbound message processing.
- Click Policy enforced to turn the policy on or off. You can also set a date and time to disable the policy.
- Click Save.
The new policy appears in your list.
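Before changing an inbound policy from Preferred to Required, it helps to know which senders have never negotiated the required TLS version. The following is an added example, not Sophos code: it assumes you have collected the Received header stamped by your own receiving gateway on each message (earlier hops are written by the sender and can't be trusted), and that it records the TLS version in Postfix style (`using TLSv1.3`) or Gmail style (`version=TLS1_2`). The host names and header lines are constructed.

```python
import re

# Matches "TLSv1.3" (Postfix style) and "TLS1_2" (Gmail style),
# but not cipher names such as "TLS_AES_256_GCM_SHA384".
TLS_RE = re.compile(r"TLSv?(\d)[._](\d)")
HOST_RE = re.compile(r"^from\s+(\S+)")

# Constructed sample: one gateway-written Received header per message.
SAMPLE_HEADERS = [
    "from mail.partner-a.example (mail.partner-a.example [192.0.2.10]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mx.example.org",
    "from smtp.partner-b.example (smtp.partner-b.example [192.0.2.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by mx.example.org",
    "from out.partner-c.example (out.partner-c.example [192.0.2.30]) by mx.example.org with ESMTPS (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128)",
    "from legacy.partner-d.example (legacy.partner-d.example [192.0.2.40]) by mx.example.org with ESMTP",
    "from mail.partner-a.example (mail.partner-a.example [192.0.2.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by mx.example.org",
]

def best_tls_by_host(headers):
    """Map each sending host to the highest TLS version seen, or None if only cleartext."""
    best = {}
    for line in headers:
        host = HOST_RE.match(line.strip())
        if not host:
            continue  # not a Received value we understand; skip rather than guess
        tls = TLS_RE.search(line)
        version = (int(tls.group(1)), int(tls.group(2))) if tls else None
        name = host.group(1).lower()
        prev = best.get(name)
        if name not in best or (version is not None and (prev is None or version > prev)):
            best[name] = version
    return best

def at_risk(headers, required=(1, 3)):
    """Hosts never observed at `required` or above. Under a Required setting their
    mail is rejected unless unencrypted delivery is turned on. An observed version
    is evidence of support, not proof; a host seen at a higher version is assumed
    to handle the lower one too."""
    return {h: v for h, v in best_tls_by_host(headers).items()
            if v is None or v < required}

if __name__ == "__main__":
    for host, v in sorted(at_risk(SAMPLE_HEADERS).items()):
        seen = "no TLS" if v is None else "TLS %d.%d" % v
        print(f"{host}: best observed {seen}, affected by Required TLS 1.3")
```

Hosts the function returns are the ones to contact, or to leave on a Preferred TLS 1.3 policy, before a Required setting is enforced for them.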
To change the settings for outbound messages, do as follows.
- Turn on Secure outbound messages.
- In Select the method to secure messages, choose from the following:
  - Secure using TLS
  - Secure using S/MIME
  - Push Encryption
    - Encrypt entire message
    - Encrypt attachments only
  - Portal Encryption
- If you selected TLS, select the preferred TLS version.
  You can choose to use push encryption if the recipient doesn't support the preferred TLS version. We recommend this.
  You can allow unencrypted delivery of messages if the sender doesn't support TLS.
  You can choose to verify certificates.
- If you selected a push or portal option, choose the language for the notification and registration messages we send to the recipient.
  For more details about push and portal encryption, see Secure message methods.
- If you selected S/MIME, you can choose to sign and encrypt messages.
  For more details on S/MIME for outbound messages, see Inbound message processing.
- In Choose how to secure, you can let users decide which messages to encrypt, or encrypt all of them.
  If you've deployed the Sophos Outlook Add-in for Office 365 users, you can set a subject line tag that will be added to secured outbound messages.
- Click Policy enforced to turn the policy on or off. You can also set a date and time to disable the policy.
- Click Save.
The new policy appears in your list.
External users and domains
You can apply policies to external users and domains as well as your own. You can apply the policies to both inbound and outbound messages.
When you create or edit a policy, click the External tab.
You can add individual email addresses or domains, or import them from a file. You can include or exclude your list from the policy. The default is Include all.