
This submenu is called up from the Domains section of the GINA Domains menu.

 

In this menu, the settings for the selected GINA domain can be changed individually. In addition to the technical settings, the design can be adapted to the corporate identity via the Edit GINA Layout button (see LAYOUT).

 

Sections on this page:

Secure GINA host

Master template

Admin

IDP settings

Mandatory registration fields

Initial password

Extended settings

New Webapp settings

Storage Settings

Server side caching

Default recipients

Large File Transfer

SOAP

Terms of use

Language Settings

Account login

Event login

Certificate Login

 

 

(omitted in 12.0)

Attention:

When using frontend servers (see Cluster, Add this device as frontend server), every change made in this menu must be published by saving again on the frontend server (Save).

 

Secure GINA host

 

Parameters

Description

Hostname

Unless the [default] GINA domain has been selected for editing, the hostname is already pre-filled with the value entered during the creation (see CREATE NEW GINA DOMAIN Create new GINA domain).

 

Attention:

The hostname entered here should not be changed in production! Doing so would mean that GINA emails already sent could no longer be decrypted by the recipient.

 

[ ] Use virtual hosting

This is only visible if, in the superordinate menu GINA Domains Settings Use virtual hosting: "Use domain settings" has been selected.

By default, this option is inactive.

Additional hostnames

This option is only active if Use virtual hosting has been activated in this or in the superordinate menu GINA Domains Settings RETROSPECTIVELY.

If the setting Use virtual hosting has already been selected with the initial installation, this field is visible but remains inactive (grey).

If an already productive SEPPmail Secure E-Mail Gateway is subsequently changed to Use virtual hosting, for each individual GINA interface (except [default]) the existing Hostname is to be transferred to Additional hostnames. By doing so, it can be guaranteed that already sent GINA emails can still be read by the GINA recipient.

This allows the respective GINA interface to remain accessible under the URL as it was before the change, for example

 https://securemail.msp.tld/customer1/web.app

as well as under the new URL with the FQDN entered under Hostname, for example

 https://securemail.customer1.com/web.app

 

Additional paths

(new in 13.1.)

Additional paths can be added here under which the server can be reached.

Port

This option is only active if Use virtual hosting has been activated in this or in the superordinate menu GINA Domains Settings.

In this case, a specific port can be selected for each GINA domain.

SSL Certificate

This option is only active if Use virtual hosting has been activated in this or in the superordinate menu GINA Domains Settings.

Since each GINA domain requires a separate FQDN in this setting, a suitable SSL key pair is to be used for each FQDN. It is generated and/or imported via Edit, analogously to SSL.

If no entry is made, the key pair in SSL is used.

 

The changes made are saved via the Save button.

 

 

Master template

 

This section only appears if a domain other than the [default] GINA domain is edited.

 

Parameters

Description

Master template

By selecting a master template, the settings of another GINA domain can be optionally adopted in the following sections.

If this selection is made in a section, clicking the Save button will cause the input fields of this section to be greyed out and the settings of the selected master template displayed.

 

The changes made are saved via the Save button.

 

 

Admin

 

Settings for sending GINA system messages.

 

Parameters

Description

[x] Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

Admin e-mail

The email address entered here is used as the sender for GINA password and activation emails. If the field remains empty, the internal sender of the GINA email is also used as the sender for the corresponding GINA password and activation emails.

Additionally, for the corresponding varying situations of the subsequent Password recipient option, it can be defined that, if necessary, instead of the sender of a GINA email (Send to original sender), the email address entered here (Send to admin address) will be notified.

 

Note:

We recommend using a hotline address which is set up under Users with a password and which is assigned in Groups to at least webmailaccountsadmin, so that it is able to edit GINA accounts.

In client-capable systems, the Customer administrators generally have access to their GINA accounts. Thus, the Admin e-mail should also be included in the corresponding Customer administrators.

Furthermore, leaving this field empty may cause problems with SPF filters, for instance if the SEPPmail Secure E-Mail Gateway is located centrally at a managed service provider (MSP), but the email server of the Managed domain (see column Server IP Address) of a customer/client is located on premises.

Password recipient

Determines the corresponding addressee for GINA password and activation emails for

 

For initial GINA password delivery:

the initial GINA password email which is generated during the initial GINA email delivery to a still unknown recipient.


( ) Send to admin address

The initial password is sent to the entered Admin e-mail.

(x) Send to original sender

Default setting.

The initial password is sent to the original sender of the GINA email.

For registered GINA account reset:

A password reset query of users who have already gone through the registration process upon receipt of the initial GINA email.


( ) Send to admin address

The password query will be sent to the entered Admin e-mail.

(x) Send to original sender

Default setting.

The password query is sent to the original sender of the GINA email.

 

Attention:

The original sender of the email will be extracted from the original email, provided that the GINA portal has been opened from the carrier email by opening the secure-email.html file.

If the GINA portal is opened directly, for example via https://securemail.mycompany.tld/web.app, as original sender the Creator from GINA accounts is used. Since self-registered GINA users (see Extended settings Allow account self-registration in GINA portal without initial mail) have no internal Creator for system-related reasons, a password reset without Self-Service Password Management (SSPM) will fail in this constellation.

For this reason, this option is only recommended to a limited extent in the above-mentioned combination!


( ) Send to last sender

The password request is sent to the person who last sent the GINA email.

For unregistered GINA account reset:

A password reset query of users who have not yet gone through the initial GINA email registration process.

 

Note:

If no initial password is used (Initial password Password length has been set to "0" or the option Mail Processing Ruleset generator Encryption Outgoing e-mails "Create GINA users with empty password if the following text is in the subject:" is active and the corresponding trigger has been set in the initial GINA email), when attempting a password reset, a combination of the messages from msgid "no_reset" and "secmail_or_gosupport" (see EDIT TRANSLATIONS FOR LANGUAGE Edit translation file) will be issued.


( ) Send to admin address

The password reset email is sent to the entered Admin e-mail.

(x) Send to original sender

Default setting.

The password reset email is sent to the original sender of the initial GINA email.

 

The changes made are saved via the Save button.
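The recipient rules for a registered account reset, including the failure case from the Attention box, written out as a small decision model. This is an added example, not SEPPmail code; the field names, the outcome labels, the treatment of an empty Admin e-mail and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Labels mirror the three radio buttons of "For registered GINA account reset".
ADMIN, ORIGINAL, LAST = "admin address", "original sender", "last sender"


@dataclass
class ResetRequest:
    """One reset request; field names are assumptions made for this sketch."""
    opened_from_carrier_mail: bool        # portal reached via secure-email.html
    carrier_sender: Optional[str] = None  # sender extracted from the carrier email
    creator: Optional[str] = None         # "Creator" in GINA accounts; None if self-registered
    last_sender: Optional[str] = None     # sender of the most recent GINA email
    sspm: bool = False                    # Self-Service Password Management available


def registered_reset_target(mode: str, admin_email: str,
                            req: ResetRequest) -> Tuple[str, Optional[str]]:
    """Return (outcome, address) for a reset request of a registered account."""
    if mode == ADMIN:
        # Assumption: an empty Admin e-mail leaves nobody to notify.
        target = admin_email or None
    elif mode == LAST:
        target = req.last_sender
    elif mode == ORIGINAL:
        # Carrier email present: its sender. Portal opened directly: the Creator.
        target = req.carrier_sender if req.opened_from_carrier_mail else req.creator
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    if target:
        return ("notify", target)
    # Nobody to notify: the reset fails unless SSPM is available.
    return ("self-service", None) if req.sspm else ("failed", None)


def risky_combination(mode: str, self_registration: bool, sspm: bool) -> bool:
    """True for the constellation the Attention box warns about."""
    return mode == ORIGINAL and self_registration and not sspm


# Constructed sample requests (addresses are placeholders).
FROM_CARRIER = ResetRequest(True, carrier_sender="alice@mycompany.tld",
                            creator="alice@mycompany.tld")
DIRECT_INVITED = ResetRequest(False, creator="alice@mycompany.tld")
DIRECT_SELF_REGISTERED = ResetRequest(False, creator=None)

if __name__ == "__main__":
    for name, req in [("carrier", FROM_CARRIER), ("direct", DIRECT_INVITED),
                      ("self-registered", DIRECT_SELF_REGISTERED)]:
        print(name, registered_reset_target(ORIGINAL, "hotline@mycompany.tld", req))
```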

 

 

IDP settings

(new in 12.1)

 

Defines the settings for external identity providers (IDPs) for authentication on the GINA interface.

 

Parameters

Description

[x] Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

 

SAML authentication

 

New SAML authentication

 

<Name> SAML authentication

Creating new connections to SAML IDPs can be done in the section New SAML authentication.

 

For any configurations that have already been created, a section appears with the name given when the configuration was created, that is <Name> SAML authentication.

 

[ ] Authenticate GINA users from this domain with SAML

By default, this option is inactive.

Activates the "external SAML authentication" for GINA users.

[ ] Automatically create GINA account if user can authenticate with SAML

By default, this option is inactive.

If this option is enabled, a GINA account is automatically created upon successful authentication via SAML, unless one already exists. The registration process for the initial registration is thus not necessary for the GINA users.

 

If this option is not enabled, the GINA accounts (unless there is also no alternative IDP setting or the External authentication is active) still need to be registered on the SEPPmail Secure E-Mail Gateway. Here, a local password must be set. However, this password is not used for authentication as long as authentication via IDP is active. A corresponding message is displayed during the initial registration of the account.

If, when logging in at the GINA portal, the local password is used instead of the IDP password (in this case only!), the user receives a corresponding note (see GINA Domains Domain GINA Edit CHANGE GINA SETTINGS FOR Language Settings Edit Translations Edit translation file Advanced view Edit translation file msgid "ext_auth_enabled").

 

If the option is deactivated retrospectively, the already existing GINA users will be asked to register when they next log in.

 

Attention:

On client-capable systems, the notes in Customers Notes: regarding the assignment of GINA Domains are to be considered.

Used by managed domains (drop-down)

Selection menu, via which those Managed domains can be allocated for which the respective authentication set up is to be used.

Here:

Search: the input field provides a search function for the configured Managed domains.

(un)select all: by means of select all and/or unselect all, all Managed domains can be added or removed at the same time.

[ ] / [x]: the individual Managed domains are to be selected or deselected.

IDP service name

Freely selectable name of the service set up here.

IDP metadata XML file

Specification of the path to the XML configuration file of the SAML identity provider.

SP Entity ID

Indication of the unique ID of the operator of the SEPPmail Secure E-Mail Gateway.

This ID is usually provided by the IDP.

 

Note:

The SP Entity ID always has to be entered with the prefix "spn:".

Email attribute

Indicates the attribute which contains the email address of the GINA account on the IDP side (see also User Data Email).

Name attribute

Indicates the attribute which contains the real name of the GINA account on the IDP side. If the input field remains empty, the email address from Email attribute is also entered as the real name (User Data Name) when a new GINA account is created (see also Automatically create GINA account if user can authenticate with SAML in this section).

Mobile attribute

Indicates the attribute which contains the mobile phone number of the GINA account on the IDP side. If the input field remains empty when the GINA account is created, the field User Data Mobile number also remains empty.

PKCS12 identity file

Certificate for authenticating queries to the IDP.

This file is usually provided by the IDP and has a password (see parameter PKCS12 password).

If the access to the IDP is successful, the following message appears at this point:

an operator certificate with valid password has been found.

 

Note:

As of 30 days before the operator certificate expires, a message is added to the Daily Report on the IDP side (see also Groups admin and statisticsadmin), and the status of the Daily Report is changed to IMPORTANT.

PKCS12 password

Password to activate the PKCS12 identity file - "private keys".

This is also provided by the IDP.

Login Button

Settings for the SAML login button.

 


[x] Show SAML login button

(new in 13.0.8)

By default, this option is checked.

This option can be deactivated if, for example, SAML/OAuth authentication is to be used for the LFT bypass login in the Outlook add-in, but the button for the SAML login is not to be displayed in the GINA login of the web interface.

 


Login button CSS class(es)

By default, this is set to "btn-default idp-btn".

Specifies the CSS class of the login button for further use in the GINA interface (please also refer to LAYOUT GINA CSS).

 


Login button icon

Allows you to insert an image file that is to be displayed with the login button as an icon.

 


Icon css class

By default, this is set to "idp-icon".

Specifies the CSS class of the login button icon for further use in the GINA interface (please also refer to LAYOUT GINA CSS).

Add

Add appears only in the section New SAML authentication.

Save Delete

The buttons Save and Delete appear only in the case of existing configurations, that is <Name> SAML authentication.

 

OAuth authentication

 

New OAUTH authentication

 

<Name> OAUTH authentication

Creating new connections to OAUTH IDPs can be done in the section New OAUTH authentication.

 

For any configurations that have already been created, a section appears with the name given when the configuration was created, that is <Name> OAUTH authentication.

 

[ ] Authenticate GINA users from this domain with OAUTH

By default, this option is inactive.

Activates the "external OAUTH authentication" for GINA users.

[ ] Automatically create GINA account if user can authenticate with OAUTH

By default, this option is inactive.

If this option is enabled, a GINA account is automatically created upon successful authentication via OAUTH, unless one already exists. The registration process for the initial registration is thus not necessary for the GINA users.

 

If this option is not enabled, the GINA accounts (unless there is also no alternative IDP setting or the External authentication is active) still need to be registered on the SEPPmail Secure E-Mail Gateway. Here, a local password must be set. However, this password is not used for authentication as long as authentication via IDP is active. A corresponding message is displayed during the initial registration of the account.

If, when logging in at the GINA portal, the local password is used instead of the IDP password (in this case only!), the user receives a corresponding note (see GINA Domains Domain GINA Edit CHANGE GINA SETTINGS FOR Language Settings Edit Translations Edit translation file Advanced view Edit translation file msgid "ext_auth_enabled").

 

If the option is deactivated retrospectively, the already existing GINA users will be asked to register when they next log in.

 

Attention:

On client-capable systems, the notes in Customers Notes: regarding the assignment of GINA Domains are to be considered.

Used by managed domains (drop-down)

Selection menu, via which those Managed domains can be allocated for which the respective authentication set up is to be used.

Here:

Search: the input field provides a search function for the configured Managed domains.

(un)select all: by means of select all and/or unselect all, all Managed domains can be added or removed at the same time.

[ ] / [x]: the individual Managed domains are to be selected or deselected.

IDP service name

Freely selectable name of the service set up here.

Service provider (drop-down)

This selection menu is used to select the OAUTH IDP to be connected.


Facebook

As a rule, an account must be created with the respective IDP. This then also results in the contents of the subsequent fields ID and Secret.

 

Note:

The default CSS classes of the standard GINA LAYOUT can also be downloaded under GINA CSS by clicking on Download LESS template.

This means that, if necessary, they can also be manually integrated into existing, customised GINA interfaces.

 

Attention:

If an IDP is chosen which is also an email provider (for example Google or Microsoft), there is a risk that a possible compromise of the mailbox could also allow access to its GINA messages.

 

Google

(new in 12.2)

LinkedIn

M365

(new in 12.2)

ID

Specify the ID for authenticating queries to the IDP.

This is usually generated when registering with the respective IDP, as is the associated Secret.

Secret

Password belonging to the ID.

Login button CSS class(es)

By default, this is set to "btn-default idp-btn".

Specifies the CSS class of the login button for further use in the GINA interface (please also refer to LAYOUT GINA CSS).

Login button icon

Allows you to insert an image file that is to be displayed with the login button as an icon.


Icon css class

By default, this is set to "idp-icon".

Specifies the CSS class of the login button icon for further use in the GINA interface (please also refer to LAYOUT GINA CSS).

Add

Add appears only in the section New OAUTH authentication.

Save Delete

The buttons Save and Delete appear only in the case of existing configurations, that is <Name> OAUTH authentication.

 

 

Mandatory registration fields

(new in 12.1)

 

This section offers the possibility to make registration fields mandatory that are optional in the standard.

 

Parameters

Description

[x] Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

Fields:

 

[ ] Full name

By default, this option is inactive.

If the option is activated, the "Full name" field of the registration process (see also Standard Process: Step 3 Figure 3b) becomes a mandatory field.

[ ] Mobile number

By default, this option is inactive.

If the option is activated, the field "Mobile phone number" of the registration process (see also Standard Process: Step 3 Figure 3b) becomes a mandatory field.

 

The changes made are saved via the Save button.

 

 

Initial password

 

Parameters

Description

[x] Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

Password length

 

0 is the pre-selected default value.

The password length specified here refers to the initial GINA password generated by the appliance.

If the password length is set to zero "0", no password is required for the initial GINA registration. This means that, in general, GINA version 2a (see Different Registration Types) is activated.

 

Note:

While the setting zero "0" is the most convenient, for security reasons, a value which is higher than or equal to "8" is recommended.

Possible values are between 4 and 16.

Initial password via SMS:

(new in 12.2)

If the SMS password sending (see SMS passwords) is active, this option offers the possibility that the GINA password sending is not triggered instantly but only after delivery of the initial GINA message (when the recipient opens securemail.html).

 

[ ] Send SMS when GINA mail attachment was opened by recipient

By default, this option is inactive.

Activating this option activates the delayed SMS password sending.

Enabling this option means that the delayed password sending can only be triggered by including an SMS-enabled call number in the format [sms:...] in the email subject (see also Function Sequence point "2. a) I." and/or subject line keywords/(X) Headers)

 

Note:

If this option is deactivated, all GINA initial messages already sent up to this point in time remain unaffected. If the recipient opens the GINA initial message for the first time, the password SMS is triggered even with the option deactivated.

For all GINA initial messages sent after this point in time, the standard SMS process applies.

 

If the option is active and an attempt is made to deactivate the SMS password sending (see SMS passwords), one of the following options must be selected in the follow-up menu (?).

( ) Send all passwords that have not yet been delivered immediately.

( ) Do not use the option for the newly added passwords only. All passwords that have not yet been delivered remain unaffected by the activation.

 

The changes made are saved via the Save button.

 

 

Extended settings

 

General settings for the functions provided via the GINA web interface.

 

Parameters

Description

[x] Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

Default forward page

If the URL of the GINA page is to be opened without the "/web.app" suffix, a redirection to another page, for example the homepage of the company, can be added here.

If the redirection should nevertheless lead to the GINA portal, enter the URL as it is displayed above the input line.

Following the example from the section Secure GINA host, the following would be displayed:

Note: If you want to show the GINA login page by default, enter "https://securemail.mycompany.tld/customer1/web.app" (without the quotes)

 

Note:

If the entry remains empty, you will be forwarded to the manufacturer's homepage, if applicable.

 

Attention:

If under System Advanced view... GINA GUI a forwarding has already been set up, this setting is obsolete.

[ ] Always zip HTML attachments when encrypting e-mail with GINA technology

By default, this option is inactive.

The encrypted HTML attachment (if applicable, see also Customise the secure attachment file name:) of the GINA email is put into a zip file.

 

Note:

This is required for compatibility with older OWA versions. For individual emails, this function can also be controlled with the subject line keyword [zip].

 

Attention:

Activating this option partially removes the independence from the recipient's software that GINA emails otherwise provide, because software for unpacking the HTML file from the ZIP file must be available.

[x] Show "Send copy to myself" checkbox when writing GINA mails

(new in 14.0.0)

By default, this option is active.

In this case, the checkbox "Send copy to myself" is shown in the GINA GUI.

[ ] "Send copy to myself" checked by default when writing GINA mails

By default, this option is inactive.

Sets the checkmark for sending a copy to the sender, by default for emails written via the GINA interface.

This way the GINA user upon sending an email receives a copy of the GINA email and thus has a corresponding proof of dispatch.

[ ] Sender receives notification when recipient reads GINA mails

By default, this option is inactive.

The read confirmation when sending GINA emails is the default but can be changed individually for each user under Users USER 'USER@DOMAIN.TLD' User Data Notifications.

 

Note:

If a read confirmation was requested in the email client (disposition-notification-to header), the reliable GINA read confirmation is requested.

[x] Allow account self-registration in GINA portal without initial mail

By default, this option is active.

Allows users that call up the GINA portal (see example from section Secure GINA host "https://securemail.mycompany.tld/customer1/web.app") to register without initial GINA email.

This enables an external communication partner to start a secure email communication via the GINA portal on their own initiative. The prerequisite for this is that they know a valid email address within the email domain of the SEPPmail Secure E-Mail Gateway operator, or that an appropriate selection of recipients is given under Default recipients.

This is also connected to the activation of the option Allow GINA users to write new mails.

 

Note:

By extending the GINA URL

https://[default]Hostname/<Hostname>/web.app

(for instance https://securemail.msp.tld/customer1/web.app) by the parameter

?op=register

the self-registration page can be opened directly.

 

Note:

The self-registration process in itself does not yet create a GINA account! Instead, initially, an email is sent to the newly registered email address to verify it.

The confirmation link in this email is encrypted with a key that is unique for each gateway. This makes an abusive, manual creation of such a link impossible.

By clicking on the link, the data contained therein is transmitted to the SEPPmail Secure E-Mail Gateway. This data will only be decrypted after entering the password assigned during registration. This means that the GINA account will only be created after the correct input of the password, and the link contained in the email is therefore invalid.

 

Attention:

This option cannot be used in combination with an Event login!

 

[ ] Prevent associated managed domain accounts from registering in GINA portal

By default, this option is inactive.

If the option is activated, no user can use an email address from a Managed domain by self-registration to create a GINA account.

The creation of a GINA account by sending emails remains unaffected.

[ ] Allow account self-deletion in GINA portal:

By default, this option is inactive.

Allows GINA users to delete their own account via their "Profile settings" of the GINA interface.

 

Attention:

When GINA users delete their own profile, the GINA account and all keys/certificates which are allocated to them and which they can manage are removed.

Reading GINA mails still in the user's GINA account is no longer possible afterwards.

 

Certificate search and management in GINA: (drop-down)

This way, it is possible for the logged-in GINA user

to search the key material of internal SEPPmail Secure E-Mail Gateway users.

Note:

The search function is limited to key material that belongs to Users of the Managed domain that is allocated to the corresponding GINA Domain (see also GINA Domain).

 

to upload own key material via the GINA interface in order to receive S/MIME or OpenPGP-encrypted emails in the future instead of GINA-encrypted emails.

Note:

Which S/MIME certificates (quality) can be imported, if applicable, depends on the selection made under ADVANCED SETTINGS Advanced Settings Policies Refuse import of certificates with a signature algorithm using SHA-1 or lower.

Attention:

If the option Allow account self-registration in GINA portal without initial mail is active, the certificate management should be deactivated here for security reasons.

Disabled

Completely deactivates the key management and key search via the GINA interface.

Enabled

Default setting.

Activates the key management and key search via the GINA interface both for S/MIME and OpenPGP.

S/MIME only

Activates the key management and key search via the GINA interface for S/MIME exclusively.

OpenPGP only

Activates the key management and key search via the GINA interface for OpenPGP exclusively.

 

[x] Allow download of public domain keys/domain certificates

By default, this option is active.

Additionally, this enables the search of public domain keys of the Managed domains to which this GINA is allocated.

 

Note:

If desired, the display of individual domain keys may be suppressed, as described in the note under EDIT MANAGED DOMAIN S/MIME domain encryption.

 

Note:

Domain certificates that are generated automatically without setting up the appliance's internal CA are not offered for download. To obtain downloadable domain certificates that are to be used for encrypting to third-party systems, the appliance-internal CA must be configured (see also Domain certificates are not offered for download in GINA).

Note:

The functioning of these options requires a setting other than Disabled in the option Certificate search and management in GINA:

[x] Allow unregistered users to search public keys/certificates of internal users

By default, this option is active.

This allows anyone (without login) to conduct a key search via the GINA interface.

 

Note:

Since a key search via the GINA interface always requires the email address of the recipient to be entered, address harvesting is impossible.

[ ] Publish local CA certificate on the search page to allow recipients to perform S/MIME signature verification

By default, this option is inactive.

By activating this option, on the GINA search page a link for downloading a CA certificate appears between the input field for the email address and the search button, provided that the local CA has been set up.

 

[ ] Allow GINA users to write new mails

By default, this option is inactive.

Allows GINA users to send initial emails to recipients within the Managed domains to which this GINA is allocated.

Generally, this setting is required if Allow account self-registration in GINA portal without initial mail is active.

[ ] Do not allow GINA users to edit recipient when replying to e-mails

By default, this option is inactive.

Allows editing the recipient(s) when replying to GINA emails. The entered recipients, however, must all be within the Managed domains to which this GINA is allocated.

[ ] Only allow GINA users to write new emails to default recipients

By default, this option is inactive.

Allows addressing initial GINA messages (excluding replies) exclusively to Default recipients.

anchor link CheckBoxInactive Allow GINA users to reply to external recipients of GINA messages

By default, this option is inactive.

Allows GINA users to reply to all recipients of a GINA email, including external users, that is, those who do not belong to the Managed domains to which this GINA is allocated.

 

Note:

If this option has been selected and if the option Do not allow GINA users to edit recipient when replying to e-mails has been deactivated, only already existing recipients can be removed by the GINA user, but no additional users can be added.

 

anchor link SMTP sender address for sending to external recipients:

Since the emails are to be sent to external recipients with an existing email address within the Managed Domain of the original sender (keyword: SPF check), the sender address for the above-mentioned reply emails is to be entered here.

 

Note:

The email address specified here may receive system notifications, such as bounce or non-delivery report (NDR) emails.

anchor link CheckBoxInactive Allow messages to be downloaded as Outlook message (.msg) files

By default, this option is inactive.

Provides the recipient of a GINA email in the GINA interface with a button for downloading the email in msg format, that is, for Outlook. This enables the recipient to save the originally GINA-encrypted email in plain text in Outlook.

Attention:

If, after saving the message in plain text, a reply is sent via the "Reply" button in the email client, this is done in an unencrypted manner!

It is therefore recommended to proceed with caution when activating this option.

Note:

A download may also be possible in the case of LFT emails, but only the email itself is saved in this case, that means without attachments, in order to prevent risking the functionality of the email client with oversized attachments.

The downloaded file then contains a reference to the attached files.

anchor link CheckBoxInactive Allow messages to be downloaded as MIME (.eml) files

By default, this option is inactive.

Provides the recipient of a GINA email in the GINA interface with a button for downloading the email in eml format for import into an email client. This enables the recipient to save the originally GINA-encrypted email in plain text in their email client.

anchor link CheckBoxInactive Allow messages to be downloaded as PDF (.pdf) files

By default, this option is inactive.

Provides the recipient of a GINA email in the GINA interface with one button each for previewing and for downloading the email as a PDF file for archiving purposes.

A download may also be possible in the case of LFT emails, but only the email itself is saved as PDF in this case, that means without attachments.

 

Note:

For security reasons, embedded data, for example images, can only be added as attachments when generating the PDF file.

The capability of displaying the attachments separately depends on the PDF reader used.

anchor link CheckBoxInactive When encrypting email with GINA technology, use text-only mails

By default, this option is inactive.

Sends the GINA carrier email in text format instead of HTML format.

This may be necessary if a recipient does not allow the receipt of emails in HTML format.

anchor link CheckBoxInactive Extract user IP from proxy request header (use with care)

By default, this option is inactive.

When accessing the GINA portal, the headers X-Original-Remote-Addr and X-Forwarded-For are queried in this order. The content of the first header found is then accepted as the IP address of the accessing user and entered in the GINA log. In the case of X-Forwarded-For, this may be a list.

 

Note:

This function can be used so that, for instance, in a Cluster with upstream load balancer, the GINA log does not exclusively show the IP address of the load balancer as source IP for GINA accesses.

 

Attention:

This setting is not recommended for security reasons, as the correctness of the original header content cannot be guaranteed. If this option is active, a user could set the mentioned headers manually and thus manipulate the log entries and, if applicable, their evaluation.

To prevent this, an additional proxy system would be required in the user's own infrastructure, which could delete the false headers beforehand and then set them to the correct value. Additionally, it is to be ensured that the GINA portal can only be reached via this proxy.
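
The handling described in this Attention block, sketched as an added example (not SEPPmail code): the upstream proxy overwrites both headers, and the consumer honours them only when the connection comes from that proxy. The proxy range 10.0.0.0/24 and all function names are assumptions made for the illustration.

```python
import ipaddress

# Header names and lookup order as given on this page (compared in lower case).
PROXY_HEADERS = ("x-original-remote-addr", "x-forwarded-for")

# Assumption: the only systems allowed to connect to the GINA portal directly.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def _parse_ip(text):
    """Return an ip_address object, or None if text is not a plain IP address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def sanitize_at_edge(peer_ip, client_headers):
    """Upstream proxy: discard client-supplied copies of both headers and set
    them from the TCP peer address the proxy itself observed."""
    cleaned = {name: value for name, value in client_headers.items()
               if name.lower() not in PROXY_HEADERS}
    cleaned["X-Original-Remote-Addr"] = peer_ip
    cleaned["X-Forwarded-For"] = peer_ip
    return cleaned


def resolve_client_ip(peer_ip, headers):
    """Return (address_to_log, source). Headers are honoured only when the
    connection itself comes from a trusted proxy."""
    peer = _parse_ip(peer_ip)
    lowered = {name.lower(): value for name, value in headers.items()}
    if peer is None or not _is_trusted(peer):
        # Direct connection: both headers are client-controlled input.
        seen = any(name in lowered for name in PROXY_HEADERS)
        return peer_ip, "peer (headers ignored)" if seen else "peer"
    for name in PROXY_HEADERS:
        if name not in lowered:
            continue
        # X-Forwarded-For may be a list. Entries are appended hop by hop, so
        # read from the right and stop at the first address that is not one
        # of our own proxies; anything further left is unverified.
        for part in reversed(lowered[name].split(",")):
            ip = _parse_ip(part)
            if ip is None:
                return peer_ip, "peer (malformed header)"
            if not _is_trusted(ip):
                return str(ip), name
        break  # the first header found listed only our own proxies
    return peer_ip, "peer"


if __name__ == "__main__":
    # Constructed sample: a client sends a forged header through the proxy.
    forged = {"X-Forwarded-For": "192.0.2.1", "User-Agent": "demo"}
    forwarded = sanitize_at_edge("198.51.100.23", forged)
    print(resolve_client_ip("10.0.0.5", forwarded))
    # The same forged header on a direct connection is ignored.
    print(resolve_client_ip("203.0.113.7", forged))
```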

anchor link CheckBoxInactive Do not add the clients user agent to the session protector originator

(new in 12.1)

By default, this option is inactive.

Activating this option suppresses the appending of the "User Agent" of the client for the identifier of the respective GINA session.

 

Note:

On mobile devices, especially iOS, the "User Agent" sometimes changes.

As a result, requests from the client – that means indirectly the GINA user – could no longer be correctly allocated after a change of the "User Agent". Consequently, the communication breaks off.

anchor link CheckBoxInactive Do not regenerate session id after successful login

(new in 12.1.9)

By default, this option is inactive.

Especially older browsers cause a so-called double post when logging on to GINA. In such cases, affected GINA recipients receive an error upon login.

The authentication was successful, but due to technical problems the login failed.

To counteract this browser problem, session rotation can be deactivated with this option.

 

Note:

This option has to be activated in a DNS Round Robin scenario, as the GINA frontend requires session persistence.

 

Attention:

When activating this option, an attacker would theoretically be able to perform a session hijacking.

For this, however, they would need to:

- be in possession of the session id (and its token) before the actual login.
- meet additional requirements.
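
The trade-offs behind the two session options above, as an added model (not SEPPmail code): a toy session table with switches for user-agent binding and for session id rotation at login. The originator being "client IP plus User-Agent", and every class and function name, are assumptions made for the illustration.

```python
import hashlib
import secrets

# Constructed sample client data.
IP = "198.51.100.23"
UA = "ExampleBrowser/17.0"
UA_AFTER_UPDATE = "ExampleBrowser/17.1"


class SessionStore:
    """Toy server-side session table."""

    def __init__(self, bind_user_agent=True, rotate_on_login=True):
        self.bind_user_agent = bind_user_agent
        self.rotate_on_login = rotate_on_login
        self._sessions = {}  # session id -> {"origin": str, "user": str or None}

    def _origin(self, ip, user_agent):
        # Assumption: the originator is the client IP, plus the User-Agent
        # unless user-agent binding is switched off.
        parts = [ip] + ([user_agent] if self.bind_user_agent else [])
        return hashlib.sha256("\n".join(parts).encode()).hexdigest()

    def _get(self, sid, ip, user_agent):
        entry = self._sessions.get(sid)
        if entry is None or entry["origin"] != self._origin(ip, user_agent):
            return None
        return entry

    def open(self, ip, user_agent):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"origin": self._origin(ip, user_agent), "user": None}
        return sid

    def login(self, sid, ip, user_agent, user):
        """Authenticate the session. Returns the id to use from now on, or
        None if the presented id is unknown or from another originator."""
        entry = self._get(sid, ip, user_agent)
        if entry is None:
            return None
        entry["user"] = user
        if not self.rotate_on_login:
            return sid
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = self._sessions.pop(sid)  # old id dies here
        return new_sid

    def whoami(self, sid, ip, user_agent):
        entry = self._get(sid, ip, user_agent)
        return entry["user"] if entry else None


def double_post(store):
    """Browser submits the login form twice with the same pre-login id."""
    sid = store.open(IP, UA)
    first = store.login(sid, IP, UA, "alice")
    second = store.login(sid, IP, UA, "alice")
    return first is not None, second is not None


def pre_login_id_still_valid(store):
    """Does an id issued before login identify the user after login?
    (The originator check still applies to whoever presents it.)"""
    sid = store.open(IP, UA)
    store.login(sid, IP, UA, "alice")
    return store.whoami(sid, IP, UA) == "alice"


def survives_user_agent_change(store):
    """Does the session survive when the client's User-Agent string changes?"""
    sid = store.open(IP, UA)
    sid = store.login(sid, IP, UA, "alice")
    return store.whoami(sid, IP, UA_AFTER_UPDATE) == "alice"
```

With rotation on, the second of two identical login posts fails because the id it carries was retired by the first; with rotation off, both succeed, but the id issued before login stays valid afterwards.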

anchor link CheckBoxInactive Use the new api.app instead of the old web.app.

(new in 13.1.0)

By default, this option is inactive.

Activates the new GINA interface. Be careful with this setting because the api.app is still under development.

When saved, certain sections are deactivated in the GINA domain settings (with the note "Disabled because [Extented Settings] > [use new api.app] is enabled. See [New Webapp settings] instead."). All these settings can then be found in the new section "New Webapp settings".

 

anchor link Force sending of GINA e-mails from this address:

If an email address is entered here, it will always be used as the sender address for GINA carrier, password and read confirmation emails. In the email text of the carrier email, the original sender is given.

You have received an encrypted email from <original sender>.

Subject: <original subject line>

 

If the email address specified here exists as a user (see Users) with valid S/MIME key material, the GINA carrier, password and read confirmation emails are additionally signed.

 

Note:

The sender address specified here must come from a Managed domain to which the corresponding GINA domain is allocated (see table Mail System Managed Domains). Additionally, the address should exist as a user on the appliance, ideally with a valid S/MIME certificate (see Users User details S/MIME), so that GINA carrier, password and read confirmation emails can be signed. The address should also exist on the groupware server so that any direct replies which were mistakenly not created via the GINA interface can be accepted, if applicable.

 

In the case of GINA-only licences, the activation of a signature licence per GINA domain must be applied for via the support (support@seppmail.ch).

anchor link Customise the secure attachment file name:

By default, the name of the HTML container which contains the actual email in a GINA carrier email is secure-email.html. If an alternative name is to be used instead (for instance some-secure-email.html), it is to be entered in the input field of this option without the file extension (that is, html); for the example given, this would be some-secure-email.

 

Note:

Due to the different handling of special characters of the various email clients, there may be deviations from the file name entered here. For example, umlauts could be replaced by the equivalent vowels. In the most unfavourable case a new, abstract, dynamic name could be created by the email client!

 

The changes made are saved via the Save button.

 

anchor link New Webapp settings

(new in 13.1.0)

 

Only available if the new GINA web interface is activated.

Contains the specific collection of parameters for the web interface (which are deactivated in the other sections of the old interface).

 

 

anchor link Section Storage Settings

(new in 14.0.0)

 

Storage settings for S3.

 

If the option Use global S3 storage configuration is selected, the overall settings apply, see Storage Settings.

 

Otherwise, independent settings can be made for the domain.

 

 

anchor link Server side caching

(new in 13.0)

 

The GINA cache mode enables caching of the encrypted secure attachment "secure-email.html" on the server.

 

Parameters

Description

anchor link CheckBoxInactive Use server side caching for GINA mails

By default, this option is inactive. It can only be used with an active LFT device.

Activating this option caches the encrypted secure attachment "secure-email.html" on the server.

 

Note:

The encrypted secure attachment "secure-email.html" is attached to the GINA email even with active cache. Example link as it could be found in the email:

https://seppmail-vm/api.app?uilang=d&read=RKxsjUyvKtlmkWnVmojsJnfRilyCtNSMJBnOhjWOWYcfvmsm

 

The server-side cache contains the secure attachment as attached to the email. It is also additionally encrypted. The key for this is only contained in the cache link and not stored anywhere else. Without this link, the server-side cache cannot be read.

 


anchor link Days after cache entry can be deleted

Number of days after which cache entries may be deleted manually. The default is 30 days.

 

Note that the cleanCache script runs every hour and deletes all mails older than this setting, so usually nothing needs to be done manually. However, the actually applied setting depends on the setting per GINA domain.

 

If the space is not enough, the oldest mails will be deleted automatically. In this case, the cache link in the GINA email will no longer work.

 

anchor link Used storage type

Possible options are local or - if available - network drive (S3).

 

anchor link x files using x MB from cache. x mails are expired.

Information about the file number and data volume in the cache, as well as the number of emails older than the limit given under Days after cache entry can be deleted.

With the button Cleaning cache to default values the cache can be deleted manually.

 

The changes made are saved via the Save button.

 

 

anchor link Default recipients

 

Used to pre-fill the "TO" field via a selection menu when the option Extended settings Allow GINA users to write new mails is active.

 

Parameters

Description

anchor link CheckBoxActive Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

Default e-mail addresses within a managed domain and their display text in the GINA e-mail composition form:

 

Email: Email address of the user to be selected. In the selection, this address is not visible to the GINA user! The address specified here must come from a Managed domain to which this GINA domain is allocated.

Displayed name: Name as offered to the GINA user for selection.

Remove (checkbox): Placing a checkmark and subsequently saving removes the corresponding entry.

 

 

Note:

When creating a new GINA message, only one recipient can be selected.

 

The changes made are saved via the Save button. After saving an entry, another input field is displayed.

 

Note:

If, for example, a link with one or more predefined recipients shall be placed on a website, this can be done by extending the GINA URL

https://[default]Hostname/<Hostname>/web.app

for instance

https://securemail.msp.tld/customer1/web.app

by the parameter

?rcpt=

Here, the recipients must first be entered separated by means of a semicolon ";" and then be encoded in Base64 (see www.base64encode.org).

Entering Default recipients is not required in this context.

This method is only applicable to already registered GINA users.

 

Example:

Fixed defined recipients

info@customer1.tld;sales@customer1.tld

encoded via www.base64encode.org

aW5mb0BjdXN0b21lcjEudGxkO3NhbGVzQGN1c3RvbWVyMS50bGQ=

resulting link of the above-mentioned example:

https://securemail.msp.tld/customer1/web.app?rcpt=aW5mb0BjdXN0b21lcjEudGxkO3NhbGVzQGN1c3RvbWVyMS50bGQ=

 

Similarly, the subject line can be pre-defined in the same way by means of the parameter

?subject=

 

The language of the GINA interface may also be defined in advance for the query by means of

?lang=

where the respective identifier of the language - for example "e" for English - is to be placed behind the =.

 

If several arguments are to be entered, they are to be connected by means of "&".

 

Extended example:

Subject line to be provided

Betreff

encoded via www.base64encode.org

QmV0cmVmZg==

resulting overall link from both examples in connection with the language specified as English

https://securemail.msp.tld/customer1/web.app?lang=e&rcpt=aW5mb0BjdXN0b21lcjEudGxkO3NhbGVzQGN1c3RvbWVyMS50bGQ=&subject=QmV0cmVmZg==
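
The link format from this note, as an added example (not SEPPmail code): a builder that reproduces the link above, plus a decoder for reviewing what a published link pre-fills, since Base64 is an encoding and anyone can read the recipients back out. Function names and the percent-encoding of "+" are assumptions of this sketch.

```python
import base64
import binascii
from urllib.parse import quote, unquote, urlsplit


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def _unb64(value):
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("parameter is not valid Base64 text") from exc


def build_gina_link(base_url, recipients=(), subject=None, lang=None):
    """Build the link with the arguments in the order used on this page:
    lang, rcpt, subject, joined by "&"."""
    params = []
    if lang:
        params.append("lang=" + quote(lang, safe=""))
    if recipients:
        # Recipients are joined with ";" first and then encoded as one value.
        # "+" in Base64 output is percent-encoded because "+" in a query
        # string is commonly read as a space (assumption: the portal
        # percent-decodes query values like any web application).
        params.append("rcpt=" + quote(_b64(";".join(recipients)), safe="=/"))
    if subject:
        params.append("subject=" + quote(_b64(subject), safe="=/"))
    return base_url + ("?" + "&".join(params) if params else "")


def decode_gina_link(url):
    """Return what a link pre-fills: keys 'lang', 'rcpt' (list), 'subject'."""
    result = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")  # split at the first "=" only,
        value = unquote(value)               # so Base64 padding survives
        if key == "rcpt":
            result[key] = [r for r in _unb64(value).split(";") if r]
        elif key == "subject":
            result[key] = _unb64(value)
        elif key == "lang":
            result[key] = value
    return result


def recipients_outside(url, managed_domains):
    """List pre-filled recipients whose domain is not in managed_domains
    (a review step before a link is published; the domain list is supplied
    by the caller)."""
    allowed = {d.lower() for d in managed_domains}
    return [r for r in decode_gina_link(url).get("rcpt", [])
            if r.rpartition("@")[2].lower() not in allowed]


if __name__ == "__main__":
    link = build_gina_link("https://securemail.msp.tld/customer1/web.app",
                           ["info@customer1.tld", "sales@customer1.tld"],
                           subject="Betreff", lang="e")
    print(link)
    print(decode_gina_link(link))
```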

 

 

anchor link Large File Transfer

 

Settings for the Large File Transfer. This option is only available if Large File Transfer (LFT) has been licensed and activated.

 

Note:

If one of the criteria is indicated for the delivery as LFT message but no corresponding licence is available, the message is sent as a "normal" email.

 

Attention:

After the activation of LFT, the ruleset must be generated again (see Mail Processing Ruleset generator Save and create ruleset).

Parameters

Description

anchor link CheckBoxActive Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

anchor link Outgoing policy

 

anchor link The mode used for outgoing messages DropDown

Selection of the default LFT procedure for outgoing messages (towards the Internet).


anchor link Off

Default setting.

Deactivates the function.

anchor link Plain

Displays the LFT email in the GINA portal immediately and without entering a password, simply by opening the HTML attachment.

 

Note:

Plain LFT cannot be replied to since, in this case, no "true" GINA recipient account is generated. Similarly, no GINA read confirmation is issued in this mode.

Note:

The standard procedure selected here can be overridden at any time by the triggers defined in the Ruleset generator.

Do not touch mails with the following text in subject

Always encrypt mails with the following text in subject

Always encrypt mails with Outlook "confidential" flag set

Always use GINA technology for mails with the following text in subject

Always use GINA technology for mails with Outlook "private" flag set

Do not encrypt outgoing mails with the following text in subject

and/or the analogue x-headers (see Controlling The Appliance).

anchor link Secure

When selecting this option, the recipient of an LFT email must run through the GINA registration process to be able to read the LFT email.

anchor link Size (in KB) above which outgoing messages are treated as large files

By default, this value is set to 10000.

Specifies the limit - in KB - upon the exceedance of which an email to be sent to the Internet is treated as an LFT email. Here, it is to be observed that email attachments grow to approximately / ­­­3 of the original size.

 

Note:

Overriding is possible by using the options available under Mail Processing Ruleset generator Large files.

If LFT is to be controlled via trigger (see above and/or Controlling The Appliance) exclusively, a correspondingly high threshold value is to be selected (e.g. 9999999999) so that it can never be reached.

anchor link Maximum size (in KB) for large files of outgoing messages (set to 0 for no limit, but will not exceed xxxxxx KB)

By default, this value is set to 0.

Defines a maximum size for LFT files.

If "0" (zero) is entered here, no limit is set. However, a natural limit results from the size of the LFT partition. A maximum of one quarter of the disk size can be used per LFT email. This limit would then also be displayed in the GINA interface as "maximum size of the attachments".

If, when delivering an oversized email per SMTP, the limit is exceeded, the message is rejected with the notification "523 5.3.4 - Message too large (LFT)".

In the GINA interface, an additional notification is displayed: "Maximum size of message exceeded (xxxx.x MB)"

 

Note: This value must be greater than the one specified under Size (in KB) above which outgoing messages are treated as large files!

anchor link Incoming policy

 

Note:

Generally, GINA accounts are capable of transferring larger data volumes to internal recipients via the Large File Transfer. Here, the internal recipients are assigned a Large File Transfer (LFT) licence.

 

For this reason, special attention is to be paid to some settings.

For instance, Maximum size (in KB) for large files of incoming messages (set to 0 for no limit, but will not exceed xxxxxx KB) should be handled more restrictively than in the Outgoing policy. If no limit is defined here, a GINA account may occupy the entire memory for the period set in the retention policy with only four messages.

Similarly, the Extended settings are to be monitored in this respect, to prevent one GINA account from possibly occupying all LFT licences for, in the worst case, 30 days due to addressing an LFT message with a large number of recipients.

If Allow account self-registration in GINA portal without initial mail is active, this enables every potential communication partner to register and subsequently send large files to any internal recipient.
 

If the above-mentioned option is inactive, additionally deactivating the option Allow GINA users to write new e-mails (not reply) can prevent GINA accounts from creating initial large messages.
 

The internal addressees of a large message can also be restricted by activating Do not allow GINA users to edit recipient when replying to e-mails and/or Only allow GINA users to write new e-mails to default recipients.
 

The deactivation of Allow GINA users to reply to external recipients of GINA messages ("Reply All") provides another restriction option in this respect.


anchor link The mode used for incoming messages DropDown

Selection of the default LFT procedure for incoming messages.

 

Note:

LFT for incoming messages works exclusively via the GINA technology.

Incoming SMTP emails remain unaffected.
 

 

Attention:

If no LFT licence is free or available for the internal recipient of an incoming LFT message, the internal email system may reject this message due to a size restriction as it will be sent as a "normal" email. In this case, it is to be ensured that any bounce email consequentially generated by the system reaches the sender.

This is particularly relevant if the SEPPmail Secure E-Mail Gateway is operated as a standalone solution for LFT.


anchor link Off

Default setting.

Deactivates the function.

anchor link Plain

Displays the LFT email in the GINA portal immediately and without entering a password, simply by opening the HTML attachment.

 

Note:

Since the internal email path from the SEPPmail Secure E-Mail Gateway to the email client must already be secured and any replies to LFT emails from internal recipients are generally not required, this setting is sufficient under normal circumstances.

 

Note:

If an LFT message from an internal sender (that is, from one of the Managed Domains) to an internal recipient is sent directly via the GINA interface and this message does not exceed the threshold set under Size (in KB) above which outgoing messages are treated as large files, this message would be received as a GINA message. This means that the recipient would be asked to enter their password despite the "Plain" setting.

anchor link Secure

When selecting this option, the recipient of an LFT email must run through the GINA registration process to be able to read the LFT email.

 

Note:

The login process for internal users may be significantly simplified with the option EDIT MANAGED DOMAIN External authentication.

anchor link Size (in KB) above which outgoing messages are treated as large files

By default, this value is set to 10000.

Indicates the threshold - in KB - after which an incoming GINA message is treated as an LFT email.

anchor link Maximum size (in KB) for large files of incoming messages (set to 0 for no limit, but will not exceed xxxxxx KB)

By default, this value is set to 0.

Defines a maximum size for LFT files.

If "0" (zero) is entered here, no limit is set. However, a natural limit results from the size of the LFT partition. A maximum of one quarter of the disk size can be used per LFT email. This limit would then also be displayed in the GINA interface as "maximum size of the attachments".

If, when delivering an oversized email per SMTP, the limit is exceeded, the message is rejected with the notification "Maximum size of message exceeded (xxxx.x MB)" in the GINA interface.

 

Note: This value must be greater than the one specified under Size (in KB) above which outgoing messages are treated as large files!

anchor link Retention policy

 

anchor link How long (in days) to store large files (set to 0 for no limit. Make sure you have enough storage space, else messages will be dropped)

By default, this value is set to 7.

Retention time - in days - of LFT emails on the SEPPmail Secure E-Mail Gateway. The recipient is notified of the expiration date in the subject line of the GINA notification email. The setting "0" (zero) means that LFT emails are never deleted.

If there is not enough memory available on the system, LFT emails are bounced.

 

Note:

If the LFT email has not been read by the recipient, the sender will be notified at least 24 (and at most 48) hours prior to expiry.


anchor link CheckBoxInactive Archive Large File Messages on external server

By default, this option is inactive.

Archives all LFT emails - whether incoming or outgoing - once per hour. Here, in the specified directory (see Path on server), a separate directory is created for each message; the name of this directory, among others, includes the message ID of the message as well as the device ID of the appliance from which the LFT email has been sent. This directory is used to save the attachments with their original file name, as well as the mail text (body) as the file "messagebody.eml".

Files that cannot be transferred to the specified destination remain in a separate export area on the appliance for the time being. If the transfer of a file takes longer than six hours, a watchdog message is sent to the postmaster (see Mail System SMTP Settings) and repeated every six hours. If the affected file could not be transferred within 24 hours, it will be deleted.

The log entries of the archiving can be found in the "maillog" (see Logs Show other logs... OTHER LOGS Mail log archive Download complete log).


anchor link Via the

Indication of the IP address or the name under which the archive server can be reached.

Indication of the communication port to be used for the connection to the archive server. The default SCP/SFTP port is 22.

anchor link Protocol DropDown

The desired network protocol for transmission can be selected via the selection menu.


anchor link SCP

Default setting.

anchor link SFTP


anchor link User name

Input of a correspondingly authorised user for writing the archives to the archive server.

anchor link Key

Via the Download gateway public key function, the public key of the appliance can be downloaded for the encrypted communication with the archive server. This key must be added to the list of authorised public keys on the archive server. On Unix-based systems, this list can normally be found in the home directory of the corresponding user (see SCP user name) under ~/.ssh/authorized_keys.

anchor link Path on server

At this point, the path on the archive server is specified, under which the LFT archiving is to store files.

If the path is specified with a leading slash "/", an absolute path is used. If no leading slash is specified, the path is created relatively in the home directory of the corresponding user (see SCP user name).

The following variables are available for specifying the path:

%e

Email address of the sender of the LFT email

%y

current year

%m

current month

%d

current day

%i

Device ID of the appliance used to process the LFT email

 

Attention:

All sizes are given in kilobytes (please also refer to http://de.wikipedia.org/wiki/Byte)!

The changes made are saved via the Save button.

 

 

anchor link SOAP

 

Alternatively, emails from third-party systems can be delivered to the SEPPmail Secure E-Mail Gateway via SOAP interface for encryption.

 

Parameters

Description

anchor link CheckBoxActive Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

anchor link CheckBoxInactive Enable SOAP Handler

By default, this option is inactive.

XML data received via the SOAP access point /WebCrypt.Core/services/Service is processed as MIME messages by the script webcrypt.app and processed directly by the rule engine. The result is sent back to the SOAP consumer as XML data via HTTP. No mail is sent, with the exception of any generated password mails or bounces. 

anchor link CheckBoxInactive Deliver messages received via SOAP directly via SMTP

By default, this option is inactive.

Changes the behaviour of the rule engine described above. The email transferred via XML is delivered directly via SMTP after encryption. The delivery status is sent back to the SOAP consumer as an XML message via HTTP.

 

Note:

Since it is no longer possible to distinguish between successful and unsuccessful deliveries with multiple recipients, the interface ensures that only one recipient was specified for each SOAP message.

 

The changes made are saved via the Save button.

 

 

anchor link Terms of use

 

Settings regarding general terms of use.

 

Parameters

Description

anchor link CheckBoxActive Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

anchor link CheckBoxInactive Require new users to accept terms of use

By default, this option is inactive.

Displays an additional checkbox for accepting the general terms of use in the GINA registration menu.

 

anchor link Terms of use URL

Input of the URL to the general terms of use of the GINA, for example https://www.mycompany.tld/agb/GINA.

 

The changes made are saved via the Save button.

 

 

anchor link Language Settings

 

Language settings of the GINA domain and its notifications.

 

Parameters

Description

anchor link CheckBoxActive Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

anchor link Default language:

English is the pre-selected default language.

The selection menu is used to select the default language for the respective GINA interface.

If, under Available Languages, no language is marked as Enabled, the GINA interface (registration, welcome and profile page as well as in the local secure attachment (secure-email.html)) will not display a drop-down menu for selecting the language. In this case, only the language selected here is available.

If one or more languages were marked under Available Languages as Enabled, the Default language must correspond to one of these selected languages.

anchor link Available languages:

When selecting the languages, it is to be considered that each additional language increases the length of the initial(!) GINA carrier email as well as of the password email.


Language

Enabled

With the button edit, the EDIT TRANSLATIONS FOR LANGUAGE submenu of the corresponding language is opened, via which the texts of all GINA components can be individually adapted.

With the button Reset, any changes made to the language file can be reset.

This button is only active if the language settings have been changed via Edit Translations.

With the button download, the respective language file can be downloaded. If it is subsequently adapted, it can be uploaded again via the [default] GINA settings.

anchor link German (d)

CheckBoxInactive

By default, the first five languages are active.

 

Activates or deactivates the respective language.

anchor link English (e)

anchor link French (f)

anchor link Italian (i)

anchor link Spanish (s)

anchor link Czech (c)

anchor link Dutch (n)

anchor link Polish (p)

anchor link Russian (r)

 

If the [default] GINA domain is edited, additional languages can be added via the Add new button. The easiest way to create a new language file is downloading an already existing file via the Download button (see table above), translating it and then uploading it again via the Add new button.

 

The changes made are saved via the Save button.

 

Note:

Only the initial GINA notification email - if configured - is multilingual. Each additional GINA notification email will only be sent in the language selected during the registration process.

However, the more languages are activated, the longer the initial GINA notification and password emails.

Therefore, the following principle should apply:

As many as necessary, as few as possible.

 

Note:

By extending the GINA URL

https://[default]Hostname/<Hostname>/web.app

for instance

https://securemail.msp.tld/customer1/web.app

by the parameter

?lang=e

GINA is opened in the defined language, here English.

 

 

anchor link Account login

 

In this section the password criteria as well as the options for resetting GINA passwords are specified.

 

Parameters

Description

anchor link CheckBoxActive Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

anchor link Choose how the user can retrieve lost passwords

Selection of password reset options for the GINA user.

 

anchor link default

Default setting

This corresponds to the option "Reset by hotline".

anchor link Reset by email verification

The GINA user must answer their security question in order to continue with the reset process.

The user is then prompted to enter a new password and verify it.

The user will then receive an email with a link. The newly assigned password only becomes valid when this link is activated.

 


anchor link Attention:

Since this variant is based solely on email, security is restricted to a certain extent. For this reason, SEPPmail does not recommend this variant.

anchor link Reset by email verification, no reminder question/answer

The GINA user is prompted to enter a new password and verify it without a security question.

The user will then receive an email with a link. The newly assigned password only becomes valid when this link is activated.

However, this only works if the GINA portal is opened via a GINA email, that is, not by merely logging in.

 


anchor link Attention:

The fact that this version is based on email alone means that security is impaired to a certain extent (see above).

In addition, the access of an attacker to the inbox of a GINA user is sufficient to be able to reset the password. A second verification factor, that is the answer to a security question, is not required. This means a further impairment of security.

For this reason, SEPPmail does not recommend this variant.

anchor link Reset by hotline

This is the default setting.

The GINA user must answer their security question in order to continue with the reset process.

The user is prompted to enter a phone number for the helpdesk to call them back.

The hotline or the original sender (see Admin) receives an email with the new password and the callback number of the GINA user.

The GINA user is given their new password by the recipient of the password email.

anchor link Reset by hotline, no reminder question/answer

The GINA user is prompted to enter a telephone number for the callback by the hotline without a security question.

However, this only works if the GINA portal is opened via a GINA email, that is, not by merely logging in.

The hotline or the original sender (see Admin) receives an email with the new password and the callback number of the GINA user.

The GINA user is given their new password by the recipient of the password email (hotline / original sender).

 


anchor link Note:

The problem with this setting is that the person performing the reset (hotline / original sender) would theoretically have to verify the identity of the GINA user again; otherwise, an attacker could request a password simply by possessing a GINA email.

anchor link Reset by SMS

This setting requires the integration of an SMS service (see GINA Domains SMS passwords).

The user must answer their security question in order to continue with the reset process.

The GINA user will see the mobile phone number they entered during registration to which their new password will be sent upon clicking on the "Send" button.

If no mobile phone number was entered during registration, Reset by hotline applies.

anchor link Reset by SMS, no reminder question/answer

This setting requires the integration of an SMS service (see GINA Domains SMS passwords).

During registration, the GINA user is required to enter a mobile phone number for the SMS reset.

The GINA user will see the mobile phone number they entered during registration, to which their new password will be sent upon clicking on the "Send" button.

However, this only works if the GINA portal is opened via a GINA email, that is, not by merely logging in.

If no mobile phone number was entered during registration, Reset by hotline applies.

anchor link Let user choose between hotline and SMS

The user must answer their security question in order to continue with the reset process.

If a mobile phone number for the SMS reset was entered during registration, a selection appears in which the user can choose between their mobile phone number (for SMS reset) and a telephone number to be entered (the mobile phone number is pre-entered) for the helpdesk callback.

If no mobile phone number is available, the user is prompted to enter a phone number for the helpdesk to call them back.

anchor link Let user choose between hotline and SMS, no reminder question/answer

(new in 12.0)

If a mobile phone number for the SMS reset was entered during registration, a selection appears in which the user can choose between their mobile phone number (for SMS reset) and a telephone number to be entered (the mobile phone number is pre-entered) for the helpdesk callback.

However, this only works if the GINA portal is opened via a GINA email, that is, not by merely logging in.

If no mobile phone number is available, the user is prompted to enter a phone number for the helpdesk to call them back.

anchor link Disable user profile and password management

This setting prevents the creation of a profile. Resetting the password is not possible. The registration at the GINA interface is only possible by opening a GINA attachment (secure-email.html).
Generally, these settings are only used with automatically generated GINA accounts.

anchor link Minimum password length:

By default, "min. 8 characters" is pre-selected.

Specifies the minimum password length. Possible values are between 4 and 16.


 

anchor link Note:

The password criteria entered here define the required minimum security level; they do not necessarily guarantee good entropy. For this reason, the password quality display in the GINA interface is loosely based on the characters actually used and represents a security recommendation that goes beyond these criteria.

anchor link CheckBoxInactive Must contain at least one lower-case letter

By default, this option is inactive.

The password must contain at least one lower-case letter.

anchor link CheckBoxInactive Must contain at least one upper-case letter

By default, this option is inactive.

The password must contain at least one upper-case letter.

anchor link CheckBoxInactive Must contain at least one number

By default, this option is inactive.

The password must contain at least one number.

anchor link CheckBoxInactive Must contain at least one special character

By default, this option is inactive.

The password must contain at least one special character.

anchor link CheckBoxInactive Must not contain own name or email address

By default, this option is inactive.

The password must not contain the user's own email address.

anchor link CheckBoxInactive Must be different from previous Input password(s)

This option is inactive by default and pre-set to 4.

The password must be different from the last n passwords.

Possible values are between 1 and 28.

anchor link CheckBoxInactive Must be changed at least every Input days

This option is inactive by default and pre-set to 90.

The password must be changed after n days.

Possible values are 30, 60, 90, 120.

anchor link Accounts are locked for Input minutes after Input failed login attempts

By default, the lock time is set to 60 minutes and the number of failed attempts to 5.

Specifies the duration in minutes for which a GINA user is blocked after they have reached the defined number of failed login attempts.

 


anchor link Note:

Predefined security questions for selection can be used in the respective language files (see Edit translation file), for example:

msgid        "question_preset1"

msgstr        "What are the last 5 digits of your passport number?"

 

In general, the following rules apply to security questions (including those created by the user):

The question must not contain the answer.

The answer must not contain the email or the name.

The answer must not contain any part of the name or the email address that is longer than two characters, for example the first or last name, the domain name of the email address, or parts of its local component.
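The rules above can be checked mechanically. The following is an added example, not SEPPmail code: the function names are hypothetical, and case-insensitive matching and splitting the name on whitespace and hyphens are assumptions.

```python
import re

MIN_SHARED = 3  # "larger than two characters" means fragments of 3+ characters


def _norm(text):
    # Assumption: comparisons ignore case and surrounding whitespace.
    return text.casefold().strip()


def shared_fragment(answer, source, n=MIN_SHARED):
    """Return the first n-character fragment of source found in answer, or None."""
    a, s = _norm(answer), _norm(source)
    for i in range(len(s) - n + 1):
        if s[i:i + n] in a:
            return s[i:i + n]
    return None


def check_security_answer(question, answer, name, email):
    """Return a list of rule violations; an empty list means the answer is acceptable."""
    a = _norm(answer)
    if not a:
        return ["answer is empty"]
    problems = []
    if a in _norm(question):
        problems.append("question contains the answer")
    # Each name part (first name, last name) is tested on its own so that a
    # fragment never spans the gap between two parts.
    for part in re.split(r"[\s\-]+", name):
        frag = shared_fragment(answer, part)
        if frag:
            problems.append(f"answer shares '{frag}' with the name")
            break
    # Local component and domain are tested separately, as the rule names both.
    local, _, domain = email.partition("@")
    for label, part in (("local part", local), ("domain", domain)):
        frag = shared_fragment(answer, part)
        if frag:
            problems.append(f"answer shares '{frag}' with the email {label}")
    return problems


# Constructed sample user, not taken from the page.
SAMPLE = ("Maria Keller", "m.keller@example.com")
```

Read literally, the third rule is strict: for the constructed user above, an answer such as "Complex" is rejected because it shares three characters with the domain name.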

 

The selected password reset procedure impacts the degree of detail of the registration process (please also refer to Recipient – Login and one-time registration).

 

The changes made are saved via the Save button.

 

 

anchor link Event login

 

In this section, login and registration procedures deviating from the standard Account login can be set up.

 


anchor link Note:

All "Event" procedures are based on the fact that an initial email has been received. This is the only way to generate a suitable, valid password.

The setting Extended settings Allow account self registration in GINA portal without initial mail can thus not be used in connection with the "Event" procedures.

 

Parameters

Description

anchor link CheckBoxActive Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

anchor link Password event:


anchor link Attention:

Modifying the password event for an already existing GINA domain may have undesired consequences for existing GINA accounts.

This setting should therefore not be modified after the initial creation of the GINA domain if possible.

 

In

non-client capable systems with several GINA domains

client-capable systems, with one client with several GINA domains,

differently set up procedures may also lead to undesired behaviour.

 

anchor link No password event

This is the default setting.

With this setting, the Account login is active. All other settings deactivate the Account login.

anchor link Unique email password

Activating this option generally activates GINA version 4 (see GINA Webmail Different Registration Types).

For each GINA email, a separate email password is created which is only valid for this one GINA email. This is communicated to the sender via the known password email, which also contains the date and subject of the email originally sent to the recipient. This ensures that the sender can easily assign the password email to the GINA email sent.

 


anchor link Note:

The registration process is completely omitted with this version.

For technical reasons, however, a GINA account is also created automatically if it does not exist yet.

The password behaviour remains unaffected.

anchor link One-time password via SMS only

Activating this option generally activates GINA version 3 (see GINA Webmail Different Registration Types).

Here, a phone number of the recipient, which is capable of receiving SMS, is mandatory.

The registration of the GINA user is still necessary since the SMS phone number still needs to be confirmed. The initial password is also subject to the settings under Initial password Password length.

 

Unless the GINA user has already received an initial password from the sender via SMS, they need to enter their mobile phone number during the registration process.

anchor link One-time password via SMS (account password available)

Same as One-time password via SMS only, with the exception that an account is created here in addition.

The GINA user can thus use both the password sent via email as well as their Account login password. They are thus able to independently change their mobile phone number for receiving SMS messages.

anchor link Password strength:

By default, the value 8 is preselected.

The password length indicated here refers to the password generated by the appliance for the configured Password event.

Possible values are between 5 and 16.

 

The changes made are saved via the Save button.

 

 

anchor link Certificate Login

 

Enables the login at the GINA portal by means of a client certificate. For this purpose, the root certificate of the CA issuing the login certificates must be entered in the input field.

 

Parameters

Description

anchor link CheckBoxActive Use settings from master template

This option only appears if a domain other than the [default] GINA domain is edited and is active by default.

Enabling this option will use the settings from the selected template under Master template.

 

The accessing user must have their corresponding user certificate installed in their browser.

If more than one GINA domain is to be configured, the option Use virtual hosting (see GINA Domains Settings) must be used.

Furthermore, this option is not compatible with the setting System GINA GUI Enable local https proxy.

 

The changes made are saved via the Save button.

 

If a GINA domain is to be deleted via the Delete button, it must be ensured beforehand that it is not allocated to any Managed domain. Deleting it could also mean that GINA emails still held by the recipients of this GINA domain can no longer be decrypted!

 

 

  
