Secure Messaging - Definitions & Policies

This article provides an overview of Secure Messaging Definitions and Policies and how to configure them.

Secure Messaging allows users to transmit confidential messages to recipients in a secure environment. However, the functionality differs depending on whether a message is sent to an internal or external recipient.

Secure Messaging Workflow

If sent externally, the message isn't sent to the recipient's mail server. Instead, it is retained by us in our Secure Messaging Portal. A notification is sent to the recipient, allowing them to:

  • View the secure message.
  • Send a secure response, if the sender enabled this option when sending the original message.

If a secure message is sent internally, it isn't retained in our Secure Messaging Portal. Instead, it's delivered through your mail server with a banner (see below). The recipient can reply as usual via their email application or securely (again, if this was configured when sending the original message) via:

  • The Secure Messaging Portal.
  • A Mimecast end-user application.

[Image: Secure Messaging banner]

Considerations

Be aware of the following before configuring a Secure Messaging definition or policy:

  1. Secure Messages can be sent: 
    • By end-users using the Secure Message functionality in their application. This requires at least one Secure Messaging definition to be created, but does not require a policy.
    • Automatically, as a result of a Content Examination Policy with a Secure Messaging definition (with no associated policy) selected in the Secure Delivery option. For more information on Secure Delivery definitions in relation to Secure Messaging, see Secure Delivery Configuration.
    • Automatically, as a result of a Secure Messaging definition with an associated policy.
  2. Secure Messaging Definitions are grouped in folders: It's important to remember this when creating multiple definitions, as the folder location will determine who has access to them.
  3. Secure Messaging-Lite doesn't allow the creation of Secure Messaging definitions. For more details, see the Overview page.
  4. Non-Delivery notifications: If an external user replies to a secure message via the Secure Messaging Portal and the recipient list includes an address that is unknown to the destination email system, depending on the configuration of the destination email system, the sender may receive a copy of their secure message as part of the non-delivery notification.

Contact your Customer Development Manager or Customer Success contact regarding the number of users subscribed to the Secure Messaging service. Contact details are found in the Administration Console by clicking on your username at the top right, then selecting Account and Support Details. The details are under Key Contacts.

Secure Messaging Definitions

Secure Messaging supports the ability to create customized definitions in the Mimecast Administration Console that can be used by users and policies. The definitions can be configured to include the following settings:

    • Allow Recipients to Reply.
    • Allow Recipients to Reply All.
    • Allow Recipients to Print.
    • Set the period for the expiry of the Secure Messages.
    • Send read receipt when recipient reads message.

Secure Messaging only supports the External Routing method. This means secure messages sent to internal recipients will be sent to the recipient's Inbox, and secure messages sent to external recipients will be sent to the Secure Messaging Portal.

Note that Secure Messaging - Lite only supports the default Secure Messaging definitions.
The full Secure Messaging product allows Administrator users to create customized versions. The default definitions available for Secure Messaging - Lite are:

    • All Recipients: Secure Messages sent to internal and external recipients will be sent via the Secure Messaging Portal. Messages sent via the Mimecast for Outlook plugin to internal users will be sent to the recipient's Inbox.
    • External Recipients: Secure Messages sent to internal recipients will be sent to the recipient's Inbox, and Secure Messages sent to external recipients will be sent to the Secure Messaging Portal.

Configuring a Secure Messaging Definition

You can configure a Secure Messaging definition by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies | Secure Messaging (Definitions button).
  3. Either: 
    • Click on the Folder where the definition is to be created or already exists. (A definition cannot be created in the Root folder.)
    • Create a Folder where the definition is to be created. See the Managing Folders page for full details.
  4. Either click on the:
    • New Secure Messaging Definition button to create a definition.
    • Definition to be changed.
  5. Complete the Definition's Properties as follows:
    • Description: This is used to identify the definition. It is good practice to ensure this accurately describes the settings below (e.g. Allow Print, 7-Day Exp, No Receipt).
    • Allow External Recipient to Print: If selected, the recipient of the secure message can print it.
    • Allow External Recipient to Reply: If selected, the recipient of the secure message can reply to the sender. If the sender sent the message to multiple recipients, they cannot use the Reply All functionality unless the "Allow External Recipient to Reply All" option is also selected.
    • Allow External Recipient to Reply All: If selected, the recipient of the secure message can reply to all the recipients.
    • Expire Secure Messages for External Recipients After: Set the expiration date of any secure message sent to an external recipient using this definition. If the secure message using this definition is sent to internal recipients, they can see the message after the expiration date. If the "Never Expire" option is selected, this is limited to the maximum retention period for your account.
    • Allow Sender to Extend Message Expiration by a Maximum of: Set the period when the sender can extend the secure message's expiration date.
    • Send Read Receipt: If selected, the sender receives a notification when the recipient views the secure message.
    • Customize Internal Notification Banner: If selected, you can customize the default Secure Messaging banner that is added for an internal recipient of a secure message. When ticked, an additional box is exposed. This allows you to edit the input as required by inserting your banner wording (including custom tags in plain text or HTML). To completely remove your banner, enter the following empty div class construct:
      <div class="mc-sm-hide"> </div>

This functionality is not currently supported with Mimecast For Outlook or Mimecast Mobile (the standard Mimecast banner will continue to be applied to these applications).

  6. Click on the Save and Exit button.

Configuring a Secure Messaging Policy

Unlike other definitions, with Secure Messaging, you do not always require an associated policy.
This is because definitions can be set up to be used inside Content Examination Definitions or end-user applications.
Where this is the case, a policy is not required to control when the definition is triggered, and the action to be taken.

You can configure a Secure Messaging policy by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies | Secure Messaging.
  3. Either click on the:  
    • Policy to be changed.
    • New Policy button to create a policy.
  4. Complete the Options section as required:
    • Policy Narrative: Describe the Policy to allow you to identify it easily in the future.
    • Take No Action: If this option is selected, secure messaging is not applied to messages covered by the Policy.
    • Select Secure Messaging: Select a Secure Messaging definition by clicking the Lookup button.
  5. Complete the remainder of the Policy as necessary; refer to the Policy Basics KB article if needed.
  6. Click on the Save and Exit button.

Creating a Content Examination Definition and Policy

A Content Examination policy (with an associated definition) can be used to automatically send messages using Secure Messaging - Lite, based on the messaging content. For example, they can be used to look for any message sent with "Confidential" in the Subject field. Note that this section describes the Optional Tasks referred to in the Overview page, Setting Up Secure Messaging - Lite section.

You can create a Content Examination definition and policy by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies.
  3. Create a Content Examination Definition, but with the following settings:
    • Secure Messaging Override (Recommended Setting: see the Comments): Click the Lookup button to select one of the following Secure Messaging definitions:
      • External Recipients: This only sends a secure message to external recipients. Internal recipients receive the message as usual in their Inbox.
      • All Recipients: This sends a secure message to all internal and external recipients.
  4. Click the Save and Exit button.
  5. Create a Content Examination Policy, but with the following settings:
    • Select Content Definition (Recommended Setting: see the Comments): Click the Lookup button to select the Content Examination Definition created in the previous step.
  6. Click the Save and Exit button.

Applying the Content Examination Definition in a Policy

You can apply the Content Examination definition in a policy by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies.
  3. Click on Content Examination from the list of policy types on the page, to view any policies already created.
  4. Click the New Policy button from the menu bar.
  5. Enter a description of the policy in the Policy Narrative text box.
  6. Use the Lookup button to select the Content Examination definition you created in the previous step.
  7. Select which senders and recipients the policy should apply to in the Emails From and Emails To sections.

Secure Messaging can apply to messages both inbound and outbound. Be sure to consider this when selecting senders and recipients in this section.

  8. In the Validity section, optionally set:
    • The date range that the policy should be active. Use the Always On button to keep the policy active at all times.
    • Policy Override to force the policy to apply in a situation where there are conflicting policies.
    • Source IP Ranges to specify if the policy should only apply when Mimecast receives a connection from the defined IPs.
  9. Do not set the Bi-Directional setting, as a Secure Messaging policy is for internal to external messages only.
  10. Click Save and Exit to apply the policy.

Next Steps

Once the policy is saved, outbound messages containing the content specified in your Content Definition and matching the communication pair specified in your policy will be delivered via Secure Messaging.

Secure Messaging Bypass 

This section describes how to configure a Secure Messaging Bypass policy. These can be used to override a Secure Messaging policy.

You can configure a Secure Messaging Bypass policy by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies.
  3. Click on Secure Messaging Bypass.
  4. Either select the: 
    • Policy to be changed.
    • New Policy button to create a policy.
  5. Complete the Options section as required:
    • Policy Narrative: Provide a description for the policy to allow you to easily identify it in the future.
    • Select Option: Select whether to Take No Action or Disable Secure Messaging.
  6. Complete the Emails From and Emails To sections as required:
    • Addresses Based On: Specify the email address characteristics the policy is based on. This option is only available in the "Emails From" section. The options are:
      • The Return Address (Mail Envelope From): This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission).
      • The Message From Address (Message Header From): Applies the policy based on the masked address used in the message's header.
      • Both: Applies the policy based on either the Mail Envelope From or the Message Header From, whichever matches. When both match, the value specified in the Message Header From will be used.
    • Applies From / To: Specify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:
      • Everyone: Includes all email users (i.e. internal and external). This option is only available in the "Emails From" section.
      • Internal Address: Includes only internal organization addresses.
      • External Address: Includes only external organization addresses. This option is only available in the "Emails From" section.
      • Email Domain: Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
      • Address Groups: Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
      • Address Attributes: Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop-down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
      • Individual Email Address: Enables you to specify an SMTP address. The email address is entered in the Specifically field.
  7. Complete the Validity section as required:
    • Enable / Disable: Use this to enable (default) or disable a policy. If a date range has been specified, the policy will automatically be disabled when the end of the configured date range is reached.
    • Set Policy as Perpetual: If the policy's date range has no end date, this field displays "Always On", meaning that the policy never expires.
    • Date Range: Use this field to specify a start and / or end date for the policy. If the Eternal option is selected, no date is required.
    • Policy Override: This overrides the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override.
    • Bi-Directional: If selected, the policy is applied when the policy's recipient is the sender, and the sender is the recipient.
    • Source IP Ranges (n.n.n.n/x): Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  8. Click on Save and Exit.
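
The matching options above (Addresses Based On, Applies From / To, Source IP Ranges and Bi-Directional) can be modeled offline to check which messages a planned bypass policy would cover before it is saved. This is an added example, not Mimecast code: the class and function names, the internal domain list and the sample addresses are constructed for illustration, and treating an empty Source IP Ranges list as "no restriction" is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # constructed sample value

@dataclass
class BypassPolicy:                  # hypothetical model of the fields described above
    based_on: str                    # "envelope", "header" or "both"
    from_scope: str                  # "everyone", "internal", "external", "domain", "address"
    to_scope: str                    # "internal", "domain" or "address"
    from_value: str = ""             # the "Specifically" field
    to_value: str = ""
    source_ranges: list = field(default_factory=list)  # CIDR strings, n.n.n.n/x
    bi_directional: bool = False

def scope_matches(scope, value, address):
    addr = parseaddr(address)[1].lower()
    domain = addr.rpartition("@")[2]
    checks = {"everyone": True,
              "internal": domain in INTERNAL_DOMAINS,
              "external": domain not in INTERNAL_DOMAINS,
              "domain": domain == value.lower(),
              "address": addr == value.lower()}
    return checks[scope]             # KeyError on an unknown scope

def sender_candidates(p, envelope_from, header_from):
    # "Both": header is listed first, so it is the value used when both match.
    env, hdr = ("envelope", envelope_from), ("header", header_from)
    return {"envelope": [env], "header": [hdr], "both": [hdr, env]}[p.based_on]

def matched_sender(p, scope, value, envelope_from, header_from):
    # Returns which sender address ("envelope" or "header") satisfied the scope.
    for label, addr in sender_candidates(p, envelope_from, header_from):
        if scope_matches(scope, value, addr):
            return label
    return None

def ip_allowed(source_ip, ranges):
    if not ranges:                   # assumption: no ranges configured means no IP restriction
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)

def policy_applies(p, envelope_from, header_from, rcpt, source_ip):
    if not ip_allowed(source_ip, p.source_ranges):
        return False
    if (matched_sender(p, p.from_scope, p.from_value, envelope_from, header_from)
            and scope_matches(p.to_scope, p.to_value, rcpt)):
        return True
    # Bi-Directional: the policy's recipient is the sender, and the sender is the recipient.
    return bool(p.bi_directional
                and matched_sender(p, p.to_scope, p.to_value, envelope_from, header_from)
                and scope_matches(p.from_scope, p.from_value, rcpt))
```

In this model, a policy based on "both" with an Internal Address scope matches a message whose envelope sender is external but whose header From is internal, while the same policy based on the envelope alone does not; that difference is worth checking when the bypass option is Disable Secure Messaging.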

Enforce Secure Messaging For Messages Sent to Specific Recipients

When using Secure Messaging, you will likely want to enforce the feature for messages sent to specific recipients, for example, a domain or a named group of recipients. This section outlines how to apply Secure Messaging to messages based on the message's recipient.

Ensure you have:

    • A Mimecast admin account with permissions to the Gateway | Policies menu.
    • At least one Secure Messaging definition.

You can enforce Secure Messaging for messages sent to specific recipients by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies.
  3. Click on Secure Messaging from the list of policy types on the page to view any policies already created.
  4. Click the New Policy button from the menu bar.
  5. Enter a description of the policy in the Policy Narrative text box.
  6. Use the Lookup button to select the Secure Messaging definition that should apply when the policy is triggered.
  7. Select which senders and recipients the policy should apply to in the Emails From and Emails To sections.

Secure Messaging only applies to messages from internal to external recipients. Be sure to consider this when selecting senders and recipients in this section.

  8. In the Validity section, optionally set:
    • The date range that the policy should be active. Use the Always On button to activate the policy continuously.
    • Policy Override to force the policy to apply when there are conflicting policies.
    • Source IP Ranges to specify if the policy should only apply when Mimecast receives a connection from the defined IPs.
  9. Do not set the Bi-Directional setting, as a Secure Messaging policy is for internal to external messages only.
  10. Click Save and Exit to apply the policy.

Next Steps

Once the policy is saved, any message that matches the sender and recipients specified will be delivered via Secure Messaging.
