MailSealer Policies

With policies you can define when an e-mail is to be encrypted and/or signed.

  • Policies are processed from top to bottom and can be reorderd via Drag & Drop
  • E-Mail addresses can be either set complete or with wildcards, e.g. *@domain.tld or *@* for all
  • Outgoing policies should have at least the sender adress wildcard *@*. You should not use * because this would also match for mails without recipient adresses and out-of-office mails would be checked for mailsealer licenses for the non existing sender adress and thus fail to be sent at all.
  • It is recommended to use a well describing comment for policies, to be able to check in the lg to see wheter this policy was applied

  • For incoming E-Mails the option "Forward message untouched" can be used, if the E-Mail is supposed to be encrypted directly at the client
  • The certificate validation can be disabled, to use invalid or expired certificates (this is not recommended)
  • Via "message tagging" you can configer if the appliance should alter the header od subject of a mail depending on the signature validity
  • Messages with invalid signatures can be bounced back to the sender if set (in the Verify Tab)
  • Additional valid addresses can be used for signature verification
    If the sender used your "Gateway Certificate", then your Gateway Certificate Address needs to be provided here

  • The certificate validation can be disabled, to use invalid or expired certificates (this is not recommended)
  • For outbound policies, various options are possible to define how the appliance should process the signing and encryption

Signature Settings:

  • Force signature: The e-mail must be signed in all cases. If there is no signature (public key) for the sender, the e-mail is not sent but bounced back to the sender.
  • Sign if possible: If a signature (public key) is available, the e-mail is sent with signature. Otherwise it is sent without signature. The sender is not informed in this case.
  • Do not sign: The e-mail is sent without signature.

  • Forced or fallback certificates
    Here you can set an alternative certificate address for signature (e.g. when you as sender do not want to sign with your address, but with the certificate of another address like an info mailbox)

  • Signature Algorithm
    If you need a special signature algorithm for this policy that is different from the default algorithms in global mailsealer settings, you can adjust it here on policy level

Encryption Settings:

  • Force encryption (for all recipients): The e-mail must be encrypted for all recipients.
    If encryption is not possible for one or more recipients (e.g. no public key available), the e-mail is not send to anyone but bounced back to the sender.
  • Encrypt if possible (bounce unencrypted): The e-mail is supposed to be sent encrypted.
    If this is not possible for some recipients, the e-mail is not send to them and the sender gets notified. Recipients with a successful encryption will receive the encrypted e-mail.
  • Encrypt if possible (send unencrypted): The e-mail is supposed to be sent encrypted.
    If this is not possible for some recipients, the e-mail is sent unencrypted, in plain text, to them.
    Recipients with a successful encryption will receives the encrypted e-mail. The sender is not informed in this case.
  • Do not encrypt: The e-mail is send unencrypted.

  • Fallback Certificates:
    The appliance will either search for a matchhing certificate to the recipient for encryption, or if the recipient uses a gateway certificate the address can be set here

  • Encryption Algorithm
    If you need a special encryption algorithm for this policy that is different from the default algorithms in global mailsealer settings, you can adjust it here on policy level