Determining whether a message or attachment is encrypted

book

Article ID: 224591

calendar_today

Updated On:

Products

Gateway Email Encryption Encryption Management Server

Issue/Introduction

Encryption Management Server almost always receives email from an MTA that routes only encrypted messages to it. A typical scenario of the mail flow is as follows where SEMS is Symantec Encryption Management Server and SMG is any one of Symantec Messaging Gateway, Cisco IronPort, ProofPoint, Microsoft Exchange or similar:

  • Inbound:  External Sender -> SMG -> SEMS -> SMG -> Internal Recipient
  • Outbound: Internal Sender -> SMG -> SEMS -> SMG -> External Recipient

For both Inbound and Outbound mail, SMG needs to determine when to route the message to Encryption Management Server. It does this using rules.

With Outbound mail, SMG can mirror the rules used in Encryption Management Server. By default, Encryption Management Server attempts to secure a message if:

  • The Subject contains [pgp].
  • The message is classified as Company Confidential.
  • The message is classified as Private.

If the Encryption Management Server administrator changes these default conditions, so long as the rules used by SMG are also changed, outbound mail will be routed correctly.

With Inbound mail, Encryption Management Server needs to determine if the message or a message attachment is signed and/or encrypted. Therefore SMG will also need to determine this. Otherwise, SMG will bypass Encryption Management Server and the recipient will receive an encrypted message that they cannot open.

Environment

Symantec Encryption Management Server release 10.5 and above.

Resolution

SMG will need to be able to route inbound messages that fulfil any of the following conditions to Encryption Management Server:

  1. Has a *.pgp attachment.
  2. Has a *.gpg attachment.
  3. Contains BEGIN PGP MESSAGE in the message body.
  4. Contains BEGIN PGP SIGNED MESSAGE in the message body.
  5. Has a Message.p7m attachment (only if Encryption Management Server uses S/MIME).
  6. Has a Message.p7s attachment (only if Encryption Management Server uses S/MIME).

Please see article 203838 for a list of the PGP and S/MIME encoding types supported by Encryption Management Server.

Note that many of the messages Encryption Management Server routes outbound via SMG will also fulfil the above criteria. To prevent such messages being routed back to Encryption Management Server, consider adding an X-Header to any message processed by Encryption Management Server. Please see article 216698 for details.