The menu item Mail Processing is used to configure the ruleset of the SEPPmail Secure E-Mail Gateway.
This set of rules is comparable to a workflow system and represents the central element of the SEPPmail Secure E-Mail Gateway.
To set up specific encryption methods for individual targets, Edit policy table... provides access to the submenu . This submenu can be used to define corresponding rules, also separated by clients.
(new in 13.0.0)
Via Edit extended fields..., the submenu is available. Here, additional configuration fields can be defined, with which indicators (general or specific for the Managed Domain or the Customer) can be created that later can be used to trigger specific behaviours via the SMTP Ruleset.
Sections on this page:
Displays the creation data of the active ruleset.
Parameters |
Description |
|
|---|---|---|
Displays the firmware version with which the current ruleset was created and/or uploaded. |
||
Displays the user who has activated the current ruleset. |
||
Displays the activation date of the current ruleset. |
||
Displays how the ruleset was created. |
||
|
Via Generate ruleset with the settings displayed and/or made under Ruleset generator. |
|
Via Upload Ruleset |
||
Accessing Show ruleset displays the Ruleset code. |
||
Generate Ruleset generates a ruleset with the settings displayed and/or made under Ruleset generator.
|
If a ruleset of the Type "Upload" is active, Generate Ruleset is greyed out. To be able to change the Type to "Generator", in the Ruleset generator, the button Save must be clicked twice! |
Upload ruleset... imports a code that may have been written manually with the help of the Reference Of The Ruleset Instructions from the selected file.
Generally, this is not recommended, since this ruleset may have to be adapted during version updates. It usually makes more sense to adapt the code individually using Custom commands of the Ruleset generator.
Other settings.
Parameters |
Description |
|||
|---|---|---|---|---|
|
Enables access to the encryption certificates of external communication partners available on the SEPPmail Secure E-Mail Gateway, which are listed under X.509 Certificates.
|
|||
|
Default setting.
|
|||
Activates the LDAP key server function of the SEPPmail Secure E-Mail Gateway for the certificates listed under X.509 Certificates. |
||||
|
This option is inactive by default and pre-set to "sendpgpkeys". If an OpenPGP key pair is created for a user on the SEPPmail Secure E-Mail Gateway, irrespective of whether this is done manually or automatically (see section Ruleset generator of this menu under Key generation, the option Issue local OpenPGP keys for users), by activating this option, the public key of the automatically generated key pair is sent to the newly created user using the selected email template (please also refer to ). This enables this user to pass on their public key to communication partners themselves. These are, in turn, enabled to communicate with this user in an OpenPGP-encrypted manner. The email template used for sending can be individually overridden for each Managed domain (see Send OpenPGP keys). The sender of this email is the global postmaster, if no individual postmaster has been stored.
|
|||
The changes made are saved via the Save button.
With the Ruleset generator, a "workflow system" is defined for incoming and outgoing emails.
|
When using frontend servers (see Cluster Add this device as frontend server), every change in the Ruleset generator is to be made public by saving at the frontend server again (Generate Ruleset). |
The input fields available in this section for subject line keywords (text in subject) are to be filled with "regular expressions". This means special characters must be marked as such with a backslash "\". It is possible to string several keywords together by separating them with the pipe character "|".
Example:
If as subject line keywords <abc> are to be used, this must be entered as follows: \<abc\>
If as subject line keywords |<abc> and also [def] are to be used, this must be entered as follows: \<abc\>|[def]
(see also Regular Expressions)
Upper/lower case is ignored when entering the keyword in the subject line.
When using the COM Add-In for MS Exchange/Outlook on premises in the subject line mode (see Registry value "subject-mod=1”), care should be taken to ensure that when the keywords are changed in the SEPPmail Secure E-Mail Gateway, these are either added as additional values, or the values in the add-in (see Registry values "s-sm...") are adapted to the values of the appliance.
