Configuration Guide. CompanyCRYPT v1.4.0


Configuration Guide

S.I.T. GmbH & Co. KG
Goseriede
Hanover
Telephone:
Telefax:
Internet:
info@companycrypt.com

Copyright by S.I.T. GmbH & Co. KG. Subject to change.

The materials contained herein are the sole property of S.I.T. No part of this publication may be reproduced, disseminated or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), stored in any retrievable system or otherwise used in any manner whatsoever without the express permission of S.I.T.

S.I.T. provides this publication as is and does not accept any liability for this documentation. This exclusion of liability includes expressed or implicit guarantees of suitability for defined purposes. The reader or user carries full responsibility for any usage of the information provided in this documentation. Under no condition shall S.I.T. be liable for any direct or indirect, coincidental, special or resulting damage or loss derived from any error within or related to the provided information, even and especially when the possibility of loss or damage was stated. Furthermore S.I.T. reserves the right to change, modify, nullify or update this documentation at any time without the obligation to inform persons or organisations. The usage of the software related to this documentation is part of and regulated by the licence agreement of S.I.T.

Trademarks

MIMEsweeper and MAILsweeper are registered trademarks (TM) of the company CLEARSWIFT. CompanyCRYPT is a registered trademark (TM) of the company S.I.T. GmbH & Co. KG. Any other trademark, brand, product name or logo not named above but used in this documentation is to be considered a registered trademark of its holder.

[ ] Seite: 1 / 111

1. Content

1.1. List of content

1. Content
   List of content
   Document content
   Expressions
   Support / Contact
2. Quick Access
   Configuration of CompanyCRYPT
      Entering the CompanyCRYPT-Licence
      Define default (Key-) values
      Define Passphrases ... 8
         PGP passphrase ... 8
         S/MIME passphrase
      Generating a CA-certificate
      Generating the company key (CSA)
      Generate a key for an internal user
      Import of external (public) keys
   Configuring MIMEsweeper
      Setting up address lists for external encryption partner
      Setting up Classifications for decryption
      Setting up Classifications for encryption
      Setting up Scenario Folder for encryption
      Setting up the Scenario for PGP/MIME encryption
      Setting up the Scenario for S/MIME encryption
      Setting up the Scenario for decryption
      Save and activate the De/Encryption in the MIMEsweeper
   Functionality
3. CompanyCRYPT
   Starting the CompanyCRYPT-WebGUI
      CompanyCRYPT integrated as a virtual site in the IIS ... 25
      CompanyCRYPT-WebGUI (SSL) ... 25
      CompanyCRYPT-WebGUI (Authentication)
   CompanyCRYPT SyncManager
      SyncManager call-up
   CompanyCRYPT Configuration
      First Start / Initializing
      Common Settings
         Default values for key generation ... 27

         Presentation of Verification/Decryption results (Decrypt Summary) ... 28
         Processing behaviour upon unavailable public recipient key
      PGP specific settings
         Activate/Deactivate PGP processing ... 29
         PGP passphrase
      S/MIME specific settings
         Activate/Deactivate S/MIME processing ... 29
         Validating certificate chain ... 30
         Parameter used while generating certificates ... 30
         S/MIME passphrase
      Ad Hoc Encryption
         Mode of operation: Encryption ... 31
         Activation of the Ad Hoc Encryption ... 31
         Configuration Ad Hoc Encryption ... 32
         Reference number ... 33
         Mode of operation: Decryption ... 33
         Configuration Ad Hoc Decryption ... 34
         Decryption at the recipient
      User controlled encryption
         Activation of encryption or signing ... 35
         Suppression of encryption or signing
      Keyserver
         Address configuration for automatic key distribution ... 37
         Automatic key generation ... 38
         Groupware-Interface (Reference list) ... 39
         SMTP-Configuration for automatic key distribution ... 39
         SMTP-Configuration for automatic key distribution using the SyncManager
      System Parameter (System)
         Backup / Restore Parameter ... 41
         Automatic Backup ... 41
         Manual Backup ... 41
         System Restore ... 41
         Deleting backup files ... 42
         Reprocess Service ... 42
         Reprocess Service - Configuration using the SyncManager ... 43
         Reprocessor Log ... 44
         Trace options and logging parameters ... 44
         Trace Log ... 45
         Control the CompanyCRYPT services ... 45
         System re-initialisation ... 45
      MIMEsweeper settings
      Distributed systems (Multi-Server)
         Mode: Single ... 46
         Mode: Master ... 46
         Mode: Master, configured by using the SyncManager ... 47
         Mode: Slave ... 48
         Mode: Slave, configured by using the SyncManager ... 49
      Operational Log
   Key-Management
      Trusted CA Store
         List view ... 50
         Certificate properties ... 51
         Introducer Status
      Central Signing Account (CSA)
         Generate a CSA key ... 52
         Display of the CSA key
      Local Root Certificate (Local CA)
         Generating a CA certificate ... 54
         Using of a given CA certificate ... 55
         Display of the CA certificate ... 56
         CA passphrase ... 56

      Managing private keys
         List View ... 57
         Key properties Private PGP Key ... 57
         Key properties Private S/MIME Certificate ... 58
         Send a public key by e-mail
         Generate a private key ... 59
         Delete a private key ... 61
         Sign a private PGP-key
      Managing public (external) keys
         List view ... 62
         Key properties Public PGP Key ... 62
         Key properties Public S/MIME Certificate ... 63
         Separate encryption and signing key (S/MIME only) ... 64
         Delete a public key ... 65
         Sign a public PGP key ... 66
         Generating private keys for external partner (S/MIME only)
      Import of key material
         Import of a private PGP key ... 68
         Import of a private S/MIME certificate ... 69
         Import of a public key (PGP and S/MIME) ... 71
         Upload of key material
      Automatic Import
         Automatic key detection ... 73
         Automatic import of public keys ... 74
         Automatic import of private keys ... 74
         Notification settings
      Site to Site Encryption
         Displaying site to site connections ... 75
         Displaying key properties of site-to-site links ... 75
         Setting up a site-to-site link ... 75
         Deleting a site-to-site link ... 76
         Deleting a site-to-site link including the associated key
      CompanyCRYPT Licence
         Enter licence ... 78
         Enter licence using SyncManager ... 78
         Delete licence ... 79
         Delete licence using SyncManager
   MIMEsweeper for SMTP v5.x
      Starting the Policy-Editor
      MIMEsweeper for SMTP configuration
      Address lists
         Address list overview ... 81
         Setting up an address list
      Classifications
         Overview of Classifications for CompanyCRYPT ... 83
         Setting up the Classification for decryption ... 83
         Setting up the Classification for encryption ... 85
         Classification for automatic key exchange
      Scenario Folder
         Overview of the scenario folder ... 87
         CompanyCRYPT Scenario Folder ... 87
         Setting up scenario folder for encryption ... 88
         Setting up scenario folder for automatic key exchange
      Scenarios
         Scenario position ... 90
         CompanyCRYPT-Scenarios ... 90
         Setting up the CompanyCRYPT Scenarios (Encryption) ... 91
         Standard encryption vs. Site-to-Site encryption (Group-keys) ... 93
         Setting up the CompanyCRYPT Scenarios (Decryption) ... 93

         Setting up the CompanyCRYPT Scenarios (MIKE - Mail Initiated Key Exchange)
      Extended Configuration
         Message-Areas (optional)
         Setting up Message Areas
         Classifications (optional)
         Setting up the Classifications for the monitoring
   Appendix
      Annex: Decrypt
         Decrypt
         Available scenarios
         Decrypt Processing details
      Annex: Encryption
         Encryption
         Available scenarios (Grouped by method)
         Normal Encryption
         Find your job
         Site-to-Site/Group key encryption
         Find your job
         Standard encryption vs. Site-to-Site encryption (Group-keys)
         User controlled encryption
         Processing logic
      Recommendations / Good practice

1.2. Document content

This document describes the configuration of CompanyCRYPT and its integration into the product MIMEsweeper for SMTP by Clearswift. It supports you while implementing the encryption. The installation of CompanyCRYPT is described in a separate document titled Installation Guide.

Expressions

For better readability some expressions or simplifications/abbreviations are used within this document.

Ad Hoc Encryption: Password based encryption method that does not require any PGP or S/MIME software at the recipient.
Classification: Configuration/Policy item used within MIMEsweeper.
CA: Certification Authority. Verifying authority for S/MIME certificates/keys.
Decrypt summary: A small text block (containing decryption results) added to an e-mail by CompanyCRYPT.
Detached (Clearsign): A form of digital signature where the signature itself is added (attached) to the signed data. The signed data itself remains unchanged.
MIMEsweeper for SMTP: The software product MIMEsweeper for SMTP by Clearswift.
Opaque: A form of digital signature where the binary signature is merged with the signed data into a new data block.
OpenPGP: OpenPGP is a standard for encryption software. This internet standard is defined in RFC.
Inline-PGP: An encryption/signing format in which the data blocks of an e-mail are processed individually (alt.: PGP/Inline).
PGP/MIME: An extension to the MIME standard (described in RFC 3156) to apply PGP encryption and signing to e-mails. Messages are usually processed as a whole, leaving the internal structure of the e-mail intact.
Scenario: Configuration/Policy item used within MIMEsweeper.
S/MIME: (Secure / Multipurpose Internet Mail Extensions) is an Internet standard for encrypting and signing e-mail using a public key crypto system.
WebGUI: The web based configuration interface of CompanyCRYPT 1.4.
Support / Contact

Telephone: Hotline (workdays 09:00-17:00)
E-Mail: support@companycrypt.com
Internet:

After registration: access to protected areas containing:
- Current versions
- Hotfixes, patches, updates
- Technical FAQ
- Documentation
- Tech. Newsletter

2. Quick Access

This chapter provides a step by step description of how to configure CompanyCRYPT and MIMEsweeper to implement encryption. The objective is a system that is capable of exchanging PGP- and S/MIME-encrypted e-mails with external partners. The description is aimed at configuring a stand alone system. In a distributed environment with multiple productive MIMEsweeper systems, some configuration steps are required on all systems.

The adjustments shown in the following chapters require a CompanyCRYPT installation including a fully functional web interface. The correct installation procedure is described in a separate document named Installation Guide.

Configuration of CompanyCRYPT

To access the web based administrative interface of CompanyCRYPT (WebGUI), open your internet browser and enter the address (URL) of the WebGUI. Having installed CompanyCRYPT as a virtual site in the IIS, as described in the Installation Guide, the following address should be used:

Entering the CompanyCRYPT-Licence

WebGUI (Info) > About > Licence

In order to do any configuration in CompanyCRYPT, a valid licence key has to be entered first. When starting the WebGUI, the right page to do this is displayed automatically. If the WebGUI is started for the first time, an informative initiation screen is displayed which can be confirmed by clicking OK.

Below Licence, enter the information from your Licence Record into the fields Company, Serial and Licence key. Pay attention to correct spelling: the company name is case sensitive. Save the entered data by clicking on Store Licence.

Note: The letters of the licence key are not case sensitive.

Important: If your MIMEsweeper is a Primary Configuration Server (PCS) only and no Policy Server (PS) is active on this system, the licence information is acquired during the first successful synchronisation contact with another CompanyCRYPT (Slave) system. See the Installation Guide first on how to set up a multi server environment. Only after a successful synchronisation will you be able to access all parts of the WebGUI on this (Master) system.

Define default (Key-) values

WebGUI (Configuration) > Encryption > Common Settings

To avoid repetitive entering of key data when generating keys, default values can be defined. Enter the desired values into the data fields. These values will be pre-selected every time you wish to generate a new key for an internal user. The fields Department and Location may be left empty.

Default Key Parameters

Default SMTP domain: <Internet domain>
Default Company: <Company name and/or identifier>
Default Department: (Optional) <Organisational unit>
Default Location: (Optional) <City, Region>
Default Country code: <Two letter country code>
Default keylength: 2048 (This key length offers sufficient security for the foreseeable future. Greater key lengths are not recommended for reasons of compatibility.)
Default S/MIME valid for: 3653 (This value stands for a validity of 2 years)
Default PGP valid for: 0 (This value stands for an unlimited validity.)

Define Passphrases

The passphrases are needed and used for generation and administration of the key material. It is strongly recommended to use at least 10 characters, ideally a combination of letters and digits. Now enter the following passphrases.

PGP passphrase

WebGUI (Configuration) > Encryption > PGP > Passphrase

Define the passphrase for the PGP keys. This passphrase is needed to access and manage internal user keys as well as to import new external public keys. Enter your passphrase in the field New Passphrase and repeat the same passphrase in the field Confirm Passphrase. Save the passphrase by clicking on the button Set PGP Passphrase.

S/MIME passphrase

WebGUI (Configuration) > Encryption > S/MIME > Passphrase

Finally define the passphrase for the S/MIME certificates. This passphrase is needed to access and manage internal user certificates. Enter your passphrase in the field New Passphrase and repeat the same passphrase in the field Confirm Passphrase. Save the passphrase by clicking on the button Set S/MIME Passphrase.

Generating a CA-certificate

WebGUI (Key Management) > Central Accounts > Local Certification Authority [CA] > CA Status

The CA-certificate is necessary if you want to generate your own internal user certificates.

Step 1: First define the passphrase for the CA-Certificate. The CA-Certificate is needed for generating S/MIME certificates for internal users. Enter your passphrase in the field New Passphrase and repeat the same passphrase in the field Confirm Passphrase. Save the passphrase by clicking on the button Set CA Passphrase.

Step 2: Enter the file name MailCA into the field CA Keyfilename. Save the settings by clicking on the button Save Storage values.

Step 3: To generate a CA-certificate, click on the button Generate.

Step 4: Enter the necessary data into the fields. Some entries are optional and can be left empty, like Department and Location.

Example for CA-Certificate data entries:

Name: <Company name>
E-Mail: ca@<internetdomain>
Company: <Full company name and/or identifier>
Department: (Optional) <Organisational unit>
Location: (Optional) <City, Region>
Country code: <Two letter country code>
S/MIME valid for: 3653 (This value represents a validity of 10 years)
Keylength: 2048 (This key length offers sufficient security for the foreseeable future. Greater key lengths are not recommended for reasons of compatibility.)

Step 5: Start certificate generation by clicking on the button Generate. The result of this process is displayed on the next page. Return by clicking on OK.

Generating the company key (CSA)

WebGUI (Key Management) > Central Accounts > Central Signing Account [CSA] > CSA Status

The company key is also called the Central Signing Account (CSA). It is the most important key within the CompanyCRYPT system.

Step 1: To generate the CSA-Key, click on the button Generate.

Step 2: Enter the necessary data into the fields. Some entries are optional and can be left empty, like Department and Location.

Example for the Central Signing Account data:

Name: Central_Signing_Account
Company: <Company name and/or identifier>
Department: (Optional) <Organisational unit>
Location: (Optional) <City, Region>
Country code: <Two letter country code>
Default PGP valid for: 0 (This value stands for an unlimited validity.)
S/MIME valid for: 3653 (This value stands for a validity of 10 years)
Keylength: 2048 (This key length offers sufficient security for the foreseeable future. Greater key lengths are not recommended for reasons of compatibility.)
SMIME:: Write CRL...: (Only for S/MIME certificates) If a link is configured under which the certificate revocation list (CRL) can be downloaded, it will be added to the certificate.
SMIME:: Usage is limit...: (Only for S/MIME certificates) The v3 extensions of the certificate are incorporated in such a way that the certificate can only be used for the configured usage (i.e. usage as SSL client is not possible anymore).

Step 3: Now select S/MIME + PGP in order to get the CSA-key in both formats.

Step 4: Start certificate generation by clicking on the button Generate. The result of this process is displayed on the next page. Return by clicking on OK.

Generate a key for an internal user

WebGUI (Key Management) > Internal > New key

Proceed to the Key-Management area Intern and click on the button New Key.

Step 1: Fill in the name and the e-mail address in the appropriate fields. You may leave the pre-selected data (derived from the Default page) in the other fields or change them to your needs.

Internal User Keypair

Name: <User name>
E-Mail: <User e-mail address>

Step 2: Select S/MIME + PGP to generate keys in both formats.

Step 3: Start the key generation by clicking on the button Generate.

Step 4: The result of this process is displayed on the next page.

Import of external (public) keys

After a new or first installation of CompanyCRYPT, it is necessary to start by copying the public key files of your external partners into the Import folder of CompanyCRYPT. During later operation, external keys are extracted and stored in this area automatically.

WebGUI (Key Management) > Import

Step 1: If the desired key is not available in the import area, click on the button Search... (Durchsuchen...) and select the key file. By clicking on Upload File the key will be uploaded to the server and copied into the import area. Select the key you intend to import by clicking on it in the list.

Step 2: Check the properties of the selected key. They are displayed below the list view. More details are displayed by clicking on the [+] in the upper right corner of the detail table. To validate a key it is common to verify Name, e-mail address and Fingerprint.

Step 3: Click on the button Import and Sign Key or Import Certificate to start the import process. If this key had been imported previously, the description of the button changes to Re-Import and Sign Key or Re-Import Certificate. By default the file containing the key is deleted after a successful import. Do not Remove: tick this option to prevent the deletion of the file. The result of this import process is displayed on the next page.

Configuring MIMEsweeper

Open the Policy Editor of the MIMEsweeper by double clicking on the MIMEsweeper Policy Editor icon on your desktop.

Setting up address lists for external encryption partner

Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Address Lists

Step 1: Right click on Address List and select New > Manual Address List. The following steps describe the process without using a wizard.

Step 2: In Properties of Manual Address List > General enter the name of the address list. In this example: PGP-MIME (Encrypt Only).

Step 3: In Properties of Manual Address List > Address List enter the addresses of the recipients. If no addresses are available yet (= no external public keys have been imported yet), you have to enter a dummy address, for example dummy@dummy.org, and save the entries with OK.

Step 4: Set up a second address list named SMIME (Encrypt only) by repeating Steps 1-3.

Step 5: The configured address lists should be displayed in the list summary.

Setting up Classifications for decryption

Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Classifications

Step 1: Right-click on Classifications and then select New > Classification. Name this new classification Decrypt OK.

Step 2: Repeat the previous step to create a second classification named Decrypt failed.

Step 3: Move the two new classifications above the (System-) classification Encrypted.

Step 4: Right-click on the classification Decrypt OK and select New > Save. The following steps describe the process without using a wizard.

Step 5: In Properties of Save > General enter the name Save to Reprocessing Queue.

Step 6: In Properties of Save > Folder enter the folder name Reprocessing. It is vital to use this exact name; double check the spelling!

Step 7: In Properties of Save > Options activate the option As modified by MIMEsweeper. This too is a vital setting. Include results from Text Analysis if available is left unmarked. Save the settings with OK.

Step 8: Right-click on the classification Decrypt failed and select New > Quarantine. The following steps describe the process without using a wizard.

Step 9: In Properties of Quarantine > General enter the name Quarantine (Encrypted).

Step 10: In Properties of Quarantine > Message Area select Encrypted Messages.

Step 11: In Properties of Quarantine > Options activate the option In original form and confirm the settings with OK.

Setting up Classifications for encryption

Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Classifications

Step 1: Right-click on Classifications and then select New > Classification. Name this new classification Encrypt OK.

Step 2: Repeat the previous step to create a second classification named Encrypt failed.

Step 3: The classifications need not be moved to higher levels; however, if they are moved, they must remain below blocking classifications like Virus-detect or Spam-Detect.

Step 4: Right-click on the classification Encrypt OK and select New > Deliver. The following steps describe the process without using a wizard.

Step 5: In Properties of Deliver > General enter the name Deliver and confirm with OK.

Step 6: Right-click on the classification Encrypt failed and select New > Quarantine. The following steps describe the process without using a wizard.

Step 7: In Properties of Quarantine > General enter the name Quarantine (Undetermined).

Step 8: In Properties of Quarantine > Message Area select Undetermined Messages.

Step 9: In Properties of Quarantine > Options activate the option In original form and confirm the settings with OK.

Setting up Scenario Folder for encryption

Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios > Outgoing

Step 1: Right click on the Scenario Folder Outgoing and select New > Folder. The following steps describe the process without using a wizard.

Step 2: In Properties of Folder > General enter a name that is self explanatory in relation to the function. In this example we will use PGP-MIME (Encrypt only).

Step 3: In Properties of Folder > Routes select the address list (intern) as the sender, and for the recipient select the previously generated list that matches the desired function, in this case PGP-MIME (Encrypt only). Confirm your selection with OK.

Step 4: Repeat the above Steps 1-3 to create another Scenario Folder named SMIME (Encrypt only).

Step 5: The newly created folders should now be displayed in the scenario tree below Outgoing.

Setting up the Scenario for PGP/MIME encryption

Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios > Outgoing

Step 1: Right click on the scenario folder PGP-MIME (Encrypt only) and select New > Virus Manager. The following steps describe the process without using a wizard.

Step 2: In Properties of Virus Manager > General enter the name PGP-MIME Encrypt only.

Step 3: In Properties of Virus Manager > Data Types select the option Include selected data types. When choosing the Data Types, mark only the two container types Microsoft Transport Neutral Encoding Format (TNEF) and SMTP message. Please verify that no other data types are marked.

Step 4: In Properties of Virus Manager > Application Details select OpenPGP-Encrypt only. Now activate the option Clean the detected virus in order to enable the encryption of the content. The option Strip infected files has to be left unchecked.

Step 5: In Properties of Virus Manager > Cleaned Annotation leave the option Insert annotation for cleaned items unchecked as well.

Step 6: In Properties of Virus Manager > Classification set the classification On detected items cleaned to Encrypt OK (successful encryption) and On virus cannot be removed to Encrypt failed (encryption did not succeed). Save these settings with OK.

Setting up the Scenario for S/MIME encryption

Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios > Outgoing

Step 1: Right click on the scenario folder SMIME (Encrypt only) and select New > Virus Manager. The following steps describe the process without using a wizard.

Step 2: In Properties of Virus Manager > General enter the name SMIME-Encrypt only.

Step 3: In Properties of Virus Manager > Data Types select the option Include selected data types. When choosing the Data Types, mark only the two container types Microsoft Transport Neutral Encoding Format (TNEF) and SMTP message. Please verify that no other data types are marked.

Step 4: In Properties of Virus Manager > Application Details select SMIME-Encrypt only. Now activate the option Clean the detected virus in order to enable the encryption of the content. The option Strip infected files has to be left unchecked.

Step 5: In Properties of Virus Manager > Cleaned Annotation leave the option Insert annotation for cleaned items unchecked as well.

Step 6: In Properties of Virus Manager > Classification set the classification On detected items cleaned to Encrypt OK (successful encryption) and On virus cannot be removed to Encrypt failed (encryption did not succeed). Save these settings with OK.

Setting up the Scenario for decryption

Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios > Incoming

Step 1: Right click on the Scenario Folder Incoming and select New > Virus Manager. The following steps describe the process without using a wizard.

Step 2: In Properties of Virus Manager > General enter a name that is self explanatory in relation to the function. In this example we will use Decrypt (decrypt only).

Step 3: In Properties of Virus Manager > Data Types select the option Include selected data types. When choosing the Data Types, mark only the two container types Microsoft Transport Neutral Encoding Format (TNEF) and SMTP message. Please verify that no other data types are marked.

Step 4: In Properties of Virus Manager > Application Details select the matching CompanyCRYPT Scenario Decrypt-Expect decrypt only OK. Now activate the option Clean the detected virus in order to enable the decryption of the content. The option Strip infected files has to be left unchecked.

Step 5: In Properties of Virus Manager > Cleaned Annotation leave the option Insert annotation for cleaned items unchecked as well.

Step 6: In Properties of Virus Manager > Classification set the classification On detected items cleaned to Decrypt OK (successful decryption) and On virus cannot be removed to Decrypt failed (decryption did not succeed). Save these settings with OK.

Save and activate the De/Encryption in the MIMEsweeper Policy Editor

Save the configuration changes in the MIMEsweeper Policy Editor by clicking on the button Save the MIMEsweeper Policy. The encryption can be used thereafter.

Functionality

After having performed all steps described in this chapter (2), you should now be able to exchange S/MIME and PGP encrypted e-mails with any of your external partners.

3. CompanyCRYPT

To administrate CompanyCRYPT, a modern web based interface is included. Using this interface, all relevant settings and operational tasks in CompanyCRYPT can be done.

Starting the CompanyCRYPT-WebGUI

After you have installed the CC-WebGUI according to the Installation Guide, the interface can be started by opening a browser and entering the correct address as described below.

CompanyCRYPT integrated as a virtual site in the IIS

Here the address is made up of the host name and the (sub) domain defined for CompanyCRYPT. In this case the address should look like this:

If you configured a secure connection via SSL, you have to substitute http by https. Now the address should look like this:

CompanyCRYPT-WebGUI (SSL)

Using an SSL connection, it may be necessary to confirm (in your browser) the usage of the certificate supplied by the server. In order to proceed, you have to confirm with Yes.

CompanyCRYPT-WebGUI (Authentication)

If anonymous user authentication was deactivated, you will see an authentication box when starting CompanyCRYPT.

In order to be able to use the administrative functions of the WebGUI, the selected user needs to be a member of the user group Local Administrators or needs to have local administrative permissions.

CompanyCRYPT SyncManager

CompanyCRYPT supports the installation and operation of distributed systems. This requires the configuration of a master-slave hierarchy. The setup of the slave system is done first, using the SyncManager. During operation the slave systems synchronise themselves automatically with the master system.

Important: Before changing the configuration using the SyncManager, the CompanyCRYPT Operational service has to be stopped first (to halt the synchronisation process)! Otherwise changes may not become effective or may be overwritten. After performing the changes, the CompanyCRYPT Operational service should be started again.

SyncManager call-up

The SyncManager is located in the CompanyCRYPT installation directory. By default this is: C:\Programme\CompanyCRYPT\SyncMng.exe

The SyncManager is started by double-clicking on the file SyncMng.exe.

CompanyCRYPT Configuration

First Start / Initializing

Upon the first start of the CompanyCRYPT-WebGUI, the CompanyCRYPT installation is initialised. This automatic step is necessary to complete the installation but requires no administrative action. The displayed screen is merely an informative summary of the completed steps. Click OK to proceed.

Initialising steps:

Config Version: Normalises and adapts values stored in the CompanyCRYPT-Version configuration file
Reprocess Service: Installs the CompanyCRYPT-Reprocess-Service
Operate Service: Installs the CompanyCRYPT-Operational-Service
Reprocess folder: Setting up the working folder for the Reprocess Service
EXE.INI: Adding the CompanyCRYPT-Scenarios to the EXE.INI file of the MIMEsweeper

Common Settings

Default values for key generation

WebGUI (Configuration) > Encryption > Common Settings > Default Key Parameters

Here you can define default values, which will be pre-selected or used when generating internal keys.

Default SMTP domain: <Internet domain>
Default company: <Company name>
Default department: (Optional) <Organisational unit>
Default location: (Optional) <City, Region>
Default country code: <Two letter country code>
Default keylength: Key length in Bit (for PGP and S/MIME)
Default S/MIME valid for: Period of validity in days (Mandatory)
Default PGP valid for: Period of validity in days (0 = unlimited) (Mandatory)

Presentation of Verification/Decryption results (Decrypt Summary)

WebGUI (Configuration) > Encryption > Common Settings > Decrypt Summary

Here you can define the presentation properties of the summary that, where applicable, informs the internal user about the results of any decryption or verification process on this message.

Summary language: Activates or deactivates the insertion of the decrypt summary into decrypted or verified e-mails, along with its language. (It will be inserted at the beginning of the message text.) Available settings are English, German, French and NONE (= deactivated).
HTML Style: Select the kind of HTML formatting.
   CSS based: Presentation is based on CSS definitions with graphical elements
   CSS with line wrap: Like CSS based, with additional line wraps
   Simple HTML: Presentation without graphical elements (recommended for usage with Lotus Notes)
HTML Font Size: Selects the font size. Available settings: Small, Medium, Large
Summary title: Customize the displayed title of the Decrypt Summary

Processing behaviour upon unavailable public recipient key

WebGUI (Configuration) > Encryption > Common Settings > Processing

This option lets you select the processing behaviour if the recipient's public key is not available.

No encryption key?: Applies to PGP as well as S/MIME processes.
a) Abort and raise encryption fail condition: The CompanyCRYPT encryption job will return the value Failed to the MIMEsweeper (Classification Encrypt Failed). The message will not be delivered.
b) Process with CSA key only (Recommended setting): The encryption will only be done for the CSA key. The e-mail will be delivered to the recipient. Decryption, however, is only possible with the CSA key; the recipient cannot decrypt this message. It is recommended to select this option to ensure correct processing also for messages containing embedded (inline) e-mails.

PGP specific settings

This section configures the usage of the open source product GnuPG.

Activate/Deactivate PGP processing
WebGUI (Configuration) > Encryption > PGP > Processing
Inline PGP:            Activates or deactivates the processing of PGP objects of this type, if found in e-mails.
PGP/MIME:              Activates or deactivates the processing of PGP objects of this type, if found in e-mails.
Path to GnuPG binary:  Folder in which the file gpg.exe is located. The default value will be set to the executable that comes with the installation package and should not be modified.
PGP-Comment-Line:      Every PGP sign or encryption block can carry a (plain text) comment line. Enter the text you wish to annotate. This comment will be visible to anyone who receives PGP encrypted or PGP signed data from you. (This refers to Inline PGP as well as PGP/MIME.)

PGP passphrase
WebGUI (Configuration) > Encryption > PGP > Passphrase
Here you can enter the passphrase for the PGP key handling. The date of the last change (or a missing passphrase) is displayed in the headline.
Current Passphrase:  Previous (old) passphrase
New Passphrase:      The new passphrase
Confirm Passphrase:  Confirmation of the new passphrase

S/MIME specific settings
This section is to configure the usage of the OpenSource product OpenSSL.

Activate/Deactivate S/MIME processing
WebGUI (Configuration) > General > S/MIME > Processing
S/MIME:                  Activates or deactivates the processing of S/MIME messages.
Path to OpenSSL binary:  Folder in which the file openssl.exe is located. The default value will be set to the executable that comes with the installation package and should not be modified.

Validating certificate chain
WebGUI (Configuration) > General > S/MIME > Signatures + Verification
Include CA certificates:  When signing a message, besides the signing certificate the signature may also contain the issuing certificate(s) (CA). Intermediate (Sub-) CA certificates are included up to the configured depth.
Trust new certificates:   This defines the level of verification done on a new or unknown certificate (i.e. on signed messages or during import of new certificates). The following options are available:
  a) If next issuer/authority is found... If selected, an unknown certificate will already be declared trusted if the certificate signature of the next issuer/authority can be validated with a certificate in the trusted CA store. Even if the issuer certificate itself is a Sub-CA (has another issuer signature), no further validation is performed.
  b) Only if full chain of issuer/authorities can be validated... In this case an unknown certificate will only be declared trusted if the complete chain of all issuers/authorities can be validated by certificates in the trusted CA store. Such a chain always ends with a self-signed root certificate.

Parameter used while generating certificates
WebGUI (Configuration) > General > S/MIME > Generating Certificates with CompanyCRYPT
Adjustable v3 Extensions:  (Optional) The so-called v3 extensions that declare the usage of a certificate are marked critical. A different usage from the declared one(s) (i.e. as SSL client) will not be possible.
Certificate Revocation List (CRL):  The (local) CRL is automatically invoked. It is updated daily by the operational service and available in two differently encoded files (CRL.crl and CRL.pem) in the directory <..CompanyCRYPT..>\Smime\. Those files can be made available to external partners on the internet.
CRL Distribution URL:  (Optional) The internet URL under which the CRL is downloadable.
CRL contact:           (Optional) The e-mail address under which external partners can request the CRL.
CRL expires after:     (Optional) The validity of the CRL (in days).
Note: The CRL is not automatically published. It has to be copied to an FTP or HTTP server in order to make it available to external partners. Only after that does it make sense to add the URL to a certificate upon generation.
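The difference between the two "Trust new certificates" policies is easiest to see on a concrete store. The following Python is an added example, not CompanyCRYPT code: it models a trusted CA store in which a partner's Sub-CA was imported without its root, and shows that policy a) accepts a certificate issued by that Sub-CA while policy b) rejects it. Certificates, CA names and the signature stand-in (a field naming the CA whose key signed the certificate) are constructed; the real product verifies actual signatures with OpenSSL.

```python
# Added example (not CompanyCRYPT code): compares the two "Trust new certificates"
# policies on a constructed, simplified certificate store. Real verification is done
# by OpenSSL on actual signatures; here a cert merely records which CA signed it.
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    signed_by: str  # stand-in for a verified signature: name of the CA whose key signed it

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def signature_checks_out(cert: Cert, candidate_issuer: Cert) -> bool:
    """Stand-in for 'verify cert's signature with candidate_issuer's public key'."""
    return cert.issuer == candidate_issuer.subject and cert.signed_by == candidate_issuer.subject


def trusted_next_issuer(cert: Cert, store: Dict[str, Cert]) -> bool:
    """Policy a): trusted as soon as the direct issuer is in the store and its
    signature on `cert` verifies. The issuer's own provenance is not examined."""
    issuer = store.get(cert.issuer)
    return issuer is not None and signature_checks_out(cert, issuer)


def trusted_full_chain(cert: Cert, store: Dict[str, Cert], max_depth: int = 8) -> bool:
    """Policy b): every link up to a self-signed root must verify against store
    entries. max_depth bounds the walk so a malformed chain cannot loop forever."""
    current = cert
    for _ in range(max_depth):
        issuer = store.get(current.issuer)
        if issuer is None or not signature_checks_out(current, issuer):
            return False
        if issuer.self_signed:
            return signature_checks_out(issuer, issuer)  # the root verifies itself
        current = issuer
    return False  # chain longer than max_depth: treat as not validated


# Constructed sample store: an own root CA, plus a partner's Sub-CA whose issuing
# root is NOT in the store (typical after importing an intermediate on its own).
STORE = {
    "Example Root CA": Cert("Example Root CA", "Example Root CA", "Example Root CA"),
    "Partner Sub CA": Cert("Partner Sub CA", "Partner Root CA", "Partner Root CA"),
}
LEAF_VIA_ROOT = Cert("alice@example.com", "Example Root CA", "Example Root CA")
LEAF_VIA_SUB = Cert("bob@partner.example", "Partner Sub CA", "Partner Sub CA")
LEAF_UNKNOWN = Cert("carol@other.example", "Unknown CA", "Unknown CA")


def compare_policies(cert: Cert, store: Dict[str, Cert] = STORE) -> dict:
    """Outcome of both policies for one certificate."""
    return {"next_issuer": trusted_next_issuer(cert, store),
            "full_chain": trusted_full_chain(cert, store)}


if __name__ == "__main__":
    for leaf in (LEAF_VIA_ROOT, LEAF_VIA_SUB, LEAF_UNKNOWN):
        print(leaf.subject, compare_policies(leaf))
```

With policy a) the certificate issued by "Partner Sub CA" is trusted even though nobody has verified that Sub-CA against a root; with policy b) it is only trusted once "Partner Root CA" is also present in the store, which is the behaviour to prefer when the store contains imported intermediates.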

S/MIME passphrase
WebGUI (Configuration) > Encryption > S/MIME > Passphrase
Here you can enter the passphrase for the S/MIME certificate handling. The date of the last change (or a missing passphrase) is displayed in the headline.
Current Passphrase:  Previous (old) passphrase
New Passphrase:      The new passphrase
Confirm Passphrase:  Confirmation of the new passphrase

Ad Hoc Encryption
The Ad Hoc Encryption has been integrated as an alternative to the methods PGP and S/MIME. It is most useful in situations where the recipient cannot use the standard methods (PGP or S/MIME). The Ad Hoc Encryption can be used instantly and does not require any preparation. In particular, the usual exchange of public keys is not needed. To access the encrypted data the recipient merely needs a password.

Mode of operation: Encryption
During the Ad Hoc Encryption the body text as well as all attachments are merged into an encrypted archive. To enable the recipient to decrypt the data without any extra software, the output is a self-extracting archive (original_mail.exe). This archive will then be compressed (ZIP), added to a template and sent to the recipient.
To further increase security, the original subject line can be moved into the encrypted body text. There it will be added to the beginning of the body text. The subject line during transmission is changed to a generic phrase.
Since the content of the original e-mail is now within the new attachment (original_mail.zip), the message itself (message text with notes for the recipient) is made up from templates. Those template files can be modified to meet individual requirements. They are located in the following directories:
<CompanyCRYPT Installation>\Templates\AdHocEncrypt\Bodytext.htm
<CompanyCRYPT Installation>\Templates\AdHocEncrypt\Bodytext.txt

Activation of the Ad Hoc Encryption
The Ad Hoc Encryption is activated by 2 Scenarios.
1. Ad Hoc Encryption
Every message is encrypted using the Ad Hoc Encryption. Additional properties (signing, password, ...) are defined in the configuration (see next paragraph).

2. User Controlled Encryption
Processing of messages is controlled by keywords in the subject line (or the MIME header value "Sensitivity"). If PGP keys are available for all recipients, PGP is selected; if S/MIME keys are available for all recipients, S/MIME is selected as the method of encryption. The signing depends on the configuration and/or subject control and the availability of keys. If not all keys are available for PGP or S/MIME, the Ad Hoc Encryption is used as fallback.

Configuration Ad Hoc Encryption
WebGUI (Configuration) > General > Ad Hoc Encryption
This functionality allows sending encrypted e-mails even to recipients that have neither a PGP key nor an S/MIME certificate. The encryption is based on a symmetrical method. The recipient requires a password to access the content of the original e-mail.
Subject Protection:
Move subject line into encrypted bodytext:  If activated, the original subject line is added to the beginning of the encrypted body text. The subject line itself is substituted by the phrase entered in the next field.
Write this subject instead:  Generic phrase that makes up the subject line for the transmitted message.
Password method:     In this section you can decide what kind of password is used.
Common Password:     Every Ad Hoc Encryption is done using this password.
Confirm (Password):  Password confirmation.
Random Password:     For every Ad Hoc Encryption a new password is generated. The password together with a random reference number is automatically sent back to the sender. The password itself is made up of the letters (a-z, A-Z) and digits (0-9).
Security:            Security level for the automatic password generation. Each block contains 4 characters.
  2 Blocks - equiv. 48 Bit
  3 Blocks - equiv. 72 Bit
  4 Blocks - equiv. 96 Bit
  5 Blocks - equiv. 120 Bit (Recommended)
  6 Blocks - equiv. 144 Bit
  7 Blocks - equiv. 168 Bit
  8 Blocks - equiv. 192 Bit
Keep log of passwords and reference IDs:  If activated, the automatically generated passwords and the related reference numbers are logged to the file <CompanyCRYPT Installation>\Logs\AdHoc_Pw.txt.
Password notifications are being sent from:  This address will be used as the sender address for password notifications.
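The random-password settings above state the alphabet (a-z, A-Z, 0-9), the block size (4 characters) and a rounded "equiv." bit figure per level. The following Python is an added example, not CompanyCRYPT's generator: it produces passwords in that format from a cryptographic random source and computes the exact entropy of each level next to the figure the guide quotes (62^4 is slightly less than 2^24, so the exact values are a little under the stated ones). The "-" separator between blocks and the zero-padded layout of the 10-digit reference number are assumptions of this example.

```python
# Added example (not CompanyCRYPT code): random Ad Hoc password in the guide's format
# plus the exact entropy per security level. Block separator and reference-number
# padding are assumptions; alphabet, block size and 10-digit length are from the guide.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols: a-z, A-Z, 0-9
BLOCK_LEN = 4
MIN_BLOCKS, MAX_BLOCKS = 2, 8


def generate_password(blocks: int = 5) -> str:
    """Return `blocks` groups of 4 characters drawn from the CSPRNG behind `secrets`
    (never `random`, whose output is predictable)."""
    if not MIN_BLOCKS <= blocks <= MAX_BLOCKS:
        raise ValueError("security level must be 2..8 blocks")
    groups = ["".join(secrets.choice(ALPHABET) for _ in range(BLOCK_LEN))
              for _ in range(blocks)]
    return "-".join(groups)  # assumed separator


def generate_reference_number() -> str:
    """10-digit random reference number (length from the guide; zero padding assumed)."""
    return f"{secrets.randbelow(10 ** 10):010d}"


def entropy_bits(blocks: int) -> float:
    """Exact entropy of a uniformly random password of `blocks` x 4 characters."""
    return blocks * BLOCK_LEN * math.log2(len(ALPHABET))


def security_levels() -> dict:
    """Level -> (exact bits, the guide's rounded figure of 24 bits per block)."""
    return {b: (round(entropy_bits(b), 1), 24 * b)
            for b in range(MIN_BLOCKS, MAX_BLOCKS + 1)}


def is_well_formed(password: str, blocks: int) -> bool:
    """Check a password against the block layout and alphabet."""
    parts = password.split("-")
    return (len(parts) == blocks
            and all(len(p) == BLOCK_LEN and set(p) <= set(ALPHABET) for p in parts))


if __name__ == "__main__":
    pw, ref = generate_password(5), generate_reference_number()
    print(f"reference {ref}: {pw}  ({entropy_bits(5):.1f} bit)")
    for level, (exact, stated) in security_levels().items():
        print(f"{level} blocks: {exact:6.1f} bit exact, {stated} bit stated")
```

The reference number is deliberately independent of the password: it only lets the sender match a notification to a message, so it can appear in the clear in the subject line and in the recipient's password dialog without weakening the password.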

The password notification is also generated from templates. Those template files can be modified to meet individual requirements. They are located in the following directories:
<CompanyCRYPT Installation>\Templates\AdHocEncrypt\Bodytext_Pw.htm
<CompanyCRYPT Installation>\Templates\AdHocEncrypt\Bodytext_Pw.txt

Reference number
For every generated password a reference number is added. The sole purpose of this 10-digit random number is to help the sender relate a password to the right message. The reference number can be found in three places:
- In the subject line of the password notification (sender)
- In the message text of the password notification (sender)
- In the mask where the recipient enters the password (recipient)

Mode of operation: Decryption
The recipient receives an e-mail that consists of a description on how to unpack and decrypt the included attachment. The ZIP file will be saved and decompressed. After that the file original_mail.exe is executed. Once started, the archive automatically checks the integrity of the encrypted data and locates the current directory. After that a window opens asking the recipient for two values. One is the required password. The other one is the target directory to store the decrypted files in. A subfolder of the current directory is already pre-selected. The window presents itself in the language that was selected in CompanyCRYPT (Configuration of Ad Hoc Encryption). The recipient may also choose the preferred language from English, German or French by clicking on the related button.
The button "Decrypt" starts the process. In the first step the password is checked for correctness. If wrong, a message box for this problem will appear. If correct, the target folder will be checked (and created if needed). During the decrypt and save processes the original message text will be saved as Bodytext.txt and/or Bodytext.htm for formatted message text. All other included attachments are saved under their original name. If an attachment name already exists, a continuous number is added to the file name to keep files from being overwritten.

Configuration Ad Hoc Decryption
WebGUI (Configuration) > Encryption > Ad Hoc Encryption > Ad Hoc Decryption Properties
Decrypt language:  Pre-selects the initial language in which the decryption interface is presented to the recipient. English, German and French are currently available.

Decryption at the recipient
The recipient receives an e-mail with an attachment named original_mail.zip. The message text is made up of a step-by-step guide on how to decrypt and access the content.
Step 1  The correct password has to be acquired from the sender.
Step 2  Save the file original_mail.zip into a directory of your choice.
Step 3  Unpack the file in the same directory. For this, double-click on the attachment and select "unpack" or "extract", depending on the decompression program.
Step 4  Open the encrypted archive original_mail.exe with a double-click and enter the password. Depending on the password mode, a reference number is displayed below the password field. This number helps the sender to provide the password that was actually used on this message. In the field "Target directory" a subfolder of the current directory is pre-selected. This may be changed individually to a suitable location. To start the decryption click on "Decrypt".
Step 5  After the successful decryption click on "Yes" to open the directory that contains the decrypted files.

Step 6  To read the message text of the original message open the file Bodytext.txt with a double-click. If the e-mail was sent using the HTML format, the file Bodytext.htm also contains the message text. Included attachments are available in the same directory with their original filename.

User controlled encryption
Besides a permanent (policy based) encryption, configured by the administrator on the mail gateway, CompanyCRYPT also supports a user controlled encryption. This method technically resembles the policy based encryption methods, with the difference that the user decides while sending whether the message should be encrypted and/or signed.

Activation of encryption or signing
WebGUI (Configuration) > User Control > Activation
This option enables the internal user (sender) to activate encryption and signing. The following options are available:
Subject control           Activation by keyword in subject line
Mail option Confidential  Activation by selectable properties ("confidential", "personal", ...) within the e-mail client
Custom Header             Activation by MIME header line
The applicable scenario is "User Controlled Encryption", which only performs the configured processing steps upon detection of one of the selected activation options. For more details on the processing steps see the program flow chart (User controlled encryption - Processing logic).
Note: Detected keywords are always removed from the subject line.
If activated, it will also change the processing logic of the following (sign-only) jobs. Upon the detection of a keyword, the processing behaviour will be overwritten by what is configured for "User controlled encryption":
OpenPGP-Only Sign (Company)
OpenPGP-Only Sign (User)
PGP-Sign Mail (Company)
PGP-Sign Mail (User)

PGP-Sign Text (Company)
PGP-Sign Text (User)
SMIME-Sign Detached (Company)
SMIME-Sign Detached (User)
SMIME-Sign Opaque (Company)
SMIME-Sign Opaque (User)
Note: Any other scenario that already includes encryption, as well as all site-to-site scenarios, is not affected and will not show a different processing behaviour.
Note: To see all available options you have to expand the view by clicking on the button "More Options".
Let user activate Encryption:  Activates/deactivates a User Controlled Encryption
By subject keyword:            Activation by a keyword in the subject line
Case sensitive:                If checked, the search for the keyword is done case sensitively
By property:                   Activation may also be triggered by a mail property. Some clients allow the user to mark the message as "Personal", "Private" or "Confidential". This should result in a header line starting with "Sensitivity:".
By custom value in header:     The activation may alternatively be triggered by freely selectable MIME header fields.
Encryption method:             Select the kind of encryption and processing behaviour.
  Ad Hoc encryption only:              In all cases the message will be encrypted with the Ad Hoc encryption method, regardless of the availability of PGP or S/MIME recipient keys.
  If possible use PGP or S/MIME, else:  Whenever either all PGP or all S/MIME keys are available for the recipients, the matching method will be used to encrypt the message.

    Encrypt Ad Hoc:          If not all PGP or S/MIME keys are available, the Ad Hoc encryption method will be used.
    Stop with Encrypt Fail:  The message processing will result in an encrypt fail condition if not all PGP or S/MIME keys are available.
    Send unencrypted:        The message will be delivered unchanged (plain) if not all PGP or S/MIME keys are available.
When encrypt, always sign:  If activated, each encrypted e-mail will be automatically signed by the method chosen under User-Activated-Signing.
Let user activate Signing:  Activates/deactivates a User Controlled Signing
By subject keyword:         Activation by a keyword in the subject line
Case sensitive:             If checked, the search for the keyword is done case sensitively
Signing method:             Selection of the signing method: PGP/MIME, S/MIME or Inline PGP
Signing key:                Choose to use the company key (CSA) or the user key (Sender) for signing. If no user key is available, the company key will be used as fallback.

Suppression of encryption or signing
WebGUI (Configuration) > User Control > Suppression
This option, if activated, allows the internal sender to prevent encryption and/or signing by placing a keyword in the subject line. This feature can be enabled for encryption or signing separately and with different keywords. The keywords are not removed from the subject line.
Note:
- This policy will not have any effect on Site-to-Site encryption processes.
- This is a global option; other scenarios might be affected.
Suppress Encryption:  Activates/deactivates the user controlled suppression of encryption
By subject keyword:   Keyword that needs to be placed in the subject line to suppress encryption.
Case sensitive:       If activated, the keyword search is case sensitive
Suppress Signing:     Activates/deactivates the user controlled suppression of signatures
By subject keyword:   Keyword that needs to be placed in the subject line to suppress signing.
Case sensitive:       If activated, the keyword search is case sensitive

Keyserver

Address configuration for automatic key distribution
WebGUI (Configuration) > Key Server > MIKE
Triggered by a key-request e-mail, CompanyCRYPT can automatically mail the requested key back. If the requested key is unavailable or the request doesn't even contain an e-mail address, a notification is sent back. This feature is called MIKE (Mail Initiated Key Exchange).
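The "User controlled encryption" rules spread over the preceding pages (the 2. User Controlled Encryption scenario description and the Activation and Suppression settings) combine into one decision per message: is the message activated, which method do the recipients' keys allow, what happens when keys are missing, and does a suppression keyword override all of it. The following Python is an added example, not CompanyCRYPT's processing logic, that models those rules on constructed messages. The keywords, the custom header name and value, and the recipient key inventory are sample values; the product's own flow chart is the authoritative description.

```python
# Added example (not CompanyCRYPT code): models activation, method selection and
# suppression from the "User Control" settings on constructed messages. Keywords,
# the custom header and the recipient key inventory are sample values.
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class UserControl:
    """Constructed stand-in for the 'User Control > Activation / Suppression' settings."""
    activate_keyword: str = "[encrypt]"                    # sample keyword
    activate_case_sensitive: bool = False
    by_property: bool = True                               # any 'Sensitivity:' header activates
    custom_header: Tuple[str, str] = ("X-Encrypt", "yes")  # assumed custom MIME header/value
    adhoc_only: bool = False                               # 'Ad Hoc encryption only'
    fallback: str = "adhoc"                                # 'adhoc' | 'fail' | 'plain'
    always_sign: bool = True                               # 'When encrypt, always sign'
    suppress_encrypt_keyword: str = "[noencrypt]"          # sample keyword
    suppress_sign_keyword: str = "[nosign]"                # sample keyword
    suppress_case_sensitive: bool = False


@dataclass
class Message:
    subject: str
    headers: Dict[str, str]
    recipients: List[str]


def _found(text: str, keyword: str, case_sensitive: bool) -> bool:
    return keyword in text if case_sensitive else keyword.lower() in text.lower()


def _strip_keyword(text: str, keyword: str, case_sensitive: bool) -> str:
    """Detected activation keywords are removed from the subject line."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.sub(r"\s*" + re.escape(keyword) + r"\s*", " ", text, count=1, flags=flags).strip()


def is_activated(msg: Message, cfg: UserControl) -> bool:
    headers = {k.lower(): v.strip() for k, v in msg.headers.items()}
    if _found(msg.subject, cfg.activate_keyword, cfg.activate_case_sensitive):
        return True
    if cfg.by_property and headers.get("sensitivity"):
        return True
    name, value = cfg.custom_header
    return headers.get(name.lower(), "").lower() == value.lower()


def decide(msg: Message, cfg: UserControl, pgp_keys: Set[str], smime_keys: Set[str]) -> dict:
    """Processing decision for one message; pgp_keys / smime_keys hold the recipient
    addresses for which a public key or certificate is on file."""
    suppress_enc = _found(msg.subject, cfg.suppress_encrypt_keyword, cfg.suppress_case_sensitive)
    suppress_sig = _found(msg.subject, cfg.suppress_sign_keyword, cfg.suppress_case_sensitive)
    if suppress_enc or not is_activated(msg, cfg):
        # Nothing is done; suppression keywords are left in the subject line.
        return {"method": "plain", "sign": False, "subject": msg.subject}
    subject = _strip_keyword(msg.subject, cfg.activate_keyword, cfg.activate_case_sensitive)
    rcpts = {r.lower() for r in msg.recipients}
    if cfg.adhoc_only:
        method = "adhoc"
    elif rcpts <= pgp_keys:        # PGP keys for *all* recipients
        method = "pgp"
    elif rcpts <= smime_keys:      # S/MIME certificates for *all* recipients
        method = "smime"
    else:
        method = cfg.fallback      # 'fail' stands for the encrypt fail condition
    sign = cfg.always_sign and method in ("pgp", "smime", "adhoc") and not suppress_sig
    return {"method": method, "sign": sign, "subject": subject}


# Constructed inventory of recipient keys
PGP_KEYS = {"alice@partner.example", "bob@partner.example"}
SMIME_KEYS = {"carol@other.example"}

if __name__ == "__main__":
    cfg = UserControl()
    for m in (Message("[ENCRYPT] Q3 figures", {}, ["alice@partner.example"]),
              Message("[encrypt] mixed", {}, ["alice@partner.example", "carol@other.example"]),
              Message("Quarterly", {"Sensitivity": "Company-Confidential"}, ["carol@other.example"])):
        print(m.subject, "->", decide(m, cfg, PGP_KEYS, SMIME_KEYS))
```

The fallback branch is where the policy choice matters: with fallback "plain" a message the user explicitly marked for encryption leaves the gateway unencrypted whenever one recipient lacks a key, so "adhoc" or "fail" is the setting to prefer unless that is intended.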

Listener Address:  E-mails sent to this address are processed by MIKE as key requests.
Sender Address:    This sender address will be used for all replies that don't contain key material (Quick Guide, No key notification, ...). Additionally, all messages sent to this address are ignored. Thereby loop effects are suppressed.
Local Domains:     Here all local (internal) domains are to be entered. This enables MIKE to distinguish between internal and external requests.
Send Keys/Certificates from:  Address from which key replies (not notifications) are sent.
  User address:      The key will be sent from the address of the key owner. (This address would be part of the key properties.)
  Listener address:  The key will be sent from the address entered into the field "Listener Address".
S/MIME key reply option:  Additional feature for S/MIME key replies
  Always sign S/MIME reply with user key:  By this option S/MIME key replies are additionally signed with the sender key. This usually enables the recipient of such a message to import the certificate directly from the signature. It is recommended to activate this option.
Quickguide option:  The Quickguide describes how to use the key server (MIKE). It is the standard reply for external requests that do not contain an e-mail address in the subject line.
  Avoid reply by subject keyword:  If MIKE receives an e-mail with this string in the subject, no reply is generated. This option can be used to receive public keys from external partners without them getting an (unwanted) reply back.
  Case sensitive:  Enables the case sensitivity of the above string

Automatic key generation
WebGUI (Configuration) > Key Server > On-demand Key Generation
CompanyCRYPT is capable of automatically generating key pairs for internal users. Triggered by a key request received by MIKE, a (not yet generated) key is then generated in reference to a (file-based) user list. Being available then, the public key is sent to the requestor in form of a normal key reply. This function is realized in the operational service.

Auto GENERATE:                Enables or disables the automatic key generation of PGP or S/MIME keys
List File Location:           Absolute path and file name of the reference list
Check Interval:               Time interval in which CompanyCRYPT checks for new key-generation requests.
Generate max. Keys/Interval:  Maximum amount of keys to be generated within an interval (Default: 5/10 min). Key generation consumes a high amount of CPU processing time. For this reason this value should be left at a low level to avoid interference with other system processes.

Groupware-Interface (Reference list)
WebGUI (Configuration) > Key Server > On-demand Key Generation > Synchronize Internal Keys with Groupware
The reference list should contain information about users in a way that CompanyCRYPT is able to identify keys that need to be generated and, upon request, actually generate this user-specific key with the correct details.

Structure of the reference list
The structure of the reference list follows this pattern (per line): <Fieldname>: <Value><CRLF>. The following fields are available / mandatory:
#                   Comment
E-Mail:             E-mail address of the user (Mandatory)
Name:               Full name or identifier of the user (Mandatory)
Company:            Company name
Department:         Department
Location:           Location / Town
Country:            Country code (2-letter)
PGPValidity:        Period of validity in days (0 = unlimited)
SMIMEValidity:      Period of validity in days
Default Keylength:  Key length in Bit (for PGP and S/MIME)
Any missing or incorrect data (except E-Mail and Name) will be taken from the values defined in "Default Key Parameters".

SMTP-Configuration for automatic key distribution
WebGUI (Configuration) > Key Server > MIKE
Triggered by a key-request e-mail, CompanyCRYPT can automatically mail the requested key back. If the requested key is unavailable or the request doesn't even contain an e-mail address, a notification is sent back.

Send to this Host/port:  Host name or IP address and port of the system to which key replies should be mailed (SMTP). The local system (i.e. the MIMEsweeper) is entered as default.
Use local Hostname:      Allows customizing the HELO/EHLO parameter. This may be necessary if the key replies are rejected by the target system for a wrong (localhost-) name.
  Default:  The FQDN derived from the network settings is used.
  Custom:   Custom host name
Note: To enable key distribution via the MIMEsweeper for SMTP, the sending CompanyCRYPT system has to be added to the Relay Hosts in the MIMEsweeper configuration.
Note: In a distributed environment these settings are required to be done for every slave system individually. Do this by using the SyncManager.

SMTP-Configuration for automatic key distribution using the SyncManager
SyncManager > Configuration > Local System > Key Replies
Important: Before changing the configuration using the SyncManager, the Master-Slave synchronisation has to be suspended by stopping the Operational Service of CompanyCRYPT. An active synchronisation may revert any change to the configuration. The Operational Service has to be restarted afterwards.
By default all key replies are forwarded to the local system. If changed, the new settings have to be applied to each slave system individually.
Send to this Host/port:  Host name or IP address and port of the system to which key replies should be mailed (SMTP). The local system (i.e. the MIMEsweeper) is entered as default.
Use local Hostname:      Allows customizing the HELO/EHLO parameter. This may be necessary if the key replies are rejected by the target system for a wrong (localhost-) name.
  Default:  The FQDN derived from the network settings is used.
  Custom:   Custom host name
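The reference list described under "Groupware-Interface (Reference list)" above is a plain text file of "<Fieldname>: <Value>" lines, and the guide states that anything other than the address and the name falls back to the Default Key Parameters when missing or incorrect. The following Python is an added example, not CompanyCRYPT's parser: it reads such a list, validates each record, applies that fallback rule and looks a user up by address, which is the step the on-demand key generation has to perform for each request. Assumptions of this example: records are separated by a blank line, the address field is spelled "E-Mail" and the key length field "Keylength"; the default values and the sample list are constructed.

```python
# Added example (not CompanyCRYPT code): parser for the file-based reference list in
# "<Fieldname>: <Value>" form with the guide's fallback rule (everything except
# E-Mail and Name is taken from the Default Key Parameters when missing/invalid).
# Assumptions: blank-line record separation, field names "E-Mail" and "Keylength".
import re
from typing import Dict, List, Optional, Tuple

# Constructed defaults standing in for the WebGUI "Default Key Parameters".
DEFAULTS: Dict[str, object] = {
    "Company": "Example AG", "Department": "", "Location": "Hanover",
    "Country": "DE", "PGPValidity": 0, "SMIMEValidity": 730, "Keylength": 2048,
}
MANDATORY = ("E-Mail", "Name")
INT_FIELDS = {"PGPValidity", "SMIMEValidity", "Keylength"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LINE_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def _valid(field: str, value: str) -> bool:
    if field in INT_FIELDS:
        return value.isdigit()                       # non-negative days / bits
    if field == "Country":
        return re.fullmatch(r"[A-Z]{2}", value) is not None
    return bool(value)


def _normalise(raw: Dict[str, str], lineno: int) -> Tuple[dict, List[str]]:
    """Reject records lacking E-Mail/Name; fill every other field from DEFAULTS if bad."""
    errors = [f"record at line {lineno}: missing mandatory field {f}"
              for f in MANDATORY if not raw.get(f)]
    if raw.get("E-Mail") and not EMAIL_RE.match(raw["E-Mail"]):
        errors.append(f"record at line {lineno}: malformed E-Mail")
    if errors:
        return {}, errors
    rec: dict = {"E-Mail": raw["E-Mail"].lower(), "Name": raw["Name"]}
    for field, default in DEFAULTS.items():
        value = raw.get(field, "")
        rec[field] = (int(value) if field in INT_FIELDS else value) if _valid(field, value) else default
    return rec, errors


def parse_reference_list(text: str) -> Tuple[List[dict], List[str]]:
    """Return (valid records, error messages) for the whole list."""
    records: List[dict] = []
    errors: List[str] = []
    raw: Dict[str, str] = {}
    start = 0

    def flush() -> None:
        if raw:
            rec, errs = _normalise(raw, start)
            errors.extend(errs)
            if rec:
                records.append(rec)
            raw.clear()

    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if line.startswith("#"):
            continue
        if not line:
            flush()
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: not in '<Fieldname>: <Value>' form")
            continue
        if not raw:
            start = lineno
        raw[m.group(1)] = m.group(2).strip()
    flush()
    return records, errors


def find_user(records: List[dict], address: str) -> Optional[dict]:
    """Look up the record whose key would be generated for a request from `address`."""
    return next((r for r in records if r["E-Mail"] == address.lower()), None)


SAMPLE_LIST = """\
# constructed sample reference list
E-Mail: alice@example.com
Name: Alice Example
Company: Example AG
Department: IT
Location: Hanover
Country: DE
PGPValidity: 0
SMIMEValidity: 365
Keylength: 4096

E-Mail: bob@example.com
Name: Bob Example
Country: germany
Keylength: lots

Name: No Address
"""

if __name__ == "__main__":
    recs, errs = parse_reference_list(SAMPLE_LIST)
    print(recs, errs, find_user(recs, "Bob@Example.com"), sep="\n")
```

Rejecting records instead of guessing an address matters here: a key generated for a mistyped address would be published through MIKE under that address, so the parser reports the record rather than repairing it.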

System Parameter (System)

Backup / Restore Parameter
WebGUI (Configuration) > System > Backup / Restore > Common parameter
The first section defines common parameters for the backup and restore function.
Backup/Restore folder:  Folder to which backup files are stored and from which restore files are taken
Common password:        Password to encrypt and protect the backup file. The CompanyCRYPT licence key is used for the automatic scheduled backup. An individual password can be used for a manual backup, but will not be stored permanently.

Automatic Backup
WebGUI (Configuration) > System > Backup / Restore > Automatic Backup
CompanyCRYPT allows performing a scheduled saving of the key material and the complete configuration.
Daily job activated:   Activates or deactivates the automatic backup
Keep History (Days):   Number of backups to keep; older files will be automatically deleted
Schedule Job (HH:MM):  Time of the day at which the backup is performed
The settings are saved by clicking on the button "Save".

Manual Backup
WebGUI (Configuration) > System > Backup / Restore > Manual Backup
To trigger a manual backup, first enter the desired file name into the field "Manual Backup filename" and then click on the button "Backup Now".

System Restore
WebGUI (Configuration) > System > Backup / Restore > Restore
To restore a CompanyCRYPT system from a backup, move to the restore section. The list view there will display the files detected in the Common folder.

Should the system now be restored from one of those files, click on the desired file. If it is a CompanyCRYPT backup file, the properties will be displayed and an automatic check verifies the access to the file with the default password. By clicking on "Restore" the CompanyCRYPT data will be restored from this file. If no access with the default password is possible, the restore process is inhibited. Please enter the correct password into the field "Common password" and click on "Apply".

Deleting backup files
WebGUI (Configuration) > System > Backup / Restore > Restore
Simply click on the desired file in the restore list view and then click on the button "Delete File".

Reprocess Service
WebGUI (Configuration) > System > Reprocess Service
The Reprocessing service is an SMTP agent that processes e-mails from the Reprocessing queue. Some working parameters can be set in this section.

Service status:  Display of the service status and service control of the Reprocess Service. The button label and function change according to the service status.
  Service Status               Button label
  Installed and Running        Stop Service
  Installed and Stop pending   Query Status
  Installed and Stopped        Start Service
  Installed and Start pending  Query Status
  Not installed                -
Reprocess to Host/Port:   Host name or IP and port of the target system to which the e-mails from the Reprocessing queue should be delivered. During the initialisation of CompanyCRYPT the default values will be set to the IP of the local system and the standard SMTP port (25).
Reprocess folder:         Folder of the Reprocessing Queue
Max reprocessing Cycles:  Maximum number of decryption cycles for a single e-mail (default: 5). This option enables CompanyCRYPT to decrypt multi-layer encryptions. Should further encrypted parts be detected after a decryption of an e-mail, another decryption cycle is started. This value should only be changed if clarified with S.I.T. support.
Reprocessor log:          Activates or deactivates the output of processing information into a log file. The file can be found in the common log folder. The files are named by this pattern: RP-Log_yyyy-mm-dd.txt and will be automatically deleted after 7 days.
Note: To enable the Reprocessing via the MIMEsweeper for SMTP, the sending CompanyCRYPT system has to be added to the Relay Hosts in the MIMEsweeper configuration.

Reprocess Service - Configuration using the SyncManager
SyncManager > Configuration > Local System > Reprocess Service
The Reprocess Service is an SMTP agent that processes e-mails from the Reprocessing Queue. By default all key replies are forwarded to the local system. If changed, the new settings have to be applied to each slave system individually.
Important: Before changing the configuration using the SyncManager, the Master-Slave synchronisation has to be suspended by stopping the Operational Service of CompanyCRYPT. An active synchronisation may revert any change to the configuration. The Operational Service has to be restarted afterwards.
Reprocess to Host/Port:  Host name or IP and port of the target system to which the e-mails from the Reprocessing queue should be delivered. During the initialisation of CompanyCRYPT the default values will be set to the IP of the local system and the standard SMTP port (25).
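"Max reprocessing Cycles" is a bound on a loop: each cycle decrypts one layer and, if encrypted parts are still present, the message goes round again. The following Python is an added example, not CompanyCRYPT code, that shows the shape of that loop on constructed message parts and what the limit does with a message that is nested deeper than the configured maximum (it stops with encrypted parts still present instead of running indefinitely). The part classes and the one-layer "decryption" are stand-ins for the real cryptographic processing.

```python
# Added example (not CompanyCRYPT code): the bounded multi-layer decryption loop that
# "Max reprocessing Cycles" describes, on constructed stand-in message parts.
from dataclasses import dataclass, field
from typing import List, Tuple, Union

MAX_REPROCESS_CYCLES = 5  # default from the guide


@dataclass
class Plain:
    name: str


@dataclass
class Encrypted:
    inner: List["Part"] = field(default_factory=list)  # what one decryption pass reveals


Part = Union[Plain, Encrypted]


def decrypt_one_layer(parts: List[Part]) -> List[Part]:
    """Stand-in for one reprocessing pass: every encrypted part is opened once."""
    out: List[Part] = []
    for p in parts:
        out.extend(p.inner if isinstance(p, Encrypted) else [p])
    return out


def has_encrypted(parts: List[Part]) -> bool:
    return any(isinstance(p, Encrypted) for p in parts)


def reprocess(parts: List[Part], max_cycles: int = MAX_REPROCESS_CYCLES) -> Tuple[List[Part], int, str]:
    """Return (final parts, cycles used, status). Status is 'clean' when no encrypted
    part remains and 'cycles exhausted' when the limit stopped the loop first."""
    cycles = 0
    while has_encrypted(parts) and cycles < max_cycles:
        parts = decrypt_one_layer(parts)
        cycles += 1
    status = "clean" if not has_encrypted(parts) else "cycles exhausted"
    return parts, cycles, status


def nested(depth: int, name: str = "report.pdf") -> List[Part]:
    """Constructed message: one attachment wrapped in `depth` encryption layers."""
    part: Part = Plain(name)
    for _ in range(depth):
        part = Encrypted([part])
    return [part]


if __name__ == "__main__":
    for depth in (0, 3, 7):
        parts, used, status = reprocess(nested(depth))
        print(f"depth {depth}: {used} cycle(s), {status}")
```

A message that leaves the loop with status "cycles exhausted" still carries content the gateway could not inspect, so that outcome should be treated the same way as any other undecryptable message rather than delivered as clean.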

Reprocessor Log
WebGUI (Configuration) > System > Reprocess Service > Reprocessor Log
In this part the log files of the CompanyCRYPT Reprocess service are displayed. By default only the last lines are shown in a smaller window. By clicking on the button "Expanded View" more log entries are shown in a larger window. For performance reasons, even in the expanded view only the last 100 kB of a log file are loaded. The buttons below the display window allow you to switch between the existing daily logs.

Trace options and logging parameters
WebGUI (Configuration) > System > Trace / Logging > Trace and Logging
CompanyCRYPT allows enabling more detailed logging of its integrated modules for troubleshooting.
Log folder:                  Directory in which all CompanyCRYPT logs are saved.
Trace options enabled:       Global activation or deactivation of all trace options.
Activate Tracelog:           All processing (Encrypt/Decrypt) is logged into the file Tracelog.txt in the common log folder or in the CompanyCRYPT home directory.
Verbose Tracelog:            Extends the trace log to also include OpenSSL and GnuPG processing information
Show SMTP talk:              When manually sending a public key from the WebGUI, the SMTP commands and replies are displayed.
Keep temporary files:        Temporary files from the de- and encryption processes are not deleted. You will find these files in the temporary folder used by the MIMEsweeper (Tmp variables of the environment).
Verbose CMDline:             Enables command line oriented troubleshooting (rather for developers)
Verbose key processing:      Additional information is displayed in the key generation / key import summary
Operational Log Debug Mode:  Extends the Operational log to also include internal status changes

Trace Log
WebGUI (Configuration) > System > Trace / Logging > Trace and Logging > Trace Log
If enabled, the CompanyCRYPT trace logs are displayed in this part. By default only the last lines are shown in a smaller window. By clicking on the button "Expanded View" more log entries are shown in a larger window. For performance reasons, even in the expanded view only the last 100 kB of a log file are loaded. The buttons below the display window allow you to switch between the existing daily logs.

Control the CompanyCRYPT services
WebGUI (Configuration) > System > Service Control / MIMEsweeper > Service Control
This option allows controlling the CompanyCRYPT services via the Web interface.
Installation parts
Reprocess service:    Start/Stop and Install/Uninstall the CompanyCRYPT Reprocess Service
Operational Service:  Start/Stop and Install/Uninstall the CompanyCRYPT Operational Service

System re-initialisation
WebGUI (Configuration) > System > Service Control / MIMEsweeper > Remove / ReInitialise
This section allows reinitialising the CompanyCRYPT parameters in case of a corrupt configuration. It is also used when deinstalling the product.
EXE.INI:        Add/Remove the CompanyCRYPT amendments in the MIMEsweeper configuration file EXE.INI
Configuration:  Trigger the re-initialisation of the CompanyCRYPT installation. This checks various parameters of the configuration and attempts to correct values if necessary.

MIMEsweeper settings
WebGUI (Configuration) > System > Service Control / MIMEsweeper > MIMEsweeper

EXE.INI location:  Shows the path to the MIMEsweeper configuration file EXE.INI
Reprocess folder:  Shows the path to the Reprocessor Queue
Max size:          Maximum size in MByte to be processed by CompanyCRYPT (Default: 75). This value depends on the CPU performance and should only be changed in accordance with CompanyCRYPT support recommendations.

Distributed systems (Multi-Server)
WebGUI (Configuration) > Sync
CompanyCRYPT can be used on a stand-alone system, but it is also suitable for a distributed environment with multiple servers. By this it supports centralized management, much like the multi-server ability of the MIMEsweeper. According to the requirements, CompanyCRYPT can be switched to the desired mode. Currently Master, Slave and Single are supported.
Mode    Description
Single  Standalone system. Synchronisation is deactivated.
Master  Central configuration system offering configuration changes to the slave systems. Key-Generation-Requests (MIKE) are processed by this system.
Slave   Takes over configuration changes from the master system. New keys from the import folder as well as key generation requests are transmitted to the master system.

Mode: Single
WebGUI (Configuration) > Sync > Synchronisation
To run CompanyCRYPT in Single mode without any synchronisation, set the option "This server acts as:" to Single. This is the default setting.

Mode: Master
WebGUI (Configuration) > Sync > Synchronisation
To run CompanyCRYPT in Master mode, set the option "This server acts as:" to Master. This mode acts very much like the single mode; additionally, communication requests by slave systems are served.
Use port:  IP port used for the Master-Slave communication

Sync/Encrypt Password: The Master-Slave communication is encrypted and protected by a password. By default this is set to the CompanyCRYPT licence key (Auto). When using CompanyCRYPT systems with different licences, this option needs to be set to Manual and a matching password needs to be set (on one side).
Password: (Available if Manual password is set) Password for the Master-Slave communication
Start Service: Start the CompanyCRYPT Operational service

Note: In order to deactivate synchronisation select the Single mode. The entered values (host name, password, ...) remain.

On the Master system all valid Slave systems have to be entered. Otherwise the incoming communication requests will be rejected after a connect.

Accepted Slave Hosts: Host name or IP address of valid slave systems
Last Status: Displays the last known status:
  Unreachable: Ping failed
  IP reachable: Ping succeeded
  Abort Connect: Connection closed by remote host
  CONNECT:Unknown Host: IP connect succeeded, but Handshake failed
  CONNECT:Wrong Password: IP connect succeeded, but password failed
  CONNECT:Qualified Host: IP connect succeeded, Password OK
  SYNC in progress: Synchronisation process running
  SYNC failed: Synchronisation failed for serious reason(s)
  SYNC OK: Successful synchronisation
Last Connect: Date/time stamp of the last status
Query Status: The current status is read from the system (= Refresh display)
Reset Status: Reset the status to Unknown

Mode: Master (configured by using the SyncManager)
SyncManager > Configuration

Important: Before changing the configuration using the SyncManager, the Master-Slave synchronisation has to be suspended by stopping the Operational Service of CompanyCRYPT. An active synchronisation may revert any change to the configuration. The Operational Service has to be restarted afterwards.

Under Configuration select This Server acts as: Master and enter the IP addresses or the FQDN of the slave system(s) in the fields Valid Sync Host. Save the settings with Apply.

Use port: IP port of the master-slave communication
Password Source: The Master-Slave communication is encrypted and protected by a password. By default this is set to the CompanyCRYPT licence key (Auto). When using CompanyCRYPT systems with different licences, this option needs to be set to Manual and a matching password needs to be set (on one side).
Password: (Available if Manual password is set) Password for the Master-Slave communication
Sync Interval: Time interval in seconds in which the Slave system starts a synchronisation attempt. (Default: 30 seconds)
Valid Sync Hosts: Hostnames or IP addresses of the Master systems
Last Status: Displays the last known status:
  Unreachable: Ping failed
  IP reachable: Ping succeeded
  Abort Connect: Connection closed by remote host
  CONNECT:Unknown Host: IP connect succeeded, but Handshake failed
  CONNECT:Wrong Password: IP connect succeeded, but password failed
  CONNECT:Qualified Host: IP connect succeeded, Password OK
  SYNC in progress: Synchronisation process running
  SYNC failed: Synchronisation failed for serious reason(s)
  SYNC OK: Successful synchronisation
Last Connect: Timestamp of the last connection

Mode: Slave
WebGUI (Configuration) > Sync > Synchronisation

To run CompanyCRYPT in Slave mode, set the option This server acts as: to Slave. In this mode CompanyCRYPT receives all configuration settings (except local parameters) and the key material from a Master system.

Use port: IP port for Master-Slave communication
Sync/Encrypt Password: The Slave-Master communication is encrypted and protected by a password. By default this is set to the CompanyCRYPT licence key (Auto). When using CompanyCRYPT systems with different licences, this option needs to be set to Manual and a matching password needs to be set (on one side).
Password: (Available if Manual is set above) Password for the Slave-Master communication
Slave Sync Interval: Time interval in seconds in which the Slave system starts a synchronisation attempt.

Note: In order to deactivate synchronisation select the Single mode. The entered values (host name, password, ...) remain.

On a Slave system up to four Master systems can be entered (by IP address). The synchronisation cycle, however, will be completed with the first successful connect (Handshake + Password OK).

Available Master Hosts: Host names or IP addresses of Master systems
Last Status: Displays the last known status:
  Unreachable: Ping failed
  IP reachable: Ping succeeded
  Abort Connect: Connection closed by remote host
  CONNECT:Unknown Host: IP connect succeeded, but Handshake failed
  CONNECT:Wrong Password: IP connect succeeded, but password failed
  CONNECT:Qualified Host: IP connect succeeded, Password OK
  SYNC in progress: Synchronisation process running
  SYNC failed: Synchronisation failed for serious reason(s)
  SYNC OK: Successful synchronisation
Last Connect: Date/time stamp of the last status
Query Status: The current status is read from the system (= Refresh display)
Reset Status: Reset the status to Unknown

Mode: Slave (configured by using the SyncManager)
SyncManager > Configuration

Important: Before changing the configuration using the SyncManager, the Master-Slave synchronisation has to be suspended by stopping the Operational Service of CompanyCRYPT. An active synchronisation may revert any change to the configuration. The Operational Service has to be restarted afterwards.

Under Configuration select This Server acts as: Slave and enter the IP addresses or the FQDN of the master system(s) in the fields Valid Sync Host. Save the settings with Apply.

Use port: IP port of the master-slave communication
Password Source: The Master-Slave communication is encrypted and protected by a password. By default this is set to the CompanyCRYPT licence key (Auto). When using CompanyCRYPT systems with different licences, this option needs to be set to Manual and a matching password needs to be set (on one side).
Password: (Available if Manual password is set) Password for the Master-Slave communication

Sync Interval: Ignored in master mode
Valid Sync Hosts: Hostnames or IP addresses of the slave systems
Last Status: Displays the last known status:
  Unreachable: Ping failed
  IP reachable: Ping succeeded
  Abort Connect: Connection closed by remote host
  CONNECT:Unknown Host: IP connect succeeded, but Handshake failed
  CONNECT:Wrong Password: IP connect succeeded, but password failed
  CONNECT:Qualified Host: IP connect succeeded, Password OK
  SYNC in progress: Synchronisation process running
  SYNC failed: Synchronisation failed for serious reason(s)
  SYNC OK: Successful synchronisation
Last Connect: Timestamp of the last connection

Operational Log
WebGUI (Configuration) > Sync > Operational Log

In this part the log files of the CompanyCRYPT Operational service are displayed. By default only the last lines are shown in a smaller window. By clicking on the button Expanded View more log entries are shown in a larger window. For performance reasons, even in the expanded view only the last 100 kB of a log file are loaded. The buttons below the display window allow you to switch between the existing daily logs.

Key-Management

Trusted CA Store

The Trusted CA Store contains S/MIME certificates from trustworthy issuers and authorities. From there they are used to verify signatures from unknown user certificates and to validate new or unknown certificates. Two general types are being considered:

Root-CA: This certificate is self-signed and usually the last certificate in a certificate chain.
Sub-CA: This certificate is signed by another issuer or authority. Sub-CA certificates can build up certificate chains.

Depending on the configuration (General PGP, S/MIME and MSW S/MIME) the whole chain may be necessary to decide the trustworthiness of a new or unknown certificate.

List view
WebGUI (Key Management) > Central Accounts > Trusted CA Store

This view provides access to the trusted CA certificates. The list view can be sorted by the columns.

Expires: Validity / expiration date of the certificate (Red = certificate is expired / not valid)
Issuer/Authority: Issuer name according to the certificate details. Certificates with the same name are distinguished by adding a consecutive number.
Added: Date when the certificate was added to the store.
Type: Root-CA or Sub-CA.

Certificate properties
WebGUI (Key Management) > Central Accounts > Trusted CA Stores > S/MIME certificate properties

Below the list view the details and properties of the selected certificate are displayed.

Introducer Status
This status is relevant for the automatic key import. A certificate can only be automatically imported if it is signed (= issued) by a certificate that is listed in the Trusted CA Store and marked as an Introducer. By default all certificates in the Trusted CA Store are marked as such. A small green star symbol indicates this. To disable the Introducer status simply click on the button Introducer On/Off.

Central Signing Account (CSA)
WebGUI (Key Management) > Central Accounts > Central Signing Account [CSA]

The Central Signing Account (CSA) is the most important account/key in CompanyCRYPT. It fulfils three tasks within the system:

1. PGP key generation
It takes over the task of a Certification Authority for the generated PGP keys. All PGP keys generated with CompanyCRYPT achieve a common level of trust by this signature of the CSA key.

2. Company signing (PGP and S/MIME)
If outgoing e-mails are to be signed by the company, this key will be used. For this reason the CSA key is also described as the Company Key.

3. Additional encryption to revision account (PGP and S/MIME)
To comply with legal obligations the CSA account acts as a revision account. All outgoing encryption is also encrypted to this key.

Generate a CSA key
WebGUI (Key Management) > Central Accounts > Central Signing Account [CSA] > CSA Status

Step 1
To generate a CSA key click on the button Generate.... If there is already a CSA key the label on the button will change to Re-Generate.

Step 2
Enter the necessary data into the offered fields. Please notice that the data entered is visible to external partners and should therefore be as self-explanatory as possible for this (technical) account.

Central Signing Account (CSA)
Name: Displayed name for the certificate
E-mail: <e-mail address>
Company: <Company name>
Department: (Optional) <Organisational unit>
Location: (Optional) <City, Region>
Country code: <Two letter country code>
PGP valid for: Period of validity in days (0 = unlimited)

S/MIME valid for: Period of validity in days
Keylength: Key length in bit
SMIME: Write CRL...: (Only for S/MIME certificates) If a link is configured under which the certificate revocation list (CRL) can be downloaded, it will be added to the certificate.
SMIME: Usage is limit...: (Only for S/MIME certificates) The v3 extensions of the certificate are incorporated in such a way that the certificate can only be used for the configured usage (i.e. usage as SSL client is not possible anymore).

Step 3
Now select the format(s) in which the CSA key should be generated (PGP and/or S/MIME). It is highly recommended to do both in one step.
Note: S/MIME is only available if a usable CA certificate was found. Should you generate the keys for PGP and S/MIME separately, it is vital to use the same e-mail address.

Step 4
Start the key generation process by clicking on Generate. Please note the additional information about generating keys displayed in the bottom part of the page. The result of this process is displayed afterwards in a short summary.

Display of the CSA key
WebGUI (Key Management) > Central Accounts > Central Signing Account [CSA] > CSA Status

Here you can view the properties of the CSA key for PGP and S/MIME. By clicking on [+] additional properties are displayed. This view provides easy access to the fingerprint and the validity of the keys.

Local Root Certificate (Local CA)

The CA certificate is only needed to generate internal S/MIME certificates.

Generating a CA certificate
WebGUI (Key Management) > Central Accounts > Local Certification Authority [CA] > CA Status

Step 1
Enter the file name of the CA certificate in the field CA Keyfilename. Proposed name: MailCA

Step 2
To generate a CA certificate click on the button Generate.

Step 3
Enter the necessary data into the offered fields. Please notice that the data entered is visible to external partners and should therefore be as self-explanatory as possible for this (technical) account.

Fill-in options for the fields within the CA certificate:
Name: Displayed name of the certificate
E-mail: <e-mail address>
Company: <Company name>
Department: (Optional) <Organisational unit>
Location: (Optional) <City, Region>
Country code: <Two letter country code>
S/MIME valid for: 3653 (This equals a validity of 10 years)
Keylength: 2048 (This key length provides sufficient security for the foreseeable future. Longer key lengths are not recommended for compatibility reasons.)

Step 4
Start the certificate generation process by clicking on Generate. Please note the additional information about generating keys displayed in the bottom part of the page. The result of this process is displayed afterwards in a short summary.
Note: The generated certificate is automatically added to the Trusted-CA-Store.

Using a given CA certificate
WebGUI (Configuration) > Central Accounts > Local Certification Authority [CA] > CA certificate storage

You can use an already given CA certificate if it is available as a pair of files with the following properties:
- Private and public key file carry the same filename
- Private key carries the file extension .key
- Public key carries the file extension .pem
- Both are in the PEM format

Step 1
To use the certificate in CompanyCRYPT, enter the file name and the folder of the certificate into the fields CA Keyfilename and Public/Private Keypath. You may also copy the files into the default folders indicated in the screenshot below.

CA certificate storage
CA Keyfilename: Common file name of the CA certificate
Public key path: Folder in which the public key file of the CA certificate is stored
Private key path: Folder in which the private key file of the CA certificate is stored

Step 2
Save the settings by clicking on the button Save storage values.

Display of the CA certificate
WebGUI (Key Management) > Central Accounts > Local Certification Authority [CA] > CA Status

Here you can view the properties of the CA certificate. By clicking on [+] additional properties are displayed. This view provides easy access to the fingerprint and the validity of the certificate.

CA passphrase
WebGUI (Key Management) > Central Accounts > Local Certification Authority [CA] > CA Passphrase

Here you can enter the passphrase for the CA certificate. The date of the last change (or a missing passphrase) is displayed in the headline.

Current Passphrase: Previous (old) passphrase
New Passphrase: The new passphrase
Confirm Passphrase: Confirmation of the new passphrase

Managing private keys
WebGUI (Key Management) > Internal

This area provides access to the key material of the internal users (private keys). The main functions include generation, signing or deletion of keys. It also allows you to view the key details and includes the means to send the public key instantly to an external partner.

List View
WebGUI (Key Management) > Internal > Internal private keys

This area is the main access to the private keys. The list can be sorted descending or ascending by column.

Columns of the list view
Type: Key format (PGP or S/MIME).
Expires: Date up to which the key will be valid. If the key never expires the word unlimited is displayed. If a key passed the expiration date an exclamation mark is displayed.
E-mail: E-mail address of the key. The display of the address is limited to the column width.
Name: Name of the key owner or identifier for the key. The display of the name is limited to the column width.
Symbol details: By clicking on this symbol (small i letter) the key details will be displayed.
Symbol delete: By clicking on this symbol (waste basket) the key will be deleted.

Key properties Private PGP Key
WebGUI (Key Management) > Internal > PGP key properties

By clicking on the button [+] an extended property view is displayed for the key and a possibly existing sub-key.

Primary key properties (PGP):
Name: Name or identifier of the key
E-mail: E-mail address associated with the key
Fingerprint: Unique fingerprint value for this key (calculated by MD5 algorithm)
Status: Usability of this key. Possible indications: OK-usable, Not usable (more information in the extended display)

Extended key properties (PGP):
Single PGP key: Data of the main key
Sub-Key: Data of the subkey for encryption
Comment: May contain information about the company, department, location and country
Algorithm: Algorithm in use
Keylength: Length of key in bit
KEY-ID: Unique key ID in long form
Valid from: First day of validity (date of issue)
Valid until: Last day of validity (date of expiration)
Trustlevel: Displays the usability of this key for CompanyCRYPT

Key properties Private S/MIME Certificate
WebGUI (Key Management) > Internal > S/MIME certificate properties

By clicking on the button [+] an extended property view is displayed for the key.

Primary key properties (S/MIME):
Name: Name or identifier of the key
E-mail: E-mail address associated with the key
Fingerprint: Unique fingerprint value for this key (calculated by MD5 and SHA algorithm)
Status: Usability of this key. Possible indications: OK-usable, OK-usable [Encryption only], OK-usable [Signatures only], Not usable (more information in the extended display)

Extended key properties (S/MIME):
Key-ID: Unique identification number (if provided)
Single S/MIME certificate: Details of the S/MIME certificate
Comment: (If set by the issuer) comment
Subject: Additional details of the key owner (subject): company, department, location, country code
Serial: Serial number of the certificate
Usage: Details concerning the usage of the certificate (as contained in the v3 extensions)
Keylength: Length of key in bit
Serial: Serial number of the certificate (as picked by the issuer)
Valid: Period of validity
Trustlevel: Displays the usability of this key for CompanyCRYPT

Available Issuer/Authority Details
Issuer: Issuer details (if provided): name, company, department, location, country code and e-mail address.
Key-ID: Unique identification number of the issuing certificate (if provided)
Status: If the issuing certificate(s) are available in the Trusted CA Store and the verification result is positive, the status will be displayed in green letters.

Send a public key by e-mail
WebGUI (Key Management) > Internal > Send public key to address

Any internal public key can be sent to a chosen recipient by e-mail. Simply type the e-mail address into the field Send public key to address. By clicking the Send button, the e-mail will be sent and a short summary is displayed.

Generate a private key
WebGUI (Key Management) > Internal > New key

Within the internal key management area click on the button New Key. This will lead you to the page where you can build new keys manually.

Step 1
Enter the desired details for the key. The pre-selected values may be overwritten.

Internal User Keypair
Name: Name or identifier for this key
E-mail: <e-mail address>
Company: <Company name>
Department: (Optional) <Organisational unit>
Location: (Optional) <City, Region>
Country code: <Two letter country code>
PGP valid for: Validity of the PGP key in days (0 = no expiration)
S/MIME valid for: Validity of the S/MIME certificate key in days
Keylength: Key length in bit
SMIME: Write CRL...: (Only for S/MIME certificates) If a link is configured under which the certificate revocation list (CRL) can be downloaded, it will be added to the certificate.
SMIME: Usage is limit...: (Only for S/MIME certificates) The v3 extensions of the certificate are incorporated in such a way that the certificate can only be used for the configured usage (i.e. usage as SSL client is not possible anymore).

Step 2
Now select the type of key you wish to generate. PGP is only available if a valid CSA key exists. S/MIME is only available if a valid CA certificate exists.

Step 3
Start the key generation by clicking on the button Generate. If you see a question similar to the one below, a key and/or certificate for this address already exists.
Warning: Overwrite will permanently delete the currently existing key and generate whole new keys. With Cancel you can return and change the address.

Step 4
Please note the additional information about generating keys displayed in the bottom part of the page. The result of this process is displayed afterwards in a short summary.

New keys are immediately visible in the list view of the internal keys.

Delete a private key
WebGUI (Key Management) > Internal

Step 1
Select a key by clicking on the e-mail address, the name or the symbol Details. Then click on the button Delete Key/Certificate. Alternatively click on the symbol Delete (waste basket) in the list view.

Step 2
The extended properties of this key are now displayed for confirmation purposes. By clicking on the button Delete Key/Certificate again the deletion will be performed.
Deletion of keys is permanent and irreversible! There is no possibility of retrieval.
Note: Deleting a private key always means deleting the key pair: private and public key!

Sign a private PGP key
WebGUI (Key Management) > Internal

Under certain circumstances it may become necessary to manually sign a key (again). By this step the trustworthiness and thereby the usability of this key is restored.

Step 1
Select a key by clicking on the e-mail address, the name or the symbol Details. Then click on the button Sign Key.

Step 2
The result of this process is displayed afterwards in a short summary.

Managing public (external) keys
WebGUI (Key Management) > External

This area provides access to the public keys of the external partners. The managing functions include signing of PGP keys, generating keys for external partners (S/MIME only), removal of keys and the display of key details.

List view
WebGUI (Key Management) > External > External public keys

In this area all public keys of external partners are listed. The list can be sorted descending or ascending by column.

Columns of the list view
Type: Key format (PGP or S/MIME).
Expires: Date up to which the key will be valid. If the key never expires the word unlimited is displayed. If a key passed the expiration date an exclamation mark is displayed.
E-mail: E-mail address of the key. The display of the address is limited to the column width.
Name: Name of the key owner or identifier for the key. The display of the name is limited to the column width.
Symbol details: By clicking on this symbol (small i letter) the key details will be displayed.
Symbol delete: By clicking on this symbol (waste basket) the key will be deleted.

Key properties Public PGP Key
WebGUI (Key Management) > External > PGP key properties

By clicking on the button [+] an extended property view is displayed for the key and a possibly existing sub-key.

Primary key properties (PGP):
Name: Name or identifier of the key
E-mail: E-mail address associated with the key
Fingerprint: Unique fingerprint value for this key (calculated by MD5 algorithm)
Status: Usability of this key. Possible indications: OK-usable, Not usable (more information in the extended display)

Extended key properties (PGP):
(Single PGP key: Data of the main key)
(Sub-Key: Data of the sub-key for encryption)
Comment: May contain information about the company, department, location and country
Algorithm: Algorithm in use
Keylength: Length of key in bit
KEY-ID: Unique key ID in long form
Valid from: First day of validity (date of issue)
Valid until: Last day of validity (date of expiration)
Trustlevel: Displays the usability of this key for CompanyCRYPT

Key properties Public S/MIME Certificate
WebGUI (Key Management) > External > S/MIME key properties

By clicking on the button [+] an extended property view is displayed for the key.

Primary key properties (S/MIME):
Name: Name or identifier of the key
E-mail: E-mail address associated with the key
Fingerprint: Unique fingerprint value for this key (calculated by MD5 and SHA algorithm)
Status: Usability of this key. Possible indications: OK-usable, OK-usable [Encryption only], OK-usable [Signatures only], Not usable (more information in the extended display)

Extended key properties (S/MIME):
Key-ID: Unique identification number (if provided)
Single S/MIME certificate: Details of the S/MIME certificate
Comment: (If set by the issuer) comment
Subject: Additional details of the key owner (subject): company, department, location, country code
Serial: Serial number of the certificate
Usage: Details concerning the usage of the certificate (as contained in the v3 extensions)
Keylength: Length of key in bit
Serial: Serial number of the certificate (as picked by the issuer)
Valid: Period of validity
Trustlevel: Displays the usability of this key for CompanyCRYPT

Available Issuer/Authority Details
Issuer: Issuer details (if provided): name, company, department, location, country code and e-mail address.
Key-ID: Unique identification number of the issuing certificate (if provided)
Status: If the issuing certificate(s) are available in the Trusted CA Store and the verification result is positive, the status will be displayed in green letters.

Separate encryption and signing key (S/MIME only)
WebGUI (Key Management) > External > External public keys

Sometimes two key pairs with different functions are associated with the same e-mail address. If the difference is based on the separation of encryption and signing and both keys carry the same e-mail address, CompanyCRYPT will display such keys in the same line, but with two icons (e and s, see screenshot below). By clicking on either the e or the s symbol on the right, the encryption or the signing key is selected and displayed in the area below.

If only one key of this kind is available, usage is limited to either encryption or signing; the other symbol will be displayed inactive (grey).

Note:
Signing key only: If only the signing key is available, CompanyCRYPT can only verify signatures made by the external partner. It is not possible to encrypt messages for this partner.
Encryption key only: If only the encryption key is available, CompanyCRYPT can only encrypt messages for the external partner. It is not possible to verify signatures made by the partner.

Note: CompanyCRYPT can extract certificates from signatures. However, if the external partner uses separate encryption and signing keys, the signature will only contain the signing key. In this case please ask the external partner to add his (public) encryption key to the signed message as an attachment.

Delete a public key
WebGUI (Key Management) > External

Step 1
Select a key by clicking on the e-mail address, the name or the symbol Details. Then click on the button Delete Key/Certificate. Alternatively click on the symbol Delete (waste basket) in the list view.

Step 2
The extended properties of this key are now displayed for confirmation purposes. By clicking on the button Delete Key/Certificate again the deletion will be performed.

Deletion of keys is permanent and irreversible! There is no possibility of retrieval.

Sign a public PGP key
WebGUI (Key Management) > External

Under certain circumstances it may become necessary to manually sign a key (again). By this step the trustworthiness and thereby the usability of this key is restored.

Step 1
Select a key by clicking on the e-mail address, the name or the symbol Details. Then click on the button Sign Key.

Step 2
The result of this process is displayed afterwards in a short summary.

Generating private keys for external partners (S/MIME only)
WebGUI (Key Management) > External > New Partner Key

CompanyCRYPT allows you to generate S/MIME key material for external partners (this includes the private key). This is useful in case the external partner has no access to a certificate or does not want to invest in an official certificate. The issuer for this certificate is the CA certificate integrated in CompanyCRYPT. To start the process click on New Partner Key.

Step 1
Enter the details of the external partner into the fields.

External Partner Certificate
Store public key: Folder where the public key is stored
Store private key: Folder where the private key is stored. Here you will find the certificate that the external partner needs.
Select type/purpose:
  Client certificate...: Select this option if the certificate should be used to protect e-mails.
  Server certificate...: Select this option if the certificate should be used as an SSL Server certificate (i.e. for protecting the CompanyCRYPT WebGUI within the IIS using SSL).
Name: Displayed name for the certificate (URL for SSL Server certificates)
E-mail: <e-mail address>
Company: <Company name>
Department: (Optional) <Organisational unit>
Location: (Optional) <City, Region>
Country code: <Two letter country code>
PGP valid for: Period of validity in days (0 = unlimited)
S/MIME valid for: Period of validity in days
Keylength: Key length in bit
SMIME: Write CRL...: (Only for S/MIME certificates) If a link is configured under which the certificate revocation list (CRL) can be downloaded, it will be added to the certificate.
SMIME: Usage is limit...: (Only for S/MIME certificates) The v3 extensions of the certificate are incorporated in such a way that the certificate can only be used for the configured usage (i.e. usage as SSL client is not possible anymore).

Step 2
In the next section enter a pass phrase for this key. It will protect the access to the file afterwards. This has to be passed to the external partner, as well as the key file(s). Since this pass phrase is given to a third party, it should absolutely be different from the ones already used within CompanyCRYPT.

Passphrase: Password used for the partner certificate
Confirm passphrase: Confirmation of the password (retype password)

Step 3
Now select the type of key you wish to generate. This option is only available if a valid CA certificate exists.

Step 4
The result of this process is displayed afterwards in a short summary. In this view you will also find additional information about where the key files are stored. By default the filename consists of the e-mail address associated with the certificate's owner.

Import of key material

Import of a private PGP key
WebGUI (Key Management) > Import > Import Area

You can import a private PGP key pair into CompanyCRYPT. The required form for import is a single ASCII-encoded file containing the public and the private key. To verify this you may open the file in a text editor. There you should see the lines BEGIN PGP PRIVATE KEY BLOCK, END PGP PRIVATE KEY BLOCK, BEGIN PGP PUBLIC KEY BLOCK and END PGP PUBLIC KEY BLOCK enclosing the key data (the ----- sequence surrounding these lines has been omitted here for better readability).

Note:
- Only one key pair per file.
- The filename can be freely chosen.

Step 1
Select the file for import by clicking on the displayed file name.

Step 2
Check the properties of the selected key. They are displayed below the list view. Being a private key pair you should see the word (PRIVATE KEY) displayed in the key properties. The extended key properties are visible by clicking on [+]. The field names and meaning are the same as in the internal key management.
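The format rules above (one ASCII-armored file, one PRIVATE KEY BLOCK plus one PUBLIC KEY BLOCK, only one key pair) can be checked before the file is offered to the import area. The following script is an added example and not CompanyCRYPT code: it parses the ASCII armor, verifies the CRC-24 checksum line, walks the OpenPGP packet headers (RFC 4880) and rejects files with a missing block, a second key pair or mismatched delimiters. The sample import file is constructed from dummy packet bodies and is not real key material.

```python
"""Pre-check for a private PGP import file (added example; dummy sample data)."""
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
# OpenPGP packet tags relevant for a key pair (RFC 4880 section 4.3)
TAG_SECRET_KEY, TAG_PUBLIC_KEY, TAG_SECRET_SUBKEY = 5, 6, 7
TAG_USER_ID, TAG_PUBLIC_SUBKEY = 13, 14
# Armor block types the import file must contain and the primary key packet each starts with
EXPECTED_BLOCKS = {"PRIVATE KEY BLOCK": TAG_SECRET_KEY, "PUBLIC KEY BLOCK": TAG_PUBLIC_KEY}


def crc24(data: bytes) -> int:
    """CRC-24 of the armor checksum line (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def packet_tags(data: bytes) -> list:
    """Return the tag of every packet in a raw OpenPGP packet sequence."""
    tags, pos = [], 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("invalid packet header at offset %d" % pos)
        if first & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag, o1 = first & 0x3F, data[pos + 1]
            if o1 < 192:
                hdr, length = 2, o1
            elif o1 < 224:
                hdr, length = 3, ((o1 - 192) << 8) + data[pos + 2] + 192
            elif o1 == 255:
                hdr, length = 6, int.from_bytes(data[pos + 2:pos + 6], "big")
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                 # old-format header (RFC 4880 4.2.1)
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        tags.append(tag)
        pos += hdr + length
    if pos != len(data):
        raise ValueError("truncated packet")
    return tags


def parse_armor(text: str) -> list:
    """Return [(block type, payload)] per armored block, checking delimiters and CRC."""
    blocks, current, body, crc = [], None, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP ") and line.endswith("-----"):
            if current is not None:
                raise ValueError("nested BEGIN line")
            current, body, crc = line[15:-5], [], None
        elif line.startswith("-----END PGP ") and line.endswith("-----"):
            if current is None or line[13:-5] != current:
                raise ValueError("END line does not match BEGIN line")
            payload = base64.b64decode("".join(body))
            if crc is None or base64.b64decode(crc) != crc24(payload).to_bytes(3, "big"):
                raise ValueError("CRC-24 mismatch in %s" % current)
            blocks.append((current, payload))
            current = None
        elif current is not None and line:
            if ":" in line and not body:      # armor header such as "Version: ..."
                continue
            if line.startswith("="):          # "=XXXX" checksum line
                crc = line[1:]
            else:
                body.append(line)
    if current is not None:
        raise ValueError("unterminated %s" % current)
    return blocks


def validate_import_file(text: str) -> tuple:
    """Apply the guide's import rules; returns (ok, reason)."""
    found = {}
    try:
        for block_type, payload in parse_armor(text):
            if block_type not in EXPECTED_BLOCKS:
                return False, "unexpected block: %s" % block_type
            if block_type in found:
                return False, "more than one %s (only one key pair per file)" % block_type
            tags, primary = packet_tags(payload), EXPECTED_BLOCKS[block_type]
            if tags[:1] != [primary] or tags.count(primary) != 1:
                return False, "%s must hold exactly one primary key" % block_type
            found[block_type] = tags
    except ValueError as exc:
        return False, str(exc)
    missing = sorted(set(EXPECTED_BLOCKS) - set(found))
    return (False, "missing " + ", ".join(missing)) if missing else (True, "one key pair found")


# Constructed sample: new-format packets with dummy bodies, armored with a valid CRC line.
def packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body   # one-octet length, body < 192 bytes


def armor(block_type: str, payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP %s-----" % block_type, ""] + lines
                     + [crc_line, "-----END PGP %s-----" % block_type, ""])


UID = packet(TAG_USER_ID, b"Test User <user@example.com>")
SECRET_PACKETS = packet(TAG_SECRET_KEY, bytes(21)) + UID + packet(TAG_SECRET_SUBKEY, bytes(21))
PUBLIC_PACKETS = packet(TAG_PUBLIC_KEY, bytes(21)) + UID + packet(TAG_PUBLIC_SUBKEY, bytes(21))
SAMPLE_IMPORT_FILE = armor("PRIVATE KEY BLOCK", SECRET_PACKETS) + armor("PUBLIC KEY BLOCK", PUBLIC_PACKETS)

if __name__ == "__main__":
    print(validate_import_file(SAMPLE_IMPORT_FILE))       # (True, 'one key pair found')
    print(validate_import_file(SAMPLE_IMPORT_FILE * 2))   # rejected: two key pairs in one file
```

Run it against a real export by reading the file and passing its text to validate_import_file(); a rejection names the rule that was violated.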

To access the key, it is necessary to enter the passphrase that currently protects the key file in the field below the key properties. During import the passphrase for this key will be automatically changed to the central passphrase used by CompanyCRYPT. The import file itself remains unchanged.

Step 3
Click on the button Import and Sign Key to start the import process. The labelling of the button changes depending on the existence of this key in the key store (Re-Import and Sign Key).
Do not Remove: By default the file containing the key will be deleted after a successful import. Activate this check-box to keep the file.

Step 4
The result of this process is displayed afterwards in a short summary.

Import of a private S/MIME certificate
WebGUI (Key Management) > Import > Import Area

You can import private S/MIME certificates into CompanyCRYPT. The required form for import is a single P12-encoded file containing the public and the private key. To verify this you may double-click on the file within the MS file Explorer. The dialog of the certificate import wizard should start. Following this import dialog for up to 3 windows is suitable to verify the passphrase on the file. The dialog may be aborted safely after entering and verifying the passphrase without actually importing the certificate into Windows.

70 Note: - Only one key pair per file. - The filename can be freely chosen. Step 1 Select the file for import by clicking on the displayed file name. Step 2 The p12 file may be protected by a passphrase. In order to access the file content enter the passphrase into the field shown below and click on the button Apply. Step 3 Check the properties of the selected key. They are displayed below the list view. Being a private key pair you should see the word (PRIVATE KEY) displayed in the key properties. The extended key properties are visible by clicking on [+]. The field names and meaning are the same as in the internal key management. During import the passphrase for this key will be automatically changed to the central passphrase used by CompanyCRYPT. The import file itself remains unchanged. Step 4 Click on the button Import Certificate to start the import. If a key with this associated address has already been imported the labelling in the button changes to Re-Import Certificate. [ ] Seite: 70 / 111

71 Do not Remove: By default the file containing the key will be deleted after a successful import. Activate this check-box to keep the file. Step 5 The result of this process is displayed afterwards in a short summary. Import of a public key (PGP and S/MIME) WebGUI (Key Management) Import Import Area You can import new public keys (from external sources) into CompanyCRYPT. Step 1 Select a key for import from the list view by clicking on the displayed file name. Step 2 Check the properties of the selected key. They are displayed below the list view. The extended key properties are visible by clicking on [+]. The field names and meaning are the same as in the external key management. The most important issue at this point is to verify, that the key in question actually belongs to the intended person or institution. In other words: Does this data block really belong to its stated owner or has it been changed or tampered with. This is most easily achieved by verifying the name + + fingerprint with a trustworthy reference or in direct contact with the owner. On S/MIME certificates a trustworthy issuer may be also be sufficient. Issuer signatures are verified, if the certificate is in the Trusted CA Store. [ ] Seite: 71 / 111
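Both file checks described in these import steps, the PRIVATE/PUBLIC KEY BLOCK pair a private PGP import file must contain (one key pair per file) and the fingerprint comparison against an out-of-band reference in Step 2 above, can be done outside the WebGUI before a key file is placed in the import area. The following Python script is an added example and not part of CompanyCRYPT: it handles OpenPGP v4 fingerprints only (SHA-1 over the public key packet, as specified in RFC 4880), the function names are its own, and the key material embedded in it is synthetic test data, not a real key.

```python
"""Pre-import checks for OpenPGP key files: the armored block structure an
import file must have (one key pair per file) and the fingerprint of the
public key for comparison with an out-of-band reference.

Added example, not CompanyCRYPT code. Handles OpenPGP v4 fingerprints only
(RFC 4880: SHA-1 over 0x99 || 2-byte length || public-key packet body).
The key material at the bottom is synthetic test data, not a real key.
"""
import base64
import hashlib
import hmac
import re

BLOCK_RE = re.compile(
    r"-----BEGIN PGP (PUBLIC|PRIVATE) KEY BLOCK-----\r?\n(.*?)"
    r"-----END PGP \1 KEY BLOCK-----",
    re.S,
)


def armored_blocks(text):
    """Return (kind, armored_body) for every complete armor block in the file."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]


def check_import_file(text, private):
    """Enforce 'one key pair per file': a private import needs exactly one
    PRIVATE and one PUBLIC block, a public import exactly one PUBLIC block.
    Raises ValueError describing the problem, returns True otherwise."""
    kinds = [k for k, _ in armored_blocks(text)]
    want = {"PRIVATE": 1, "PUBLIC": 1} if private else {"PRIVATE": 0, "PUBLIC": 1}
    for kind, n in want.items():
        if kinds.count(kind) != n:
            raise ValueError(f"expected {n} {kind} key block(s), found {kinds.count(kind)}")
    return True


def dearmor(body):
    """Decode the base64 payload of one armor block: skip optional armor
    headers (everything up to the first blank line) and the '=XXXX' CRC line."""
    lines = body.splitlines()
    if "" in lines:
        lines = lines[lines.index("") + 1:]
    data = "".join(l.strip() for l in lines if l.strip() and not l.startswith("="))
    return base64.b64decode(data, validate=True)


def first_packet(data):
    """Parse the first OpenPGP packet header (old and new format, no partial
    body lengths) and return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            hlen, blen = 2, l0
        elif l0 < 224:
            hlen, blen = 3, ((l0 - 192) << 8) + data[2] + 192
        elif l0 == 255:
            hlen, blen = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hlen = 1 + (1 << ltype)
        blen = int.from_bytes(data[1:hlen], "big")
    return tag, data[hlen:hlen + blen]


def openpgp_v4_fingerprint(armored_text):
    """Fingerprint (40 hex digits) of the primary key in a PUBLIC KEY BLOCK."""
    pub = [b for k, b in armored_blocks(armored_text) if k == "PUBLIC"]
    if len(pub) != 1:
        raise ValueError("need exactly one public key block")
    tag, body = first_packet(dearmor(pub[0]))
    if tag != 6:
        raise ValueError(f"first packet is tag {tag}, not a public key")
    if body[0] != 4:
        raise ValueError(f"unsupported key version {body[0]}")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def matches_reference(computed, reference):
    """Compare with the fingerprint the owner gave you out of band: spacing,
    colons and case are ignored, the comparison itself is constant-time."""
    def norm(s):
        return re.sub(r"[\s:]", "", s).upper()
    return hmac.compare_digest(norm(computed), norm(reference))


def _mpi(value):
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian bytes."""
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")


# Constructed sample: a syntactically valid v4 RSA public-key packet with a
# toy modulus. NOT a real key; it only exercises the parser.
SAMPLE_BODY = b"\x04" + (1_600_000_000).to_bytes(4, "big") + b"\x01" + _mpi(0xC0FFEE1234567890ABCDEF) + _mpi(65537)
SAMPLE_PACKET = b"\x99" + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY
SAMPLE_PUBLIC_FILE = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
    + base64.b64encode(SAMPLE_PACKET).decode()
    + "\n-----END PGP PUBLIC KEY BLOCK-----\n"
)
# Constructed private import file: a placeholder private block plus the public block above.
SAMPLE_PRIVATE_FILE = (
    "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nUExBQ0VIT0xERVI=\n"
    "-----END PGP PRIVATE KEY BLOCK-----\n" + SAMPLE_PUBLIC_FILE
)

if __name__ == "__main__":
    check_import_file(SAMPLE_PRIVATE_FILE, private=True)
    fp = openpgp_v4_fingerprint(SAMPLE_PUBLIC_FILE)
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
```

To use it on a real file, read the file into a string, call check_import_file with private=True for a key pair or private=False for an external public key, and pass the result of openpgp_v4_fingerprint together with the fingerprint obtained from the owner to matches_reference. S/MIME certificate fingerprints are a different computation and are not covered by this script.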

Step 3
Click on the button Import and Sign Key / Import Certificate to start the import. If a key with this associated e-mail address has already been imported, the labelling of the button changes to Re-Import and Sign Key / Re-Import Certificate.

Do not Remove: By default the file containing the key will be deleted after a successful import. Activate this check-box to keep the file.

Step 4
The result of this process is displayed afterwards in a short summary.

Upload of key material
WebGUI (Key Management) > Import > Import Area

If a desired key is not present in the import area of the mail gateway, you may upload the key material from your PC using the CompanyCRYPT WebGUI.

Step 1
Below the list view of the import area click on the button Search... (Durchsuchen).

Step 2
Navigate to the file containing the key and confirm your selection by clicking on Open (Öffnen).

Step 3
The filename including the path of the selected file is displayed in the field next to the Search button. By clicking on the button Upload the file is transferred into the import area. Depending on the type of key contained in the uploaded file, the previously described steps are to be followed to complete the import.

Automatic Import
WebGUI (Key Management) > Import > Auto-Detect / Auto-Import

To simplify administration, the import of key material may run automatically under CompanyCRYPT.

Automatic key detection
WebGUI (Key Management) > Import > Auto-Detect / Auto-Import > Auto-Detect New Keys

CompanyCRYPT automatically detects new, not yet imported keys contained within e-mails and extracts them from the message.

Extract new keys: Selects when the keys should be extracted.
  All Decrypt Jobs: (Default) Keys are extracted from every message that is processed by a CompanyCRYPT decrypt job.
  Only MIKE Jobs: Only keys from messages addressed to MIKE are extracted (= processed by the scenario job Keyserver extern).
Save new keys to: Folder to which the key files are saved (import area).
Maintenance: Activates / deactivates the deletion of unused key files from the import area.
Automatically remove unused files from import area after ... days: Extracted keys are deleted after the configured period of time.

Automatic import of public keys
WebGUI (Key Management) > Import > Auto-Detect / Auto-Import > Auto-Import Keys and Certificates

With this feature public keys may automatically be imported from the import area.

Public Key Import: Configures the automatic import of public keys.
  PGP keys: Activates / deactivates the automatic import of public PGP keys.
  Overwrite existing keys: An existing PGP key with the same e-mail address is replaced by the newer key.
  S/MIME certificates: Activates / deactivates the automatic import of public S/MIME certificates.
  Overwrite existing certificates: An existing S/MIME certificate with the same e-mail address is replaced by the newer certificate.

The automatic import of certificates is only possible if the certificate of the issuing CA can be found in the Trusted CA store and is marked as an Introducer.

Automatic import of private keys
WebGUI (Key Management) > Import > Auto-Detect / Auto-Import > Auto-Import Private Keys

Private Key Import: Configures the automatic import of private keys.
Use Passphrase: Password that may be required to access the private key files.

Notification settings
WebGUI (Key Management) > Import > Auto-Detect / Auto-Import > Notifications

Notify by e-mail to: Notifications are sent to this address.
And (optionally): Additionally, notifications are sent to this address.
Notification Events: Select the events for which notifications are to be sent.
  Key Extracted: Informs about a new key being extracted.
  Auto-Import Successful: Informs about a successful key import process.
  Auto-Import Failed: Informs about a failed key import process.

Site to Site Encryption
WebGUI (Key Management) > Site to Site

This feature realizes a very comfortable kind of encryption that is based on the recipient's domain instead of the explicit single recipient address. Any e-mail that is directed at a certain domain is always encrypted with the same single key, regardless of the number of recipients for this domain. This way a whole domain can be secured without the need for all the recipients' keys. Of course this opportunity requires a certain infrastructure on both sides. This is most likely the default solution if the external partner already has a gateway solution. Unfortunately most of the desktop solutions do not currently support this technique for S/MIME.

Displaying site-to-site connections
WebGUI (Key Management) > Site to Site > Current Site-to-Site connections

Moving to Key Management > Site to Site, you will find a list view of all current site-to-site links. Up to 9 links are shown on one page. With more than 9 links a scroll bar on the right will help to navigate through the list.

Columns of the list view
Domain: SMTP target domain.
Key: E-mail address of the key associated with this link.
Symbol Details: By clicking on this symbol (small letter i) the key details will be displayed.
Symbol Delete: By clicking on this symbol (waste basket) the link will be deleted.

Displaying key properties of site-to-site links
WebGUI (Key Management) > Site to Site > PGP / S/MIME key properties

By clicking on the domain, the e-mail address or the symbol Details, the primary properties of the selected key are displayed. Additionally the selected link of the selected key is coloured blue. By clicking on the button [+] an extended property view is displayed for the key.

Setting up a site-to-site link
WebGUI (Key Management) > Site to Site > Add Link

Step 1
Click on the button Add Link and select a key from the displayed list of available keys (only external public keys will be displayed) by clicking on it.

Step 2
Check the key properties if needed.

Step 3
Enter the desired target domain, beginning with the @ character, and click on the button Save.

Step 4
The result of the link creation is displayed afterwards. Newly created links are immediately displayed in the list view of all site-to-site links.

Deleting a site-to-site link
WebGUI (Key Management) > Site to Site

Step 1
Select the desired link by clicking on the domain, the e-mail address or the symbol Details. Then click on the button Only Remove Link. Alternatively click on the symbol Delete (waste basket) in the list view.

Step 2
Confirm the deletion of the link by clicking on OK.

Step 3
The result of this process is displayed afterwards.

Deleting a site-to-site link including the associated key
WebGUI (Key Management) > Site to Site

Step 1
Select the desired link by clicking on the domain, the e-mail address or the symbol Details. Then click on the button Remove Link AND Key.

Step 2
Confirm the deletion of the link and the public key by clicking on OK.

Deletion of keys is permanent and irreversible! There is no possibility of retrieval.

Step 3
The result of this process is displayed afterwards.

CompanyCRYPT Licence

To be able to configure or administrate CompanyCRYPT it is necessary to enter a valid licence.

Enter licence
WebGUI (Info) > About > Licence

To enter the licence, copy the entries Company, Serial and Licence key from your licence record. Please be aware that the company name is case sensitive. Save the entries by clicking on Store Licence.

Note: The letters of the licence key are not case sensitive.

Important: If your MIMEsweeper is a Primary Configuration Server (PCS) only and no Policy Server (PS) is active on this system, the licence information is acquired during the first successful synchronisation contact with another CompanyCRYPT (Slave) system. See the Installation Guide first on how to set up a multi-server environment. Only after a successful synchronisation will you be able to access all parts of the WebGUI on this (Master) system.

Enter licence using SyncManager
SyncManager > Licence > Add / Edit

Important: Before changing the configuration using the SyncManager, the Master-Slave synchronisation has to be suspended by stopping the Operational Service of CompanyCRYPT. An active synchronisation may revert any change to the configuration. The Operational Service has to be restarted afterwards.

In the fields Company, Serial and Licence key enter the data from your licence record. The letters in the field Company are case sensitive. (Letters in the field Licence Key will be automatically converted to capitals.) Save the entered data by clicking on Apply and close the window with Close.

Delete licence
WebGUI (Info) > About > Licence

To do this, delete the entries in the fields Company, Serial and Licence key and save the change by clicking on Store Licence.

Delete licence using SyncManager
SyncManager > Licence > Delete

Important: Before changing the configuration using the SyncManager, the Master-Slave synchronisation has to be suspended by stopping the Operational Service of CompanyCRYPT. An active synchronisation may revert any change to the configuration. The Operational Service has to be restarted afterwards.

Click on the button OK to confirm the deletion of the licence information.

4. MIMEsweeper for SMTP v5.x

4.1. Starting the Policy-Editor
Start > All Programs > MIMEsweeper for SMTP > MIMEsweeper Policy Editor

During a default MIMEsweeper installation, a program group with this name is set up in the start menu.

Step 1
Start the MIMEsweeper Policy Editor directly by double-clicking on the desktop shortcut or the shortcut in the start menu.

Step 2
Enter the log-on credentials and click on OK.

Step 3
The Policy-Editor will open and you have access to the configuration of the MIMEsweeper.

4.2. MIMEsweeper for SMTP configuration

The following steps are all performed using the MIMEsweeper Policy Editor. When making larger changes, it is recommended to save the changes at regular intervals. This way not everything is lost in the event of an unexpected console error.

Address lists

Address lists simplify the administration. New encrypted communication links are registered in these lists rather than being set up individually. Once set up, they are used by the scenarios as a reference. By default only the address lists for the external partners (Outgoing) need to be administrated. This is mainly to select the method of encryption or signing that the partner is able to process (example: one list for S/MIME recipients and one for PGP recipients). This can of course be elaborated to include signing functions. Practice has shown that beginning with two lists (S/MIME and PGP) is a good basis to start from. More lists (and policies) should only be set up upon valid demand.

Address list overview
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Address Lists

The number of address lists needed depends on the methods used and their combination with encryption and/or signing. It is extremely useful to choose a name for the address list that reflects the type of encryption or signing.

Recommended naming conventions for address lists
PGP-MIME (Encrypt only): Recipient addresses that receive PGP encrypted e-mails without signature; the recommended format PGP/MIME is used.
PGP (Encrypt only): Recipient addresses that receive PGP encrypted e-mails without signature; the format Inline-PGP is used.
PGP-MIME (Encrypt and Sign Company): Recipient addresses that receive PGP encrypted e-mails with a signature made by the company account, format PGP/MIME.
PGP-MIME (Encrypt and Sign User): Recipient addresses that receive PGP encrypted e-mails with a signature made by the sender account, format PGP/MIME.
PGP-MIME (Sign only Company): Recipient addresses that receive e-mails with a signature (PGP signature) made by the company account, format PGP/MIME.
PGP-MIME (Sign only User): Recipient addresses that receive e-mails with a signature (PGP signature) made by the sender account, format PGP/MIME.
PGP-MIME (Site2Site), Incoming or Outgoing: Domains with which encrypted messages should be exchanged using a Site-To-Site job, format PGP/MIME.

This naming pattern should also be applied when using S/MIME or OpenPGP (PGP/MIME) lists.

In special environments it may become necessary to set up policies depending on the internal recipient. There again the above naming pattern should be applied. Example:
Incoming Expect Decrypt AND Signature: Sender addresses from which e-mails are expected to be encrypted and signed.
Incoming Expect Signature: Sender addresses from which e-mails are expected to be signed.

Setting up an address list
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Address Lists

As an example, setting up an address list for PGP encryption without signature is described here.

Step 1
Right-click on Address List and select New > Manual Address List. The following steps describe the process without using a wizard. If using a wizard, the screens and the order of the following steps are different.

Step 2
In Properties of Manual Address List > General enter the name of the address list. In this example: PGP-MIME (Encrypt Only)

Step 3
In Properties of Manual Address List > Address List enter the addresses of the recipients. In case there are no addresses available (= no external public keys have been imported yet) you have to enter a placeholder, for example dummy@dummy.org, and save the entries with OK. When dealing with large numbers of addresses it may become easier to maintain a text file containing the addresses (manual sorting possible) and import this into the MSW address list. In any case a single address should only appear once in all lists.

Step 4
The configured address lists should be displayed in the list summary.

Classifications

The content inspection performed within the scenarios leads to one or more Classifications. If multiple classifications apply, the first matching one (in the classifications list, top down) will be chosen. After the encryption/signing itself within the Scenarios, the reactions to the processing status happen in the Classification (reply, notification, delivery with notification, ...). The following example shows Classifications and processing tasks (Actions) for the de- and encryption.

Overview of Classifications for CompanyCRYPT
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Classifications

The screenshot displays an example of the typical Classifications as they are needed for de- and encryption, along with their positioning in a standard classifications tree and the required Actions. The positions of the Classifications are to be understood as relative. Important for the functionality is that the decrypt Classification(s) are positioned above the MIMEsweeper system Classification Encrypted.

Setting up the Classification for decryption
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Classifications

Step 1
Right-click on Classifications, select New > Classification, name the classification Decrypt OK and confirm with OK.

Step 2
Repeat the previous step, but this time name it Decrypt failed.

Step 3
Move these two classifications above the system Classification Encrypted.

Step 4
Right-click on the classification Decrypt OK and select New > Save. The following steps describe the process without using a wizard.

Step 5
In Properties of Save > General enter the name Save to Reprocessing Queue.

Step 6
In Properties of Save > Folder enter the folder name Reprocessing. It is vital to use this exact name; double-check the spelling!

Step 7
In Properties of Save > Options activate the option As modified by MIMEsweeper. This too is a vital setting. Include results from Text Analysis if available is left unmarked. Save the settings with OK.

Step 8
Right-click on the classification Decrypt failed and select New > Quarantine. The following steps describe the process without using a wizard.

Step 9
In Properties of Quarantine > General enter the name Quarantine (Encrypted).

Step 10
In Properties of Quarantine > Message Area select Encrypted Messages.

Step 11
In Properties of Quarantine > Options activate the option In original form and confirm the settings with OK.

Setting up the Classification for encryption
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Classifications

Step 1
Right-click on Classifications and then select New > Classification. Name this new classification Encrypt OK.

Step 2
Repeat the previous step to create a second classification named Encrypt failed.

Step 3
The classifications need not be moved to higher levels; however, if they are moved, they need to be below blocking classifications like Virus-detect or Spam-Detect.

Step 4
Right-click on the classification Encrypt OK and select New > Deliver. The following steps describe the process without using a wizard.

Step 5
In Properties of Deliver > General enter the name Deliver and confirm with OK.

Step 6
Right-click on the classification Encrypt failed and select New > Quarantine. The following steps describe the process without using a wizard.

Step 7
In Properties of Quarantine > General enter the name Quarantine (Undetermined).

Step 8
In Properties of Quarantine > Message Area select Undetermined Messages.

Step 9
In Properties of Quarantine > Options activate the option In original form and confirm the settings with OK.

Classification for automatic key exchange
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Classifications

For the basic functionality it is not required to create a new classification. What is needed, however, is an (existing) classification that does not result in any kind of delivery, notification, reply or similar. A classification that basically consists of a single quarantine action is sufficient.

Step 1
Right-click on Classifications, select New > Classification and name it Keyserver.

Step 2
Move this classification Keyserver above the Encrypted classification.

Step 3
Right-click on the classification Keyserver and select New > Quarantine. The following steps describe the process without using a wizard.

Step 4
In Properties of Quarantine > General enter the name Quarantine (Keyserver).

Step 5
In Properties of Quarantine > Message Area select an existing Message Area or create a new one. In our example it is named Keyserver.

Step 6
In Properties of Quarantine > Options activate In original form and confirm these settings with OK.

Scenario Folder

The scenario folder is the beginning of the processing of an e-mail within the policies of the MIMEsweeper. Based on the sender/recipient combination, a certain set of tasks is performed on the e-mail. The process of finding the best matching sender/recipient combination within the policies starts at the root (Scenarios = *@* to *@*), leads through the tree, proceeds in matching branches and ends at the best combination match.

Overview of the scenario folder
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios

The screenshot shows an example of the positioning of the scenario folders for de- and encryption. The number of folders needed for CompanyCRYPT depends on the variety of encryption methods and their combinations in use.

CompanyCRYPT Scenario Folder
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios

It is good practice to use a naming scheme for the scenario folders that provides a good recognition of the function or the method in use.

Recommended naming conventions for scenario folders
PGP-MIME (Encrypt only): Recipients to receive PGP/MIME encrypted e-mails without signature.
PGP (Encrypt only): Recipients to receive Inline-PGP encrypted e-mails without signature.

PGP-MIME (Encrypt and Sign Company): Recipients to receive PGP/MIME encrypted e-mails with a signature made by the company account.
PGP-MIME (Encrypt and Sign User): Recipients to receive PGP/MIME encrypted e-mails with a signature made by the sender account.
PGP-MIME (Sign only Company): Recipients to receive e-mails with a PGP/MIME signature made by the company account.
PGP-MIME (Sign only User): Recipients to receive e-mails with a PGP/MIME signature made by the sender account.
PGP-MIME (Site2Site): Recipients to exchange Site-To-Site encrypted e-mails with, using the PGP/MIME format.

This naming pattern should also be applied when using S/MIME or OpenPGP (PGP/MIME) folders.

For some special communication links it may become necessary to set up policies depending on the internal recipient. There again the above naming pattern should be applied. Example:
From Crypto-Partner (Expect Decrypt AND Signature): Sender addresses from which e-mails are expected to be encrypted and signed.
From Crypto-Partner (Expect Signature): Sender addresses from which e-mails are expected to be signed.
From Crypto-Partner (Site2Site): Sender addresses from which e-mails are expected to be signed.

Setting up scenario folders for encryption
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios > Outgoing

As an example, the following steps illustrate how to set up a scenario folder for PGP encryption (without signing).

Step 1
Right-click on the Scenario Folder Outgoing and select New > Folder. The following steps describe the process without using a wizard.

Step 2
In Properties of Folder > General enter a name that is self-explanatory in relation to the function. In this example we will use PGP-MIME (Encrypt only).

Step 3
In Properties of Folder > Routes select the address list (intern) as the sender, and for the recipient select the previously generated list that matches the desired function, in this case PGP-MIME (Encrypt only). Confirm your selection with OK.

Step 4
Repeat the above Steps 1-3 to create another Scenario Folder named To SMIME Partner (Encrypt only).

Step 5
The newly created folders should now be displayed in the scenario tree below Outgoing.

Setting up a scenario folder for automatic key exchange
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios > Incoming

Step 1
Right-click on the Scenario Folder Incoming and select New > Folder. The following steps describe the process without using a wizard.

Step 2
In Properties of Folder > General enter a name that is self-explanatory in relation to the function. In this example we will use Keyserver.

Step 3
In Properties of Folder > Routes select the address list (Internet) as the sender (often named Everyone), and for the recipient enter an address to which key requests are supposed to be sent in the future; in this example mike@company.com. Additionally the MIKE sending address (configured in CompanyCRYPT) has to be added to the valid addresses within the MIMEsweeper. Confirm your selection with OK.

Step 4
The newly created folder should now be displayed in the scenario tree below Incoming.

Scenarios

The expression Scenarios describes the tasks that are performed on an e-mail message. Scenarios are set up in scenario folders.

Scenario position
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios

The picture below displays an example of the positioning of the Scenario folders needed for de- and encryption, along with the Scenario jobs and their respective positioning within the Scenario folders. The order of the Scenario jobs is of importance. For best functionality it is recommended to move CompanyCRYPT encrypt Scenario jobs to the last position within a Scenario folder.

Note: If using CompanyCRYPT scenarios in subfolders, it is important that the address range defined in the subfolder (sender / recipient properties of the scenario) is a subset of the addresses of the parent folder. Otherwise the subfolder will never be activated for processing.

Important: For proper functionality, please make sure that only one CompanyCRYPT job is active in a single scenario folder and that inherited CompanyCRYPT jobs are disabled.

CompanyCRYPT Scenarios
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios > Virus Manager

CompanyCRYPT supports the public key encryption/signing methods S/MIME, PGP/MIME (OpenPGP) and Classic PGP (Inline PGP). This results in a large variety of combinations, which are predefined as Scenario jobs in the form of Virus Manager Scenarios.

All available decrypt scenarios are listed in Decrypt > Available scenarios. A graphical representation of the available decrypt scenarios is displayed in Decrypt > Processing details. All available encrypt scenarios are listed in Encryption > Available scenarios (grouped by method). A graphical representation of the available encrypt scenarios is displayed in Normal Encryption > Find your job and Site-to-Site/Group key encryption > Find your job.

Setting up the CompanyCRYPT Scenarios (Encryption)
Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios > Outgoing

The following example explains how to set up a Scenario for PGP encryption without signing. If you use the MIMEsweeper configuration wizard, some settings like the selection of the data types are done automatically (derived from the EXE.INI). The following pages are intentionally not based on the wizard setup, to provide a better insight into the settings required for a CompanyCRYPT scenario. Please note that all CompanyCRYPT scenarios are based on the MIMEsweeper Virus Manager Scenario and for this reason are integrated into the MIMEsweeper as such.

Step 1
Right-click on the scenario folder To PGP Partner (Encrypt only) and select New > Virus Manager. The following steps describe the process without using a wizard.

Step 2
In Properties of Virus Manager > General enter the name PGP-MIME Encrypt only. It is recommended to use self-explanatory names.

Step 3
In Properties of Virus Manager > Data Types select the option Include selected data types. When choosing the Data Types, only mark the two container types Microsoft Transport Neutral Encoding Format (TNEF) and SMTP message. Please verify that no other data types are marked.

Step 4
In Properties of Virus Manager > Application Details select the CompanyCRYPT scenario OpenPGP-Encrypt only. Now activate the option Clean the detected virus in order to enable the encryption of the content. The option Strip infected files has to be left unchecked.

Step 5
In Properties of Virus Manager > Cleaned Annotation leave the option Insert annotation for cleaned items unchecked as well.

Step 6
In Properties of Virus Manager > Classification set the classifications On detected items cleaned to Encrypt OK (successful encryption) and On virus cannot be removed to Encrypt failed (encryption did not succeed). Save these settings with OK.

Standard encryption vs. Site-to-Site encryption (Group keys)

Standard encryption
When encrypting, the default processing starts by extracting all recipient addresses. For each address where a valid public key is available, that key is then used for encryption. This is possible as long as there is a valid e-mail address noted in the key. Variations on how to encrypt and/or sign depend on the required method (Inline-PGP, PGP/MIME, S/MIME). Also some methods allow modifying only parts of the message.

Site-to-Site encryption (Group keys)
The so-called site-to-site encryption is needed if:
1. All e-mails addressed to a certain SMTP domain are to be encrypted with the same key.
2. All e-mails addressed to a limited group of recipients within an SMTP domain are to be encrypted with the same key.
3. A given key from an external partner doesn't show a valid (explicit) e-mail address in the key.

In cases 2 and 3 the keys used are also called group keys and usually show an address similar. All three cases require a different processing approach, since the recipient's address alone no longer provides enough information to select the correct key(s). Such group/site-to-site keys can also be used by CompanyCRYPT. In the first step the CompanyCRYPT administrator manually associates such a key with an SMTP domain (for details see chapter Site to Site Encryption). The second step is to select a so-called Site-to-Site encryption scenario. Its logic differs in that, instead of the explicit recipient addresses, the unique target SMTP domains are extracted, and then the keys associated with those domains are used for encryption. A special condition arises if only a few addresses of a target domain are to be encrypted using a group key (cases 2 and 3). This is solved by limiting these addresses in the sender/recipient properties of the scenario folder within the MIMEsweeper configuration that triggers the Site-to-Site scenario job.
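The folder matching described in the Scenario Folder section (start at the root, descend through matching branches, the best matching sender/recipient combination wins) and the two key-selection approaches just described can be put side by side in a small model. The Python below is an added example, not CompanyCRYPT or MIMEsweeper code: the folder tree, key store, site-to-site links and addresses are constructed sample data, a "key" is only a label, and the rule that the first matching subfolder in list order is descended into is an assumption of this model. It also shows why a group key without a personal address is unreachable for standard encryption and why a subfolder whose routes are not a subset of its parent's is never activated.

```python
"""Outgoing key selection model: (1) scenario folder routing, where the best
matching sender/recipient combination is found from the root (*@* to *@*)
through matching branches, and (2) standard encryption (one key per
recipient address) versus site-to-site encryption (one key per target domain).

Added example, not CompanyCRYPT or MIMEsweeper code. All data below is
constructed; 'first matching subfolder in list order wins' is an assumption.
"""
from fnmatch import fnmatch

# Constructed sample: external public keys known by e-mail address ...
PUBLIC_KEYS_BY_ADDRESS = {"alice@partner.example": "KEY-alice", "bob@partner.example": "KEY-bob"}
# ... and site-to-site links (Key Management > Site to Site), keyed by the
# target domain beginning with '@'. The group key carries no personal
# address, so standard encryption can never find it.
SITE_TO_SITE_LINKS = {"@gateway.example": "KEY-gateway-group"}


class Folder:
    """A scenario folder: sender/recipient patterns (the Routes tab) and the
    CompanyCRYPT scenario active in it: 'standard', 'site_to_site' or None."""

    def __init__(self, name, senders, recipients, scenario=None, children=()):
        self.name, self.senders, self.recipients = name, senders, recipients
        self.scenario, self.children = scenario, list(children)


def matches(patterns, address):
    """Shell-style address patterns as in the Routes tab, e.g. '*@partner.example'."""
    return any(fnmatch(address.lower(), p.lower()) for p in patterns)


def best_folder(folder, sender, recipient):
    """Descend only into branches whose routes match; the deepest match wins.
    A subfolder whose routes exceed its parent's is never reached for the
    extra addresses, which is the 'never activated' case the guide warns about."""
    if not (matches(folder.senders, sender) and matches(folder.recipients, recipient)):
        return None
    for child in folder.children:
        hit = best_folder(child, sender, recipient)
        if hit is not None:
            return hit
    return folder


def domain_of(address):
    """'@domain' part of an address, lower-cased, as used for site-to-site links."""
    local, sep, domain = address.rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an SMTP address: {address!r}")
    return "@" + domain.lower()


def select_keys_standard(recipients):
    """One key per recipient address; recipients without a key are reported."""
    used = {r: PUBLIC_KEYS_BY_ADDRESS[r.lower()] for r in recipients if r.lower() in PUBLIC_KEYS_BY_ADDRESS}
    return used, [r for r in recipients if r not in used]


def select_keys_site_to_site(recipients):
    """Unique target domains instead of addresses; one key per linked domain."""
    domains = sorted({domain_of(r) for r in recipients})
    used = {d: SITE_TO_SITE_LINKS[d] for d in domains if d in SITE_TO_SITE_LINKS}
    return used, [d for d in domains if d not in used]


SELECTORS = {"standard": select_keys_standard, "site_to_site": select_keys_site_to_site}


def process_message(root, sender, recipients):
    """Route every recipient to its best folder, then run that folder's
    scenario once. Returns {folder name: (classification, keys used)}; a
    recipient (or domain) without a key ends in 'Encrypt failed'."""
    per_folder = {}
    for rcpt in recipients:
        per_folder.setdefault(best_folder(root, sender, rcpt), []).append(rcpt)
    result = {}
    for folder, rcpts in per_folder.items():
        if folder is None or folder.scenario is None:
            result[folder.name if folder else None] = ("no CompanyCRYPT job", {})
            continue
        used, missing = SELECTORS[folder.scenario](rcpts)
        result[folder.name] = ("Encrypt OK" if used and not missing else "Encrypt failed", used)
    return result


# Constructed folder tree following the guide's naming conventions.
OUTGOING = Folder("Outgoing", ["*@company.example"], ["*@*"], children=[
    Folder("PGP-MIME (Encrypt only)", ["*@company.example"],
           ["alice@partner.example", "bob@partner.example"], scenario="standard"),
    Folder("PGP-MIME (Site2Site)", ["*@company.example"], ["*@gateway.example"], scenario="site_to_site"),
])
ROOT = Folder("Scenarios", ["*@*"], ["*@*"], children=[OUTGOING])

if __name__ == "__main__":
    outcome = process_message(ROOT, "user@company.example",
                              ["alice@partner.example", "x@gateway.example",
                               "y@gateway.example", "carol@partner.example"])
    for name, (classification, keys) in outcome.items():
        print(f"{name}: {classification} {keys}")
```

In the sample run, the two gateway recipients are collapsed to the single domain @gateway.example and encrypted with one group key, alice gets her personal key, and carol, who matches no subfolder and has no key, stays in Outgoing without a CompanyCRYPT job; restricting the Site2Site folder's recipient route to a few addresses is how cases 2 and 3 above are handled.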
Again the available variations on how to encrypt and/or sign depend on the required method (Inline-PGP, PGP/MIME, S/MIME). Setting up the CompanyCRYPT Scenarios (Decryption) Policy Editor MIMEsweeper for SMTP Policy MIMEsweeper for SMTP Policies Scenarios Incoming Note: Unlike outgoing encryption, it is not necessary to distinguish between the methods Inline-PGP, PGP/MIME or S/MIME for incoming s. The method is automatically detected and processed accordingly. The following examples explains how to set up a Scenario for decryption without evaluating signatures. If you use the MIMEsweeper configuration wizard, some settings like the selection of the data types is done automatically (derived from the EXE.INI). The following pages however are not based on the wizard setup intentionally to provide a better insight of the required settings for a CompanyCRYPT scenario. Please note that all CompanyCRYPT scenarios are based on the MIMEsweeper Virus-Manager-Scenario and for this reason integrated into the MIMEsweeper as such. Step 1 Right click on the Scenario Folder Incoming and select New Virus Manager. The following steps describe the process without using a wizard. [ ] Seite: 93 / 111

Step 2
In Properties of Virus Manager > General, enter a name that is self-explanatory in relation to the function. In this example we will use Decrypt (decrypt only).

Step 3
In Properties of Virus Manager > Data Types, select the option Include selected data types. When choosing the Data Types, mark only the two container types Microsoft Transport Neutral Encoding Format (TNEF) and SMTP message. Please verify that no other data types are marked.

Step 4
In Properties of Virus Manager > Application Details, select the matching CompanyCRYPT Scenario Decrypt-Expect decrypt only and confirm with OK.

Now activate the option Clean the detected virus in order to enable the decryption of the content. The option Strip infected files has to be left unchecked.

Step 5
In Properties of Virus Manager > Cleaned Annotation, leave the option Insert annotation for cleaned items unchecked as well.

Step 6
In Properties of Virus Manager > Classification, set the classification On detected items cleaned to Decrypt OK (successful decryption) and On virus cannot be removed to Decrypt failed (decryption did not succeed). Save these settings with OK.

Setting up the CompanyCRYPT Scenarios (MIKE - Mail Initiated Key Exchange)

Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Scenarios > Incoming

Note: The Keyserver Intern scenario is reserved for use in later CompanyCRYPT versions and is therefore not active yet.

The Keyserver-Extern scenario analyses the subject line of an e-mail and sends replies back to the sender. The responses are triggered by the following conditions:

Case 1: Subject contains no e-mail address
Response: Send Quick guide back.
Bodytext: <CompanyCRYPT Installpath>\Templates\Keyserver\Body-Quickguide.txt
Attachment: <CompanyCRYPT Installpath>\Templates\Keyserver\ Info.pdf

Case 2: Subject contains a valid e-mail address
Option A: An internal user key for the address is found in the CompanyCRYPT key stores
A.1 Subject contains the keyword pgp
Response: Send public key back.
Bodytext: <CompanyCRYPT Installpath>\Templates\Keyserver\Body-Keyreply.txt
Attachment: The public PGP key (1 file, extension: *.asc)

A.2 Subject contains the keyword smime
Response: Send public key back.
Bodytext: <CompanyCRYPT Installpath>\Templates\Keyserver\Body-Keyreply.txt
Attachment: The public S/MIME key (2 files, extensions: *.cer and *.pem)
A.3 Subject contains no keyword
Perform A.1 and A.2 in sequence.

Option B: No internal user key for the address is found in the CompanyCRYPT key stores
B.1 Automatic key generation is activated and the address is found in the reference list
Response: No immediate response. A key generation request is handed to the operational service. The service generates the key(s) and proceeds with option A.
B.2 Automatic key generation is not activated
Response: Send No key info back.
Bodytext: <CompanyCRYPT Installpath>\Templates\Keyserver\Body-Notfound.txt
Attachment: none

Note 1: This scenario always checks the e-mail for (new) unknown keys and extracts them.
Note 2: The responses No key info and Quick guide can be suppressed by another keyword in the subject line. Read chapter 3 Key distribution on the option Inhibit other replies by for this.

The following example explains how to set up a Scenario for the automatic key exchange. If you use the MIMEsweeper configuration wizard, some settings such as the selection of the data types are made automatically (derived from the EXE.INI). The following pages are intentionally not based on the wizard setup, in order to provide a better insight into the settings required for a CompanyCRYPT scenario. Please note that all CompanyCRYPT scenarios are based on the MIMEsweeper Virus-Manager scenario and are therefore integrated into the MIMEsweeper as such.

Step 1
Right-click on the Scenario Folder To Keyserver and select New > Virus Manager. The following steps describe the process without using a wizard.

Step 2
In Properties of Folder > General, enter a name that is self-explanatory in relation to the function. In this example we will use Keyserver.
Step 3
In Properties of Virus Manager > Data Types, select the option Include selected data types. When choosing the Data Types, mark only the two container types Microsoft Transport Neutral Encoding Format (TNEF) and SMTP message. Please verify that no other data types are marked.

Step 4
In Properties of Virus Manager > Application Details, select the matching CompanyCRYPT Scenario Keyserver Extern. Now activate the option Clean the detected virus in order to enable the decryption of the content. The option Strip infected files has to be left unchecked.

Step 5
In Properties of Virus Manager > Cleaned Annotation, leave the option Insert annotation for cleaned items unchecked as well.

Step 6
In Properties of Virus Manager > Classification, set both conditions On detected items cleaned and On virus cannot be removed to the same classification Keyserver. Save these settings with OK.

All replies, if any, are generated by CompanyCRYPT. Since further processing by the MIMEsweeper is not required, this scenario should lead to a classification without any reply, forward or deliver actions.

Step 7
Right-click on the Scenario Folder To Keyserver and select New > Classifier. The following steps describe the process without using a wizard.

Step 8
In Properties of Classifier > General, enter the name Block without Reply.

Step 9
In Properties of Classifier > Classifications, select the classification Keyserver. Should the Keyserver scenario produce no detection, this default classifier will prevent any unwanted processing by the MIMEsweeper.

Step 10
In the Scenario Folder Keyserver, deactivate all other CompanyCRYPT scenarios. To do this, right-click on the scenarios and uncheck the box Enable.

Extended Configuration

The extended configuration does not interfere with the de- and encryption of CompanyCRYPT. Its purpose lies in better supervision of the functionality and in providing an additional source of information for troubleshooting or problem analysis.
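The response logic of the Keyserver-Extern scenario described above, as an added example that is not CompanyCRYPT code: given a subject line, it returns which body template and attachments would be sent back. The key stores, the reference list, the address pattern and the attachment file names are assumptions of this example; the suppression keyword from chapter 3 is not modelled.

```python
"""Response logic of the Keyserver-Extern scenario (MIKE).

Added example, not CompanyCRYPT code: it maps a subject line to the reply
the cases above describe. Key stores, the reference list, the address
pattern and the attachment file names are assumptions of this example.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Template path prefix exactly as given in the guide.
TEMPLATES = r"<CompanyCRYPT Installpath>\Templates\Keyserver"

# Assumed syntax for "a valid address" in the subject.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class Reply(NamedTuple):
    kind: str                # "quick_guide", "key_reply", "not_found" or "deferred"
    body: Optional[str]      # path of the body text template, None if nothing is sent
    attachments: List[str]


# Constructed key stores: address -> file names of the public key material.
PGP_KEYS: Dict[str, List[str]] = {"alice@example.com": ["alice.asc"]}
SMIME_KEYS: Dict[str, List[str]] = {"alice@example.com": ["alice.cer", "alice.pem"]}
# Constructed reference list consulted for automatic key generation (B.1).
REFERENCE_LIST: Set[str] = {"alice@example.com", "bob@example.com"}


def keyserver_replies(subject: str, auto_keygen: bool) -> List[Reply]:
    """Return the replies the scenario would send for `subject`."""
    match = ADDRESS_RE.search(subject)
    if match is None:                                    # Case 1: no address
        return [Reply("quick_guide", TEMPLATES + r"\Body-Quickguide.txt",
                      [TEMPLATES + r"\Info.pdf"])]      # attachment name assumed
    addr = match.group(0).lower()
    words = subject.lower().split()                      # keywords matched as whole words
    want_pgp, want_smime = "pgp" in words, "smime" in words
    if not (want_pgp or want_smime):                     # A.3: no keyword -> A.1 then A.2
        want_pgp = want_smime = True

    if addr not in PGP_KEYS and addr not in SMIME_KEYS:  # Option B: no internal key
        if auto_keygen and addr in REFERENCE_LIST:       # B.1: service generates, no reply now
            return [Reply("deferred", None, [])]
        return [Reply("not_found", TEMPLATES + r"\Body-Notfound.txt", [])]  # B.2

    replies: List[Reply] = []                            # Option A: key(s) found
    if want_pgp and addr in PGP_KEYS:                    # A.1: one *.asc file
        replies.append(Reply("key_reply", TEMPLATES + r"\Body-Keyreply.txt", PGP_KEYS[addr]))
    if want_smime and addr in SMIME_KEYS:                # A.2: *.cer and *.pem
        replies.append(Reply("key_reply", TEMPLATES + r"\Body-Keyreply.txt", SMIME_KEYS[addr]))
    return replies


if __name__ == "__main__":
    for subj in ["Hello", "pgp alice@example.com", "Key request for Alice@Example.com",
                 "bob@example.com", "carol@other.example"]:
        print(repr(subj), "->", keyserver_replies(subj, auto_keygen=True))
```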

Message-Areas (optional)

It is not required to set up additional message areas. However, in installations in a sensitive production environment it is very useful to store the messages temporarily before and after they are processed. This provides a very good source of information for troubleshooting and is the easiest way to prove that encryption actually took place. In this context it is recommended to set up the following message areas:

Report Receive: for received (original) messages
Report Deliver: for sent (modified) messages

They can be used simultaneously for messages from the internet (decryption) as well as messages to the internet (encryption).

Setting up Message Areas

Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Message Areas

Step 1
Right-click on Message Areas and select New > Quarantine Area. The following steps describe the process without using a wizard. If a wizard is used, the screens and the order of the following steps differ.

Step 2
In Properties of Quarantine Area > General, enter the names of the message areas:
Report Receive: for received (original) messages
Report Deliver: for sent (modified) messages

Step 3
In Properties of Quarantine Area > Folder, enter the name for the folder. Use the same name as for the message area:
Report Receive: for received (original) messages
Report Deliver: for sent (modified) messages

Step 4
In Properties of Quarantine Area > Management, activate the option Automatically delete messages and enter 30 days into the appropriate field. The option Allow area to be managed by PMM must not be activated. Confirm the changes by clicking on OK.

Step 5
The new message areas will be displayed in the message overview.

Classifications (optional)

Setting up the Classifications for monitoring

Policy Editor > MIMEsweeper for SMTP Policy > MIMEsweeper for SMTP > Policies > Classifications

The following steps describe how to keep copies of the e-mails processed by CompanyCRYPT, both in their original form and in encrypted/decrypted form. These messages are stored in the defined message areas.

Step 1
Right-click on the classification Encrypt OK and select New > Quarantine. The following steps describe the process without using a wizard.

Step 2
In Properties of Quarantine > General, enter the name Report Receive.

Step 3
In Properties of Quarantine > Message Area, select Report Receive.

Step 4
In Properties of Quarantine > Options, activate the option In original form and confirm the settings with OK.

Step 5
Right-click again on the classification Encrypt OK and select New > Quarantine.


BusinessMail X.400 Web interface AS2 Gateway V3.0 Web interface AS2 Gateway V3.0 User information (1) In the past it was necessary to use special forms or Excel sheets for the administration of your partners and trading relations. You had to send this

More information

MDaemon Vs. MailEnable Enterprise Premium

MDaemon Vs. MailEnable Enterprise Premium Comparison Guide Vs. Enterprise Premium The following chart is a side-by-side feature comparison of Email Server and. Flex Licensing Maximum Accounts Unlimited Unlimited SMTP, POP3, DomainPOP, and MultiPOP

More information

Accessing the Ministry Secure File Delivery Service (SFDS)

Accessing the Ministry Secure File Delivery Service (SFDS) Ministry of Health Services Accessing the Ministry Secure File Delivery Service (SFDS) A Guide for New Users To SFDS And Digital Certificate Installation May 2004 Preface Purpose Audience Structure This

More information

Version Installation Guide. 1 Bocada Installation Guide

Version Installation Guide. 1 Bocada Installation Guide Version 19.4 Installation Guide 1 Bocada Installation Guide Copyright 2019 Bocada LLC. All Rights Reserved. Bocada and BackupReport are registered trademarks of Bocada LLC. Vision, Prism, vpconnect, and

More information

Centralized Policy, Virus, and Outbreak Quarantines

Centralized Policy, Virus, and Outbreak Quarantines Centralized Policy, Virus, and Outbreak Quarantines This chapter contains the following sections: Overview of Centralized Quarantines, page 1 Centralizing Policy, Virus, and Outbreak Quarantines, page

More information

MDaemon Vs. SmarterMail Enterprise Edition

MDaemon Vs. SmarterMail Enterprise Edition Comparison Guide Vs. Enterprise Edition The following chart is a side-by-side feature comparison of and Enterprise Edition. Flex Licensing û Maximum Accounts Unlimited Unlimited SMTP, POP3, DomainPOP,

More information

eroaming platform Secure Connection Guide

eroaming platform Secure Connection Guide eroaming platform Secure Connection Guide Contents 1. Revisions overview... 3 2. Abbrevations... 4 3. Preconditions... 5 3.1. OpenSSL... 5 3.2. Requirements for your PKCS10 CSR... 5 3.3. Java Keytool...

More information

2/21/2018 Blackbaud NetCommunity 7.1 Parts US 2017 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any

2/21/2018 Blackbaud NetCommunity 7.1 Parts US 2017 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any Parts Guide 2/21/2018 Blackbaud NetCommunity 7.1 Parts US 2017 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or mechanical,

More information

Configuring SSL CHAPTER

Configuring SSL CHAPTER 7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section

More information

MDaemon Vs. Microsoft Exchange Server 2016 Standard

MDaemon Vs. Microsoft Exchange Server 2016 Standard Comparison Guide Vs. The following chart is a side-by-side feature comparison of and. Flex Licensing Maximum Accounts Unlimited Unlimited SMTP, POP3, DomainPOP, and MultiPOP POP3 & SMTP Only SSL / TLS

More information

ms-help://ms.technet.2004apr.1033/ad/tnoffline/prodtechnol/ad/windows2000/howto/mapcerts.htm

ms-help://ms.technet.2004apr.1033/ad/tnoffline/prodtechnol/ad/windows2000/howto/mapcerts.htm Page 1 of 8 Active Directory Step-by-Step Guide to Mapping Certificates to User Accounts Introduction The Windows 2000 operating system provides a rich administrative model for managing user accounts.

More information

BUSINESSMAIL X.400 WEB INTERFACE AS2 GATEWAY V2.9

BUSINESSMAIL X.400 WEB INTERFACE AS2 GATEWAY V2.9 GATEWAY V2.9 User information (1) In the past it was necessary to use special forms or Excel sheets for the administration of your partners and trading relations. You had to send this information to central

More information

MDaemon Vs. SmarterMail Enterprise Edition

MDaemon Vs. SmarterMail Enterprise Edition Comparison Guide Vs. Enterprise Edition The following chart is a side-by-side feature comparison of and Enterprise Edition. Flex Licensing û Maximum Accounts Unlimited Unlimited SMTP, POP3, DomainPOP,

More information

SAP Workforce Performance Builder 9.5

SAP Workforce Performance Builder 9.5 Upgrade Guide Workforce Performance Builder Document Version: 1.0 2016-10-15 2016 SAP SE or an SAP affiliate company. All rights reserved. CUSTOMER Table of Contents 1 Introduction... 3 2 Migrating a Workarea...

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Secure Web Gateway. SWG User Guide. Release Manual Version v

Secure Web Gateway. SWG User Guide. Release Manual Version v Secure Web Gateway SWG User Guide Release 10.2.0 Manual Version v 10.2.0.1 M86 SECURITY SECURE WEB GATEWAY SWG USER GUIDE 2012 M86 Security All rights reserved. 828 W. Taft Ave., Orange, CA 92865, USA

More information

Cryptshare for Outlook Installation Guide

Cryptshare for Outlook Installation Guide Cryptshare for Outlook Installation Guide V1.6.2 Befine Solutions AG Werthmannstr. 15 79098 Freiburg i. Br. Germany Web: https://www.cryptshare.com E-Mail: info@cryptshare.com Tel.: +49 761 389 13 0 Fax:

More information

Antivirus and Content Shield Protect your SharePoint Farm Using the AvePoint Antivirus and Content Shield Solution

Antivirus and Content Shield Protect your SharePoint Farm Using the AvePoint Antivirus and Content Shield Solution Quick Start Guide Antivirus and Content Shield Protect your SharePoint Farm Using the AvePoint Antivirus and Content Shield Solution This document is intended for anyone wishing to familiarize themselves

More information

SASI for iq.suite Wall

SASI for iq.suite Wall SASI for iq.suite Wall Integration and Configuration for Lotus Domino Document version 2.1 Content 1 About GROUP Technologies AG...2 2 Introduction...3 2.1 What is SASI?...3 2.2 License Requirements...3

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust

More information

Clearswift & Sandbox Technology. Version 1.1

Clearswift & Sandbox Technology. Version 1.1 Version 1.1 01/08/2017 Copyright Published by Clearswift Ltd. 1995 2017 Clearswift Ltd. All rights reserved. The materials contained herein are the sole property of Clearswift Ltd unless otherwise stated.

More information