This article details Symantec Secure PDF Messenger, which is one of the features available when using Symantec Encryption Management Server (PGP Server) in the mailstream/Gateway Email. Using this feature enables users to send secure content to recipients who do not have PGP software installed using Portable Document Format (PDF).
The PGP Server can provide the storage of copies of messages sent as Secure PDFs on the PGP Server. This option allows recipients to access the stored messages through Web Email Protection (WEP), which is a secure inbox for external recipients.
This article goes over this functionality.
For a lot of great information on Web Email Protection, see the following article:
PGP Gateway Email or the PGP Server in Gateway Placement, can encrypt existing PDFs sent by the user, or also create secure PDFs out of normal email content. The design of this system enables secure delivery certification, ensuring that successful delivery of the message content to the recipient can be recorded at the PGP Server if selected by an Administrator.
Recipients receive Secure PDFs delivered to their inbox via the PGP Server, which can convert plain text email to PDF format and encrypts to the Web Email Protection passphrase. This PDF is then attached to the message by the PGP server.
If the email already has a PDF attachment, the PDF is encrypted to the recipient's passphrase, and the message body is not converted. If the email has a non-PDF attachment, the plain text body of the email is converted to Secure PDF. The non-PDF attachment is not converted, but is attached to the Secure PDF. The recipient can read the attachment by first opening the Secure PDF.
Note: Secure PDF may not open properly with macOS Preview, so it's best to use a proper reader like Adobe Acrobat Reader to view this content.
If a Secure PDF recipient does not have an existing PGP Web Email Protection account, the recipient receives a message generated by the PGP Server requesting that the recipient create a passphrase. After the recipient creates the passphrase, the Secure PDF is delivered.
When the recipient opens the Secure PDF, a password dialog appears in Adobe Acrobat. The recipient enters this passphrase and the PDF will then open. Existing PGP Web Email Protection users who receive a Secure PDF for the first time will receive a notification email requiring confirmation of the passphrase.
Aside from the Certified Email Delivery feature of PDF Messenger, emails can be secured to the contents of an encrypted PDF file. This means that if the message should be encrypted, PDF Messenger can be used to encrypt. One of the advantages of doing this is to have the contents of the message included in the PDF itself, and is not stored on the PGP Server secure inbox for the user.
If you look at the options for PDF Messenger, you'll see the following options:
As you can see above, PDF Email Protection has a few options. We'll first discuss the delivery options as they relate to "Replies". This will be located under the Consumer Policy and "Web Email Protection" options:
In order to include PDF Email Protection as a delivery option, this needs to be enabled. The additional settings allow for different functionality for end users:
"Provide users with the option to save Secure Reply messages on the server" -- This option allows the user to specify whether they want to save secure reply messages on the server or not. These will be saved to the Web Email Protection Inbox. This requires additional storage on the PGP server, but gives you more options to access past information
"Enable the "save Secure Reply messages" option by default -- This will enable the above setting by default so the user does not have to check the box and replies are saved in the Web Email Protection Inbox. This also requires additional storage as the previous setting does.
The next settings we want to discuss are a little further down in the policy:
"Retain sent PDF Email Protection messages on the Symantec Encryption Server and make them available to recipients through Web Email Protection" -- This setting as listed does much what it says. When the PDF Messenger message is sent to the recipient, the secure information is also stored in the recipients Web Email Protection Inbox. This will require additional storage and the user needs to know how the WEP feature works to retrieve their information.
"Require user authentication for Certified Delivery" -- This feature is discussed in more detail above.
"Discard Secure Reply information after X days" -- This will remove the reply messages saved in Web Email Protection. If it shows 90 days, these secure replies will be stored for 90 days and then will be removed.
The next location to view PDF Messenger settings are in the Mail rules. To view these rules, click on "Mail", then "Mail Policy".
Mail Rules for PDF Messenger could be different in your environment, but in a default setup, most likely these will be located under the "Outbound: Secure Message" Chain.
Once you click here, you will notice a default rule "Deliver To Known PDF Email Protection Users":
When you click on this rule, you will see this rule will be invoked only for users who have already set the designation to receive PDF Messenger emails as the delivery preference:
Click the Actions to see that if someone has chosen PDF Messenger, this will be invoked:
We will now review the settings listed here:
Encrypt body text and all attachments - As this describes, this will ensure that the email will encrypt both the body of the email and the text. The result will be an encrypted attachment called "PGPMessage.pdf". If you want to have both message body and attachments encrypted, then check this box.
This option is not the default and is not enabled because the default behavior will assume the message body will *not* need to be encrypted and is more of a form letter, but the attachments *do* need to be encrypted. If you leave this check box unchecked, then the recipient will receive the message with the original subject, and the body of the message will not be encrypted, and the attachment *will* be encrypted, but will retain its original attachment name (and not PGPMessage.pdf).
Require Certified Delivery - With this attachment, you can see that this is to require the recipient to enter a password that is sent along with the message in a readmefirst.html as described in the KB above.
Symantec Secure PDF Messenger also includes the capability of "Certified Email Delivery" so that emails sent are received and can then provide a read receipt to the sender.
Symantec PDF Email Protection with Certified Delivery creates and logs a delivery receipt when the recipient obtains the passphrase, or opens the message initially in Web Email Protection.
Certified Delivery messages are converted to secured PDF format, and must be opened with a passphrase. The original message is converted to PDF in the same way as the regular Symantec Secure PDF Messenger Email feature.
The recipient email contains two attachments: the message PDF and an HTML link called "Read Me First.html". The recipient retrieves the Symantec PDF Email Protection passphrase by clicking the readmefirst.html link.
The Symantec Encryption Management Server creates and logs the delivery receipt when the recipient obtains the passphrase (or accesses the message via Web Email Protection). You can download all delivery receipt logs from the External Users page. To specify how long the Symantec Encryption Management Server stores delivery receipts, see Configuring the Symantec Encryption Web Email Protection Service.
There are two ways to generate a passphrase:
User authentication not required: When the recipient clicks the readmefirst.html link, a web page appears with a randomly generated single-use passphrase. The user copies and pastes that passphrase into the Symantec PDF Email Protection passphrase field to open the PDF. Each passphrase is used only once, and all previously used passphrases are stored. This secure method does not require the user to create a login credential.
User authentication required: If you require login authentication, the recipient must create a Symantec Encryption Web Email Protection passphrase and log in using it to obtain the single-use passphrase that opens the Symantec PDF Email Protection message. When the recipient clicks the readmefirst.html link, a Symantec Encryption Web Email Protection passphrase creation page appears. When the user creates a passphrase, a web page appears with a randomly generated single-use passphrase. The user copies and pastes that passphrase into the Symantec PDF Email Protection passphrase field to open the PDF.
To require that certain external user groups use login authentication to open a Certified Delivery message, from Consumer Policy, select the policy you want to change, choose Symantec Encryption Web Email Protection and enable Require user authentication for Certified Delivery.
This option is not available when message processing is on the client unless Out Of Mail Stream support (OOMS) is enabled on the Messaging & Keys tab of Consumer Policy, or unless Symantec Encryption Management Server is in the outbound mail stream.
Add Secure Reply Link - This link provides a way for users to reply back to the PDF Messenger Message in a secure way. This will require the user to login to their Web Email Protection Inbox and then all replies back will be secured when done inside the Web Email Protection inbox. this will also provide a way for users to reset their passwords easily, or change the delivery preference.
Note: If your users opt to change their messaging type in their Settings page, be sure they have a copy of their messages downloaded as their messages may be removed from the SEMS Database: