MailSealer Policies

Policies determine how the REDDOXX Appliance handles incoming e-mails regarding encryption and signing.

  • Policies are applied in order from top to bottom and can be sorted via drag & drop.
  • E-mail addresses can be set either individually or with the wildcard *, e.g. *@domain.tld, or *@* for all addresses.
  • For an outgoing policy, the outgoing addresses should contain at least *@* rather than a bare *. A bare * also matches outgoing messages that have no sender address; the MailSealer would then try to find a MailSealer licence for this non-existent sender, and those messages would not be sent.
  • A meaningful comment for the policy is recommended.
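An added illustration of the top-to-bottom policy matching and the * versus *@* pitfall described above; this is example code, not REDDOXX code. The matching semantics are assumptions: patterns are compared case-insensitively, a policy matches when any of its sender patterns and any of its recipient patterns match, and an empty string stands for a message without a sender address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    name: str
    senders: List[str]     # address patterns; '*' is the only wildcard
    recipients: List[str]
    enabled: bool = True


def address_matches(pattern: str, address: str) -> bool:
    """Match one address pattern; '*' matches any run of characters, even none."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, address, flags=re.IGNORECASE) is not None


def first_matching_policy(policies: List[Policy], sender: str,
                          recipient: str) -> Optional[Policy]:
    """Policies are evaluated top to bottom; the first enabled policy whose
    sender list and recipient list both match wins (assumed semantics)."""
    for policy in policies:
        if not policy.enabled:
            continue
        if any(address_matches(p, sender) for p in policy.senders) and \
           any(address_matches(p, recipient) for p in policy.recipients):
            return policy
    return None


# Constructed sample policy lists. "" stands for a message without a sender
# (the case the bullets above warn about): it never matches *@*, so the
# MailSealer does not go looking for a licence for a non-existent sender.
POLICIES = [
    Policy("Partner: force encryption", ["*@example.com"], ["*@partner.example"]),
    Policy("Catch-all", ["*@*"], ["*@*"]),
]
# Same catch-all written with a bare *, which also matches the empty sender.
BAD_POLICIES = [Policy("Catch-all with bare *", ["*"], ["*@*"])]
```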

The following steps are necessary for an outgoing policy:

  1. Click Add and set a descriptive name for the policy.
  2. Select Outgoing as the direction.
  3. If desired, exclude calendar invitations from encryption. Encrypting them can cause the decrypted mail to appear empty in the mailbox, especially for recipients using Outlook, because Outlook then no longer recognises the calendar type.
  4. Switch to the Addresses tab and enter the sender and recipient addresses line by line, one below the other.
    Wildcards are also possible here.
  5. Switch to the Sign tab and choose one of the following three options:
    • Force signature: if signing is not possible (if the sender's public key is missing), the e-mail is bounced back to the sender.
    • Sign if possible: if no public key of the sender is available, the e-mail is sent unsigned; the sender is not informed.
    • Do not sign: the e-mail is sent unsigned.
  6. Switch to the Encryption tab and select from the following options:
    • Force encryption: if encryption to a recipient is not possible, the sender is notified.
    • Encrypt if possible: recipients for whom encryption is not possible receive the e-mail unencrypted.
    • Do not encrypt: the e-mail is not encrypted but sent in plain text.
  7. If "Force encryption" is activated for an encryption policy, "Must be encrypted for all recipients" can also be activated.
    If, for example, two recipients of the same message fall under different policies, this setting prevents an unencrypted copy from being sent to one of them; the option then forces encryption for all other recipients as well.
  8. Save the policy with Save.

Optionally, you can now re-open the policy and set it to disabled if it is not to be used at this time.

When several encoders are selected at the same time (S/MIME + PGP), the encoder used depends on the selected signing and encryption variant as follows:

Signing       Encryption     Used encoder
------------  -------------  ---------------------------------------------------------------------------
Force         Force          The first encoder that can sign and encrypt is used.
If possible   Force          The first encoder that can sign and encrypt is used. If no encoder can do both, the first encoder that can encrypt is used.
No signing    Force          The first encoder that can encrypt is used.
Force         If possible    The first encoder that can sign and encrypt is used. If no encoder can do both, the first encoder that can sign is used.
If possible   If possible    The first encoder that can sign and encrypt is used. If no encoder can do both, the first encoder that can encrypt is used. If no encoder can encrypt, the first encoder that can sign is used.
No signing    If possible    The first encoder that can encrypt is used.
Force         No encryption  The first encoder that can sign is used.
If possible   No encryption  The first encoder that can sign is used.
No signing    No encryption  No encoder is required.
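The encoder selection from the table above, as an added Python illustration (example code, not REDDOXX code). It assumes that whether each encoder can sign or encrypt a given message (key or certificate availability) is already known, and that encoders are passed in their configured order; the table does not say what happens when Force/Force finds no encoder that can do both, so that case returns None here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Encoder:
    name: str          # e.g. "S/MIME" or "PGP"
    can_sign: bool     # sender key/certificate available for this message
    can_encrypt: bool  # key/certificate available for every recipient

# Policy settings, mirroring the rows and columns of the table.
FORCE, IF_POSSIBLE, NO = "force", "if_possible", "no"

def select_encoder(signing: str, encryption: str,
                   encoders: List[Encoder]) -> Optional[Tuple[str, bool, bool]]:
    """Return (encoder name, will_sign, will_encrypt) per the table, walking the
    encoders in their configured order; None means no encoder is used."""
    both = [e for e in encoders if e.can_sign and e.can_encrypt]
    signers = [e for e in encoders if e.can_sign]
    encrypters = [e for e in encoders if e.can_encrypt]
    want_sign, want_enc = signing != NO, encryption != NO

    if want_sign and want_enc:
        if both:
            return both[0].name, True, True
        if signing == FORCE and encryption == FORCE:
            return None  # not covered by the table; assumed not possible
        if encryption == FORCE:                 # If possible / Force
            return (encrypters[0].name, False, True) if encrypters else None
        if signing == FORCE:                    # Force / If possible
            return (signers[0].name, True, False) if signers else None
        if encrypters:                          # If possible / If possible
            return encrypters[0].name, False, True
        return (signers[0].name, True, False) if signers else None
    if want_enc:                                # No signing / Force or If possible
        return (encrypters[0].name, False, True) if encrypters else None
    if want_sign:                               # Force or If possible / No encryption
        return (signers[0].name, True, False) if signers else None
    return None                                 # No signing / No encryption

# Constructed case: the sender has an S/MIME certificate but no PGP key, and the
# recipient has only a PGP key, so neither encoder can both sign and encrypt.
ENCODERS = [Encoder("S/MIME", can_sign=True, can_encrypt=False),
            Encoder("PGP", can_sign=False, can_encrypt=True)]
```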

The following steps are necessary for an incoming policy:

  1. Click Add and set a descriptive name for the policy.
  2. Select Incoming as the direction.
  3. Set "Forward mail unchanged" if you want the client to take care of decryption.
  4. Switch to the Addresses tab and enter the sender and recipient addresses line by line, one below the other.
    Wildcards are also possible here.
  5. Save the policy with Save.

By default, the appliance decrypts e-mails automatically and without a policy if the keys necessary for decryption are available.
Incoming policies are therefore only necessary if, for example, decryption is to take place at the client via "Forward mail unchanged".

With the Encoding Options the encryption settings can be adjusted in detail based on the recipient addresses.
It is also possible to override the default settings of the MailSealer.
This is useful if, for example, communication with certain recipients explicitly requires different algorithms, or if so-called gateway certificates are to be used.

The following steps are necessary to adjust the encryption options:

  1. Click on Add.
  2. Give the policy a suitable description.
  3. Select which encryption methods (S/MIME, PGP, REDDCRYPT) are to be used and adjust the order of processing via drag & drop.
  4. Enter the e-mail addresses of the recipients for which this encryption policy is to be applied, line by line.

Then switch to the respective tabs of the encryption methods and adjust them, provided they were activated in step 3.

S/MIME tab:

  • Here you can adjust the algorithms used for encryption and signature, if required by the other party.
  • Select a private certificate in the "Forced signing certificate" area if all e-mails sent via this policy are to be signed with a specific private certificate
    (e.g. if you as the sender do not want to sign with your own certificate but with the certificate of another address, such as an info mailbox).
  • In the "Forced encryption certificate" section, select a public certificate of the remote station if all e-mails sent via this policy are to be encrypted with that public certificate (this is often referred to as encryption via gateway certificate).
  • Save the settings with Save.

PGP tab:

  • Here you can adjust the algorithms used for encryption and signature, if required by the other party.
  • Save the settings with Save.

REDDCRYPT tab:

  • Select whether users are to be created automatically in your REDDCRYPT organisation (Auto create Accounts); sufficient licences must be available for this.
    In addition, the domain must be configured as trustworthy in the REDDCRYPT portal (https://app.reddcrypt.com/settings/organization/trusted-domains) via a TXT DNS record, under Settings -> My organisation -> My domains.
  • Select whether e-mails are to be sent directly (instead of via the REDDCRYPT Portal); e-mails sent this way will not be visible in other REDDCRYPT applications.
    This option is only recommended if the other party also uses a REDDOXX Appliance as encryption gateway.
  • Select whether a random password is to be generated each time for recipients who do not yet have a REDDCRYPT account (Create random One Time Encryption Key) or whether a fixed one is to be used.
    If random passwords are used, the sender receives an e-mail with the generated password, which must be communicated to the recipient by another channel so that the recipient can read the encrypted e-mail.
  • Save the settings with Save.

With the Decoding Options, the decoding settings can be adjusted in detail based on the sender addresses.
This is useful if communication with certain recipients is to take place via so-called gateway certificates, for example.

The following steps are necessary to customise the decoding options:

  1. Click on Add.
  2. Give the policy a suitable description.
  3. Select whether the e-mail should be sent back to the sender if the signature is invalid.
  4. Enter the e-mail addresses of the senders for which this decryption policy is to be applied, line by line.

Then switch to the respective tabs of the decryption methods and adjust them as required.

S/MIME tab:

  • Select whether certificate validation should be disabled (Disable certificate validation).
  • Select whether signatures attached to an e-mail should be removed from the e-mail (Remove detached signature from message).
    This means that these signatures will not be displayed in the receiving e-mail clients.
  • With Allowed signing certificate you select a public certificate of the remote station that is also accepted for signature verification.
  • Save the settings with Save.

PGP tab:

  • Select whether the validity check of the OpenPGP keys should be deactivated (Disable key validation).
  • Select whether signatures attached to an e-mail should be removed from the e-mail (Remove detached signature from message).
    This means that these signatures will not be displayed in the receiving e-mail clients.
  • Save the settings with Save.

REDDCRYPT tab:

  • If you use two REDDOXX Appliances together as a REDDCRYPT gateway and a fixed encryption password is stored in the sending REDDOXX Appliance (in the Encoding Options of the sending appliance), set the same encryption password here.
  • Save the settings with Save.