Password Settings

Select the SPX password service method, and customize the messages sent for registration and password notification.

Important
Before selecting one of the following options, review the Password Management Comparison section of the Password Management documentation. Each of these password services has different advantages, so it is best to choose the one that best suits your organization's needs.
  1. Select the option button for the type of password service you want to use with this template.
    1. Select Allow the message recipient to choose their own password if you want to require recipients to register using the SPX Secure Email Portal before they can receive SPX-encrypted email messages. New recipients are sent a registration link. Delivery of any SPX-encrypted mail sent to them is delayed until they have registered. Any mail sent to newly registered recipients is encrypted with the password that was used to register.

      Selecting this method automatically enables the password component of the SPX portal. After adding this template, you should review the portal settings by clicking Settings on the SPX tab of the Configuration > Policy > Encryption page.

    2. Select Encrypt the message with a generated password if you want the appliance to generate a random password. This password will be used to encrypt messages sent to the recipient. A separate, unencrypted message that contains the generated password will be delivered to the message sender. The sender must securely communicate this password to the recipient, so that recipients can decrypt the SPX-encrypted messages that are sent to them.
    3. Select Encrypt the message with a sender-specified password if you want senders to be able to select a specific password for the recipient. This password will be used to encrypt messages sent to the recipient. A separate, unencrypted message that contains the password can optionally be delivered to the message sender. The sender must securely communicate this password to the recipient, so that recipients can decrypt the SPX-encrypted messages that are sent to them.
      Note
      • If a message is sent to a recipient who is not in a group that triggers the policy for sender-specified passwords, the message will not be encrypted, and the password will not be removed from the subject line before the email is delivered to the recipient.
      • Messages sent to multiple recipients will be encrypted using the same sender-specified password. The sender must communicate the password to each of the recipients.
      • Password recovery options are not available for sender-specified passwords.
    4. Select Use a custom remote authentication service to assign passwords if you want the appliance to retrieve passwords from your own existing authentication infrastructure. This password will be used to encrypt messages sent to the recipient. To use this method, a web service must have been created within your environment, and it must integrate with your existing authentication infrastructure. Visit the Sophos Support Knowledgebase for an example of how to configure the web service, or contact Sophos Professional Services for assistance.
      Note
      If you select this password method, the End user password options section of the Password Settings page is unavailable (grayed out).
  2. [Sender-specified passwords only] The sender must specify a password in the subject line of the email that they want to encrypt. The password must:
    • Be enclosed in the same brackets that you have configured below.
    • Follow the tag you have specified, separated by a colon (":").
    • Appear at the beginning of the subject line.
    Note
    Passwords can only contain letters, numbers and the following characters: !@#$%+=,.. Messages with invalid passwords will not be sent, and will be returned to the sender, the administrator, or both, depending on your configuration.

    In the Password settings section:

    1. Select the bracket type you want to use from the Bracket type drop-down list.
    2. In the Prefix text box, enter the prefix that senders should use.
      Note
      The prefix can be a maximum of fifteen characters long.
    3. [Optional] Select the Notify password sender by email option to send a notification email to the password sender.
  3. Click the Configure button to customize the subject and text of the notification email.
  4. [Optional] If you want a separate password to be issued each time a message is sent, select Always generate a new password.
  5. In the End user password options section, configure the features that you want to make available to message recipients.

    It is best to decide which of these password options you want to make available to end users during the initial configuration and deployment of SPX encryption. Although you can edit the settings later, this could pose problems for senders and recipients.

    If you decide, for example, to enable password reset or recovery after SPX has been deployed, those who were previously issued passwords will not automatically have access to reset or recovery. The same is true for SPX recipients whose passwords were issued before end user password features were added to the Email Appliance. For more information, see "Using SPX Passwords" in the SPX End User Experience section.

    Select one or more of the following:

    • Password change: Allows users to replace their existing passwords with new passwords. Users are prompted to enter the current password before submitting a new password.
    • Password reset: Allows users to create a new password if the previous password has been forgotten. Users are prompted to enter answers for the configured number of questions (see description in "questions" option below) before a new password is issued. Passwords can also be reset by the administrator using the Account reset option on the SPX Encryption tab.
    • Password recovery: Allows users to retrieve a forgotten password. Users are prompted to enter answers for the configured number of questions (see description in "questions" option below) before the password is recovered.
    • Require (n) password challenge question(s) for reset/recovery: This option is unavailable (grayed out) unless you select "Password reset" and/or "Password recovery." When you do so, recipients are prompted to establish at least one challenge question that must be answered to reset or recover a password. Recipients should be encouraged to select questions with answers that others are unlikely to guess. You can choose to have users answer 1-3 questions. The default is 3.

    Selecting any of the options above automatically inserts text on the next page of the wizard (Recipient Instructions) that contains an associated template variable. Each variable creates a URL that recipients can click to access the appropriate password page on the SPX Secure Email Portal.

    If you attempt to apply any of these options to an existing or customized template, the text will remain unchanged.

    You can customize the recipient instructions text as necessary, but for each option selected here, ensure that the associated template variable is preserved on the Recipient Instructions page. If the selected features do not match the included template variables, a warning message is displayed. A match is required to create an active link to the appropriate SPX portal page.

    Important
    Recipients should understand that a new password only applies to encrypted messages received after the password has been reset or changed. Recipients must use the password that was active during the period that encrypted messages were sent in order to access those messages.
  6. Optionally, configure a Fallback template.
    You can configure a different SPX Template to be used as a fallback template. If SPX encryption fails, it will use the Fallback template if one is selected here.
  7. Click Previous to configure PDF email attributes or Next to configure the recipient instructions.
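
The subject-line rules for sender-specified passwords in step 2 can be checked with a short script, shown here as an added example that is not Sophos code or part of the original documentation. It parses a tag at the start of the subject, validates the password against the documented character set, and flags subjects that still carry a tag, which is the case the note in step 1 describes when the policy does not trigger. The tag layout `[prefix:password]`, the bracket names, the sample prefix "pw", case-sensitive prefix matching and ASCII-only letters are assumptions.

```python
import re

# Assumptions (not from the Sophos documentation): the bracket pairs below,
# the sample prefix "pw", exact-case prefix matching, ASCII letters/digits.
BRACKETS = {"square": ("[", "]"), "round": ("(", ")"), "curly": ("{", "}")}
# Letters, numbers and the special characters the page lists: !@#$%+=,.
ALLOWED_PASSWORD = re.compile(r"[A-Za-z0-9!@#$%+=,.]+")
MAX_PREFIX_LEN = 15  # documented maximum length of the prefix


def parse_subject(subject, prefix="pw", bracket="square"):
    """Return (status, password, cleaned_subject) for one subject line.

    status is "ok", "invalid" (tag present but password rejected) or
    "absent" (no tag at the very start of the subject).
    """
    if not prefix or len(prefix) > MAX_PREFIX_LEN:
        raise ValueError("prefix must be 1-15 characters long")
    open_b, close_b = BRACKETS[bracket]
    head = open_b + prefix + ":"
    # The tag must be the first thing in the subject line.
    if not subject.startswith(head):
        return ("absent", None, subject)
    end = subject.find(close_b, len(head))
    if end == -1:
        return ("invalid", None, subject)  # opening bracket never closed
    password = subject[len(head):end]
    if not ALLOWED_PASSWORD.fullmatch(password):
        return ("invalid", None, subject)  # empty or disallowed characters
    # Strip the tag so the password is not delivered in the subject.
    return ("ok", password, subject[end + 1:].lstrip())


def leaks_password(subject, prefix="pw", bracket="square"):
    """Flag a subject that still carries a password tag anywhere in it.

    Intended as an outbound check on delivered or quoted subjects, for
    example a reply whose subject repeats an unstripped tag.
    """
    open_b, _ = BRACKETS[bracket]
    return (open_b + prefix + ":") in subject
```

Running `leaks_password` over outbound subjects for recipients outside the policy group shows where a password would be delivered in clear text.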