This article provides best practices for Gateway Email Encryption when using Symantec Encryption Management Server.
Outbound “From:” line validation
If Symantec Encryption Management Server is configured to use Server Key Mode (SKM) keys and also digitally sign outbound email, then the upstream Message Transfer Agent (MTA) that sends outbound email to Encryption Management Server must be configured to enforce that all email messages contain a valid RFC 822 “From:” header. Encryption Management Server examines this header to determine which internal user sent an email message and thus determine which internal user’s key to sign with. The server relies on the upstream Message Transfer Agent (MTA) to enforce that all mail claims to be from the actual sender.
Each internal user of an Gateway Email Encryption Server must have a unique key and the server creates one key per user by default. However, Encryption Management Server policy is highly flexible and thus it is possible to configure Encryption Management Server in such a way that many users effectively share the same key. Such a key is often called a domain key as there is one per email domain. Use of a domain key allows anyone with an email address at that domain to decrypt email sent to any other user at that domain. The practice is thus insecure.
Denial of Service Protection
Gateway Email Encryption contains basic anti-denial-of-service (DoS) mechanisms. To ensure Encryption Management Server continues to run smoothly, Symantec recommends that customers ensure that all SMTP systems that Encryption Management Server will accept email from have their own anti-DoS mechanisms. Specifically, the total environment should limit the number of parallel SMTP connections processed by an individual Encryption Management Server cluster member to approximately 20-50 connections depending on the underlying hardware.
Encryption Management Server supports both forced encryption policies and Opportunistic Encryption. Earlier versions of Encryption Management Server (3.1.x) shipped with Opportunistic Encryption enabled by default. With Opportunistic Encryption, Encryption Management Server encrypts email only if the recipient’s key can be found and lets email through unprotected when no key can be found. While this protects against eavesdropping by agents that cannot interfere with key lookup traffic between multiple Encryption Management Server systems, it does not protect against more sophisticated attacks. Symantec recommends that customers ensure their mail policy’s Key Not Found setting is one of: Block, Web Email Protection, or PDF Email Protection. This ensures that all sensitive email remains secure.
Verifying signatures processed by Encryption Management Server
Annotations appearing inside the email body are for convenience only. Users must not rely on these annotations when determining whether to trust the message’s integrity. This is because a forged email message may contain annotations that look similar to the ones that Encryption Management Server adds. Thus there is no way for an internal user of Gateway Email to verify the integrity of a received message.
Placement of Encryption Management Server
When deploying GWE, always place a Message Transfer Agent (MTA) such as Symantec Messaging Gateway (SMG) between Encryption Management Server and the Internet. This lets the MTA throttle inbound email and remove spam email before Encryption Management Server attempts to apply security policy. It also ensures that message delivery time does not increase the number of parallel messages being processed by Encryption Management Server, thus improving total message throughput.