Encryption profile configuration

andrea.donaggio
Level 1

Hi all,
we have configured the new encryption feature using the hosted key service. All is working fine and external accounts are able to open the securedoc.html. The problem is that to open the file the user has to be connected to the Internet to download the encryption key.
Is there a way to configure the encryption profile to include the encryption key in the securedoc.html to permit offline users to open the files?
Thanks in advance.
Regards,
Andrea Donaggio

1 Reply

jaigill
Cisco Employee

You cannot open envelopes offline if encryption is performed on the ESA. However, if you have deployed an IronPort Encryption Appliance (IEA), then you may follow the following procedures:

There are two main methods for configuring offline envelopes: OfflineEnvelope and OfflineEnvelopeEnrolled. OfflineEnvelope uses a predetermined password to open the message. OfflineEnvelopeEnrolled uses registration as a means of authentication. Below are the recommended instructions for each method.

OfflineEnvelope

Adding the OfflineEnvelope Application

1) In the Admin GUI, click on the Configuration tab. Make sure Select View is on Advanced.
2) Navigate to SMTPModule->Applications. You should see Add Application at the bottom.
3) For the Name, enter "OfflineEnvelope". For the Type, select "PostX Envelope". Click the Add Application button. Your new application should show up as a link.
4) Click on the link of your new application.
5) For versions 6.2.8 and newer, change the Envelope drop-down to "Offline". For versions older than 6.2.8, make sure the Envelope drop-down is set to "Default".
6) Click Deploy Changes and Restart SMTP Adapter.

Predetermining the Password for the OfflineEnvelope

In order to predetermine the password for the envelope, the message must have an X-PostX-Key header. The value of this header will be the password for the OfflineEnvelope. You can either have this configured on the MTA before the mail gets to the PostX server or you can create a Modify Headers App to add the header. If you plan to use the Modify Headers App, make sure the message goes through this application first then link it to the OfflineEnvelope application.

For versions 6.2.7 and newer, you have the option to use a random key and embed it within the OfflineEnvelope. Thus, the end user will not even need to enter a password to open the message. If you would like to configure this, click on your OfflineEnvelope application. Then, click on the Encryption Key Lookup tab. Check both the "Embed Key in Envelope" and "UseRandomKey" checkboxes.



OfflineEnvelopeEnrolled

Adding the OfflineEnvelopeEnrolled Application

1) In the Admin GUI, click on the Configuration tab. Make sure Select View is on Advanced.
2) Navigate to SMTPModule->Applications. You should see Add Application at the bottom.
3) For the Name, enter "OfflineEnvelope". For the Type, select "PostX Envelope". Click the Add Application button. Your new application should show up as a link.
4) Click on the link of your new application.
5) For versions 6.2.8 and newer, change the Envelope drop-down to "Offline". For versions older than 6.2.8, make sure the Envelope drop-down is set to "Default".
6) Click on the Encryption Key Lookup tab.
7) Check the "Key Lookup" check box. For the Key Lookup Provider, select "userlookup".
8) Click Deploy Changes and Restart SMTP Adapter.

Setting up Registration

We can configure the server to send a registration link to new users. Keep in mind the users have to be online for this one-time registration process. To do so, we will need an Email Queue application (typically named QueueMessage). Make sure all messages are sent to the QueueMessage application which then should link to the OfflineEnvelopeEnrolled application.
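
The "configured on the MTA" option from "Predetermining the Password for the OfflineEnvelope" above, sketched as an added example (not part of the original reply and not Cisco or PostX code). It assumes the MTA can pass each message through a Python filter; the function name, password length and alphabet are hypothetical. It removes any X-PostX-Key header already on the message before stamping a freshly generated one, so the envelope password is always the value generated here.

```python
import secrets
import string
from email import message_from_bytes, policy

KEY_HEADER = "X-PostX-Key"  # header name taken from the reply above
ALPHABET = string.ascii_letters + string.digits  # assumed password alphabet

# Constructed sample message: it arrives with two sender-supplied copies of
# the header, in different letter case, to exercise the stripping step.
SAMPLE = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Q3 figures\r\n"
    b"X-PostX-Key: sender-chosen\r\n"
    b"x-postx-key: second-copy\r\n"
    b"\r\n"
    b"See attached.\r\n"
)


def stamp_envelope_key(raw: bytes, length: int = 20):
    """Return (message_bytes, password) with exactly one X-PostX-Key header.

    Hypothetical pre-filter: run it before the mail is handed to the
    PostX server, and deliver the returned password to the recipient
    over a separate channel.
    """
    msg = message_from_bytes(raw, policy=policy.SMTP)
    # Header lookup is case-insensitive and del removes every occurrence,
    # so no value supplied upstream survives.
    del msg[KEY_HEADER]
    # secrets draws from the OS CSPRNG; random.choice would be predictable.
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    msg[KEY_HEADER] = password
    return msg.as_bytes(), password


if __name__ == "__main__":
    stamped, pw = stamp_envelope_key(SAMPLE)
    parsed = message_from_bytes(stamped, policy=policy.SMTP)
    print("X-PostX-Key headers after stamping:", len(parsed.get_all(KEY_HEADER)))
```

Because the header value is the envelope password, the hop between this filter and the PostX server carries it in the clear unless that connection is protected.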