If the MS Outlook Cross-Platform-Add-In and/or COM Add-In for MS Exchange/Outlook on premises are run in X-Header mode (see Registry value "subject-mod=0"), it should be noted that the function triggered by the respective X-header is also active in the Ruleset generator.
|
Generally, all keywords defined here are removed from incoming emails, i.e. emails which do not originate from a Managed domain. This means that no external control commands can be transferred to the appliance, nor can cryptographic actions performed by the appliance (decryption, verification of signatures) be simulated. |
|
To prevent a creation of undefined conditions on the appliance, the simultaneous use of different and, in particular, contradicting control characteristics (key words, (X) headers) in outgoing emails must be avoided! Additionally, a keyword cannot be used to control two actions at the same time. |
Parameters |
Description |
||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
By default, this option is active and set to \[plain\]. If this option is active and the specified keyword is found in the subject of an outgoing email, it will be forwarded in a cryptographically untreated manner. The ruleset will not continue to run through. This may make sense if all of the following conditions are met: •Setting Always use S/MIME or OpenPGP if user keys are available active •The sender knows that the recipient can temporarily only receive emails on a mobile terminal device •The content of the email is not confidential |
|||||||||||||
(in 12.0 moved to Settings Disclaimer Initial disclaimer) |
|||||||||||||
(in 12.0 moved to Settings Disclaimer Reply disclaimer) |
|||||||||||||
|
reprocess@ decrypt.reprocess |
By default, this option is active. Enables a recipient to send an encrypted email from their inbox to the SEPPmail Secure E-Mail Gateway again for decryption. For this purpose, the encrypted email is to be attached to a new (carrier) email and sent to the address reprocess@decrypt.reprocess. "reprocess@decrypt.reprocess". The SEPPmail Secure E-Mail Gateway discards the carrier email, and the original, encrypted message in it is processed again and delivered. Naturally, one precondition is that the required private key for decryption on the SEPPmail Secure E-Mail Gateway is known. Application examples include: •Direct forwarding of encrypted emails to the internal email server if the appliance fails •Migration of local key material on the clients to the SEPPmail Secure E-Mail Gateway in the case of the simultaneous retention of encrypted emails in the inboxes of the recipient Likewise, this command allows OpenPGP to decrypt encrypted files from the file system by sending them as an email attachment to this address. |
||||||||||||
By default, this option is inactive. By activating this item, marks set by the appliance (e.g. see Add this text to message subject after decryption or Add this text to message subject if S/MIME signature check succeeds:) are placed at the beginning instead of the end. |
|||||||||||||
By default, this option is active. Activates the display of the subject line in Logs. This often simplifies the error analysis. However, for revision-related reasons, it might be prohibited in some cases. |
|||||||||||||
|
|
|||||||||||||
|
Users must be created manually on the appliance - if necessary also by bulk imports (see Administration Bulk Import Import users (CSV), Import X.509 keys and certificates and/or Import OpenPGP key pairs).
|
||||||||||||
Default setting. Senders who mark an email as to be encrypted or to be signed using an appropriate feature and who are not yet present as users (see Users) on the SEPPmail Secure E-Mail Gateway are automatically created. When using this option, it is to be ensured that sufficient free user licences are available (see Home Licenses Encryption/Signature licenses). If the number of available licences is exceeded, emails are rejected (bounced) with the information message "license violation" and a watchdog notification is created.
|
|||||||||||||
Each sender who sends an email via the SEPPmail Secure E-Mail Gateway is created as a user unless already present. It does not matter whether encryption/signing was requested or not. This setting is suitable, for example, for signing all emails from a company in general. Of course, it must then also be ensured that the users created here are provided with the corresponding key material (see also Key generation). This option can also be used if the SEPPmail Secure E-Mail Gateway is not directly located in the email flow but it is already decided via an upstream component which emails are to be treated cryptographically and only those are transferred to the SEPPmail Secure E-Mail Gateway.
|
|||||||||||||
|
|||||||||||||
Default setting. This option does not distinguish between outgoing emails from third-party or Managed Domains (see Mail System Managed domain). That is that, if an email contains an address in the FROM header which does not originate from a Managed domain, users are also created for senders of external addresses, provided that an option for automatic user creation (see above) is selected.
|
|||||||||||||
This option always sends emails by external senders unchanged, i.e. "plain" (see also General settings Do not touch mails with the following text in subject:).
