
Google Message Encryption Administration Guide User Manual


Policy Enforced TLS

Stage 1: The sending server sends a message via TLS to the email protection
service, which will always accept TLS messages and process them according
to the TLS protocol. The message is encrypted from the sending server to the
email protection service.

Stage 2: A TLS connection is attempted between the email protection service
and your receiving mail server. If a TLS connection is not possible, the email
protection service will either defer the message or send the message
unencrypted, depending on your settings.

Without Policy Enforced TLS, you can set the email protection service to defer
all messages if TLS is not possible, or to deliver them.

With Policy Enforced TLS, you can name specific sender domains whose messages
must always be encrypted. If a message from one of these domains cannot be
encrypted with TLS, it is always deferred, regardless of the global setting.

The deferral message for inbound messages is:

451 STARTTLS is required for this sender - psmtp

The deferral is handled by the sending server. Most sending servers will
continue to attempt to send the message for up to five days.
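The following is an added example, not code from the guide or the product. It models the two-hop decision described in Stages 1 and 2 together with the 451 deferral, so an administrator can reason about what a given combination of the global "defer or deliver" setting and the Policy Enforced TLS sender list will do before changing it. The 451 text is the one quoted in the guide; everything else (the function names, the "250 OK" success reply, the treatment of the global deferral as returning the same 451 text, and the reading that an enforced domain needs TLS on both hops) is an assumption of this example.

```python
"""Model of the Policy Enforced TLS delivery decision described in the guide.

Added example, not the product's own code. It simulates the service's choice
for one message and the sending server's handling of a temporary 4xx reply.
"""
from dataclasses import dataclass, field
from enum import Enum

# Deferral reply quoted in the guide for inbound messages.
DEFERRAL_REPLY = "451 STARTTLS is required for this sender - psmtp"


class Outcome(Enum):
    DELIVERED_TLS = "delivered, encrypted on both hops"
    DELIVERED_PLAINTEXT = "delivered, unencrypted to your mail server"
    DEFERRED = "deferred, the sending server will retry"


@dataclass(frozen=True)
class TlsSettings:
    # Global behaviour when the service cannot open TLS to your mail server:
    # True = defer all messages, False = deliver them unencrypted.
    defer_all_when_no_tls: bool
    # Policy Enforced TLS: sender domains whose mail must always be encrypted.
    enforced_sender_domains: frozenset = field(default_factory=frozenset)


def sender_domain(address: str) -> str:
    """Domain part of an envelope sender, lower-cased for matching."""
    return address.rsplit("@", 1)[-1].lower()


def decide(sender: str, settings: TlsSettings,
           inbound_used_tls: bool, outbound_tls_available: bool):
    """Return (Outcome, SMTP reply) for one message.

    inbound_used_tls:       did the sending server use STARTTLS (Stage 1)?
    outbound_tls_available: can the service open TLS to your server (Stage 2)?
    Assumption of this example (not stated by the guide): an enforced sender
    domain needs TLS on both hops, so a failure on either hop yields the 451.
    """
    enforced = sender_domain(sender) in settings.enforced_sender_domains
    if enforced and not (inbound_used_tls and outbound_tls_available):
        return Outcome.DEFERRED, DEFERRAL_REPLY
    if outbound_tls_available:
        return Outcome.DELIVERED_TLS, "250 OK"   # constructed success reply
    if settings.defer_all_when_no_tls:
        # Assumed to use the same deferral text as the enforced case.
        return Outcome.DEFERRED, DEFERRAL_REPLY
    return Outcome.DELIVERED_PLAINTEXT, "250 OK"


def sender_should_retry(reply: str, hours_since_first_attempt: float,
                        max_days: int = 5) -> bool:
    """Sending-server side: a 4xx reply is temporary, so the message stays
    queued and is retried until the queue lifetime expires (the guide says
    most servers keep trying for up to five days)."""
    return reply[:3].startswith("4") and hours_since_first_attempt < max_days * 24


if __name__ == "__main__":
    # Constructed scenario: partner.example is on the enforced list, and your
    # receiving server happens to be unable to negotiate TLS right now.
    settings = TlsSettings(defer_all_when_no_tls=False,
                           enforced_sender_domains=frozenset({"partner.example"}))
    for sender in ("ceo@partner.example", "news@other.example"):
        outcome, reply = decide(sender, settings,
                                inbound_used_tls=True, outbound_tls_available=False)
        print(f"{sender:>22}: {outcome.value} ({reply})")
    print("retry after 1 day?", sender_should_retry(DEFERRAL_REPLY, 24))
    print("retry after 5 days?", sender_should_retry(DEFERRAL_REPLY, 5 * 24))
```

Running the scenario shows the practical difference between the two settings: mail from the enforced domain is held back with the 451 reply while mail from any other domain is handed to your server in the clear, which is exactly the exposure the global "defer all" setting closes.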

As noted above, messages are decrypted in memory for virus and junk mail
processing, then encrypted again when sent to you. In some instances, mail
delivered via TLS is stored unencrypted:

Spooled mail. During disaster recovery, spooled messages are stored
unencrypted in our secure network, and then encrypted when delivered from
the spool to your mail servers.

Quarantined messages. Quarantined messages are stored unencrypted in
our secure network, and then delivered encrypted to your mail server when
delivered from the Message Center. Both the quarantine summary message
links and the Message Center allow users to display the messages in a
browser via HTTP (not secure).

As part of your security policy, you may wish to disable the message links in the
quarantine summary and Message Center. This ensures end-to-end secure
delivery by requiring users to deliver messages from the quarantine summary or
Message Center to their inboxes, where they arrive over TLS. However, since the
risk of falsely quarantining valid email is small, you may choose to retain the
convenience of viewing messages through the quarantine summary or Message
Center.