Encryption
This feature requires a subscription in Sophos XG Firewall. It can be configured but cannot be enforced without a valid Email Protection subscription.
Mode Switch option
- MTA
- Legacy
SPX Configuration
- Default SPX Template
- Select the default SPX Template. SPX Templates can be created from . The Default Template is used if any user explicitly SPX-encrypts an Email and no template is selected in the Content Scanning Rule.
  A user can SPX-encrypt an Email by:
  - Manually setting the Email header X-Sophos-SPX-Encrypt to yes.
  - Installing the Sophos Outlook Add-in and clicking Encrypt before sending the Email.
  If Default SPX Template is selected as None, then SPX encryption is not applied on Email.
- Allow Secure Reply for
- Enter the maximum time (in days) within which the recipient can securely reply to an SPX-encrypted email using the SPX Reply Portal.
- Keep Unused Password for
- Specify the expiry time in days of an unused password.
For example, if Keep Unused Password for is set to 30 days, the password expires at 0 o'clock 30 days after being generated if no SPX-encrypted message was sent for a specific recipient.
Default: 30 days
- Allow Password Registration for
- Specify the time in days after which the link to the Password Registration Portal expires.
Default: 10 days
- Send Error Notification To
- Specify who receives a notification when an SPX error occurs. Select Sender Only to send the notification to the sender, or select Nobody if you do not want any notification to be sent. Error messages will always be listed in the SMTP log.
SPX Portal Settings
- Hostname
- Specify the IP Address or Domain on which the Password Registration Portal is hosted.
- Allowed Network(s)
- Specify the networks from which password registration requests will be accepted.
- Port
- Enter the port on which the SPX reply portal should listen.
Default: 8094
Figure: SPX Configuration
SPX Templates
SPX (Secure PDF Exchange) encryption is a next-generation version of email encryption. It is clientless and extremely easy to set up and customize in any environment. Using SPX encryption, email messages and any attachments sent to the SF device are converted to a PDF document, which is then encrypted with a password. You can configure the SF device to allow senders to select passwords for the recipients, or the server can generate the password for the recipient and store it for that recipient, or the server can generate one-time passwords for recipients.
- A user can download the Sophos Outlook Add-in from SF's User Portal. After it is installed, an Encrypt button is displayed in the Microsoft Outlook user interface. To encrypt a message, the user needs to click the Encrypt button and then write and send the message. A notification is sent, if configured, only if something goes wrong, for example if the sender does not enter a valid password.
  Note: If you do not use Outlook you can also trigger SPX encryption by setting the header field X-Sophos-SPX-Encrypt to yes.
- In the Data Protection feature, you can enforce SPX encryption for Emails containing sensitive data (see .
The encrypted message is then sent to the recipient's mailbox. Using any PDF reader, the recipient can decrypt the message with the password that was used to encrypt the PDF. SPX-encrypted email messages are accessible on all popular smartphone platforms that have native or third-party PDF file support, including Android, iOS, BlackBerry and Windows Mobile devices.
The SPX template defines the layout of the PDF file, password settings and recipient instructions. You can also define different SPX templates. So, if you are managing various customer domains, you can assign them customized SPX templates containing, for example, different company logos and texts. Use this section to add, edit and delete SPX Templates for Legacy and MTA modes.
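For senders that do not use Outlook, the X-Sophos-SPX-Encrypt header described above can be set by a script. The following Python sketch is an added example, not Sophos code: it sets the header to yes and refuses to relay any message whose serialized form does not carry exactly one such header. The function names, the addresses and the relay host are assumptions for illustration.

```python
import smtplib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Header name and the value "yes" are taken from the page.
SPX_HEADER = "X-Sophos-SPX-Encrypt"


def build_spx_message(sender, recipient, subject, body):
    """Compose a message that requests SPX encryption."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg[SPX_HEADER] = "yes"
    msg.set_content(body)
    return msg


def spx_requested(raw):
    """True only if the raw message has exactly one SPX header set to yes.

    A second, conflicting header (for example added by a template or a
    downstream tool) makes the request ambiguous, so it is rejected here.
    Treating only the exact value "yes" as valid is an assumption.
    """
    parsed = message_from_bytes(raw, policy=policy.SMTP)
    values = parsed.get_all(SPX_HEADER, [])
    return len(values) == 1 and values[0].strip() == "yes"


def send_encrypted(msg, relay_host, relay_port=25):
    """Relay through the firewall; fail closed if the SPX header is not intact."""
    if not spx_requested(msg.as_bytes()):
        raise ValueError("refusing to send: SPX header missing or ambiguous")
    with smtplib.SMTP(relay_host, relay_port) as smtp:  # relay_host is hypothetical
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample addresses and content.
    m = build_spx_message("reports@example.com", "partner@example.org",
                          "Quarterly figures", "See attached summary.")
    print(m.as_bytes().decode())
    print("SPX requested:", spx_requested(m.as_bytes()))
```

The check runs on the serialized bytes, so it verifies what is actually handed to the relay rather than what the script intended to set.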