|
|||||||||||||
This option rejects any emails from third-party senders. |
|||||||||||||
|
|
|||||||||||||
By default, this option is inactive. Automatically creates an OpenPGP key pair. |
|||||||||||||
|
S/MIME certificates for users |
By default, this option is inactive. Automatically generates an S/MIME key pair. The public key is signed by the local CA (self-signed certificate). |
||||||||||||
|
By default, this option is inactive. Automatically generates an S/MIME key pair. The public key is signed by the CA set under MPKI.
|
||||||||||||
|
|
|||||||||||||
By default, this option is active and has the keyword \[secure\] stored. Incoming emails which are decrypted by the SEPPmail Secure E-Mail Gateway are marked with the keyword in the subject line.
|
|||||||||||||
By default, this option is inactive. For incoming emails which are decrypted by the SEPPmail Secure E-Mail Gateway, the header "Sensitivity" with the value "Company-Confidential" is set. |
|||||||||||||
|
S/MIME decryption fails |
By default, this option is active. Incoming, encrypted emails are rejected (bounced) if they could not be decrypted by the SEPPmail Secure E-Mail Gateway.
|
||||||||||||
|
|
|||||||||||||
By default, this option is active and has the keyword \[confidential\] stored. If the specified keyword is found in the subject line of an outgoing email, it will be encrypted.
|
|||||||||||||
By default, this option is active. If an outgoing email includes the header "Sensitivity" with the value "Company-Confidential", the email will be encrypted. |
|||||||||||||
|
This option is active by default and has the keyword \[priv\] stored. If the specified keyword is found in the subject line of an outgoing email, encryption is enforced using the GINA technology.
|
||||||||||||
|
By default, this option is inactive. If an outgoing email includes the header "Sensitivity" with the value "Private", encryption is enforced using the GINA technology.
|
||||||||||||
|
By default, this option is inactive and has the keyword \[emptypw\] stored. If the indicated keyword is found in the subject line of an outgoing email, no initial password will be required for the initial use of the GINA technology. This means that, in some cases, GINA version 2a (see Different Registration Types) is activated. |
||||||||||||
|
S/MIME or OpenPGP if user keys are available |
By default, this option is active. Outgoing emails are always encrypted if a public key – S/MIME (see X.509 Certificates) or OpenPGP (see OpenPGP Public Keys) – is available for the communication partner (recipient).
|
||||||||||||
By default, this option is inactive. Calendar entries as well as RTF-formatted emails are excluded from the automatic encryption of the higher-level option.
|
|||||||||||||
|
By default, this option is inactive. Outgoing emails are always encrypted by means of the GINA technology, provided that the SEPPmail Secure E-Mail Gateway does not have a public key – neither S/MIME nor OpenPGP – but a GINA account is available for the communication partner (recipient). |
||||||||||||
|
By default, this option is inactive and has the keyword \[noenc\] stored. If the specified keyword is found in the subject line of an outgoing email, any encryption is suppressed in any case. Other cryptographic actions (signing) are not affected. |
||||||||||||
By default, this option is inactive. Emails sent from one Managed Domains to another are marked as "secure" (please also refer to Incoming e-mails Add this text to message subject after decryption).
|
|||||||||||||
By default, this option is inactive. TLS encryption is recognised as a valid email encryption option for target domains which have been entered under Mail System TLS Settings with more stringent security settings than "may". Thus, the Encryption Hierarchy of these target domains changes as follows (please refer to point 5.): 1.Verified S/MIME certificate of the recipient 2.Verified public OpenPGP key of the recipient 3.Verified S/MIME domains certificate of the recipient domain 4.Verified public OpenPGP domains key of recipient domain 5.TLS encryption higher than "may" - whereby this is also used if one of the higher-priority methods has already been applied. If none of the previous (standard) methods are available 6.GINA with stored recipient password 7.GINA with initial password
|
|||||||||||||
|
S/MIME encryption |
By default, this option is inactive. Global use of OAEP as a padding method for signing via S/MIME (see also https://en.wikipedia.org/wiki/Padding) and https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding). OAEP is downward-compatible. |
||||||||||||
|
S/MIME encryption: |
By default, this option is inactive. When enabled, the algorithm of the session key used for S/MIME encryption can be selected via this selection menu. If this setting remains deactivated, Triple-DES is used.
|
||||||||||||
Lowest security standard but highest compatibility (e.g. with Outlook 2003 and earlier, secure-email-gateway manufacturers which only support this cipher for Domain encryption or hardware used by the recipient (e.g. card reader)). |
|||||||||||||
Partially still required (for example EDIFACT) |
|||||||||||||
Partially still required (for example EDIFACT) |
|||||||||||||
Default setting. Current security standard. Should be supported by all common email clients in their current version. |
|||||||||||||
Specifies the method for OpenPGP encryption based on domain keys (see also OpenPGP Public Keys Local OpenPGP Keys.
|
|||||||||||||
With inline PGP, each attachment of an email - whereby the email body is also an attachment - is encrypted separately.
