On the Encryption > Options tab you can define the default policy to be used within the public key cryptography framework of Sophos UTM.

Default Policy: Specify your default policy for emails in terms of cryptography. These settings can, however, be overridden by customized settings.

The following actions are available:

  • Sign outgoing email
  • Encrypt outgoing email
  • Verify incoming email
  • Decrypt incoming email

Click Apply to save your settings.

Note – For encryption to work, the sender must be within the Internal Users list. Outgoing emails to recipients whose S/MIME certificate or OpenPGP public key is present on the gateway will be encrypted by default. If you want to disable encryption for these recipients, delete their S/MIME certificates or OpenPGP public keys. If a recipient's certificate or public key is unknown to Sophos UTM, emails will be sent unencrypted.

Automatic Extraction of S/MIME Certificates

When this option is selected, S/MIME certificates will automatically be extracted from incoming emails provided the certificate that is appended to the email is signed by a trusted certificate authority, that is, a CA present on the unit as shown on the Email Protection > Encryption > S/MIME Authorities tab. In addition, the time and date of Sophos UTM must be within the certificate's validity period for the automatic extraction of certificates to work. Once a certificate has been successfully extracted, it will appear on the Email Protection > Encryption > S/MIME Certificates tab. Note that this may take five to ten minutes to complete. Click Apply to save your settings.
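The two conditions above (issuer is a trusted CA, gateway clock inside the validity period) can be pre-checked outside the gateway when a certificate fails to show up on the S/MIME Certificates tab. The following is an added example, not Sophos code, and it does not claim to reproduce how Sophos UTM performs the check; the function names, verdict strings and the constructed CA, certificate and message are assumptions, as is having the authority available as a PEM file.

```shell
#!/bin/sh
# Added example (not Sophos code): pre-check the two documented conditions for
# automatic S/MIME certificate extraction with the openssl CLI (1.1.0 or later).

# make_sample DIR: build a constructed CA, user certificate and signed message.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice@example.test" \
        -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null
    openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/alice.pem" 2>/dev/null
    printf 'constructed test message\n' > "$d/body.txt"
    openssl smime -sign -in "$d/body.txt" -signer "$d/alice.pem" \
        -inkey "$d/alice.key" -out "$d/signed.eml" 2>/dev/null
}

# check_extractable SIGNED.eml TRUSTED-CA.pem [GATEWAY-CLOCK-EPOCH]
# Prints a verdict and returns 0 only when both conditions hold.
check_extractable() {
    msg=$1 ca=$2 at=${3:-$(date +%s)}
    cert=$(mktemp) || return 2
    # Pull the certificate attached to the signed message (the first one is checked).
    openssl smime -pk7out -in "$msg" 2>/dev/null |
        openssl pkcs7 -print_certs -out "$cert" 2>/dev/null || :
    if ! grep -q 'BEGIN CERTIFICATE' "$cert"; then
        verdict=no-certificate
    # Condition 1: issued by the trusted CA (dates ignored, system CA dir excluded).
    elif ! openssl verify -no_check_time -no-CApath -CAfile "$ca" "$cert" \
            >/dev/null 2>&1; then
        verdict=untrusted-issuer
    # Condition 2: the gateway clock lies inside the validity period.
    elif ! openssl verify -attime "$at" -no-CApath -CAfile "$ca" "$cert" \
            >/dev/null 2>&1; then
        verdict=outside-validity
    else
        verdict=eligible
    fi
    rm -f "$cert"
    echo "$verdict"
    [ "$verdict" = eligible ]
}
```

Passing the optional third argument shows what a gateway with a skewed clock would conclude about the same message.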

OpenPGP Keyserver

OpenPGP keyservers host public PGP (Pretty Good Privacy) keys. You can add an OpenPGP keyserver here. For signed incoming emails and for outgoing emails that are to be encrypted, Sophos UTM will try to retrieve the public key from the given server if the respective public key is not yet known to Sophos UTM.