This article describes best practices for Symantec Encryption Gateway Email.
Outbound “From:” line validation
If Symantec Encryption Management Server (SEMS) is configured to use Server Key Mode (SKM) keys and also to digitally sign outbound email, then the upstream Message Transfer Agent (MTA) that sends outbound email to SEMS must be configured to enforce that every email message contains a valid RFC 822 “From:” header. SEMS examines this header to determine which internal user sent the message, and therefore which internal user’s key to sign with. SEMS relies on the upstream MTA to enforce that all mail claims to be from its actual sender.
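The following is an added example, not part of the original article and not Symantec code, showing the kind of check the upstream MTA needs to perform before handing mail to SEMS: the message must carry exactly one parseable “From:” header, its address must belong to an internal domain, and it must match the envelope sender the MTA already accepted. The internal domain, sample messages and envelope addresses are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Tuple

# Constructed: domains whose users hold keys on SEMS (hypothetical value).
INTERNAL_DOMAINS = {"example.com"}


def validate_from_header(raw_message: bytes, envelope_sender: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Reject anything SEMS could not safely map to a signing key."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_values = msg.get_all("From") or []
    # Exactly one From: header; zero or duplicates make the sender ambiguous.
    if len(from_values) != 1:
        return False, "expected exactly one From: header, found %d" % len(from_values)
    _, addr = parseaddr(str(from_values[0]))
    if not addr or "@" not in addr:
        return False, "From: header does not contain a parseable address"
    domain = addr.rpartition("@")[2].lower()
    # Only internal users have SKM keys, so the header must name an internal domain.
    if domain not in INTERNAL_DOMAINS:
        return False, "From: domain %s is not an internal domain" % domain
    # The header must agree with the envelope sender the MTA authenticated/accepted.
    _, env_addr = parseaddr(envelope_sender)
    if addr.lower() != env_addr.lower():
        return False, "From: address does not match envelope sender"
    return True, "ok"


# Constructed sample messages (CRLF line endings as on the wire).
GOOD = b"From: Alice <alice@example.com>\r\nTo: bob@partner.test\r\nSubject: hi\r\n\r\nbody\r\n"
MISSING = b"To: bob@partner.test\r\nSubject: hi\r\n\r\nbody\r\n"
DUPLICATE = (b"From: alice@example.com\r\nFrom: ceo@example.com\r\n"
             b"To: bob@partner.test\r\n\r\nbody\r\n")
EXTERNAL = b"From: someone@other.test\r\nTo: bob@partner.test\r\n\r\nbody\r\n"

if __name__ == "__main__":
    print(validate_from_header(GOOD, "alice@example.com"))      # (True, 'ok')
    print(validate_from_header(MISSING, "alice@example.com"))   # rejected: no From:
    print(validate_from_header(DUPLICATE, "alice@example.com")) # rejected: two From:
    print(validate_from_header(EXTERNAL, "someone@other.test")) # rejected: not internal
    print(validate_from_header(GOOD, "mallory@example.com"))    # rejected: envelope mismatch
```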
“Domain keys”
Each internal user of Symantec Encryption Management Server (SEMS) Gateway Email must have a unique key. SEMS creates one key per user by default. However, SEMS policy is highly flexible, so it is possible to configure SEMS in such a way that many users effectively share the same key. Such a key is often called a domain key, as there is one per email domain. Use of a domain key allows anyone with an email address at that domain to decrypt email sent to any other user at that domain. The practice is therefore insecure.
Denial of Service Protection
Symantec Encryption Management Server (SEMS) Gateway Email contains basic anti-denial-of-service (DoS) mechanisms. To ensure SEMS continues to run smoothly, Symantec recommends that customers ensure that all SMTP systems that SEMS will accept email from have their own anti-DoS mechanisms. Specifically, the total environment should limit the number of parallel SMTP connections processed by an individual SEMS cluster member to approximately 20-50 depending on the underlying hardware.
Opportunistic Encryption
Symantec Encryption Management Server (SEMS) supports both forced encryption policies and Opportunistic Encryption. Earlier versions of SEMS (3.1.X) shipped with Opportunistic Encryption enabled by default. With Opportunistic Encryption, SEMS encrypts email only if the recipient’s key can be found, and lets email through unprotected when no key can be found. While this protects against eavesdropping by agents that cannot interfere with key lookup traffic between multiple SEMS systems, it does not protect against more sophisticated attacks. Symantec recommends that customers ensure their mail policy’s Key Not Found setting is one of: Block, Web Email Protection, or PDF Email Protection. This ensures that all sensitive email remains secure.
Verifying signatures processed by Symantec Encryption Management Server (SEMS)
Annotations appearing inside the email body are for convenience only. Users must not rely on these annotations when determining whether to trust a message’s integrity, because a forged email message may contain annotations that look similar to the ones SEMS adds. Thus there is no way for an internal user of Gateway Email to verify the integrity of a received message.
Placement of Symantec Encryption Management Server (SEMS)
When deploying Gateway Email, always place a Message Transfer Agent (MTA) such as Symantec Messaging Gateway (SMG) between SEMS and the Internet. This lets the MTA throttle inbound email and remove spam before SEMS attempts to apply security policy. It also ensures that message delivery time does not increase the number of parallel messages being processed by SEMS, which improves total message throughput.