Configuring Stormshield Data Mail
Stormshield Data Mail makes it possible to encrypt and sign e-mails to guarantee their confidentiality and integrity, and confirm the identity of the sender. Stormshield Data Mail runs with the help of an extension built into users' Outlook mail client.
For more information, refer to Securing e-mails in the SDS Enterprise Advanced user guide.
Securing e-mails: a few concepts
Stormshield Data Mail uses public key cryptography technology.
Each peer has one or several key pairs, each made up of a private key and a public key. The private key is closely guarded by its owner. The public key (certificate), by contrast, is freely distributed.
Stormshield Data Mail can use one of the following:
- A single key pair for encryption and signing,
- Two different key pairs, one for encryption, the other for signing.
For more information on key pairs, refer to Setting account creation parameters.
The S/MIME V3 standard allows the body of a message — its text and attachments — to be secured.
However, under the S/MIME standard the message header (the rfc822 header) is not secured. This header contains the name of the sender, the list of recipients, the transmission date and, in particular, the subject of the message.
Therefore, even if the message is secured, its subject may have been read and modified in transit over the network.
The sender encrypts messages with the recipient's public key; the recipient uses their own private key to decrypt the message. Since the recipient is the sole owner of the required private key, the sender is assured that the message cannot be read by third parties.
NOTE
Senders will be able to encrypt an e-mail only if they have an encryption key in their key ring. An SDS Enterprise account that only holds a signature key cannot therefore be used to encrypt e-mails.
A digital signature is a mathematical "seal" that is imprinted on the message: it guarantees the integrity of the message and the identity of its signer.
Signers sign messages with their private keys. Recipients verify the signature by using the signer's public key. Since the signer is in sole possession of the private key used to sign the message, the recipient is sure that it has been sent by the signer and that the message has not been modified during its transfer.
NOTE
Senders will be able to sign an e-mail only if they have a signature key in their key ring. An SDS Enterprise account that only holds an encryption key cannot therefore be used to sign e-mails.
There are two types of signatures: opaque and detached (i.e., plaintext) signatures. Stormshield Data Mail allows e-mails to be sent and received with both types of signature.
Detached signatures allow recipients to read the e-mail even if their messaging software does not support S/MIME format or refuses to display e-mails with signatures that cannot be confirmed. This occurs, for example, when certificates and revocation lists are not available.
However, a detached signature may be invalidated by changes made to the e-mail in transit. Servers usually do not modify e-mails, but tags can be added and blank lines can be added or removed; the signature of the e-mail would then no longer verify.
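The two limits described above (the rfc822 header is outside the signature, and a detached signature breaks when a relay touches the text) in a small model, as an added example rather than Stormshield code; it also goes beyond the text by contrasting the opaque form, whose wrapped body survives an appended blank line. The message, the relay edits and the digest-as-signature stand-in are all constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample e-mail, modelled as headers plus a body.
SAMPLE = {
    "headers": {"From": "alice@example.com", "To": "bob@example.com",
                "Subject": "Q3 budget"},
    "body": "Hello Bob,\r\n\r\nThe figures are attached.\r\n",
}

def _digest(body: str) -> str:
    # Stand-in for the signature: in real S/MIME the sender's private key
    # signs this digest of the body part and the reader checks it with the
    # public key from the certificate. Headers are never part of the input.
    return hashlib.sha256(body.encode()).hexdigest()

def sign_detached(msg: dict) -> dict:
    """multipart/signed: the body travels as readable text beside the signature."""
    return {"headers": dict(msg["headers"]), "body": msg["body"],
            "signature": _digest(msg["body"])}

def sign_opaque(msg: dict) -> dict:
    """application/pkcs7-mime: the body is wrapped (base64) inside the signed blob."""
    blob = base64.b64encode(msg["body"].encode()).decode()
    return {"headers": dict(msg["headers"]), "blob": blob,
            "signature": _digest(msg["body"])}

def verify(signed: dict) -> bool:
    """Recover the body the way a mail reader would, then check the signature."""
    if "blob" in signed:  # opaque: decoding ignores stray whitespace a relay added
        body = base64.b64decode(signed["blob"]).decode()
    else:
        body = signed["body"]
    return hmac.compare_digest(_digest(body), signed["signature"])

def relay_rewrites_subject(signed: dict) -> dict:
    """A relay tags the unprotected Subject header: the signature still verifies."""
    out = dict(signed)
    out["headers"] = dict(signed["headers"])
    out["headers"]["Subject"] = "[EXTERNAL] " + signed["headers"]["Subject"]
    return out

def relay_appends_blank_line(signed: dict) -> dict:
    """A relay appends a blank line to whatever text part it transmits."""
    out = dict(signed)
    key = "blob" if "blob" in signed else "body"
    out[key] = signed[key] + "\r\n"
    return out
```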
When a signed e-mail arrives and is opened in the reading pane or in a new window, SDS Enterprise checks, among other things, that the sender's e-mail address matches the address specified in the associated certificate. If they do not match, a warning is displayed in the security banner at the bottom of the received e-mail.
Only one error is shown in the security report. If several errors or warnings occurred, only the most critical one is shown.
Stormshield Data Mail includes a trusted address book that you can use to insert the certificates of correspondents and authorities that you trust.
If you wish to encrypt a message for one or several recipients for whom you do not have valid certificates in your trusted address book, the LDAP directory can be queried automatically. To do so, you must declare an LDAP directory beforehand and enable automatic updates from the LDAP directory. For more information, see the section Configuring corporate directories.
Encrypting and signing e-mails
To configure how e-mails are encrypted and signed:
- Go to Policies > Features > Mail, and enable the settings of your choice.

| Setting | Description |
|---|---|
| Properties | Select the type of signature, opaque or detached, to use when sending and receiving e-mails. Refer to the section Digital signatures for further information. If you choose to enable signature and encryption by default on all messages, the user will still be able to disable them on individual messages. |
| PGP encryption | If you choose to allow message encryption and decryption in PGP format, you must specify one or several WKDs (Web Key Directories) to query. Refer to the following row in this table. |
| WKD server | In the Directories menu of the policy, you can indicate the WKD servers to query for PGP encryption. These public key directories allow Stormshield Data Mail to retrieve the public PGP keys belonging to the recipients of encrypted e-mails. For more information, see the section Configuring corporate directories. |
| Directory update | When sending encrypted messages: to update the trusted address book when sending encrypted messages, you must have declared an LDAP directory beforehand. For more information, see the section Configuring corporate directories. When receiving a signed message: users can send their encryption certificates (their public keys) to their co-workers by sending them a signed e-mail. You can choose whether to allow recipients to manually import the certificate into their trusted address books, and whether to allow the address book to be updated automatically. If you allow these operations only for known authorities, the sender's encryption certificate will be imported only if it was issued by an authority whose certificate is already in the recipient's trusted address book. |
For more information on the advanced use of the Mail feature on the SDS Enterprise agent, refer to the section Stormshield Data Mail.