Advantage: Inline PGP is supported by most open source products and thus increases the compatibility among the communication partners.
Disadvantage: Formatting problems, e.g. the content of inline tables are displayed, but not the table itself.
|
|||||||||||||
Default setting. PGP/MIME encrypts the entire email (as with S/MIME).
Advantage: No formatting problems.
Disadvantage: Possible compatibility problems and thus illegibility of the email at the communication partner. |
|||||||||||||
Specifies the method for OpenPGP encryption based on domain keys (see also Manual OpenPGP Domain Keys.
|
|||||||||||||
|
|
|||||||||||||
|
|
|||||||||||||
S/MIME signature check succeeds: |
By default, this option is inactive and has the keyword \[signed\sOK\] stored. Incoming S/MIME signed emails whose signatures have been checked by the SEPPmail Secure E-Mail Gateway and found to be OK, will be marked with the indicated keyword in the subject line.
|
||||||||||||
|
S/MIME signature check succeeds |
By default, this option is inactive. Removes the S/MIME email signature after a successful check.
|
||||||||||||
By default, this option is active and has the keyword \[signed\sINVALID\] stored. Incoming S/MIME signed emails whose signatures have been checked by the SEPPmail Secure E-Mail Gateway and found to be invalid will be marked with the indicated keyword in the subject line. In addition, under Logs Mail log a corresponding OpenSSL error is issued. |
|||||||||||||
By default, this option is inactive. Removes the S/MIME email signature after a failed verification.
|
|||||||||||||
|
By default, this option is inactive and has the keyword \[signed\sok\] stored. Incoming OpenPGP MIME-signed emails whose signatures have been checked by the SEPPmail Secure E-Mail Gateway and found to be valid will be marked with the indicated keyword in the subject line.
|
||||||||||||
|
By default, this option is inactive and has the keyword \[signed\sINVALID\ stored. Incoming OpenPGP-signed emails whose signatures have been checked by the SEPPmail Secure E-Mail Gateway and found to be invalid will be marked with the indicated keyword in the subject line. |
||||||||||||
|
(new in 12.1) |
By default, this option is inactive. Activates the "Triple Wrapping" support (see RFC2634).
|
||||||||||||
|
|
|||||||||||||
|
By default, this option is active and has the keyword \[sign\] stored. If the specified keyword is found in the subject line of an outgoing email, the email is signed using S/MIME.
|
||||||||||||
|
S/MIME certificate available |
By default, this option is active. Signs all outgoing emails (excluding calendar entries and/or RTF-formatted messages!) of SEPPmail Secure E-Mail Gateway users (Users) with a valid S/MIME certificate.
|
||||||||||||
|
By default, this option is inactive. Emails that use OpenPGP due to the Encryption Hierarchy are automatically signed with OpenPGP if the sender has a valid OpenPGP key pair on the appliance.
|
||||||||||||
|
By default, this option is active and has the keyword \[nosign\] stored. If the specified keyword is found in the subject line of an outgoing email, automatic S/MIME signing (see "Sign all outgoing mails if S/MIME certificate available") is suppressed in any case. Other cryptographic actions (encryption) are not affected.
|
||||||||||||
By default, this option is inactive. Generally, email signatures are attached in plain text. Thus, a signed email can be read without checking the signature and thus with any desired email client. With the opaque signature, the email content and the signature are stored together in a MIME part. Thus, emails with an opaque signature can be read with S/MIME-enabled email clients exclusively. |
|||||||||||||
|
(new in 12.1) |
By default, this option is inactive. Activates "Triple Wrapping" (see RFC2634) when sending emails.
|
||||||||||||
By default, this option is inactive. When enabled, the hash algorithm to be used for signing can be selected via this selection menu. If this setting remains deactivated, SHA-256 will be used.
