bidirectional encryption

Can anyone tell me the requirements and tasks required to implement bi-directional email encryption on the ES4000 appliance?


  • This is what we would like to do on the email appliance. Is that possible, or only on the UTM?


  • Hi Mark,

    These are the instructions for the Sophos Email Appliance.

    Are you referring to TLS (transport of emails) or SPX encrypted email PDFs? The most secure way to send email is to configure both SPX and TLS. See below.



    Configuration / Policy / Encryption

    Ensure TLS is enabled.


    Under the advanced section at the bottom:

    Enter the domain, select subdomains if required, and change the incoming and outgoing messages to "require encryption" OR "require and validate".

    **** NOTE: if encryption fails or the certificate fails to be validated, mail will pile up in the mail queues. Ensure the domain is properly set up before enabling this.



    You will require configuration in the UI and some rules to ensure it works correctly.


    UI: under the same Encryption menu, click on the SPX tab.

    Note the portal port number: this must be accessible from the internet to the appliance.

    Create your template and password settings.


    Once that is all done:

    On Exchange, ensure there is a "send" connector sending all outbound mail through the appliance.


    Then, in the appliance, create the following rule:

    This example will encrypt all mail that is either flagged as "company-confidential" (you can use the Outlook plugin, or manually set the sensitivity in the email properties) OR mail with the word *encrypt* in the subject line.



    Add SPX rule

    Under Configuration \ Policy \ Data Control or Additional Policy \ Outbound

    Rule type:
    messages matching specific words or phrases
    enable advanced policy
    Rule config:
    click on the regular expressions tab
    .* (period star, no spaces, etc.)
    Message attributes: (2 rules)
    select header
    Name: Subject (note the capital S is important)
    check off "is (exact match)"
    Value: *encrypt* (or whatever keyword you like; you can also use "contains substring" if you want to look for *encrypt, encrypt, [encrypt], etc.)

    Name: Sensitivity (note the capital again)
    check off "is (exact match)"
    Value: company-confidential (all lower case)

    You will now see a check box at the bottom of the rule; make sure you click "One of the message attributes must be present".

    So the rule in the window should read:

    Header is: 'Subject: *encrypt*'
    OR Header is: 'Sensitivity: company-confidential'

    Select users
    Main action
    Encrypt using SPX, select your template, and you will probably want to check off all 3 boxes.
    Additional actions
    Rule description
    Name it, save it.

    Once you're dropped back to the list of policies, use the arrows ^ to move it to the top and click "save order".
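
A dry run of the SPX rule logic laid out in the answer above, as an added example that is not part of the post or of the Sophos appliance. It parses a few constructed messages with Python's `email` module and evaluates the two header tests the way the answer describes them: "is (exact match)" versus "contains substring" on `Subject`, `Sensitivity: company-confidential`, and the "One of the message attributes must be present" box as a logical OR. It also shows the trade-off the answer hints at: exact match on `*encrypt*` only fires when the subject is literally `*encrypt*`, while "contains substring" on `encrypt` also catches `[encrypt]` but will hit an unrelated subject such as "Encryption roadmap". The names `SAMPLES`, `header_test`, `rule_hits` and `evaluate` are mine; matching header names exactly (the post's "capital S" note) but comparing values case-insensitively is an assumption about the appliance, not documented behaviour.

```python
"""Dry-run of the SPX header rule against constructed sample messages.

Added example: not the forum post's or Sophos' code. The match semantics are
assumptions modelled on the post's description of the appliance UI.
"""
from email import message_from_string
from email.message import Message

# Constructed sample messages (not captured traffic); only headers matter here.
SAMPLES = {
    "flagged_subject":   "Subject: *encrypt*\nFrom: a@example.com\nTo: b@example.org\n\nbody\n",
    "bracketed_subject": "Subject: Q3 numbers [encrypt]\nFrom: a@example.com\nTo: b@example.org\n\nbody\n",
    "confidential":      "Subject: Lunch\nSensitivity: company-confidential\nFrom: a@example.com\nTo: b@example.org\n\nbody\n",
    "plain":             "Subject: Hello\nSensitivity: Normal\nFrom: a@example.com\nTo: b@example.org\n\nbody\n",
    "roadmap":           "Subject: Encryption roadmap\nFrom: a@example.com\nTo: b@example.org\n\nbody\n",
}

# The two header tests from the post, once with "is (exact match)" on Subject
# and once with "contains substring". Sensitivity is an exact match in both.
RULE_EXACT = [
    ("Subject", "is", "*encrypt*"),
    ("Sensitivity", "is", "company-confidential"),
]
RULE_CONTAINS = [
    ("Subject", "contains", "encrypt"),
    ("Sensitivity", "is", "company-confidential"),
]


def header_test(msg: Message, name: str, test: str, value: str) -> bool:
    """Apply one appliance-style header test to a parsed message.

    Assumption: the header *name* must match exactly (mirrors the post's note
    that the capital S in "Subject" matters), while the *value* comparison is
    case-insensitive. A header may appear more than once; any instance counts.
    """
    want = value.strip().lower()
    for hdr_name, hdr_value in msg.items():
        if hdr_name != name:
            continue
        got = str(hdr_value).strip().lower()
        if test == "is" and got == want:
            return True
        if test == "contains" and want in got:
            return True
    return False


def rule_hits(msg: Message, tests: list[tuple[str, str, str]]) -> bool:
    """'One of the message attributes must be present' == logical OR of the tests."""
    return any(header_test(msg, n, t, v) for n, t, v in tests)


def evaluate(rule: list[tuple[str, str, str]], samples: dict[str, str] = SAMPLES) -> dict[str, bool]:
    """Return {sample name: would this message be routed to SPX?} for one rule variant."""
    return {label: rule_hits(message_from_string(raw), rule) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, rule in (("exact match on Subject", RULE_EXACT), ("contains substring on Subject", RULE_CONTAINS)):
        print(label)
        for sample, hit in evaluate(rule).items():
            print(f"  {sample:18s} -> {'SPX' if hit else 'plain'}")
```

Run it before you move the rule to the top of the policy order: the exact-match variant misses `[encrypt]` subjects, and the contains variant flags "Encryption roadmap", so pick the keyword and test to suit how your users actually write subjects.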

  • In reply to Red_Warrior:

    Perfect, many thanks for your help.