
Deploy Email Gateway for Email Encryption Automation

Encrypt email automatically without changing the email client.

1. Demand Analysis

Currently there are many email security gateway products on the global market. They mainly provide functions such as anti-spam, anti-phishing and protection against other security threats, and they are usually integrated with data leak prevention as well, but all of them rely on analysing the cleartext email content in order to apply the corresponding security processing. They are very important for email security.

However, transmitting cleartext email content over the Internet is a security risk caused by an extremely insecure transmission mechanism, just as insecure as the cleartext HTTP transmission of websites. The global Internet has gradually moved from insecure HTTP transmission to secure, encrypted HTTPS transmission, but most email is still transferred in cleartext. Although some email servers have started using SSL/TLS for SMTP/IMAP to encrypt email transmission, similar to the HTTPS used to encrypt web transmission, this depends on every communicating server having deployed SSL/TLS encrypted transmission. If one party's server has not deployed SSL/TLS certificates, the cleartext content of the email is still transferred over the Internet, so the security of the confidential information in the email cannot be guaranteed. Even if all email servers implement SSL/TLS encrypted transmission, the email content is still stored in cleartext on the email server, which is also a serious security risk.

So what can be done? Please refer to the MeSign Fully Automatic Email Encryption and Signing Solution. Users can use the MeSign APP to implement fully automatic end-to-end email encryption, which not only secures email communications without relying on SSL/TLS deployment on the email server, but also ensures that the emails stored on the email server are encrypted, truly protecting the confidential information in the email.

This solution makes end-to-end email encryption easy for users, but it raises two issues that users are concerned about.

The first issue: if a user has deployed an email security gateway, the gateway cannot decrypt encrypted email, so its email security management functions are lost. What should they do? What if the encrypted email is spam or a malicious email? What if confidential information of the organization is leaked and the data leak prevention function of the email security gateway no longer works? These are all practical issues that must be solved before email can be fully encrypted.

The second issue is that, to achieve fully automated email encryption, users must replace the email client software they are using with a new email client, the MeSign APP. Some organizations may not be able to meet this requirement.

2. MeSign Solutions

MeSign Technologies is committed to providing users with a fully automated and practical email encryption solution. To solve the above two practical issues, we provide the following two solutions:

  1. Deploy the MeSign Email Cryptographic Gateway (MECG), which docks to the existing email security gateway and is responsible for decrypting encrypted email and encrypting email that needs to be encrypted.
  2. Deploy the MeSign Email Security Gateway (MESG), which realizes fully automatic email encryption and decryption without replacing the email client software.

2.1. MeSign Email Cryptographic Gateway Introduction

To help users who have already deployed an email security gateway solve the problem of being unable to handle encrypted email, MeSign Technologies has developed the MeSign Email Cryptographic Gateway (MeSign Gateway) for docking with the email security gateway. As shown in the diagram on the left below, the problem can be solved with only slight modifications to the email security gateway product.

It works like this: after receiving an encrypted email, the email security gateway submits it to the MeSign Gateway, which decrypts the email and returns the cleartext to the email security gateway. The email is then processed in the same way as a normal cleartext email. If no security problem is found, the encrypted email is released; if there is a security problem, the email security gateway handles it the same way it handles normal cleartext emails. If the original encrypted email is released, the employee must have email client software capable of decrypting it; if the employee's email client cannot decrypt email, the decrypted cleartext email is released instead. This is the email decryption function provided by the MeSign Gateway.

The MeSign Gateway can decrypt encrypted emails because it has access to the encryption key needed for decryption. Users can upload their existing encrypting certificate to the MeSign Gateway. If the encrypting certificate is issued by MeSign CA, the MeSign Gateway automatically connects to the MeSign Key Management System (MeSign KM) to retrieve the user's encryption key and decrypt the email. The email user must be a MeSign APP user, or the user's organization must have purchased the MeSign Key Management Service for this user.

If the user sends and receives email with the MeSign APP, encrypted emails are sent automatically. If the user does not use the MeSign APP but needs to send encrypted emails, the user must set the email security gateway as the SMTP server (most email security gateways provide this function). Once the email security gateway receives the user's outgoing email, it submits the cleartext email to the MeSign Gateway, which encrypts it and returns the encrypted email to the email security gateway. The email security gateway then sends the encrypted email to the recipient's mail server. This is the email encryption function of the MeSign Gateway, which meets users' need for end-to-end automated email encryption without changing their email client.
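The two directions described above (decrypt, inspect, release; and encrypt outgoing cleartext for the recipient) can be reproduced end to end with standard S/MIME tooling. The following shell script is an added example, not MeSign's code and not the MeSign Gateway API: it uses the openssl CLI (assumed to be on PATH), a recipient certificate and private key generated on the spot as constructed test data (standing in for the certificate issued by the CA and the key the key management system would return), and a single keyword check standing in for the security gateway's cleartext inspection.

```shell
#!/bin/sh
# Added example, not MeSign's code: a minimal "cryptographic gateway" round
# trip using the openssl CLI (S/MIME enveloped-data). Assumes openssl is on
# PATH; the recipient certificate and key below are constructed test data.
set -eu

WORK=$(mktemp -d)

# Constructed recipient identity: self-signed, valid one day, no passphrase.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice@example.test" \
  -keyout "$WORK/alice.key" -out "$WORK/alice.crt" >/dev/null 2>&1

# Encryption function: the cleartext message handed over by the SMTP path
# becomes an S/MIME enveloped message for the recipient's certificate.
gateway_encrypt() {  # $1 = cleartext message, $2 = encrypted output
  openssl smime -encrypt -aes256 -in "$1" -out "$2" "$WORK/alice.crt"
}

# Decryption function: the gateway decrypts with the key fetched for the
# recipient and hands the cleartext to the scanning step.
gateway_decrypt() {  # $1 = encrypted message, $2 = cleartext output
  openssl smime -decrypt -in "$1" -out "$2" \
    -recip "$WORK/alice.crt" -inkey "$WORK/alice.key"
}

# Scanning step, standing in for the security gateway's cleartext checks:
# one anti-leakage keyword. Returns 0 = clean, 1 = policy hit.
scan_cleartext() {  # $1 = cleartext message
  if grep -qi "CONFIDENTIAL-PROJECT" "$1"; then
    return 1
  fi
  return 0
}

# Inbound pipeline: decrypt, scan, decide. Prints RELEASE or INTERCEPT.
gateway_verdict() {  # $1 = encrypted message
  gateway_decrypt "$1" "$WORK/clear.eml"
  if scan_cleartext "$WORK/clear.eml"; then
    echo RELEASE      # the original encrypted email is passed on unchanged
  else
    echo INTERCEPT    # handled like any cleartext email with a problem
  fi
}

# Sanity check on the stored/transferred form: the keyword must not be
# visible in the envelope. Returns 0 if it is absent.
envelope_hides_keyword() {  # $1 = encrypted message
  if grep -qi "CONFIDENTIAL-PROJECT" "$1"; then
    return 1
  fi
  return 0
}

# Constructed sample messages as they would be handed to the gateway.
printf 'From: bob@example.test\nTo: alice@example.test\nSubject: lunch\n\nLunch at noon?\n' \
  > "$WORK/benign.eml"
printf 'From: bob@example.test\nTo: alice@example.test\nSubject: plans\n\nAttached: CONFIDENTIAL-PROJECT roadmap.\n' \
  > "$WORK/leak.eml"
gateway_encrypt "$WORK/benign.eml" "$WORK/benign.p7m"
gateway_encrypt "$WORK/leak.eml"   "$WORK/leak.p7m"

echo "benign: $(gateway_verdict "$WORK/benign.p7m")"
echo "leak:   $(gateway_verdict "$WORK/leak.p7m")"
```

The script deliberately keeps the three roles separate (encrypt, decrypt, scan): the scanning step sees only the cleartext produced by the decryption step, exactly the hand-off the text describes between the security gateway and the cryptographic gateway, and the keyword that triggers the intercept is not present in the enveloped form that crosses the Internet or sits on the mail server.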

As shown in the diagram on the right above, if users want to manage their email encryption keys locally and independently, they can purchase the MeSign Enterprise Key Management System (EKMS) and deploy it on their premises. Employees obtain their encryption keys from it, and it manages employees' encryption keys locally. For key security, the enterprise KM system must not be connected to the Internet. Please also refer to "Establish Cryptography Key Management System On-Premise".

We welcome email security gateway vendors around the world to contact us and cooperate in adding automatic email encryption and decryption to their email security gateway products, meeting users' growing demand for email encryption and solving the problem of being unable to handle encrypted emails. MeSign Technologies provides the MeSign Gateway docking API documents and test interfaces free of charge, so that email security gateway vendors can test the email encryption and decryption functions of the MeSign Gateway without purchasing it. We will list all vendors that have completed the docking test on the MeSign website, making it convenient for MeSign users to purchase email security gateway products. Likewise, vendors who have completed the docking test are welcome to recommend the MeSign Gateway to their users to solve their email encryption issues.

2.2. MeSign Email Security Gateway Introduction

If users have not purchased or deployed any email security gateway, want to implement automatic email encryption and decryption, and do not want to or find it hard to replace the email client software they currently use, they can purchase the MeSign Email Security Gateway (MESG, referred to as the MeSign Mail Gateway). This is a new type of email security gateway product that integrates email encryption and decryption with the functions of a traditional email security gateway. Of course, the core function of this product is email encryption and decryption.

As shown in the diagram on the left below, the MeSign Mail Gateway must be connected to the Internet and set up with an IMAP/SMTP/Exchange domain name corresponding to the user's mail server settings, which can be resolved internally to an Intranet IP address. If employees need to reach the MeSign Mail Gateway when they are out of the office, the MeSign Mail Gateway needs a public IP address. Employees then only need to change the IMAP/SMTP/Exchange server setting to the domain name that points to the MeSign Mail Gateway. In addition, the gateway administrator needs to configure the parameters of the organization's email server in the MeSign Mail Gateway.

When users send email from their email clients, the email is sent to the MeSign Mail Gateway automatically. The Gateway retrieves the recipients' public keys from MeSign CerDB, encrypts the email and sends it to the user's email server, which delivers the encrypted email to the recipients. When recipients receive encrypted emails, the emails arrive at the MeSign Mail Gateway first; it retrieves the recipients' encryption keys from MeSign KMS and decrypts the emails so that the recipients can read them with any email client.

That is to say, sending encrypted email and decrypting received encrypted email are both done by the MeSign Mail Gateway, which makes them fully automatic without changing users' habits of using their familiar email clients. If the user uses the MeSign APP, the email is already encrypted before it is sent to the gateway. If the user uses other email client software, email security is still guaranteed, because the Gateway supports SSL/TLS by default and encrypts the email before it goes to the receiver's mail server, so the email is protected throughout the whole process.

If employees do not use the MeSign APP as their email client, users of the MeSign Mail Security Gateway need to purchase the MeSign Key Management Service for email encryption for each employee, so that the Gateway can automatically assign an encryption key to each employee and provide a fully automatic email encryption service.

Although the core function of the MeSign Mail Gateway is the automatic email encryption and decryption service, it also integrates the cloud anti-virus service provided by 360 Security Brain to check the security of the URLs and attachments in email (malware is recognized quickly by submitting the hash of the attachment or the URL), and integrates a smart recognition and spam interception system. It also provides a data leak prevention function: users can set anti-leakage keywords in the admin console, and all emails containing those keywords are automatically intercepted or automatically forwarded to the auditor's email address to wait for an audit and release instruction.
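The inspection side of such a gateway (hash lookup for attachments, URL checks, and keyword-based data leak prevention with an auditor queue) can be sketched as a small policy script. The following is an added example, not MeSign's code and not the 360 Security Brain service: it assumes the openssl CLI is on PATH (used only for SHA-256), that the attachment has already been extracted from the decrypted message into a separate file, and uses constructed blocklists, keyword lists and messages; the one blocked hash is the standard SHA-256 test vector for the string "abc".

```shell
#!/bin/sh
# Added example, not MeSign's code: the inspection step of an email security
# gateway on an already-decrypted message. Assumes openssl on PATH; all
# lists, messages and attachments below are constructed test data.
set -eu

WORK=$(mktemp -d)

# Constructed reputation data standing in for the cloud lookup service.
# The hash is SHA-256("abc"), a standard test vector, marked as malicious here.
BLOCKED_HASHES="$WORK/blocked_hashes.txt"
printf 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n' > "$BLOCKED_HASHES"
BLOCKED_URLS="$WORK/blocked_urls.txt"
printf 'http://malware.example.invalid/payload\n' > "$BLOCKED_URLS"
# Anti-leakage keywords, as an administrator would configure them.
DLP_KEYWORDS="$WORK/keywords.txt"
printf 'project-falcon\nsalary-table\n' > "$DLP_KEYWORDS"

extract_urls() {  # $1 = cleartext message; prints one URL per line
  grep -oE 'https?://[^[:space:]<>"]+' "$1" | sort -u
}

attachment_hash() {  # $1 = attachment file; prints lowercase hex SHA-256
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

hash_is_blocked() {  # $1 = hex digest; returns 0 if on the blocklist
  grep -qiFx "$1" "$BLOCKED_HASHES"
}

url_is_blocked() {  # $1 = URL; returns 0 if on the blocklist
  grep -qFx "$1" "$BLOCKED_URLS"
}

has_dlp_keyword() {  # $1 = cleartext message; returns 0 if any keyword appears
  grep -qiFf "$DLP_KEYWORDS" "$1"
}

# Policy: threats are intercepted outright; DLP hits are held for the auditor;
# everything else is released. Prints INTERCEPT, FORWARD_TO_AUDITOR or RELEASE.
inspect_message() {  # $1 = cleartext message, $2 = attachment file or ""
  if [ -n "$2" ] && hash_is_blocked "$(attachment_hash "$2")"; then
    echo INTERCEPT
    return 0
  fi
  for url in $(extract_urls "$1"); do
    if url_is_blocked "$url"; then
      echo INTERCEPT
      return 0
    fi
  done
  if has_dlp_keyword "$1"; then
    echo FORWARD_TO_AUDITOR
    return 0
  fi
  echo RELEASE
}

# Constructed sample messages and attachments.
printf 'From: carol@example.test\nSubject: notes\n\nSee https://docs.example.test/handbook for details.\n' > "$WORK/clean.eml"
printf 'From: carol@example.test\nSubject: numbers\n\nUpdated salary-table attached.\n' > "$WORK/leak.eml"
printf 'From: eve@example.test\nSubject: urgent\n\nOpen http://malware.example.invalid/payload now.\n' > "$WORK/phish.eml"
printf 'abc' > "$WORK/bad.bin"               # hash matches the blocklist entry
printf 'quarterly report' > "$WORK/ok.bin"

for m in clean leak phish; do
  echo "$m: $(inspect_message "$WORK/$m.eml" "")"
done
echo "clean + bad attachment: $(inspect_message "$WORK/clean.eml" "$WORK/bad.bin")"
```

Hash-based checks only recognize content that is already known, which is why the text pairs them with keyword rules and an auditor queue; the ordering in inspect_message (threat checks before DLP) mirrors the page's distinction between mail that is intercepted and mail that is merely held pending a release instruction.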

As shown in the diagram on the right above, if users want to manage their encryption keys on their premises, they can purchase the MeSign Enterprise Key Management System (EKMS). The Enterprise KM system is deployed on the organization's Intranet and is used to retrieve employees' encryption keys for decrypting emails. To guarantee the security of the encryption keys, the Enterprise KM system should not be connected to the Internet.

Whether users purchase the MeSign Key Management Service or deploy the Enterprise Key Management System, the encryption keys can be used not only for encrypting emails but also for encrypting the organization's internal documents (if the user has purchased the MeSign Document D-signature Service). Employees who have the right to read an encrypted document can read it seamlessly, while employees who do not have that right cannot read it even if they obtain the encrypted file, which effectively protects confidential documents and prevents their leakage. That is to say, the encryption keys an organization purchases for its employees serve both email encryption and electronic document encryption, a cost-effective service for protecting the organization's confidential information with certificate-based encryption technology.

Users who have not yet purchased an email security gateway are welcome to purchase the MeSign Email Security Gateway. Please refer to the FAQ for more details about the MeSign Email Security Gateway.