Description

With the MailSealer you can sign and encrypt emails for sending.
The REDDOXX Appliance provides two different methods, split into two product groups.

The MailSealer Light encrypts on the basis of a passphrase (symmetric):

  • This can be done ad hoc, without any configuration effort, by placing a passphrase in the E-Mail subject
  • The recipient needs the MailSealer Light reader software to decrypt the E-Mail; a link to the software is enclosed in the E-Mail
  • If the user sets a passphrase for E-Mail addresses in his user console, permanent encryption can be done
  • If both the recipient and the sender use a REDDOXX appliance with passphrases in their user settings, gateway encryption is performed
  • With gateway encryption, decryption is automatic and the MailSealer Light reader is not needed

The MailSealer encrypts and signs according to S/MIME on the basis of X509v3 certificates or key pairs (asymmetric):

  • S/MIME certificates (X.509v3) are usually personal and issued by a trusted certificate authority; they are available from commercial providers (e.g. VeriSign, Thawte, CAcert, etc.)
  • S/MIME "Gateway Certificates" can also be used; in this case only one certificate per domain needs to be purchased and managed
    This forces the use of that certificate irrespective of the sender address.
    It should only be used, and is therefore only recommended, for specific processes.
    The so-called "gateway certificates" should only be used when the communication partners can handle the certificate, as otherwise signatures, for example, would be reported as invalid.
  • With the self-signed REDDOXX ROOT-CA certificate, user certificates can be generated automatically; your E-Mail partner has to import this ROOT certificate into his trusted Certificate Authorities
  • S/MIME certificates are checked for validity when they are added (automatically or manually) and whenever the MailSealer uses them for encryption or signing
  • The OCSP state is checked hourly; the CRL is checked every 8 hours.

With signed E-Mails, the recipient can check whether the E-Mail was delivered unchanged on the way from sender to recipient and whether it really originates from the stated sender.

For signing an E-Mail, a valid private sender certificate and a valid and complete certificate chain (intermediate / root issuer certificate) are required.
The private sender certificate needs to include "digital signature" as Key Usage.
When signing an E-Mail, a hash value (checksum) over the E-Mail document is generated and then encrypted using the sender's private key.
The signed E-Mail then contains the original document, the encrypted checksum and the sender's public key.

For validating an E-Mail signature, a valid public sender certificate and a valid and complete certificate chain (intermediate / root issuer certificate) are required.
The receiving system decrypts the delivered checksum with the sender's public key and compares it against a checksum it computes itself over the delivered E-Mail.
If the checksums match, the E-Mail has not been manipulated in transit.

For encrypting an E-Mail via S/MIME, the recipient's public certificate, the sender's private certificate and valid certificate chains are required.
The private certificate has to provide "digital signature" and "key encipherment" as Key Usage.

For decrypting an E-Mail via S/MIME, the recipient's private certificate, the sender's public certificate and valid certificate chains are required.