For health care providers, governmental agencies and other entities who need to protect private, sensitive and valuable information communicated via email, the Barracuda Spam Firewall provides the option of email encryption based on policy you set for outbound mail in the BLOCK/ACCEPT pages.
Actual encryption of outbound mail is performed by the Barracuda Email Encryption Service, so system performance is never affected. Encryption is configured at the per-domain level, but actual encryption policy (by sender domain, email address, recipient, etc.) is only configurable at the global level using the BLOCK/ACCEPT pages. These global encryption policies will apply to all domains from which encrypted email messages are sent.
Email encryption can be performed by the Barracuda Spam Firewall on outbound mail as described in this article, OR you can download the Barracuda Outlook Add-In for your Microsoft Exchange Server to enable users to choose encryption from the New Message window in their MS Outlook client. See Barracuda Outlook Add-In Deployment Guide 5.x or the USERS > User Features page in the Barracuda Spam Firewall web interface for information on deploying the Outlook Add-In. For details about sending and retrieving encrypted messages as applies to this add-in, see steps 4-6 of Sending and Receiving Encrypted Messages.
Secured Message Contents
When the Barracuda Spam Firewall encrypts the contents of a message, the message body will not be displayed on the BASIC > Message Log, BASIC > Outbound Quarantine, or the ADVANCED > Queue Management pages. For Mail Journaling and the download features in the Message Viewer, the message body will not be sent to the Mail Journaling account and cannot be downloaded to the Desktop.
If you already have an email encryption server or service, you can specify a hostname (FQDN) or IP address and port in the Redirection Mail Server TCP/IP Configuration section of the BASIC > IP Configuration page to which the Barracuda Spam Firewall should redirect outbound mail for encryption. You can then select the Redirect action for outbound filtering policies in the BLOCK/ACCEPT pages. Redirection of outbound mail per policy is only available at the global (not per-domain) level.
Configuring and Using Encryption
Begin by confirming that the Barracuda Spam Firewall can communicate with the Barracuda Email Encryption Service. From the BASIC > Administration page, enter a valid test email address in the Email Encryption Service section and use the Test Encryption Connection button.
Archiving Encrypted Emails
If you have a Barracuda Message Archiver, you can choose to archive encrypted emails and replies to those emails. From the BASIC > Administration page, enter the IP address of the Barracuda Message Archiver in the Email Encryption Service section.
Requirements for Using Encryption
Before applying encryption policy, make sure of the following:
- Your Energize Updates subscription is current. See the Subscription Status section on the BASIC > Dashboard page of the Barracuda Spam Firewall.
- You validate all sending domains that are allowed to send encrypted messages, using the DOMAINS > Manage Domain > ADVANCED > Encryption page. Several validation methods are available from this page.
Setting Encryption Policy for Outbound Mail
From the BLOCK/ACCEPT pages you can select the Encrypt action to create global custom encryption policy for secure transmission of outbound mail based on:
- Sender email address and/or domain
- Recipient email address and/or domain
- Attachment Filename pattern and/or type as well as attachment content
- Content and content type (for example, secured credit card information)
These policies will apply for ALL domains from which you send encrypted email.
Predefined Filters for Data Leakage Prevention (DLP)
DLP enables your organization to satisfy email compliance filtering for corporate policies and government regulations such as HIPAA and Sarbanes-Oxley. You can select the Encrypt action for outbound email messages that contain matches to pre-made patterns in the subject line, message body or attachment. Use the following pre-defined data leakage patterns (specific to U.S. – see Note below):
- Credit Cards – Messages sent through the Barracuda Email Security Service containing recognizable Master Card, Visa, American Express, Diners Club or Discover card numbers will be subject to the action you choose.
- Social Security – Messages sent with valid social security numbers will be subject to the action you choose. U.S. Social Security Numbers (SSN) must be entered in the format nnn-nn-nnnn.
- Privacy – Messages will be subject to the action you choose if they contain two or more of the following data types, using common U.S. data patterns only: credit cards (including Japanese Credit Bureau), expiration date, date of birth, Social Security number, driver's license number, or phone number. Phone numbers must be entered in the format
- HIPAA – Messages will be subject to the action you choose if they contain TWO of the types of items as described in Privacy above and ONE medical term.
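To make the predefined DLP filters above concrete, here is an added Python sketch of how such a policy evaluator decides which filter fires on a message. It is not Barracuda's code and the vendor's exact patterns are not published on this page; the card, phone and date-of-birth regexes, the Luhn check and the medical-term list are assumptions used for illustration.

```python
import re

# Constructed approximations of the page's U.S. data patterns (not the vendor's patterns).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # page: SSNs are expected as nnn-nn-nnnn
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # loose 13-16 digit run, spaces/dashes allowed
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")   # assumed nnn-nnn-nnnn (page text is truncated)
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")     # assumed mm/dd/yyyy
MEDICAL_TERMS = ("diagnosis", "prescription", "patient")  # assumed sample term list


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a 'recognizable' card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in the text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.append(digits)
    return cards


def data_types_present(text: str) -> set:
    """Which of the Privacy filter's data types appear at least once."""
    found = set()
    if find_cards(text):
        found.add("credit_card")
    if SSN_RE.search(text):
        found.add("ssn")
    if PHONE_RE.search(text):
        found.add("phone")
    if DOB_RE.search(text):
        found.add("dob")
    return found


def policy_action(text: str) -> list:
    """Names of the page's predefined filters that fire; an admin maps each to Encrypt."""
    types = data_types_present(text)
    hits = []
    if "credit_card" in types:
        hits.append("Credit Cards")
    if "ssn" in types:
        hits.append("Social Security")
    if len(types) >= 2:                      # Privacy: two or more data types
        hits.append("Privacy")
    if len(types) >= 2 and any(t in text.lower() for t in MEDICAL_TERMS):
        hits.append("HIPAA")                 # Privacy condition plus one medical term
    return hits
```

Fields in the sample messages are separated by newlines so the loose card pattern cannot chain an SSN and a phone number into one digit run; a production matcher would use stricter per-brand patterns.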
You can brand encryption notification emails (see Sending and Receiving Encrypted Messages below) as well as encrypted messages with an image and a domain name to be displayed with the image. Once you have validated a domain through the Barracuda Spam Firewall, branding is configured at the per-domain level on the ADVANCED > Encryption page where you can upload an image from your local drive or network. You can optionally create custom text or html notification message content and subject from the same page.
Encryption and Quarantine, Blocking and Queuing
If an encrypted message is quarantined, the administrator will not see the message contents, but can view the message header information and the reason the message was encrypted as well as the reason it was quarantined on the BASIC > Message Log page. From either the BASIC > Message Log page or the BASIC > Outbound Quarantine page, the message can be delivered, rejected, deleted or forwarded.
If an encrypted message is blocked due to policy, the administrator will not see the message contents, but can view the message header information and the reason the message was encrypted as well as the reason it was blocked on the BASIC > Message Log page. The administrator can then deliver the message if desired.
For encrypted messages in the queue, the administrator will not see the message contents but can view the message header information and why the message was encrypted. From the ADVANCED > Queue Management page, the administrator can deliver, re-queue or delete the message.
Sending and Receiving Encrypted Messages
The Barracuda Message Center provides a web-based email client for recipients to manage email messages encrypted and sent via the Barracuda Spam Firewall. The email client looks and behaves much like any web-based email program. See for details on the user experience.
For organizations, such as credit card companies, that do not wish recipients to reply to encrypted messages, the Allow Replies option can be set to No on the ADVANCED > Encryption page.
The workflow for email encryption is as follows:
- The administrator creates a filter from one or more of the BLOCK/ACCEPT pages to encrypt certain types of outbound messages.
- Outbound messages that meet these filtering criteria are sent over a secure TLS channel to the Barracuda Message Center for encryption.
- The outbound message information appears in the Barracuda Spam Firewall Message Log, but the message body does not, as it is encrypted for security purposes.
- The Barracuda Message Center sends a notification to the recipient of the email message that includes a link the recipient can click to view and retrieve the message from the Barracuda Message Center. Notifications can be branded as described above.
- The first time the recipient clicks this link, the Barracuda Message Center will prompt for creation of a password. Thereafter the recipient can re-use that password to pick up subsequent encrypted messages.
- The recipient logs into the Barracuda Message Center and is presented with a list of email messages, much like any web-based email program. All encrypted messages received will appear in this list for a finite retention period or until deleted by the recipient.
When the recipient replies to the encrypted email message, the response will also be encrypted and the sender will receive a notification that includes a link to view and retrieve the message from the Barracuda Message Center.
Recalling Encrypted Messages
The Admin or Domain Admin roles can choose to recall an encrypted message before it is read by the recipient. From the BASIC > Message Log page, clicking on the message brings up the Message Viewer, which includes a Recall button if the message has been encrypted. Clicking this button recalls the message from the Barracuda Message Center under the following conditions:
- The recipient has not yet read the message.
- The Remove Barracuda Headers feature is set to No on the ADVANCED > Email Protocol page.
If the message is recalled, the Delivery Status for the message in the log will change to Recalled.