With policies you can define when an e-mail is to be encrypted and/or signed.
Policies are processed from top to bottom and can be reordered via drag and drop.
E-mail addresses can be entered either in full or with wildcards, e.g. *@domain.tld or *@* for all.
Outgoing policies should use at least the sender address wildcard *@*. Do not use * alone, because it would also match mails without recipient addresses, and out-of-office mails would then be checked for mailsealer licenses for the non-existent sender address and thus fail to be sent at all.
It is recommended to give each policy a descriptive comment, so that you can check in the log whether this policy was applied.
The certificate validation can be disabled in order to use invalid or expired certificates (this is not recommended).
For outbound policies, various options are possible to define how the appliance should process the signing and encryption
Force signature: The e-mail must be signed in all cases. If there is no signature (public key) for the sender, the e-mail is not sent but bounced back to the sender.
Sign if possible: If a signature (public key) is available, the e-mail is sent with signature. Otherwise it is sent without signature. The sender is not informed in this case.
Do not sign: The e-mail is sent without signature.
Forced or fallback certificates
Here you can set an alternative certificate address for the signature (e.g. when you as the sender do not want to sign with your own address, but with the certificate of another address such as an info mailbox).
If this policy needs a signature algorithm that differs from the default algorithms in the global mailsealer settings, you can adjust it here at policy level.
Force encryption (for all recipients): The e-mail must be encrypted for all recipients.
If encryption is not possible for one or more recipients (e.g. no public key available), the e-mail is not sent to anyone but bounced back to the sender.
Encrypt if possible (bounce unencrypted): The e-mail is supposed to be sent encrypted.
If this is not possible for some recipients, the e-mail is not sent to them and the sender is notified. Recipients for whom encryption succeeds will receive the encrypted e-mail.
Encrypt if possible (send unencrypted): The e-mail is supposed to be sent encrypted.
If this is not possible for some recipients, the e-mail is sent unencrypted, in plain text, to them.
Recipients for whom encryption succeeds will receive the encrypted e-mail. The sender is not informed in this case.
Do not encrypt: The e-mail is sent unencrypted.
The appliance will either search for a certificate matching the recipient for encryption, or, if the recipient uses a gateway certificate, the address can be set here.
If this policy needs an encryption algorithm that differs from the default algorithms in the global mailsealer settings, you can adjust it here at policy level.
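
The four outbound encryption options described above, modeled as an added example (this is not the appliance's own code) to show which recipients end up with plain text and whether the sender hears about it. The function name, the result fields and the recipient addresses are hypothetical and constructed for illustration.

```python
from enum import Enum


class Mode(Enum):
    FORCE = "Force encryption (for all recipients)"
    IF_POSSIBLE_BOUNCE = "Encrypt if possible (bounce unencrypted)"
    IF_POSSIBLE_PLAIN = "Encrypt if possible (send unencrypted)"
    NONE = "Do not encrypt"


def plan_delivery(mode, recipients, have_key):
    """Model the per-recipient outcome of one outbound encryption option.

    recipients: envelope recipients; have_key: recipients with a usable public key.
    Returns who gets ciphertext, who gets plain text, who gets nothing,
    and whether the sender is told about it.
    """
    with_key = [r for r in recipients if r in have_key]
    without_key = [r for r in recipients if r not in have_key]
    plan = {"encrypted": [], "plaintext": [], "not_sent": [], "sender_informed": False}
    if mode is Mode.NONE:
        plan["plaintext"] = list(recipients)
    elif mode is Mode.FORCE:
        if without_key:  # one missing key stops delivery to everyone
            plan["not_sent"] = list(recipients)
            plan["sender_informed"] = True  # bounced back to the sender
        else:
            plan["encrypted"] = with_key
    elif mode is Mode.IF_POSSIBLE_BOUNCE:
        plan["encrypted"] = with_key
        plan["not_sent"] = without_key
        plan["sender_informed"] = bool(without_key)
    elif mode is Mode.IF_POSSIBLE_PLAIN:
        plan["encrypted"] = with_key
        plan["plaintext"] = without_key  # silent fallback, sender not informed
    return plan


def silent_plaintext(mode, recipients, have_key):
    """Recipients who receive plain text under an encrypting mode without sender notice."""
    plan = plan_delivery(mode, recipients, have_key)
    if mode is Mode.NONE or plan["sender_informed"]:
        return []
    return plan["plaintext"]


if __name__ == "__main__":
    rcpts = ["alice@partner.example", "bob@nokey.example"]  # constructed sample
    keys = {"alice@partner.example"}
    for m in Mode:
        print(m.value, "->", plan_delivery(m, rcpts, keys))
```

Only "Encrypt if possible (send unencrypted)" produces a non-empty result from silent_plaintext, which is the case to look for in the log when reviewing policies that handle sensitive mail.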