|
|||||||||||||
Lowest level of security but highest level of compatibility. Should no longer be used as this procedure is not considered to be secure. |
|||||||||||||
Default setting (recommended). Current security standard. Usually supported by the current email client products in the context of signature verification. |
|||||||||||||
Highest level of security However, this can lead to compatibility problems on the receiver side. |
|||||||||||||
|
S/MIME signatures |
By default, this option is inactive. Global use of PSS as a padding method for Sign via S/MIME (see also https://en.wikipedia.org/wiki/Padding and https://en.wikipedia.org/wiki/Probabilistic_signature_scheme).
|
||||||||||||
|
(only functioning with the corresponding Large File Transfer (LFT) licence (see Home Licenses Large File Transfer (LFT) licenses), as well as via the GINA Domains activated Large File Transfer. |
|||||||||||||
|
By default, this option is active and has the keyword \[lfm\] stored. If the specified keyword is found in the subject line of an outgoing email, it is sent – regardless of its size – by means of the Large File Transfer (LFT) technology. This implies a valid Large File Transfer (LFT) licence |
||||||||||||
|
By default, this option is inactive and has the keyword \[nolfm\] stored. If the specified keyword is found in the subject line of an outgoing email, the use of the LFT technology is suppressed even if the set size threshold (see Large File Transfer Outgoing policy Size (in KB) above which messages are treated as large files (set to 0 to treat all messages as large files)) is exceeded. |
||||||||||||
|
(new in 14.0.0) |
In this section, the global LFT quota is defined.
These global settings can be overwritten by local settings per customer, managed domain, mail processing group and user. |
||||||||||||
Defines the global quota. LFT will not exceed this value. |
|||||||||||||
The default is "80,90,95". If the global quota exceeds one of these values, a notification email is sent. |
|||||||||||||
If activated, the global quota is strictly adhered to. If not, then only a warning is issued if the global quota is overwritten. |
|||||||||||||
|
Defines the quota per user. |
||||||||||||
If activated, users are allowed to use LFT. |
|||||||||||||
|
(only functioning with the corresponding Protection Pack (PP) licence (see Home Licenses Protection Pack (AntiSpam / AntiVirus)), as well as under Mail System Antispam according to the activated functions. |
|||||||||||||
|
By default, this option is inactive. Activates the virus scan function. Infected emails are redirected to the optional email address to be entered (quarantine). If the input field for the email address remains empty, infected emails are rejected (bounced).
|
||||||||||||
|
By default, this option is inactive. If ClamAV generates "false positive" messages after a signature update, exceptions to the virus scan can be defined here. This can be •heuristic partial check (see www.clamav.net, if applicable) •individual virus names as can be seen in the log (as regular expression, i.e. special characters are to be marked as such (see Regular Expressions). . By default, the scan engine uses the ClamAV signatures as well as other signatures from Sanesecurity (http://sanesecurity.com(see Mail System AntiSpam Enable unofficial signatures for ClamAV). |
||||||||||||
|
By default, this option is inactive. Sends notifications about any viruses found to the specified email address. |
||||||||||||
By default, this option is inactive. Emails containing Windows executable file formats will be rejected.
|
|||||||||||||
By default, this option is active. If this option is activated, ZIP archives are also searched for executable Windows file formats.
|
|||||||||||||
By default, this option is inactive. Emails that contain common executable script file formats will be rejected. |
|||||||||||||
By default, this option is active. If this option is activated, ZIP archives are also searched for executable script file formats.
|
|||||||||||||
|
|||||||||||||
|
By default, this option is inactive and has the keyword [SPAM] stored. Emails classified as SPAM are provided with the specified text in the subject line and forwarded to the recipient. The basis of the classification is the specified Tag level: (see next option).
|
||||||||||||
Selection of the SPAM detection threshold. The lower this value (0.5 to 19.5) is set, the stricter the SPAM detection criteria. By default, the value "2" is set. Low values increase the risk of false positives, so that legitimate emails may also be detected and marked as SPAM. |
|||||||||||||
|
By default, this option is inactive. Emails classified as SPAM are forwarded to the optional email address to be entered (quarantine). If the input field for the email address remains empty, the classified emails are rejected (bounced). The basis of the SPAM detection is the specified Spam level (see next option).
