Password modes

The gateway supports the following “password modes”:

  • Use a pre-defined static password.

  • Randomly generate a password. The password will be sent back to the sender of the message.

  • Randomly generate a password. The password will then be sent by SMS Text to the recipient.

  • Generate a one time password (OTP).

  • Sender specified password.

Static password mode

With the “static password mode”, a pre-defined password is used for PDF encryption. A static password can be configured per recipient or per domain.

Important

To make sure that the password will never expire, either set “Validity interval” to -1 or set the advanced password setting “Date last generated” to an empty value.

Generate password to originator

If “Generate password to originator” is enabled, a password will be securely generated and the generated password will then be sent back to the sender of the email. The sender is then responsible for delivering the passwords to the recipients in a secure manner.

Send password by SMS Text

With the “Send password by SMS Text” mode, a password for the PDF will be securely generated and sent by SMS Text to the recipient. This requires that the SMS gateway is set up correctly, that a user is available for the email address and that the recipient’s telephone number is configured in the user settings of that user. Alternatively, if the user is allowed to add a telephone number to the subject, the mobile number can be read from the subject line of an email.

One time password (OTP)

If enabled, a PDF password will be securely generated using a one time password algorithm. The recipient should log in to the portal to retrieve the PDF password. The OTP mode requires that the portal functionality is set up correctly.

Sender specified password

With a “subject Password Trigger” the sender can specify a password on the email subject line. The password is extracted from the subject line and is then used to encrypt the email using PDF encryption. To prevent the sender from selecting a weak password, a password policy can be defined. If the password is not strong enough, the email will not be sent and the sender will be notified.

Note

Pro/Ent only: If Webmail Messenger is used, it is advised to configure OTP mode for Webmail Messenger because it has additional features such as 2-factor authentication.

Portal

The CipherMail gateway contains a built-in portal which is used by external recipients to reply to a PDF and to retrieve PDF passwords for OTP mode. The portal should be configured before the PDF reply functionality or OTP mode can be used. The global PDF portal settings can be configured using the portal sub-menu from the global settings page (Setting ‣ Portal). For details on portal settings see Subject triggers.

Password mode config

This section explains how to configure PDF encryption with one of the supported password modes.

Static password

This section will explain how to configure PDF encryption with static passwords. To enable static password mode, the following steps are required:

  • Enable PDF encryption

  • Set a static PDF password

  • Edit PDF encryption template

Enable PDF encryption

To allow PDF encryption, the following settings should be set:

Encrypt Mode

should be set to “Allow”

PDF enabled

should be enabled.

Set a static PDF password

A new user object for the external recipient should be added (click Add user on the left-hand side menu). Then set the password for the user.

Edit PDF encryption template

The encrypted PDF will be attached to a new email. The new email is based on the “Encrypted PDF” template. The template can be edited from the templates page (Setting ‣ Template). On the template page, select the template “Encrypted PDF”, change the template and click Apply.

Generate password to originator

With the “Generate password to originator” mode, a PDF password will be automatically generated and sent back to the sender. To enable “Generate password to originator” mode, the following steps are required:

  • Enable PDF encryption.

  • Enable “Generate password to originator”

  • Set password validity interval

  • Set password generated length

  • Edit PDF encryption template

Enable PDF encryption

To allow PDF encryption, the following settings should be set:

Encrypt Mode

should be set to “Allow”

PDF enabled

should be enabled.

Enable Generate password to originator

For the global settings, enable the PDF setting “Generate password to originator”.

Note

The generated passwords will be sent back to the sender by email. The template for this email can be edited by selecting the “Password notification” template.

Set password validity interval

By default, a new password will be generated for every new message. The time (in minutes) a generated password will be valid can be set by changing the “Validity interval” setting. If the validity interval is set to a value other than 0 and the existing password has not expired, a new password will not be generated and the existing password will be used.

Set password generated length

The length of the randomly generated password is by default 16 bytes (128 bits). The length of the generated password can be set using the advanced password setting “Generated length”.

Important

Make sure the generated password is long enough to make brute-force guessing of the password harder.
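
The validity interval and generated length rules above can be modelled as follows. This is an added example, not CipherMail code: the function names, the per-recipient `state` record and the base32 text encoding are assumptions, and the rule that -1 or an empty “Date last generated” means “never expires” is taken from the static password note on this page.

```python
import base64
import secrets
from datetime import datetime, timedelta, timezone

DEFAULT_LENGTH_BYTES = 16  # page default: 16 bytes (128 bits)


def is_expired(validity_minutes, last_generated, now):
    """Expiry rule as described on this page (a model, not gateway code)."""
    if validity_minutes == -1 or last_generated is None:
        return False  # -1 or empty "Date last generated": never expires
    if validity_minutes == 0:
        return True   # 0: every new message gets a new password
    return now >= last_generated + timedelta(minutes=validity_minutes)


def generate_password(length_bytes=DEFAULT_LENGTH_BYTES):
    """Draw length_bytes from the OS CSPRNG; base32 encoding is an assumption."""
    raw = secrets.token_bytes(length_bytes)
    return base64.b32encode(raw).decode("ascii").rstrip("=").lower()


def password_for_message(state, validity_minutes, now,
                         length_bytes=DEFAULT_LENGTH_BYTES):
    """Return (password, newly_generated) for one outgoing message.

    state is a hypothetical per-recipient record holding 'password'
    and 'last_generated'; it is updated when a new password is made.
    """
    current = state.get("password")
    if current and not is_expired(validity_minutes,
                                  state.get("last_generated"), now):
        return current, False  # still valid: reuse the existing password
    state["password"] = generate_password(length_bytes)
    state["last_generated"] = now
    return state["password"], True


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed date
    recipient = {}
    for offset in (0, 30, 61):  # minutes after the first message
        pw, fresh = password_for_message(
            recipient, 60, now + timedelta(minutes=offset))
        print(offset, "new" if fresh else "reused", len(pw) * 5 // 8, "bytes")
```

A non-zero validity interval means one password protects every PDF sent to that recipient during the interval, so the interval and the generated length should be chosen together.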

Edit PDF encryption template

The encrypted PDF will be attached to a new email. The new email is based on the “Encrypted PDF” template. The template can be edited from the templates page (Setting ‣ Template). On the template page, select the template “Encrypted PDF”, change the template and click Apply.

Send password by SMS

With the “Send password by SMS” mode, a PDF password will be automatically generated and the password will be sent by SMS Text to the recipient’s configured telephone number. This mode requires that the SMS gateway is set up correctly.

To enable SMS mode, the following steps are required:

  • Enable PDF encryption

  • Allow SMS

  • Set recipient’s mobile number

  • Set password validity interval

  • Set password generated length

  • Edit PDF encryption template

Enable PDF encryption

To allow PDF encryption, the following settings should be set:

Encrypt Mode

should be set to “Allow”

PDF enabled

should be enabled.

Allow SMS

By default, senders are not allowed to send SMS Text messages. To allow the sender to send SMS Text messages, the “Send SMS” setting should be selected for the sender and the recipient.

Set recipient’s phone number

The generated password will be sent by SMS Text to the recipient. The gateway therefore has to know the phone number of the recipient. A user object for the recipient should be added and the SMS “Phone number” should be set (Setting ‣ SMS). The phone number should be in international format (i.e., it should start with a country code).

Note

Instead of explicitly setting the mobile number of the recipient, the sender can also add the phone number to the subject line of the email.

Set password validity interval

By default, a new password will be generated for every new message. The time (in minutes) a generated password will be valid can be set by changing the “Validity interval” setting. If the validity interval is set to a value other than 0 and the existing password has not expired, a new password will not be generated and the existing password will be used.

Set password generated length

The length of the randomly generated password is by default 16 bytes (128 bits). The length of the generated password can be set using the advanced password setting “Generated length”.

Important

Make sure the generated password is long enough to make brute-force guessing of the password harder.

Edit PDF encryption template

The encrypted PDF will be attached to a new email. The new email is based on the “Encrypted PDF via SMS” template. The template can be edited from the templates page (Setting ‣ Template). On the template page, select the template “Encrypted PDF via SMS”, change the template and click Apply.

One Time Password (OTP)

With the one time password mode, a password will be generated using a “One Time Password” (OTP) algorithm. The generated passwords will be based on the “Client Secret” of the recipient and the “Password ID” of the email. Because the “Password ID” of the email will always be different for every PDF, the generated password will be different for every PDF. To enable OTP mode, the following steps are required:

  • Enable PDF encryption

  • Enable OTP

  • Enable Auto create client secret

  • Enable Auto invite

  • Set password generated length

  • Edit PDF encryption template

Enable PDF encryption

To allow PDF encryption, the following settings should be set:

Encrypt Mode

should be set to “Allow”

PDF enabled

should be enabled.

Enable OTP

Enable the PDF setting “OTP enabled”.

Enable Auto create client secret

The “Client secret” of a recipient is used for generating the unique PDF password. Every recipient therefore requires a “Client secret”. The gateway will automatically generate a random client secret for a recipient if the setting “Auto create client secret” is enabled and the recipient does not have a client secret yet.
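
The relationship between “Client secret”, “Password ID” and the PDF password can be illustrated as follows. This is an added example, not CipherMail code: the page does not name the OTP algorithm, so HMAC-SHA256, the base32 encoding, the function names and the sample Password IDs are all assumptions chosen to show the behaviour described above.

```python
import base64
import hashlib
import hmac
import secrets


def create_client_secret(length_bytes=16):
    """Stand-in for "Auto create client secret": a random per-recipient secret."""
    return secrets.token_bytes(length_bytes)


def derive_pdf_password(client_secret, password_id, length_bytes=16):
    """Derive the per-PDF password from the client secret and Password ID.

    HMAC-SHA256 is an assumed construction. Anyone holding the client
    secret can recompute every password derived from it, so the secret
    must be protected like a long-lived key.
    """
    if not client_secret:
        raise ValueError("recipient has no client secret")
    if not 1 <= length_bytes <= hashlib.sha256().digest_size:
        raise ValueError("length_bytes must be between 1 and 32")
    mac = hmac.new(client_secret, password_id.encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b32encode(mac[:length_bytes]).decode("ascii").rstrip("=").lower()


def portal_lookup(secrets_by_recipient, recipient, password_id):
    """What a portal could do after login: recompute, never store, the password."""
    secret = secrets_by_recipient.get(recipient)
    if secret is None:
        return None  # no client secret yet: nothing can be derived
    return derive_pdf_password(secret, password_id)


if __name__ == "__main__":
    # Constructed sample data: recipient address and Password IDs are made up.
    store = {"alice@example.com": create_client_secret()}
    for pid in ("pdf-0001", "pdf-0002"):
        print(pid, portal_lookup(store, "alice@example.com", pid))
```

Because the password is a function of the secret and the Password ID, the sending side and the portal arrive at the same value independently, and each PDF gets a different password without any password being stored.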

Enable Auto invite

A recipient needs to log in to the portal to generate the one time password of the PDF. The recipient therefore requires a portal password. If the “Auto invite” option is enabled and there is not yet a portal password for the recipient, an invite link will be added to the email. After clicking the invite link, the recipient can choose a portal password for the portal account. Alternatively, the portal password can be set by the gateway administrator.

Set password generated length

The length of the randomly generated password is by default 16 bytes (128 bits). The length of the generated password can be set using the advanced password setting “Generated length”.

Important

Make sure the generated password is long enough to make brute-force guessing of the password harder.

Edit PDF encryption template

The encrypted PDF will be attached to a new email. The new email is based on the “Encrypted PDF OTP” or “Encrypted PDF OTP invite” template. The “Encrypted PDF OTP invite” template is used for the first invite email. The template can be edited from the templates page (Setting ‣ Template). On the template page, select the template “Encrypted PDF OTP” or “Encrypted PDF OTP invite”, change the template and click Apply.

Configure PDF reply

To enable the PDF reply option, the following steps are required:

  • Configure portal base URL

  • Enable PDF reply

  • Open the firewall to allow access to the portal

Configure portal base URL

The “Base URL” defines the base URL on which the portal functionality is accessible for external users. It should be a fully qualified URL which can be resolved externally. Portal URLs, like for example the reply link URL and portal login URL, are based on the “Base URL”. The “Base URL” should be configured as follows:

https://www.example.com/web/portal

Where www.example.com should be replaced by the real domain name.

Enable PDF reply

Enable the global advanced PDF setting “Reply allowed”.

Open the firewall to allow access to the portal

The PDF reply page must be accessible to remote users at the URL:

https://www.example.com/web/portal/pdf/reply

Make sure the firewall allows access to the reply URL for external recipients.