Example Deployment: User Registration

An example of SPX deployment that uses the SPX Secure Email Portal for password self-registration.

This example uses many of the default template settings. If you need to customize any of these to suit your needs, see the SPX Encryption documentation for detailed descriptions of each option.

Deploying SPX to allow user-registered passwords requires the following steps:

  1. Creating a template
  2. Configuring the portal that recipients use to register their passwords
  3. Configuring expiry times and password strength
  4. Configuring a policy rule
  5. Testing your configuration

Configuring SPX: Passwords Set by User-Registration

  1. Creating a template
    1. First, create a template. This includes customizing the appearance of encrypted messages, setting up the SPX portal, defining the content for messages, and specifying the method used to set passwords.
      On the Configuration > Policy > Encryption page, select the SPX Encryption tab, and click Add.

      The template wizard launches.
    2. On the Encrypted PDF Options page of the wizard, you can set the properties of encrypted messages, including the cover page and the page size for the page(s) containing the body of the message.

      In this example, you will upload a Sophos cover page, and accept the default settings for Page size and Template language.
    3. Click Preview. A sample PDF loads, allowing you to view the SPX cover page and the email layout.
    4. Click Next.
    5. On the Password Settings page of the wizard, select Allow the message recipient to choose their own password.

      First, accept the default Subject line for encrypted messages. Although you can customize both the body and the subject of the email message that notifies SPX recipients of encrypted email messages, make sure that the text does not suggest contacting the sender for password information. If user registration is selected, senders do not manage recipient passwords. Click Next to proceed to the Recipient Instructions page.
    6. You can edit the text as necessary to convey decryption instructions. For the sake of this example, however, accept the default text.
    7. Under End user password options, select Password change, Password reset, and Password recovery.This will create links in the recipient instructions (next wizard page) that allow recipients to access password management pages on the SPX portal. Accept the default number of password challenge questions (3). Recipients will be prompted to set a series of questions that they must answer if they need to reset or recover their password. Click Next.

    8. On the Portal Settings page, configure the settings for the SPX portal. Make sure that Enable Secure Reply is set to On, then select the Sophos option for both the header and footer images.
      Note See the references at the end of this example for information about creating PDF cover pages, and custom header and footer images.
    9. On the Template Name page, enter a descriptive name for the template you have just created. This is the name that is displayed in the list of templates. In the Organization name text box, enter the name that you want to be displayed in instructions to recipients. The text specified here is used by the %%ORGANIZATION_NAME%% template variable. In the System email address text box, enter the address that you want to appear in auto-generated communications sent by the appliance. Click Save.

      View the SPX Encryption tab. You will see the new template that has been created. If you want to change anything, you can click the name of the template to edit it. Note that the SPX portal is now active, indicated by the green icon.

  2. Configuring the SPX Secure Email Portal
    1. On the SPX Encryption tab, click the Settings button.

      The Configure SPX Portal dialog box is displayed. The dialog box shows that the Email Appliance is using its default, self-signed certificate. Sophos recommends never using the default, self-signed certificate for services exposed to the internet. Instead, obtain a valid certificate. This ensures that the appliance references the desired hostname instead of the internal hostname that it uses by default.
    2. To obtain a certificate for the appliance, close the Configure SPX Portal dialog box. Then, on the Configuration > System > Certificates page, click Add.

      This opens the Add certificate dialog box, where you select Initiate Certificate Signing Request. Click Next.
    3. In the Initiate CSR dialog box, enter the information required to obtain a certificate. In this example, enter a Description, and use msgportal.example.com for the Hostname/Domain. Click Next. A certificate signing request (CSR) will be generated that you can send to the certificate authority (CA) of our choice in order to purchase a valid certificate.
    4. In the CSR text box, click Download. Use your web browser to save the text as a .pem file. Click Close.
    5. In the list of certificates shown on the Configuration > System > Certificates page, the new certificate request is shown as a Pending CSR. Next to its description will be an upload certificate link. After you've obtained your new certificate from the authority, click this link to upload it.