Infected emails are sent to the optional email address to be entered (quarantine). If the input field for the email address remains empty, infected emails are rejected (bounced).
|
||||||||||||
Selection of the SPAM detection threshold. The lower this value (0.5 to 19.5) is set, the stricter the SPAM detection criteria. By default, the value "4" is set. Low values increase the risk of false positives, so that legitimate emails may also be classified as SPAM and redirected or bounced. |
|||||||||||||
|
By default, this option is inactive. If the sender in the envelope or FROM header (or SENDER header, if applicable) of an incoming email is from a Managed domain, the email will be rejected.
|
||||||||||||
|
By default, this option is inactive. If the FROM header (and SENDER header, if applicable) of an email contains no valid email address, the email will be rejected.
|
||||||||||||
|
By means of "Header Tagging", the setting of an extended, so-called x-header and an associated value for different situations (see following options) is made possible by the SEPPmail Secure E-Mail Gateway. This extended information can be evaluated by downstream components. An example for such additional downstream email processing component could be a data loss prevention (DLP) system.
|
|||||||||||||
By default, this option is inactive. Sets the specified X header with the assigned value for all incoming and internal emails (please also refer to Set header ñ to value ñ for all internal mails). |
|||||||||||||
By default, this option is inactive. Sets the specified X header with the assigned value for all outgoing emails. |
|||||||||||||
By default, this option is inactive. Sets the specified X header with the assigned value for all internal emails, i.e. from one Managed domain to a Managed domain.
|
|||||||||||||
By default, this option is inactive. Sets the specified X header with the assigned value for all emails encrypted by the SEPPmail Secure E-Mail Gateway. |
|||||||||||||
By default, this option is inactive. Sets the specified X header with the assigned value for all emails decrypted by the SEPPmail Secure E-Mail Gateway. |
|||||||||||||
By default, this option is inactive. Sends a 1:1 copy of all emails transported via the SEPPmail Secure E-Mail Gateway before encryption and/or after decryption - to the specified email address. |
|||||||||||||
|
Using the command set defined in the Ruleset instructions, specific requirements can be added at the appropriate point in the ruleset via Custom commands.
|
|||||||||||||
By default, this option is inactive. Inserts the code in the input field at the position in the ruleset for incoming emails BEFORE decryption. |
|||||||||||||
By default, this option is inactive. Inserts the code in the input field at the position in the ruleset for incoming emails AFTER decryption. |
|||||||||||||
By default, this option is inactive. Inserts the code in the input field at the position in the ruleset for outgoing emails BEFORE the encryption. |
|||||||||||||
By default, this option is inactive. Inserts the code in the input field at the position in the ruleset for incoming GINA emails. |
|||||||||||||
By default, this option is inactive. Replaces the code for the default procedure for creating new users which has been selected under User creation. The code, provided that the option is active and upon selection of •Do not create accounts (also disables custom commands for user creation) never •Create accounts for new users if user tries to sign/encrypt will only be executed with the encryption/signature attempt •Create accounts for all users always .
|
|||||||||||||
By default, this option is inactive. Here, Macros - i.e. code blocks which are defined once and can then be used as often as desired in the Custom commands - can be created. These are placed at the top of the ruleset (see SMTP Ruleset Display Ruleset). Thus, a code may also be placed before the actual "Mail Processing". |
|||||||||||||
|
Key Server enables the additional retrieval of public keys from communication partners. Thus, if applicable, an encryption is also possible if no key material of the recipient is available on the SEPPmail Secure E-Mail Gateway but is present on the entered key server. The key server query takes place before the query of the proprietary key memory (see X.509 Certificates and/or OpenPGP Public Keys). The query is always executed by the email processing system. If this is a frontend server, it transfers the key material obtained in this way to the backend system for storage.
