Administration Guide
Google, Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043
www.google.com
4 November 2008
Google, the Google logo, Google Message Filtering, Google Message Security, Google Message Discovery, Postini, the
Postini logo, Postini Perimeter Manager, Postini Threat Identification Network (PTIN), Postini Industry Heuristics, and
PREEMPT are trademarks, registered trademarks, or service marks of Google, Inc. All other trademarks are the property of
their respective owners.
Use of any Google solution is governed by the license agreement included in your original contract. Any intellectual property
rights relating to the Google services are and shall remain the exclusive property of Google, Inc. and/or its subsidiaries
(Google). You may not attempt to decipher, decompile, or develop source code for any Google product or service offering,
or knowingly allow others to do so.
Google documentation may not be sold, resold, licensed or sublicensed and may not be transferred without the prior written
consent of Google. Your right to copy this manual is limited by copyright law. Making copies, adaptations, or compilation works,
without prior written authorization of Google, is prohibited by law and constitutes a punishable violation of the law. No part of
this manual may be reproduced in whole or in part without the express written consent of Google. Copyright by Google, Inc.
Postini, Inc. provides this publication "as is" without warranty of any kind, either express or implied, including but not limited to the
implied warranties of merchantability or fitness for a particular purpose. Postini, Inc. may revise this publication from time to
time without notice. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions;
therefore, this statement may not apply to you.
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000 by Cold Spring Harbor Laboratory. Funded under Grant P41-
RR02188 by the National Institutes of Health.
Portions relating to JPEG copyright 2000, Doug Becker and copyright (C) 1994-1998, Thomas G. Lane.
This software is based in part on the work of the Independent JPEG Group.
Portions relating to WBMP copyright 2000 Maurice Szmurlo and Johan Van den Brande.
Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application,
provided that this notice is present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd,
not to interfere with your productive use of gd. If you have questions, ask. Derived works includes all programs that utilize the
This software is provided AS IS. The copyright holders disclaim all warranties, either express or implied, including but not
limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying
documentation.
Although their code does not appear in gd 1.8.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue
Software Corporation for their prior contributions.
Google assumes no responsibility in connection with the Compliance Policies lexicon-filtering feature, including any failure to
recognize credit card or social security numbers that do not follow an applicable pattern as established in Postini's systems or
any failure to encrypt a credit card or social security number.
Contents
How Inbox Delivery Works
Filtering
Reading Encrypted Messages
Inbox Delivery Branding
Set Up Inbox Delivery
Configure Encryption for an Organization
Configure Encryption for a User
View User Encryption Settings
Configure Content Manager for Message Encryption
Troubleshooting Inbox Delivery
Chapter 5: Reports
About Reports
View a Report
Policy-Enforced by Domain
Outbound External Encryption by Domain
Outbound External Encryption by Account
Outbound External Encryption Activity Log
Descriptions of features and data flow of Policy Enforced TLS and Message
Encryption.
This guide is intended for mail server administrators who are already familiar with
mail server configuration and security.
Related Documentation
For additional information about your email security service, refer to the following
related documents, which are available on the Support Portal. For details, see
How to Send Comments About This Guide on page 8.
Document Description
doc_comments@postini.com
Please specify in your email message the section to which your comment applies.
If you want to receive a response to your comments, ensure that you include your
name and contact information.
However, with the heightened concerns around privacy and confidentiality, best
effort is often not good enough. The need to deliver secure email regardless of a
business partner's capabilities calls for a solution that can handle both connection
and message security. Adding Message Encryption not only adds a management
layer to the TLS protocol that ensures a secure connection gateway-to-gateway,
it also includes options for one-to-one message encryption when gateway TLS
capabilities are unknown or not present.
Transport-Layer Security
Transport-Layer Security is supported for all customers using the Email Security
Service for the Enterprise (it is not a separate Encryption Services product).
Message encryption
TLS uses Public Key Infrastructure (PKI) to encrypt messages from mail
server to mail server. This encryption makes it more difficult for hackers to
intercept and read messages.
Authentication
TLS supports the use of digital certificates to authenticate the receiving
servers. Any certificate is supported, including self-signed certificates.
Authentication of sending servers is not always necessary in TLS. This
process verifies that the receivers (or senders) are who they say they are,
which helps to prevent spoofing. Advanced options include the ability to verify
proper certificate form, domain names, and certificate authority.
Organizations that have a dedicated outbound gateway that handles only TLS
traffic can utilize the Mandatory TLS option. This feature, when activated, will
monitor the TLS handshake inbound and outbound and only allow message
transmission when the TLS handshake is successful. Notification to the sender
occurs in real time if the message cannot be delivered.
For a full description of how TLS works, including key exchange information, see
Transport Layer Security for Inbound Mail in the Email Security Service
Administration Guide.
You can also customize the secure web portal used with Portal Delivery. With a
Custom Portal, you can add branding and additional features to the secure portal
your contacts see. A Custom Portal is an optional feature; for more information
about Custom Portals, contact your account representative.
The two forms of Message Encryption, Portal Delivery and Inbox Delivery, are
similar services, and function identically up to the point of delivery to the recipient.
You can only have one of them enabled.
When you send an outbound message, Policy Enforced TLS takes precedence
over Message Encryption. If a message is sent to a domain listed in Policy
Enforced TLS, the message will be sent via TLS if possible. If the message cannot
be sent via TLS, the message fails. It is not sent to Message Encryption.
This means all messages are always delivered directly to trusted partners' mail
servers, and recipients in domains you specify are not prompted to access
messages via the Message Encryption Secure Portal or Inbox Delivery.
Note: This applies to Release 6.12 and later. In earlier versions of the service,
Message Encryption took precedence over all forms of TLS, including Policy
Enforced TLS.
When you specify encryption for a specific sender or recipient, you can be sure
that these connections are always encrypted. If Policy Enforced TLS cannot
establish a TLS connection to the other server, the message will be deferred and
no mail will be sent.
Ability to configure security settings separately for specific domains. You can
name specific domains which will receive additional security. Domain-based
TLS is set for each mail server separately.
TLS configuration for inbound and outbound mail. Policy Enforced TLS can be
configured for inbound mail and outbound mail separately.
To set up Policy Enforced TLS for inbound or outbound mail requires the
following:
To set up Policy Enforced TLS for outbound mail requires the following
Setting up TLS on your server ensures that your confidential email is secure
throughout transmission. For information on implementing TLS on your mail
server, check your mail server documentation. If you are using multiple servers,
enable TLS on each server that routes mail to the email protection service.
For instructions on how to route your outbound mail through Outbound Services,
see the Outbound Services Configuration Guide.
For inbound mail traffic, the email protection service acts as a proxy between the
sending server and your mail server. Inbound messages are received through two
separate SMTP connections. The first connection is from the sending server to the
email protection service. The second connection is from the email protection
service to your mail server.
Without Policy Enforced TLS, you can set the email protection service to defer
all messages if TLS is not possible, or to deliver them.
With Policy Enforced TLS, you can name specific sender domains which must
be encrypted. If a message from one of these domains cannot be encrypted
with TLS, it will always be deferred.
The deferral is handled by the sending server. Most sending servers will
continue to attempt to send the message for up to five days.
As noted above, messages are decrypted in memory for virus and junk mail
processing, then encrypted again when sent to you. In some instances, mail
delivered via TLS is stored unencrypted:
Spooled mail. In the case of disaster recovery, spool messages are stored
unencrypted in our secure network, and then encrypted when delivered from
spool to your mail servers.
As part of your security policy, you may wish to disable the message links in the
quarantine summary and Message Center. This will ensure end-to-end secure
delivery, requiring users to deliver messages from quarantine summary or
Message Center to their inboxes. However, since the risk of falsely quarantining
valid email is small, you may choose to retain the convenience of viewing
messages through the quarantine summary or Message Center.
Stage 1: The first connection is from your mail server to the email protection
service. You can choose whether this connection uses TLS.
Stage 2: The second connection is from the email protection service to the
receiving mail server. If the exact recipient domain is in your list of domains for
Outbound TLS by Recipient Domain, the outbound security service will
connect via TLS to the receiving mail server.
If the recipient domain is set up for Policy Enforced TLS and TLS is not
available, the following deferral message for outbound messages is sent:
451 Recipient does not support STARTTLS - psmtp
The deferral is handled by your server. Most sending servers will continue to
attempt to send the message for up to five days.
Outbound mail sent to a domain that exactly matches one on the outbound sender
list will always be sent via TLS in the second step. The Policy Enforced TLS
settings override the standard TLS setting for that email config organization for these
domains.
If you have set up Certificate Validation, Policy Enforced TLS will drop the second
connection and send an error if the recipient's certificate does not meet your
validation requirements. See Certificate Validation on page 18 for more
information.
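Because the deferral is handled by your own server, its delivery log is where a failing partner domain first shows up. The following is an added example, not part of the guide or the service: it scans a sending server's log for the deferral text quoted above and reports, per recipient domain, how many messages are still queued and how much of the five-day retry window is left. The Postfix-style line layout with ISO timestamps, the relay host name, the addresses and the queue IDs are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Deferral text the guide quotes for a Policy Enforced TLS failure.
DEFERRAL_TEXT = "451 Recipient does not support STARTTLS - psmtp"
# The guide says most sending servers retry for up to five days; set this to
# your own server's queue lifetime.
RETRY_WINDOW = timedelta(days=5)

# Assumed log shape (Postfix-style smtp delivery line with an ISO timestamp):
#   <ts> <host> postfix/smtp[<pid>]: <queue id>: to=<rcpt>, ... status=<s> (<detail>)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+postfix/smtp\[\d+\]:\s+(?P<qid>[0-9A-F]+):\s+"
    r"to=<(?P<rcpt>[^>]+)>,.*?status=(?P<status>\w+)\s+\((?P<detail>.*)\)\s*$"
)


def _line(ts, qid, rcpt, status, detail):
    """Build one constructed log line in the assumed layout."""
    return (f"{ts} mail1 postfix/smtp[2101]: {qid}: to=<{rcpt}>, "
            f"relay=outbound.relay.example[192.0.2.10]:25, delay=2.1, "
            f"status={status} ({detail})")


TLS_FAIL = f"host outbound.relay.example[192.0.2.10] said: {DEFERRAL_TEXT}"

# Constructed sample log; hosts, addresses and queue IDs are made up.
SAMPLE_LOG = [
    _line("2008-11-04T09:00:00", "4A1B2C3D", "ann@partner.example", "deferred", TLS_FAIL),
    _line("2008-11-04T09:05:00", "5B2C3D4E", "bob@other.example", "deferred",
          "connect to mx.other.example[198.51.100.7]:25: Connection timed out"),
    _line("2008-11-04T09:30:00", "4A1B2C3D", "ann@partner.example", "deferred", TLS_FAIL),
    _line("2008-11-04T10:00:00", "6C3D4E5F", "carl@bank.example", "deferred", TLS_FAIL),
    _line("2008-11-04T12:00:00", "6C3D4E5F", "carl@bank.example", "sent",
          "250 2.0.0 Ok: queued as 9F8E7D"),
    _line("2008-11-08T08:00:00", "7D4E5F60", "dee@partner.example", "deferred", TLS_FAIL),
]


def scan_deferrals(lines, now, warn_within=timedelta(hours=24)):
    """Return {recipient domain: summary} for messages still deferred for TLS.

    A message counts as pending from its first STARTTLS deferral until a later
    line shows it was sent or bounced. Deferrals for other reasons are ignored.
    """
    first_seen = {}  # (queue id, recipient) -> time of first STARTTLS deferral
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m["qid"], m["rcpt"].lower())
        ts = datetime.fromisoformat(m["ts"])
        if m["status"] == "deferred" and DEFERRAL_TEXT in m["detail"]:
            first_seen[key] = min(ts, first_seen.get(key, ts))
        elif m["status"] in ("sent", "bounced"):
            first_seen.pop(key, None)  # no longer in the retry queue

    report = {}
    for (_qid, rcpt), ts in first_seen.items():
        domain = rcpt.rsplit("@", 1)[-1]
        entry = report.setdefault(domain, {"pending": 0, "oldest": ts})
        entry["pending"] += 1
        entry["oldest"] = min(entry["oldest"], ts)
    for entry in report.values():
        # Time left before the oldest queued message falls out of the retry window.
        entry["expires_in"] = entry["oldest"] + RETRY_WINDOW - now
        entry["at_risk"] = entry["expires_in"] <= warn_within
    return report


if __name__ == "__main__":
    for domain, info in scan_deferrals(SAMPLE_LOG, datetime(2008, 11, 8, 21, 0)).items():
        flag = "AT RISK" if info["at_risk"] else "ok"
        print(f"{domain}: {info['pending']} pending, oldest {info['oldest']}, "
              f"expires in {info['expires_in']} [{flag}]")
```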
1. In the Administration Console, click the Inbound Servers tab. Select your
email config organization, and click the TLS link.
2. If TLS is set to Send only SMTP, change it to allow TLS. The recommended
setting is SMTP or TLS. See Transport Layer Security for Inbound Mail in
the Email Security Service Administration Guide for more information on TLS
settings.
4. Enter the domain name you wish to set as TLS-only. Type the exact domain
name; wildcards and subdomains are not supported.
To remove one or more domains, check the domains you wish to delete and click
Delete Selected. The changes take effect immediately.
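Since only exact domain names match, mail for a subdomain of a listed partner is not covered by that entry. The following is an added example, not part of the guide or the Administration Console: it compares a Policy Enforced TLS domain list with the addresses you actually exchange mail with and reports subdomains that fall outside the list, plus entries that use unsupported wildcard forms. The function names, the sample domains and the case-insensitive comparison are assumptions.

```python
def normalise(domain):
    """Lower-case and drop a trailing dot (case-insensitive matching is an assumption)."""
    return domain.strip().rstrip(".").lower()


def audit_coverage(enforced_entries, addresses):
    """Classify each address's domain against an exact-match enforced list.

    Returns a dict with:
      invalid_entries      - list entries using wildcard or leading-dot forms,
                             which the guide says are not supported
      enforced             - domains that exactly match a list entry
      uncovered_subdomains - {domain: listed parent} for subdomains of a listed
                             domain that are not themselves listed
      not_listed           - every other domain seen
    """
    invalid = sorted(
        e for e in enforced_entries if "*" in e or e.strip().startswith(".")
    )
    enforced = {normalise(e) for e in enforced_entries if e not in invalid}

    report = {
        "invalid_entries": invalid,
        "enforced": set(),
        "uncovered_subdomains": {},
        "not_listed": set(),
    }
    for addr in addresses:
        domain = normalise(addr.rsplit("@", 1)[-1])
        if domain in enforced:
            report["enforced"].add(domain)
            continue
        # Walk up the name: a.b.partner.example -> b.partner.example -> partner.example
        labels = domain.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        parent = next((p for p in parents if p in enforced), None)
        if parent:
            report["uncovered_subdomains"][domain] = parent
        else:
            report["not_listed"].add(domain)
    return report


# Constructed sample data: a domain list and addresses taken from recent mail.
SAMPLE_ENFORCED = ["partner.example", "Bank.Example.", "*.vendor.example"]
SAMPLE_ADDRESSES = [
    "ann@partner.example",
    "bob@eu.partner.example",
    "carl@bank.example",
    "dee@mail.vendor.example",
    "eve@other.example",
]

if __name__ == "__main__":
    result = audit_coverage(SAMPLE_ENFORCED, SAMPLE_ADDRESSES)
    for name, value in result.items():
        print(f"{name}: {value}")
```

Each domain reported under `uncovered_subdomains` needs its own entry in the list if its mail must also require TLS.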
Before you can use Outbound TLS by Recipient Domain, set your mail server to
route outbound mail through the email protection service, and enable TLS on your
mail server. See About Policy Enforced TLS on page 13 for more information
about requirements.
1. In the Administration Console, click the Outbound Servers tab. Select your
email config organization, and click the TLS link.
2. If TLS is set to Accept only SMTP or Send only SMTP, change your
settings to allow TLS. The recommended setting is SMTP or TLS. See
Transport Layer Security for Outbound Mail in the Email Security Service
Administration Guide for more information on TLS settings.
3. Scroll to the Outbound TLS by Sender Domain section, at the bottom of the
page. If you do not see this section, you do not have Policy Enforced TLS
enabled. Contact your account representative for information.
To remove a domain, select the domain you wish to delete and click Remove. The
change takes effect immediately.
Certificate Validation
Policy Enforced TLS can analyze and validate TLS certificates, and block
sessions that use malformed or spoofed certificates. When outbound mail is sent
to a domain that is configured for Certificate Validation, Policy Enforced TLS
verifies the format, source, and domain of the certificate. You can specify different
validation settings for each domain.
Set up Certificate Validation for each domain on the Outbound TLS settings page,
under the heading Domain-Specific Setting for Outbound TLS.
2. If the domain is not already listed in Policy Enforced TLS, add the recipient
domain to Policy Enforced TLS.
Note: If you set up Certificate Validation, be sure to set up TLS Alerts as well, so
you will know if a problem occurs. For more information, see TLS Alerts on
page 22.
1. Under TLS Certificate Validation, select the default setting you wish to use.
TLS Alerts
Policy Enforced TLS is intended for secured business partners who intend to
encrypt all email communication between two parties. To prevent secure
messages from being transmitted in the open, Policy Enforced TLS will refuse
messages that come from specified domains when TLS sessions fail.
TLS Alerts inform your administrators when Policy Enforced TLS rejects a
message. If a TLS connection fails, this may indicate a problem which requires
immediate administrator action. With TLS Alerts, your administrators can detect
and correct security problems immediately.
WARNING: TLS Alerts are not enabled by default. You must set them up.
Set up, modify or disable TLS Alerts in the Administration Console using batch
commands.
3. Enter the following command into Step 2.5 and click Submit job:
modifyorg <orgname>, tls_notify_admin=<admin>, tls_notify_on=<interval>
orgname is the name of your email config organization. TLS Alerts are set on
the email config level, not the user or account level.
admin is the email address (or alias) of an administrator account. You can use
your own address or another address in any domain, as long as it is the
address or alias of an administrator for any organization.
interval shows how often an alert can be sent, in seconds. The minimum is
1 (no more than one message per second), and the maximum is 86400 (no
more than one message per day). After a Policy Enforced TLS problem
causes an alert, no more alerts will be sent for the time period specified. In
most cases, a 600 second default is recommended. To turn off TLS Alerts, set
the interval to 0.
3. Enter the following command into Step 2.5 and click Submit job:
modifyorg <orgname>, tls_notify_admin=<admin>, tls_notify_on=<interval>
orgname is the name of your email config organization. TLS Alerts are set on
the email config level, not the user or account level.
admin is the email address (or alias) of a new admin address to use. You can
use your own address or another address in any domain, as long as it is the
address or alias of an administrator for any organization.
4. Confirm the values by entering the following command into Step 2.5 and
clicking Submit job:
displayorg <orgname>
Alerts Description
The sender of TLS Alerts is:
<sender domain>
When Policy Enforced TLS blocks an outbound message, your administrator will
see the following alert:
Strong security to protect your confidential email, even across the Internet.
Your confidential mail is protected by 128-bit or better encryption during all
steps of transmission, and stored on a secure server for the recipient to read.
Ability to send secure messages to any recipients, even those who do not
have Transport-Layer Security (TLS) enabled on their mail servers.
Ability to receive secure replies to confidential mail, even from recipients who
do not have TLS enabled on their mail servers.
Requirements
Using Message Encryption requires that you route your mail through the message
security service. For instructions on how to do this, see the Outbound Services
Configuration Guide.
Billing
Billing for Message Encryption is based on the number of users that have
Message Encryption enabled in the Administration Console.
For details about pricing and other billing questions, contact your sales
representative.
3. Notification to Recipient
Portal Delivery sends a notification that informs the recipient of the message. The
notification includes a link to set up an account within the Secure Portal.
If the recipient replies to a message, Portal Delivery sends the reply back to the
email protection service, which routes the message to your inbox. Replies are
filtered by the email protection service using the same protection as any other
inbound messages.
Filtering
Before a message is routed to Message Encryption, the email security service
applies the same filter rules as all outbound mail.
The Email Security Service filters all mail before sending it to the portal. All
Attachment Manager or Virus filters still apply.
Brand Name
Color Scheme
Footer Text
Welcome Text
Password Requirements
Portal Timeouts
Domains Supported
Compose Mail
The ability to compose new messages is an optional feature that can be
purchased separately as part of a custom portal.
If you have a Custom Portal with the Compose feature enabled, anyone who
receives a message through Portal Delivery can use it to:
Compose new messages to the sender or any other address at your domain.
These messages are securely delivered directly to the recipient's inbox.
Save drafts of messages before sending them. Drafts are available in the
Drafts tab.
View messages that have previously been sent. Sent messages are visible in
the Sent Mail tab.
Prerequisites
Using Message Encryption, Portal Delivery requires that you route your mail
through Outbound Services. For instructions on how to do this, see the Outbound
Services Configuration Guide.
You will also need to enable Transport Layer Security (TLS) on your mail server.
Setting up TLS on your server ensures that your confidential email is secure
throughout transmission. For information on implementing TLS on your mail
server, check your mail server documentation. If you are using multiple servers,
enable TLS on each server that routes mail to the email protection service.
Also, you will need to enable Transport Level Security in the Administration
Console. For steps on setting up TLS in the Administration Console, see below.
To assure that all incoming mail routes properly, add the following MX records to
your DNS records with first priority:
This domain needs to be queried explicitly, including the zixvpm subdomain. If this
MX record is not added, replies and some other encrypted traffic will not be routed
properly. This MX record does not affect the filtering of an inbound message.
Contact your DNS server to change this setting. Because these are new MX
records, changes take place immediately. You do not need to add an A record.
Encrypt mail with Security to Confidential in Microsoft Exchange, for any user
2. Save.
In this scenario, Message Encryption will also apply for messages with
Sensitivity: Company-Confidential in the subject or header.
4. In user-level Message Encryption for each user who should have mail
encrypted, set Encryption to All messages.
Encrypt only mail with a custom phrase in the subject or header, and only for a
small set of users, without changing your organization structure.
1. In org-level Message Encryption for each organization that contains users, set
Encryption to Messages with this subject or header text:
6. In user-level Message Encryption for each user who should have mail
encrypted, set Encryption to Based on Organization Setting.
Encrypt mail that matches a Content Manager rule, but only for a small set of
users, without changing your organization structure
1. In org-level Message Encryption for each organization that contains users, set
Encryption to No Messages.
3. In user-level Message Encryption for each user who should have mail
encrypted, set Encryption to Only messages with this subject or header text:
Sensitivity: Company-Confidential
In the Message Encryption Settings page, you can view and change your settings
for your organization. This page is used for Message Encryption, whether you are
using Portal Delivery or Inbox Delivery.
You can also set up encryption for individual users. See Configure Encryption for
a User on page 37 for more information.
Note: When you enable encryption for an organization, you will be billed for all
users in the organization.
3. Select the setting you wish to use for this organization. This setting will apply
to all users in the organization except those with overriding settings.
If you select the Only messages with this subject or header text option, enter
the text to match or use the default.
Choose from the following options on the Message Encryption Settings page.
6. View User Encryption Settings to confirm your changes. See View User
Encryption Settings on page 39.
Batch Interface
You can also use the following batch commands for Message Encryption. These
match the functions in the Encryption Settings page.
For information about using batch commands, see the Batch Command
Reference Guide.
In the Message Encryption Settings page, you can view and change your settings
for your organization. This page is used for Message Encryption, whether you are
using Portal Delivery or Inbox Delivery.
3. Select the radio button of the setting you wish to use for this user. This will
override org settings. See Message Encryption Settings Page, below.
If you select the Only messages with this subject or header text option, enter
the text to match or use the default.
Choose from the following options on the Message Encryption Settings page.
Setting Description
5. View User Encryption Settings to confirm your changes. See View User
Encryption Settings on page 39.
Batch Interface
You can also use the following batch commands for Message Encryption. These
match the functions in the new Encryption Settings page.
For information about using batch commands, see the Batch Command
Reference Guide.
External Encryption settings are listed for each user, on the right side of the page.
This will show a list of Message Encryption settings for all users. If the users
Message Encryption is set to the org default, the setting will show as blank (-).
2. Click Only Encryption Users and choose the settings you'd like to see and
click Search.
A list of user names is shown. All users on the list have the specified Encryption
Settings.
You can set Content Manager rules to detect text in the sender, recipient, header
or body of the email message. If the rule is triggered, mail will be encrypted with
Message Encryption.
Before you can set up Content Manager to use Message Encryption, you must set
Message Encryption to match specific text (or default text). See Configure
Encryption for an Organization on page 35 for more information.
2. In the Org Management page, scroll down to the Outbound Services section
and click Content Manager.
3. If you have not already set up Outbound Content Manager, click Edit. Set
Filter Status to On, and enter any administrator address as the Quarantine
Redirect Address. Click Save.
5. Add the Content Manager rules to describe the text content you want to
detect.
6. Select the Deliver disposition and check Encrypt in the checkbox to the right.
7. Click Save.
For more information about Content Manager, see Content Manager in the Email
Security Service Administration Guide.
Safari 2.0.
The recipient didn't receive a notification when an encrypted message was sent.
When secure mail routes through Portal Delivery, a notification is sent by normal
email to the recipient's mail server. If this mail isn't received, it may be a result of
the recipient's mail filtering. Instruct the recipient to add zixmail.net to the
whitelist of any mail filtering service the recipient uses.
If login problems persist, check the security settings on the recipient's web
browser. The recipient should set security to Medium and be sure cookies are
enabled.
A new password can be generated from the login page of the Secure Portal. The
password won't be changed until the email is received and the link in the email is
used.
Recipients may have problems downloading the attachments. The recipient can
download attachments individually, or download all attachments together as a ZIP
file. Direct the recipient to click these links to download attachments.
If both the sender and the recipient are signed up with Message Encryption,
messages are sent directly to the recipient's mail server. Messages are encrypted
on every step of transmission.
When a user logs in to the portal, they have a limited time to complete their activity
before having to log in again. If the recipient tries to reply and takes longer than
the timeout, the recipient is prompted to log in again and all reply text is lost. The
default session timeout in the Encryption Portal is 20 minutes. This timeout can be
set in a Custom Portal.
Ability to send secure messages to any recipients, even those who do not
have Transport-Layer Security (TLS) enabled on their mail servers.
Ability to receive secure replies to confidential mail, even from recipients who
do not have TLS enabled on their mail servers.
You will also need to enable Transport Layer Security (TLS) on your mail server.
Setting up TLS on your server ensures that your confidential email is secure
throughout transmission. For information on implementing TLS on your mail
server, check your mail server documentation. If you are using multiple servers,
enable TLS on each server that routes mail to the email protection service.
Billing
Billing for Message Encryption is based on the number of users that have
Message Encryption enabled in the Administration Console.
Message Encryption bills for every user in an organization with org-level Message
Encryption set up, including users that don't actively use Message Encryption.
Message Encryption also bills for any individual user with user-level Message
Encryption.
For details about pricing and other billing issues, contact your sales
representative.
Filtering
Before a message is routed to Message Encryption, the email security service
applies the same filter rules as all outbound mail.
The Email Security Service filters all mail before sending it to the recipient. All
Attachment Manager or Virus filters still apply.
If the user forgets the password, a Forgot Your Password? link is available,
which allows the user to send a new message to create a new password.
Recipients reading the message can then forward or reply to the message
securely using the same browser.
Recipients can also change passwords securely using the same attachment. If a
password changes, previous messages will not be legible until the message is
recovered. Recipients can read old messages that were encrypted using a
previous password by clicking the Recover this Message link.
If the recipient's web browser is unable to run JavaScript, the recipient will be
directed to a secure portal which allows the user to log in and read the message.
This secure portal uses the same mechanism as Message Encryption, Portal
Delivery. For more information about the Secure Portal, see About Message
Encryption, Portal Delivery on page 25. Each message is handled separately; if
JavaScript is later enabled, subsequent messages will open with Inbox Delivery
automatically.
Customize branding of portal page (used if the recipient is unable to run the
encrypted attachment)
Contact your account representative for more information about custom branding
for your Inbox Delivery message.
Prerequisites
Using Message Encryption, Inbox Delivery requires that you route your mail
through Outbound Services. For instructions on how to do this, see the Outbound
Services Configuration Guide.
You will also need to enable Transport Layer Security (TLS) on your mail server.
Setting up TLS on your server ensures that your confidential email is secure
throughout transmission. For information on implementing TLS on your mail
server, check your mail server documentation. If you are using multiple servers,
enable TLS on each server that routes mail to the email protection service.
To assure that all incoming mail routes properly, add the following MX records to
your DNS records with first priority:
This domain needs to be queried explicitly, including the zixvpm subdomain. If this
MX record is not added, replies and some other encrypted traffic will not be routed
properly. This MX record does not affect the filtering of an inbound message.
Contact your DNS server to change this setting. Because these are new MX
records, changes take place immediately. You do not need to add an A record.
For information about setting up Message Encryption for a user, see Configure
Encryption for a User on page 37.
For information about setting up Content Manager for Message Encryption, see
Configure Content Manager for Message Encryption on page 39.
Firefox monitors the amount of time it allows a script to run. By default, this is set
to five seconds. Because Inbox Delivery is encoding and decoding the message,
the script often runs longer than this and the recipient gets the error message. The
recipient can click Continue to let the script continue to run, or change the amount
of time that Firefox allows a script to run.
5. Click OK.
Why can't the recipient see the images in Microsoft Internet Explorer?
The recipient may not have the correct version of the Java Runtime Engine (JRE)
installed. Firefox and Netscape require version 1.4.2 or later. Recipients can
download the latest version of the JRE at http://www.java.com.
Inbox Delivery also requires cookies and JavaScript support in the browser.
If both the sender and the recipient are signed up with Message Encryption,
messages are sent directly to the recipient's mail server. Messages are encrypted
on every step of transmission.
Chapter 5: Reports
About Reports
Reports provide visibility into the traffic patterns across your organization. The
Administration Console produces reports for Message Encryption under the name
External Encryption. External Encryption reports give information about either
Portal Delivery or Inbox Delivery, depending on which delivery method you use.
Policy Enforced TLS reports are sorted by sending or receiving domain. Both
inbound and outbound reports are available.
Reports are generally available around noon, Pacific Time, the day after
messages are sent. The time of availability fluctuates with quantity of traffic
processed.
The reports displayed in the Administration Console show the top 20 results. You
can also click the Download link to download reports in a comma-delimited list,
which contains all results.
View a Report
Viewing a report requires selecting the org you wish to report on, specifying
whether or not to include sub-orgs in the report, choosing time range in the Report
Length of the report, and choosing the report type. Viewing a report is described in
the steps that follow.
Viewing a Report
3. Select the organization from the pull-down list. The total number of registered
users in organization, including sub-orgs, is displayed above the reports list.
4. Click one of the External Encryption reports: Domain, Account or Activity Log,
or the Inbound or Outbound TLS report: Policy-Enforced by Domain.
Policy-Enforced by Domain
This report contains information on Policy-Enforced TLS filtering, sorted by
domain. For each sending or receiving domain, you will be able to view the
number of messages sent and/or received by Policy-Enforced TLS, and traffic
volumes measured in message size.
Item Description
Msgs Bytes The total size (in bytes) of all messages sent or
received through Policy-Enforced TLS.
Outbound External Encryption by Account
Message Encryption information on outbound encryption, sorted by sender
address. Senders who sent the most messages are listed at the top.
The logs contain data from the prior day. Timestamps are in PST for most
systems, and GMT for System 200. The log contains a maximum of 5000 lines of
data (the lines are tab-delimited). Once the size limit is reached, logging
continues, with the oldest data deleted first. A sample log entry looks like: