Example Deployment: User Registration
This example shows an SPX deployment that uses the SPX Secure Email Portal for password self-registration.
This example uses many of the default template settings. If you need to customize any of these to suit your needs, see the SPX Encryption documentation for detailed descriptions of each option.
Deploying SPX to allow user-registered passwords requires the following steps:
- Creating a template
- Configuring the portal that recipients use to register their passwords
- Configuring expiry times and password strength
- Configuring a policy rule
- Testing your configuration
Configuring SPX: Passwords Set by User-Registration
Creating a template
First, create a template. This includes customizing the appearance of
encrypted messages, setting up the SPX portal, defining the content for
messages, and specifying the method used to set passwords.
On the Configuration > Policy > Encryption page, select the SPX Encryption tab, and click Add. The template wizard launches.
On the Encrypted PDF Options page of the wizard, you can set the properties of encrypted messages, including the cover page and the page size for the page(s) containing the body of the message. In this example, you will upload a Sophos cover page, and accept the default settings for Page size and Template language. Click Preview. A sample PDF loads, allowing you to view the SPX cover page and the email layout. Click Next.
On the Password Settings page of the wizard, select Allow the message recipient to choose their own password.
Accept the default Subject line for encrypted messages. Although you can customize both the body and the subject of the email message that notifies SPX recipients of encrypted email messages, make sure that the text does not suggest contacting the sender for password information: when user registration is selected, senders do not manage recipient passwords.
Under End user password options, select Password change, Password reset, and Password recovery. This will create links in the recipient instructions (next wizard page) that allow recipients to access password management pages on the SPX portal. Accept the default number of password challenge questions (3). Recipients will be prompted to set a series of questions that they must answer if they need to reset or recover their password. Click Next.
On the Recipient Instructions page, you can edit the text as necessary to convey decryption instructions. For the sake of this example, however, accept the default text.
On the Portal Settings page, configure the
settings for the SPX portal. Make sure that Enable Secure
Reply is set to On, then select
the Sophos option for both the header and footer
images.
Note See the references at the end of this example for information about creating PDF cover pages, and custom header and footer images.
On the Template Name page, enter a descriptive
name for the template you have just created. This is the name that is
displayed in the list of templates. In the Organization
name text box, enter the name that you want to be
displayed in instructions to recipients. The text specified here is used
by the %%ORGANIZATION_NAME%% template variable. In the System
email address text box, enter the address that you want
to appear in auto-generated communications sent by the appliance. Click
Save.
View the SPX Encryption tab. You will see the new template that has been created. If you want to change anything, you can click the name of the template to edit it. Note that the SPX portal is now active, indicated by the green icon.
Configuring the SPX Secure Email Portal
On the SPX Encryption tab, click the
Settings button.
The Configure SPX Portal dialog box is displayed. The dialog box shows that the Email Appliance is using its default, self-signed certificate. Sophos recommends never using the default, self-signed certificate for services exposed to the internet. Instead, obtain a valid certificate from a certificate authority that recipients' browsers trust: otherwise every recipient sees a certificate warning when opening the portal, and a portal that trains recipients to click through warnings is easy to impersonate. A CA-issued certificate also ensures that the appliance references the desired hostname instead of the internal hostname that it uses by default.
To obtain a certificate for the appliance, close the Configure SPX Portal dialog box. Then, on the Configuration > System > Certificates page, click Add. This opens the Add certificate dialog box, where you select Initiate Certificate Signing Request. Click Next.
In the Initiate CSR dialog box, enter the information required to obtain a certificate. In this example, enter a Description, and use msgportal.example.com for the Hostname/Domain. Click Next. A certificate signing request (CSR) is generated that you can send to the certificate authority (CA) of your choice in order to purchase a valid certificate.
In the CSR text box, click Download. Use your web browser to save the text as a .pem file. Click Close.
In the list of certificates shown on the Configuration > System > Certificates page, the new certificate request is shown as a Pending CSR. Next to its description will be an upload certificate link. After you've obtained your new certificate from the authority, click this link to upload it.
The Upload Certificate dialog box is displayed, and you can either paste or upload your new certificate. This completes the certificate creation process.
Note Although this example shows how to use the appliance's built-in capabilities to obtain a new certificate, you can also use an existing certificate for your appliance.
Configure your SPX portal to use the new certificate. On the Configuration > Policy > Encryption page, select the SPX Encryption
tab. Under Portal, click
Settings. In the Configure SPX
Portal dialog box, select the Use hostname
from SSL certificate option, and port
10443. Click OK.
Note You should ensure that your firewall allows inbound connections to TCP port 10443 on the appliance from the internet, since external recipients reach the portal on that port.
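A check worth running once the portal has been switched to the new certificate, as an added example that is not part of the appliance documentation: it connects to msgportal.example.com on port 10443 the way a recipient's browser would, verifies the chain and hostname against the local trust store, reports how long the certificate is still valid, and flags the appliance's default self-signed certificate if verification fails. The hostname and port are the values from this example; the helper functions operate on certificate dictionaries in the format returned by Python's ssl.SSLSocket.getpeercert(), and nothing else here comes from the appliance.

```python
"""Post-deployment check of the SPX portal TLS endpoint.

Added example, not part of the appliance documentation. Connects to the
portal the way a recipient's browser would, verifies the certificate chain
and hostname against the system trust store, and reports whether the
appliance is still presenting its default self-signed certificate.
msgportal.example.com and port 10443 are the values used in this example;
everything else is an assumption of this script.
"""
import json
import socket
import ssl
import time


def rdn_to_dict(name):
    """Flatten the tuple-of-tuples form ssl uses for 'subject' and 'issuer',
    e.g. ((('commonName', 'x'),),), into a plain {'commonName': 'x'}."""
    return {key: value for rdn in name for key, value in rdn}


def is_self_signed(cert):
    """Issuer identical to subject: true of the appliance's default
    certificate and of any other self-signed certificate."""
    return rdn_to_dict(cert.get("subject", ())) == rdn_to_dict(cert.get("issuer", ()))


def dns_names(cert):
    """DNS names the certificate is valid for: SAN entries, then the subject
    CN if it is not already among them."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = rdn_to_dict(cert.get("subject", ())).get("commonName")
    if cn and cn not in names:
        names.append(cn)
    return names


def days_until_expiry(cert, now_seconds=None):
    """Whole days left before 'notAfter'; negative once expired."""
    now_seconds = time.time() if now_seconds is None else now_seconds
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_seconds) // 86400)


def check_portal(host="msgportal.example.com", port=10443, timeout=5.0):
    """Connect with full verification and return a report dict.

    'verified' is True only when the chain validates and the certificate
    covers `host`. A verification error that mentions a self-signed
    certificate sets 'default_cert_suspected': the portal was most likely
    never switched to the CA-issued certificate uploaded above.
    """
    report = {"host": host, "port": port, "verified": False,
              "error": None, "default_cert_suspected": False}
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        report["error"] = exc.verify_message or str(exc)
        text = report["error"].lower()
        report["default_cert_suspected"] = "self" in text and "signed" in text
        return report
    except OSError as exc:  # refused, timed out, firewall: port 10443 not reachable
        report["error"] = f"connection failed: {exc}"
        return report
    report.update(verified=True, names=dns_names(cert),
                  self_signed=is_self_signed(cert),
                  days_until_expiry=days_until_expiry(cert))
    return report


if __name__ == "__main__":
    print(json.dumps(check_portal(), indent=2))
```

Run it from a machine outside your network so that the firewall rule for port 10443 is exercised as well. A report with verified false and default_cert_suspected true means the portal is still serving the appliance's default certificate; a report with verified true but a hostname other than the one recipients are given in their instructions means the wrong certificate was selected in the Configure SPX Portal dialog box.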
Configuring expiry settings and password strength
Under Expiry and user password settings, click Configure. Confirm that the expiry settings are correct, accept the default password length, and click OK.
Configuring a policy rule
Create a policy rule that uses the SPX template and the portal
settings. You can configure multiple rules associated with SPX
encryption, but an extremely useful rule is one that allows internal
users to specify that a message be encrypted by setting a "confidential"
option in the sender’s mail client (for example, Microsoft Outlook). To
do this, on the Configuration > Policy > Additional Policy page, select the Outbound tab,
then click Add. This opens the Policy wizard.
Select the Use only message attributes option,
then click Next.
Note For SPX secure reply, the appliance determines whether a message is inbound or outbound by checking whether the recipient's domain appears in your list of incoming mail domains. A message to an external recipient is therefore treated as inbound if one of your incoming mail domains is the same as the recipient's domain name. In that case this outbound policy rule does not trigger, and email to recipients in that domain is not encrypted.
In the Identify message attributes section, click Add. This opens the Add Message Attribute dialog box. Setting the "Confidential" option in Outlook adds a mail header named "Sensitivity" with the value "company-confidential", so the rule must match exactly these. Select the Header option from the drop-down list. Then, in the Name text box, enter Sensitivity, and select is (exact match).
In the Value text box, enter company-confidential. Click Apply. In the list of message attributes, you will now see a single new attribute that is based on your selections. After you confirm this, click Next to set user and group options.
Before applying this new rule to active users, you should ensure that it works. To do this, on the Select Users page of the wizard, add a custom group. This should consist of a single internal email address from which you can send test messages. Make sure it is included in this policy rule (ensure that the address is specified on the Include Sender tab), then click Next.
On the Main Action page of the wizard, select
the message action Encrypt the message using SPX.
From the Template drop-down list, select the
template you created. Select the Attach original email to
PDF check box. Select the On failure, bounce
to Sender option, then click
Next.
Now that you have finished configuring this rule, give it a descriptive
name. Finally, be sure to select Activate this
rule, and click Save.
You are now ready to test your SPX encryption setup.
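A model of the rule just configured, as an added example (it is not the appliance's policy engine): it applies the three decisions the rule depends on, outbound versus inbound per the note above, sender in the custom test group, and the Sensitivity exact match, to constructed test messages, and it builds the message itself, which is what a mail client other than Outlook must produce to trigger the rule. The incoming mail domain example.com, the sender tester@example.com and the recipient addresses are assumptions of this example.

```python
"""Model of the outbound "confidential" SPX rule configured above.

Added example, not the appliance's own policy engine. It reproduces the
three decisions the rule depends on (outbound vs. inbound, sender in the
custom test group, Sensitivity header exact match) so a test message can be
checked before it is sent, and it builds the message a client other than
Outlook must produce. The incoming mail domain, test sender and recipients
below are constructed for this example.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

# Constructed appliance settings (assumptions of this example).
INCOMING_MAIL_DOMAINS = {"example.com"}     # domains the appliance accepts mail for
RULE_SENDERS = {"tester@example.com"}       # custom group on the Include Sender tab
HEADER_NAME = "Sensitivity"                 # header Outlook sets for Confidential
HEADER_VALUE = "company-confidential"       # matched with 'is (exact match)'


def recipient_domains(msg):
    """Lower-cased domains of all To/Cc recipients."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.rpartition("@")[2].lower() for _, addr in addrs if "@" in addr}


def is_outbound(msg):
    """Per the note above, a recipient in an incoming mail domain makes the
    message inbound. How a mixed recipient list is treated is not stated in
    the documentation; this model lets any such recipient decide."""
    return not (recipient_domains(msg) & INCOMING_MAIL_DOMAINS)


def sender_in_group(msg):
    """Sender address is one of the custom group's members."""
    return parseaddr(str(msg.get("From", "")))[1].lower() in RULE_SENDERS


def header_matches(msg):
    """'is (exact match)': header present and equal to the configured value."""
    value = msg.get(HEADER_NAME)
    return value is not None and str(value).strip() == HEADER_VALUE


def evaluate(raw):
    """Return 'encrypt' when the rule fires, otherwise the reason it did not."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if not is_outbound(msg):
        return "skip: recipient domain is an incoming mail domain, message treated as inbound"
    if not sender_in_group(msg):
        return "skip: sender is not in the rule's custom group"
    if not header_matches(msg):
        return "skip: Sensitivity header missing or not an exact match"
    return "encrypt"


def build_test_message(sender, recipient, sensitivity=HEADER_VALUE):
    """Compose the test message. Setting the header directly is the
    equivalent of choosing Sensitivity: Confidential in Outlook."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "SPX user-registration test"
    if sensitivity is not None:
        msg[HEADER_NAME] = sensitivity
    msg.set_content("Constructed test message for the SPX confidential rule.")
    return msg.as_bytes()


if __name__ == "__main__":
    cases = [
        ("tester@example.com", "you@external.example", HEADER_VALUE),   # rule fires
        ("tester@example.com", "colleague@example.com", HEADER_VALUE),  # inbound, rule skipped
        ("tester@example.com", "you@external.example", "Private"),      # wrong sensitivity
        ("other@example.com", "you@external.example", HEADER_VALUE),    # not in test group
    ]
    for sender, rcpt, sens in cases:
        print(f"{sender} -> {rcpt} [{sens}]: {evaluate(build_test_message(sender, rcpt, sens))}")
```

The second case is the failure mode from the note above: the test sender and the recipient share the incoming mail domain, so the appliance classifies the message as inbound and the outbound rule never runs, which is why the test in the next section must go to an external address.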
Testing your setup
Compose a message. To test properly, send this message to an external email address that you can access. Since this example uses Microsoft Outlook, you must change the email client's settings to match those in the appliance. In Microsoft Outlook, click New to create a message. On the Message tab, click the dialog box launcher in the bottom right section of Options to open the Message Options dialog box. From the Sensitivity drop-down list, select Confidential. (If the email client is equipped with the Sophos Outlook Add-in, and configured to use Outlook's Confidential sensitivity, you can simply click the Encrypt button on the Outlook toolbar. For more information, see "Sophos Outlook Add-in" in the Appendix.) After you have finished, send the message.
Note If you are using a mail client other than Microsoft Outlook, see its product documentation for instructions on creating a mail header like the "Sensitivity: company-confidential" one used in this example.
Next, check for a new message at your test email address. You should receive a message that looks something like this:
In this example, users need to set their own passwords through the SPX portal. The encrypted email is held by the Email Appliance until the recipient registers a password.
Note With both user-registration passwords and sender-communicated passwords, once the password is set, the recipient can access any subsequent email messages from that sender, and those messages are sent to the recipient(s) immediately.
After the password has been set, you will receive the original (but
encrypted) message at your test account.
Double-clicking the attached PDF opens it in Adobe Reader, where you are prompted to enter the password:
After you enter the password, the PDF is decrypted, and the cover page
is displayed. You can scroll past the cover page and read the original
message, and download any attachments.
A Reply button is displayed in the message. This lets the recipient send a secure, encrypted reply to the sender using the SPX portal. Clicking the Reply button opens the recipient’s default web browser and launches the secure reply portal.
If the optional Reply All feature is configured and a message has been sent to multiple addresses, each recipient has the option to send a secure, encrypted reply to both the sender and to all of the original recipients using the SPX portal. Clicking the Reply All button opens a recipient’s default web browser and launches the secure reply portal.
Note Recipients can also choose to reply directly from their email client. This form of reply is not encrypted, but may be suitable in instances where a secure reply is not essential.
In the secure reply portal, you should compose and send a response to
the original email message.
After you have sent it, confirm that you received a response at your internal address. You have now confirmed that all aspects of your SPX deployment work correctly. The setup is ready for active users.