Secure Messaging

From Roaring Penguin
Revision as of 13:45, 10 August 2018 by JohnMertz (talk | contribs) (Secure Messaging Permissions)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Outbound Filtering Required

Email encryption requires that all outbound mail be relay through Roaring Penguin. Only messages matching one of the trigger rules, as discussed below, will be encrypted.

Hosted CanIt

If you are on Hosted CanIt you need to request outbound filtering as an administrator from My Domains->Request Outbound Filtering. You will receive a confirmation email with the routing information.

CanIt PRO or Domain-PRO

For on-premise users you need to set up a Setup->Known Networks entry with 'ar' (Allow Relaying), force it to an outbound stream and then point your mail server at an outbound node (Setup->Cluster Management).

Secure Messaging Permissions

By default, only administrators within the “base” realm have permissions to access Secure Messaging settings. In order for any account below the base level to manage their own Secure Messaging Settings, the permissions must be granted from Administration→Permissions page.

On Hosted CanIt we will assign these permissions for your re-seller admins when you sign up for the Secure Messaging.

In order to allow access to admins of a parent realm without allowing access to sub-realm admins, you can create a permission set for *localroot*. The required permissions are “Configure Secure Messaging” and “Edit Secure Messaging Rules” from the User Permissions page. Otherwise a permission set for *root* will be inherited to admins of sub-realms as well.

Note: The set of boxes that are pre-selected when creating a new permissions set will be more limited than what an admin normally has access to, so please review the remaining permissions as well. The Online Documentation link can teach you more about permissions.


Once permissions have been enabled, all affected users will gain access to the new secure messaging top-level menu. Secure Messaging settings are inherited in the same manner as all other stream settings. Thus if you go to Secure Messaging→Configure and “Enable Secure Messaging” for the 'default' stream, it will be enabled for all other streams in that realm, and any sub-realms. Because billing is done per configured stream, it is not recommended that you enable it from 'default' unless you absolutely want them all enabled. To enable it for select users, simply change to their stream and enable it from there.

Secure Messaging Rules

The Rules (or “triggers”) for Secure Messaging also inherit like all other settings, but defining them in the 'default' stream does not result in all streams being counted for billing. This means that if you only have a handful of users that are going to use Secure Messaging, but they are all going to use the same triggers, then you can define those in 'default', but enable it in only the streams you need.

There are generally two different approaches to triggers; active and passive. An active being a rule that requires the sender to specifically compose the message in a way that would hit a known rule. This is often something like:

   Subject Contains Encrypt

This can be made more or less specific by using different conditions, such as “Starts with” or “Matches RegExp”. Various email clients also have headers that can be added to mark the message as confidential. If the user is in the habit of using those headers already, it may be valuable to include a “Header Contains” rule to find that content.

Passive rules are those that will work without the sender having to intentionally trigger them. This can be used as a mechanism for Data Loss Prevention or compliance with rules such as:

   Body Contains Credit Card Number
   Body Matches RegExp ClientID: [0-9]{10}

This will automatically encrypt messages if the sender includes content that should not be allowed to be delivered unencrypted; in these examples credit card details and client information (specifically triggered by a 10 digit ClientID).

The rules work in the order that they are listed and can be moved up or down to change their precedence. This is helpful if you need to make exceptions such as:

   Subject Contains Encrypt AND Recipient Is

If this is placed above the more general rule with the action as “Normal Delivery” then all mail with “Encrypt” in the subject will be sent as Secure Messages unless it is to that recipient.


If a message has been identified as a Secure Message, deliver stops at Roaring Penguin. Instead, a notification is generated and sent to the intended recipient. The notification points the recipient to the Roaring Penguin Secure Messaging portal where they can view the message and reply to it from there.

If that recipient has never received a Secure Message before, they will be asked to create a Password for their account (which is simply their email address). You may wish to send new recipients an innocuous message the first time to ensure that their account is created securely before anything confidential has been sent.

The first time a specific sender triggers a secure messaging rule, they to will be notified of their secure messaging account which provides access to their “Sent” content or any replies. If the user already has login credentials for the Roaring Penguin spam portal, it will not require them to set up a new password.

More Information

This is a basic summary of setup and configuration. For more details see Chapter 11, "Secure Messaging" of the User's Guide