I have Symantec Encryption Server managed environment.
Can we send encrypted emails to our customers emails IDs like gmail etc. and vice versa; can we receive encrypted emails from the customers?
Yes you can. You can use for this purpose a Symantec Encryption Management Web Email Protection.
So all users who are not part of your domain will be an external user for SEMS.
Please be familiar with the following KB:
Symantec Encryption Management Server 3.3.0 Administrator's Guide
(page 14, Other Email Users)
First, the Symantec Encryption Management Server attempts to find a key for the recipient. If that fails, there are four fallback options, all controlled by mail policy: bounce the message back to the sender (so it is not sent unencrypted), send unencrypted, Smart Trailer, and Symantec Encryption Web Email Protection mail.
The quickest way is to:
a) enable on your SEMS - "Web email Protection" so navigate to Services and make sure that Web Email Protection is enabled.
b) add one rule to Mail > Mail Policy > Outbound > Add Rule
Name the rule for example "External Email Users". Set the priority for the rule as 1
Condition of the rule:
If none of the following are true: Recipient address contains (put your domain example: ag.dom)
Send (encrypted/signed), encrypt to recipient's key
When suitable key not found use Web Email Protection
Preferred enconding format:Automatic
I have also attached this settings please so have a look into attachment.
If an external user sends us an email, it would be on internet cloud before reaching us, would it be encrypted all the way until we receive it?
..and I presume that the external user must use outlook to send us email and should have PGP client installed.
When the key is not found email will be delivered to external user via outlook to logon to web email online page to setup a password. External users (like yahoo, gmail etc....) will be able to communicate with internal users from your company by using online webpage called Web Email Protection. IF external user would like to send an encrypted email to your company, he will have to do it online via web email. So external users doesn't need PGP client. External users will receive a notification in (gmail or yahoo or any other external emails ) about the email to read and will have to logon to Web Email to read and reply securely for the message.
There are two straightforward options to communicate in a secure way with external users.
1. You can have the Web Email Protection (aka Web Messenger) service enabled.
Here the external user logs in a portal under your control to communicate with your internal users.
2. You can exchange public keys and each one uses the application they like more. The only think is that they need to work with the same protocol.
From the asymmetric cryptographic principles: the message is kept encrypted, until it reaches the destination which possesses the private portion of the key used to decrypt the message.
The external user will need to use an application able to work with the protocol you are using, either OpenPGP (PGP keys) either S/MIME (X.509 certificates). SEMS can handle both.
Here is the complete documentation of how to setup web messenger.
Blonde question: do we need to place our PGP Server after the messaging server (Gateway Placement) in secure layer.
In a Gateway placement, your encryption server needs to be at the edge of your network (recommended DMZ placement), otherwise it will be unable to encrypt outgoing email and decrypt incoming email.
The server itself is hardened so placing it within a DMZ poses little security risk.
Forgot to mention, for external uses to utilise Web Messenger then the encryption server needs to be accessible from outside your network
port 443 (SSL) inbound from the internet through the firewall to the Symantec Encryption Management Server in the DMZ should be sufficient for Web Email Protection (aka Web Messenger) to function for external users.
Thanks for documentation very easy and complete
Can we use web messenger functionality when PGP server is acting only as KMS and not as mail proxy? Email encryption is handled by PGP Desktop.
Thank you dcats
I have a certain scenario and need help in designing the solution. The details are following:
The solution needs to be designed for email encryption and whole disk encryption. The client is using office 365 for email so the only option for email encryption is Desktop email encryption???. The client also wants to have the web messenger functionality for interaction with external clients not using an encryption solution. Lastly the encryption management server has to be placed in two data centers for high availability and failover.
I am not sure about placement of the encryption management server/s for this design to achieve the functionality of email encryption and web messenger. What do you suggest?
According to the release notes Symantec Encryption Desktop 10.3.2 for Windows Release Notes - DOC7053 and Symantec Encryption Management Server 3.3.2 Release Notes - DOC7056, there is no mention of Office 365 under the Mailserver requirement for SESM, only the notes for SED mention compatibility with Office 365 Cloud Server.
Perhaps will help if you review the Symantec Encryption Management Server 3.3.2 Installation Guide - DOC7067. See in particular the "Non-mailstream Placement Configuration" section.
Regarding the high availability, check HOW TO: Ensure High Availability in a PGP Universal Server Cluster - TECH193552.
Look up internal placement for the Universal Server. They are what you should be looking at using if you have a hosted email solution