      The Upload Certificate dialog box is displayed, and you can either paste or upload your new certificate. This completes the certificate creation process.
      Note Although this example shows how to use the appliance’s built-in capabilities to obtain a new certificate, you can also use an existing certificate for your appliance.
    6. Configure your SPX portal to use the new certificate. On the Configuration > Policy > Encryption page, select the SPX Encryption tab. Under Portal, click Settings. In the Configure SPX Portal dialog box, select the Use hostname from SSL certificate option, and port 10443. Click OK.
      Note You should ensure that your firewall allows access to port 10443.
  3. Configuring expiry settings and password strength
    1. Under Expiry and user password settings, click Configure. Confirm that the expiry settings are correct, accept the default password length, and click OK.
  4. Configuring a policy rule
    1. Create a policy rule that uses the SPX template and the portal settings. You can configure multiple rules associated with SPX encryption, but an extremely useful rule is one that allows internal users to specify that a message be encrypted by setting a "confidential" option in the sender’s mail client (for example, Microsoft Outlook). To do this, on the Configuration > Policy > Additional Policy page, select the Outbound tab, then click Add. This opens the Policy wizard. Select the Use only message attributes option, then click Next.
      Note For SPX secure reply, the appliance determines whether a message is inbound or outbound by comparing whether the recipient’s domain appears in your list of incoming mail domains. A message to an external recipient may be considered inbound if you have an incoming mail domain that is the same as their domain name. In this case, the policy rule will not trigger, and emails to a recipient in this domain will not be encrypted.
    2. In the Identify message attributes section, click Add. This opens the Add Message Attribute dialog box. Since setting the "Confidential" option in Outlook creates a mail header called "Sensitivity", with a value of "company-confidential", the rule must use these keywords too. Select the Header option from the drop-down list. Then, in the Name text box, add a header Sensitivity, and select is (exact match).
    3. In the Value text box, enter company-confidential. Click Apply. In the list of message attributes, you will now see a single new attribute that is based on your selections. After you confirm this, click Next to set user and group options.
    4. Before applying this new rule to active users, you should ensure that it works. To do this, on the Select Users page of the wizard, add a custom group. This should consist of a single internal email address from which you can send test messages. Make sure it is included in this policy rule (ensure that the address is specified on the on the Include Sender tab), then click Next.

    5. On the Main Action page of the wizard, select the message action Encrypt the message using SPX. From the Template drop-down list, select the template you created. Select the Attach original email to PDF check box. Select the On failure, bounce to Sender option, then click Next.

    6. Now that you have finished configuring this rule, give it a descriptive name. Finally, be sure to select Activate this rule, and click Save.
      You are now ready to test your SPX encryption setup.
  5. Testing your setup
    1. Compose a message. To test properly, send this message to an external email address that you can access. Since this example uses Microsoft Outlook, you must change the email client’s settings to match those in the appliance. In Microsoft Outlook, click New to create a message. On the Message tab, click the dialog box launcher in the bottom right section of Options to open the Message Options dialog box. From the Sensitivity drop-down list, select Confidential. (If the email client is equipped with the Sophos Outlook Add-in, and configured to use Outlook’s Confidential sensititvity, you can simply click the Encrypt button on the Outlook toolbar. For more information, see “Sophos Outlook Add-in” in the Appendix.)

      After you have finished, send the message.
      Note If you are using a mail client other than Microsoft Outlook, see its product documentation for instructions on creating a mail header like the “Sensitivity: company-confidential” one used in this example.
    2. Next, check for a new message at your test email address. You should receive a message that looks something like this:

      In this example, users need to set their own passwords through the SPX portal. The encrypted email will be held by the Email Appliance until recipients register a password.
      Note With both user-registration passwords and sender-communicated passwords, once the password is set, the email user can access any subsequent email messages from that sender, and messages are sent to the recipient(s) immediately.
    3. After the password has been set, you will receive the original (but encrypted) message at your test account.

      Double-clicking the attached PDF opens it in Adobe Reader, where you are prompted to enter the password:



    4. After you enter the password, the PDF is decrypted, and the cover page is displayed. You can scroll past the cover page and read the original message, and download any attachments.


      A Reply button is displayed in the message. This lets the recipient send a secure, encrypted reply to the sender using the SPX portal. Clicking the Reply button opens the recipient’s default web browser and launches the secure reply portal.

      If the optional Reply All feature is configured and a message has been sent to multiple addresses, each recipient has the option to send a secure, encrypted reply to both the sender and to all of the original recipients using the SPX portal. Clicking the Reply All button opens a recipient’s default web browser and launches the secure reply portal.



      Note Recipients can also choose to reply directly from their email client. This form of reply is not encrypted, but may be suitable in instances where a secure reply is not essential.
    5. In the secure reply portal, you should compose and send a response to the original email message.

      After you have sent it, confirm that you received a response at your internal address. You have now confirmed that all aspects of your SPX deployment work correctly. The setup is ready for active users.