After saving a key server entry, another input field is displayed.
|
|||||||||||||
Selection of the key material to be queried. The search filters for a key server query are standardised for the default technologies S/MIME and OpenPGP. However, if another search filter is required, there is an option of creating a user-defined query via Custom commands, by means of the commands ldap_getpgpkeys() and/or ldap_getcerts(). |
|||||||||||||
Default setting. Selection for S/MIME key search (default search filter (mail=<email address of the recipient>))
|
|||||||||||||
Selection for OpenPGP key search. (default search filter (pgpUserID=<email address of the recipient>)
|
|||||||||||||
Regular expression which determines the target email domain for the query. For instance, if the query shall only apply to one email domain, the expression could be as follows: @my-communicationspartner.tld\.com or, if valid for several e-mail domains, also @my-communicationspartner.tld\.com|@my-other-communicationpartner.tld\.com |
|||||||||||||
Indicates the path to the key server. Several values can be entered separated by commas. In this case, the next server is automatically accessed if the previous one cannot be reached. Examples: ldap://my-communicationspartner.tld\.com ldaps://my-communicationspartner.tld\.com ldaps://my-communicationspartner.tld\.com:1636 ldaps://server1.my-communicationspartner.tld,ldaps://server2.my-communicationspartner.tld\ |
The access data must be provided by the operator of the key server. |
||||||||||||
|
(optional) |
User entitled to make queries, e.g. cn=mycompany,ou=keys,o=my-communicationspartner.tld,c=com |
||||||||||||
|
(optional) |
Password belonging to the user
|
||||||||||||
LDAP search path in which the keys to be searched are stored. |
|||||||||||||
By default, this option is inactive. Prevents the rejection (bounce) of the email if the LDAP server cannot be reached. |
|||||||||||||
|
(new in 14.0.1) |
By default, this option is inactive. If checked, any S/MIME certificate that is downloaded from the key server will be checked against the root CAs, to see if the root is complete, trusted and present. |
||||||||||||
By default, this option is inactive. Completely deactivates the GINA technology. As a result, emails marked as "to be encrypted" will be rejected if no other encryption methods (S/MIME, OpenPGP, domain) are available.
|
|||||
|---|---|---|---|---|---|
By default, this option is inactive. Disables both the user-related S/MIME as well as the OpenPGP technology. This option is to be used if only domain and/or GINA encryption is to be applied.
|
|||||
|
By default, this option is inactive. If, for revision-related reasons, the GINA part must be in a different demilitarised zone (DMZ) than the SMTP processing part, a corresponding separation of the solution by means of this option is possible. The individual functional parts can even be distributed to different locations. All GINA emails to be encrypted will then be forwarded via the pseudo email address entered here (for example GINA@GINA pseudodomain.local) to the GINA satellite in an S/MIME encrypted manner, via SMTP. |
||||
By default, this option is inactive. Defines the counterpart to the option Use remote GINA server, reachable under the following e-mail address:, i.e. the GINA satellite. The satellite appliance must have the pseudo email domain (in the example above: "ginapseudodomain.local") as additional Managed domain (see Mail System Managed Domains). Similarly, the Managed Domains of the basis system must be registered. The GINA configuration and its allocation to the Managed Domains is implemented on the satellite system (see GINA Domains Domains). |
|||||
Here, the Managed Domains of the basic system must be entered as regular expressions (see Mail System Managed Domains). The domains are separated by a pipe character "|", i.e. domain1\.tld|domain2\.tld|domainn\.tld
|
|||||
Here, the same pseudo email address is to be entered as on the "basic"system under Use remote GINA server, reachable under the following e-mail address:. |
|||||
Here, the SHA1 fingerprints of the domain certificates of the "Relay for domain:" indicated under Managed Domains are to be entered as regular expression, each separated by a pipe character "|", i.e. fingerprint1|fingerprint2|fingerprintn (see S/MIME domain encryption). |
|||||
By default, this option is inactive. Activates the Swiss Incamail service instead of the GINA technology. |
|||||
By default, this option is empty. If an entry is present, the option is displayed in red. Determines the type of the email flow. For example, the option available before version 11.1.11 Re-inject mails to sending mailserver can be called up by entering "loop" (see also Config: Re-Inject Mails To Sending Mail Server), or the option Run in queueless mode can be called up by entering "queueless" (see also Config: Queueless Mode).
Furthermore, this option can be used to map a "Custom commands for outgoing e-mails AFTER encryption" (see also Config: Custom commands for outgoing e-mails AFTER encryption). |
|||||
The changes made are saved via the Save and create ruleset button. The ruleset is generated with the settings made.
