Symantec Encryption Product Community

 View Only
Expand all | Collapse all

Email Encryption

  • 1.  Email Encryption

    Posted Jan 16, 2014 01:20 AM


    I have Symantec Encryption Server managed environment.

    Can we send encrypted emails to our customers emails IDs like gmail etc. and vice versa;  can we receive encrypted emails from the customers?


  • 2.  RE: Email Encryption

    Broadcom Employee
    Posted Jan 16, 2014 03:00 AM

    Hi Mehmood,

    Yes you can. You can use for this purpose a Symantec Encryption Management Web Email Protection.
    So all users who are not part of your domain will be an external user for SEMS.

    Please be familiar with the following KB:

    Symantec Encryption Management Server 3.3.0 Administrator's Guide

    (page 14, Other Email Users)

    First, the Symantec Encryption Management Server attempts to find a key for the recipient. If that fails, there are four fallback options, all controlled by mail policy: bounce the message back to the sender (so it is not sent unencrypted), send unencrypted, Smart Trailer, and Symantec Encryption Web Email Protection mail.

    The quickest way is to:

    a) enable on your SEMS - "Web email Protection" so navigate to Services and make sure that Web Email Protection is enabled.

    b) add one rule to Mail > Mail Policy > Outbound > Add Rule

    Name the rule for example "External Email Users". Set the priority for the rule as 1
    Condition of the rule:
    If none of the following are true: Recipient address contains (put your domain example: ag.dom)
    Send (encrypted/signed), encrypt to recipient's key
    When suitable key not found use Web Email Protection
    Preferred enconding format:Automatic

    I have also attached this settings please so have a look into attachment.



  • 3.  RE: Email Encryption

    Posted Jan 16, 2014 03:59 AM

    Thanks Adam.. 

    If an external user sends us an email, it would be on internet cloud before reaching us, would it be encrypted all the way until we receive it?

  • 4.  RE: Email Encryption

    Posted Jan 16, 2014 04:03 AM

    ..and I presume that the external user must use outlook to send us email and should have PGP client installed.


  • 5.  RE: Email Encryption

    Broadcom Employee
    Posted Jan 16, 2014 04:45 AM


    When the key is not found email will be delivered to external user via outlook to logon to web email online page to setup a password. External users (like yahoo, gmail etc....) will be able to communicate with internal users from your company by using online webpage called Web Email Protection. IF external user would like to send an encrypted email to your company, he will have to do it online via web email. So external users doesn't need PGP client. External users will receive a notification in (gmail or yahoo or any other external emails ) about the email to read and will have to logon to Web Email to read and reply securely for the message.



  • 6.  RE: Email Encryption

    Broadcom Employee
    Posted Jan 16, 2014 09:24 AM

    Hi Mehmood,

    There are two straightforward options to communicate in a secure way with external users.

    1. You can have the Web Email Protection (aka Web Messenger) service enabled.
    Here the external user logs in a portal under your control to communicate with your internal users.


    2. You can exchange public keys and each one uses the application they like more. The only think is that they need to work with the same protocol.
    From the asymmetric cryptographic principles: the message is kept encrypted, until it reaches the destination which possesses the private portion of the key used to decrypt the message.
    The external user will need to use an application able to work with the protocol you are using, either OpenPGP (PGP keys) either S/MIME (X.509 certificates). SEMS can handle both.


  • 7.  RE: Email Encryption

    Posted Jan 19, 2014 10:47 PM
      |   view attached

    Hi Mehmood,

    Here is the complete documentation of how to setup web messenger.




  • 8.  RE: Email Encryption

    Posted Jan 20, 2014 12:42 AM

    Thank Anthony,

    Blonde question: do we need to place our PGP Server after the messaging server (Gateway Placement) in secure layer.

  • 9.  RE: Email Encryption

    Posted Jan 20, 2014 08:44 AM

    In a Gateway placement, your encryption server needs to be at the edge of your network (recommended DMZ placement), otherwise it will be unable to encrypt outgoing email and decrypt incoming email.


    The server itself is hardened so placing it within a DMZ poses little security risk.

  • 10.  RE: Email Encryption

    Posted Jan 20, 2014 08:45 AM

    Forgot to mention, for external uses to utilise Web Messenger then the encryption server needs to be accessible from outside your network

  • 11.  RE: Email Encryption

    Posted Jan 21, 2014 01:39 PM

    port 443 (SSL) inbound from the internet through the firewall to the Symantec Encryption Management Server in the DMZ should be sufficient for Web Email Protection (aka Web Messenger) to function for external users.

  • 12.  RE: Email Encryption

    Posted Feb 17, 2014 12:12 PM

    Hi Anthony,

    Thanks for documentation very easy and complete


  • 13.  RE: Email Encryption

    Posted Mar 05, 2014 12:53 PM

    Can we use web messenger functionality when PGP server is acting only as KMS and not as mail proxy? Email encryption is handled by PGP Desktop.


  • 14.  RE: Email Encryption

    Broadcom Employee
    Posted Mar 05, 2014 01:52 PM
    Hi nashraf, You can if you have the Mail Proxy license and configured Out Of Mail Stream (OOMS) option. The Web Messenger is a Key Not Found (KNF) feature. HTH, dcats

  • 15.  RE: Email Encryption

    Posted Mar 05, 2014 03:16 PM

    Thank you dcats

    I have a certain scenario and need help in designing the solution. The details are following:

    The solution needs to be designed for email encryption and whole disk encryption. The client is using office 365 for email so the only option for email encryption is Desktop email encryption???. The client also wants to have the web messenger functionality for interaction with external clients not using an encryption solution. Lastly the encryption management server has to be placed in two data centers for high availability and failover.

    I am not sure about placement of the encryption management server/s for this design to achieve the functionality of email encryption and web messenger. What do you suggest?



  • 16.  RE: Email Encryption

    Broadcom Employee
    Posted Mar 06, 2014 07:45 AM

    Hi nashraf,

    According to the release notes Symantec Encryption Desktop 10.3.2 for Windows Release Notes - DOC7053 and Symantec Encryption Management Server 3.3.2 Release Notes - DOC7056, there is no mention of Office 365 under the Mailserver requirement for SESM, only the notes for SED mention compatibility with Office 365 Cloud Server.

    Perhaps will help if you review the Symantec Encryption Management Server 3.3.2 Installation Guide - DOC7067. See in particular the "Non-mailstream Placement Configuration" section.

    Regarding the high availability, check HOW TO: Ensure High Availability in a PGP Universal Server Cluster - TECH193552.


  • 17.  RE: Email Encryption

    Posted Mar 06, 2014 09:28 AM

    Look up internal placement for the Universal Server.  They are what you should be looking at using if you have a hosted email solution