Example Deployment: Sender-Communicated Password

An example of SPX deployment in which individual senders communicate passwords to the recipients of SPX email messages.

This example uses many of the default template settings. If you need to customize any of these to suit your needs, see the SPX Encryption documentation for detailed descriptions of each option.

Deploying SPX to allow your senders to communicate passwords to recipients requires the following steps:

  1. Creating a template
  2. Configuring the portal that recipients use to register their passwords
  3. Configuring expiry times and password strength
  4. Configuring a policy rule
  5. Testing your configuration

Configuring SPX: Passwords Communicated by the Sender

  1. Creating a template
    1. First, create a template. This includes customizing the appearance of encrypted messages, setting up the SPX Secure Email Portal, defining the content for messages, and specifying the method used to set passwords.
      On the Configuration > Policy > Encryption page, select the SPX Encryption tab, and click Add.

      The template wizard launches.
    2. On the Encrypted PDF Options page of the wizard, you can set the properties of encrypted messages, including the cover page and the page size for the page(s) containing the body of the message.

      In this example, you will upload a Sophos cover page, and accept the default settings for Page size and Template language.
    3. Click Preview. A sample PDF loads, allowing you to view the SPX cover page and the email layout.
    4. Click Next.
    5. On the Password Settings page of the wizard, select Encrypt the message with a generated password.

      Leave the Always generate a new password for each message check box unselected. Accept the default Subject line for encrypted messages. Although you can customize both the body and subject of the email message that notifies SPX recipients of encrypted email messages, make sure that the text does not suggest contacting the sender for password information. If user registration is selected, senders do not manage recipient passwords. Click Next to proceed to the Recipient Instructions page.
    6. You can edit the text as necessary to convey decryption instructions. For the sake of this example, however, accept the default text.
    7. Under End user password options, select Password change, Password reset, and Password recovery. This will create links in the recipient instructions (next wizard page) that allow recipients to access password management pages on the SPX portal. Accept the default number of password challenge questions (3). Recipients will be prompted to set a series of questions that they must answer if they need to reset or recover their password. Click Next.

    8. On the Recipient Instructions page is default text that provides directions for the recipients of encrypted messages. Notice that some of the text is tagged with HTML. You can format the text as desired using basic HTML tags. Although you can edit this page, accept the default text, and click Next.
    9. On the Portal Settings page, configure the settings for the SPX portal. Make sure that Enable Secure Reply is set to On, then select the Sophos option for both the header and footer images. Click Next.
      Note See the references at the end of this example for information about creating PDF cover pages, and custom header and footer images.
    10. On the Template Name page, enter a descriptive name for the template you have just created. This is the name that is displayed in the list of templates. In the Organization name text box, enter the name that you want to be displayed in instructions to recipients. The text specified here is used by the %%ORGANIZATION_NAME%% template variable. In the System email address text box, enter the address that you want to appear in auto-generated communications sent by the appliance. Click Save.

      View the SPX Encryption tab. You will see the new template that has been created. If you want to change anything, you can click the name of the template to edit it. Note that the SPX portal is now active, indicated by the green icon.

  2. Configuring the SPX Secure Email Portal
    1. On the SPX Encryption tab, click the Settings button.

      The Configure SPX Portal dialog box is displayed.

      The dialog box shows that the Email Appliance is using its default, self-signed certificate. Sophos recommends never using the default certificate for services exposed to the internet. Instead, obtain a valid certificate. This ensures that the appliance references the desired hostname rather than the internal hostname that it uses by default.
    2. To obtain a certificate for the appliance, close the Configure SPX Portal dialog box, then on the Configuration > System > Certificates page, click Add. This opens the Add certificate dialog box, where you select Initiate Certificate Signing Request. Click Next.
    3. Enter the information required to obtain a certificate. In this example, use msgportal.example.com for the Hostname/Domain, then click Next.
    4. A certificate signing request (CSR) will be generated that you can send to the certificate authority (CA) of your choice in order to purchase a valid certificate. In the CSR text box, click Download. Use your web browser to save the text as a .pem file. Click Close.

    5. In the list of certificates shown on the Configuration > System > Certificates page, the new certificate request is shown as a Pending CSR. Next to its description will be an upload certificate link. After you've obtained your new certificate from the authority, click this link to upload it.

      The Upload Certificate dialog box will be displayed, and you can either paste or upload your new certificate. This completes the certificate creation process.
      Note Although this example shows how to use the appliance’s built-in capabilities to obtain a new certificate, you can also use an existing certificate for your appliance.
    6. Now, configure your SPX portal to use the new certificate. On the Configuration > Policy > Encryption page, select the SPX Encryption tab. Under Portal, click Settings. In the Configure SPX Portal dialog box, select the Use hostname from SSL certificate option, and port 10443. Click OK.
      Note You should ensure that your firewall allows access to port 10443.
  3. Configuring expiry settings and password strength
    1. Under Expiry and user password settings, click Configure. Confirm that the expiry settings are correct, accept the default password length, and click OK.
  4. Configuring a policy rule
    1. Create a policy rule that uses the SPX template and the portal settings. You can configure multiple rules associated with SPX encryption, but an extremely useful rule is one that allows internal users to specify that a message be encrypted by setting a "confidential" option in the sender’s mail client (for example, Microsoft Outlook). To do this, on the Configuration > Policy > Additional Policy page, select the Outbound tab, then click Add. This opens the Policy wizard. Select the Use only message attributes option, then click Next.
    2. In the Identify message attributes section, click Add. This opens the Add Message Attribute dialog box. Since setting the "Confidential" option in Outlook creates a mail header called "Sensitivity", with a value of "company-confidential", the policy rule must use these keywords too. Select the Header option from the drop-down list. Then, in the Name text box, enter Sensitivity, and select is (exact match).
    3. In the Value text box, enter company-confidential. Click Apply. In the list of message attributes, you will now see a single, new attribute that is based on your selections. Click Next to set user and group options.
    4. Before applying this new rule to active users, you should ensure that it works. To do this, on the Select Users page of the Policy wizard, add a custom group. This should consist of a single, internal email address that you can use for sending test messages. Make sure it is included in this policy rule (ensure that the address is specified on the Include Sender tab), then click Next.

    5. On the Main Action page of the wizard, select the message action Encrypt the message using SPX. From the Template drop-down list, select the template you created. Select the Attach original email to PDF check box. Select the On failure, bounce to Sender option, then click Next.

    6. Now that you have finished configuring this rule, give it a descriptive name. Select Activate this rule, and click Save.

      You are now ready to test your SPX encryption setup.
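
The rule configured above, modelled as code so its matching behaviour can be checked against sample messages before any real user is added to it. This is an added example, not code from the Sophos appliance; the test address, the messages and the case-sensitive treatment of the exact-match comparison are assumptions.

```python
"""Minimal model of the outbound SPX policy rule built in this example:
header 'Sensitivity' is (exact match) 'company-confidential', applied only
to senders in the custom test group (Include Sender tab)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the single internal address placed in the custom test group.
TEST_GROUP_INCLUDE_SENDERS = {"alice@example.com"}

HEADER_NAME = "Sensitivity"
HEADER_VALUE = "company-confidential"


def header_matches(msg, name=HEADER_NAME, value=HEADER_VALUE):
    """'is (exact match)' on the header value. Header names are compared
    case-insensitively (RFC 5322); the value comparison is modelled as
    case-sensitive, which is an assumption about the appliance."""
    found = msg.get_all(name)
    if not found:
        return False
    return any(v.strip() == value for v in found)


def sender_in_group(msg, group):
    """Only the bare address of the From header is compared, lower-cased."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr in group


def rule_action(raw, group=TEST_GROUP_INCLUDE_SENDERS):
    """Return 'encrypt-spx' when both attribute and sender conditions hold,
    otherwise 'none' (the message continues through normal delivery)."""
    msg = message_from_string(raw)
    if header_matches(msg) and sender_in_group(msg, group):
        return "encrypt-spx"
    return "none"


# Constructed sample messages mirroring the Outlook 'Confidential' test message.
CONFIDENTIAL = """From: Alice <alice@example.com>
To: bob@external.example
Subject: Quarterly numbers
Sensitivity: company-confidential

Figures attached.
"""
PERSONAL = CONFIDENTIAL.replace("company-confidential", "Personal")
OTHER_SENDER = CONFIDENTIAL.replace("alice@example.com", "carol@example.com")
```

Running `rule_action` over the three messages shows that only the confidential message from the test sender is routed to SPX encryption.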
  5. Testing your setup
    1. Compose a message. To test properly, send this message to an external email address that you can access. Since this example uses Microsoft Outlook, you must change the email client’s settings to match those in the appliance. In Microsoft Outlook, click New to create a message. On the Message tab, click the dialog box launcher in the bottom right section of Options to open the Message Options dialog box. From the Sensitivity drop-down list, select Confidential. (If the email client is equipped with the Sophos Outlook Add-in, and configured to use Outlook’s Confidential sensitivity, you can simply click the Encrypt button on the Outlook toolbar. For more information, see “Sophos Outlook Add-in” in the Appendix.)

      After you have finished, send the message.
      Note If you are using a mail client other than Microsoft Outlook, see its product documentation for instructions on creating the “Sensitivity: company-confidential” mail header.
    2. Next, check your messages at your test email address. You should receive an email message that looks something like this:

      In this example, users need to set their own passwords with the SPX portal. The encrypted email will be held by the Email Appliance until the recipient registers a password.
      Note With both user-registration passwords and sender-communicated passwords, once the password is set, the email user can access any subsequent email messages from that sender, and messages are sent to the recipient(s) immediately.
    3. After the password has been set, you will receive the original (but encrypted) message at your test account.

      Double-clicking the attached PDF opens it in Adobe Reader, where you are prompted to enter the password that was set.

    4. After you enter the password, the PDF is decrypted, and the cover page is displayed. You can scroll past the cover page and read the original message, and download any attachments.

      A Reply button is displayed in the message. This lets the recipient send a secure, encrypted reply to the sender using the SPX portal. Clicking the Reply button opens the recipient’s default web browser and launches the secure reply portal.

      If the optional Reply All feature is configured and a message has been sent to multiple addresses, each recipient has the option to send a secure, encrypted reply to both the sender and to all of the original recipients using the SPX portal. Clicking the Reply All button opens a recipient’s default web browser and launches the secure reply portal.

      Note The recipient can also choose to reply directly from their email client. This form of reply is not encrypted, but may be suitable in instances where a secure reply is not essential.
    5. In the secure reply portal, compose and send a response to the original email message.

      After you have sent it, confirm that you received a response at your internal address. You have now confirmed that all aspects of your SPX deployment work correctly. The setup is now ready for active users.