Log TLS emails using Email Data Protection

book

Article ID: 178856

calendar_today

Updated On:

Products

Email Security.cloud

Resolution

This guide assists you in the creation of a Data Protection policy to log TLS emails. This policy passively provides you with feedback on the flow of email using TLS, especially for emails with a sender for which you don't have TLS enforcement.

An email sent using TLS will have the cipher used listed in the email headers; we will use this information to register TLS emails. This is useful in situations where you need to know if email from a specific address was received through TLS.

For more information, see TLS ciphers supported by Email Encryption.cloud

Access the Clientnet portal > Services > Data Protection

Create a policy to log TLS emails

  1. Go to Services > Data Protection > Email Policies.
  2. Click New policy.
  3. Name the policy "Log TLS emails."
  4. Configure the policy as follows:
    • Apply to: Inbound mail only
    • Execute if: All rules are met
    • Action: Log Only
    • Administrator email: Use a non-production administrator email address

      Note: This must be a non-production email because Data Protectionpolicy administrators are automatically whitelisted from all Data Protection policies to avoid mail loops.
       
    • Notifications: None
  5. Add a new Rule named "Log TLS Emails."
  6. Set the rule to ALL conditions are met.
  7. From the Add a condition drop-down list, select Content Keyword List.
  8. Name the list "Supported TLS ciphers."

    Note: The following entries are the current TLS ciphers supported by Symantec.cloud
     
    • AES128-GCM-SHA256
    • AES128-SHA
    • AES128-SHA256
    • AES256-GCM-SHA384
    • AES256-SHA
    • AES256-SHA256
    • CAMELLIA128-SHA
    • CAMELLIA256-SHA
    • DES-CBC3-SHA
    • DHE-DSS-AES128-GCM-SHA256
    • DHE-DSS-AES128-SHA
    • DHE-DSS-AES128-SHA256
    • DHE-DSS-AES256-GCM-SHA384
    • DHE-DSS-AES256-SHA
    • DHE-DSS-AES256-SHA256
    • DHE-DSS-CAMELLIA128-SHA
    • DHE-DSS-CAMELLIA256-SHA
    • DHE-DSS-SEED-SHA
    • DHE-RSA-AES128-GCM-SHA256
    • DHE-RSA-AES128-SHA
    • DHE-RSA-AES128-SHA256
    • DHE-RSA-AES256-GCM-SHA384
    • DHE-RSA-AES256-SHA
    • DHE-RSA-AES256-SHA256
    • DHE-RSA-CAMELLIA128-SHA
    • DHE-RSA-CAMELLIA256-SHA
    • DHE-RSA-SEED-SHA
    • ECDH-ECDSA-AES128-GCM-SHA256
    • ECDH-ECDSA-AES128-SHA
    • ECDH-ECDSA-AES128-SHA256
    • ECDH-ECDSA-AES256-GCM-SHA384
    • ECDH-ECDSA-AES256-SHA
    • ECDH-ECDSA-AES256-SHA384
    • ECDH-ECDSA-DES-CBC3-SHA
    • ECDH-ECDSA-RC4-SHA
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-AES128-SHA
    • ECDHE-ECDSA-AES128-SHA256
    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES256-SHA
    • ECDHE-ECDSA-AES256-SHA384
    • ECDHE-ECDSA-DES-CBC3-SHA
    • ECDHE-ECDSA-RC4-SHA
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES128-SHA
    • ECDHE-RSA-AES128-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-SHA
    • ECDHE-RSA-AES256-SHA384
    • ECDHE-RSA-DES-CBC3-SHA
    • ECDHE-RSA-RC4-SHA
    • ECDH-RSA-AES128-GCM-SHA256
    • ECDH-RSA-AES128-SHA
    • ECDH-RSA-AES128-SHA256
    • ECDH-RSA-AES256-GCM-SHA384
    • ECDH-RSA-AES256-SHA
    • ECDH-RSA-AES256-SHA384
    • ECDH-RSA-DES-CBC3-SHA
    • ECDH-RSA-RC4-SHA
    • EDH-DSS-DES-CBC3-SHA
    • EDH-RSA-DES-CBC3-SHA
    • IDEA-CBC-SHA
    • KRB5-DES-CBC3-MD5
    • KRB5-DES-CBC3-SHA
    • KRB5-IDEA-CBC-MD5
    • KRB5-IDEA-CBC-SHA
    • KRB5-RC4-MD5
    • KRB5-RC4-SHA
    • PSK-3DES-EDE-CBC-SHA
    • PSK-AES128-CBC-SHA
    • PSK-AES256-CBC-SHA
    • PSK-RC4-SHA
    • RC4-MD5
    • RC4-SHA
    • SEED-SHA
  9. Click Save.
  10. Configure the condition as follows:
    • Email contains: a number of matches for the keywords in the selected lists
    • At least: 1
    • Count only unique matches: No
    • Case sensitive: No
    • Look in: Header
  11. From the Add a condition drop-down list, select Content Keyword List.
  12. Name the list "Encrypted SMTP Check."

    Note: The following entries are also found in the headers:
    • Encrypted SMTP
    • ESMTP
    • ESMTPA
    • ESMTPS
    • ESMTPSA
    • TLSv1/SSLv3
    • TLSv1
    • Microsoft SMTP Server (TLS)
    • TLS secured channel
       
  13. Click Save.
  14. Configure the condition as follows:
    • Email contains: a number of matches for the keywords in the selected lists
    • At least: 1
    • Count only unique matches: No
    • Case sensitive: No
    • Look in: Header

Set a scheduled report

The data is available up to 30 days for reporting purposes. You can decide whether or not to set a scheduled report for this policy. Alternatively, you can run this report on a per-case basis. For example, you can provide a recipient address as criteria when setting up the options in advanced settings.

To set a scheduled report:

  1. Click Reports > Report Requests, and then click Request a new report.
  2. Name the report "TLS emails Report."
  3. Click Continue.
  4. Select Data.
  5. Select Email Detailed Report (CSV).
  6. Check Data Protection.
  7. Click Advanced Settings.
  8. Under Policy Name, ensure that the name matches the exact name of the policy (for example "Log TLS emails").
  9. Click Continue.
  10. Configure the Reporting period as follows:
    • Time zone: GMT (pick your time zone)
    • Report period: last 1 day(s) (a good value to start)
    • Schedule: Checked
    • Run the report request: Daily at 8:00AM (pick a time that suits you)
    • Every: 1 Days
    • Until: forever
  11. Click Continue.
  12. Configure the Delivery options as follows:
    • Report available: as an email attachment
    • Recipient(s): you can add up to 5 recipients
    • The other options can be left default
  13. Click Continue.
  14. Review your selections, and then click Submit request.