
Voltage SecureMail

Software Version 7.3

Management Console Guide

Document Release Date: October 2020


Software Release Date: October 2020

Legal notices
Copyright notice
© Copyright 2019-2020 Micro Focus or one of its affiliates.
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”)
are set forth in the express warranty statements accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or
editorial errors or omissions contained herein. The information contained herein is subject to change without
notice.
Contains Confidential Information. Except as specifically indicated otherwise, a valid license is required for
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software,
Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S.
Government under vendor's standard commercial license.

About this PDF version of online Help


This document is a PDF version of the online Help.
This PDF file is provided so you can easily print multiple topics or read the online Help.
Because this content was originally created to be viewed as online help in a web browser, some topics may
not be formatted properly. Some interactive topics may not be present in this PDF version. Those topics can
be successfully printed from within the online Help.


Contents
Welcome to Voltage SecureMail 7.3
Voltage SecureMail Components
Understanding Voltage SecureMail Concepts
Tenants, Districts, and Domains
Hosts and Clusters
IP Address Requirements
IBE Key Management Server
Tenant Hostnames
Host Machines
Voltage SecureMail Gateway
Clusters
Cluster Shared Address
Inter-cluster Listening Address
Inter-cluster Communication Example
SSL Certificate Requirements
Importing the Root Certificate for the Certificate Authority
Support for SSL Certificate Chains
Configuring the SSL Certificates
Configuring the Voltage SecureMail Software

About SecureMail Management Console
Understanding the Home Page
Management Console Buttons

About SecureMail Tenants
Understanding Tenants
Tenants Tab
Adding or Copying a Tenant
Enabling and Disabling Tenants
Editing a Tenant
General Tab
Configuring a New Tenant Hostname
Selecting a Published Hostname
Configuring a New Tenant Hostname
Configuring Tenant SSL Certificate Defaults
Configuring Tenant Hostnames
Selecting a Published Hostname
Configuring a New Tenant Hostname
Assigning Brands to a Tenant
Understanding SSL Certificates
Importing the Root Certificate for the Certificate Authority
Support for SSL Certificate Chains
Managing SSL Certificates
Exporting a Certificate Signing Request
Importing a Tenant Certificate
Importing an SSL Certificate Chain
Testing Your SSL Connection
Exporting a Tenant Credential
Renewing an SSL Certificate
Configuring Tenant Branding
Understanding Brand Files
Tenant Default Brands
Brands and Locales
Managing Tenant Brand Files
Selecting a Tenant Brand
Importing a Brand File
See Also
Adding Brand Locales
See Also
Editing Brand Details
See Also

About SecureMail Services
Understanding Services
Understanding the IBE Service Summary Page
Understanding the Configure IBE Service Page
Understanding Authentication Methods
Authentication Method Types
Processing Order
Adding a User Authentication Method
Authenticating Internal and External Users
Adding an Enrollment Service Authentication Method
Adding an Active Directory Authentication Method
Understanding the Active Directory User Authentication Process
Enabling Fall Through
Adding a Domino LDAP Authentication Method
Adding an Email Answerback Authentication Method
Adding an External Authentication Method
Adding a POP3 Authentication Method
Adding a Question and Answer Authentication Method
Adding a Remote Authentication Method
Adding a Component Authentication Method
Using Azure AD
Configuring Outbound Encryption Settings
Understanding Districts
Determining Users of Your District
District Information Protection
Windows Server
Linux Appliance
Determining a Rollover Plan
Adding a District
Importing, Exporting, or Deleting a District
Exporting a District
Importing a District
Deleting a District
Exporting a District
Importing a District
Understanding the Zero Download Messenger Service
Understanding the Zero Download Messenger Proxy Service
Voltage SecureMail Brand Manager
Configuring the ZDM Service
ZDM Message Settings
User Verification
ZDM Service Configuration
Message Locking
Limitations
Creating a Message Locking Rule
Unlocking a Message
DMARC SPF Compliance
ZDM Proxy Configuration
Configuring the ZDM Proxy Mail Store
HTML Sanitizer
ZDM Attachment Filter
Understanding the Client Service Summary Page
Understanding the Configure Client Service Page
Configuring General Client Service Settings
Adding and Editing Client Encryption Rules
Customizing the Client Policy
Enabled Custom Client Policy
Configure Custom Policy
Configuring Client Policy Security Features
Understanding the Gateway Service
The Voltage SecureMail Gateway Capabilities
The Voltage SecureMail Gateway and the Voltage SecureMail Encryption Client
Configuring the Gateway Service
Configuring the Gateway Service for all Tenants
Configuring Tenant Lookup Rules
Configuring Tenant Rule Conditions
Examples
Configuring Policy Routes
Configuring Gateway General Parameters
Understanding Gateway Rules
Configuring Gateway Rules
Adding or Editing Header Rules
Adding a Policy Rule
Editing Policy Rule Conditions
Examples
Adding a Message Footer in a Policy Rule
Editing a Policy Rule
General Tab
Rule Conditions Tab
Examples
Advanced Tab
Content Scanner X-Header Examples
Using Brands for Different Locales
Using 3.1 Format X-Headers
Sample Scenario
Configuration
Rule Format
Message Flow
Understanding Public Key Infrastructure (PKI) Keys
Setting Up the Gateway to Encrypt and Decrypt Emails Using S/MIME or PGP
Using Domain Certificates/Keys
Deleting a User's Keys
Creating a PKI Key
Exporting a CSR
Importing a Certificate
Importing a PKI Key
Adding an S/MIME Domain Identity
Exporting an S/MIME User's Public Key
Exporting a Certificate and Private Key
Exporting PGP Keys
Using Sendmail Interfaces for Reencryption
Configuring Sendmail Interfaces for Reencryption
Encrypting Emails to Bcc Recipients Using the Client and Gateway Rules
Encrypting Emails to BCC Recipients
Customizing the Bcc Header Name and Value
Enabling the FlagSecure Configuration
Understanding the Enrollment Service
Understanding Global Enrollment
Enrollment User Management
Enrollment Service User Details
Enrollment First-Time Use
Enrollment Password Policies
Enrollment Password Recovery
Enrollment Recovery Questions
Two Factor Authentication
Enable Two Factor Authentication
Enable Two Factor Authentication for Tenants
Understanding the Settings for All Services
Importing CA and Root Certificates
Configuring Global Options for All Services
Using Third-Party Certificates
About CORS
Enable CORS
Configure CORS
Understanding the Mobile Service Summary page
Understanding the Configure Mobile Service Page
Enabling or Disabling Mobile Service for the Tenant
Uploading APNS Certificates
Enabling or Disabling a Mobile Policy
Deleting a Mobile Policy
Processing Order
Understanding Mobile Policies
Adding a Mobile Policy
Editing Mobile Policy Details
Configuring Mobile Policy General Settings
Configuring Mobile User Authentication
Setting Mobile Message Privileges
Configuring Mobile Policy Domains

About SecureMail System Resources
System Configuration
Understanding Clusters
Adding or Editing a Cluster
Understanding Hosts
Adding a Host
Configuring General Host Settings
Viewing or Regenerating a Registration Password
Viewing a Password from the Appliance Menu
Regenerating a Password from the Appliance Menu
Viewing, Creating or Deleting a Password Using the Registration Utility
Configuring Host Services
Configuring Host Bindings
Viewing Debug Logs for a Host
Understanding Resources
Configuring an Active Directory Server
Configuring a Domino LDAP Resource
Understanding Gateway SMTP Server Configuration
Configuring Gateway SMTP General Settings
Configuring Allowed Relays
Configuring Mail Routes
Configuring Advanced Settings
Specifying an Advanced Feature
Feature Examples
Specifying a Configuration Option
Configuration Option Examples
Specifying an Advanced Configuration
Custom Configuration Examples
Configuring a ZDM Proxy Mail Store
Configuring an Outgoing Mail (SMTP) Server
Configuring a POP3 Server
Configuring a Cluster Shared Address

Administering the SecureMail System
Understanding the System Administration Functions
Configuring the Server
Enabling Remote Access in Windows
Enabling Remote Access on a Linux Appliance
Understanding Back Up and Restore
Creating a System Backup Manually
Scheduling Automatic System Backups
Setting Up a Scheduled Backup
Restoring Your System From a Backup
Understanding Administrator Accounts
Administrator Accounts Management
Administrator Accounts
Security Settings
Audit Admins can view read-only configuration settings
Auto-complete is enabled for non-sensitive input fields in the Management Console
Adding an Administrator Account
Editing an Administrator Account
Enabling Active Directory Accounts
Importing the Active Directory Server PEM Certificate
Adding an Active Directory Group Role
Editing an Active Directory Group Role
Changing a Local Administrator Password
Displaying Your Account Information
Choosing Administrator Account Tenants
Understanding Logging
Configuring Syslog Values
Understanding Advanced Feature Configuration

About SecureMail Events
Understanding Event Logs
Searching for Events
Using the Search Events Field
Using Advanced Search
Setting Event Collection and Retention
Event Collection
Event Retention
Backing Up and Purging Events
Utility Parameters
Debug Log File
Backup Files
Importing Backup Files Into a Database

About SecureMail Reports
Understanding Reports
Mail Volume by Date Report
Mail Volume by Domain Report
Mail Volume by User Report
Message Status by Sender Report
Message Status by Reader Report
Licensed Products Report
Product Usage Report
Deployed Clients Report


Welcome to Voltage SecureMail 7.3
Voltage SecureMail enables users to send secure business communication such as financial
statements, patient health information or sensitive communication regarding intellectual property.
The Voltage SecureMail online help contains help for the Management Console. Read the following
topics to get started:
• To learn about the network architecture and software configuration, see Voltage SecureMail Components and Understanding Voltage SecureMail Concepts.
• To perform additional configuration tasks after completing the Voltage SecureMail Setup Wizard, see Configuring the Voltage SecureMail Software.

Voltage SecureMail Components


The Voltage SecureMail platform includes the following components:
• Voltage IBE Key Management Server - Generates private keys for all authenticated users. Hosts the public parameters that are used to generate a public key in combination with a recipient email address when users send secure emails. It includes the Voltage SecureMail Authentication Methods that communicate between an authentication mechanism and the Key Management Server. You can use your existing authentication solution or the authentication method available on the Key Management Server.
• Voltage SecureMail Gateway Service - (Not included in an all Windows environment) Provides your enterprise with a method to automatically encrypt or decrypt email for secure communication beyond the corporate firewall. The Gateway service enables you to create a fully clientless user experience. You use the Management Console to specify rules for automatic encryption and decryption of inbound and outbound email. You can also use the Gateway service in conjunction with any of the Voltage SecureMail client applications. The Gateway service includes an SMTP Mail Transfer Agent (MTA) that communicates with the Gateway SMTP server using the Milter API.
• Voltage Zero Download Messenger (ZDM) Service - Supports the Zero Download Messenger, a Voltage SecureMail capability that allows users to read and compose secure messages without installing any Voltage software.
• Voltage SecureMail Management Console - A graphical interface for configuration and administration of the Voltage SecureMail services, including event logs and reporting.

Understanding Voltage SecureMail Concepts


Tenants, Districts, and Domains
Tenants are used to group end users of your Voltage SecureMail software. You configure Voltage
SecureMail components, such as authentication methods, encryption policies, the Gateway service,
the Zero Download Messenger, and the Client Service, separately for each tenant. You need only one
tenant if the encryption needs of all end users in your organization are the same. You can configure
multiple tenants (user groups) in a more complex environment where specific groups of users have
distinct encryption requirements. Each tenant is associated with at least one district and unique
domain.
A district contains the underlying encryption information that is used to generate IBE keys for users
within the tenant. The cryptographic information for each district is unique. The district, which is
associated with a single tenant, is created automatically for that tenant and you do not need to do
anything to configure it. A district is always associated with a single tenant, but it is possible for a
tenant to be associated with multiple districts.
A unique domain name is required for each tenant/district. You must have multiple domain names
available if you wish to configure separate tenants for groups of users with different encryption needs.
For example, you can create a tenant/district for the domain www.yourcompany.com and a separate
tenant/district for the domain yourdepartment.yourcompany.com.
If your company uses multiple email domains for users with the same encryption needs, you can
configure your system to allow users from all domains to use encryption keys from the same
tenant/district. This is done by using the outbound encryption settings to add users who are not
members of the tenant domain to a list of domains that can provide keys. See Configuring Outbound
Encryption Settings for details.

Hosts and Clusters


A cluster is a logically grouped set of servers or hosts that run the Voltage SecureMail services.
Clusters also contain resources, such as email servers, that are shared by the hosts within a cluster.
Although the hosts in a cluster are configured with the same services, it is possible to run different
services on each host. You can create a cluster of hosts for load balancing or backup purposes.
All of the configuration data is stored in the Management Console database and then pushed to all
hosts in the cluster. To push the configuration data, you click Update on the System page. Each host
writes its configuration information to and retrieves its configuration from its own database.
A host server can support multiple tenants. You must have at least one unique IP address for each
tenant. See IP Address and DNS Requirements for more information.

IP Address Requirements
Voltage SecureMail servers must be configured with at least one IP address to communicate with other
server machines and to handle requests from ZDM and SecureMail clients. Additional IP addresses
might be required if you have a custom hostname or if you have tenants that are deployed across
clusters. In some cases, you can re-use an IP address by defining different ports that are used for
different purposes.

IBE Key Management Server


The IBE Key Management Server requires one domain and IP address for each tenant that you
configure. You can configure multiple tenants on one machine or cluster, but each tenant must be
configured with its own domain and IP address. Ensure that you have the following IP address
available before you begin the configuration process:
• IP address for voltage-pp-0000.<yourdomain> - This is the IP address for the Public Parameter server used by the Key Management Server.

NOTE: This IP address requires an SSL certificate. See SSL Certificate Requirements for
details.

Tenant Hostnames
With the Voltage SecureMail Server software, you can create a custom tenant hostname that is seen
by users when they read or compose ZDM email. For example, if your domain name is
mycompany.com, the default tenant hostname is voltage-pp-0000.mycompany.com, but you might
prefer to direct users to a custom tenant hostname, such as securemail.mycompany.com.
If you choose to create and use a custom tenant hostname, you must have the following IP address:
• IP address for the custom tenant hostname that you create - This is in addition to the IP address for voltage-pp-0000.<yourdomain>.

NOTE: This IP address requires an SSL certificate. See SSL Certificate Requirements for
details.

Host Machines
You need the following IP address to configure the server:
• IP address on which the server listens for data from the Management Console - Only one IP address is required per host, regardless of how many tenants are supported on the host.

NOTE: In a single server configuration where the Management Console and host are on the
same machine, you can use the IP address 127.0.0.1 for communication between these
components.

Voltage SecureMail Gateway


A Sendmail milter is an email filter program that communicates with the Sendmail Message Transfer
Agent (MTA) using the Milter API. The Voltage SecureMail Gateway includes an MTA and the
vsgateway Sendmail milter. In some cases, you might need to configure Sendmail to listen on multiple
IP addresses. For this application, you would need multiple IP addresses for the gateway.
The Voltage SecureMail Gateway communicates with Sendmail via either Unix domain or TCP/IP
sockets. It runs with regular user permissions, requiring no superuser or root privileges.
If you are using the Voltage SecureMail Gateway, you need the following IP address:
• IP address for the Sendmail MTA - If you configure this server to deliver messages directly outside your network, you also need forward and reverse DNS mappings for this IP address and hostname.

NOTE: The default port for the Voltage SecureMail Gateway is 25, enabling you to reuse an IP
address that uses a different port for another function.

Clusters
Depending on your configuration, one or more IP addresses might be required for inter-cluster
communication:
• If all tenants in a cluster are included only in that cluster, then the hosts in that cluster do not need to listen to requests from other clusters, and there is no need to configure an IP address for inter-cluster communication.
• If a tenant is included in multiple clusters and either ZDM Proxy or Large Attachment Storage is enabled, you must specify a separate IP address for inter-cluster communication.
• If a tenant is included in multiple clusters and you use Email Answerback or Enrollment Service as an authentication method, you have the option of specifying a separate IP address for inter-cluster communication, but this is not required. If you do not configure an IP address for inter-cluster communication, it is possible for a valid user authentication attempt to fail. This would occur if a user starts the authentication process on a host in one cluster, then is directed to a host in another cluster to complete the authentication. If this occurs, the user must begin the authentication process again.

Only one IP address is needed per host, regardless of the number of tenants.

Cluster Shared Address


Use the Cluster Shared Address to specify the location that hosts in other clusters use to
communicate with hosts in the cluster you are configuring. For example, suppose a request arrives at
Cluster B, but the data to service the request resides on Cluster A. In this case, the host in Cluster B
must fetch the data from Cluster A, using the Cluster Shared Address associated with Cluster A. See
Configuring a Cluster Shared Address for details.
Specifically, the Cluster Shared Address for Cluster A is the location where the hosts in Cluster B send
requests to. In order to receive these requests, the hosts in Cluster A must bind to a location where
they listen for these requests. That location is the Inter-cluster Listening Address, which is
configured on the Binding tab of the Host Details page.

NOTE: If a cluster includes only one host, the Cluster Shared Address for the cluster and the
Inter-cluster Listening Address for the host typically use the same IP address and port.

Inter-cluster Listening Address


In a cluster where the Cluster Shared Address is configured, you must bind each host to the location
where it listens for requests from other clusters. To specify this location, click the host name on the
System page, click the Binding tab on the Host Details page, and then in the Inter-cluster Listening
Address list, click the location. See Configuring Host Bindings for details. Note that Inter-cluster
Listening Address displays in the Certificate Binding table on the Binding tab only if the Cluster
Shared Address resource is configured.

Inter-cluster Communication Example


Suppose a message with a large attachment is encrypted by a host in Cluster A when it is initially sent.
A reference is added to the message before being delivered to recipients, indicating that the message
resides in Cluster A. If a recipient of the message with this attachment wants to open it, this request
might be handled by a host in Cluster B. However, since the attachment is stored in Cluster A, the host
in Cluster B cannot display it to the recipient directly. Instead, that host on Cluster B uses the reference
to Cluster A to find the Cluster Shared Address to fetch the attachment from Cluster A. The hosts on
Cluster A are listening for these requests on their Inter-cluster Listening Address. When one of the
hosts receives the request, it responds by making the large attachment available to the host on Cluster
B, which stores it locally and then displays it to the recipient. If a host on Cluster B receives another
request to display the same attachment, it can display it immediately, since it no longer needs to fetch
it from Cluster A.
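The three inter-cluster rules under Clusters, the pairing of Cluster Shared Address with the Inter-cluster Listening Address, and the fetch-and-cache flow just described can be checked mechanically before a topology goes live. The script below is an added example written for this guide's concepts; it is not Voltage SecureMail code and does not read the product's configuration. The cluster names, tenant names, addresses and feature flags are constructed, and the rule for shared tenants that use none of the named features is an assumption labelled in the code.

```python
"""Added example; not part of the Voltage SecureMail guide or product.

Encodes the inter-cluster addressing rules from the Clusters, Cluster Shared
Address and Inter-cluster Listening Address sections as a configuration check,
and models the attachment fetch-and-cache flow from the Inter-cluster
Communication Example. Cluster names, tenants and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Cluster:
    name: str
    tenants: Set[str]
    # Cluster Shared Address that other clusters use to reach this cluster (host:port)
    shared_address: Optional[str] = None
    # host name -> Inter-cluster Listening Address bound on that host (or None)
    hosts: Dict[str, Optional[str]] = field(default_factory=dict)
    zdm_proxy: bool = False
    large_attachment_storage: bool = False
    auth_methods: Set[str] = field(default_factory=set)


def shared_tenants(cluster: Cluster, clusters: List[Cluster]) -> Set[str]:
    """Tenants of `cluster` that are also included in some other cluster."""
    others = [c for c in clusters if c.name != cluster.name]
    return {t for t in cluster.tenants if any(t in c.tenants for c in others)}


def inter_cluster_requirement(cluster: Cluster, clusters: List[Cluster]) -> str:
    """'required', 'optional' or 'not needed', following the three rules in the guide."""
    if not shared_tenants(cluster, clusters):
        return "not needed"            # every tenant lives only in this cluster
    if cluster.zdm_proxy or cluster.large_attachment_storage:
        return "required"              # ZDM Proxy / Large Attachment Storage enabled
    if cluster.auth_methods & {"Email Answerback", "Enrollment Service"}:
        return "optional"              # without it an authentication attempt may have to restart
    # Assumption: the guide lists no rule for shared tenants without these
    # features, so this example treats that case as "not needed".
    return "not needed"


def validate(clusters: List[Cluster]) -> List[str]:
    """Return human-readable findings for the topology (empty list means consistent)."""
    findings = []
    for c in clusters:
        need = inter_cluster_requirement(c, clusters)
        if need == "required" and c.shared_address is None:
            findings.append(f"{c.name}: inter-cluster address required but no Cluster Shared Address")
        if need == "optional" and c.shared_address is None:
            findings.append(f"{c.name}: no Cluster Shared Address; cross-cluster authentication may have to restart")
        if c.shared_address is not None:
            for host, listen in c.hosts.items():
                if listen is None:
                    findings.append(f"{c.name}/{host}: no Inter-cluster Listening Address bound")
                elif len(c.hosts) == 1 and listen != c.shared_address:
                    # The guide says a single-host cluster typically uses the same IP and port for both.
                    findings.append(f"{c.name}/{host}: single-host cluster but listening address differs from Cluster Shared Address")
    return findings


def open_attachment(attachment_id, requesting, stored_in, clusters, cache):
    """Model the fetch: a host in `requesting` handles a request for an attachment
    whose message reference says it resides in cluster `stored_in`."""
    if stored_in == requesting.name:
        return "local"
    key = (requesting.name, attachment_id)
    if key in cache:
        return "cached"                # fetched once already; served without contacting stored_in
    target = next(c for c in clusters if c.name == stored_in)
    if target.shared_address is None:
        raise LookupError(f"{stored_in} has no Cluster Shared Address to fetch from")
    cache.add(key)                     # the fetching host stores the attachment locally
    return f"fetched via {target.shared_address}"


# Constructed topology: tenant "t1" is served by clusters A and B.
CLUSTERS = [
    Cluster("A", {"t1", "t2"}, shared_address="10.0.1.10:8443",
            hosts={"a1": "10.0.1.10:8443"}, large_attachment_storage=True),
    Cluster("B", {"t1"}, hosts={"b1": None, "b2": None}, large_attachment_storage=True),
    Cluster("C", {"t3"}, hosts={"c1": None}),
]

if __name__ == "__main__":
    for line in validate(CLUSTERS):
        print(line)
    cache = set()
    for _ in range(2):
        print(open_attachment("att-1", CLUSTERS[1], "A", CLUSTERS, cache))
```

Run as a script it reports that Cluster B shares tenant t1 and has Large Attachment Storage enabled but no Cluster Shared Address, then shows the same attachment being fetched via Cluster A's shared address once and served from the local copy the second time.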

SSL Certificate Requirements


All web requests between any client and the Voltage SecureMail Key Management Server are
encrypted using SSL v3 / TLS. To ensure the authenticity of the connection to the client, one SSL
certificate is required for the following URLs for each tenant:
• Public Parameter Server - voltage-pp-0000.<yourdomain>

NOTE: You cannot change this domain name. The Voltage SecureMail clients use this location
to access the Key Management Server and public parameters.

• Custom Tenant Hostname - If you choose to create and use a custom tenant hostname, an SSL Certificate is required for the hostname that you create.

To acquire an SSL certificate you must generate a Certificate Signing Request (CSR) and submit it to a
Certification Authority (CA).

NOTE: Depending on the CA used, the certificate issuance process can take as long as five
days. For this reason, you should generate your CSRs immediately after the initial installation of
the Voltage SecureMail server software. You need one certificate for each tenant you plan to
support, even if the same host machine is used for multiple tenants. When you add a new
tenant, a CSR is generated for each hostname.

Although the required SSL certificates must be installed before full deployment of the Voltage
SecureMail platform, you can use the temporary certificates available with the software in order to test
the installation before the arrival of the certificates from the CA.
In addition, if you choose to create and use a custom tenant hostname, you must also have an SSL
Certificate for the hostname that you create. When you create a custom tenant hostname a CSR is
generated for the hostname that you created.

Importing the Root Certificate for the Certificate Authority


The Voltage SecureMail server is shipped with a number of common CA certificates in the trust store.
If you are using a less common CA or if you are using an internal CA, you must import the root
certificate of the CA that issued the SSL certificate into the server trust store. See Importing CA and
Root Certificates for instructions.

Support for SSL Certificate Chains


The Import Certificate page supports installation of SSL certificate chains. You can import a chain of
SSL certificates where each certificate in the chain is the certificate for the signer of the next certificate
in the chain. See Importing a Tenant Certificate for instructions.
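The requirements above (one certificate per tenant hostname, a chain that validates back to a root the server trusts, and the temporary self-signed certificates being for testing only) can be verified from the outside once a tenant is up. The following is an added example written for this guide, not Voltage SecureMail code: it uses only the Python standard library, connects with full chain and hostname verification, and then applies a few operator checks to the presented certificate. The hostnames, the 30-day warning threshold and the sample certificate dictionary are constructed for the example; the threshold mirrors the "days before expiration" alert the Home page raises, but the value is an assumption.

```python
"""Added example, not part of the Voltage SecureMail guide or its software.

Checks a tenant's TLS certificate the way an operator would before relying on it:
it must cover the hostname (the Public Parameter Server name
voltage-pp-0000.<yourdomain>, and any custom tenant hostname), must not be
self-signed (the temporary certificates shipped for testing are), and should not
be close to expiry. Standard library only; hostnames, threshold and the sample
certificate are constructed for the example.
"""
import socket
import ssl
import time


def tenant_hostnames(domain, custom_hostname=None):
    """Hostnames that need a certificate for one tenant (see SSL Certificate Requirements)."""
    names = ["voltage-pp-0000." + domain]   # fixed name; the guide says it cannot be changed
    if custom_hostname:
        names.append(custom_hostname)
    return names


def _name_matches(pattern, hostname):
    """Exact or single-label wildcard match on a DNS name (case-insensitive)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and hostname.count(".") == pattern.count("."):
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def check_cert(cert, hostname, warn_days, now=None):
    """Evaluate a certificate in the dict shape returned by ssl.SSLSocket.getpeercert().

    Returns a list of findings; an empty list means the certificate looks fine.
    """
    now = time.time() if now is None else now
    findings = []

    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, hostname) for n in dns_names):
        findings.append("hostname %s not in subjectAltName %s" % (hostname, dns_names))

    # The temporary certificates shipped with the product are self-signed;
    # a production tenant certificate must be issued by a trusted CA.
    if cert.get("subject") == cert.get("issuer"):
        findings.append("certificate is self-signed")

    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    if days_left < 0:
        findings.append("certificate expired %d days ago" % -days_left)
    elif days_left < warn_days:
        findings.append("certificate expires in %d days (threshold %d)" % (days_left, warn_days))
    return findings


def probe(hostname, port=443, warn_days=30, timeout=5.0):
    """Connect with chain and hostname verification, then apply check_cert().

    A chain that does not validate against the local trust store (for example a
    missing intermediate or an unimported internal root) raises
    ssl.SSLCertVerificationError, which is itself the finding an operator wants.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(tls.getpeercert(), hostname, warn_days)


# Constructed sample in getpeercert() format: a self-signed test certificate
# for the Public Parameter Server name only, expiring soon.
SAMPLE_CERT = {
    "subject": ((("commonName", "voltage-pp-0000.example.com"),),),
    "issuer": ((("commonName", "voltage-pp-0000.example.com"),),),
    "subjectAltName": (("DNS", "voltage-pp-0000.example.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan 31 00:00:00 2024 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 11 00:00:00 2024 GMT")  # 20 days before expiry

if __name__ == "__main__":
    # Offline demonstration against the constructed sample; use probe(name) for a live tenant.
    for name in tenant_hostnames("example.com", "securemail.example.com"):
        print(name, check_cert(SAMPLE_CERT, name, warn_days=30, now=SAMPLE_NOW))
```

Against the sample the Public Parameter Server name is reported as self-signed and near expiry, and the custom hostname additionally as not covered, which is exactly the state of a tenant still running on the temporary certificates with a custom hostname whose CSR has not yet been fulfilled.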

Configuring the SSL Certificates


To configure an SSL certificate for a tenant, go to the Tenants tab and click Edit for that tenant. The
SSL configuration information is contained on the Tenant Details page in the SSL Certificate
Defaults tab and the Hostnames and SSL Certificates tab.

Configuring the Voltage SecureMail Software


The Voltage SecureMail Setup Assistant configures a set of default values so that you can begin
testing and using the software immediately. The following basic steps provide guidance in performing
additional configuration steps.
1. Set up and configure accounts for administrators. See Understanding Administrator Accounts.
2. Acquire SSL certificates for the domains that you are using. See SSL Certificate Requirements.
3. Add and configure the authorization rules that the Key Management Server uses to authenticate users. See Understanding Authentication Methods.
4. Configure the Enrollment Service. See Understanding the Enrollment Service.
5. Configure the Encryption Policies. See Configuring Outbound Encryption Settings.
6. (Optional) Configure the Client Service. See Configuring the Client Service.
7. Configure the Zero Download Messenger (ZDM) Service. See Understanding the Zero Download Messenger Service.
8. Determine which capabilities of the Gateway service you are using. See Understanding the Gateway Service.
9. Configure Gateway encryption rules. See Understanding Gateway Rules.
10. (Optional) If you want to import public and private keys for S/MIME and PGP users, configure the PKI keys page. See Understanding Public Key Infrastructure (PKI) Keys.
11. (Optional) Configure the Gateway service for all tenants. See Configuring the Gateway Service for all Tenants.
12. Add and configure clusters if you are deploying multiple boxes. See Understanding Clusters.
13. Add and register the hosts. See Understanding Hosts.
14. Configure the resources for your cluster. See Understanding Resources.
15. Determine and configure your method(s) for distributing the client software. See the Voltage SecureMail Encryption Client Administrator Guide.
16. Back up your server. See Understanding Back Up and Restore.

About SecureMail Management Console


This chapter provides an overview of the SecureMail Management Console.

Understanding the Home Page


The Home page displays when you first log into the Management Console. This page provides an
overview of your Voltage SecureMail installation and activities. The Home page is the starting point
where you set configuration options for the Voltage SecureMail software services and operations.

The following information is displayed on the Home page:


l Alerts - Lists significant system alerts. Some examples of events that trigger a system alert are:
unresponsive hosts, number of days before expiration of a TLS certificate, or when the number of
system events exceeds a threshold. The values that you specify on the Administration > Server
Configuration page determine when alerts for TLS certificates and system events are displayed in
this section.
l Overview - Provides basic information about the Voltage SecureMail configuration and operation.
o System Summary - Lists the number of clusters, hosts, and tenants configured for your Voltage
SecureMail installation.
o Responsive Hosts - Indicates the number of hosts with an active connection to the
Management Console and the total number of configured hosts. If one or more hosts are not
responding, both the System Failures table and the Alerts box provide additional information.

Voltage SecureMail (7.3) Page 18 of 245


Management Console Guide
Understanding the Home Page

o Total Number of System Events - Lists the number of system events that are logged to and
stored in the Maria Database (MariaDB) on the Management Console. This is a cumulative
number and will grow over time. The minimum event levels you select for the Voltage SecureMail
services greatly affects the total number of system events that are logged to the database and
reflected in the Total Number of System Events. You can reduce the number of logged events in
the database by running the delete_events utility. See Backing Up and Purging Events for
more information.
o Management Data Service - Indicates whether or not the service is running. The Management
Data Service is a background process that aggregates log data and synchronizes identity data
for the PKI and Enrollment Server. Green indicates that the service is running. Red indicates the
service has stopped and needs to be restarted.

To restart the Management Data Service:


On a Windows Server
1. Click Start > Settings > Control Panel > Administrative Tools > Services.
2. In the Services list, click Voltage Management Data Service.
3. Click Start the service in the upper left-hand corner.

On a Linux Appliance
1. From the Appliance Main Menu, select Configure Services > Advanced Services
Configuration > Management Services.
2. On the Management Services menu, click Restart Management Data Service.
• Management Console Version - Displays the product version and build number.
• System Failures - Lists and provides information about host, node, cluster, tenant, and
  service failures. For example, a system event is displayed in the System Failures table if
  the Management Data Service could not update a host. You can set the number of
  system failures you see and how often the contents of this table are updated on the
  Administration > Server Configuration page.
  ◦ Brand - Indicates the brand, if any, related to the event.
  ◦ Time - Indicates the time the failure occurred.
  ◦ Summary - Provides information about the failure. For example, if the Management
    Data Service failed to establish a connection with a cluster, the table would be updated
    with a summary similar to the following:
    "Management data service skipping cluster 'Local Cluster' due
    to validation errors: At least one tenant must have TLS
    credentials signed by a trusted root CA."

    The summary also provides a link that you can click for additional details.
  ◦ Cluster - Indicates the cluster, if any, related to the event.
3. Click Refresh at the top of the System Failures table to view current system failures. Use the
forward and back arrows at the bottom of the table to display older or newer system failures in
the table.

Management Console Buttons


The following three buttons are always available in the top right-hand corner of the console.
• My Account - Click to display the account details page (for all administrators) and change the
  password for the administrator who is currently logged in (for local administrators not using Active
  Directory credentials to log in). See Displaying Your Account Information for instructions.
• Help - Click to display the help file including the Contents and Search panes.
• Log Out - Click to log out of the Management Console.

About SecureMail Tenants


This chapter describes how to create and configure tenants in the Management Console.

Understanding Tenants
Voltage SecureMail requires at least one tenant. You create the first tenant using the Setup Assistant
that runs the first time you log into the Management Console. The configuration, log, and application
data are associated with a tenant. Each tenant is mapped to one district and one domain.
You can create multiple tenants, using the Tenant Management page, if you want separate
cryptographic information for internal and external users, or if you have multiple internal email domains
that have different encryption needs.

Tenants Tab
Click the Tenants tab to display the Tenant Management page.

From the Tenant Management page, you can do the following:


• Add a New Tenant
• Edit a Tenant
• Enable or Disable a Tenant
• Copy a Tenant
• Delete a Tenant

Adding or Copying a Tenant


Voltage SecureMail requires at least one tenant. The first tenant is created automatically using the
Setup Assistant wizard that opens the first time you access the Management Console. If you need
multiple tenants, you can add a new tenant or copy and modify an existing tenant.
To add or copy a tenant:

1. Click the Tenants tab.


2. Do one of the following:
   • To add a new tenant, click New Tenant.
   • To copy a tenant, click Copy to the right of an existing tenant.

Using either of these methods, the tenant wizard displays. If you clicked Copy, the information
from the copied tenant is already populated in the wizard.

3. In the Tenant Name text box, enter a unique name for the new tenant.
The Tenant Name displays on various pages in the Management Console so that you can identify
it. It is not visible to the end users. It can be helpful to give the tenant a name that closely
resembles the name of the tenant domain.
4. Enter the Domain name for the tenant.
Users with an email address that contains the domain name you used to create the district and
tenant are automatically considered internal users for that district. The domain name must match
the domain name for the district that you are going to associate with this tenant.
5. Enter the Support Email Address.
The support email address is displayed to end users of the ZDM or Enrollment Service in various
templates. For example, when a ZDM error is displayed, the support email address that you enter
is displayed to the end user.
6. To create the new tenant in the Enabled status, leave Enabled selected. To disable the new
tenant, clear the check box.

7. Select the Locale for the tenant.


When you select a locale for a tenant the system default brand and the Enrollment Service
password recovery questions are localized for the selected locale. A column in the Tenants table
on the Tenant Management page displays the locale that you select.
You can also specify a locale in the Voltage SecureMail Brand Manager to create customized
brands for the selected locale. See the Voltage SecureMail Brand Manager User Guide for
instructions.
8. Enter comments in the Comments text box.
Comments are only displayed on the General Details tab.
9. Click Next to display the Configuring Tenant SSL Certificate Defaults page.

Enabling and Disabling Tenants


The status of a tenant is displayed in the Status column of the Tenant Management table. An option to
either Enable or Disable a tenant is available for each tenant depending on the current status of that
tenant. For example, if the tenant is disabled, only the option to enable the tenant is available.
To enable or disable a tenant, click Disable or Enable in the row of the tenant for which you want to
change the status.

Editing a Tenant
To change the details for a tenant, click the Tenants tab, then click Edit for the tenant you want to edit.
The Tenant Details page displays.

This page contains the following tabs:

• General - See General Tab section below for details.
• SSL Certificate Defaults - See Configuring Tenant SSL Certificate Defaults for details.
• Hostnames and SSL Certificates - See Understanding SSL Certificates for details.
• Branding - See Configuring Branding for a Tenant for details.

General Tab
When editing general tenant information you can change the following:
• Tenant Name - a unique name for the tenant. The Tenant Name displays on various pages in the
  Management Console so that you can identify it. It is not visible to the end users. When naming a
  tenant, use a unique name that identifies the tenant. For example, give the tenant a name that
  closely resembles the name of the tenant domain.
• Support Email Address - the support email address displayed to end users of the ZDM or
  Enrollment Service in various templates. For example, when a ZDM error is displayed, the support
  email address that you enter is displayed to the end user.
• Enable or Disable the tenant.
• Locale - default locale for the tenant. When you select a locale for a tenant, the system default brand
  and the Enrollment Service password recovery questions are localized for the selected locale. You
  can also specify a locale in the Voltage SecureMail Brand Manager to create customized brands for
  selected locales.
• Comments - for display on the General Details tab.

Configuring a New Tenant Hostname


On the Hostnames and SSL Certificates tab, you can set a hostname that is seen by users when
they read or compose ZDM email, and you can manage your SSL Certificates. See Understanding SSL
Certificates for information and instructions on managing SSL certificates. For more information about
SSL Certificates see SSL Certificate Requirements.

Selecting a Published Hostname


When a user reads or composes a ZDM email, the URL for the Public Parameter server is displayed in
the user's browser address field. You can use the default Public Parameter hostname URL, or you can
select a custom hostname if you do not want to use the Public Parameter server hostname. If you
choose to use a custom hostname, an additional IP address is required. In this case you need one IP
address for the Public Parameters and one IP address for the custom hostname.
The Public Parameter Hostname is displayed in the Published Tenant Hostnames box.
To set the hostname, do one of the following:
• To use the displayed Public Parameter Hostname, ensure that the Use Public Parameter
  Hostname option is selected (this is the default). If it is not, click to select it and then click Finish.
• To enter a Custom Tenant Hostname, do the following:

1. Click Use Custom Tenant Hostname.


2. Enter a Custom Tenant Hostname in the text box. This is a mandatory field if you selected
Use Custom Tenant Hostname.
3. Click Finish.

The Custom Tenant Hostnames that you created are displayed in the list box.

NOTE: If you have not created any Custom Tenant Hostnames, this option is not available for
selection. You can create a Custom Tenant Hostname when you add a tenant. To create a
Custom Tenant Hostname for an existing tenant, click New Tenant Hostname in the bottom
half of the current tab.

Configuring a New Tenant Hostname


To configure a new published tenant hostname:
1. Click Tenants, then click Edit next to the tenant you want to configure.
2. From the Tenant Details page, click the Hostnames and SSL Certificates tab.
3. In the Published Tenants Hostname table, click New Tenant Hostname.
4. Enter the new hostname that you want to create.
5. If you already have an SSL credential, you can import it on this page. Continue with step 6. If you
do not have an SSL credential for the new hostname, go to step 9.
6. Select Import Credential.
7. In the Credential File text box, enter the full path and file name of the credential file or click
Browse to navigate to the file. Select the file and then click Open.
8. In the Password text box, enter the password for the credential file that you are importing.
9. Click Finish.
The hostname is added to the table. If you did not import a credential file, you need to export a
CSR for the new hostname and send it to a CA. See Exporting a Certificate Signing Request for
instructions.

Configuring Tenant SSL Certificate Defaults


To configure the SSL certificate defaults for a tenant:
1. Click the Tenants tab, then click Edit next to a specific tenant or click New Tenant.
2. Click the SSL Certificate Defaults tab or click Next to view the SSL Certificate Defaults page
of the New Tenant wizard, then enter the following information about your organization:
   • Organization Unit - The department name or group within your company that is making the
     request. This field is optional.
   • Organization - The name of your company or organization. If your company or organization
     has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol
     or omit it to enroll. For example, XY&Z Corporation would be XYandZ Corporation or XYZ
     Corporation.
   • City/Locality - The city or locality where your organization is located.
   • State/Province - The state or province where your organization is located. Spell out the state
     completely. Do not abbreviate the state or province name, for example, California.
   • Country - The country where your organization is located. Use the two-letter country code
     without punctuation, for example: US or CA.
The Certificate Authority may wish to verify the accuracy of this information before issuing a
certificate.
3. Select a Key Strength.
The key strength must be 1024 or 2048 bits. Make sure that the Certificate Authority (CA) that you
intend to use supports the chosen key strength.

NOTE: If you are editing an existing tenant and you change the key strength, you must
also either delete the existing tenant hostname and re-create it, or configure a new tenant
hostname on the Hostnames and SSL Certificates tab. If you have only one tenant
hostname, you will need to create a placeholder tenant hostname before you can delete
and re-create the existing tenant hostname. You can then delete the placeholder when you
have finished. See Configuring Tenant Hostnames for details.

4. When you are finished, do one of the following:


   • Click Next to display Configuring Tenant Hostnames.
   • Click Save and Exit if you are finished editing the tenant.

This information is used to generate an SSL keypair and CSR that are then stored in your key store.
You must submit the contents of this file to a Certificate Authority to receive a valid SSL certificate. For
more information see, SSL Certificate Requirements.

Configuring Tenant Hostnames


When a user reads or composes a ZDM email, the URL for the Public Parameter server is displayed in
the user's browser address field. You can use the default Public Parameter hostname URL, or you can
enter a custom name if you do not want to use the Public Parameter server hostname.

NOTE: If you use a Custom Tenant Hostname, you must assign an IP address and acquire an
SSL certificate for the hostname you create.

The Public Parameter Hostname is displayed near the top of the tab.
On the Hostnames and SSL Certificates tab you can set a hostname that is seen by users when they
read or compose ZDM email, and you can manage your SSL Certificates. See Understanding SSL
Certificates for information and instructions on managing SSL certificates. For more information about
SSL Certificates see SSL Certificate Requirements.

Selecting a Published Hostname


When a user reads or composes a ZDM email, the URL for the Public Parameter server is displayed in
the user's browser address field. You can use the default Public Parameter hostname URL, or you can
select a custom hostname if you do not want to use the Public Parameter server hostname. If you
choose to use a custom hostname, an additional IP address is required. In this case, you need one IP
address for the Public Parameters and one IP address for the custom hostname.
The Public Parameter Hostname is displayed in the Published Tenant Hostnames box.
To set the hostname, do one of the following:
• Use the displayed Public Parameter Hostname by verifying that Use Public Parameter Hostname
  is selected (this is the default). If it is not selected, click to select it, then click Finish.
• Enter a Custom Tenant Hostname as follows:

1. Select Use Custom Tenant Hostname.


2. Enter a Custom Tenant Hostname in the text box. This is a mandatory field if you selected Use
Custom Tenant Hostname.
3. Click Finish.

The Custom Tenant Hostnames that you created are displayed in the list box.

NOTE: If you have not created any Custom Tenant Hostnames, this option is not available for
selection. You can create a Custom Tenant Hostname when you add a tenant. To create a
Custom Tenant Hostname for a tenant, click New Tenant Hostname in the bottom half of the
Hostnames and SSL Certificates tab.

Configuring a New Tenant Hostname


To configure a new published tenant hostname:
1. Click Tenants, then click Edit next to the tenant you want to configure.
2. From the Tenant Details page, click the Hostnames and SSL Certificates tab.
3. In the Published Tenants Hostname table, click New Tenant Hostname.
4. Enter the new hostname that you want to create.
5. If you already have an SSL credential, you can import it on this page. Continue with step 6. If you
do not have an SSL credential for the new hostname, go to step 9.
6. Click Import Credential.
7. In the Password text box, enter the password for the credential file that you are importing.
8. In the Credential File text box, type the full path and file name of the credential file or click
Browse to navigate to the file. Select the file and click Open.
9. Click Finish.

The hostname is added to the table. If you did not import a credential file, you need to export a
CSR for the new hostname and send it to a CA. See Exporting a Certificate Signing Request for
instructions.

Assigning Brands to a Tenant


From the Tenant Management page, click a tenant to view the Tenant Details page. This page lets
you add brand information to the tenant that you just created. See Configuring Branding for a Tenant for
instructions.

Understanding SSL Certificates


To ensure the security and integrity of client keys and the Voltage SecureMail policy, all
web requests between the client and the Voltage SecureMail server software are encrypted using SSL
v3 / TLS. SSL certificates are required for each server to ensure the authenticity of the connection from
the client to the server. You must request, receive, and import the required SSL certificates before you
can complete the full deployment of the Voltage SecureMail server and Voltage SecureMail Gateway.
The following SSL certificate is required for each tenant:
• voltage-pp-0000.<yourdomain> - the location to which Voltage clients connect in order to retrieve
  the public parameters for your district.

NOTE: Do not change this domain name. The Voltage clients use this location to access the
Key Management Server and public parameters.

You need one certificate for each tenant you plan to support, even if the same host machine is used for
multiple tenants. When you add a new tenant, a Certificate Signing Request (CSR) is generated for
each hostname.
You must also have an SSL Certificate for any custom tenant hostname you choose to create and use.
A CSR is generated for the custom tenant hostname.
The certificate issuance process could take as long as five days. For this reason, you should generate
your CSRs immediately after the initial installation of the Voltage SecureMail software.

Importing the Root Certificate for the Certificate Authority


The Voltage SecureMail server is shipped with a number of common Certificate Authority (CA)
certificates in the trust store. If you are using a less common CA or if you are using an internal CA, you
must import the root certificate of the CA that issued the SSL certificate into the server trust store. See
Importing CA and Root Certificates for instructions.

NOTE: It is not advisable to import non-root (intermediate or leaf) certificates into the trust
store. You should import intermediate certificates as part of the chain when you import the
specific hostname certificate.

Support for SSL Certificate Chains


The Import Certificate page supports installation of SSL certificate chains. You can import a chain of
SSL certificates where each certificate in the chain is the certificate for the signer of the next certificate
in the chain. See Importing an SSL Certificate Chain for instructions.

Managing SSL Certificates


From the Tenant > Tenant Management > Tenant Details > Hostnames and SSL Certificate page,
you can do the following:
• Export Certificate Signing Request - Export a CSR to send to the CA.
• Import Certificate - Once you have received your certificates from the CA, import them into the Key
  Management Server.

  Once you have imported a certificate, the host name in the Name column becomes a link. Click the
  host name to view the certificate details.
• Delete - Delete the CSR.
• Export Credential - Exports a credential to a file. This option only displays after a certificate has
  been successfully imported. Export your credential for back up purposes.

NOTE: The first time you see the Hostnames and SSL Certificates page after completing the
Secure Mail Setup Assistant, it contains a link named Export Temporary CA Certificate.
Click this link to download the temporary Voltage certificate authority. This certificate can be
used to test installations of the Voltage Encryption Client until you obtain a valid SSL certificate
for your server.

Exporting a Certificate Signing Request


From the Hostnames and SSL Certificates tab of the Tenant Details page, you can export a
Certificate Signing Request (CSR) to send to a Certification Authority (CA) and then import the signed
certificate once it is received. You can also regenerate a CSR.
For information on required SSL certificates, see SSL Certificate Requirements.
To export and submit the Certificate Signing Request to a CA:
1. Click the Tenants tab, then click Edit next to the tenant you want to configure.
2. Click the Hostnames and SSL Certificates tab, click Export Certificate Signing Request next
to the host name for which you are exporting the CSR.
The CSR is displayed.
3. Click Export Certificate Signing Request.
4. In the Save As text box, enter the location and file name for the CSR.
5. Repeat the above steps for each certificate you wish to create.

When you have submitted the CSRs and received certificates back from the CA, you must import
them. See Importing a Tenant Certificate for instructions.

Importing a Tenant Certificate


To import a tenant certificate:
1. Click the Tenant tab, then click Edit for the tenant you want to edit.
2. From the Tenant Details page, click the Hostnames and SSL Certificates tab.
3. In the Published Tenants Hostname table, click Import Certificate.
4. Select the type of import you want to do, either Import Text or Import File as follows:
   • To import a block of text:

The certificate issuing authority sends you a certificate that has a form similar to the following:
-----BEGIN CERTIFICATE-----
MIIDHTCCAgWgAwIBAgIBDjANBgkqhkiG9w0BAQUFADCBkjEVMBMGA1UEAxMMVm9s
tfJtTySMD3K2EEZnvdRPW4CkBE1YCgo/a2f2lbxjZRU7
-----END CERTIFICATE-----
a. Copy the certificate text, including the ”-----BEGIN CERTIFICATE-----” and
”-----END CERTIFICATE-----” delimiters.
b. In the PEM Certificate Text box, paste the certificate text into the space provided, then
click Import.

NOTE: If you are importing an SSL certificate chain, before clicking Import, import
the certificates in the chain. See Importing an SSL Certificate Chain below.

Once you have imported the certificate, the status label next to the host name in the Tenant
Details page displays Valid.

   • To import a file:
a. In the PEM certificate file text box, enter the name of the certificate file or click Browse to
navigate to the location of the file.
b. Click Upload, then click Import.

NOTE: If you are importing an SSL certificate chain, before clicking Import, import
the certificates in the chain. See Importing an SSL Certificate Chain below.

Importing an SSL Certificate Chain


You can import a chain of SSL certificates in which each certificate in the chain is the certificate for the
signer of the next certificate in the chain. To import a chain of SSL certificates, you import each issuing
CA certificate in order.
If the root certificate of the chain is not already installed, you must import it on the All Services tab.
See Importing CA and Root Certificates for instructions.
To import a chain of SSL Certificates:

1. Click Add Issuer's Certificate.


An Issuer's Certificate section is added to the Import Certificate page.
2. Import the issuing CA's certificate as a text block or certificate file as described in the above
sections.
3. If you have more issuers to add, click Add Issuer's Certificate again. You can add as many
certificates as you need.
4. Click Import when you are ready to import the chain.
The chain of certificates is checked to see if it forms a valid chain. In order for the chain to be valid,
the name of an issuer’s certificate matches the name of the issuer for the next certificate in the
chain and the last certificate in the chain matches the host name. If no errors are found, the
certificate is saved.
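The two checks just described (each certificate must be the signer of the next one, and the last certificate must be for the tenant hostname) can be run before the chain is pasted into the Import Certificate page, which also catches the most common copy-and-paste mistake from Importing a Tenant Certificate: missing BEGIN/END CERTIFICATE delimiters. The following is an added example, not code from Voltage SecureMail or Micro Focus. It splits PEM text into certificates, reads the subject and issuer common names with a minimal DER walker, and reports chain-order and hostname problems. The sample certificates it builds are constructed, unsigned skeletons that carry only the fields the walker reads; the CA names and the hostname voltage-pp-0000.example.com are placeholders.

```python
"""Pre-check an SSL certificate chain before importing it (added example, not product code)."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)
OID_COMMON_NAME = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3


def split_pem_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of each PEM block; reject text missing the delimiters."""
    bodies = PEM_BLOCK.findall(text)
    if not bodies:
        raise ValueError("no complete -----BEGIN/END CERTIFICATE----- block found")
    ders = []
    for body in bodies:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate block is not valid base64: {exc}") from exc
        if not der or der[0] != 0x30:  # an X.509 Certificate is always a DER SEQUENCE
            raise ValueError("certificate block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def _tlv_read(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes):
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _tlv_read(buf, pos)
        out.append((tag, value))
    return out


def _common_name(name_der: bytes) -> Optional[str]:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN value."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)[:2]
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return None


@dataclass(frozen=True)
class CertNames:
    subject: Optional[str]
    issuer: Optional[str]


def cert_names(der: bytes) -> CertNames:
    """Pull the issuer and subject CN out of Certificate.tbsCertificate."""
    _, cert, _ = _tlv_read(der, 0)
    fields = _children(_children(cert)[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # optional explicit [0] version field
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return CertNames(subject=_common_name(fields[4][1]), issuer=_common_name(fields[2][1]))


def validate_chain(chain: List[CertNames], hostname: str) -> List[str]:
    """Return the problems found; an empty list means the order and hostname are right."""
    if not chain:
        return ["chain is empty"]
    problems = []
    for i in range(len(chain) - 1):
        signer, signed = chain[i], chain[i + 1]
        if signer.subject != signed.issuer:
            problems.append(f"position {i}: '{signer.subject}' did not issue '{signed.subject}'")
    if chain[-1].subject != hostname:
        problems.append(f"last certificate '{chain[-1].subject}' is not for hostname '{hostname}'")
    return problems


def check_chain_text(pem_text: str, hostname: str) -> List[str]:
    """Parse pasted PEM text and validate it; any parse error is reported as a problem."""
    try:
        names = [cert_names(d) for d in split_pem_bundle(pem_text)]
    except ValueError as exc:
        return [str(exc)]
    return validate_chain(names, hostname)


# --- CONSTRUCTED sample input: unsigned certificate skeletons, never import such a file ---
def _tlv(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def constructed_cert_pem(subject_cn: str, issuer_cn: str) -> str:
    def name(cn: str) -> bytes:
        return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(0x0C, cn.encode()))))
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
               + name(issuer_cn) + validity + name(subject_cn))
    b64 = base64.b64encode(_tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Paste the chain in the same order the Import Certificate page expects (root or issuing CA first, host certificate last) and call check_chain_text(text, hostname); an empty list means the order and hostname agree. Real certificates from a CA go through cert_names unchanged, because the walker reads only the issuer and subject fields that every X.509 certificate carries.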

Testing Your SSL Connection


To test the SSL connection, open a browser window to the following address:
https://voltage-pp-0000.<yourdistrict>/resources/common/logo.gif
If your SSL certificate is configured correctly, the Voltage logo is displayed. If there is a problem with the
SSL connection, the browser displays an error. You must fix any issues that the browser reports. The
Voltage SecureMail client cannot connect if there are SSL errors.
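The same check can be scripted so that it runs after every certificate import or renewal rather than only when someone opens a browser. The following is an added example, not code from Voltage SecureMail or Micro Focus. It fetches the logo over HTTPS with full chain and hostname verification (any failure surfaces as ssl.SSLCertVerificationError, the class of error the page says must be fixed), and it reports how many days the server certificate has left so the value can be compared with the Management Console's expiry alert, which fires 30 days before expiry by default. The district example.com is a placeholder, and cafile is only needed when the issuing root is an internal CA absent from the machine's trust store.

```python
"""Test a tenant's public-parameter endpoint over TLS (added example, not product code)."""
import http.client
import ssl
import sys
import time
from typing import Dict, Optional

LOGO_PATH = "/resources/common/logo.gif"
DEFAULT_ALERT_DAYS = 30  # the Management Console's default "Alert Prior to Expiration"


def not_after_epoch(not_after: str) -> float:
    """Convert the notAfter string from getpeercert(), e.g. 'Jan 15 00:00:00 2030 GMT', to epoch seconds."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after: str, now: Optional[float] = None) -> int:
    """Whole days left before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((not_after_epoch(not_after) - now) // 86400)


def expiry_alert(not_after: str, alert_days: int = DEFAULT_ALERT_DAYS,
                 now: Optional[float] = None) -> bool:
    """True when the certificate is inside the alert window or already expired."""
    return days_until_expiry(not_after, now) <= alert_days


def check_tenant_endpoint(hostname: str, cafile: Optional[str] = None,
                          timeout: float = 10.0) -> Dict[str, object]:
    """Fetch the logo over HTTPS, verifying the chain (system trust store, or `cafile`
    for an internal CA) and the hostname; raises ssl.SSLCertVerificationError on failure."""
    context = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(hostname, 443, context=context, timeout=timeout)
    try:
        conn.connect()                   # TLS handshake and certificate verification happen here
        cert = conn.sock.getpeercert()   # read the peer certificate before the server may close
        conn.request("GET", LOGO_PATH)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    return {
        "status": resp.status,
        "is_gif": body[:6] in (b"GIF87a", b"GIF89a"),  # the page expects the Voltage logo image
        "not_after": cert["notAfter"],
        "days_left": days_until_expiry(cert["notAfter"]),
    }


if __name__ == "__main__":
    district = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder district
    result = check_tenant_endpoint(f"voltage-pp-0000.{district}")
    print(result)
    if expiry_alert(str(result["not_after"])):
        print(f"certificate expires within {DEFAULT_ALERT_DAYS} days; start the renewal procedure")
```

Run it as python check_tls.py yourdistrict from a machine that resolves the tenant hostname; a status of 200 with is_gif true reproduces the browser test, and days_left is the number the Home page alert is based on.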

Exporting a Tenant Credential


To export a tenant credential:
1. Click the Tenants tab, then click Edit next to the tenant you want to edit.
2. From the Tenant Details page, click the Hostnames and SSL Certificates tab.
3. In the Published Tenants Hostname table, click Export Credential.
4. Enter a password to be used to protect the exported credential file.

5. Re-enter the password to confirm.


6. Click Save in the File Download dialog box.
7. Select a location for the file and click Save in the Save As dialog box.
Store the file in a secure location. The SSL certificates are not as critical as the cryptographic
information, since you can request new certificates in case of loss. However, losing these
certificates would mean generating new Certificate Signing Requests and waiting for the
replacement certificates to be issued, a process that can take several days. In the meantime, you
cannot use your Key Management Server until the new certificates have been received and installed.
Certificates do not change over time, and so they do not need to be included in scheduled daily
backups.

Renewing an SSL Certificate


By default, the Home page of the Management Console displays an alert 30 days before your SSL
certificate expires. To change when you are alerted that a certificate is going to expire, use the Alert
Prior to Expiration * text box on the Administration > Server Configuration page. See Configuring
the Server for details.
You can renew an SSL certificate through any of the major certificate vendors, such as VeriSign,
Thawte, RapidSSL, GeoTrust, or GoDaddy. Note that if you use Entrust, you might need to contact
Micro Focus Voltage Support for additional assistance. Make sure that you request renewal for an SSL
Web Server Certificate.

NOTE: Voltage SecureMail does not support the SSL Web Server Certificates with EV
certificate type.

To renew a certificate:
1. Click the Tenant tab, then click Edit for the tenant that needs certificate renewal.
2. Click the SSL Certificate Defaults tab and fill in each of the fields. See Configuring Tenant SSL
Certificate Defaults for details. It is important to fill these fields accurately to ensure that the
certificate request is not rejected by the vendor.
3. Click the Hostnames and SSL Certificates tab, then click Export Certificate Signing Request
for the tenant hostname renewing a certificate.
4. Click Export Certificate Signing Request.
5. Click Save File, then click OK to download the file to the location specified by your browser. The
default name of the file is <hostname>.csr.
6. Send the .csr file to the SSL vendor.

NOTE: If the vendor asks for a server type, specify Apache.

7. When the SSL vendor returns a signed certificate to you, copy it to a location that is accessible
from the Management Console.
8. Click the Tenant tab and click Edit for the tenant with the renewed certificate.
9. Click the Hostnames and SSL Certificates tab, then click Import Certificate for the tenant
hostname with the renewed certificate.
10. Select Import File, then click Browse to navigate to the location where you saved the signed
certificate that the SSL vendor returned to you.
11. Click Import to import the certificate.
12. Verify with your certificate authority whether you need an intermediate CA.

If you need an intermediate CA, click Add Issuer’s Certificate, then paste the correct
intermediate certificate (obtained from the vendor) in the PEM Certificate Text field for the
Issuer’s Certificate.

13. Click Exit to return to the Hostnames and SSL Certificates tab.
14. Click Save and Exit to return to the Tenant Management page.

The renewed certificate will be available as soon as the data is pushed out to the hosts.
15. Click the System tab, then click Update All Clusters.

The renewed certificate is available for use.

Configuring Tenant Branding


The brand files contain information used to customize the appearance and contents of Voltage
SecureMail messages including localized versions of the brand. Use the Branding tab on the Tenant
Details page to set the default brand for the tenant and to import custom brand files that were created
with the Voltage SecureMail Brand Manager.
You can use more than one brand file per tenant, allowing you to create different brands for different
organizations in your company. Branding also lets you create and import brand files with different
locales. Localized brands are associated with a default brand that is used when the user's browser
language is not supported or cannot be determined.
Each brand file is assigned a URL based on the tenant domain and the Brand Name. For example, if
your tenant domain is www.mytenant.com and the brand name is mybrand, the brand URL is:
www.mytenant.com/login/br/mybrand.

NOTE: The brand name is case sensitive.

Brands are used by Voltage SecureMail in the following ways:


• When you create the SecureMail Client installer, you can choose the brand file that you want your
  users to use. You can also choose to allow users to select a brand if there is more than one brand file
  for the user's tenant. See the Voltage SecureMail Encryption Client Administrator's Guide.
• When you create a Gateway policy rule. You can either select the brand that you want to use in the rule, or
  use a brand specified in an X-Header. See Adding a Policy Rule for instructions.
• When a user reads a secure message using the Zero Download Messenger, the ZDM user is
  automatically directed to the brand URL based on the user's tenant URL combined with the brand
  name. If the user's browser is set to display in a specific language, the brand file for the specified
  language displays, if available for the tenant. If a localized brand file for that brand is not available for
  the tenant, the customized elements in the default brand file for the tenant are used.

Understanding Brand Files


The Voltage SecureMail Brand Manager allows you to customize the appearance and contents of the
Voltage SecureMail software web pages and email messages that are displayed or sent to your users.
You can easily change colors, add or modify text, and upload logos to create pages that reflect your
organization's existing styles and conventions. A custom brand file contains only the attributes that are
different from the attributes in the default Voltage SecureMail Brand file. When a brand is assigned to a
tenant, the server checks the assigned brand file for a value, for example a value for text, font, image or
color. If the server finds a value in the customized brand, that value is used.

If the value is not found in the customized brand file, the server uses the value in the default Voltage
SecureMail Brand file.

Tenant Default Brands

You can use the Voltage SecureMail Brand file or import a custom brand file created in Voltage
SecureMail Brand Manager to use as the tenant default brand.
The tenant default brand is used when a Zero Download Messenger user specifies a URL containing a
brand name that doesn't exist or if a brand file for the locale that matches the user's language
preference settings in the browser is not available. The Voltage SecureMail Brand is used as the tenant
default if there is no custom brand specified.

Brands and Locales

The Voltage SecureMail Brand includes a brand file for each locale listed in the dropdown on the
Branding tab. The currently selected locale determines the default locale for the Voltage SecureMail
Brand (default is English (United States)).
The Voltage SecureMail server detects the language preferences set in the user's browser and displays
content from the localized brand file if one is available. If the tenant does not have a brand file
localized in the language set in the browser language preferences, the content of the default brand file
is displayed.
For example, if a ZDM user has set the browser language preferences to Chinese (China) and the
Voltage SecureMail Brand is selected as the tenant default in the Management Console, the user sees
the elements and text from the Chinese (China) brand file of the Voltage SecureMail Brand. If the
browser language is set to a language that does not match any localized version of the brand, the
Voltage SecureMail Brand is displayed in English, its default locale.
You can use a custom brand created in Voltage SecureMail Brand Manager as the default brand for the
tenant and import localized brand files. If the user has several languages listed in the language
preferences in the browser, the server will try to match a localized brand file to the languages in the
order listed in the browser. For example, if Chinese (China) is listed first and then English, the server
will try to find the Chinese (China) locale brand file. If the brand is localized for Chinese, the user
experience will be in Chinese. If a Chinese brand is not found, the English locale brand file will be used
according to the browser language preferences. If a brand file is not found for Chinese or English, the
elements from the default brand file are displayed.
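The brand selection rules in the three sections above (custom attributes overlaid on the Voltage SecureMail Brand, the case-sensitive brand name in the URL, the tenant default brand as the fallback, and the browser-language order) are compact enough to model in a few lines. The following Python is an added example written for this guide, not Voltage SecureMail code: the attribute names, locale codes, brand values and the TenantBranding class are constructed for illustration, the brand URL form follows the tenant URL plus /login/br/ plus brand name described on the Branding tab, and the Accept-Language parsing assumes the browser lists locales in preference order (q-values are ignored).

```python
# Added example (not Voltage SecureMail code): a model of how a brand and its
# locale are chosen for a Zero Download Messenger request, following the rules
# described on the Branding tab. Attribute names and values are constructed.
from typing import Dict, List, Optional, Tuple

# The Voltage SecureMail Brand ships with a file for every locale; three are
# modelled here with placeholder attribute values.
VOLTAGE_BRAND: Dict[str, Dict[str, str]] = {
    "en-US": {"title": "Secure Message", "logo": "voltage.png", "accent": "#003366"},
    "zh-CN": {"title": "Secure Message [zh-CN]", "logo": "voltage.png", "accent": "#003366"},
    "de-DE": {"title": "Sichere Nachricht", "logo": "voltage.png", "accent": "#003366"},
}


class TenantBranding:
    """Brand files imported on a tenant's Branding tab. A custom brand file holds
    only the attributes that differ from the Voltage SecureMail Brand."""

    def __init__(self, tenant_url: str, default_locale: str = "en-US") -> None:
        self.tenant_url = tenant_url
        self.default_locale = default_locale
        self.custom_default: Optional[str] = None   # None: the Voltage SecureMail Brand is the default
        # brand name (case sensitive) -> locale -> overriding attributes only
        self.brands: Dict[str, Dict[str, Dict[str, str]]] = {}

    def import_brand(self, name: str, locale: str, overrides: Dict[str, str]) -> str:
        """Import a brand file (or add a locale to an existing brand); return its brand URL."""
        self.brands.setdefault(name, {})[locale] = overrides
        return f"{self.tenant_url}/login/br/{name}"


def browser_locales(accept_language: str) -> List[str]:
    """'zh-CN,en-US;q=0.8' -> ['zh-CN', 'en-US']: the browser's preference order.
    q-values are ignored, which assumes the browser lists locales in preference order."""
    return [part.split(";")[0].strip() for part in accept_language.split(",") if part.strip()]


def pick_locale(available, preferred: List[str], fallback: str) -> str:
    """First browser locale for which a brand file exists, else the default locale."""
    for locale in preferred:
        if locale in available:
            return locale
    return fallback


def resolve_brand(t: TenantBranding, requested: str,
                  accept_language: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (brand used, locale used, effective attributes) for a ZDM request
    to .../login/br/<requested> with the given Accept-Language header."""
    prefs = browser_locales(accept_language)
    # The lookup is case sensitive: a brand name that does not exist exactly as
    # entered falls back to the tenant default brand.
    name = requested if requested in t.brands else t.custom_default
    if name is None:
        locale = pick_locale(VOLTAGE_BRAND, prefs, t.default_locale)
        return "Voltage SecureMail Brand", locale, dict(VOLTAGE_BRAND[locale])
    files = t.brands[name]
    locale = pick_locale(files, prefs, t.default_locale)
    # Start from the default brand's values for that locale, then let every
    # attribute present in the custom file win; anything the custom file omits
    # keeps its default value.
    effective = dict(VOLTAGE_BRAND.get(locale, VOLTAGE_BRAND[t.default_locale]))
    effective.update(files.get(locale, {}))
    return name, locale, effective
```

resolve_brand returns which brand and locale were chosen alongside the merged attributes, so the three fallbacks (an unknown or differently-cased brand name, a browser language with no localized file, and an attribute the custom file omits) can each be checked separately.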

Managing Tenant Brand Files


From the Branding tab you can do the following:
• Select the default brand you wish to use for the tenant (Voltage SecureMail Brand or Custom Brand);
see Selecting a Tenant Brand.
• Import custom brand files to use for the tenant brand; see Importing a Brand File.
• Import locales for the brand files; see Adding Brand Locales.
• Change brand file details for the tenant; see Editing Brand Details.
• Delete brand files from the tenant.

Selecting a Tenant Brand


To select a tenant brand:
1. From the Tenant tab, click Edit next to a tenant.
2. From the Tenant Details page, click the Branding tab.

3. Choose whether to use the default brand or a customized brand. The tenant default brand is used
when a Zero Download Messenger user specifies a URL containing a brand name that doesn't
exist or if a brand file for the locale that matches the user's language preference settings in the
browser is not available. The Voltage SecureMail Brand is used as the tenant default if there is no
custom brand specified.
• To use the Voltage SecureMail default brand that is shipped with the server software, select
Voltage SecureMail Brand. Then select the default locale to display.
• To use a customized brand file created using the Voltage SecureMail Brand Manager, select
Custom Brand. Then select the custom brand you wish to use.

NOTE: If you have not imported a brand yet, the Custom Brand option is not available for
selection. To use a custom brand as the default, you must first import the tenant brand
file that you created. See Importing a Brand File for instructions.

4. Use the Available Brands section of the page to perform the following.

NOTE: If you have not imported a brand yet, no brands display in the Available Brands
section.

• Default Locale - Select the default locale for each of the brand files displayed. The locales
available are determined by the language of the brand file.
• Import Brand - Import brand files for use with the tenant. See Importing a Brand File.
• Add Locale - Import brand files in different languages for the tenant. See Adding Brand
Locales.
• Edit - Edit the description of an existing brand or replace the associated brand file. See
Editing Brand Details.
• Export - Export a brand file.
• Delete - Delete a brand file from the list.
• Delete Brand - Delete a brand and all of the brand files for the brand from the list of brands
available to the tenant.
5. When you are finished, click one of the following buttons:
• Save and Exit - Saves the entries, exits the Branding tab of the Tenant Details page and
displays the Tenant Management page.
• Save - Saves the entries but does not exit the Branding tab.
• Exit - Exits the Branding tab of the Tenant Details page and displays the Tenant Management
page without saving any of the changes.

Importing a Brand File


To import a brand file:
1. Click the Tenants tab. In a system with multiple tenants, you must then click Edit next to the
tenant name in the Tenant Management page.

The Tenant Details page displays.


2. Click the Branding tab.
3. In the Available Brands section, click Import Brand.

The Import Brand page displays.

4. In the Brand Name text box, enter the name that you want to use for the brand file that you are
importing.

NOTE: The brand name that you enter here is used in the brand URL. Brand names are
case sensitive. If you enter MyBrand as the brand name for tenant domain
www.mytenant.com the brand URL will be:
www.mytenant.com/login/br/MyBrand.

5. (Optional) In the Description text box, enter a description of the brand.


6. In the Upload New Brand text box, click Browse to navigate to the brand file.

NOTE: If you select a brand created in a previous version of Brand Manager, the file will be
updated to the current version on import into the Management Console. However, you may
wish to review the brand in Brand Manager to ensure that the pages continue to display as
intended.

7. Select the file name and then click Open.


The Upload New Brand text box is populated with the selected brand file and path.
8. Click Import.
The Branding tab displays the imported brand file in the Available Brands field.

See Also
Configuring Branding for a Tenant

Adding Brand Locales


From Brand Manager, you can localize a brand into more than a dozen languages (including English).
Localizing a brand means that all of the static text, such as variable and field name strings, is
translated into the target language. Text that can be customized for the brand is replaced with a
translation of the default text, so all customized text in the brand reverts to the default text in the
locale language. The resulting localized brand(s) can then be edited to customize the text for the locale.
When you localize a brand, the localized versions are associated with the brand, which becomes the
default brand for localization. Each localized brand is associated with the default brand locale.
After you have created all of the required locales for the brand, import them into the Management
Console for the tenant and default brand.
To add brand locales:
1. Import the default brand as described in Importing a Brand File.
2. On the Tenants tab, click Edit next to the tenant name. On the Branding tab of the Tenant
Details page, find the default brand for the locale you are adding and click Add Locale.
3. Add a description of the brand locale if needed.
4. Click Choose File and navigate to the localized brand file you exported from Brand Manager.
5. Click Import.

See Also
Configuring Branding for a Tenant

Editing Brand Details


Use the Brand Details page to edit the description of an existing brand or to replace the associated
brand file with a new brand file. In this way, you can update the brand without changing the brand URL.
You cannot change the displayed Brand Name.
To edit brand details:
1. On the Tenant tab, click Edit next to the tenant name, then click the Branding tab on the Tenant
Details page.
2. In the Available Brands section, expand the brand to show all brand locales and click Edit next
to the brand locale you wish to edit.
3. In the Description text box, add a new description or change the existing description. This is an
optional field.
The current brand file name that is associated with the Brand Name is displayed above the
Upload New Brand text box.

4. In the Upload New Brand text box, type the path for the brand file that you wish to use to replace
the current file or click Browse to navigate to the brand file. Select the file name and then click
Open.
The brand file is displayed in the Upload New Brand text box.
5. Click one of the following buttons:

• Save and Exit - Saves the entries and displays the Branding tab.
• Save - Saves the entries but does not exit the Brand Details page.
• Exit - Displays the Branding tab without saving any of the changes.

See Also
Configuring Branding for a Tenant
Importing a Brand File

About SecureMail Services


This chapter describes how to configure Voltage SecureMail Web services.

Understanding Services
The Services tab lets you configure the Voltage SecureMail services associated with a tenant. The
following services are available:
• IBE Service - From the IBE Service tab, you can set up authentication methods for users, control
which key servers can be used to encrypt outbound messages, and manage the districts that contain
the cryptographic information used to encrypt and decrypt messages.
• ZDM Service - From the ZDM Service tab, you can configure settings for the Zero Download
Messenger (ZDM). The ZDM Service allows end users who do not have the Voltage SecureMail
Encryption Client or a Voltage SecureMail-enabled platform to read, write, and reply to Voltage
SecureMail messages.
• Client Service - From the Client Service tab, you can enable the Voltage SecureMail Encryption
Client and configure the settings that apply to the client. You can also create the encryption rules
that the client uses.
• Gateway Service - From the Gateway Service tab, you can set the Domain, enable Re-encrypt
mode, enter encryption and decryption rules for the Gateway Service, and configure Public Key
Infrastructure (PKI) keys and domain identities.
• Enrollment Service - From the Enrollment Service tab, you can configure all of the settings for the
Enrollment Service. The Enrollment Service provides an authentication method for users of both the
Voltage Zero Download Messenger (ZDM) and the Voltage SecureMail Encryption Client.
• All Services - From the All Services tab, you can view the trusted certificates and configure
advanced system properties.

Understanding the IBE Service Summary Page


The IBE Service Summary page displays the tenants in your configuration. This page only displays if
you have more than one tenant. If you have only one tenant, the Configure IBE Service page for your
tenant is displayed.

To configure the IBE service for a tenant, click the name of the tenant.

See Understanding the Configure IBE Service Page for more information and instructions.

Understanding the Configure IBE Service Page


The Configure IBE Service page allows you to configure authentication methods, districts, and
encryption policies for the selected tenant. The name of the selected tenant is displayed in the title of
the page.
Click one of the following tabs to configure the selected tenant:
• Authentication - Here you can add and configure user authentication methods and component
authentication methods.
• Outbound Encryption Settings - Here you can specify the domains that are permitted to provide
keys for encrypting email.
• District - Here you can add, import, export or delete a district.

Understanding Authentication Methods


You can perform authentication using your existing enterprise authentication solution, such as Active
Directory or a domain server, or you can use alternative methods, such as Email Answerback or
Question and Answer on the Key Management Server. You can specify one or more authentication
methods for each tenant.
Users must successfully authenticate to receive keys from the Key Management Server. You can
provide different authentication methods for different sets of users by specifying a different Matching
Pattern for each authentication method.
Examples of matching pattern include:
• a single identity, such as janedoe@yahoo.com
• a range of users specified through wildcard matching, such as j*@yahoo.com
• an entire domain specified through wildcard matching, such as *@yahoo.com

When a user matches the pattern for a user authentication method, the Key Management Server
attempts to authenticate the user using that method. Users must successfully authenticate to receive
keys from the Key Management Server.

Authentication Method Types


Authentication methods are separated into two groups and are displayed in separate tables on the
Authentication tab:
• User Authentication: A user authentication method enables users to authenticate using a specified
authentication method. There are several types of user authentication methods, including Active
Directory, Question and Answer, POP3 and Email Answerback.
Click the New User Authentication Method link to add a User Authentication method.
For information and instructions, see Adding a User Authentication Method.
• Component Authentication: The Micro Focus SecureMail Gateway service uses component
authentication to authenticate to the Key Management Server and to request keys on behalf of a
specified user base. You can configure one or more component authentication methods to decrypt
secure email.
Click the New Component Authentication Method link to add a Component Authentication
method.
For information and instructions on adding a component authentication method, see Adding a
Component Authentication Method. For more information on how the SecureMail Gateway uses
component authentication, see Understanding the Gateway Service.

Processing Order
If you have multiple authentication methods, the Key Management Server attempts to authenticate a
user by beginning with the first method in the Component Authentication table. When the Key
Management Server can match the user to the matching criteria of an authentication method, that
method is used to authenticate the user. The Key Management Server stops at the first match between
the user and the criteria of an authentication method. If authentication then fails, the Key Management
Server does not continue to other authentication methods.
The order in which the authentication methods appear in the tables is therefore important. The
component authentication methods are processed first, in the order in which they appear in the table,
followed by the user authentication methods in the order specified in the Order column of the User
Authentication table. Because only the first matching method is tried (unless that method declines the
request; see Enabling Fall Through), a broad pattern such as * placed early in a table shadows every
method after it. Order the methods so that the most specific matching patterns come first and the
catch-all method comes last. To change the order of the methods in the User Authentication table,
change the number in the Order column for the method that you want to move, then click Update
Order.

NOTE: If your User Authentication table contains an entry for the Active Directory method, and
authentication is being attempted on a Linux cluster, the Active Directory method is skipped.
See Authenticating Internal and External Users for more information.

Adding a User Authentication Method


To add a user authentication method:

1. On the Services > IBE Service tab, click New User Authentication Method at the top of the
User Authentication table.
2. Click Show More Authentication Types to display all of the available user authentication
methods.
3. Choose one of the following user authentication methods:
• Enrollment Service - Use this method to authenticate external users outside the firewall.
External users may be external to your organization or network.
• Active Directory - If your organization uses an Active Directory server, you can use this
method to authenticate internal users who have an SMTP account.
• Domino LDAP - Use this method to authenticate users managed with a Domino LDAP
server.
• Email Answerback - Use this method to authenticate users without requiring them to create
an account (username/password). To authenticate, users click the link in the generated email
message they receive.
• External - This method is mainly used by Micro Focus Support on behalf of customers.

NOTE: It is recommended that you contact Micro Focus Support for assistance setting
up this user authentication method.

• POP3 - Use this method to authenticate internal users with POP3 accounts against their
POP3 server.
• Question and Answer - Use this method to authenticate users who know the answer to one
or more questions (a shared secret).

CAUTION: For security purposes, Micro Focus recommends that you use this
authentication method for testing purposes only.

• Remote - This method allows your organization to authenticate users over HTTP or through
the IdentityVerifier Java interface.

NOTE: It is recommended that you contact Micro Focus Support for assistance setting
up this user authentication method.

• Azure AD - With an advanced feature setting, you can integrate with Azure AD for user
authentication.

When adding a user authentication method, choose the most secure method available to your
server. 
Where possible, it is recommended that you use the Active Directory method for internal users
and the Enrollment Service method for external users. See Authenticating Internal and External
Users for additional details. If you use the Enrollment Service method, you must also configure
the Enrollment Service settings. See Understanding the Enrollment Service for more information.
4. Click Next to complete the Detailed Configuration for the type of user authentication method you
select. For more information for each type of authentication method, click the appropriate link
above.

Authenticating Internal and External Users


When configuring your Voltage SecureMail environment, you might choose to use a cluster within your
company firewall to authenticate your company's internal users and another cluster outside of the
firewall to authenticate external users.
If you want to use Windows Active Directory to authenticate the internal users, you must configure a
Windows cluster inside your company firewall and use the Active Directory user authentication
method.
To use the Enrollment Service to authenticate external users, you must configure a cluster outside of
your company firewall and configure an Enrollment user authentication method specific to that user
base.
In this case, you can add both the Active Directory method and the Enrollment method to the User
Authentication table. When a user attempts to authenticate on the internal cluster, the internal server
uses the Active Directory method to authenticate the user. When an external user attempts to
authenticate on the external cluster, the external server skips the Active Directory method and uses the
next method in the table which would be the Enrollment method.
In the case of an external cluster, the Active Directory method is skipped if the external cluster is
running Linux because that method is not applicable. If the external cluster is running Windows, the
Active Directory resource is unavailable due to the firewall. For these reasons, authentication of
external users would fall through to the Enrollment method.
This provides flexibility when you are configuring the authentication methods and allows you to use
different operating systems for one tenant.

NOTE: It is important that all of the servers in a cluster use the same operating system. You
cannot have one cluster that contains both Windows and Linux servers.

Adding an Enrollment Service Authentication Method


When using an Enrollment service, you must configure an Enrollment Service user authentication
method to hand off the authentication process to the Enrollment service.

NOTE: It is recommended that you use the Enrollment service and the Enrollment Service user
authentication method to authenticate external users.

To add an Enrollment Service user authentication method:


1. On the Services > IBE Service tab, click a tenant name. The Authentication tab for the
Configure IBE Service page displays.
2. Click New User Authentication Method. The New User Authentication Method page displays
with a list of user authentication methods.
3. Select Enrollment Service, then click Next.
4. On the New Enrollment Service Authentication Method page, in the Email Matching
Patterns text box, enter the pattern or patterns that you want the email to match, and click Add.

For example, to use the Enrollment Service authentication method for all external email
addresses, enter *. Because * matches every address, place this method after the methods for
internal users, such as Active Directory, in the User Authentication table; see Processing Order.

NOTE: Using an Advanced feature setting, you can import a list of white-listed users from across
domains and send them an invitation to enroll for ZDM. For more information on this feature,
consult Micro Focus Voltage Support.

5. From the Force Client User Re-Authentication drop down list, select how often you want users
to be required to re-authenticate.
Each time the user goes through the authentication process, the user receives a token that is used
for future authentication. This setting determines how long the token is valid for authentication.
After the Force Client User Re-Authentication period has expired, the user must go through the
authentication process again to receive a new token. The default value is Every Week (7 days).

NOTE: A comprehensive explanation of how to configure user re-authentication if you also
have Mobile Edition enabled is provided in the Voltage SecureMail Mobile Edition
Supplement. Contact Micro Focus Voltage Support for information on how to obtain this
document.

6. Click Finish.
The new method is added to the User Authentication table. The Name field within the table is
automatically set to Enrollment Service. You can edit the name and update the details for a
method at any time by clicking Edit next to the authentication method in the table.

Adding an Active Directory Authentication Method


You can use the Active Directory authentication method to authenticate internal users who have an
SMTP email account set up in your Active Directory.

NOTE: You must be using Microsoft Exchange 2010, 2013 or 2016 to use this authentication
method. When using an Active Directory authentication method, the token provided for the
individual user is also valid for any groups to which the user belongs or has delegated access.
Active Directory authentication is not supported for use with shared mailboxes when the IBE
server is installed on a Linux Appliance.

To add a new Active Directory user authentication method:


1. On the Services > IBE Service tab, click a tenant name if you have more than one tenant. The
Authentication tab on the Configure IBE Service page displays.
2. Click New User Authentication Method. The New User Authentication Method page displays
a list of user authentication methods.
3. Select Active Directory as the Authentication Method, then click Next.
4. On the New Active Directory Authentication Method page, in the Email Matching Patterns
text box, enter the email pattern or patterns against which you want users to be matched for
authentication.

Pattern matching of the values is case sensitive. You can use the following special characters:
? - Matches any single character
* - Matches any sequence of zero or more characters
\ - Escapes the *, ? and \ special characters
For example, to create a user authentication method for all addresses in mydomain.com, enter
*@mydomain.com.
If you add multiple values, the values are OR'd. This means that the email address does not need to
match all patterns; one matching value constitutes a match.
To remove one or more values, select the value and press the Delete button on the keyboard.
5. In the Applies to Windows Groups text box, enter the names of the Windows Groups you want
this authentication method to support.
This user authentication method only successfully authenticates users who are members of the
specified groups. The group "Everyone" is allowed.

NOTE: A space cannot be used as a separator for this field as group names may include
spaces. Acceptable separators are commas or line breaks.

6. From the Force Client User Re-Authentication list, select how often you want to require the
user to re-authenticate.
Each time the user goes through the authentication process, the user receives a token that can be
used for future authentication. This setting determines how long the token can be used for
authentication. After the Force Client User Re-Authentication period has expired, the user must
go through the authentication process again to receive a new token. The default value is Every
Week (7 days).

NOTE: A comprehensive explanation of how to configure user re-authentication if you also
have Mobile Edition enabled is provided in the Voltage SecureMail Mobile Edition
Supplement. Contact Micro Focus Support for information on how to obtain this document.

7. Select Fall Through Enabled if you want to enable the fall through feature. See Enabling Fall
Through for details.

If you have a Linux IBE server, or you have Mobile Edition installed on a Windows IBE server with
Mobile Policies enabled, you must have at least one Trusted LDAP Server Certificate imported. If
you do not, the Active Directory user authentication method is only enabled on Windows for
non-Mobile requests. On a Linux IBE server, or for requests from Mobile applications, all user
email addresses are processed as non-matches by the Active Directory user authentication
method and fall through to the next method in the User Authentication table, unless a valid Trusted
LDAP Server Certificate is specified.

NOTE: A comprehensive explanation of how to configure user authentication if you have
Mobile Edition enabled is provided in the Voltage SecureMail Mobile Edition Supplement.
Contact Micro Focus Voltage Support for information on how to obtain this document.

8. Select Delegate Access Enabled if you want to enable the delegate access feature.
When Delegate Access Enabled is selected, a delegate user is able to get a decryption or
encryption key for the user for whom they are a delegate. With Delegate Access Enabled
selected, all delegates, including reviewers, authors, and editors, are able to get keys. This
includes delegates for calendar, tasks, inbox, contacts, notes, and journal. Enable this feature
only where that is intended: a delegate with read-only (reviewer) rights to any one of those folders
can then obtain the user's decryption key.
9. Click Finish.
The new user authentication method is added to the User Authentication table. The Name field
within the table is automatically set to Active Directory. You can change the name and update the
details for a method at any time by clicking Edit next to the authentication method in the table.

Understanding the Active Directory User Authentication Process


When a user attempts to log in using an Active Directory user authentication method, the following
steps are performed for authentication and authorization:
1. The authentication method verifies that the specified email address matches the configured Email
Matching Patterns.
2. The authentication method verifies that the specified email address is associated with a Windows
group configured in the Applies to Windows group setting. This process uses the Active Directory
configured in the Active Directory resource.

3. The authentication method authenticates the user by requesting and verifying their domain
credentials (login). The credentials must be for a user that matches the email address, is a
member of the group that matches the email address, or is a delegated user for the user that
matches the email address (if Delegate Access is enabled).

NOTE: When you add an Active Directory user authentication method, you must also
specify an Active Directory server on the System tab. You can only specify one Active
Directory server per cluster and one Active Directory method per tenant. Additionally, if
you are using the Active Directory user authentication method, any Windows hosts in the
cluster must be members of the same domain as the Active Directory server.

Enabling Fall Through


Fall through enables authentication by another method when a user's email address does not meet
the criteria for the Active Directory user authentication method to authenticate the user. When the
Active Directory method cannot authenticate the user, authentication falls through to the next
method in the User Authentication table.
In the following situations, authentication falls through to the next user authentication method
whether or not you have selected Fall Through Enabled:
• The email address does not match the configured Email Matching Patterns.
• The email address does not exist in the Active Directory specified on the System tab.

The Fall Through Enabled setting governs the remaining case: the email address matches the
configured Email Matching Patterns and exists in Active Directory, but does not belong to any of the
groups specified in the Applies to Windows Groups box on the Active Directory Authentication
Method page. In this case, the Active Directory user authentication method declines to handle the
request. If you selected Fall Through Enabled, authentication falls through to the next user
authentication method in the list. If you did not select Fall Through Enabled, authentication fails.
A failed credential check never falls through; see Processing Order.
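The Email Matching Pattern syntax (Adding an Active Directory Authentication Method), the processing order of the two authentication tables (Processing Order) and the fall-through behaviour just described can be exercised together in one model. The following Python is an added example written for this guide, not Key Management Server code: the DIRECTORY entries, group names, passwords, the "enrolled-token" credential and the AuthMethod class are constructed stand-ins, and a real Active Directory method verifies domain credentials against the Active Directory resource configured on the System tab rather than against a dictionary.

```python
# Added example (not Voltage SecureMail code): a model of the Key Management
# Server's authentication method tables, showing the Email Matching Pattern
# syntax, the processing order and the fall-through behaviour described above.
# The directory entries, group names and credentials are constructed.
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an Email Matching Pattern: '?' matches one character, '*' matches
    zero or more, '\\' escapes '*', '?' and '\\'. Case sensitive (no IGNORECASE)."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            parts.append(re.escape(pattern[i + 1]))     # escaped special character
            i += 2
            continue
        parts.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches_any(patterns: List[str], email: str) -> bool:
    """Several patterns on one method are OR'd: a single hit is a match."""
    return any(pattern_to_regex(p).match(email) for p in patterns)


# A verifier returns True (authenticated), False (failed: the server stops) or
# None (the method declines the request, so the server moves on to the next one).
Verifier = Callable[[str, str], Optional[bool]]


@dataclass
class AuthMethod:
    name: str
    patterns: List[str]
    verify: Verifier
    order: int = 0          # the Order column of the User Authentication table


def authenticate(email: str, credential: str, component_methods: List[AuthMethod],
                 user_methods: List[AuthMethod]) -> Tuple[Optional[str], bool]:
    """Component methods first, in table order, then user methods by Order. The
    first method whose pattern matches handles the request; if it fails, no
    later method is tried. Only a declining method lets the search continue."""
    for method in list(component_methods) + sorted(user_methods, key=lambda m: m.order):
        if not matches_any(method.patterns, email):
            continue                          # no pattern match: try the next method
        result = method.verify(email, credential)
        if result is None:
            continue                          # declined: falls through
        return method.name, result
    return None, False                        # no method matched


# Constructed stand-in for the Active Directory resource configured on the System tab.
DIRECTORY = {
    "alice@mydomain.com": {"groups": ["Staff"], "password": "correct horse"},
    "bob@mydomain.com":   {"groups": ["Contractors"], "password": "battery staple"},
}


def active_directory(groups: List[str], fall_through: bool) -> Verifier:
    """The Active Directory method after its pattern check: group membership
    (Applies to Windows Groups), then the domain credential check."""
    def verify(email: str, credential: str) -> Optional[bool]:
        entry = DIRECTORY.get(email)
        if entry is None:
            return None                       # not in AD: falls through regardless of the setting
        in_group = "Everyone" in groups or bool(set(groups) & set(entry["groups"]))
        if not in_group:
            return None if fall_through else False
        return credential == entry["password"]
    return verify


def enrollment_service(email: str, credential: str) -> Optional[bool]:
    """Stand-in for the hand-off to the Enrollment Service; accepts a constructed token."""
    return credential == "enrolled-token"


# The internal/external layout recommended above: Active Directory for the
# company domain first, then the Enrollment Service with the catch-all pattern.
AD_METHOD = AuthMethod("Active Directory", ["*@mydomain.com"],
                       active_directory(["Staff"], fall_through=True), order=1)
ENROLLMENT_METHOD = AuthMethod("Enrollment Service", ["*"], enrollment_service, order=2)
```

Swapping the Order values of the two methods so that the catch-all Enrollment Service comes first shows the shadowing problem: every address then matches * and the Active Directory method is never consulted, and a wrong credential at the first matching method is a final failure rather than a fall-through.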

Adding a Domino LDAP Authentication Method


You can use the Domino LDAP authentication method to authenticate users who are managed within a
Domino LDAP server.
To add a Domino LDAP user authentication method:
1. On the Services > IBE Service tab, click a tenant name. The Configure IBE Service page
opens to the Authentication tab.
2. Click New User Authentication Method. The New User Authentication Method page displays
a list of user authentication methods.
3. Select Domino LDAP as the Authentication Method, then click Next.
4. In the Email Matching Patterns text box, enter the pattern or patterns that you want the emails to
match.
For example, to use the authentication method for all addresses in mydomain.com, enter
*@mydomain.com.
5. From the Force Client User Re-Authentication, select how often you want to require the user to
re-authenticate.
Each time the user goes through the authentication process, the user receives a token that can be
used for future authentication. This setting determines how long the token can be used for
authentication. After the Force Client User Re-Authentication period has expired, the user must
go through the authentication process again to receive a new token. The default value is Every
Week (7 days).

NOTE: A comprehensive explanation of how to configure user re-authentication if you also
have Mobile Edition enabled is provided in the Voltage SecureMail Mobile Edition
Supplement. Contact Micro Focus Support for information on how to obtain this document.

6. Click Fall Through Enabled to clear it, if you want to disable the fall through feature. Fall
Through Enabled is selected by default.

Fall through enables authentication when a user's email address does not meet the necessary
criteria for the Domino LDAP user authentication method to authenticate the user. If fall through is
enabled, when a user cannot be authenticated, authentication falls through to the next user
authentication method in the list on the User Authentication table.
7. Click Finish.

The new method is added to the User Authentication table. The Name field within the table is
automatically set to Domino LDAP. You can change the name and update the details for a method
at any time by clicking Edit next to the authentication method in the table.

NOTE: In order to use the Domino LDAP authentication method, you must configure a Domino
LDAP resource. See Configuring a Domino LDAP Resource for details.


Adding an Email Answerback Authentication Method


You can use an Email Answerback Authentication method to authenticate external users without
requiring them to create an account (username/password).
To add an Email Answerback user authentication method:
1. On the Services > IBE Services tab, click a tenant name. The Configure IBE Service page
opens to the Authentication tab.
2. Click New User Authentication Method. The New User Authentication Method page displays
a list of user authentication methods.

NOTE: Click Show More Authentication Types to see all of the authentication methods.

3. Select Email Answerback as the Authentication Method, then click Next.


4. On the New Email Answerback Authentication Method page, in the Email Matching Patterns
text box, enter the pattern or patterns that you want the email to match.
5. In the Force Client User Re-Answerback list, specify how often you want to require the user to
re-authenticate via Email Answerback.
Each time the user goes through the Email Answerback process, the user receives a token that
can be used for future authentication. This setting determines how long the token can be used for
authentication. After the Force Client User Re-Answerback period has expired, the user must
go through the email answerback process again to receive a new token. The default value is Every
Week (7 days).

NOTE: A comprehensive explanation of how to configure user re-authentication if you also
have Mobile Edition enabled is provided in the Voltage SecureMail Mobile Edition
Supplement. Contact Micro Focus Voltage Support for information on how to obtain this
document.

6. In the Email Message Header text box, enter the email address you want to appear in the From
address in all email.
NOTE: Since some anti-spam programs filter out email that includes mail@ in the sender's
address, we recommend that you exclude this from the address.
7. Enter the Reply To address you want to use.
8. In the Timeout text box, enter the number of minutes for which the email answerback link remains
valid.
If the user responds after the set time has expired, an error message is displayed instructing the
user to delete the Answerback email and start over with their request. Because the link proves only
that whoever clicked it can read mail sent to that address, keep the timeout short; a long timeout
extends the window in which a forwarded or intercepted answerback message can still be used.
9. Click Finish.

The new method is added to the User Authentication table. The Name field within the table is
automatically set to Email Answerback. You can change the name and update the details for a
method at any time by clicking Edit next to the authentication method in the table.


NOTE: If your configuration includes multiple clusters, you must also configure a Shared
Cluster Address so that requests made on one cluster can be completed on a different cluster.
See Configuring a Shared Cluster Address for details.

Adding an External Authentication Method


An External user authentication method allows you to redirect a user to a site that will authenticate that
user on your behalf. This site must present an interface to the user where they can enter their
password. It must also be able to return a redirect URL with a token upon successful authentication.

NOTE: This method is mainly used by Micro Focus on behalf of customers. Contact Micro
Focus Voltage Support for assistance in setting up this user authentication method.

To add an External user authentication method:


1. On the Services > IBE Services tab, click a tenant name. The Configure IBE Service page
opens to the Authentication tab.
2. Click New User Authentication Method. The New User Authentication Method page displays
a list of user authentication methods.
3. Click Show More Authentication Types to see all of the authentication methods.
4. Select External as the Authentication Method, then click Next.
5. On the External Authentication Method page, in the Email Matching Patterns text box, enter
the pattern or patterns that you want the email to match.
6. Enter a value in the Authentication Token Secret text box.
7. Re-type the same value in the Re-enter Authentication Token Secret text box.
8. From the Force Client User Re-Authentication, select how often you want to require the user to
re-authenticate.
Each time the user goes through the authentication process, the user receives a token that can be
used for future authentication. This setting determines how long the token can be used for
authentication. After the Force Client User Re-Authentication period has expired, the user must
go through the authentication process again to receive a new token. The default value is Every
Week (7 days).

NOTE: A comprehensive explanation of how to configure user re-authentication if you also
have Mobile Edition enabled is provided in the Voltage SecureMail Mobile Edition
Supplement. Contact Micro Focus Support for information on how to obtain this document.

9. Enter a value in the Redirect To URL text box. The URL must be password-protected.
10. Click Finish.

The new method is added to the User Authentication table. The Name field within the table is
automatically set to External. You can change the name and update the details for a method at
any time by clicking Edit next to the authentication method in the table.


Adding a POP3 Authentication Method


You can use a POP3 user authentication method to authenticate users against a POP3 server.
To add a POP3 user authentication method:
1. On the Services > IBE Services tab, click a tenant name. The Configure IBE Service page
opens to the Authentication tab.
2. Click New User Authentication Method. The New User Authentication Method page displays
a list of user authentication methods.

NOTE: Click Show More Authentication Types to see all of the authentication methods.

3. Select POP3 as the Authentication Method, then click Next.
4. In the Email Matching Patterns text box, enter the pattern or patterns that you want the emails to
match.
For example, to use the authentication method for all addresses in mydomain.com, enter
*@mydomain.com.
5. From the Force Client User Re-Authentication list, select how often you want to require the user
to re-authenticate.
Each time the user goes through the authentication process, the user receives a token that can be
used for future authentication. This setting determines how long the token can be used for
authentication. After the Force Client User Re-Authentication period has expired, the user must
go through the authentication process again to receive a new token. The default value is Every
Week (7 days).

NOTE: A comprehensive explanation of how to configure user re-authentication if you also
have Mobile Edition enabled is provided in the Voltage SecureMail Mobile Edition
Supplement. Contact Micro Focus Voltage Support for information on how to obtain this
document.

6. Enter the Default Domain to which user names will expand.
For example, enter mydomain.com to have alice expand to alice@mydomain.com.
7. Click Finish.
The new method is added to the User Authentication table. The Name field within the table is
automatically set to POP3. You can change the name and update the details for a method at any
time by clicking Edit next to the authentication method in the table.

NOTE: When you add a POP3 user authentication method, you must also specify a POP3
server on the System tab. You can only specify one POP3 server per cluster and one
POP3 user authentication method per tenant. When you specify a POP3 server on the
System tab, you can choose to use SSL to protect the connection between the Key
Management Server and the POP3 server (for example, a Microsoft Exchange server).
Because POP3 sends the user's password in cleartext when SSL is not used, we
recommend that you enable it.


Adding a Question and Answer Authentication Method


You can use a Question and Answer user authentication method to authenticate users who know the
answer to one or more questions (shared secret).
To add a Question and Answer user authentication method:
1. On the Services > IBE Services tab, click a tenant name. The Configure IBE Service page
opens to the Authentication tab.
2. Click New User Authentication Method. The New User Authentication Method page displays
a list of user authentication methods.

NOTE: Click Show More Authentication Types to see all of the authentication methods.

3. Select Question and Answer as the Authentication Method, then click Next.
4. In the Email Matching Patterns text box, enter the pattern that you want the emails to match,
and then click Add.
For example, to use this method for all addresses in mydomain.com, enter *@mydomain.com.
5. In the Force Client User Re-Quiz list, select how often you want to require the user to re-
authenticate by answering the question(s) again. Each time the user goes through the Question
and Answer process, the user receives a token that can be used for future authentication. The
Force Client User Re-Quiz setting determines how long the token can be used for authentication.
After the period has expired, the user must go through the Question and Answer process again to
receive a new token.

NOTE: A comprehensive explanation of how to configure user re-authentication if you also
have Mobile Edition enabled is provided in the Voltage SecureMail Mobile Edition
Supplement. Contact Micro Focus Support for information on how to obtain this document.

6. In the Question and Answer Set text box, enter the Question and Answer(s) that you want to
use. This box contains an example of the format to use. As a simple way to get started, you can
modify and use this sample. Because the answers are the shared secret that authenticates the
user, choose questions whose answers cannot be guessed or looked up by someone else.
7. Click Finish.
The new method is added to the User Authentication table. The Name field within the table is
automatically set to Question and Answer. You can change the name and update the details for a
method at any time by clicking Edit next to the authentication method in the table.

Adding a Remote Authentication Method


This method allows your organization to authenticate users through an application of its own, reached
either over the HTTP protocol or through a Java class that implements the IdentityVerifier interface.

NOTE: For assistance setting up a remote authentication method, it is recommended that you
contact your Micro Focus Voltage representative.

To add a Remote user authentication method:


1. On the Services > IBE Services tab, click a tenant name. The Configure IBE Service page
opens to the Authentication tab.
2. Click New User Authentication Method. The New User Authentication Method page displays
a list of user authentication methods.

NOTE: Click Show More Authentication Types to see all of the authentication methods.

3. Select Remote as the User Authentication Method, then click Next.


4. In the Email Matching Patterns text box, enter the pattern or patterns that you want the email to
match.
For example, to use this authentication method for all addresses in mydomain.com, enter
*@mydomain.com. The text appears in the list box next to Email Matching Patterns.
5. From the Force Client User Re-Authentication, select how often you want to require the user to
re-authenticate.
Each time the user goes through the authentication process, the user receives a token that can be
used for future authentication. This setting determines how long the token can be used for
authentication. After the Force Client User Re-Authentication period has expired, the user must
go through the authentication process again to receive a new token. The default value is Every
Week (7 days).

NOTE: A comprehensive explanation of how to configure user re-authentication if you also
have Mobile Edition enabled is provided in the Voltage SecureMail Mobile Edition
Supplement. Contact Micro Focus Support for information on how to obtain this document.

6. From the Authentication Mode list, select one of the following:
• Web Page Authentication: Displays a web page on which users enter a user name and
password.
• Pop-up Dialog Authentication: Displays a dialog box in which users enter a user name and
password.
7. From the Application Interface list, specify the mechanism that you want the Remote user
authentication method to use to communicate with the authentication application. Select one of
the following from the drop down list box:
• HTTP: Use the HTTP protocol. You must then specify a URL in step 8.
• Identity Verifier: Allows remote authentication applications to be co-located with the Voltage
SecureMail Server. If you choose this option, you must specify the Verifier Class Name, which
must implement the IdentityVerifier Java interface. You can also add one or more Initialization
Parameters (name/value pairs).

NOTE: To access the IdentityVerifier Java interface, contact your Micro Focus Voltage
representative.

8. If you selected HTTP, enter a URL in the Remote Server URL text box. Use an https:// URL so
that the credentials passed to the authentication application are protected in transit.
9. Click Finish.


The new method is added to the User Authentication table. The Name field within the table is
automatically set to Remote. You can change the name and update the details for a method at any
time by clicking Edit next to the authentication method in the table.

Adding a Component Authentication Method


A component authentication method enables a trusted component to authenticate itself and download
the keys of any user automatically when needed.
To add a new component authentication method:
1. On the Services > IBE Service tab, click a tenant name. The Configure IBE Service page
opens to the Authentication tab.
2. Click New Component Authentication Method.
3. On the New Component Authentication Method page, in the Email Matching Patterns text
box, enter the pattern or patterns that you want the email to match.
For example, to use the component authentication method for all addresses in mydomain.com,
enter *@mydomain.com.
4. In the From IP Address text box, leave the default All, or enter the IP address of the Gateway
Server. Because this method lets the component download any user's keys, we recommend that you
restrict it to the component's own address rather than leaving All.
5. In the Authentication Token Secret text box, enter the Authentication Token Secret.
The secret can be any string of letters, numbers, and other characters. Use a long, randomly
generated value: anyone who knows it and can reach the server from a permitted address can
authenticate as the component. Make sure that the token secret matches the token secret
configured for the external component it works with (such as Voltage SecureMail Archive
Connector or Voltage SecureMail for Blackberry).
6. Type the same string in the Re-enter Authentication Token Secret text box.
7. Click Finish.
The new component authentication method is added to the Component Authentication table. The
Name field within the table is automatically set to Component. You can change the name and
update the details for a method at any time by clicking Edit next to the authentication method in
the table.

Using Azure AD
With an advanced feature setting, you can integrate with Azure AD for user authentication. Configuring
Azure AD authentication for SecureMail begins with registering SecureMail on the Azure portal.
Registration produces the client ID and client secret that are required to complete configuration on the
SecureMail Management Console. See the Voltage SecureMail and Azure AD Supplement.

Configuring Outbound Encryption Settings


The Outbound Encryption Settings tab allows you to specify which server (the local server or the
recipient's server) is to be used for encrypting email. The server selected is the one that is used when
accessing a decryption key. Click Services > IBE Service > Outbound Encryption Settings to
display this tab.


When a local user sends an encrypted message, the client must determine which server to use to
authenticate a recipient. In this scenario, the client can be any component that is selecting the
recipient's authentication server, such as the Voltage SecureMail Encryption Client, the Gateway
service, the Zero Download Messenger, or the Voltage SecureMail Key Management Server.
For each recipient, the client determines which server to use in the following way:
First the client checks whether the recipient is internal or external. A recipient is internal if their email
address matches the local domain exactly. For example, user@example.com is internal to
example.com, but external to foo.example.com or foo.com. If the recipient is internal, the local Key
Management Server always provides the key for the recipient.
Next, if the recipient is external, the client checks whether the domain of the recipient is available for
providing the key. If the domain is not responding, the local Key Management Server provides the key.
If the domain is responding and available, one of the following options is used. Choose an option
depending on the degree of restriction required:
• When a Key Management Server is available for a domain, allow it to provide keys

If you select this option, any domain is permitted to provide keys, as long as that domain is available.
This is the least restrictive option available.
• Only allow the following domains to provide keys (in addition to <domain_name>)

If you select this option, you must specify one or more domains that are permitted to provide keys.
Keys for all other email addresses that do not match these domains are provided by the local key
server. In order to provide the key, the domain of the recipient must match one of the specified
domains, and that domain must be available. Wildcards can be used in a domain name. For
example:
*.example.com allows any sub-domain of example.com
example?.com allows domains such as example1.com, exampleb.com, and so on.


• The Key Management Server for the domain <domain_name> will provide all keys

If you select this option, only the local Key Management Server is permitted to provide keys. This is
the most restrictive option available.
For example, if the local domain is example.com, a recipient is user@foo.com, and the foo.com
domain is available and responding, then keys are provided as follows:
• If the first option is selected, the foo.com domain provides the key for the recipient.
• If the second option is selected and foo.com is listed, the foo.com domain provides the key for the
recipient.
• If the second option is selected, but foo.com is not listed, the local domain (example.com) provides
the key for the recipient.
• If the third option is selected, the local domain (example.com) provides the key for the recipient.

After selecting one of the options, click Save to save your changes. Verify that the following message
displays:
Successfully saved IBE Encryption changes for tenant <tenant_name>
Click Exit to return to the IBE Service Summary page.
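The selection procedure described above, carried through in code as an added example (not product code and not part of this guide): the function applies the internal check, the availability check and the selected option in that order, and uses the same wildcard forms as the console. The `available` set stands in for the live check of whether a domain's Key Management Server responds; the domain names are the ones from the guide's own example.

```python
from fnmatch import fnmatch

# The three Outbound Encryption Settings options, in order of increasing restriction.
ANY_AVAILABLE = "any_available_domain"   # option 1: any responding domain may provide keys
LISTED_ONLY = "listed_domains_only"      # option 2: local domain plus an allow-list
LOCAL_ONLY = "local_only"                # option 3: the local server provides all keys


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


def key_server_for(recipient, local_domain, option, allowed=(), available=()):
    """Return the domain whose Key Management Server provides the recipient's key.

    `available` stands in for the live check of whether the recipient domain's
    Key Management Server is responding (an assumption of this example).
    """
    local_domain = local_domain.lower()
    rdomain = domain_of(recipient)
    responding = {d.lower() for d in available}

    # 1. Internal recipient: the match is exact, so foo.example.com is external
    #    to example.com. The local server always provides the key.
    if rdomain == local_domain:
        return local_domain
    # 2. External recipient whose domain is not responding: local server.
    if rdomain not in responding:
        return local_domain
    # 3. The domain is responding: apply the selected option.
    if option == ANY_AVAILABLE:
        return rdomain
    if option == LISTED_ONLY:
        # Wildcards as in the console: *.example.com, example?.com
        if any(fnmatch(rdomain, pattern.lower()) for pattern in allowed):
            return rdomain
        return local_domain
    if option == LOCAL_ONLY:
        return local_domain
    raise ValueError(f"unknown option: {option!r}")


if __name__ == "__main__":
    # The guide's example: local domain example.com, recipient user@foo.com, foo.com responding.
    responding = {"foo.com", "example1.com"}
    cases = ((ANY_AVAILABLE, ()), (LISTED_ONLY, ("foo.com",)),
             (LISTED_ONLY, ("*.example.com", "example?.com")), (LOCAL_ONLY, ()))
    for option, allowed in cases:
        print(option, allowed, "->",
              key_server_for("user@foo.com", "example.com", option, allowed, responding))
    print("example1.com via wildcard ->",
          key_server_for("user@example1.com", "example.com", LISTED_ONLY, ("example?.com",), responding))
    print("domain not responding ->",
          key_server_for("user@bar.com", "example.com", ANY_AVAILABLE, (), responding))
```

The availability fallback in step 2 is worth noticing when reviewing a configuration: under any of the three options, a remote domain that does not respond causes the local server to issue the key, so the least restrictive option only hands out keys to remote servers that are actually reachable.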

NOTE: Each local user can also set rules for automatically encrypting email on the Voltage
SecureMail Encryption Client. See Adding a Policy Rule for more information.

Understanding Districts
For each tenant you create, a district is generated by the Management Console. Generating a new
district creates the cryptographic information that is at the core of the encryption and decryption
process. The district information for each district is unique and includes the following:
• District cryptographics - the underlying encryption technology that is used to generate IBE keys
for users in the district. The district cryptographics are different for each district.
• District location - the unique domain name that external users employ to locate the public
parameters.

A single district is associated with a single tenant. When you create a district, you enter a domain
name. The server software generates the district name by appending a serial number to the domain
name that you entered. Users whose email address contains the domain name that you used to create
the district are automatically considered internal users for that district and tenant. See Determining
Users of Your District for information about the relationship between users and districts.
You can host the same district on more than one server for load balancing, or to provide secure access
to the Key Management Server for users in different geographical locations.
The District tab contains a list of districts for the selected tenant.
From the District tab, you can:
• Add a District
• Delete a District
• Export a District
• Import a District

Determining Users of Your District


The Key Management Server attempts to locate a district for a user as follows:
1. The Key Management Server checks to see if the user is internal. If so, the tenant's latest district
is used.
2. The Key Management Server checks to see if the user is a provisioned user for the district to
which they sent the email. If so, the local district parameters are used.
3. If the user is not a provisioned user for the local district, the Key Management Server extracts the
recipient’s domain from his or her email address and checks for district information using that
domain name. If a district exists, the district information associated with the recipient’s email
domain is used.
4. If the previous two steps fail, the Key Management Server checks for a fall-through district. If a
fall-through district is specified, the fall-through district information is used. If there is no fall-
through district specified, the encryption fails, and the Voltage SecureMail client displays a
message informing the sender that he or she cannot encrypt to that address.
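The four-step lookup above, as an added example that is not part of this guide or of the product: a Python model of a tenant with two districts (the second created by a rollover), a provisioned external user, a district published by another domain, and an optional fall-through district. The `published` mapping stands in for the lookup of district information by domain name in step 3; the tenant, district names and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class District:
    name: str      # district name as generated by the console: domain plus serial number
    domain: str    # domain entered when the district was created


@dataclass
class Tenant:
    domain: str
    districts: List[District]                      # oldest first; the last entry is the latest
    provisioned_users: Set[str] = field(default_factory=set)
    fall_through_district: Optional[District] = None


def find_district(tenant: Tenant, email: str, published: Dict[str, District]) -> Optional[District]:
    """Locate the district whose parameters are used to encrypt to `email`.

    `published` maps a domain to the district its Key Management Server publishes
    (assumption: a lookup keyed by domain name, as the guide describes in step 3).
    Returns None when no district applies and encryption must fail.
    """
    email = email.lower()
    domain = email.rsplit("@", 1)[1]
    local = tenant.districts[-1]
    if domain == tenant.domain.lower():         # 1. internal user: the tenant's latest district
        return local
    if email in tenant.provisioned_users:       # 2. provisioned for the local district
        return local
    if domain in published:                     # 3. a district exists for the recipient's domain
        return published[domain]
    return tenant.fall_through_district         # 4. fall-through district, or None (encryption fails)


# Constructed sample data (assumption).
EXAMPLE_OLD = District("example.com-1001", "example.com")
EXAMPLE_NEW = District("example.com-1002", "example.com")   # latest, created by a rollover
PARTNER = District("partner.com-1", "partner.com")
FALLBACK = District("fallthrough.example.com-1", "fallthrough.example.com")

TENANT = Tenant("example.com", [EXAMPLE_OLD, EXAMPLE_NEW],
                provisioned_users={"guest@mail.example"}, fall_through_district=FALLBACK)
PUBLISHED = {"partner.com": PARTNER}


if __name__ == "__main__":
    for addr in ("alice@example.com", "guest@mail.example", "bob@partner.com", "eve@unknown.example"):
        d = find_district(TENANT, addr, PUBLISHED)
        print(addr, "->", d.name if d else "encryption fails")
    no_fallback = Tenant("example.com", [EXAMPLE_NEW])
    print("without a fall-through district:", find_district(no_fallback, "eve@unknown.example", PUBLISHED))
```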

District Information Protection


Your district information is stored in the Maria Database (MariaDB). This record is encrypted with a
symmetric key created during the software installation.

Windows Server
On a Windows server, the server software entrusts the persistent storage of the randomly generated
key with the Windows Local Security Authority (LSA) which stores it on disk encrypted with the
Windows System Key (Syskey). This means that compromise of your server's Syskey must be
considered to be a compromise of your district information.
You can search for more information about Syskey at:
http://support.microsoft.com/

Linux Appliance
On a Linux Appliance, you must specify a strong password. See the Voltage SecureMail Installation
and Upgrade Guide for instructions.

Determining a Rollover Plan


Rollover occurs whenever your enterprise needs to replace its cryptographic information for any
reason. When you replace your cryptographic information, your public parameters are updated and all
client authentication tokens become invalid. Users are required to reauthenticate to obtain new
tokens. Because a user's public key is the user's email address, the address itself does not change.
When you roll over the cryptographic information, you can use one of the following approaches:

• Overlap - In this case, the enterprise supports both the current, newly-generated public parameters
and the previous public parameters. The following advantages and disadvantages must be
considered:
  o Provides for a clean, smooth transition.
  o If the previous cryptographic information has been compromised, messages encrypted and
decrypted under the previous public parameters remain insecure for as long as they are supported.
• Controlled Overlap - Publicly, the enterprise only supports the current, newly-generated
cryptographic information and public parameters. An additional, administratively-controlled Voltage
SecureMail server, hosting the previous cryptographic information and public parameters, is kept
operational for translation of previously encrypted messages and files.
  o Allows recovery of encrypted data on request.
  o Ensures the security of previously encrypted data, even if the previous cryptographic
information has been compromised.
  o Requires an additional Voltage SecureMail server to host the previous cryptographic
information and public parameters.
• No Overlap - In this case the enterprise only supports the new public parameters.
  o Requires a translation plan for important data. Data must be translated before finalizing the
transition to the new cryptographic information and public parameters.
  o All untranslated data becomes inaccessible.

Adding a District
In order to deploy the Voltage SecureMail server software, you must generate at least one district.
To add a district:
1. Click the Services tab and then click IBE Service.
2. Click the Tenant name for which you want to create a district.
3. On the Configure IBE Service page, click the District tab, then click New District at the top of
the IBE District(s) table.
The cryptographic information is generated. The district you have created is given a serial number
and expiration date and is added to the IBE District(s) table.

To back up and store the district information in a secure location, you should export the district
immediately after you add it. See Exporting a District for details.

NOTE: The cryptographic information that is created when you generate a district is vital and
cannot be recovered in the event of a server loss. Therefore, you must back up this information
to external storage when you create the district. See Understanding Back Up and Restore for
more information.


Importing, Exporting, or Deleting a District


After installing and implementing your Voltage SecureMail Server software, you can manage existing
districts by exporting, importing, or deleting a district.

Exporting a District
To back up district information, export the district to a secure location immediately after creating it by
clicking Export for the district in the IBE District(s) table. The cryptographic information is critical
information that cannot be recovered in case of loss unless it has been backed up. See Exporting a
District for instructions.

Importing a District
If you have exported your district, you can load the district information back onto a server by clicking
Import District on the District tab. You can also use this functionality to restore a district after server
failure or to load the district information generated on one server to another server to create a hot spare
for your server. See Importing a District for instructions.

Deleting a District
Deleting a district removes the cryptographic information associated with the district from the server. In
most situations, you would not want to delete a district. However, in the case of district rollover, for
example, in the case of the expiration of the cryptographic information, you create a new district.
Depending on your rollover plan, you might continue to host the old district for a while. Once rollover is
completed and the appropriate files have been converted, you should delete the old district and its
cryptographic information. For information on rolling over a district see Determining a Rollover Plan.
To delete a district, click Delete for that district in the IBE District(s) table.

NOTE: If you have previously exported the district, the district information can be restored later
using the Import District functionality. If you have not exported the district, the cryptographic
information cannot be recovered.

Exporting a District
Once you have created the district, it is important to export the district information to a file for backup
purposes. If you do not create a backup, the district cryptographic information and public parameters
are not recoverable in the case of server loss. If this happens, all messages encrypted under your
district cannot be recovered.
When exporting your district, you enter a password at the Export IBE District page and it is used to
encrypt the district information. Your password must meet the following requirements:
• Eight characters or more in length
• Contain at least one letter
• Contain at least one number

These are minimum requirements. Because the exported file contains the district cryptographic
information, use a long passphrase that is not reused elsewhere, and keep it in a separate secure
location from the backup file itself.
See the following URLs for more information on creating a strong password:
Microsoft: http://www.microsoft.com/security/articles/password.asp


SANS guidelines: http://www.sans.org/resources/policies/Password_Policy.pdf


The district backup file is stored as a .vms file. The filename is the district name, including the serial
number. You can store this backup file anywhere on your disk or on removable media. Make sure to
keep a copy on a machine other than the Voltage SecureMail server machine in case of disk failure.
To export a district:
1. Click the Services tab and then click IBE Service.
2. Click the Tenant name for which you want to create a district.
3. On the Configure IBE Service page, click the District tab, then click Export for that district in
the IBE District(s) table.
4. On the Export IBE District page, enter a strong password. Your password must meet the
following requirements:
• Eight characters or more in length
• At least one letter
• At least one number
5. To verify the password, type the password again in the Re-enter Password field.
6. Click Export.
7. In the Save As dialog box, choose the location where you want to save the file and click Save.
A .vms file containing the cryptographic information is created in the location that you chose. The
filename is the district name including the serial number.
8. Click Exit to return to the Configure IBE Service page.

Importing a District
To import a district:
1. Click the Services tab and then click IBE Service.
2. If you have only one tenant, skip to step 3.
If you have more than one tenant, click the Tenant name for which you want to import a district.
3. On the Configure IBE Service page, click the District tab, then click Import District at the top
of the IBE District(s) table.
4. On the Import IBE District page, enter the name of the .vms file that contains the district
information that you want to import.
or
Click Browse to navigate to the file. Select the file and click Open.
5. Enter the password you used to encrypt the file when you exported it.
6. Click Import.
The imported district displays in the IBE District(s) table.

Understanding the Zero Download Messenger Service

The Zero Download Messenger (ZDM) Service allows end users who do not have a Voltage SecureMail
client or Voltage SecureMail-enabled platform to read, write, and reply to Voltage SecureMail
messages. This allows your users to send secure communication to any user, regardless of his or her
email application.
With the ZDM service, each secure email includes one or more HTML attachments that contain the
information needed to decrypt the message. Users without a Voltage-enabled client can read an
encrypted message by opening the attachment. After successful authentication, the decrypted
message is presented to the user in a browser window.
The Zero Download Messenger is necessary when there is a possibility that any of your users is unable
to install the Voltage SecureMail Encryption Client software. It is also necessary when any of your
users are using an email package or operating system that is not supported by the Voltage SecureMail
platform.
From the Services > ZDM Service tab, you can configure the ZDM service and the ZDM Proxy
service. See Configuring the ZDM Service for instructions.

Understanding the Zero Download Messenger Proxy Service

Some email software alters ZDM attachments, making them unreadable by end users. Setting up a
ZDM Proxy service provides a way for these messages to be decrypted and accessed by users.
You can configure the ZDM Proxy service to poll an IMAP or POP3 Inbox on a remote server for the
ZDM Proxy emails, or to use the Gateway Service local mail store to accept ZDM Proxy emails.
See ZDM Proxy Configuration and ZDM Service Configuration for more information.

Voltage SecureMail Brand Manager


The ZDM web pages sent to the end users are based on templates, or brands, stored on the Voltage
SecureMail Management Console server. You can use the default brand, or create customized brands
with the Voltage SecureMail Brand Manager. The Voltage SecureMail Brand Manager provides a
method for customizing the templates for end-user pages. See the Voltage SecureMail Brand Manager
User Guide for information on creating a brand using the Brand Manager. See Configuring Branding for
a Tenant for instructions on assigning a brand file to a tenant.

Configuring the ZDM Service


Click Services > ZDM Service tab to display the Configure ZDM Service page. If you have more
than one tenant, the ZDM Service Summary page displays first, and you must click a tenant to
display the Configure ZDM Service page.


Use the tabs on the Configure ZDM Service page to configure the ZDM and ZDM Proxy service
settings:
• ZDM Message Settings - Sets sending and receiving options, and message and attachment
settings for the ZDM service.
• User Verification - Lets you specify restrictions on who can receive a ZDM message.
• ZDM Service Configuration - Sets the default domain, session settings, and message locking for
the ZDM service. Here you can enable an Exchange server to support ZDM service.
• Message Locking - You can prevent unintended recipients from accessing a secure message, or
can prevent all recipients from accessing a message with attachments that were incorrectly
included.
• DMARC SPF Compliance - Enable DMARC SPF compliance and specify the replacement sender
email address.
• ZDM Proxy Configuration - Enables the ZDM Proxy service and sets the options used by the
ZDM Proxy Service, such as message timeout, polling interval and more.
• HTML Sanitizer - Lets you specify the HTML elements and attributes that are permitted when
displaying HTML messages and attachments in ZDM. Elements and attributes that are not
permitted are removed from HTML messages before they are displayed in the ZDM.

For more information about configuring the ZDM service, see Understanding the Zero Download
Messenger Service.
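The HTML Sanitizer tab works as an allowlist: anything not named in it is stripped before the browser renders the message. The following is an added example of that mechanism, not the product's own sanitizer; the ALLOWED table, the class and function names, and the sample fragment are constructed for illustration. Text inside a removed element is kept, except for script and style, whose content is discarded as well, and href values are kept only for http, https and mailto links.

```python
# Added example (not the product's sanitizer): an allowlist HTML sanitizer of
# the kind the HTML Sanitizer tab describes. Elements and attributes absent
# from the allowlist are removed before display; text inside dropped elements
# is kept, except for script/style whose content is discarded too.
from html import escape
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple

# Constructed allowlist: element -> permitted attributes.
ALLOWED: Dict[str, Set[str]] = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(),
    "ul": set(), "ol": set(), "li": set(), "a": {"href"},
}
VOID_ELEMENTS = {"br"}                              # never emit a closing tag
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")
DISCARD_CONTENT = {"script", "style"}               # drop the element and its text


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed: Dict[str, Set[str]]):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.parts: List[str] = []
        self.discard_depth = 0

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, str]]) -> None:
        if tag in DISCARD_CONTENT:
            self.discard_depth += 1
            return
        if self.discard_depth or tag not in self.allowed:
            return                      # element removed; its text still flows through
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in self.allowed[tag]:
                continue                # e.g. onclick or style: not permitted
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_SCHEMES):
                continue                # e.g. a javascript: URL
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in DISCARD_CONTENT:
            self.discard_depth = max(0, self.discard_depth - 1)
            return
        if self.discard_depth or tag not in self.allowed or tag in VOID_ELEMENTS:
            return
        self.parts.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        # Character references were decoded by the parser; re-escape on output.
        if not self.discard_depth:
            self.parts.append(escape(data, quote=False))


def sanitize_html(fragment: str, allowed: Dict[str, Set[str]] = ALLOWED) -> str:
    """Return `fragment` rebuilt from allowed elements and attributes only."""
    parser = AllowlistSanitizer(allowed)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)
```

Rebuilding the output from the parsed tree, rather than deleting substrings from the original, is what makes the allowlist hold: malformed markup is normalised by the parser before any decision is made, so there is no second interpretation for the browser to disagree with.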

ZDM Message Settings


On the ZDM Message Settings tab, you can configure sending and receiving options, and message
and attachment settings for the Zero Download Messenger service.
To configure ZDM message settings:
1. On the Services > ZDM Service tab, click the tenant name for which you want to configure ZDM.

The Configure ZDM Service page opens to the ZDM Message Settings tab.
2. In the Sending and Receiving section, under Allow ZDM Users to, select the level of services
that you want to support for users who have received a message and are using the ZDM to read it:
• Read Messages Only - Allows recipients of ZDM messages to read encrypted messages but
not to write, forward, or send them.
• Read & Reply to Messages - Allows recipients of ZDM messages to read encrypted
messages and reply to the message. They can only reply to existing recipients and cannot add
recipients. This is the default.
• Read, Reply & Forward Messages - Allows recipients of ZDM messages to read, reply to,
and forward encrypted messages. When replying to or forwarding the message, they can add
recipients.

3. In addition, you can select or clear the Login and Compose Messages check box. If you select
this option, ZDM users do not have to be recipients of an encrypted email in order to login and
compose a new message. If you clear this option, users must receive a secure message in order
to log into the ZDM.
4. Under Sender Copy, select Require ZDM Users to Receive a Copy of Their Messages if you
would like to require ZDM senders to automatically receive a copy of all messages they send in
their inbox. Or you can select ZDM Users Choose Whether to Receive a Copy of Their
Messages to allow users to choose whether they wish to receive a copy. If you allow ZDM users
to choose, you can select whether or not the Copy Me check box on the ZDM compose page is
selected by default.

5. Select Enable Auto-complete for the Email Address Field on the ZDM Login Page to
enable a browser's auto-complete functionality to fill in the ZDM login information for the user. If
this check box is not selected, auto-complete is not available for the ZDM login page. Note that
this option is available only if the Login and Compose Messages check box is selected.

NOTE: You can use the User Verification tab to prevent unauthorized usage of ZDM. See
User Verification for details.

6. Under Message Settings, select Enable Sending Messages with Rich Content to allow end
users to send messages that are formatted in HTML (rich content). When this check box is
selected, the ZDM writer retains the rich content formatting when recipients reply to or forward
their messages. When this check box is not selected, the ZDM writer provides a plain text
editor.
7. Select Enable Message Decrypt Receipts to enable senders to request a receipt from each
recipient when their message is decrypted. You can modify the text that appears in the receipt
using the Brand Manager (create a custom brand with updated text in the Zero Download
Messenger Service Pages > Emails > Decrypt Receipt element).

Receipts are always sent when the message is decrypted by a recipient who reads it using ZDM
from the same organization from which the message was sent. One receipt is sent for each
recipient who decrypts the message. If a recipient decrypts a message multiple times, a receipt is
sent the first time only.
• If a sender is using an email client and requests a read receipt for a message that is then
encrypted by the gateway, they receive a receipt when the message is decrypted.
• If a sender is using ZDM, a Request Receipt option is available on the ZDM compose page.
Selecting Request Receipt triggers the generation of a receipt when the recipient decrypts the
message.

NOTE: Receipts are not sent under the following conditions:

• Senders read their own messages.
• The message is decrypted by a Voltage Encryption Client.
• The message is decrypted by a gateway before being routed to the recipient.
• The recipient decrypts the message using a ZDM from a different organization than the
organization from which the message was sent.

This feature works best when external recipients read messages using your organization's ZDM
server. You can specify the option for this on the Outbound Encryption Settings page. See
Configuring Outbound Encryption Settings for details.
8. In the Message Decrypt Receipt Expiration text box, enter the number of days for which a
decrypt receipt is active. By default, if a message is read more than 90 days after it was originally
sent, a decrypt receipt is not sent.
9. Select Enable Sending Messages with Attachments to allow users to attach files to
messages written using the ZDM interface.
10. Select Download Only from the Reader Attachment Handling list to prevent recipients from
viewing attachments in-line on supported browsers. By default, recipients can either download or
view attachments when they read messages using ZDM. This removes the View link associated
with each attachment, so that recipients must click Download to access it.
11. In the Outgoing Attachment Size Limit text box, enter the maximum size of the attachments
allowed on an encrypted message. Enter the size in MBs up to 50. Any message containing
attachments with a total size greater than 50 MB is rejected by the server. The default is 10 MB.
Only the attachment sizes are used when determining if the size limit is exceeded. The size of the
message body is not included in that calculation.
12. Click Save.

When you make changes to the ZDM settings, you must update the cluster for the settings to take
effect. Go to the System tab to update the cluster. See Understanding Clusters for instructions.

User Verification
Depending on the settings in the ZDM Message Settings tab, a user who receives a ZDM message
might be allowed to reply to or forward that message to any email address. Additionally, a user might be
able to log into ZDM and compose a message. Use the User Verification tab to specify restrictions
that limit to whom the user can send a ZDM message.
This verification applies only to messages sent through ZDM, and does not apply to messages sent
through the Gateway or through a Voltage SecureMail client. In addition, if the user belongs to an
organization that has its own Voltage SecureMail server, user verification might be based on the
settings for that organization. See Configuring Outbound Encryption Settings for additional information.

NOTE: Make sure the IBE server can communicate to the AD server through port 389.

To configure user verification settings:


1. On the Services > ZDM Service tab, click the tenant name for which you want to configure ZDM.
2. Click the User Verification tab.

The User Verification page displays.

3. Choose one of the following verification levels from the Sender and Recipient Verification
menu:

Do Not Verify
Allows a ZDM user to reply, forward, or send a message to anyone, with no restrictions. If you
choose this level, the options for Verification Methods are disabled because they are not used.
Verify Sender Or At Least One Recipient
Allows a ZDM user to reply, forward, or send a message to anyone, as long as either the sender or
one of the recipients is allowed based on the verification methods you enable, or if the email
address of the sender is in the domain defined for the tenant. This is the default level.
If the sender and all recipients are restricted based on the enabled verification methods, the
message is not sent and the user sees a message on the ZDM page stating that ”You must
include a valid email address for the organization providing this secure message service.”
Verify All Recipients
Prevents a ZDM user from replying, forwarding, or sending a message to any email address that is
not allowed by the verification methods you enable. This is the most restrictive level.
If any email addresses are restricted based on the enabled verification methods, those email
addresses are removed and the message is not sent. The user sees a message on the ZDM page
stating that secure messages can only be sent to certain organizations. This message also shows
the list of email addresses that were removed. The user can then send the message to the allowed
recipients, since those email addresses were not removed.
4. Enable one or more of the following Verification Methods by checking the check box:

NOTE: An email address can be allowed by any of the verification methods you enable.
Starting at the top of the list of enabled methods, if an email address meets the verification
criteria, it is allowed. An email address that does not meet the criteria for any of the enabled
methods is restricted.

Original Sender or Recipients
Allows a message to be replied to or forwarded to the original sender and any of the original
recipients (except Bcc), regardless of which other verification methods are enabled.
Domain Whitelist Matching
Allows an email address if its domain is included in the list of domain names that you specify. This
verification method is useful for domains that cannot be validated by the LDAP server. Enter the
domain names in the text entry field, separating multiple domains with either a comma, a space, or
entering each domain name on a new line. Note that you can use the * character as a wildcard. For
example, you can specify *bank.com to allow domain names such as nationalbank.com,
Dynamic Domain Matching
Allows an email address if its domain is in the same domain as the original sender or one of the
original recipients. For example, if the original sender was bob@company.com, this option lets
you reply to or forward the message to anyone@company.com.
You can restrict this for domains that might allow too many potential recipients. For example, if
one of the recipients is bob@gmail.com, and you do not want to allow anyone@gmail.com to be
verified, you can type gmail.com in the text entry field for this verification method.
LDAP
Allows an email address belonging to a valid user on the specified LDAP server. If you enable this
verification method, you must specify the URL of the LDAP server, as well as a name (or email
address) and a password for a service account that can be verified by the LDAP server. Your
LDAP administrator can provide you with this information. Note that if the password for the
account changes, you must change it in the Account Password field on this page, then update
the cluster.
Enter the LDAP server in a format similar to the following example:
ldap://ex2003.example.com/
For some LDAP servers, you can specify just the service account name, using a format similar to
the following examples:
user@domain.com
Domain\user
For other servers, such as the SunOne directory server, you might need to specify the service
account name in a different way or with additional arguments, using a format similar to the
following examples:
CN = directory manager
CN = abc,O=voltage
After you enter these values in the LDAP Server URL, Service Account Name, and Account
Password fields, you can click Test to verify the connection to the LDAP server, and verify that
the management server can login to the LDAP server using the account name and password that
you entered. If the login is successful, a message displays, stating that the connection to the
LDAP server was successful. If the login is not successful, it might be because the LDAP server
and the IBE server are in a different network than the Management Console. In this case, you can
save your configuration, even if clicking Test does not show a success message.
This verification method supports messages to groups only if the group has an email address
associated with it.

NOTE: If you are using this verification method, the Voltage SecureMail Appliance must
be able to connect to the LDAP server. Open port 389 in the firewall between the Voltage
SecureMail Appliance and the LDAP server.
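The decision the User Verification tab describes has two layers: each address is tested against the enabled Verification Methods from the top of the list down (first match allows), and the chosen Sender and Recipient Verification level then decides what happens to the message as a whole. The following is an added model of that logic, not Voltage SecureMail code; VerificationConfig, is_allowed and verify_message are names chosen for illustration, the tenant domain is constructed, and an LDAP lookup is replaced by a caller-supplied callable. The two user-facing messages are the ones quoted in the description above.

```python
# Added example (not Voltage SecureMail code): a model of the User Verification
# decision. Names such as VerificationConfig and verify_message are assumptions
# made for illustration; the three levels, the four methods and their top-down
# precedence follow the tab description.
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple

LEVEL_NONE = "Do Not Verify"
LEVEL_SENDER_OR_ONE = "Verify Sender Or At Least One Recipient"
LEVEL_ALL = "Verify All Recipients"

# ZDM page text quoted in the description above.
MSG_SENDER_OR_ONE = ("You must include a valid email address for the organization "
                     "providing this secure message service.")
MSG_ALL = "Secure messages can only be sent to certain organizations."


def domain_of(address: str) -> str:
    """Lower-cased domain part of a local-part@domain address."""
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class VerificationConfig:
    level: str = LEVEL_SENDER_OR_ONE          # Sender and Recipient Verification menu
    tenant_domain: str = "example.com"        # constructed tenant domain
    # Verification Methods, in the order the page lists them
    original_participants: bool = False       # Original Sender or Recipients
    domain_whitelist: List[str] = field(default_factory=list)    # '*' is a wildcard
    dynamic_domains: bool = False             # Dynamic Domain Matching
    dynamic_exclusions: List[str] = field(default_factory=list)  # e.g. "gmail.com"
    ldap_lookup: Optional[Callable[[str], bool]] = None          # stand-in for LDAP


def is_allowed(address: str, cfg: VerificationConfig, original: Iterable[str]) -> bool:
    """Walk the enabled methods top to bottom; the first one that matches allows."""
    addr = address.lower()
    original = [o.lower() for o in original]
    if cfg.original_participants and addr in original:
        return True
    # fnmatchcase gives '*' its wildcard meaning; both sides are lower-cased first.
    if any(fnmatch.fnmatchcase(domain_of(addr), pat.lower()) for pat in cfg.domain_whitelist):
        return True
    if cfg.dynamic_domains:
        excluded = {d.lower() for d in cfg.dynamic_exclusions}
        if domain_of(addr) in {domain_of(o) for o in original} - excluded:
            return True
    if cfg.ldap_lookup is not None and cfg.ldap_lookup(addr):
        return True
    return False


def verify_message(sender: str, recipients: List[str], cfg: VerificationConfig,
                   original: Iterable[str] = ()) -> Tuple[bool, List[str], str]:
    """Apply the configured level.

    Returns (sent, recipients_kept, user_message). `original` holds the sender
    and non-Bcc recipients of the message being replied to or forwarded; it is
    empty for a freshly composed message.
    """
    original = list(original)
    if cfg.level == LEVEL_NONE:
        return True, list(recipients), ""
    kept = [r for r in recipients if is_allowed(r, cfg, original)]
    if cfg.level == LEVEL_SENDER_OR_ONE:
        sender_ok = (is_allowed(sender, cfg, original)
                     or domain_of(sender) == cfg.tenant_domain.lower())
        if sender_ok or kept:
            return True, list(recipients), ""
        return False, [], MSG_SENDER_OR_ONE
    if cfg.level == LEVEL_ALL:
        removed = [r for r in recipients if r not in kept]
        if removed:
            return False, kept, f"{MSG_ALL} Removed: {', '.join(removed)}"
        return True, kept, ""
    raise ValueError(f"unknown verification level: {cfg.level!r}")
```

The model makes the difference between the two restrictive levels visible: under Verify Sender Or At Least One Recipient a single allowed party lets every recipient through, whereas Verify All Recipients strips each disallowed address and reports it back to the user.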

ZDM Service Configuration


On the ZDM Service Configuration tab, you can set a default domain, the message format and
session settings for the Zero Download Messenger service.
To configure ZDM service configuration settings:
1. On the Services > ZDM Service tab, click the tenant name for which you want to configure ZDM.
2. Click the ZDM Service Configuration tab.

The ZDM Service Configuration page displays.

3. In the Default Domain text box, enter a new domain to change the Zero Download Messenger
domain to be used for Zero Download Messenger attachments. If all recipients use the same
domain, then that domain is used. Otherwise, the domain specified for this parameter is used.
4. From the Message Format list, select a message format. The message format specifies the
format of encrypted messages. All messages are sent in the selected version format, unless a
recipient is using a different ZDM server that supports a lower ZDM Format version. The choices
are:

• Version 2 - Messages are sent in Version 2 format. Users who have not installed the Version
2 Voltage SecureMail Encryption client are not able to read them using their Voltage
SecureMail Encryption client.
• Version 3 - Messages are sent in Version 3 format. Users who have not installed the Version
3 Encryption client are not able to read them. Set the value to Version 2 until you are sure that
your users have all upgraded to Version 3 of the Voltage SecureMail Encryption client. Version
3 is the default version.

NOTE: Changing this setting changes your public parameters. If your public parameters
are hosted only on the Key Management Server, they are updated automatically and the
change is propagated to all of your end users within one day.

5. Enter a Session Timeout Period in minutes.

The session timeout is applied only when users are inactive. If a user is active, the clock resets.
This parameter sets the amount of time during which a user is authorized to use a particular
instance of the ZDM.
Each time a user successfully authenticates an identity to the ZDM, the user is issued a cookie
that allows them to read any messages encrypted to that identity. The authorization lasts for the
duration of the session. After the session expires, the user is forced to re-authenticate in order to
read his or her messages. The default is 120 minutes.

NOTE: If you are using a load balancer, you must set its timeout value to be greater than
the value that you set here.

6. Select an Identity Timeout Policy.


When users encrypt or decrypt a ZDM email, they receive an identity cookie that stores the email
address used for that session on the user's system. When a user wants to use ZDM to decrypt
another message, the identity cookie is used to pre-select the email address for the user. The
following policies determine how the cookie is handled:

• Disabled - Does not put a cookie on the user's system.
• Enabled Never Times Out - Puts a cookie on the user's system that is always valid; the user
never has to revalidate.
• Enabled - With Timeout Period - Puts a cookie on the user's system that remains valid on
the user's system for a specified amount of time. This is the default. If you select Enabled -
With Timeout Period, the Identity Timeout Period parameter becomes available and you
must enter the amount of time you want the identity cookie to be valid.

7. If you select Enabled - With Timeout Period, you must enter an Identity Timeout Period to set
the amount of time for which an identity cookie is valid. After the timeout period expires, a user
must manually select their identity for the next encrypted email. The default is 12 Hours.
8. If you want to use an Exchange server to support ZDM service, check Enable Sending via
Exchange. See Configuring an Exchange Server for instructions on setting up your Exchange
server.
9. Click Save to save your settings.

When you make changes to the ZDM settings, you must update the cluster for the settings to take
effect. Use the System tab to update the cluster. See Understanding Clusters for instructions.

Message Locking
Email users occasionally send a message to the wrong recipients or include the wrong attachments.
Messages sent securely are more likely to contain sensitive information that is meant to be seen only
by the intended recipients. With the optional Message Locking feature enabled, specified recipients are
prevented from reading the locked message. Message locking is disabled by default. If you want to
enable this feature, contact Micro Focus Support.
When a user determines that a message should be locked, the user must contact the Voltage
SecureMail Administrator with information about the message. The administrator enters message
information into the Voltage SecureMail Management Console and locks the messages matching the
provided information within a defined time period. Locked messages cannot be accessed via ZDM,
subject to the limitations explained below.

Limitations
If a user has Voltage Encryption Client on a local machine, the user can still read a locked message on
that local machine. This condition also applies to the Voltage SecureMail Mobile for iOS app.
A user who authenticates using the server for another domain can read a locked message using ZDM.
This can occur if the Outbound Encryption Settings on the Management Console allow a domain other
than the sender’s domain to provide keys.

Creating a Message Locking Rule


You can create a message locking rule using information provided by the sender or you can find
message send events for that sender and load information from the event log.
To create a message locking rule:
1. On the Management Console, navigate to the Services > ZDM Service page.
2. If your system has more than one tenant, select the tenant for the sender's domain.
3. Click the Message Locking tab.
4. Click New Message Locking Rule.
There are two ways you can create details for the message locking rule. You can search the
events log by sender’s email and then load the details from the selected event log to the rule.
Alternately, you can enter the rule details manually.

5. To create the rule from an event log, enter the username (identity) or complete email address of the
sender and click Show Events.

a. Find the event log matching the details of the message to be locked and click Select. The
message locking rule is created from the selected event log details.
b. Click Finish.
6. To manually enter the information about the message the sender wants to lock, enter the following
information:
• Sender email address
The complete email address of the sender. This is not case-sensitive, but otherwise must
exactly match the email address used in the message and cannot be an alias. It must be in the
RFC 2822 address format:
local-part@domain
• Sent Date/Time
Enter the day, month and year followed by the time the message was sent. Click to open
a calendar. Select the timezone from which the message was sent.
• Tolerance
The number of seconds that defines the maximum difference between the value you specify as the
Sent Date/Time and the actual time the message was sent.
If the user is uncertain about the time the message was sent, you can specify a value that
accommodates this uncertainty. For example, if the user knows that the message was sent
sometime between 9 am and 11 am, you can specify the time as 10 am and a tolerance value
of 3600 (60 minutes).
The default tolerance is 60 seconds.
• Subject (optional)
A string contained within the subject of the message to be locked. The following rules apply:

o The string is not case-sensitive unless Exact Match is checked.
o If you want to search by exact and complete subject text, enter the text and click Exact
Match.
o If you enter more than one word, they must appear in the same order in which they appear in
the subject. For example, the pattern Mistaken Identity matches subjects such as Mistaken
recipient identity and mistakenidentity, but does not match a subject such as Identity was
Mistaken.
o If a comma appears in the search text, the entire value must be surrounded with double
quotes. In this case, if there are double-quote characters inside the field, the character must
be escaped with a double-quote character before it.
For example, for the following message subject:
Lost, Stolen, or "Mistaken" Identity
the search text would be entered as:
"Lost, Stolen, or ""Mistaken"" Identity"
o If you are also using the Content Supervisor feature with subject masking enabled, any text
that is masked in the subject must be specified with its masked value. This prevents
potentially sensitive information from appearing in the CSV file.
If no subject text is specified, messages with any subject (including an empty subject) are
locked.
• Recipient email addresses
One or more exact matches of the recipient email addresses in the message (which are not
case-sensitive), in the RFC 2822 address format. Multiple recipient addresses must be
separated by a space:
recipient1@domain1 recipient2@domain2
If no recipient email address is specified, the message is locked for all recipients.
7. Click Finish. The new rule appears in the Message Locking Rules list.
• You can search for message locking rules by sender email by entering the sender's email
address in the text box and clicking Go. Click Show All to see the entire list.
• The list can be sorted by clicking the Sender Email, Sent Date/Time, Subject, and Last
Modified column headings.
• Click Edit to change a rule.
• Click Delete to remove a rule. The message(s) becomes accessible for viewing.
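The rule fields above combine into one matching decision per recipient: exact (case-insensitive) sender, a time window around the Sent Date/Time, the subject rules, and an optional recipient list. The following is an added example of that matching, not Voltage SecureMail code; LockRule, parse_rule, is_locked and when are illustrative names and the sample rule and message are constructed. The Subject field's quoting (wrap in double quotes when a comma is present, double any embedded double quote) is CSV quoting, so the csv module decodes it.

```python
# Added example (not Voltage SecureMail code): matching a Message Locking rule
# against a sent message. The names are illustrative; the semantics
# (case-insensitive sender and recipients, tolerance window, subject quoting and
# ordered-word matching) follow the rule description above.
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime
from typing import List


def parse_subject_field(raw: str) -> str:
    """Decode the Subject field as typed on the rule page.

    A value containing a comma must be wrapped in double quotes, and a literal
    double quote inside it is escaped by doubling it. That is CSV quoting.
    """
    raw = raw.strip()
    if raw.startswith('"'):
        return next(csv.reader(io.StringIO(raw)))[0]
    return raw


def subject_matches(pattern: str, subject: str, exact: bool) -> bool:
    """Empty pattern matches any subject (including an empty one).

    Exact Match compares the complete subject text, case-sensitively.
    Otherwise every word of the pattern must occur in the subject in the same
    order, ignoring case; the words may be run together in the subject.
    """
    if not pattern:
        return True
    if exact:
        return subject == pattern
    haystack, pos = subject.lower(), 0
    for word in pattern.lower().split():
        idx = haystack.find(word, pos)
        if idx < 0:
            return False
        pos = idx + len(word)
    return True


@dataclass
class LockRule:
    sender: str                       # complete address, lower-cased
    sent_at: datetime                 # timezone-aware Sent Date/Time
    tolerance_seconds: int = 60       # default tolerance on the page
    subject: str = ""                 # decoded Subject pattern
    exact_match: bool = False
    recipients: List[str] = field(default_factory=list)  # empty = all recipients


def when(iso: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp with offset, e.g. 2020-10-01T10:00:00+00:00."""
    return datetime.fromisoformat(iso)


def parse_rule(sender: str, sent_at: datetime, tolerance_seconds: int = 60,
               subject: str = "", exact_match: bool = False,
               recipients: str = "") -> LockRule:
    """Build a rule from the raw field values (recipients are space-separated)."""
    return LockRule(sender=sender.lower(), sent_at=sent_at,
                    tolerance_seconds=tolerance_seconds,
                    subject=parse_subject_field(subject), exact_match=exact_match,
                    recipients=[r.lower() for r in recipients.split()])


def is_locked(rule: LockRule, sender: str, sent_at: datetime,
              subject: str, recipient: str) -> bool:
    """True when ZDM should refuse to decrypt this message for this recipient."""
    if sender.lower() != rule.sender:
        return False
    if abs((sent_at - rule.sent_at).total_seconds()) > rule.tolerance_seconds:
        return False
    if not subject_matches(rule.subject, subject, rule.exact_match):
        return False
    return not rule.recipients or recipient.lower() in rule.recipients
```

Note how the window is symmetric around the Sent Date/Time: the page's example of "sometime between 9 am and 11 am" becomes 10 am with a tolerance of 3600, and the check accepts anything whose distance from that centre is at most the tolerance.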

Unlocking a Message
A locked message can be unlocked by deleting the locked message rule from the list of message
locking rules.
To unlock a previously locked message:

1. On the Management Console, navigate to the Services > ZDM Service page.
2. If your configuration has multiple tenants, click the tenant name.
3. Click the Message Locking tab.
4. On the message locking rules list, click Delete next to the rule for the message you want to
unlock. You are asked to confirm the deletion.

DMARC SPF Compliance


Many organizations use the Sender Policy Framework (SPF) portion of the Domain-based Message
Authentication, Reporting & Conformance (DMARC) standards to detect messages from untrusted or
"suspicious" senders. You can use the DMARC SPF Compliance tab to configure the replacement
domain name in the From header (RFC5321.From and RFC5322.From) of ZDM messages sent from
external users to ensure that the messages conform to the RFC 4408 SPF standards.
You will need to enable the replacement of the From header with a compliant domain email address if
the SPF policy for the sender's email provider (such as Yahoo, Google, or Microsoft) or your
organization's domain is set to REJECT. This is because messages originating from the ZDM server
might not be delivered successfully if the ZDM server is sending mail from a domain for which it is not
permitted to send, based on the domain’s SPF policy. Note that this could also cause the SPAM score
of a ZDM server itself to increase, since the messages sent from the ZDM server could appear to come
from "suspicious" senders.
The format for the full replacement sender address has two parts and displays as follows:
• SenderDisplay_Name@domain.com via SecureMail <replacement_sender@replacementdomain.com>

The replacement sender (From) address, <replacement_sender@replacementdomain.com>, can be
configured using the fields on the DMARC SPF Compliance tab.
The sender display name, original_sender@originaldomain.com via SecureMail, can be edited in Brand
Manager. By default, the sender display name uses the original sender's email address appended by
the text, "via SecureMail" in the From header.
The original sender's email address displays in the Reply-To header so that responses to secure
messages are sent to the original sender.

NOTE: If you enable SPF compliance, external ZDM users will not receive bounced message
notifications, because such notifications are sent to the address in the From header, which has
been replaced with the specified replacement sender email address and sender display name.
Additionally, logging of Gateway signature verification events for sender-signer mismatches is
turned off to prevent logging of these events for ZDM messages from external users where a
replacement sender email address is configured for DMARC SPF compliance. If you would like
to re-enable logging of these events, contact Micro Focus Support.

To specify the replacement From email address in secure messages originating from the ZDM server:
1. On the Services > ZDM Service tab, click the tenant name for which you want to configure the
ZDM settings.
2. Click the DMARC SPF Compliance tab.

The DMARC SPF Compliance page displays.

3. The Enable SPF Compliance check box is selected by default. Micro Focus recommends
leaving this feature enabled if your organization uses DMARC SPF to allow replacement of the
From header. If you do not wish to allow header replacement, click to clear the check box.
4. In the Replacement Sender Email Address text box, type the domain email address with which
you wish to replace the email address of the original sender in the From header. The Replacement
Sender Email Address must include an email address from a domain within your organization. By
default, the replacement sender email address is "securemail" at the tenant domain.

For example, if your organization includes the domain example.com, you could configure the
Replacement Sender Email Address as noreply@example.com. The full replacement From
header would display as: original_sender@originaldomain.com via SecureMail <noreply@example.com>.

NOTE: The original sender's email address displays in the Reply-To header, even if you
edit the sender display name for the From header in Brand Manager.

5. In the For All Domains Except text box, enter the domains for which you do not want to replace
the sender address. SPF will not be used on any ZDM emails sent TO or FROM domains listed here.
By default, your domain displays, as secure messages sent from your domain are already SPF
compliant.
6. Click Save, and then click Exit to return to the ZDM Service Summary page.

NOTE: After you finish making and saving changes to the DMARC SPF replacement header
settings for all applicable tenants, you must update the cluster. Click the System tab and then
click either Update or Update All Clusters depending on the number of clusters in your
deployment.

For additional information about the DMARC SPF standards, see http://www.openspf.org/.
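Putting the settings on this tab together: the From header of a ZDM message from an external user is replaced by the "<original sender> via SecureMail" display name with the replacement sender address, the original sender is kept in Reply-To, and the envelope sender is switched so that the receiving side's SPF check is made against your own domain's policy. The following is an added example of that rewrite, not Voltage SecureMail code; the function names and the sample message are constructed, and the exception-list semantics (no rewrite when the message is sent TO or FROM a listed domain) follow the For All Domains Except description. Python's formataddr quotes the display name because it contains an "@", which is the RFC-correct form of the header shown above.

```python
# Added example (not Voltage SecureMail code): building the replacement From
# header described on the DMARC SPF Compliance tab. Function names and the
# sample message are constructed for illustration.
from email.message import EmailMessage
from email.utils import formataddr, parseaddr
from typing import Iterable, List, Tuple


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def recipient_addresses(msg: EmailMessage) -> List[str]:
    """addr-specs from To and Cc (EmailMessage parses address headers for us)."""
    out: List[str] = []
    for name in ("To", "Cc"):
        header = msg.get(name)
        if header is not None:
            out.extend(a.addr_spec for a in header.addresses)
    return out


def spf_rewrite_needed(sender: str, recipients: Iterable[str],
                       exceptions: Iterable[str]) -> bool:
    """Skip the rewrite when the message is sent TO or FROM an excepted domain."""
    excluded = {d.lower() for d in exceptions}
    return (domain_of(sender) not in excluded
            and all(domain_of(r) not in excluded for r in recipients))


def apply_spf_compliance(msg: EmailMessage, replacement_sender: str,
                         exceptions: Iterable[str],
                         enabled: bool = True) -> Tuple[EmailMessage, str]:
    """Return the (possibly rewritten) message and the envelope sender to use.

    RFC5322.From becomes "<original> via SecureMail <replacement>", the original
    sender is preserved in Reply-To, and the envelope sender (RFC5321.From) is
    switched to the replacement address. Bounces therefore go to the
    replacement address, which is the trade-off the note above describes.
    """
    _, original = parseaddr(msg["From"])
    if not enabled or not spf_rewrite_needed(original, recipient_addresses(msg), exceptions):
        return msg, original
    del msg["From"]
    msg["From"] = formataddr((f"{original} via SecureMail", replacement_sender))
    if msg.get("Reply-To") is None:
        msg["Reply-To"] = original
    return msg, replacement_sender


def constructed_zdm_message(sender: str, to: str) -> EmailMessage:
    """A minimal ZDM message as an external user would send it (constructed)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = "Secure message"
    msg.set_content("body")
    return msg
```

With the default exception list (your own domain), a message from an external user to one of your own users is left untouched, because it is delivered into your mail system rather than across the internet; only mail the ZDM server sends out to third-party domains is rewritten.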

ZDM Proxy Configuration


Use the ZDM Proxy Configuration tab to enable and configure the ZDM Proxy service. See
Configuring the ZDM Proxy Mail Store for information about how the ZDM Proxy service processes
email and additional configuration instructions.
To configure ZDM proxy settings:
1. On the Services > ZDM Service tab, click the tenant name for which you want to configure ZDM.
2. Click the ZDM Proxy Configuration tab.

The ZDM Proxy Configuration page displays.

3. Select Enable ZDM Proxy.


4. In the Message Timeout text box, enter the number of days that an email is kept in the
database. After that many days have passed, the email is deleted from the Key Management Server
database. The email remains encrypted while it is stored in the database.

NOTE: If you are going to use a local mail store, you do not need to enter a Polling
Interval, Mail Username, Mail Password or Mail Folder. If you are using a local mail
store, skip the next four steps and continue with step 9.

5. In the Polling Interval text box, enter the polling interval in number of seconds.
The ZDM Proxy service polls the mail server Inbox based on this interval.

6. In the Mail Username text box, enter the user name to access the mail server.
If you are configuring the ZDM Proxy service to poll the mail server directly, enter the user name
for the mail server Inbox.
7. In the Mail Password text box, enter the password for the email address.
If you are configuring the ZDM Proxy service to poll the mail server directly, enter the password
that you created on the mail server for the Mail Username.
8. In the Mail Folder text box, enter the folder to which emails should be directed. For example,
INBOX is the default.
9. In the Email From text box, enter the email address for the outgoing mail.

This email address is displayed in the From field of the message that the user receives from the
ZDM Proxy service containing a link to the original email. It is also the email address to which
users are instructed to forward the original email.
10. In the Email Reply To text box, enter an email address that the user can use to reply to the email.
This email address is only used when the user has a question or problem. Enter an email address
that is used for support purposes.
11. In the Email Format text box, select text/plain or text/html depending on which format you want
your users to receive.
12. Click Save, and then click Exit.

Configuring the ZDM Proxy Mail Store


The ZDM Proxy service processes email based on how you configure the service on the ZDM Proxy
Configuration tab and the ZDM Proxy Mail Store Details page. See ZDM Proxy Configuration for
more information.
Once you have configured the ZDM Proxy service, it processes email in the following way:
1. When a user tries to decrypt and view a message using the ZDM in an email client that cannot
handle the message, an error message is displayed. The error message contains instructions to
forward the message to a ZDM Proxy email address at your domain.
2. The user forwards the message to the ZDM Proxy email address that you configure on the ZDM
Proxy Configuration tab.
3. The message is then routed to the ZDM Proxy mail store configured on the ZDM Proxy Mail
Store Details page (located on the Systems tab under Resources for the cluster).
You can use one of the following as the ZDM Proxy service mail store:
l Gateway Service local mail store - If you use the local mail store, the Gateway service
running on the host accepts the ZDM proxy emails and stores the messages in the Key
Management Server database. If you use the local mail store, you must enable the Gateway
service on all hosts on the cluster.
l IMAP or POP3 Inbox on a remote server - If you use an IMAP or POP3 Inbox on a remote
server, the host periodically polls the remote server for ZDM proxy emails and then stores the
polled emails in the Key Management Server database.

NOTE: You must configure your mail server to route the ZDM Proxy emails to the
correct server.

4. After storing the message, the host sends an email back to the user containing a link that allows
them to read their secure message from the database.

To enable the ZDM Proxy service:


1. Enable and configure the ZDM Proxy service on the ZDM Proxy Configuration tab.
2. Configure the ZDM Proxy Mail Store on the Systems tab under Resources for the cluster.

NOTE: If you use the local mail store, enable the Gateway service on all hosts on the
cluster. See Configuring General Host Settings for instructions.

3. Configure your mail server to forward messages sent to the ZDM Proxy email address to the
correct server.
If you use the local mail store, ensure that messages sent to the ZDM Proxy email address are
routed directly to the host. If you use an IMAP or POP3 Inbox on a remote server, ensure that the
messages sent to the ZDM Proxy email address are routed to the IMAP or POP3 server. See your
mail server documentation for instructions.

NOTE: If you are using a content scanner such as Proofpoint, set a rule in the content
scanner to deliver all email for the ZDM Proxy email address directly to your ZDM Proxy
mail store setting. If you are using the local mail store, set the rule to deliver the messages
to any Gateway SMTP interface.

HTML Sanitizer
When HTML messages and attachments are displayed in the ZDM, most HTML tags are maintained to
format the message or attachment text in the manner specified by the sender. However, some HTML
tags can potentially cause security issues, and are not included when a message is displayed in the
ZDM. On the HTML Sanitizer tab, you can see which HTML elements and attributes are permitted
when displaying HTML, then make any changes that are needed for your specific environment. In
addition, you can update the set of attribute values, such as javascript, that are never permitted, and
are not included in messages displayed in the ZDM. If a new or existing tag, attribute, or attribute value
causes interference for ZDM users, you can adjust the settings on this page to resolve the issue.
To view or configure the permitted HTML tags and attributes, as well as the prohibited HTML attribute
values:
1. On the Services > ZDM Services tab, click the HTML Sanitizer tab.

NOTE: For most ZDM Service configuration features, any changes that you make are
specific for the tenant that you choose. However, HTML sanitizer changes are shared among
all tenants. For this reason, it does not matter which tenant name you choose.

3. In the HTML Elements section, scroll through the list of Available Tags to see if any tags need to
be added to the list of Permitted Tags. If so, select the tag, then click Add >> to move it to the
Permitted Tags list.

NOTE: You can select multiple tags using the Ctrl or Shift key.

4. If a tag that does not appear in the list of Available Tags needs to be added to the list of Permitted
Tags, type the name of the tag (alphanumeric characters only, with no spaces), and then click
Add. The new tag displays in the Available Tags list, and you can move it to the Permitted Tags
list by clicking Add >>.
5. Scroll through the list of Permitted Tags to see if any of them need to be removed. If so, select the
tag, then click << Remove to move that tag to the Available Tags list.
6. In the HTML Attributes section, repeat steps 3 - 5 for HTML Attributes.
7. Review the list of Prohibited Attribute Values, then make the following changes, if needed:
l To add an attribute value that does not appear in the list, type it in the text entry field, then click
Add. This attribute value is removed from all HTML content displayed in the ZDM. Unlike tag
names, attribute values can consist of any characters and can include spaces.

l To remove an attribute value that is included in this list, select the name of the attribute value,
then click Remove. This attribute value is permitted in all HTML content displayed in the ZDM.
8. Click Save to save your settings.

NOTE: You can always return to the Voltage SecureMail default settings for the Permitted
Tags, Permitted Attributes, or Prohibited Attribute Values lists by clicking the Reset to
Defaults link underneath the list, even if you have previously saved your settings. Click Save
after you make any changes, including a reset to default values, and then click Update All
Clusters on the System Configuration page.

ZDM Attachment Filter


You can restrict the type of files that can be attached to ZDM messages. To enable this feature, you
must set the zdm.attachment.filter.enabled property on the Administration > Advanced tab.
To enable the ZDM Attachment Filter:
1. Navigate to the Administration > Advanced tab.

2. In the Advanced Management Server Configuration pane, enter zdm.attachment.filter.enabled
in the Configuration Name column.

3. Set Configuration Value to true and click Save.


4. Update the cluster.
5. Navigate to Services > ZDM Service > ZDM Message Settings.
6. Select the Enable Attachment Filter checkbox and enter the file types you want to restrict in the
Extensions To Be Restricted box.

7. Click Save. If ZDM users attempt to attach restricted file types to a message, they will see a
message saying the file type is not allowed and the file will not be attached to the message.
8. Update the cluster.

Understanding the Client Service Summary Page


The Client Service Summary page displays if you have more than one tenant. To view this page, click
Services > Client Service. From this page, you can configure client options for each tenant. The
options that you set for a tenant apply only to that tenant.

Click a tenant to display the Configure Client Service page.

Understanding the Configure Client Service Page


Use the Configure Client Service page to configure the settings that the Voltage SecureMail Client
uses. See the Voltage SecureMail Encryption Client Administrator Guide for information about
configuring the client.
Use the following tabs to configure the Client service:
l General - Configure settings such as enable secure conversation, pre-fetch private key, store
messages encrypted or decrypted, and key lifetime.
l Client Encrypt Rules - Create rules that automatically encrypt email from the client.
l Client Policy Security - Configure enhanced security settings for the client policy URL.

Configuring General Client Service Settings


To configure the client service for a tenant:
1. Click Services > Client Service, then click the name of the tenant you want to edit.

The General tab of the Configure Client Service page displays.

2. Click Enable Secure Conversation to enable secure conversation.


With Secure Conversations enabled, an email conversation remains secure throughout the
lifetime of an email thread. When the feature is enabled and a client sends an encrypted email, any
reply to that email, or any forward of it to another user, is automatically encrypted. If the feature is
not enabled, the recipient can choose whether or not to encrypt the reply or forwarded email.
3. Select Pre-Fetch Private Key to enable the Voltage SecureMail Encryption Client to
automatically pre-fetch users' keys for the next week.
4. Select Cache Password to cache user passwords.
When enabled, the password is requested at the beginning of each session and then cached for
the remainder of the session. If not enabled, the password is not cached and is required each time
the user views or sends an encrypted message or accesses a secure file.
5. From the Store Messages list, choose how messages are stored on disk. The following choices
are available:
l Encrypted - Messages are decrypted each time they are opened in the client and
automatically re-encrypted when they are closed. Messages are stored encrypted in the
client’s mailbox.
l Decrypted After Viewing - Messages are automatically decrypted when they are first read
and are stored unencrypted in the client’s mailbox.
6. Select Enable Private Key Lifetime to enable it and then enter a value and a time interval in the
Private Key Lifetime Period field.
The Private Key Lifetime Period controls whether or not private keys are automatically deleted by
the Voltage SecureMail Encryption Client from the user’s machine, and if so, when. To enable
automated private key deletion, you specify a value and then select either hours, days, or weeks
from the drop-down list. The input values must be non-negative and the maximum allowable value
is one year.

NOTE: When you set Private Key Lifetime Period, users who work offline might be
affected. If a user is offline and the time interval expires, the keys are deleted and the user
will not be able to decrypt emails until they can re-establish connection with the key server.
If you know that users are working offline, it is recommended that you set a longer time
interval.

7. In the Message Footer text box, enter a message that appears at the end of a secure email
message after the message has been decrypted. This text can be used to identify the message as
secure and describe the security method used.

Adding and Editing Client Encryption Rules


You can create rules that automatically encrypt messages sent from the Voltage SecureMail
Encryption Client. You specify rules for encrypting messages based on the message headers on the
Client Encrypt Rules tab of the Client Service page. You can define a rule for any of the following:

l Sender email
l Recipient email
l Subject
l Sender Active Directory group
l Recipient Active Directory group

Encryption rules are used by the Voltage SecureMail Encryption Client. Rules are distributed to the
Clients via the Client Policy URL.
When a message is sent from a client, the sender, recipients, and subject are scanned for matches
with any rules specified in the Management Console. If a message field matches a rule, the Voltage
SecureMail Encryption Client encrypts the message.
For example, you can enter a rule to ensure that all messages addressed to a specific domain,
securedomain.com, with the word encrypt in the subject will be encrypted. The Voltage
SecureMail Encryption Client first scans the message subject to determine whether or not it contains
the word encrypt. If the subject contains the word encrypt, the client then checks if any of the
recipients are securedomain.com email addresses. If both conditions are satisfied, the message is
sent securely.

NOTE: The Voltage SecureMail Encryption Client evaluates every message sent from a client
for an encryption rules match. The client must resolve all sender and recipient email addresses
to send securely. If an email address cannot be resolved, the message cannot be sent securely
or insecurely, even if the encrypt rule is matched.

One reason that an email address cannot be resolved is if a user is working in offline mode and has not
created an offline address book. All users working in offline mode must create an offline address book
to send encrypted messages.
To add a client encryption rule:
1. Click Services > Client Service, then click the name of the tenant you want to edit.
2. Click the Client Encrypt Rules tab.

A table displays listing all of the currently configured rules.


3. Click New Client Encrypt Rule.

The New Rule wizard displays.


4. Enter a unique name for the new rule in the Rule Name field.

This is the name that is displayed in the Client Encrypt Rules table on the Client Encrypt Rules
page.
5. Enabled is selected by default. If you do not want the rule enabled, clear the check box.
6. Click Next to display the Rule Conditions page.
7. Select the field to examine for matches based on the email header fields by selecting one of the
following from the Attribute list:

l Recipient - Match the Recipients' email address, domain, or Active Directory group.
l Sender - Match the Sender's email address, domain, or Active Directory group.
l Subject - Match a string within the email Subject field.

8. From the Operator list select one of the following:

l Matches: Select if you want to enter an email address or domain that matches the Sender or
Recipients' email address, or if you want to enter a regular expression that matches in the
Subject field.
l Matches AD Group: Select if you want to enter an Active Directory Group that matches the
Sender or Recipients' Active Directory group.

NOTE: If you selected Subject in the Attribute box, the Matches AD Group selection is
not available from the Operator drop-down list.

9. Specify a value or values to match against in the Values text box.

l If you selected Sender or Recipient in the Attributes list, and Matches in the Operator field,
specify an email address or specify a domain using an asterisk as a wild card. For example,
*@domain1.com.

l If you selected Sender or Recipient in the Attributes list, and Matches AD Group in the
Operator field, specify an Active Directory group to match. The client looks up the Active
Directory group information for the email addresses specified in the To or From fields in order
to identify the Active Directory group to which the users belong. Note that the Matches AD
Group option is only supported for Active Directory distribution groups with email enabled.
l If you selected Subject in the Attribute list, enter one or more string values to match a string in
the email Subject line. The string values can include wildcard characters: '*', and '?'.

Matching is case-insensitive. If you include more than one string value, the list is logically OR’ed;
that is, as long as one string value is matched, the entire 'Matches' condition is true.

NOTE: The '*' symbol matches zero or more characters while the '?' symbol matches
exactly one character.

These special symbols may be escaped with the '\' character. For example, to match the string
"2*3" exactly, specify the string value of "2\*3". To match the string "c:\" exactly, specify the string
value of "c:\\".
10. Click Add Condition.
The rule condition is added to the Rule Conditions table above. The list of conditions must all be
met before the rule is applied. All messages matching the conditions will be encrypted.
11. When you have finished adding conditions, click Finish.
12. Navigate to the System page, then click Update All Clusters.

NOTE: In order for new client encryption rules to take effect immediately, the user can open the
Voltage SecureMail Encryption Manager on their Outlook client, click the Support tab, and then
click Reset Encryption Client. For clients that are not manually reset, the new rules take
effect within 24 hours.
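The condition, wildcard and escaping semantics described above (steps 7 through 10, and the securedomain.com example) as an added Python model; this is example code written for this guide, not the Voltage SecureMail Encryption Client's own implementation. The Message, Rule and Condition structures and the AD_GROUPS table are constructed assumptions standing in for the client's message data and its Active Directory lookup.

```python
import re
from dataclasses import dataclass


def wildcard_to_regex(value):
    r"""Translate a rule value into a case-insensitive regular expression.

    '*' matches zero or more characters, '?' exactly one, and '\' escapes the
    next character, so '2\*3' matches the literal 2*3 and 'c:\\' matches c:\.
    """
    parts, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):   # escaped character: take it literally
            parts.append(re.escape(value[i + 1]))
            i += 2
            continue
        parts.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


@dataclass
class Condition:
    attribute: str      # "Sender", "Recipient" or "Subject"
    operator: str       # "Matches" or "Matches AD Group"
    values: list        # logically OR'ed: any one value satisfies the condition


@dataclass
class Rule:
    name: str
    conditions: list    # logically AND'ed: all must be met before the rule applies
    enabled: bool = True


@dataclass
class Message:
    sender: str         # bare SMTP addresses (assumed already resolved by the client)
    recipients: list
    subject: str


# Constructed stand-in (assumption) for the client's Active Directory lookup of
# mail-enabled distribution groups: SMTP address -> group names.
AD_GROUPS = {
    "alice@example.com": {"Finance"},
    "bob@securedomain.com": {"Partners"},
}


def condition_met(cond, msg, ad_groups=AD_GROUPS):
    if cond.attribute == "Subject":
        if cond.operator != "Matches":
            raise ValueError("Matches AD Group is not available for Subject")
        # Subject values match a string *within* the subject line.
        return any(wildcard_to_regex(v).search(msg.subject) for v in cond.values)
    addrs = [msg.sender] if cond.attribute == "Sender" else list(msg.recipients)
    if cond.operator == "Matches":
        # An address, or a domain wildcard such as *@domain1.com, against the whole address.
        return any(wildcard_to_regex(v).fullmatch(a) for v in cond.values for a in addrs)
    if cond.operator == "Matches AD Group":
        wanted = {v.lower() for v in cond.values}
        return any(g.lower() in wanted for a in addrs for g in ad_groups.get(a.lower(), ()))
    raise ValueError(f"unknown operator {cond.operator!r}")


def rule_matches(rule, msg, ad_groups=AD_GROUPS):
    return rule.enabled and all(condition_met(c, msg, ad_groups) for c in rule.conditions)


def must_encrypt(msg, rules, ad_groups=AD_GROUPS):
    """True when any enabled rule has all of its conditions met."""
    return any(rule_matches(r, msg, ad_groups) for r in rules)


# The rule from the text: a recipient at securedomain.com AND 'encrypt' in the subject.
SECUREDOMAIN_RULE = Rule("securedomain-encrypt", [
    Condition("Recipient", "Matches", ["*@securedomain.com"]),
    Condition("Subject", "Matches", ["encrypt"]),
])
```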

Customizing the Client Policy


You have the option to customize the client policy to present your own Send Secure button icon with
the Voltage Encryption Client (VEC). You can also provide a custom tool tip for the Send Secure button
and require the VEC user to agree to an information security policy statement when sending secure
messages.

IMPORTANT: Customizing the client policy requires Voltage Encryption Client 7.4 or later.

To use this feature, you must set a property on the Administration > Advanced tab and configure your
customization on the Client Service > General tab. See Enabled Custom Client Policy and Configure
Custom Policy, below.

Enabled Custom Client Policy


To customize the client policy, you must set the enable.custom.clientpolicy.config property on
the Administration > Advanced tab.
To enable custom client policy:
1. Navigate to the Administration > Advanced tab.
2. In the Advanced Management Server Configuration pane, enter
enable.custom.clientpolicy.config in the Configuration Name column.

3. Set Configuration Value to true and click Save.


4. Update the cluster.

Configure Custom Policy


After you have enabled Client Policy customization, you configure the tooltip text and the information
security policy text, and upload a custom Send Secure button.
To configure the Client Policy customization:

1. Navigate to Services > Client Service > General. Client Policy customization is configured in
the Custom Configuration pane.

2. In the Tooltip/Ticket Text box, enter the text you want to appear when the cursor hovers over the
Send Secure button.
3. If you want to require VEC users to agree to an information security policy when sending secure
messages, select the Enable IS Policy checkbox.
4. When you have enabled the IS policy, you must enter the IS policy text in the IS Policy Text box.
5. Set how often the VEC user must agree to the IS policy by entering the number of days
between assents.
6. If you want to upload a custom Send Secure button, click Upload Image.

7. Click Choose File to select your Send Secure button image. The allowed image formats are GIF,
JPG, PNG, and ICON. Once uploaded, the image is resized and displayed at the standard size of
128x128 pixels. The maximum allowed size for the uploaded image is 1 MB.
8. Click Upload.
9. Click Save on the General tab.

Configuring Client Policy Security Features


The Client Policy Security tab includes two methods for enhancing the security of your client policy
URL:

l The IP Address Filter section lets you restrict the machines that can access the client policy URL.
This prevents unauthorized external users from accessing it.
l The Token in URL section lets you change the client policy URL to prevent it from being easily
guessed by an unauthorized party.

To include one or both of these security enhancements for the client policy URL:
1. Click Services > Client Service, then click the name of the tenant you want to configure.
2. Click the Client Policy Security tab.

3. To restrict access to the client policy URL, select Restrict Access by IP.

Selecting this check box activates the other fields in the IP Address Filter section.
4. Type an IP Address / Netmask value, then click Add.

This adds the value to the List of Allowed IP Subnets, allowing the machine with that IP
address to access the client policy URL. You can add multiple IP Address / Netmask values to
this list. If you use a Netmask value of 0.0.0.0, all IP addresses are allowed, effectively disabling
this feature. The following examples show how you can use these values to restrict access:

172.16.5.5 / 255.255.255.255 restricts access to only the machine with the IP address 172.16.5.5
172.16.7.0 / 255.255.255.0 restricts access to any machine with an IP address in 172.16.7.x
172.16.0.0 / 255.255.0.0 restricts access to any machine with an IP address in 172.16.x.x
To remove a value from the List of Allowed IP Subnets, select it and then click Remove.
5. Click Save, and then go to the System page and click Update All Clusters to begin restricting the
client policy URL to only those machines with IP addresses specified in the IP Address Filter
section of the page.
6. To change the client policy URL to one that appends a token value to the standard URL, either
type a string of alphanumeric characters in the Token Value text box, or click the Generate
Token button to populate that text box automatically.

The new URL has one of the following formats, depending on whether your client policy URL
includes a brand value.
l A client policy URL without a brand value has the following format:

https://voltage-pp-0000.<your_domain>/v2/clientPolicy.xml/<token>
Example: https://voltage-pp-0000.dominicvm.com/v2/clientPolicy.xml/9Y7VQCyhd1gwwEYyM69v4tQKkEGXGDok
l A client policy URL that includes a specific brand has the following format:

https://voltage-pp-0000.<your_domain>/v2/clientPolicy.xml/br/<Brand Name>/<token>
Example: https://voltage-pp-0000.dominicvm.com/v2/clientPolicy.xml/br/Brand_A/9Y7VQCyhd1gwwEYyM69v4tQKkEGXGDok

NOTE: The gateway automatically uses the new value, but all other clients that use the
client policy URL for this tenant must be updated to use the correct value. For the Voltage
SecureMail Encryption Client, this means that new installers must be created. See the
Voltage SecureMail Encryption Client Administrator Guide for details.

7. Click Save, and then go to the System page and click Update All Clusters to begin using the
updated client policy URL.
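The IP Address Filter semantics from steps 3 through 5 above, including the netmask 0.0.0.0 case that disables the restriction, as an added Python check; this is example code written for this guide, not part of the Voltage SecureMail product. The entry strings follow the "IP Address / Netmask" format shown in the examples, and the function names are assumptions.

```python
import ipaddress


def parse_allowed_subnet(entry):
    """Turn an 'IP Address / Netmask' entry such as '172.16.7.0 / 255.255.255.0'
    into a network (strict=False so a host address plus a mask is accepted)."""
    addr, _, mask = (p.strip() for p in entry.partition("/"))
    if not mask:
        raise ValueError(f"entry {entry!r} needs an 'address / netmask' pair")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def client_policy_allowed(client_ip, allowed_entries, restrict_access_by_ip=True):
    """Return True when client_ip may fetch the client policy URL.

    With 'Restrict Access by IP' cleared every address is allowed; otherwise the
    address must fall inside at least one entry in the List of Allowed IP Subnets.
    """
    if not restrict_access_by_ip:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in parse_allowed_subnet(e) for e in allowed_entries)


def allow_all_entries(allowed_entries):
    """Entries whose netmask is 0.0.0.0: they admit every address and so
    silently disable the filter. Worth reviewing before clicking Save."""
    return [e for e in allowed_entries if parse_allowed_subnet(e).prefixlen == 0]
```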

Understanding the Gateway Service


The Voltage SecureMail Gateway service lets you create rules for automatic encryption and decryption
of inbound and outbound email. This protects the privacy of critical communication with customers,
vendors and partners and helps to ensure compliance with federal privacy regulations. See Configuring
the Gateway Service for details on how to configure or view the settings for a specific tenant or for all
tenants.
You can configure the Gateway to decrypt messages on demand, giving users a clientless experience.
In the Management Console, you can specify rules that perform actions on messages based on the
contents of message header fields and SMTP envelope addresses.
To configure the Voltage SecureMail Gateway, you should be familiar with the following:

l basic configuration and use of the Unix Sendmail program
l implementation of milters for Sendmail
l the Voltage SecureMail Key Management Server

The Voltage SecureMail Gateway Capabilities


When a message enters or exits your organization via the Gateway SMTP server, the vsgateway milter
scans the SMTP envelope and message headers to locate fields whose contents match the conditions
in the policy rules. You can define a rule to match any of the following message fields:
l SMTP envelope sender (MAIL FROM)
l SMTP envelope recipient (RCPT TO)
l RFC2822 header sender (From:)
l RFC2822 header primary recipient (To:)
l RFC2822 header secondary recipient (Cc:)
l RFC2822 header subject (Subject:)
l RFC2822 user-defined header (header beginning with "X-", such as "X-Virus-Scanned")

If a message field matches a rule, the milter then performs the action specified by the corresponding
rule. The available actions are:
l Encrypt - Replaces the body text and all attachments with encrypted versions.
l Decrypt - Replaces the encrypted body text and any encrypted attachments with the original
contents.
l Pass - Allows the message to pass through the milter unmodified.
l Reject - Rejects the message and sends a bounce message back to the sender.
l Redirect - Sends the message to one or more specified email addresses instead of to the recipients.

For decryption, the vsgateway milter uses the Key Management Server to authenticate users. A
Component Authentication Method configured on the Key Management Server specifies the list of
users supported by the Gateway. To restrict access, a secret (password) and an IP address, or list of
addresses, are specified in the component authentication method. The secret must be entered in the
Appliance menu. The IP address for the Voltage SecureMail Gateway server must match an IP
address specified in the component authentication method.
After authentication, the Key Management Server issues the decryption key associated with the end-
user identity. The Gateway uses this key to decrypt the message. The Gateway then passes the
decrypted message to the next process in the network configuration. This might be another milter, such
as an anti-virus or anti-spam server, or the Gateway SMTP process that called the Voltage SecureMail
Gateway. For encryption, the Voltage SecureMail Gateway uses the recipient’s public parameters.
For example, you can create a rule to enforce encryption of all email addressed to a specific domain
before the email leaves the firewall. Typically an email message is relayed from the user’s computer to
an MS Exchange server. In a Voltage SecureMail Gateway-enabled environment, the Exchange server
then relays the message to the Gateway SMTP server which calls the vsgateway milter as part of its
milter chain. The vsgateway milter scans the message header and finds that the To: field contains a
domain that requires encryption. The Micro Focus SecureMail Gateway then uses the client policy file
to determine if the recipient address is on the list of supported domains and fetches the correct public
parameters. The Voltage SecureMail Gateway then encrypts the message using the identity of the
recipient.
You might also create a rule to decrypt all Voltage-encrypted messages entering your enterprise from
outside the firewall. The decrypted messages could then be passed to an existing corporate anti-virus
product.

The Voltage SecureMail Gateway and the Voltage SecureMail Encryption Client


Using the Voltage SecureMail Encryption Client with the Voltage SecureMail Gateway is optional. See
the Voltage SecureMail Encryption Client Administrator Guide for information about configuring the
client. Communication within the corporate firewall is unaffected by the Voltage SecureMail Gateway.
Therefore, if you already deploy a security solution for internal communications, internal emails sent
with your existing solution will be encrypted and decrypted using the system already in place. If you do
not have a security solution and do not require internal encryption, you do not need to deploy the
Voltage SecureMail Encryption Client.
If you do choose to deploy the Voltage SecureMail Encryption Client for your enterprise, external
compliance remains enforced by the Gateway. The Voltage SecureMail Encryption Client cannot
override the settings for email sent through the Gateway. For example, if a user sends an unencrypted
message that the Gateway is configured to encrypt, the message is sent unencrypted to the Gateway
SMTP server. The Gateway SMTP server then calls the Voltage SecureMail Gateway, which detects
the encryption requirement and encrypts the message before it is sent outside the firewall.

Configuring the Gateway Service


The Gateway Service Summary page displays the tenants in your configuration.

On this page you can configure or view the settings for all tenants or for a particular tenant.
Click All Tenants, then click the tab that contains the settings you want to configure:

l Tenant Lookup Rules - You can specify the rules that inform the Gateway of which tenant in your
system to use.
l Policy Routes - You can specify where a message is routed after the Gateway has finished
processing it.

Click a specific tenant, then click the tab that contains the settings that you want to configure:
l General - You can enter tenant domains, enable re-encrypt mode, and specify a Brand X-Header that
can be used in a policy rule.
l Gateway Rules - You can configure rules to automatically encrypt and decrypt emails and to add and
delete headers to the emails processed by the rules.
l PKI Keys - You can import public and private keys for S/MIME and PGP users which enable the
SecureMail Gateway to decrypt inbound S/MIME or PGP emails and to encrypt outbound emails to
external users who use S/MIME or PGP.

Configuring the Gateway Service for all Tenants


The All Tenants option lets you configure Tenant Lookup Rules and Policy Routes that apply to all
tenants and nodes in a cluster by default. Tenant Lookup Rules determine which tenant processes a
message; Policy Routes determine where the message is delivered after processing.
Click one of the following tabs depending on which action you want to perform:
- Tenant Lookup Rules - Allows you to enter default rules that apply to all tenants. Tenant lookup
rules work like Gateway encryption rules, except that a matching rule selects a tenant rather than
an action. The tenant is selected in one of four ways: Direct, Outbound, Inbound, or Header.
To add a tenant lookup rule, click New Tenant Lookup Rule.
- Policy Routes - Allows you to enter policy routes. A policy route is used together with a policy
rule to specify where a message should be routed after the Gateway has finished processing it.
To add a policy route, click New Policy Route.

You can also customize settings and rules for individual tenants. See the following topics for details:
- Configuring Gateway General Parameters
- Understanding Gateway Rules
- Understanding Public Key Infrastructure (PKI) Keys

Configuring Tenant Lookup Rules


The New Tenant Lookup Rule wizard enables you to configure both general rules and rule conditions
for all tenants.
To configure general tenant lookup rules:
1. On the Services > Gateway Service tab, click All Tenants. The Global Service Configuration
page displays the Tenant Lookup Rules tab.

2. Click New Tenant Lookup Rule. The General Configuration page of the Tenant Lookup Rule
Configuration page displays.

3. Enter a unique Name for the rule that you are creating.
4. Specify whether the tenant lookup rule is enabled by selecting or clearing the Enabled check box.
The rule is enabled by default.
5. Select a Lookup Method from the list:

- Direct - Explicitly names the tenant to use. The rules of that tenant are then processed in the
context of that tenant.
- Outbound - Looks up the tenant from the message envelope. The sender of the message is
compared with the Tenant Domains (Email Patterns) field on each tenant's Gateway Service
General tab; the tenant whose patterns match processes the message.
- Inbound - Looks up the tenant from the message envelope. The email addresses of the message
recipients are compared with the Tenant Domains (Email Patterns) field on the Gateway Service
General tab of each tenant; the tenant whose patterns match processes the message.
- Header - Looks up the tenant from a district header on the message. If the Gateway decrypted
the message with re-encrypt mode on, the message carries an X-VS-IDS: <district name> header;
the tenant with that district is chosen, which ensures that the tenant used to decrypt the message
is also used to re-encrypt it. Otherwise, if the message carries an
X-IBE-Encrypted-Signer-District: <signer district> header (present when the message was
encrypted by ZDM or by the Gateway service), the tenant with that district is chosen, so the
Gateway decrypts the message with the correct tenant.

6. Select a tenant from the drop-down menu, and then click Next.

The Rule Conditions page of the New Tenant Lookup Rule wizard displays. See Configuring
Tenant Rule Conditions to continue with this wizard.

Configuring Tenant Rule Conditions


This topic provides instructions for the second page of the New Tenant Lookup Rule wizard. See
Configuring Tenant Lookup Rules for details about completing the first page of this wizard. After you
complete the General Configuration for the rule and click Next, the Rule Conditions page displays.

To configure tenant rule conditions:

1. In the New Rule Condition box, from the Attribute list, select the message field that you want the
rule to match against. Choose one of the following options:
- Envelope Recipient - Matches the RCPT TO email address(es) in the SMTP envelope.
- Envelope Sender - Matches the MAIL FROM email address in the SMTP envelope.
- Subject - Matches the RFC 2822 Subject: header in the message.
- Custom Header - Matches any RFC 2822 header in the message.
- Local Interface - Matches the SMTP local interface on which the message was received.
- Remote IP Address - Matches the IP address of the remote MTA that sent the message.
2. From the Operator drop-down list, choose one of the following:
- Matches - The condition evaluates to true if the Attribute value matches, in full, one of the
values in the Values text box (see step 3).
- Contains - The condition evaluates to true if the Attribute value contains one of the values in
the Values text box (see step 3). This operator is not offered for every attribute; whether it is
available depends on the selected Attribute.
- Does Not Match - The condition evaluates to true if the Attribute value does not match the
values in the Values text box (see step 3).

3. In the Values text box, enter the value that the contents of the field you specified in the
Attribute list will be matched against. You can add more than one value to the condition.
- To add multiple values, type each value on a separate line. If you add more than one value, the
values are OR'd: one matching value constitutes a match.
- To remove one or more values, select the value(s) and press the Delete key.

Pattern matching of the values is case sensitive. You can use the following special characters:

? - Matches any single character.
* - Matches any sequence of zero or more characters.
\ - Escapes the *, ?, and \ special characters.

Examples
*@acme.com
Matches any acme.com email address
*@acme.co*
Matches any acme.com address, any acme.co.uk address, any acme.co.jp address, and so forth.
Note that a trailing * matches any sequence, so this pattern also matches addresses such as
user@acme.corp.example; keep patterns as narrow as the rule allows.
jsmit?@acme.com
Matches jsmith@acme.com and jsmits@acme.com, but not jsmithers@acme.com or
pjsmith@acme.com
4. Click Add Condition to add the condition to the list of conditions for the rule.
The conditions are displayed in the Tenant Lookup Rule Conditions table. The Tenant Lookup
Rule Conditions table is a logically AND'ed list: when the rule is processed, all conditions in the
list must be met before the rule is applied to a message. To create an OR condition, add a
separate tenant lookup rule.
5. Update existing conditions as follows:
- To remove an existing condition, click Delete in the row for the condition that you want to
remove.
- To change an existing condition, click Edit in the row for that condition, make the changes you
need, then click Save Condition.
6. Click Finish to exit the wizard and return to the Configure Gateway Service: All Tenants page.
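The following Python script is an added example, not code from the Voltage product or this guide. It models how the tenant lookup rule set built in Configuring Tenant Lookup Rules and Configuring Tenant Rule Conditions is evaluated against one message: it translates the Values syntax (?, *, and the \ escape; case sensitive) into a regular expression, AND's the conditions inside a rule, OR's the lines of a Values box, tries the rules in the order they are listed, and resolves the tenant with the Direct, Outbound, Inbound, or Header method. The tenants, districts, rule names, interface name and addresses are constructed for the example, and the assumption that a rule whose method finds no tenant falls through to the next rule is the example's own.

```python
import re
from dataclasses import dataclass, field

def wildcard_to_regex(pattern):
    """Values syntax -> case-sensitive regex: '?' is one character, '*' is zero or
    more, '\\' escapes '*', '?' and '\\'; every other character is literal."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append("." if c == "?" else ".*" if c == "*" else re.escape(c))
        i += 1
    return re.compile("".join(out), re.DOTALL)

@dataclass
class Message:                  # constructed model of what the Gateway sees
    mail_from: str
    rcpt_to: list
    headers: dict = field(default_factory=dict)
    local_interface: str = ""
    remote_ip: str = ""

@dataclass
class Condition:
    attribute: str              # envelope_sender, envelope_recipient, header, local_interface, remote_ip
    operator: str               # matches, contains, does_not_match
    values: list                # one pattern per line of the Values box; OR'd
    header_name: str = ""       # with attribute "header": Subject or any custom header

@dataclass
class Tenant:
    name: str
    district: str
    domain_patterns: list       # Tenant Domains (Email Patterns) on the General tab

@dataclass
class LookupRule:
    name: str
    method: str                 # direct, outbound, inbound, header
    conditions: list            # AND'ed
    tenant: str = ""            # the tenant named by a Direct rule
    enabled: bool = True

def attribute_values(msg, cond):
    return {"envelope_sender": [msg.mail_from], "envelope_recipient": list(msg.rcpt_to),
            "header": [msg.headers.get(cond.header_name, "")],
            "local_interface": [msg.local_interface], "remote_ip": [msg.remote_ip]}[cond.attribute]

def condition_holds(cond, msg):
    pats = [wildcard_to_regex(v) for v in cond.values]
    vals = attribute_values(msg, cond)
    if cond.operator == "contains":
        return any(p.search(v) for p in pats for v in vals)
    hit = any(p.fullmatch(v) for p in pats for v in vals)
    return hit if cond.operator == "matches" else not hit       # does_not_match

def tenant_by_address(addresses, tenants):
    for t in tenants:
        if any(wildcard_to_regex(p).fullmatch(a) for p in t.domain_patterns for a in addresses):
            return t.name
    return None

def resolve_tenant(rule, msg, tenants):
    if rule.method == "direct":
        return rule.tenant
    if rule.method == "outbound":
        return tenant_by_address([msg.mail_from], tenants)
    if rule.method == "inbound":
        return tenant_by_address(msg.rcpt_to, tenants)
    # header: X-VS-IDS (set when re-encrypt mode decrypted the message) or
    # X-IBE-Encrypted-Signer-District (set by ZDM or the Gateway when it encrypted)
    district = msg.headers.get("X-VS-IDS") or msg.headers.get("X-IBE-Encrypted-Signer-District")
    return next((t.name for t in tenants if t.district == district), None)

def lookup_tenant(rules, msg, tenants):
    """Enabled rules are tried in the listed order; a rule applies when all its conditions
    hold. Assumption of this example: a rule whose method yields no tenant falls through."""
    for rule in rules:
        if rule.enabled and all(condition_holds(c, msg) for c in rule.conditions):
            name = resolve_tenant(rule, msg, tenants)
            if name is not None:
                return name, rule.name
    return None, None

# Constructed sample: two tenants and three rules in the order the console would list them.
TENANTS = [Tenant("acme", "acme.com", ["*@acme.com", "*@acme.co*"]),
           Tenant("globex", "globex.example", ["*@globex.example"])]
RULES = [LookupRule("reencrypt", "header", []),
         LookupRule("from-internal", "outbound", [Condition("local_interface", "matches", ["encrypt-in"])]),
         LookupRule("to-internal", "inbound",
                    [Condition("envelope_recipient", "matches", ["*@acme.co*", "*@globex.example"])])]
```

With this rule order, a message that already carries a district header is always routed to the tenant that handled it before, which is the property the Header method exists to provide; only messages without one fall back to the envelope-based rules.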

Configuring Policy Routes


A policy route is used together with a policy rule to specify where a message should be routed after
the Gateway has finished processing it. Each policy rule can be configured to use a different policy
route. When a policy route is specified on the Advanced tab of a policy rule, a sendmail delivery to the
route destination is created for the message.
Policy routes can be used, for example, to set up re-encryption by the Gateway. See the example below.
If no policy route is set for a rule, the mail is delivered via the mail route specified on the Gateway
SMTP tab of the System page. If there is no mail route on the System page either, the message is
delivered directly using an MX lookup.
Example:
You want the Gateway service to decrypt inbound mail and re-encrypt outbound mail.
To do this, you can use two policy routes:
- One policy route named InternalDelivery - The route destination is the internal SMTP server.
- One policy route named OutForReencrypt - The route destination is the IP address of the
Gateway's encrypt SMTP interface.

On the Policy Rule Advanced tab, specify the InternalDelivery policy route for the rule whose
recipient condition matches your internal domain, and the OutForReencrypt policy route for the rule
that covers all other decrypted messages.
To add a policy route:
1. In the Services > Gateway Services tab, click All Tenants in the Configured Gateway Services
table.
2. Click the Policy Routes tab, then click New Policy Route in the Policy Routes table.
3. In the Name text box, enter a unique name to identify the policy route. You can use any name for
the policy route, but once you choose a name, you cannot change it.

4. Under Route Destination, select one of the following options and enter the required information:
- Route Destination - Select the first option to enter the IP address or host name of a machine.
The policy route re-routes the message to the specified machine.
- Specify Local Interface - Select the second option to select an interface name from the
drop-down list. The policy route re-routes the message back to the local machine on the selected
local interface.
5. In the Client Interface list, select a client interface whose IP address does not match the route
destination.
6. Enter the HELO Name.
The policy route uses this name to identify itself to the receiving MTA.
7. Click Finish to return to the Policy Routes tab.

After you have configured a policy route, you can use it as a routing option for a policy rule:
1. In the Services > Gateway Service tab, click a tenant name in the Configured Gateway Services
table.
2. Click the Gateway Rules tab, then click the name of a rule in the Gateway Policy Rules table.
3. Click the Advanced tab, then select Specify Route to enable the Policy Route list.
4. In the Policy Route list, select the Policy Route Name that you added.
5. Click Save.

Configuring Gateway General Parameters


To configure gateway general parameters:
1. Click the Services > Gateway Service tab.
2. Click a tenant name in the Configured Gateway Services table, then click the General tab.

3. (Optional) In the Tenant Domains (Email Patterns) text box, enter the domains for which the
Gateway will encrypt email. The values in this field are used only when you do one or both of the
following:
- Enable the Tag Inbound Only setting when configuring a custom footer for a policy rule that
decrypts messages. See Adding a Message Footer in a Policy Rule for details.
- Configure a tenant lookup rule that uses either Inbound or Outbound as the Lookup Method.
See Configuring Tenant Lookup Rules for details.
4. Select or clear the Enable Re-Encrypt Mode check box.
Re-encrypt mode lets the software decrypt a message, perform an additional action, such as
scanning for a virus or adding a header, and then encrypt the message again before it is sent to
recipients. In most cases, you must enable re-encrypt mode if senders within your organization
use a Voltage SecureMail Client to send encrypted messages outside your organization: a virus
scanner can only examine decrypted messages, so an outbound message must be decrypted
before it is scanned and re-encrypted before it leaves for external recipients. While the additional
action runs, the message exists in plaintext on the Gateway host.

See Using Sendmail Interfaces for Reencryption for more information about the uses of
re-encrypt mode.
5. In the Brand X-Header Name text box, enter the name of the brand X-Header that is added to
messages to indicate a brand value for those messages. Note that you do not need to enter X-,
since this required portion is automatically included. The brand associated with this X-Header is
used when the message is encrypted or re-encrypted at the gateway.

For example, suppose you use the default value of X-VS-Brand and the tenant includes a brand
named brand1. A message might have the header X-VS-Brand: brand1 added either by the Voltage
SecureMail Encryption Client or by a content scanner. When this message enters the gateway,
the software detects that the message contains the header X-VS-Brand and looks for the
associated brand name, in this case brand1. This association indicates that the gateway is to use
brand1 when adding the message envelope.
The default value of X-VS-Brand is the same value used by the Voltage SecureMail Encryption
Client. If you change the default value for this field, you must also change it in all clients that send
secure messages through the gateway for re-encryption.
The brand X-Header value you specify here is used if you configure a policy rule that specifies Use
the X-Header selected brand. See Adding a Policy Rule for instructions.
6. Click Save to save the general parameters for the tenant.

Understanding Gateway Rules


The Gateway Rules tab allows you to define a set of rules for handling the messages that pass through
the SecureMail Gateway. These rules specify actions based on the contents of message fields.
When a message is processed, the Gateway service scans through the set of rules until it finds a
matching rule. The Gateway service then performs the action of the matching rule on the message. The
default action is to pass the message if no matching rules are found. You can specify a secondary
action for encrypt/decrypt actions, in case the encrypt/decrypt fails. This alternative action can either
be to pass or to reject the message.
To allow for inter-operation with other email filters, you can specify custom header name/value pairs to
be added to and removed from messages based on processing actions. For example, a rule can be
created to always add the user-defined header "X-Voltage" with the value "encrypted" whenever a
message is successfully encrypted.

Configuring Gateway Rules


The Gateway Rules tab displays the Gateway Header Rules table and the Gateway Policy Rules
table. The tables list all of the existing rules and you can add, copy, edit, disable or remove rules.
You can perform the following actions in the Gateway Header Rules table:
- Add a Header Rule
- Edit a Header Rule

You can perform the following actions in the Gateway Policy Rules table:
- Add a Policy Rule
- Edit a Policy Rule

You can perform the following actions in either table:
- Copy a Rule
Click Copy in the row for the rule that you want to copy. Edit the fields that you want to change for
the new rule and then click Finish.
- Disable a Rule
Click Disable in the row for the rule that you want to disable. The Disabled icon displays in the
Status column and Disable changes to Enable. Note that when a rule is disabled, emails are not
processed against it.
- Enable a Disabled Rule
Click Enable in the row for the rule that you want to enable. The emails are now processed against
the rule.
- Remove a Rule
Click Delete in the row for the rule that you want to remove. The rule is removed from the table and
is no longer used to process emails. If you want to process emails with the removed rule, you
must recreate the rule.
When a message is processed, the Gateway service examines the rules in the tables one rule at a time
in the order that they are listed in their respective tables. Once the Gateway service finds a matching
rule, the specified action is performed and no further rules are examined. The Gateway service
examines rules in the Header Rules table and the rules in the Policy Rules table separately.
See Sample Scenario for an example of how to configure the software to automatically encrypt specific
messages at the gateway.

Adding or Editing Header Rules


Header rules allow you to add user-defined headers to messages, and remove them, based on
processing actions. A user-defined header is a name/value pair. These headers can be used to ensure
interoperability with other milters (sendmail mail filters).
For example, a rule can be created to always add the user-defined header "X-Voltage" with the value
"encrypted" whenever a message is successfully encrypted. Another rule can be created to always
add the user-defined header "X-Voltage" with the value "encrypt-failed" whenever an encryption failure
occurs. Note that such headers are ordinary message content that a sender can set before the
message reaches the Gateway; a filter that acts on them should not treat them as proof that the
Gateway processed the message unless any pre-existing copy is stripped first.
When configuring header rules, you can choose to include soft errors in the header rule process. A soft
error occurs when a policy rule attempts to encrypt an already encrypted message or decrypt an
already decrypted message. If you choose to include soft errors, the policy rules pass the message,
but the header rules are still processed.

To add or edit a header rule:


1. On the Services > Gateway Service tab, click a tenant name in the Configured Gateway
Services table.
2. Click the Gateway Rules tab, then click New Header Rule or the name of an existing rule.

The Gateway Header Rule Details page displays.

3. In the Name text box, enter a unique name for the new header rule.

The Name displays in the Header Rules table on the main Gateway Rules page so that you can
identify the rule. It is not part of the rule. This is a required field.
4. Specify whether to enable or disable the rule. By default the new rule is enabled. To disable the
new rule, click Enabled to clear the check box.
5. From the Action list, select one of the following:
- Add Header - Adds the header to messages when they meet the condition selected in the
Condition list. See step 6 below.
- Delete Header - Deletes the header from messages when they meet the condition selected in
the Condition list. See step 6 below.
You can specify the user-defined header's name and, optionally, a header value. If you omit the
header value, every header in the message matching the header name is deleted.
6. From the Condition list, select one of the conditions.
The Gateway service adds or deletes the header on messages when the condition you select is
met. The available conditions are:
- Encrypt Succeeded
- Encrypt Failed
- Decrypt Succeeded
- Decrypt Failed
- Pass
- Always
7. Select Include Soft Errors to process the header rule even when a soft error has occurred.
A soft error occurs when a policy rule attempts to encrypt an already encrypted email or decrypt an
already decrypted email.
8. In the Header Name text box, enter the header name.
The console prefixes the name with 'X-', the conventional prefix for user-defined headers, so every
header name begins with 'X-'; enter only the part after the prefix. This is a required field.
9. In the Header Value text box, enter a value.
Matching on the header value is case-insensitive. If the header value is omitted, every header in the
message matching the header name is added or deleted, depending on the Action selected. This
field is optional.
10. Click Finish (for a new header rule) or Save and Exit (for an existing header rule) when you are
finished.

Adding a Policy Rule


Policy rules let you configure rules to encrypt or decrypt messages on demand. You can use policy
rules to provide users with a clientless experience. From the Gateway Rules tab, you can add a policy
rule that performs actions on messages based on the contents of message header fields and SMTP
envelope addresses. You can specify policy rules to encrypt, decrypt, pass, or reject an email
message that matches the criteria you set.
To add a policy rule:
1. On the Services > Gateway Service tab, click a tenant name in the Configured Gateway
Services table.
2. Click the Gateway Rules tab, then click New Policy Rule.
The New Policy Rule wizard displays.

3. In the Name text box, enter a unique name for the new policy rule. This is required.
4. The new rule is enabled by default. To disable the new rule, clear the Enabled check box.
5. In the Action section, select the action that you want the rule to perform on messages that match
the conditions you specify on the Rule Conditions page:
- Encrypt - Encrypts messages that match the specified conditions. If you select this action,
you must also select a secondary action in case the encryption fails, as well as a brand for the
messages. Proceed to step 6 to continue.
- Decrypt - Decrypts messages that match the specified conditions. If you select this action,
you must also select a secondary action in case the decryption fails, as well as a brand for the
messages. Proceed to step 6 to continue.

NOTE: When you select Decrypt, three new fields display for you to enter message
footer information. See Adding a Message Footer in a Policy Rule for more information.

- Pass - Relays the message and delivers it without changing anything. If you select this action,
you do not need to select a secondary action or a brand; proceed to step 8.
- Redirect - Delivers the message to the email address that you specify, rather than to the
recipients. If you select this action, you must enter a valid email address in the text entry field.
You do not need to select a secondary action or a brand. Proceed to step 8 to continue.
- Reject - Returns messages that match the specified conditions to the sender without
processing. If you choose this action, you do not need to choose a secondary action or a brand.
Proceed to step 8 to continue.
6. If you chose Encrypt or Decrypt as the action, select the secondary action the rule performs if the
primary action fails:
- Pass - Relays and delivers the mail unchanged. Choose this with care for an Encrypt rule: a
message whose encryption fails is then delivered in cleartext.
- Reject - Returns all messages that fail the primary action to the sender without processing.

7. If you chose Encrypt as the action, select one of the following options:
- Use Brand - Uses a brand that is available for the tenant. If you select this option, select the
brand name that you want to use from the list.
- Use X-Header Selection - Uses the brand specified in the brand X-Header of the message. If
the message does not contain a brand X-Header with a valid brand, the default brand specified
for the tenant is used.

The brand X-Header can be added by the Voltage SecureMail Client or by another application,
such as a content scanner. For information on X-Headers and content scanners, see Content
Scanner X-Header Examples.
When you select Use X-Header Selection, the gateway service scans the message for the
brand X-Header name specified on the General tab of the Configure Gateway Service page
(as described in Configuring Gateway General Parameters) and uses the brand associated with
that X-Header. After the gateway service determines the brand to use for the message, it
removes the X-Header from the message.

NOTE: When re-encrypt mode is enabled, the Gateway service always preserves the
original brand.

8. If you selected Encrypt as the Action in step 5, proceed to the next step. If you selected Decrypt
as the Primary Action, the message footer fields display. See Adding a Message Footer in a
Policy Rule, on page 103 for instructions.
9. Click Next.

The Rule Conditions page displays.

Editing Policy Rule Conditions


To edit a rule condition:
1. From the Attribute list, select the message field against which you want the rule to check for a
match:
- Envelope Recipient - Checks the RCPT TO email address(es) in the SMTP envelope.
- Envelope Sender - Checks the MAIL FROM email address in the SMTP envelope.
- Header Recipient - Checks the email address(es) in the RFC 2822 primary recipient header
(To:).
- Header Sender - Checks the email address in the RFC 2822 sender header (From:).
- Subject - Checks the RFC 2822 Subject: header in the message.
- Custom Header - Checks any RFC 2822 header in the message.
- Local Interface - Checks the SMTP local interface on which the message was received.
- Remote IP Address - Checks the IP address of the remote MTA that sent the message.
Note that the envelope addresses are what the MTA actually relays, whereas the To: and From:
headers are message content under the sender's control. For a rule that enforces encryption or
blocks delivery, match on the envelope attributes, or on both.
2. From the Operator list, select one of the following:

NOTE: The available operators depend on the selection in the Attribute list. Some
operators are not available for certain attributes.

- Matches - The Attribute value matches, in full, a value in the Values text box (see step 3).
- Contains - The Attribute value contains a value in the Values text box (see step 3).
- Does Not Match - The Attribute value does not match the values in the Values text box (see
step 3).
- Matches PKI User - This option is only available if you selected Envelope Recipient or
Envelope Sender in the Attribute list.
The condition evaluates to true if PKI keys have been imported for the envelope sender and
recipients. See Understanding Public Key Infrastructure (PKI) Keys for information on
importing PKI keys. The following PKI keys must exist, depending on the type of rule:
  - Encrypt rule - A private key must have been imported for the envelope sender and a public
key must have been imported for at least one recipient.
  - Decrypt rule - A private key must have been imported for at least one recipient.

When you choose Matches PKI User, you do not need to enter a value. The Values text box is
not available for input. Proceed to step 4 to continue.
3. In the Values text box, enter the value that the contents of the field you selected in the
Attribute list will be matched against. You can add more than one value to the condition.

To add multiple values, enter each value on a separate line. If you add more than one value for
the condition, the values are OR'd: one matching value constitutes a match.
Pattern matching of the values is case sensitive. You can use the following special characters:

? - Matches any single character.
* - Matches any sequence of zero or more characters.
\ - Escapes the *, ?, and \ special characters.

Examples
*@acme.com
Matches any acme.com email address
*@acme.co*
Matches any acme.com address, any acme.co.uk address, any acme.co.jp address, and so
forth
jsmit?@acme.com
Matches jsmith@acme.com and jsmits@acme.com, but not jsmithers@acme.com or
pjsmith@acme.com
4. Click Add Condition to add the condition to the list for the rule.

The condition displays in the Policy Rule Conditions table.


5. (Optional) To configure a rule with multiple conditions, repeat steps 1-4, then decide whether the
rule is processed only if All conditions are met (the list in the Policy Rule Conditions table is
logically AND'ed) or if the rule is processed if Any condition is met (the list is logically OR'd).

By default, the rule is processed only if all conditions are met. To process the rule if any condition
is met, choose Any from the list below the Policy Rule Conditions table, specifying that the
software is to Take action if Any of the rule conditions are met.
6. To edit an existing condition, click Edit in the row for the condition that you want to edit. To
remove an existing condition, click Delete in the row for the condition that you want to remove.
7. Click Finish when you are finished configuring the rule. Click Back to return to the General
Configuration page if you want to change the rule's general settings.
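As an added example that is not the product's code, the Python below models one pass of a message through a tenant's two rule tables as described in Understanding Gateway Rules, Adding or Editing Header Rules, Adding a Policy Rule and Editing Policy Rule Conditions: the first enabled matching policy rule wins, the Any/All condition logic, the Encrypt and Decrypt primary actions with a soft error when the message is already in the requested state, the secondary action on a hard failure, header rules keyed to the outcome with Include Soft Errors, the case-insensitive value match for Delete Header, and the delivery fallback order of policy route, then system mail route, then MX lookup. Rule conditions are plain Python callables (the ?/* pattern syntax is not re-implemented here); the decryptable flag stands in for whether the Gateway holds a usable key; the tenant, addresses, rule names and routes are constructed; and the choice that header rules, like policy rules, stop at the first match is this example's reading of the text.

```python
from dataclasses import dataclass, field

@dataclass
class Message:                   # constructed model; 'encrypted' stands in for the payload state
    mail_from: str
    rcpt_to: list
    headers: dict = field(default_factory=dict)
    encrypted: bool = False
    decryptable: bool = True     # False simulates a hard decrypt failure (no usable key)
    rejected: bool = False

@dataclass
class PolicyRule:
    name: str
    action: str                  # encrypt, decrypt, pass, redirect, reject
    conditions: list             # callables Message -> bool (the ?/* syntax is not re-implemented)
    match_any: bool = False      # "Take action if Any" instead of the default All
    on_failure: str = "reject"   # secondary action for encrypt/decrypt: pass or reject
    redirect_to: str = ""
    route: str = ""              # policy route name chosen on the Advanced tab, if any
    enabled: bool = True

@dataclass
class HeaderRule:
    name: str
    action: str                  # add or delete
    condition: str               # encrypt_succeeded, encrypt_failed, decrypt_succeeded, decrypt_failed, pass, always
    header_name: str             # entered without "X-"; the console prefixes it
    header_value: str = ""
    include_soft_errors: bool = False
    enabled: bool = True

def rule_matches(rule, msg):
    results = [c(msg) for c in rule.conditions]   # no conditions: matches every message (assumption)
    return any(results) if rule.match_any else all(results)

def apply_policy_rules(rules, msg):
    """First enabled matching rule wins and no later rule is examined; no match means pass.
    Returns (outcome, soft_error, rule). A soft error (encrypting ciphertext or decrypting
    plaintext) passes the message; a hard failure runs the rule's secondary action."""
    rule = next((r for r in rules if r.enabled and rule_matches(r, msg)), None)
    if rule is None or rule.action == "pass":
        return "pass", False, rule
    if rule.action == "reject":
        msg.rejected = True
        return "reject", False, rule
    if rule.action == "redirect":
        msg.rcpt_to = [rule.redirect_to]
        return "redirect", False, rule
    if rule.action == "encrypt":
        if msg.encrypted:
            return "encrypt_failed", True, rule       # soft: already encrypted
        msg.encrypted = True
        return "encrypt_succeeded", False, rule
    if not msg.encrypted:                             # rule.action == "decrypt"
        return "decrypt_failed", True, rule           # soft: already plaintext
    if msg.decryptable:
        msg.encrypted = False
        return "decrypt_succeeded", False, rule
    msg.rejected = rule.on_failure == "reject"        # hard failure: secondary action
    return "decrypt_failed", False, rule

def apply_header_rules(header_rules, msg, outcome, soft_error):
    """Separate table, examined in order once the policy outcome is known; the first
    matching header rule is applied. Returns the applied rule's name, or None."""
    for h in header_rules:
        if not h.enabled or h.condition not in ("always", outcome):
            continue
        if soft_error and not h.include_soft_errors:
            continue
        name = "X-" + h.header_name
        if h.action == "add":
            msg.headers[name] = h.header_value
        else:   # delete: name and value compared case-insensitively; empty value matches any
            for k in [k for k in msg.headers if k.lower() == name.lower()]:
                if not h.header_value or msg.headers[k].lower() == h.header_value.lower():
                    del msg.headers[k]
        return h.name
    return None

def next_hop(rule, policy_routes, system_mail_route=""):
    """Policy route from the rule's Advanced tab, else the mail route from the Gateway SMTP
    tab on the System page, else direct delivery by MX lookup."""
    if rule is not None and rule.route:
        return policy_routes[rule.route]
    return system_mail_route or "MX"

# Constructed sample configuration for a tenant whose users are *@acme.com.
POLICY = [
    PolicyRule("decrypt-inbound", "decrypt", [lambda m: all(r.endswith("@acme.com") for r in m.rcpt_to)],
               route="InternalDelivery"),
    PolicyRule("encrypt-tagged", "encrypt", [lambda m: m.mail_from.endswith("@acme.com"),
                                             lambda m: "[secure]" in m.headers.get("Subject", "")]),
    PolicyRule("block-rival", "reject", [lambda m: any(r.endswith("@rival.example") for r in m.rcpt_to)]),
]
HEADERS = [
    HeaderRule("tag-encrypted", "add", "encrypt_succeeded", "Voltage", "encrypted"),
    HeaderRule("tag-failed", "add", "encrypt_failed", "Voltage", "encrypt-failed", include_soft_errors=True),
    HeaderRule("strip-stale", "delete", "decrypt_succeeded", "Voltage"),
]
ROUTES = {"InternalDelivery": "smtp-int.acme.com", "OutForReencrypt": "10.0.0.5"}

def process(msg, system_mail_route=""):
    """One message through both tables; returns (outcome, next hop or None when rejected)."""
    outcome, soft, rule = apply_policy_rules(POLICY, msg)
    apply_header_rules(HEADERS, msg, outcome, soft)
    return outcome, (None if msg.rejected else next_hop(rule, ROUTES, system_mail_route))
```

The order of the three policy rules matters: if the reject rule for rival.example were listed after a broader encrypt rule that also matched, the message would be encrypted and delivered, because nothing after the first matching rule is examined.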

Adding a Message Footer in a Policy Rule


A recipient who receives confidential information in an email that was encrypted and then automatically
decrypted does not necessarily know that the message was sent securely. If you add a Policy Rule to
decrypt messages, you can include a message footer to inform recipients that the message had
originally been sent securely and was automatically decrypted. The text that you enter for the message
footer is appended to the body of the decrypted email.
To add a message footer to a decrypted email:
1. On the General Configuration page of the New Policy Rule wizard, select Decrypt in the
Action list. See Adding a Policy Rule for details.

Three additional fields display for you to add a message footer.


2. In the Custom Footer text box, enter the message that you want to append to the body of
decrypted emails. You can enter a maximum of 1000 characters.

When you enter text in the Custom Footer text box, the text is validated against the Tenant
Default Brand Locale, or, if there is no brand, against the Tenant Locale. The text you enter must
be valid for that locale's language.
When a message is decrypted, the Gateway service matches the character set of the Custom
Footer text to the character set of the message body. If the footer uses a different character set
than the message body, the Gateway service attempts to convert the footer to the character set of
the message body. If the conversion fails, the Footer Fallback Message text is used instead; that
text is always ASCII.
3. In the Footer Fallback Message text box, enter the message that you want to append to the body
of decrypted emails when the Custom Footer cannot be converted. In most cases, you can use the
same text as in the Custom Footer text box, but this text box accepts only ASCII characters. You
can enter a maximum of 1000 characters.

NOTE: If you leave the Custom Footer and Footer Fallback Message text boxes
empty, no footer will be added to decrypted messages.

4. Specify whether to enable the Tag Inbound Only setting.

If you enable this setting, the message footer is only added to messages that contain at least one
recipient with an email address that is included in one of the domains in the Tenant Domains
(Email Patterns) box on the Services > Gateway Service > General tab for the tenant. You can
use this setting to prevent the footer from displaying in outbound messages that have been
decrypted and then re-encrypted.
5. Continue entering the policy rule general information.
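The footer selection described above, as an added example that is not part of the guide or the product: validate_footer_config applies the two limits stated here (1000 characters per field, ASCII-only fallback), choose_footer tries the Custom Footer in the message body's character set and drops to the Footer Fallback Message when the conversion fails, and append_footer applies Tag Inbound Only against the tenant's domain patterns. Python codec names stand in for the message body character set, fnmatchcase stands in for the console's pattern syntax, and the footer strings, character sets and addresses are constructed. Appending nothing when the fallback is empty and the conversion fails is this example's assumption; the guide only covers both fields being empty.

```python
import fnmatch

MAX_FOOTER = 1000   # per-field limit stated above

def validate_footer_config(custom_footer, fallback):
    """Checks to apply before saving the rule: each field at most 1000 characters,
    and the Footer Fallback Message restricted to ASCII."""
    if len(custom_footer) > MAX_FOOTER or len(fallback) > MAX_FOOTER:
        raise ValueError("footer text exceeds %d characters" % MAX_FOOTER)
    if not fallback.isascii():
        raise ValueError("Footer Fallback Message must contain only ASCII characters")

def choose_footer(custom_footer, fallback, body_charset):
    """Text to append to a decrypted body: the Custom Footer if it converts to the body's
    character set, else the ASCII fallback, else nothing (None)."""
    if custom_footer:
        try:
            custom_footer.encode(body_charset)
            return custom_footer
        except (UnicodeEncodeError, LookupError):   # unrepresentable text or unknown charset
            pass
    return fallback or None

def is_inbound(rcpt_to, tenant_domain_patterns):
    """Tag Inbound Only test: at least one envelope recipient is inside the tenant's domains.
    fnmatchcase stands in for the console's ?/* syntax (it has no '\\' escape)."""
    return any(fnmatch.fnmatchcase(r, p) for r in rcpt_to for p in tenant_domain_patterns)

def append_footer(body, body_charset, rcpt_to, custom_footer, fallback,
                  tag_inbound_only=False, tenant_domain_patterns=()):
    """Body of a decrypted message after a Decrypt policy rule with a footer has run."""
    if tag_inbound_only and not is_inbound(rcpt_to, tenant_domain_patterns):
        return body
    footer = choose_footer(custom_footer, fallback, body_charset)
    return body if footer is None else body + "\n\n" + footer
```

Run validate_footer_config at configuration time rather than per message: a non-ASCII fallback would otherwise surface only on the first message whose body character set cannot carry the Custom Footer.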

Editing a Policy Rule


To edit a policy rule:
1. In the Services > Gateway Service tab, click a tenant name in the Configured Gateway Services
table.
2. Click the Gateway Rules tab, then click the name of a rule in the Gateway Policy Rules table.
You can edit the policy rule details on the Gateway Policy Rule Details page. Click any of the
following tabs to edit the information on that tab:
- General tab - You can enable or disable the rule, edit the policy rule name, set a primary action
and fail action, and change a brand.
- Rule Conditions tab - You can add or remove conditions for the selected rule.
- Advanced tab - You can set options for PGP and S/MIME encryption and decryption, and
specify a configured policy route.
3. Click Save and Exit to return to the Gateway Rules tab.

General Tab
To edit General policy rule options, you can update any of the following:

1. Change the name of the policy rule by updating the Name field.
2. Change whether this rule is enabled.

The rule is enabled by default. To disable the rule, clear the Enabled check box.
3. Change the primary action that the rule performs on messages that match the condition specified
on the Rule Conditions page:
• Encrypt - Encrypts messages that match the specified conditions. If you select this action,
you must also select a secondary action if the encryption fails, as well as a brand for the
messages. Proceed to step 4 to continue.
• Decrypt - Decrypts messages that match the specified conditions. If you select this action,
you must also select a secondary action if the decryption fails, as well as a brand for the
messages. Proceed to step 4 to continue.

NOTE: When you choose decrypt from the list, three additional fields display for you to
enter message footer information. See Adding a Message Footer in a Policy Rule for
more information.

• Pass - Relays the message and delivers it without changing anything. If you select this action,
you do not need to select a secondary action or a brand.
• Redirect - Delivers the message to the email address that you specify, rather than to the
recipients. If you select this action, you must enter a valid email address in the text box. You do
not need to select a secondary action or a brand.
• Reject - Returns messages that match the specified conditions to the sender without
processing. If you select this action, you do not need to select a secondary action or a brand.
4. Change the action that the rule performs if the primary action fails:
• Pass - Relays and delivers the mail unchanged.
• Reject - Returns messages that fail the primary action to the sender without processing.
5. Change the brand used for the message. Select one of the following options:
• Use X-Header Selection - You can change this to always use a specific brand. Click Use
Brand, then select the brand from the list.
• Use Brand - You can change this to use a different brand or click Use X-Header Selection to
use the brand name specified in the brand X-Header.

The brand X-Header can be added by the Voltage SecureMail Client or by another application,
such as a content scanner. For information on X-Headers and content scanners, see Content
Scanner X-Header Examples.
When you select Use X-Header Selection, the Gateway service scans the message for the brand X-
Header name that you entered on the General tab of the Configure Gateway Service page and uses
the brand associated with that X-Header (see Configuring Gateway General Parameters). After the
Gateway service determines the brand to use for the message, it removes the X-Header from the
message.

NOTE: When re-encrypt mode is enabled, the Gateway service always preserves the original
brand.

Rule Conditions Tab


To edit rule conditions options, you can update any of the following:
1. In the Attribute list, you can change the message field against which you want the rule to check
for a match.
• Envelope Recipient - Checks the RCPT TO email address(es) in the SMTP envelope.
• Envelope Sender - Checks the MAIL FROM email address in the SMTP envelope.
• Header Recipient - Checks the email address(es) in the RFC 2822 header primary recipient
(To:).
• Header Sender - Checks the email address in the RFC 2822 header sender (From:).
• Subject - Checks the RFC 2822 Subject: header in the message.
• Custom Header - Checks for any RFC 2822 header in the message.
• Local Interface - Checks the SMTP local interface on which the message was received.
• Remote IP Address - Checks the IP address of the remote MTA that sent the message.
2. In the Operator list, you can change the evaluation method that determines if an attribute meets
the criteria.

NOTE: The available operators depend on the selection in the Attribute list. Some
operators are not available for certain attributes.

• Matches - The Attribute value exactly matches a pattern in the Values text box (see step 3).
• Contains - The Attribute value contains the text in the Values text box (see step 3).
• Does Not Match - The Attribute value does not match the pattern in the Values text box (see
step 3).
• Matches PKI User - This option is only available if you selected Envelope Recipient or
Envelope Sender in the Attribute list.
The condition is true if the PKI keys have been imported for the envelope sender and
recipients. See Understanding Public Key Infrastructure (PKI) Keys for information on
importing PKI keys. The following PKI keys must exist depending on the type of rule:
◦ Encrypt rule - A private key must have been imported for the envelope sender and a public
key must have been imported for at least one recipient.
◦ Decrypt rule - A private key must have been imported for at least one recipient.

When you select Matches PKI User, you do not need to enter a value. The Values text box is
not available for input. To proceed, continue with Step 4.
3. In the Values text box, enter the value that the contents of the field that you specified in the
Attribute text box will be matched against. You can add more than one value to the condition.

• To add multiple values, enter each value on a separate line. If you add more than one value, the
values are OR'd. This means that one matching value constitutes a match.
• To remove one or more values, select the value(s) and press the Delete key on the keyboard.

Pattern matching of the values is case sensitive. You can use the following special characters:
? - Matches any single character.
* - Matches any sequence of zero or more characters.
\ - Escapes the *, ?, and \ special characters.

Examples
*@acme.com  Matches any acme.com email address
*@acme.co*  Matches any acme.com address, any acme.co.uk address, any acme.co.jp address, and so forth
jsmit?@acme.com  Matches jsmith@acme.com and jsmits@acme.com, but not jsmithers@acme.com or pjsmith@acme.com
4. Click Add Condition to add the condition to the list of conditions for the rule.
5. (Optional) To configure a rule with multiple conditions, repeat steps 1-4, then decide whether the
rule is processed only if All conditions are met (the list in the Policy Rule Conditions table is
logically AND'ed) or if the rule is processed if Any condition is met (the list is logically OR'd).

By default, the rule is processed only if all conditions are met. To process the rule if any condition
is met, choose Any from the list below the Policy Rule Conditions table, specifying that the
software is toTake action if Any of the rule conditions are met.

Advanced Tab
To edit Advanced policy rule options:
1. Click the Advanced tab on the Gateway Policy Rule Details page.
2. From the PKI Options list, select one of the following:

• Disabled - This is the default. When PKI is disabled, IBE is used to encrypt and decrypt all
emails.
• Enable User PGP/SMIME - The Gateway service uses the PGP or S/MIME keys specified in
the Gateway Service > PKI Keys tab to encrypt or decrypt messages. Messages are
encrypted in either PGP or S/MIME format, depending on which type of key was found.
Messages encrypted in PGP or S/MIME format are also decrypted.
• Enable User PGP/SMIME and Domain SMIME - The Gateway service uses the Domain
S/MIME feature if there is a Domain S/MIME identity loaded on the PKI Keys tab. The
message will be encrypted in S/MIME format, and the domain S/MIME identity will be used for
all recipients that match the domain specified. This can be used for Gateway to Gateway
S/MIME encryption.

3. Click the Use IBE if Domain S/MIME Fails check box to select or clear it.
When you select Use IBE if Domain S/MIME Fails, the Gateway Service uses IBE for
encryption if there is any failure with the domain S/MIME encryption.
4. Click the Use OpenPGP Fallback Signer check box to select or clear it.
When you select Use OpenPGP Fallback Signer, an OpenPGP fallback signing key is used for
encryption in the event that an individual key does not exist for a sender.
5. In the Routing Options section, click the Specify Route check box to select or clear it.
When you select Specify Route, the policy rule delivers the message using the policy route that
you select from the Policy Route list.
6. If you selected Specify Route, select a Policy Route from the list.
The list is populated from the Policy Routes that you configure on the Gateway Service > All
Tenants > Policy Routes tab. See Configuring Policy Routes for more information.

Content Scanner X-Header Examples


If you are using a brand that uses the same language as the tenant, you do not need to include the
locale and language in the X-Header. The Gateway service uses the tenant locale when the X-Header
does not contain the language and locale.
Example:
X-VS-Brand: name=<brand name>

Using Brands for Different Locales


If you are using a content scanner to add the brand X-Header for a brand that uses a different locale
than the tenant, include the locale and language in the X-Header as shown in the following examples:
English brands:
X-VS-Brand: name=<brand name>,language=en,
Japanese brands:
X-VS-Brand: name=<brand name>,language=ja,
French brands:
X-VS-Brand: name=<brand name>,language=fr,country=CA
X-VS-Brand: name=<brand name>,language=fr,country=FR

NOTE: Country codes for supported brands use the standard ISO 3166 two-letter
combinations.

Using 3.1 Format X-Headers


Existing X-Headers in the following Version 3.1 format will work with Version 3.1.1. In this case, the
tenant locale is used.
X-VS-Brand: <brand name>
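
The two header forms above (the name=,language=,country= form and the bare-name 3.1 form) resolved the way the guide describes, as an added example that is not part of the product or of this guide: the header is parsed, the tenant locale is used when language and country are absent, and the header is removed once the brand has been chosen. The brand table, the tenant locale, and the handling of a brand that the tenant has not configured are assumptions made for the example.

```python
import email
from email.message import Message
from typing import Dict, Optional, Tuple

BRAND_HEADER = "X-VS-Brand"

# Constructed for this example (not product configuration): the brands one
# tenant has configured and that tenant's locale.
CONFIGURED_BRANDS = {"Retail", "Wealth"}
TENANT_LOCALE: Tuple[str, Optional[str]] = ("en", "US")


def parse_brand_header(value: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (brand name, language, country) from an X-VS-Brand value.

    Accepts the name=<brand>,language=<ll>,country=<CC> form and the 3.1 form
    that carries only the brand name. Keys are case-insensitive and a trailing
    comma, as in 'language=en,', is tolerated. Missing fields come back as None.
    """
    value = value.strip()
    if "=" not in value:
        return value, None, None          # 3.1 format: bare brand name
    fields: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        fields[key.strip().lower()] = val.strip()
    if not fields.get("name"):
        raise ValueError("X-VS-Brand carries no brand name")
    return fields["name"], fields.get("language") or None, fields.get("country") or None


def resolve_brand(msg: Message) -> Tuple[Optional[str], Tuple[str, Optional[str]]]:
    """Choose the brand and locale for a message, then strip the header.

    Behaviour taken from the guide: when the header omits language/country the
    tenant locale is used, and the header is removed once the brand is chosen.
    Assumption for this example: an absent, malformed or unconfigured brand
    selects the tenant default (None here) with the tenant locale.
    """
    raw = msg.get(BRAND_HEADER)
    del msg[BRAND_HEADER]                 # never let the selector reach recipients
    if raw is None:
        return None, TENANT_LOCALE
    try:
        name, language, country = parse_brand_header(raw)
    except ValueError:
        return None, TENANT_LOCALE
    if name not in CONFIGURED_BRANDS:
        return None, TENANT_LOCALE
    if language is None:
        return name, TENANT_LOCALE
    return name, (language, country)


def resolve_raw(raw_message: str):
    """Parse an RFC 5322 message text and resolve its brand.

    Returns (brand, (language, country), header_removed) for easy checking.
    """
    msg = email.message_from_string(raw_message)
    brand, locale = resolve_brand(msg)
    return brand, locale, msg.get(BRAND_HEADER) is None
```

A message carrying X-VS-Brand: Retail (3.1 format) resolves to the Retail brand with the tenant locale; one carrying name=Retail,language=fr,country=CA resolves to Retail with the fr/CA locale. In both cases the header is gone from the message afterwards.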

Sample Scenario
Suppose that a business named Enterprise A has a statement generation process that generates
confirmations of online stock trades. Enterprise A wants to give customers the option of receiving
these confirmations via email, but privacy laws require that messages with this type of content be
encrypted. Enterprise A can use Voltage SecureMail to automatically encrypt messages that are sent
from the server that generates the trade confirmation messages.

Configuration
The Voltage SecureMail administrator at Enterprise A uses the Management Console to do the
following:
• Ensures each email address that can receive encrypted statements is supported by one of the user
authentication methods or creates a fall-through district that can be used for all addresses. See
Adding a User Authentication Method for instructions.
• Creates a component authentication method that supports the email address that the statements
originate from: statements@a.com. Because the gateway is only encrypting, it does not need
private keys for the recipients. See Adding a Component Authentication Method for instructions.
• Enables Zero Download Messenger (ZDM) attachments for recipients who do not have a Voltage
SecureMail client. See Configuring the ZDM Service for instructions.
• Adds a policy rule to encrypt all messages originating from the email address statements@a.com.
See Adding a Policy Rule, on page 99 for instructions.

The following sections describe how to set up a policy rule that encrypts all messages sent by
statements@a.com.

Rule Format
In this example, on the General Configuration page of the New Policy Rule wizard, the primary action is
set to Encrypt. If the message cannot be encrypted or contains files that cannot be scanned, the
secondary action is set to Reject. That way, if there is a problem with the encryption, the sender
receives a bounce message, and the sensitive information is not sent in an unencrypted format.

A condition is added on the Rule Conditions page of the New Policy Rule wizard. The condition
matches all messages sent from statements@a.com, so the rule encrypts them.

The new Statements Rule appears in the Gateway Policy Rules table.

Message Flow
In this example, the statement server sends a statement to an external recipient with the email address
Brian@otheraddress.com. The message is forwarded from the Exchange server to the Sendmail
server, which then calls the milter. The milter examines the rules file and determines that the message
must be encrypted. The gateway encrypts the message and then Sendmail relays the encrypted
message to the next server or to the internet.
The encrypted message is delivered to Brian’s ISP and then to his computer.
• If Brian has the Voltage SecureMail Encryption Client, the message is decrypted directly in Brian's
Outlook or Outlook Express application. If this is the first time Brian has received a message from
the domain a.com, his Voltage SecureMail Encryption Client authenticates to the SecureMail server
to retrieve his key.
• If Brian does not have the Voltage SecureMail Encryption Client, the message includes an
attachment named message_zdm.html, which directs him to a web page where he can authenticate
and read the message.

Understanding Public Key Infrastructure (PKI) Keys


The Voltage Public Key Infrastructure (PKI) service allows you to import public and private keys for
S/MIME and PGP users. You can also create an S/MIME or PGP key for a user.
To support decryption of inbound S/MIME or PGP messages to an internal user, import the internal
user's public and private keys on the PKI Keys tab. To support S/MIME or PGP encryption of
outbound messages to an external user, import the external user's public key, and the internal user's
public and private keys, on the PKI Keys tab.
Creating a key for a user enables the Voltage SecureMail Gateway to encrypt and decrypt messages
from a user for whom a signing key does not exist.
You can also use domain certificates instead of using the individual keys. See Using Domain
Certificates/Keys for more information.
For information regarding which versions of Symantec Encryption Desktop are supported for use with
Voltage SecureMail, see Supported Versions of PGP.
From the PKI Keys tab, you can perform any of the following tasks. Click the following links for details:
• Create a PKI key
• Import a Key
• Export a Key
To export a key:
1. Click Export in the Action column for the key that you want to export.
2. Click Save in the File Download box.
3. Enter a name and location for the file, and then click Save in the Save As box.
The key is exported to a file with a .asc extension.
• Add a Domain S/MIME Identity
• Delete a Domain Identity
To delete a domain identity:
◦ Click the Delete Domain Identity link in the Domain S/MIME Identities table for the identity that
you want to delete.
• Delete a Key
To delete a key:
◦ Click the Delete link in the Gateway PKI Keys table for the key that you want to delete.

Setting Up the Gateway to Encrypt and Decrypt Emails Using S/MIME or PGP
To enable the SecureMail Gateway to encrypt and decrypt email using S/MIME or PGP:
1. Export the user’s key(s) from his or her computer. For instructions on exporting certificates see
one of the following topics:

• Exporting an S/MIME User's Public Key
• Exporting a Certificate and Private Key
• Exporting PGP Keys

NOTE: To use a domain S/MIME certificate to encrypt and/or decrypt emails for a whole
domain, see Using Domain Certificates/Keys. For information regarding which versions of
Symantec Encryption Desktop are supported for use with Voltage SecureMail, see
Supported Versions of PGP.

2. In the Services > Gateway Service tab, click a tenant name in the Configured Gateway Services
table.
3. Click the PKI Keys tab.
4. Receive and import the key(s). See Understanding Public Key Infrastructure (PKI) Keys for
instructions.
5. Define rules to perform encryption and decryption using S/MIME or PGP. See Understanding
Gateway Rules for information.

Using Domain Certificates/Keys


With the Voltage SecureMail Gateway, you can create a domain certificate for encrypting outgoing and
decrypting incoming S/MIME messages.
You can also import a domain certificate from an external SecureMail Gateway for use when encrypting
S/MIME messages to a specified domain or domains.
To use a domain certificate:
1. Generate a new key/certificate and get it signed by a CA. See Creating a PKI Key, on the next
page for instructions.

NOTE: If you are importing an existing certificate, skip this step and proceed with Step 2.

2. Import your certificate, and enter a domain name for which the certificate will be used to sign,
encrypt, and decrypt all S/MIME emails. See Importing a PKI Key for instructions.
3. Import an external certificate for external users and domains. Enter the domain name. This
certificate will be used for encrypting emails to the specified domain.

4. Enter the rules for processing the emails in the configuration file. See the usePKI and
useDomainPKI rule topics in the SecureMail Gateway Configuration Guide for instructions.

Deleting a User's Keys


1. On the Services > Gateway Service page, click a tenant name in the Configured Gateway
Services table.
2. Click the PKI Keys tab and find the Key Identity (user name) in the Gateway PKI Keys or
Domain S/MIME Identities table.
3. Click Delete in the Gateway PKI Keys table or Delete Domain Identity in the Domain S/MIME
Identities table.
4. Click OK. The key is deleted.

Creating a PKI Key


To create a PGP PKI key:
1. In the Services > Gateway Service tab, click a tenant name in the Configured Gateway
Services table.
2. Click the PKI Keys tab, then click Create Key in the Gateway PKI Keys table.
3. Select OpenPGP from the Key Type list.
4. In the Email Address text box, enter the email address of the user for whom you are creating the
key.
5. In the Name text box, enter the name to display for the user in the Gateway PKI Keys table.
6. Click Finish.

To create an S/MIME PKI Key:


1. In the Services > Gateway Service tab, click a tenant name in the Configured Gateway
Services table.
2. Click the PKI Keys tab, then click Create Key in the Gateway PKI Keys table.
3. Select S/MIME from the Key Type list.
4. In the Email Address text box, enter the email address of the user for whom you are creating the
key.
5. In the Name text box, enter the name to display for the user in the Gateway PKI Keys table.
6. Enter the Organization, City, State/Province and Country of the user for whom you are creating
the key and then click Next.
7. Click Next to export a CSR.

You must export the Certificate Signing Request (CSR) and have it signed by a CA, as described in
Exporting a CSR.

Exporting a CSR
To export a CSR:

1. Click Export CSR next to the Certificate Signing Request for which you are exporting the CSR.
2. In the Save As text box, enter the location for the CSR. The filename will be the email address for
which you are creating the key, with a file extension of csr. You can also copy the text in the
Certificate Signing Request box and paste it into a file or a Certificate Authority site. Be sure to
copy the whole block, including the BEGIN and END delimiter lines (a PEM-encoded CSR is
delimited by "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----").
3. Click Save and Import Later. This saves the key that you are creating so that you can import the
certificate later.
4. Click Finish.
5. When you have submitted the CSR and received the certificate back from the CA, you must
import it.

Importing a Certificate
To import a certificate:
1. Click Import Certificate in the Gateway PKI Keys table. Note that this link is only available after
you have exported the CSR. The Create PKI Key page displays.
2. Make sure that the Save and Import Later check box on the Create PKI Key page is clear.
3. Locate the certificate that the issuing authority has sent.

The form of the certificate is similar to the following:


-----BEGIN CERTIFICATE-----
MIIDHTCCAgWgAwIBAgIBDjANBgkqhkiG9w0BAQUFADCBkjEVMBMGA1UEAxMMVm9s
tfJtTySMD3K2EEZnvdRPW4CkBE1YCgo/a2f2lbxjZRU7
-----END CERTIFICATE-----
4. Copy the certificate text, including the "-----BEGIN CERTIFICATE-----" and
"-----END CERTIFICATE-----" delimiters.

5. In the Signed Certificate text box, paste the certificate text into the space provided.
6. Click Finish.

Importing a PKI Key


Before you can import an S/MIME or OpenPGP key for a user, you must first export the key. See one of
the following topics for instructions:
• Exporting an S/MIME User's Public Key
• Exporting a Certificate and Private Key
• Exporting PGP Keys

To import a key:
1. On the Services > Gateway Service tab, click a tenant name in the Configured Gateway
Services table.

2. Click the PKI Keys tab.


3. Click Import Key at the top of the Gateway PKI Keys table.

NOTE: If you have already imported S/MIME or OpenPGP keys for a user, you must first
delete the existing key for that user. To delete a key, find the user name in the table and
click Delete in the row for that user. For information regarding which versions of Symantec
Encryption Desktop are supported for use with Voltage SecureMail, see Supported
Versions of PGP.

4. From the Key Type list, select either S/MIME or OpenPGP, depending on the type of key you are
importing.
5. In the Key File text box, click Browse to navigate to the file.
6. Select the file on your file system that contains the internal user’s public and private keys and then
click Open.
For an S/MIME key, the file must be in PKCS #12 format. For an OpenPGP key, the file must be in
ASCII armored (ASC) format.

NOTE: The expiration dates of the public and private keys are not checked. Please
manually verify that the user’s keys have not expired before importing. An expired key will
cause the encrypt operation to fail.

7. If the file requires a password, enter the password for the private key in the Private Key
Password text box.
8. Click Finish.
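
The NOTE above says the Gateway does not check expiry at import and that an expired key makes the encrypt operation fail, so check the validity window yourself before importing. The following is an added example, not part of the product or of this guide: a minimal Python parser that reads notBefore/notAfter out of a PEM X.509 certificate (the certificate the CA returned, or the certificate extracted from the PKCS #12 file with a tool such as openssl pkcs12 -nokeys) and reports whether it is currently valid. Because no real certificate can be shipped with the example, the block also builds a structurally valid but unsigned certificate skeleton as constructed sample input; run the check against your real file.

```python
import base64
import re
from datetime import datetime, timezone
from typing import Iterator, Optional, Tuple

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _asn1_time(tag: int, value: bytes) -> datetime:
    text = value.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ, RFC 5280 4.1.2.5.1
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:                      # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der: bytes) -> Tuple[datetime, datetime]:
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate SEQUENCE
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:    # optional explicit [0] version
        fields = fields[1:]
    validity = fields[3][1]                # serial, signature, issuer, validity, ...
    (t1, v1), (t2, v2) = list(_children(validity))[:2]
    return _asn1_time(t1, v1), _asn1_time(t2, v2)


def is_currently_valid(pem: str, now: Optional[datetime] = None) -> bool:
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(pem_to_der(pem))
    return not_before <= now <= not_after


def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_certificate_pem(not_before: datetime, not_after: datetime) -> str:
    """Constructed sample input: an UNSIGNED X.509 skeleton (empty names, empty
    key, dummy signature) so the parser has something to read. It is not a real
    certificate and no CA or MTA would accept it."""
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),   # [0] version v3
        _der(0x02, b"\x01"),               # serialNumber 1
        sha256_rsa,                         # signature algorithm
        _der(0x30, b""),                    # issuer (empty Name)
        _der(0x30, utc(not_before) + utc(not_after)),
        _der(0x30, b""),                    # subject (empty Name)
        _der(0x30, b""),                    # subjectPublicKeyInfo placeholder
    ]))
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 5))
    b64 = base64.b64encode(cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Call is_currently_valid() on the PEM text you are about to paste into the Signed Certificate box (or on the certificate extracted from the user's PKCS #12 file) and refuse the import when it returns False; the parser handles both UTCTime and GeneralizedTime encodings of the validity fields.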

Adding an S/MIME Domain Identity


To add a new S/MIME domain identity:
1. On the Services > Gateway Service tab, click a tenant name in the Configured Gateway
Services table.
2. Click the PKI Keys tab.
3. Click Add Domain S/MIME Identity at the top of the Domain S/MIME Identities table.
4. In the Domain text box, enter the domain for which you are creating the identity, for example,
companya.com.
5. Enter an Email Address such as name@companya.com.
When you create a domain S/MIME identity, you can cover multiple email addresses by
constructing rules with the following syntax. You can use as many rules as you need for each
domain identity:
? - Matches any single character.
* - Matches any sequence of zero or more characters.
| - Ends one rule and begins another.

Examples
*@acme.com  Matches any acme.com email address
*@acme.co*  Matches any acme.com, acme.co.uk, acme.co.jp, acme.co.it, and so forth, address
jsmit?@acme.com  Matches jsmith@acme.com and jsmits@acme.com, but not jsmithers@acme.com or pjsmith@acme.com
*@acme.com|*@nadir.com  Matches any acme.com or nadir.com email address
6. Click Finish. The new domain identity is added to the Domain S/MIME Identities table.
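
The wildcard syntax above is shared by the Values text box on the Rule Conditions tab (?, *, the \ escape, OR'd values, and the All/Any choice for a rule with several conditions) and by the email-address rules of a Domain S/MIME identity (with | separating alternatives). The following is an added example, not part of the product or of this guide, that implements both: the pattern compiler, the Matches/Contains/Does Not Match operators, a rule evaluator honouring All and Any, and the | rule separator for domain identities. The way the message attributes are represented, the sample message, and the reading of Does Not Match for several values are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence


def wildcard_to_regex(pattern: str, anchored: bool = True) -> "re.Pattern[str]":
    """Translate a Values-box or identity pattern into a case-sensitive regex.

    '?' matches one character, '*' matches zero or more, and '\\' escapes the
    next character so that a literal '*', '?' or '\\' can be matched. With
    anchored=False the pattern may occur anywhere in the value (Contains).
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        parts.append("." if c == "?" else ".*" if c == "*" else re.escape(c))
        i += 1
    body = "".join(parts)
    return re.compile(rf"\A{body}\Z" if anchored else body, re.DOTALL)


def matches_any(value: str, patterns: Sequence[str]) -> bool:
    """True when the value fully matches at least one pattern (patterns are OR'd)."""
    return any(wildcard_to_regex(p).match(value) is not None for p in patterns)


def domain_identity_covers(address_rules: str, address: str) -> bool:
    """Domain S/MIME identity address rules: '|' ends one rule and begins another."""
    return matches_any(address, [rule for rule in address_rules.split("|") if rule])


@dataclass
class Condition:
    attribute: str      # e.g. "Envelope Sender", "Subject", "Remote IP Address"
    operator: str       # "Matches", "Contains" or "Does Not Match"
    values: List[str]   # one line of the Values text box each, OR'd together

    def holds(self, message: Dict[str, List[str]]) -> bool:
        # Attributes such as Envelope Recipient can carry several values; the
        # condition holds if any of them satisfies the operator.
        actuals = message.get(self.attribute, [])
        if self.operator == "Matches":
            return any(matches_any(a, self.values) for a in actuals)
        if self.operator == "Contains":
            return any(wildcard_to_regex(p, anchored=False).search(a) is not None
                       for a in actuals for p in self.values)
        if self.operator == "Does Not Match":
            # Assumption for this example: holds when no attribute value matches
            # any listed pattern (the guide does not spell this case out).
            return not any(matches_any(a, self.values) for a in actuals)
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    take_action_if: str = "All"   # "All" (AND, the default) or "Any" (OR)

    def applies(self, message: Dict[str, List[str]]) -> bool:
        results = [c.holds(message) for c in self.conditions]
        if not results:
            return False
        return all(results) if self.take_action_if == "All" else any(results)


# Constructed sample message, modelled on the Sample Scenario in this guide:
# keys are the Attribute names, values are what the gateway would extract.
STATEMENT_MSG: Dict[str, List[str]] = {
    "Envelope Sender": ["statements@a.com"],
    "Envelope Recipient": ["Brian@otheraddress.com"],
    "Subject": ["Trade confirmation 2020-10-01"],
    "Remote IP Address": ["10.1.2.3"],
}

STATEMENTS_RULE = Rule("Statements Rule",
                       [Condition("Envelope Sender", "Matches", ["statements@a.com"])])
```

Note that matching is case sensitive, exactly as the guide states: a rule written for *@acme.com does not fire for JDoe@ACME.com, so list the spellings you actually receive or normalise addresses upstream.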

Exporting an S/MIME User's Public Key


To export an S/MIME user's public key:
1. Open an Internet Explorer browser window.
2. From the Tools menu, select Internet Options.
3. Click the Content tab and then click Certificates.

4. Click the Other People tab.


5. Click the certificate that you want to export and click View.
6. Click the Details tab and then click Edit Properties.

7. Ensure that the Friendly Name field is blank. If there is a name in the field, delete it.
8. Click OK until you return to the Certificate window with the certificate selected.
9. Verify the expiration date for the certificate to ensure that it has not expired and then click Export
to start the Certificate Export Wizard.
10. Click Next at the first screen to continue the certificate export process.
The default setting on the next screen exports the certificate in DER format.
11. Select the second option, Base-64 encoded X.509, and then click Next.

12. On the next screen, enter a file name for the saved certificate file, or click Browse to select the
file name.
13. Click Next to proceed to the next screen.
A summary of the settings that you have entered is displayed.
14. Review the information that you have entered up to this point and click Finish to complete the
process.
When you see the following confirmation pop-up, you have successfully exported the certificate to
a file.

Exporting a Certificate and Private Key


To export a certificate and private key:
1. Open an Internet Explorer browser window.
2. From the Tools menu, select Internet Options.
3. Click the Content tab and then click Certificates.

4. Click the Personal tab.

5. Click the certificate that you want to export and then click View.
6. Click the Details tab and then click Edit Properties.
7. Ensure that the Friendly Name field is blank. If there is a name in the field, delete it.
8. Click OK until you return to the Certificate window with the certificate selected.
9. Verify the expiration date for the certificate to ensure that it has not expired and then click Export.
This will start the Certificate Export Wizard.
10. Click Next to proceed.
11. Click Yes, export the private key to select it, and then click Next to proceed.

12. Click Include all certificates in the certification path if possible to select it.
13. Clear the boxes labeled Enable strong protection and Delete the private key if export is
successful.
14. Click Next to continue.
15. Enter a Password that you want to use for the certificate file. Enter the password again to confirm.
16. Click Browse and navigate to your My Documents folder. Once there, enter a file name for the
export file.
17. Click Finish to complete the certificate export process.
When you see the following confirmation pop-up, you have successfully exported the certificate to
a file.

18. Click OK and then Close to finish this part of the process.
The person who is administering the PKI Manager must receive a copy of this file.
19. Open your email program and compose an email message to your administrator. Send the file that
you just exported as an attachment to the email. The file contains your private key, protected only
by the password you entered in step 15, so choose a strong password and give it to the
administrator through a separate channel (for example, by phone), never in the same message as
the file.

20. After you are sure that your administrator has received the file, delete the original copy from your
hard drive.

Exporting PGP Keys


1. Open the Symantec Encryption Desktop and select the keyring where the PGP key that you want
to export is stored.

NOTE: For information regarding which versions of Symantec Encryption Desktop are
supported for use with Voltage SecureMail, see Supported Versions of PGP.

2. Verify the expiration date for the key to ensure that it has not expired.
3. Right-click on the key and click Export from the list to open the Export Key to File menu.
4. In the Export Key to File menu, if you want to export the private key as well as the public key,
select the Include Private Keys check box. If you are only exporting the public key, do not select
this check box.

NOTE: If you are exporting another user’s PGP key, you do not have the private keys
associated with the public key. Therefore, the check box for Include Private Keys is
unavailable. You cannot export the other user’s private key.

5. Enter the file where you want to store your PGP keys.
6. Click Save to complete the process.

Using Sendmail Interfaces for Reencryption


If your organization needs to decrypt and then re-encrypt emails, the easiest way to accomplish this is
to use two Sendmail interfaces, assigning each Sendmail interface its own IP address. There are
various reasons that you might need to re-encrypt messages. This topic provides examples to help you
determine if you need to configure re-encryption.
A common reason to re-encrypt outbound client messages is to improve usability for message
recipients. When a message is encrypted by the Voltage SecureMail Encryption Client, recipients must
choose their identity to be able to download a decryption key. When the gateway re-encrypts, it splits
the message so that each recipient receives a version that only they can decrypt. When recipients read
the message with ZDM, the server already knows the email address and can get the decryption key
without requiring the recipient to choose their email address from a list.
Another reason to re-encrypt messages is if encrypted messages are scanned (such as for viruses)
before they are sent to external recipients. These messages must be decrypted before scanning and
then re-encrypted afterward. The client sends encrypted messages to the content scanner, which
detects that the message is encrypted. The content scanner then sends the message to the gateway
decryption interface. The gateway decrypts the message and adds an X-header named "X-VS-IDS" to
all decrypted emails. This X-header contains the identities to which the original email was encrypted.
The gateway sends the decrypted message to the content scanner where it is scanned and viruses are
removed. The content scanner then sends the message to the gateway encryption interface where it is
re-encrypted. To route the decrypted messages back to the Voltage SecureMail Gateway, configure a
rule on the content scanner to filter messages containing the "X-VS-IDS" X-header and route them
back to the Voltage SecureMail Gateway.

If you decide that you want to re-encrypt messages at the gateway, see Configuring Sendmail
Interfaces for Reencryption for configuration instructions and examples.

Configuring Sendmail Interfaces for Reencryption


To configure Sendmail interfaces for reencryption:
1. Click the System tab, then expand Resources, and click Gateway SMTP.
2. On the Gateway SMTP General tab, click Enable Multiple Listen Interfaces.
3. In the Listen Interfaces text box, enter the name of an interface and then click Add. Do this for
two interfaces. Name the interfaces according to their purposes. For the purposes of this
documentation only, the two interfaces are named encrypt and decrypt.
See Configuring Gateway SMTP Settings for more information on this page. An example is shown
below:

4. Click Save and Exit.


5. On the System tab, under Resources, click Outgoing Mail SMTP server.
6. In the Outgoing Mail (SMTP) section, click the (Specify Local Interface) option for the Host
Name.
7. Select Decrypt from the list.
This is the interface to which you want to route the emails encrypted by the ZDM so that they can
be decrypted by the Gateway.

Outgoing messages from the client must be routed by Microsoft Exchange to go through the
Decrypt interface.

See Configuring an Outgoing Mail (SMTP) Server for more information about this page. An
example is shown below:

8. Click Save and Exit.


9. Click Services > Gateway Service.
10. Click the name of the tenant that you are configuring.
11. Click the General tab, then select the Enable Re-encrypt Mode check box. See Configuring
Gateway General Parameters for more information.
12. Click Save and then click Exit.
13. On the Gateway Service tab, click All Tenants.
14. Click the Policy Routes tab.
15. Click New Policy Route and add two policy routes, similar to the example below:

• Add a Policy Route for InternalDelivery. Set the Route Destination for your internal SMTP
server, set the Client Interface to decrypt, and set the HELO Name to
decrypt.my.company.com.
• Add a second Policy Route for ExternalDelivery. Set the Route Destination for the encrypt
interface, set the Client Interface to decrypt, and set the HELO Name to
decrypt.my.company.com. See Configuring Policy Routes for more information.

16. Click Services > Gateway Service.


17. Click the tenant you want to configure.
18. Click the Gateway Rules tab.
19. Create three Gateway policy rules. See Adding a Policy Rule for more information. An example is
shown below:

20. When you have added the rules, click on each rule and then click the Advanced tab.
21. Select the Specify Route check box.
22. Select the appropriate Policy Route. The list contains the policy routes that you added in step 15
above. In this example, you would select the InternalDelivery policy route for the Decrypt for
internal delivery policy rules. You would select the OutForReEncrypt policy route for the
Decrypt for Re-encrypt policy rule. An example of how the rules look after you add the Policy
Route information is shown below:

23. Click Save and Exit.

Encrypting Emails to Bcc Recipients Using the Client and Gateway Rules

By default, the Voltage SecureMail Encryption Client does not allow messages containing Bcc
recipients to be sent securely because the message would reveal information about the Bcc recipients.
However, you can configure Voltage SecureMail Encryption Client to add an X-Header to messages
when a user clicks Send Secure. When the X-Header is added, the Voltage SecureMail Gateway
service detects the X-Header and splits the message, sending a separate secure message to the Bcc
recipients. This way, the other recipients are not aware that the Bcc recipients received the email.

IMPORTANT:
Micro Focus strongly recommends careful use of the Voltage SecureMail Encryption Client Bcc
feature. When the feature is enabled, the Send Secure button causes the message to NOT be
encrypted when Bcc recipients are present. The Gateway encrypts the message to all external
recipients, but does not encrypt the message to internal recipients. To warn users of this fact,
the end user receives the following message after clicking Send Secure, indicating that the
internal recipients will receive an insecure message:

Encrypting Emails to BCC Recipients


You enable the Bcc feature by adding a registry entry on the Voltage SecureMail Encryption Client
users’ machines and an encrypt rule in the Gateway Services page of the Management Console. You
can customize the header name and header value using a registry entry. You can make the registry
entries on Voltage SecureMail Encryption Client users’ machines using a registry push. See the
Voltage SecureMail Encryption Client Administrator Guide for information about configuring the client.
To enable the Bcc feature:
1. On the Voltage SecureMail Encryption Client users’ machines, in the following registry key:
HKEY_CURRENT_USER\Software\Voltage\VSOutlook
add a DWORD value named bccSupport.
2. Enter a value of 1 in bccSupport to enable the Bcc feature.
When the value is set to 1, if the user adds a Bcc recipient to an email and clicks Send Secure,
the client adds a header name of X-Voltage and a header value of encrypt.

NOTE: If the bccSupport value is set to 0, the Bcc support is turned off and the email is
not sent if Bcc recipients are present.

3. In the Management Console, click Services > Gateway Service.


4. Click the name of the tenant you want to configure, then click the Gateway Rules tab.
5. Add a header rule to encrypt the message containing the X-Voltage header. See Adding or Editing
Header Rules for instructions. The following is an example of a Bcc header rule:

NOTE: You can customize the header name and header value by adding two string values
to the registry. See Customizing the Bcc Header Name and Value for instructions.

Customizing the Bcc Header Name and Value


This procedure is optional. See the Voltage SecureMail Encryption Client Administrator Guide for
information about configuring the client.
To customize the Bcc header name and value:
1. On the Voltage SecureMail Encryption Client users’ machines, in the following registry key:
HKEY_CURRENT_USER\Software\Voltage\VSOutlook
add a DWORD value named bccSupport.
2. Enter a value of 1 in bccSupport to enable the Bcc feature.
When the value is set to 1, if the user adds a Bcc recipient to a message and clicks Send Secure,
the client adds a header name of X-Voltage and a header value of encrypt.

NOTE: If the bccSupport value is set to 0, the Bcc support is turned off and the message
will not be sent if Bcc recipients are present.

3. In the following registry key:
HKEY_CURRENT_USER\Software\Voltage\VSOutlook
add the following string values:
bccXHeaderName
bccXHeaderValue
4. In the value data for each of the string values, enter the header name and header value that you
want to use for messages sent securely with Bcc recipients.
5. In the Management Console, go to Services > Gateway Service.
6. Click the name of a tenant, then click the Gateway Rules tab.
7. Enter a header rule that matches the name and value that you entered. See Adding or Editing
Header Rules for additional instructions.

Enabling the FlagSecure Configuration


The Voltage SecureMail Encryption Client (version 5.1 or later) can be configured to flag messages to
be encrypted at the Voltage SecureMail gateway when users click the Send Secure button, rather than
encrypting messages directly on the local machine. In this FlagSecure configuration, the Voltage
SecureMail Encryption Client adds an X-Header to the message when a user clicks the Send Secure
button. The gateway detects the X-Header and encrypts the message to the external recipients. Since
messages to internal recipients do not go through the gateway, they are not encrypted. See the
Voltage SecureMail Encryption Client Administrator Guide for details about configuring a FlagSecure
client.

IMPORTANT: Micro Focus strongly recommends careful use of the FlagSecure configuration
because messages are encrypted to all external recipients, but not encrypted to internal
recipients. To warn users of this fact, the sender sees the following message after clicking the
Send Secure button.

The FlagSecure configuration works in conjunction with an encrypt gateway rule on the Services >
Gateway Service tab of the Management Console.
To add an encrypt rule to work with the FlagSecure configuration:
1. On the Management Console, click Services > Gateway Service.
2. In a system with multiple tenants, click the name of the tenant you want to configure.
3. Click the Gateway Rules tab.
4. Click New Policy Rule to open the New Policy Rule wizard.
5. On the General Configuration page of the wizard, enter a title for the rule (such as FlagSecure
Encrypt Rule) in the Name text box.
6. In the Action section, select Encrypt, then select Reject if the encryption fails, and then click
Next.
7. On the New Rule Condition page, select Custom Header from the Attribute menu, and type X-Voltage
in the Header Name text box.
8. Select Matches from the Operator menu, then enter encrypt in the Values field.
9. Click Add Condition, then click Finish.

The Gateway Rules tab displays, with the new condition included in the Gateway Policy Rules
table, similar to the following example:

10. Click the System tab, then click Update All Clusters.

You must update all clusters any time you add or update gateway policy rules in order for them to
take effect.
To remove the header after the message is encrypted:
1. On the Gateway Rules tab, click New Header Rule.
2. Type a title for the rule (such as Remove FlagSecure Header) in the Name text box.
3. Select Delete Header from the Action menu.
4. Select Encrypt Succeeded from the Condition menu.
5. Enter Voltage in the Header Name text box (Voltage is automatically prefixed with the value X- in
the rule itself, and appears as X-Voltage).
6. Enter encrypt in the Header Value text box.
7. Click Finish to return to the Gateway Rules tab.

The new rule, similar to the following example, appears in the table.

8. Click the System tab, then click Update All Clusters.

You can also consider adding a rule to automatically decrypt encrypted messages. A decrypt rule can
help internal recipients who receive encrypted messages from outside of your organization. See Adding
a Policy Rule and Adding or Editing Header Rules for details about adding gateway rules.
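The header handling this chapter relies on can be followed in a small model. The following added example is written for this guide and is not Voltage SecureMail gateway or client code: it models the content scanner's X-VS-IDS routing rule from the re-encryption flow, the Bcc split performed by the gateway, and the FlagSecure/Bcc encrypt rule on X-Voltage: encrypt together with the header rule that deletes the header once encryption succeeds. The header names and the value encrypt come from this chapter; the sample message, the addresses, the function names, the stand-in encryption step and the one-copy-per-Bcc-recipient split are assumptions.

```python
"""Header-driven gateway behaviour modelled in plain Python (added example, not gateway or
client code).  It models three things this chapter describes: the content-scanner rule that
routes messages carrying X-VS-IDS back to the gateway for re-encryption; the FlagSecure / Bcc
encrypt rule (Custom Header X-Voltage Matches "encrypt", Reject if the encryption fails) with the
Delete Header rule on Encrypt Succeeded; and the Bcc split.  The sample message, the addresses
and the one-copy-per-Bcc-recipient split are assumptions (the guide only says the Bcc
recipients get a separate secure message)."""
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Callable, List, Tuple

# Constructed sample: what the Encryption Client hands to the gateway when bccSupport
# is enabled and the user clicks Send Secure (the client adds X-Voltage: encrypt).
SAMPLE = """\
From: alice@corp.example
To: bob@partner.example
Cc: carol@corp.example
Bcc: dave@other.example, erin@other.example
Subject: Q3 numbers
X-Voltage: encrypt

Please see the attached figures.
"""

def parse(raw: str) -> EmailMessage:
    """policy.default gives structured address headers and case-insensitive header names."""
    return message_from_string(raw, policy=policy.default)

def clone(msg: EmailMessage) -> EmailMessage:
    """Independent copy of a message (serialise and re-parse)."""
    return parse(msg.as_string())

def scanner_route(msg: EmailMessage) -> str:
    """Content-scanner routing rule from the re-encryption flow: the gateway stamps every
    decrypted message with X-VS-IDS, so its presence means 'send this back to the gateway
    encrypt interface'; everything else stays on the normal outbound path."""
    return "gateway-encrypt" if msg.get("X-VS-IDS") is not None else "outbound"

def header_matches(msg: EmailMessage, name: str, value: str) -> bool:
    """Custom Header / Matches condition: name compared case-insensitively (RFC 5322),
    value compared exactly after trimming; any one of several same-named headers counts."""
    return any(str(v).strip() == value for v in msg.get_all(name, []))

def addresses(msg: EmailMessage, header: str) -> List[str]:
    """addr-spec list for an address header, [] when the header is absent."""
    h = msg[header]
    return [a.addr_spec for a in h.addresses] if h is not None else []

def split_for_bcc(msg: EmailMessage) -> List[Tuple[List[str], EmailMessage]]:
    """(envelope recipients, message) pairs the gateway would send.  Every copy has the Bcc
    header removed; the visible copy goes to To/Cc and each Bcc recipient gets a copy
    addressed only to them, so no delivered copy discloses the Bcc list."""
    visible = clone(msg)
    del visible["Bcc"]                                   # removes every Bcc header line
    copies = [(addresses(msg, "To") + addresses(msg, "Cc"), visible)]
    for rcpt in addresses(msg, "Bcc"):
        copies.append(([rcpt], clone(visible)))
    return copies

def apply_encrypt_rule(msg: EmailMessage, encrypt: Callable[[EmailMessage], None]) -> str:
    """Encrypt rule plus the header rule.  `encrypt` stands in for the gateway's encryption
    step and raises on failure.  X-Voltage is deleted only after success, so a rejected
    message still shows why it was selected.  Returns 'passed', 'encrypted' or 'rejected'."""
    if not header_matches(msg, "X-Voltage", "encrypt"):
        return "passed"
    try:
        encrypt(msg)
    except Exception:
        return "rejected"                                # Reject if the encryption fails
    del msg["X-Voltage"]                                 # Delete Header, condition Encrypt Succeeded
    return "encrypted"

def demo() -> dict:
    """Run the constructed sample through the rules and report what happened."""
    def mark(m):                                         # stand-in for a successful encryption
        m["X-Demo-Encrypted"] = "yes"
    def fail(m):                                         # stand-in for a failed encryption
        raise RuntimeError("encryption failed")
    ok, bad, plain = parse(SAMPLE), parse(SAMPLE), parse("Subject: hello\n\nno X-Voltage here\n")
    decrypted = parse("X-VS-IDS: bob@partner.example\n" + SAMPLE)
    return {
        "route_plain": scanner_route(ok),
        "route_decrypted": scanner_route(decrypted),
        "copies": [(rcpts, m.get("Bcc")) for rcpts, m in split_for_bcc(ok)],
        "encrypt_ok": apply_encrypt_rule(ok, mark),
        "header_after_ok": ok.get("X-Voltage"),
        "encrypt_fail": apply_encrypt_rule(bad, fail),
        "header_after_fail": str(bad.get("X-Voltage")),
        "no_header": apply_encrypt_rule(plain, mark),
    }
```

Calling demo() runs the sample through every rule. The header is removed only on the success path, which is what the Encrypt Succeeded condition of the Delete Header rule expresses: a message rejected because encryption failed keeps its X-Voltage header, so it can still be identified as one the client meant to send securely.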

Understanding the Enrollment Service


The Enrollment Service is one of the authentication methods available as part of the IBE Service for
users of both the Voltage Zero Download Messenger (ZDM) and the Voltage SecureMail Encryption
Client. When you enable and configure the Enrollment Service, a user who receives an encrypted email
is directed to the Enrollment Service to log in before decrypting and viewing encrypted email. See
Adding an Enrollment Service Authentication Method for details about enabling this authentication
method.
The Enrollment Service requires the first-time user to create a username and password. When users
receive subsequent messages, they can use the password to log into the Enrollment Service. You can
also configure the Enrollment Service to send an email address verification message to verify that the
user who is attempting to enroll is the intended recipient.
When the user is logged in and authenticated, the Enrollment Service directs the user to the IBE Key
Management Server with an authorization token that allows the retrieval of a decryption key.
Click Services > Enrollment Service to display either the Enrollment Service Summary page or
the Configure Enrollment Service page, depending on whether multiple tenants are configured.

You configure the Enrollment Service separately for each tenant. If you have multiple tenants and want
users to be able to have a single account, select the Share Users check box for those tenants. See
Understanding Global Enrollment for details about using this feature.
If you click one of the tenants, or if you have a single tenant, the Configure Enrollment Service page
for that tenant displays. The Configure Enrollment Service page contains the following tabs that let
you configure settings used for the Enrollment Service authentication method:
• User Management - View and manage Enrollment Service users.
• First-time Use - Specify when to require the Enrollment Service to send an email address
verification message, and to configure enrollment confirmation settings.
• Password Policies - Configure password requirements such as minimum length and whether to
require numbers, special characters or capital letters. You can also configure rules that determine
when a user must change their password.
• Password Recovery - Configure how a user can reset a lost password.
• Recovery Questions - Configure a set of questions that users can set up in order to use a question
and answer method for resetting a forgotten password.

Understanding Global Enrollment


In an environment with multiple tenants, it is possible for a user to receive messages from more than
one tenant. Rather than forcing the recipient to enroll in multiple tenants, you can use the global
enrollment feature to let recipients use a single password to authenticate across all tenants. The user
then has a single sign-on experience for the global enrollment tenants.
To use the global enrollment feature, select the Share Users check box for at least two tenants on the
Enrollment Service Summary page, then click Save. After you update the cluster, all user enrollment
information for the selected tenants is shared. Users who are already enrolled in any of the shared
tenants can use their existing credentials to read secure messages from users in any of the shared
tenants.
After enabling shared users, the software automatically shares the brands among the tenants, and you
are not allowed to use the same brand name for multiple shared tenants. If the same brand name is
used for multiple shared tenants, an error message displays, and you cannot update the cluster until
each shared tenant uses unique brand names.
Users will see the same brand throughout the ZDM and authentication experience, no matter which
tenant they are enrolled on or reading a message on.

NOTE: Users who were enrolled in multiple tenants before the tenants were shared might have
difficulty authenticating. To avoid confusion for these users, you can remove them from one of
the tenants:

1. Click the Events tab and search for the phrase Duplicate Users.

A list of events that show the duplicate users displays. These events occurred when you initially
chose the tenants that share users.
2. Record the email addresses for the duplicate users, since you will need this information in
subsequent steps.
3. Click Services > Enrollment Service, then click the name of one of the shared tenants.
4. Search for the email addresses of duplicate users that you recorded in Step 2, then select those
users by clicking the check box to the left of each of their names.
5. Click the Delete selected users option, then click Save.

The duplicate users are removed from that tenant.


If more than two tenants share users, you might need to search each of those tenants to determine
which ones contain the duplicate users.

Enrollment User Management


The User Management tab of the Configure Enrollment Service page lets you view and manage
users of the Enrollment Service. From this tab, you can view the list of users, view and update account
information, change users to Active status, delete users, and specify whether inactive accounts are
automatically deleted. If you have multiple tenants, you can also use this page to move users to a
different tenant.
To display this page, click Services > Enrollment Service, then click the tenant name for which you
want to configure the Enrollment Service. If only one tenant is configured, the Configure Enrollment
Service page opens directly to the User Management tab.

You can perform the following tasks directly from the User Management tab:
• To search for a specific user, enter a whole or partial email address in the Search Users text box,
then click Go.

The list of users that match the search criteria is displayed in the Users table. To return to the
complete list of users, click Show All.
• To change the status of users (from Suspended, Locked, or Unverified) to Active, select the check
box (at the left side of the table) for those users, click Change selected users to Active status
below the table, and then click Save. Click OK to confirm the change in status. To suspend a user,
click the user’s email address and select Suspended from the User Status list on the Enrollment
Service User Details page.

NOTE: You can group all users with the same status by clicking the User Status column
name. This sorts the table by user status, which can make it easier to see which users need
to have their status changed. To sort the table by email address, click the Email column
name.

• To delete users, click the check box (at the left side of the table) for those users, click Delete
selected users below the table, and then click Save. Click OK to confirm the user deletion.
• To move users from the current tenant to another tenant, click the check box (at the left side of the
table) for those users, click the Move selected users to tenant option below the table, choose the
name of the new tenant for those users, and then click Save. Click OK to confirm the move. Note
that this option is particularly useful if you are using the global enrollment feature. See
Understanding Global Enrollment for details.

• To view or edit user account information, click the email address of the user that you want to edit.
See Enrollment Service User Details for more information.
• To specify that inactive accounts are removed, select the Automatically Delete Inactive
Accounts check box, and then specify a length of time, in days, that the account has not been used
in order to qualify as inactive. Account deletion occurs once a day for inactive accounts with a status
of Active, Unverified, or Locked. When you initially save this setting, existing accounts that now
qualify as inactive are deleted during the next daily account deletion event.

NOTE: Information about accounts that have been automatically deleted is available in the
Event Data table. Events that list the email addresses of the users that were automatically
deleted contain the value Users deleted automatically in the Summary column of the table.
See Understanding Event Logs for details. The Event Collection level must be set to Normal
in order to enable this feature. See Setting Event Collection and Retention Levels for details.

The Configure Enrollment Service page also includes the following tabs:
• First-time Use - Specify when to require the Enrollment Service to send an email address
verification message, and to configure enrollment confirmation settings.
• Password Policies - Configure password requirements such as minimum length and whether to
require numbers, special characters or capital letters. You can also configure rules that determine
when a user must change their password.
• Password Recovery - Configure how a user can reset a lost password.
• Recovery Questions - Configure a set of questions that users can set up in order to use a question
and answer method for resetting a forgotten password.

Enrollment Service User Details


To view or edit Enrollment Service account information for a specific user, go to the User Management
tab of the Enrollment Services page, then click the email address of the user. This displays the Edit
User Details page, where you can change a user's name, password, and status. You can also view a
log of user events.

You can modify the following values for a specific user:

• To change the name that the user entered when enrolling, type a new value into the Name text box.
• To change the status of a user, select a value from the User Status list. Each user has one of the
following status values:
  • Active - Indicates that the user has enrolled and is able to encrypt and decrypt messages. If a user
  is unable to log into the Enrollment Service because their status is Suspended, Locked, or
  Unverified, you can change this value to Active to enable or reinstate their ability to log in.
  • Suspended - Temporarily prevents the user from logging in. The username is maintained, and can
  easily be reinstated by selecting Active. While suspended, the user cannot log into the Enrollment
  Service to encrypt and decrypt messages.
  • Locked - You cannot select the Locked status. This status is assigned automatically when the user
  tries more than the allowed unsuccessful login attempts. See Enrollment Password Policies for
  information about changing the allowed number of unsuccessful login attempts. If a user has a
  status of Locked, you can provide access to the account by changing the status to Active.
  • Unverified - You cannot select the Unverified status. This status is assigned automatically when
  the user has been added, but has not verified their email address by clicking the link in the email
  address verification message that was sent to them. Note that this status is only used if you specify
  (in the Enrollment First-Time Use page) that an enrollment verification email is required. If a user
  has a status of Unverified, and you are certain that the user is supposed to be enrolled, you can
  change the status to Active.
• To change the password for the user, enter the same password in both the Password and Re-type
Password text boxes. Note that the current password for the user's account is never displayed.

• To view the user events, click Show Events.

The User Events table displays the logged events for the selected user. The Events table entries,
which are not editable, display the following information about each event:
  • Host - The name of the host on which the event took place.
  • Brand - The name of the brand that was used.
  • Time - The time that the event took place.
  • Status - The status of the event; Success, Failure or Info.
  • Summary - A description of the event. The Summary column also contains a Details link for
  each event.
  • Log Level - The log level assigned to the event.
  • Session Id - The session ID assigned to the event.
  • Service - The service running that produced the event.
  • Cluster - The cluster that the host is a part of.

You can view more information about a specific event by clicking Details in the Summary field. This
displays a separate Event Details window. The details displayed on this page differ depending on
the type of event. When you are finished viewing the details, close the Event Details window and
return to the User Details page.

When you are finished making changes for a specific user on the User Details page, click Save and
Exit to return to the User Management page. Click Save to save any changes that you made on the
User Management page.

Enrollment First-Time Use


The First-time Use page lets you configure options to verify that a user who is attempting to enroll for
the first time has control over the email account they are attempting to enroll.
To configure Enrollment settings for first-time users:
1. On the Services > Enrollment Service page, click the name of the tenant for which you want to
configure settings for first-time users. If only one tenant is configured, the Configure Enrollment
Service page opens with the User Management tab open.
2. Click the First-time Use tab to display options for configuring email address verification and
enrollment communication settings.

3. Choose an option to control when the Enrollment Service sends an email address verification
message. The message contains a link that the user clicks to become authenticated. The
verification message is only sent the first time that a user enrolls. After being authenticated once,
the user only needs to enter a password to log in.

The following options are available in the Require Email Address Verification list:
  • When reading or composing a message - The Enrollment Service sends a verification
  message to the user the first time that the user either receives a secure message or goes to the
  Zero Download Messenger (ZDM) web page to compose a message.
  • When composing a message - The Enrollment Service only sends a verification message if
  a user attempts to enroll while composing a secure message. Using this option improves the
  usability of the enrollment experience without compromising security. In most cases, users
  can read the first secure message they receive without receiving a verification message.
  However, under some circumstances, including when the message is sent using the Voltage
  SecureMail Encryption Client, the first secure message has insufficient information to
  complete the authentication process, and the Enrollment Service sends a verification message
  that requires the user to click the link.
  • Never - The Enrollment Service never sends an email address verification message that
  requires the user to click the link.
4. In the Time Allotted to Complete Verification text box, enter the number of minutes that a user
has to click a link in the email verification message. If the user clicks the link after the set time has
expired, the system automatically sends a new email verification message. This field is ignored if
you specify Never for Require Email Address Verification. Note that the value you specify in
this field is also used if you choose Email Answerback as a password recovery method. See
Enrollment Password Recovery for details.
5. Determine whether you want to restrict the enrollment of first-time users so that only recipients of
a secure message can create an account through the ZDM. This prevents users who are not
already enrolled from using the ZDM to compose secure messages. The options in the Enrollment
Restrictions section for First-time users composing a message in ZDM control what first-time
users see after attempting to sign in on the ZDM login page without first receiving a message.
  • Select can enroll to permit first-time users to enroll and then compose a message using ZDM,
  without having first received a secure message.
  • Select cannot enroll: they will see an informational message to display a message that
  informs users who are not currently enrolled that they must receive a message before enrolling.
  This prevents first-time users from using ZDM to compose a message.
  • Select cannot enroll: they will see a password prompt and a generic message (for
  additional security) to display the ZDM password screen if a user attempts to sign into ZDM
  without first receiving a message. If they enter a password, they see a message that either the
  email address or password is incorrect. This prevents first-time users from using ZDM to
  compose a message, and decreases the possibility that an unauthorized person could guess a
  valid username.
6. In the Enrollment Communication Settings section, specify whether to send an enrollment
confirmation message to the user. This option provides additional confirmation to the user that an
account has been activated for their email address. The message also contains information about
what to do if the user did not sign up for the account.
7. If you specify that an enrollment confirmation message is to be sent, enter the email address that
is to be displayed in the From field of that message.
8. In the Enable Disable Re-captcha section, you can make Google's reCAPTCHA prompt appear on
the ZDM first-time enrollment sign-in page. Select Enable re-captcha and enter the site key and
secret key that you received from Google.
9. Click Save to save your settings.
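Two of the settings in this procedure have consequences that an implementation can easily get wrong: a verification link clicked after the Time Allotted to Complete Verification must not be honoured (a new message is sent instead), and the "password prompt and a generic message" restriction only protects usernames if an unknown address and a wrong password receive exactly the same answer. The following added example models both behaviours; it is not Enrollment Service code, and the token format, the in-memory stores, the hashing and the response strings are assumptions.

```python
"""First-time enrollment checks modelled in plain Python (added example, not product code).
Covers two settings on the First-time Use tab: Time Allotted to Complete Verification (a link
clicked after the allotted minutes is refused and a fresh message is sent; every link is single
use) and the Enrollment Restriction "cannot enroll: they will see a password prompt and a generic
message" (an unknown address gets exactly the same answer as a wrong password).  Token format,
in-memory stores, hashing and the response strings are this example's assumptions."""
import hashlib, hmac, os, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

CAN_ENROLL, INFO_MESSAGE, GENERIC_PROMPT = "can_enroll", "info_message", "generic_prompt"
GENERIC_ERROR = "The email address or password is incorrect."
INFO_TEXT = "You must receive a secure message before you can enroll."

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_DUMMY = (os.urandom(16), _hash("unused", os.urandom(16)))   # equalises timing for unknown users

@dataclass
class Pending:
    email: str
    issued: datetime
    used: bool = False

class EnrollmentService:
    def __init__(self, verification_minutes: int, restriction: str = GENERIC_PROMPT):
        self.allotted = timedelta(minutes=verification_minutes)
        self.restriction = restriction
        self.pending = {}      # token -> Pending
        self.verified = set()  # addresses that completed verification
        self.passwords = {}    # address -> (salt, hash)
        self.outbox = []       # (address, token) for every verification message "sent"

    def send_verification(self, email: str, now: datetime) -> str:
        """Issue an unguessable single-use token and record the message as sent."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = Pending(email, now)
        self.outbox.append((email, token))
        return token

    def click_link(self, token: str, now: datetime) -> str:
        """Result of the user clicking a verification link."""
        rec = self.pending.get(token)
        if rec is None or rec.used:
            return "invalid"
        rec.used = True                                  # a link is never accepted twice
        if now - rec.issued > self.allotted:
            self.send_verification(rec.email, now)       # too late: send a new message instead
            return "expired-resent"
        self.verified.add(rec.email)
        return "verified"

    def set_password(self, email: str, password: str) -> bool:
        """Enrollment completes only for a verified address."""
        if email not in self.verified:
            return False
        salt = os.urandom(16)
        self.passwords[email] = (salt, _hash(password, salt))
        return True

    def zdm_login(self, email: str, password: "str | None") -> str:
        """What a user sees on the ZDM sign-in page without having received a message first.
        `password` is None when only the address has been entered so far."""
        stored = self.passwords.get(email)
        if stored is None and self.restriction == CAN_ENROLL:
            return "show-enrollment-form"
        if stored is None and self.restriction == INFO_MESSAGE:
            return INFO_TEXT
        if password is None:
            return "show-password-prompt"                # same prompt whether or not the address exists
        salt, expected = stored if stored is not None else _DUMMY
        candidate = _hash(password, salt)                # always computed, so timing does not leak
        if stored is not None and hmac.compare_digest(candidate, expected):
            return "signed-in"
        return GENERIC_ERROR                             # identical for unknown address and wrong password

def demo() -> dict:
    """Late click, re-send, single use, then the generic-message restriction."""
    svc = EnrollmentService(verification_minutes=30)
    t0 = datetime(2020, 10, 1, 9, 0)
    first = svc.send_verification("bob@partner.example", t0)
    out = {"late_click": svc.click_link(first, t0 + timedelta(minutes=31)),
           "late_click_again": svc.click_link(first, t0 + timedelta(minutes=32))}
    second = svc.outbox[-1][1]                           # token from the re-sent message
    out["in_time_click"] = svc.click_link(second, t0 + timedelta(minutes=40))
    out["replayed_click"] = svc.click_link(second, t0 + timedelta(minutes=41))
    out["messages_sent"] = len(svc.outbox)
    out["password_set"] = svc.set_password("bob@partner.example", "Correct1!")
    out["wrong_password"] = svc.zdm_login("bob@partner.example", "wrong")
    out["unknown_address"] = svc.zdm_login("nobody@partner.example", "wrong")
    out["right_password"] = svc.zdm_login("bob@partner.example", "Correct1!")
    out["unknown_with_info_option"] = EnrollmentService(30, INFO_MESSAGE).zdm_login("nobody@partner.example", None)
    return out
```

The design point is in zdm_login: under the generic-prompt restriction the unknown-address path and the wrong-password path return the same string and do the same amount of hashing work, so neither the message nor the response time tells a caller whether an address is enrolled.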

Enrollment Password Policies


The Enrollment Service authentication method requires the user to create a password. The Password
Policies page lets you control the strength of the password that a user must enter by specifying
password requirements. You can also control when a password becomes invalid by specifying
password rules.
To configure Enrollment Service password policy settings:
1. On the Services > Enrollment Service page, click the tenant name for which you want to
configure the password policies. If only one tenant is configured, the Configure Enrollment
Service page opens with the User Management tab open.
2. Click the Password Policies tab to display options for configuring password strength and
password rule settings.

3. Enter the minimum number of characters that a password must contain in the Minimum Length
Required text box.
4. Enter a value in the Maximum Repeated Characters Allowed text box. The password must
contain no more consecutively repeated characters than the value you specify in this field. For
example, if you specify a value of 2, the password cannot contain a value that includes the string
"aaa". The value of this field is set to 0 by default, which deactivates this restriction.
5. Click Numbers Required to require that all passwords contain at least one number.
6. Click Capital Letters Required to require that all passwords contain at least one capital
letter.
7. Click Special Characters Required to require that all passwords contain at least one special
character, such as (!@#$%^&*_+-=).
8. Select the Disallow Trivial Passwords check box to prevent users from specifying a trivial
password. A trivial password is one that contains or is contained in the local portion of the email
address or in the user name. For example, if the user name is "May" or if the email address is
may@company.com, the user cannot specify a password with a value such as "Ma", "May", or
"Maya".
9. Enter the number of times that the user can attempt to enter a password before being locked out of
the system in the Number of Failed Login Attempts text box. If a user is locked out after too
many attempts, you can allow the user to reset the password by using the password recovery settings.
See Enrollment Password Recovery for details.
10. Enter the minimum number of days for which a password is valid and cannot be reset in the
Minimum Age (days) text box. This is useful when you have set a value for Consecutively
Unique Passwords. If a user wants to reuse a recent password, he or she could reset the
password multiple times in one day until the system accepts the reused password. Setting a
Minimum Password Lifetime ensures that the user must use a unique password for a minimum
number of days.

NOTE: If the password recovery feature is used before the minimum lifetime is up, users
are not able to set their new password, and therefore cannot retrieve a key. They must
either wait for the minimum password lifetime to pass or call support to have them reset the
password.

11. Enter the number of days after which a user will be prompted to change their password in the
Maximum Age (days) text box.
12. Enter the number of previous passwords that you want the system to check against a newly
entered password in the Consecutively Unique Passwords text box. For example, if you enter
5, when the user enters a password, the system checks the last five passwords for that
username. If the new password matches one of the last five passwords, the system rejects the
new password.
13. Click Save to save your settings.
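The following added example implements the rules from this procedure as a small Python policy checker, so that the interaction between Minimum Age and Consecutively Unique Passwords, and the automatic Locked status after too many failed logins, can be seen on the guide's own example user May. It is not Enrollment Service code; the policy defaults, the violation messages, the history stored as salted PBKDF2 hashes and the sample passwords are assumptions.

```python
"""Enrollment password policy modelled in plain Python (added example, not product code).
Implements the Password Policies settings: Minimum Length Required, Maximum Repeated Characters
Allowed (0 = off), Numbers / Capital Letters / Special Characters Required, Disallow Trivial
Passwords, Number of Failed Login Attempts (account becomes Locked), Minimum Age and Consecutively
Unique Passwords.  Defaults, messages and the salted PBKDF2 storage are this example's assumptions."""
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from itertools import groupby

@dataclass
class PasswordPolicy:
    minimum_length: int = 8
    max_repeated: int = 0              # Maximum Repeated Characters Allowed; 0 deactivates it
    numbers_required: bool = True
    capitals_required: bool = True
    specials_required: bool = True
    disallow_trivial: bool = True
    failed_attempts_allowed: int = 5   # Number of Failed Login Attempts before the account is Locked
    minimum_age_days: int = 1
    history_depth: int = 5             # Consecutively Unique Passwords

@dataclass
class Account:
    email: str
    username: str
    history: list = field(default_factory=list)   # (salt, hash) pairs, newest last
    last_changed: "datetime | None" = None
    failed_logins: int = 0
    status: str = "Active"             # Active | Suspended | Locked | Unverified

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _matches_any(password: str, entries) -> bool:
    return any(hmac.compare_digest(_hash(password, s), h) for s, h in entries)

def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated consecutively ("aaa" -> 3)."""
    return max((sum(1 for _ in g) for _, g in groupby(password)), default=0)

def is_trivial(password: str, email: str, username: str) -> bool:
    """Contains, or is contained in, the email local part or the user name (case-insensitive)."""
    p = password.lower()
    return any(ref and (ref in p or p in ref)
               for ref in (email.split("@", 1)[0].lower(), username.lower()))

def strength_violations(policy: PasswordPolicy, pw: str, email: str, username: str) -> list:
    """Checks that depend only on the candidate password; returns the names of the failed rules."""
    checks = [
        (len(pw) < policy.minimum_length, "too short"),
        (policy.max_repeated and longest_run(pw) > policy.max_repeated, "too many repeated characters"),
        (policy.numbers_required and not any(c.isdigit() for c in pw), "number required"),
        (policy.capitals_required and not any(c.isupper() for c in pw), "capital letter required"),
        (policy.specials_required and not any(c in "!@#$%^&*_+-=" for c in pw), "special character required"),
        (policy.disallow_trivial and is_trivial(pw, email, username), "trivial password"),
    ]
    return [reason for failed, reason in checks if failed]

def change_password(policy: PasswordPolicy, acct: Account, new_pw: str, now: datetime) -> list:
    """Return the violations; the password is stored (salted hash) only when there are none.
    Minimum Age stops a user cycling through the history in one day; the history check compares
    the candidate against the last `history_depth` stored hashes."""
    v = strength_violations(policy, new_pw, acct.email, acct.username)
    if acct.last_changed and now - acct.last_changed < timedelta(days=policy.minimum_age_days):
        v.append("minimum age not reached")
    if policy.history_depth and _matches_any(new_pw, acct.history[-policy.history_depth:]):
        v.append("matches a recent password")
    if not v:
        salt = os.urandom(16)
        acct.history.append((salt, _hash(new_pw, salt)))
        acct.last_changed = now
    return v

def login(policy: PasswordPolicy, acct: Account,  pw: str) -> bool:
    """Only Active accounts may log in; the account becomes Locked once the allowed attempts are used."""
    if acct.status != "Active":
        return False
    if acct.history and _matches_any(pw, acct.history[-1:]):
        acct.failed_logins = 0
        return True
    acct.failed_logins += 1
    if acct.failed_logins >= policy.failed_attempts_allowed:
        acct.status = "Locked"         # an administrator sets it back to Active on User Details
    return False

def demo() -> dict:
    policy = PasswordPolicy(minimum_length=8, max_repeated=2, history_depth=2,
                            minimum_age_days=1, failed_attempts_allowed=3)
    acct = Account(email="may@company.com", username="May")
    t0 = datetime(2020, 10, 1, 9, 0)
    out = {
        "short": change_password(policy, acct, "Ab1!", t0),
        "trivial": change_password(policy, acct, "Maya2020!", t0),
        "repeated": change_password(policy, acct, "Paaass1!", t0),          # contains "aaa"
        "first_ok": change_password(policy, acct, "Correct1!", t0),
        "too_soon": change_password(policy, acct, "Another2@", t0 + timedelta(hours=1)),
        "reused": change_password(policy, acct, "Correct1!", t0 + timedelta(days=2)),
        "second_ok": change_password(policy, acct, "Another2@", t0 + timedelta(days=2)),
        "wrong_logins": [login(policy, acct, "nope") for _ in range(3)],
    }
    out["status"], out["login_while_locked"] = acct.status, login(policy, acct, "Another2@")
    return out
```

demo() walks user May through each rule in turn: the trivial-password check rejects "Maya2020!" because it contains the user name, the one-day Minimum Age refuses a second change an hour later, the history check refuses "Correct1!" two days later, and the third wrong login moves the account to Locked, after which even the correct password is refused until an administrator sets the status back to Active.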

Enrollment Password Recovery


The Password Recovery page lets you set the options for how a user can reset a forgotten password.
To set password recovery options:
1. On the Services > Enrollment Service page, click the tenant name for which you want to
configure settings that enable users to reset their password. If only one tenant is configured, the
Configure Enrollment Service page displays with the User Management tab open.
2. Click the Password Recovery tab to display options for password recovery and recovery
communication settings.

3. Choose a password recovery method. The following methods are available:


l None - Users cannot reset a lost password on their own, and must contact support to have
their password reset.
l Password Recovery Question - The user can only reset a lost password by answering a
question to which they provided an answer when they first created their username and
password. You configure the questions that a user can answer in the Recovery Questions
page.
l Email Answerback - The user can only reset a lost password by clicking a link in a message
that is sent to their email address. The message is sent from the address that you specify in
the Recovery Communication Settings section. Note that the user must click the link within
the time period specified in the Time Allotted to Complete Verification text box on the First-
time Use page.
With Email Answerback, you can choose to require users to provide a secondary email address
for password recovery.
l Password Recovery Question or Email Answerback - The user has a choice of answering
a password recovery question or clicking a link in a message that is sent to their email address.
If the user has forgotten the password recovery question, they can reset this as well after they
click the link in the answerback email.
With Password Recovery Question or Email Answerback, you can choose to require users to
provide a secondary email address for password recovery. See

Once the user answers the question or clicks the link, they are presented with a page where they
can enter a new password.
4. If you select Password Recovery Question or Password Recovery Question or Email
Answerback, use the following additional settings if you want to add restrictions to the answer
that a user can specify for a password recovery question:
l Minimum Answer Length - The answer must contain no fewer characters than the value that
you specify in this text box.
l Maximum Repeated Characters Allowed - The answer must contain no more consecutively
repeated characters than the value you specify in this field. For example, if you specify a value
of 2, the answer cannot contain a value that includes the string "aaa". The value of this text box
is set to 0 by default, which deactivates this restriction.
l Disallow Trivial Answers - Select to prevent users from specifying a trivial answer. A trivial
answer is one that contains or is contained in the local portion of the email address or in the
user name. For example, if the user name is "May" or if the email address is
may@company.com, the user cannot specify an answer with a value such as "Ma", "May", or
"Maya".
5. In the Recovery Communication Settings section, specify whether to send a password change
confirmation message to the user. This option provides additional confirmation to the user that the
password associated with their email address has been changed. The message also contains
information about what to do if the user did not change the password.
6. If you specify that a password change confirmation message is to be sent, enter the email address
that is to be displayed in the From field of that message.
7. If you selected Password Recovery Question or Email Answerback or Email Answerback,
you have the option to require users to provide a secondary email address for password recovery.
To use this option, click Enable Secondary Email Address in the Secondary Email Address
Setting section.
8. Click Save to save your settings.
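The restrictions described in the password policy steps and in the recovery-answer settings above, modelled as checks so they can be tried on sample input. This is an added example, not Voltage SecureMail code: the policy keys, the sample user "May" / may@company.com taken from the text, and the case-insensitive comparison in is_trivial are assumptions.

```python
def local_part(email: str) -> str:
    """The part of an email address before the @ sign."""
    return email.split("@", 1)[0]


def is_trivial(value: str, username: str, email: str) -> bool:
    """A trivial password or answer contains, or is contained in, the user name
    or the local part of the email address. The comparison is case-insensitive
    here; the guide does not state the case rule, so that detail is an assumption."""
    v = value.lower()
    if not v:
        return True
    anchors = (username.lower(), local_part(email).lower())
    return any(a and (a in v or v in a) for a in anchors)


def longest_run(value: str) -> int:
    """Length of the longest run of one consecutively repeated character."""
    best = run = 0
    prev = None
    for ch in value:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_value(value, *, min_length, max_repeated, disallow_trivial, username, email):
    """Restrictions shared by passwords and recovery answers.

    Returns the names of the violated settings; an empty list means the value
    is accepted. A max_repeated of 0 deactivates that restriction, as documented.
    """
    problems = []
    if len(value) < min_length:
        problems.append("Minimum Length")
    if max_repeated and longest_run(value) > max_repeated:
        problems.append("Maximum Repeated Characters Allowed")
    if disallow_trivial and is_trivial(value, username, email):
        problems.append("Disallow Trivial")
    return problems


# Constructed sample policy; the keys mirror the text boxes on the tab.
SAMPLE_POLICY = {
    "minimum_length": 8,
    "max_repeated": 2,
    "disallow_trivial": True,
    "consecutively_unique": 5,
    "minimum_age_days": 1,
}


def check_new_password(policy, username, email, new_password, history, days_since_change=None):
    """Password-specific rules on top of check_value().

    `history` holds previous passwords, most recent first (a real store keeps
    hashes and compares those). `days_since_change` is None for a user who has
    never changed their password.
    """
    problems = check_value(
        new_password,
        min_length=policy["minimum_length"],
        max_repeated=policy["max_repeated"],
        disallow_trivial=policy["disallow_trivial"],
        username=username,
        email=email,
    )
    if new_password in history[: policy["consecutively_unique"]]:
        problems.append("Consecutively Unique Passwords")
    if days_since_change is not None and days_since_change < policy["minimum_age_days"]:
        problems.append("Minimum Age (days)")
    return problems


if __name__ == "__main__":
    user, addr = "May", "may@company.com"
    recent = ["Winter2020!x", "Autumn2020!x"]          # constructed history
    for candidate in ("Maya", "Sprrring20!x", "Winter2020!x", "Summer2020!x"):
        print(candidate, "->", check_new_password(SAMPLE_POLICY, user, addr, candidate, recent, 3))
```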

Enrollment Recovery Questions


The Recovery Questions page lets you configure password recovery questions that enable a user to
reset a forgotten password. The user selects one of the questions and provides the answer when
creating their username and password. You can view the password recovery questions in each locale,
add questions, and change the order in which the password recovery questions are displayed to the
user. Note that this page is used only if you choose either Password Recovery Question or
Password Recovery Question or Email Answerback as a recovery method in the Password
Policies page.
To configure password recovery questions:
1. On the Services > Enrollment Service page, click the tenant name for which you want to
configure password recovery questions. If only one tenant is configured, the Configure
Enrollment Service page displays with the User Management tab open.
2. Click the Recovery Questions tab to display options for configuring password recovery
questions.
3. If you are using a brand with a locale that is different from the tenant default brand locale, select
the locale for the password recovery question from the Locale list.
The password recovery questions are translated to the locale (language) that you select. If you are
not using a custom brand that uses a different language from the tenant default brand locale, the
drop-down list contains only the tenant default brand locale.
4. Specify whether to allow the user to select the first question. By default, the first question serves
as a prompt.
5. Configure the questions and the sequence in which they appear to the user:
l To add a question, type a question in the New Question text box, then click Add.
l To move a question up or down in the list of questions, select the desired number in the Order
column list.
l To delete a question, click Delete in the Action column for the question that you want to delete.

NOTE: If you delete a password recovery question, any user that previously selected the
deleted question is allowed to continue using that question.

6. Click Save to save your settings.

Two Factor Authentication


Two Factor Authentication can be enabled on the Administration > Advanced tab. Once enabled on
the system, Two Factor Authentication can be applied at the Tenant level. Two Factor Authentication
is available only to Enrollment Service users.

To use Two Factor Authentication, Enrollment Service users must install the Google Authenticator
application on their devices. To access a protected message, Two Factor Authentication users are
presented with an Enter Secret Code (a time-based one-time code) page followed by the user password
page. On successful verification of the secret code, users can access their protected messages.
First-time ZDM users are enrolled in Two Factor Authentication during the sign-up process. Existing
users for whom Two Factor Authentication is not already set are instructed to enable Two Factor
Authentication after entering their password on the user password page.
Enable Two Factor Authentication, below
Enable Two Factor Authentication for Tenants, on the next page

Enable Two Factor Authentication


Two Factor Authentication is enabled on the Administration > Advanced tab with the property
auth.es.2fa.enabled.
To enable Two Factor Authentication:
1. Navigate to the Administration > Advanced tab.
2. In the Advanced Management Server Configuration pane, enter auth.es.2fa.enabled in the
Configuration Name column.
3. Set Configuration Value to true and click Save.
4. In the Advanced Host (IBE, ZDM, Gateway) Configuration pane, enter auth.es.2fa.enabled in
the Configuration Name column.
5. Set Configuration Value to true and click Save.
6. Update the cluster and restart each host.

Enable Two Factor Authentication for Tenants


Two Factor Authentication can be enabled/disabled on a per tenant basis for Enrollment Service users.
To enable Two Factor Authentication for a tenant:
1. Navigate to Services > Enrollment Service and click the tenant for which you want to enable
Two Factor Authentication.

2. At the bottom of the User Management tab, select the Enable 2-factor Authentication
checkbox.
3. Click Save and update the cluster.

Understanding the Settings for All Services


Select one of the following tabs depending on the action you want to perform:
l Trusted Root Certificate Authorities - Enables you to import a root CA certificate into the trust
store.
l Global - Enables you to use customized error pages that display when a custom brand is not
available or has not been configured.
l Using Third-Party Certificates - To secure communication between SecureMail services with
third-party certificates, you can import CA-signed certificates on the SecureMail Management
Console.


Importing CA and Root Certificates


The Voltage SecureMail software is shipped with a number of common Certificate Authority (CA)
certificates in the trust store. If, however, you are using a less common CA, or if you are using an
internal CA, you must import the root certificate of the CA that issued the SSL certificate into the server
trust store. After you have received and imported the SSL certificate, you can configure Voltage
SecureMail to accept the certificate.

NOTE: It is not advisable to import non-root (leaf or intermediate) certificates into the Trust
Store. You should import intermediate certificates as part of the chain when you import the
specific hostname certificate on the Tenants > Hostnames and SSL Certificates tab. See
Importing an SSL Certificate Chain for instructions.

Click Services > All Services > Trusted Root Certificate Authorities to display the Certificates
page.

To add a CA certificate:
1. Click Import Certificate at the top of the table.
2. Enter the location and name of the PEM file that you are importing or click Browse to navigate to
the file.
3. Click Import.

The file you imported displays in the Trusted Root Authorities Certificate table.
To delete a CA certificate, click Delete in the row for the certificate that you want to delete.


Configuring Global Options for All Services


To configure advanced service options:
1. Click Services > All Services > Global to display the Global Configuration page.

2. The Global Error Page Configuration is used when no brand can be found for an email. Choose
one of the following options in this section:
l To use the default error messages, leave Default selected.
l To use a custom error page, click Custom, then click Browse to navigate to the file and click
Open. The custom error file must be named globalerror.htm. You can also upload a zip file
containing the globalerror.htm file. Click Upload to upload the custom error file.

3. When you are finished, click Save.

Using Third-Party Certificates


SecureMail Server installs with self-signed certificates to secure internal communications. To secure
communication between SecureMail services with third-party certificates, you can import CA-signed
certificates on the SecureMail Management Console. This advanced setting feature is described in the
Voltage SecureMail and Third-Party Certificates Supplement.

About CORS
Cross-Origin Resource Sharing (CORS) is a safe method to control access to SecureMail services
from permitted origin sources. The CORS specification uses an exchange of HTTP headers between the
browser and the server to grant access to selected resources on the SecureMail appliance.

You configure the origin sources that are permitted to make a request to SecureMail Server via CORS.
The origin source is the source from which the request originates. Note that the origin must be an exact
case-sensitive match with the origin that the user sends to the service. You can use the wildcard
character (*) to allow all origin sources to make requests via CORS.

Enable CORS
CORS is enabled from the Advanced Settings page. After you have enabled CORS, you configure
CORS from the Services tab.
To enable CORS:
1. Navigate to Administration > Advanced.
2. Enter enable.custom.cors.config for the Configuration Name and set the Value to True.
3. Click Add and Save. The feature is enabled.

Configure CORS
CORS is configured from the Services tab.
To configure CORS:
1. Navigate to Services > CORS.

2. Select Enable CORS Settings. This enables CORS for the current SecureMail tenant.
3. In the Original Sources text box, enter a comma-separated list of origins (domain names e.g.
xyz.com) that can make HTTP requests to the SecureMail Server. You can enter the wildcard * to
allow all sources.
4. In the Allowed Http Methods text box, enter a comma-separated list of HTTP methods
permitted. You can enter the wildcard * to allow all HTTP methods.
5. In the Allowed Http Headers text box, enter a comma-separated list of HTTP headers permitted.
You can enter the wildcard * to allow all HTTP headers.
6. In the Exposed Headers text box, enter a comma-separated list of HTTP response headers that may be
exposed to the requesting origin. You can enter the wildcard * to allow all exposed headers.
7. Check the Support Credentials box if the resource in the origin source supports user credentials
in the request.
8. In the Preflight Max Age text box, enter the maximum time in seconds that the preflight
OPTIONS request is cached by the browser. Default is 600 seconds.
9. Click Save.
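The CORS settings above, modelled as the server-side decision a service makes for each request, so the exact-match origin rule and the wildcard can be checked against sample origins. This is an added example and not appliance code; the CorsSettings field names, the sample origins and the choice to echo the origin instead of * when credentials are supported (browser behaviour, not something the guide states about the appliance) are assumptions.

```python
from dataclasses import dataclass


@dataclass
class CorsSettings:
    """Fields of the Services > CORS page. The values below are constructed samples."""
    enabled: bool = True
    origins: str = "https://portal.example.com, https://intranet.example.com"
    allowed_methods: str = "GET, POST"
    allowed_headers: str = "Content-Type, Authorization"
    exposed_headers: str = "X-Request-Id"
    support_credentials: bool = False
    preflight_max_age: int = 600          # seconds; the documented default


def split_list(csv: str) -> list:
    """Parse one of the comma-separated text boxes into a list of entries."""
    return [item.strip() for item in csv.split(",") if item.strip()]


def origin_permitted(settings: CorsSettings, origin: str) -> bool:
    """Origins must match exactly and case-sensitively, unless * is configured."""
    allowed = split_list(settings.origins)
    return "*" in allowed or origin in allowed


def cors_headers(settings, origin, preflight=False, requested_method=None, requested_headers=()):
    """Compute the CORS response headers for a request carrying `origin`.

    Returns None when no CORS headers should be emitted: CORS disabled, origin
    not permitted, or a preflight asking for a method or header that is not
    allowed. Without the headers the browser refuses to hand the response to
    the calling page, which is the protection CORS provides.
    """
    if not settings.enabled or not origin or not origin_permitted(settings, origin):
        return None
    allowed_origins = split_list(settings.origins)
    headers = {}
    # Browsers reject a literal "*" Allow-Origin when credentials are sent, so a
    # permitted origin is echoed back instead (and the response must Vary on Origin
    # so a cache never serves one origin's header to another).
    if settings.support_credentials or "*" not in allowed_origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    else:
        headers["Access-Control-Allow-Origin"] = "*"
    if settings.support_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"

    if preflight:
        methods = split_list(settings.allowed_methods)
        if "*" not in methods and requested_method not in methods:
            return None
        allowed_names = {h.lower() for h in split_list(settings.allowed_headers)}
        requested = list(requested_headers)
        if "*" not in allowed_names and any(h.lower() not in allowed_names for h in requested):
            return None
        # With credentials the browser takes "*" literally, so echo the request instead.
        if settings.support_credentials:
            headers["Access-Control-Allow-Methods"] = requested_method
            if requested:
                headers["Access-Control-Allow-Headers"] = ", ".join(requested)
        else:
            headers["Access-Control-Allow-Methods"] = ", ".join(methods)
            headers["Access-Control-Allow-Headers"] = ", ".join(split_list(settings.allowed_headers))
        headers["Access-Control-Max-Age"] = str(settings.preflight_max_age)
    else:
        exposed = split_list(settings.exposed_headers)
        if exposed:
            headers["Access-Control-Expose-Headers"] = ", ".join(exposed)
    return headers


if __name__ == "__main__":
    settings = CorsSettings()
    for sample in ("https://portal.example.com", "https://Portal.example.com", "https://other.example.org"):
        print(sample, "->", cors_headers(settings, sample))
```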

Understanding the Mobile Service Summary page


The Mobile Service Summary page displays if your organization has more than one tenant
configured. If your organization has only one tenant, the Configure Mobile Service page displays.

NOTE: Mobile Service is an add-on module to Voltage SecureMail and may not be part of your
Voltage SecureMail installation.

To view the Mobile Service Summary page, click Services > Mobile Service. From this page, you
can select the tenant for which you would like to enable or disable mobile service, or view or edit mobile
policies.
The Configured Mobile Services table lists the tenant names, domains, number of enabled mobile
policies you have for each tenant and whether mobile service is valid, invalid or disabled for the tenant.
The following values may display in the Configuration column:
l Valid - Mobile service is enabled and mobile policies are enabled and valid
l Invalid - Mobile service is enabled, but there are no mobile policies, or the mobile policies are
disabled or invalid
l Disabled - Mobile service is disabled

To view or edit the Mobile Policies for a tenant, click the name of the tenant to display the Configure
Mobile Service page.

For more information on Mobile Policies, see Understanding Mobile Policies.

Understanding the Configure Mobile Service Page


The Configure Mobile Service page displays the mobile policies you currently have configured for the
tenant. The name of the tenant displays in the title of the page. If you have only one tenant configured
for your organization, this page will display when you click Services > Mobile Service, instead of the
Mobile Service Summary page.


If you have not created any custom mobile policies, only the Default Internal and External Policy
display in the Mobile Policies table. For more information on Mobile Policies, see Understanding Mobile
Policies.
From this page you can perform the following:
l Enable or Disable Mobile Service for the tenant
l Upload APNS certificates for push notifications
l Add a New Mobile Policy
l Edit a Mobile Policy
l Enable or Disable a Mobile Policy
l Delete a Mobile Policy
l Update the order in which the policies are processed

Enabling or Disabling Mobile Service for the Tenant


You can enable or disable mobile services for the tenant by clicking Enable or Disable. By default,
mobile services are enabled for all tenants when you configure Mobile Service.
To enable Mobile Service for the tenant:
1. Click Services > Mobile Service.

If you have more than one tenant configured, the Mobile Service Summary page displays. Click
the name of the tenant for which you want to edit the mobile policy.
The Configure Mobile Service page displays.

2. Click Enable.

You can disable Mobile Services for the tenant by clicking Disable.
The Mobile Policies table now displays the policies for the tenant and the status of each policy.
You can add a new mobile policy, edit, disable, delete or update the order of existing policies.


3. Click Exit to return to the Mobile Service Summary page.

NOTE: After you finish making and saving changes to Mobile Policies, you must update the
cluster. Click the System tab and then click either Update or Update All Clusters depending
on the number of clusters in your deployment. See Understanding Clusters.

Uploading APNS Certificates
If you have enabled push notification for iOS devices, you need to upload your APNS Certificate. You
must first obtain this certificate from Apple.

Enabling or Disabling a Mobile Policy


You can enable or disable a specific mobile policy for the tenant by clicking the Enable or Disable link
next to the Mobile Policy. By default, the Default Internal Policy and the Default External Policy are
enabled, as are new policies when you create them. You can enable or disable a mobile policy at any
time. The status for the mobile policy updates accordingly in the Mobile Policies table.

NOTE: It is recommended that you configure at least the Default Internal and External Policies
for each tenant, as the generalized default settings might not suit your organization's needs.

Deleting a Mobile Policy


You can delete a mobile policy by clicking the Delete link next to the Mobile Policy name. Once you
delete a policy, it is no longer available for use within the Voltage SecureMail Management Console.
You will need to recreate the policy if you wish to use it again at a later time.

NOTE: You must have at least one mobile policy enabled in order for Mobile Service to be
available for the users within the tenant.


Processing Order
The Mobile Policies table displays all of the policies for the tenant. The policies are processed in the
order in which they are listed. If two policies are in conflict with one another, the policy which is higher
up in the table is processed and the lower policy is ignored.
It is suggested that you order policies starting with the policy that applies to the fewest users first. This
way you won’t inadvertently apply a more restrictive policy which applies to a larger number of users, to
users who should actually be allowed more access. Accordingly, internal policies should be higher in
the list than partner or external policies, especially if you use general domain designations, such as * for
all domains in your external policies.
To change the order of the policies in the Mobile Policies table:
1. Change the number in the Order column for the policy that you want to change.
2. Click Update Order.

3. If you have more than one tenant, click Exit to return to the Mobile Service Summary page.

Understanding Mobile Policies


Voltage SecureMail Mobile Edition allows you to configure policies that control which internal and
external users can use Voltage SecureMail Mobile Edition and which actions they can perform when
sending and receiving secure mail from mobile devices. You can establish separate policies for internal
and external mobile users, and create different mobile policies for each tenant. You can also specify the
domains to which a particular policy applies.
When configuring mobile policies, you can:
l Specify the domains or email patterns to which specific policies apply
l Set the frequency with which mobile users are required to re-authenticate
l Enable support for Good Dynamics mobile security through a Mobile Policy
l Set message privileges to determine which actions internal or external users can perform from
mobile devices (read only; read and reply; read, reply and forward; compose)
l Specify the domains or domain matching patterns to which users can reply
l Specify the domains or domain patterns which users must include when sending or replying to
secure messages

To configure Mobile Policies, see Editing Mobile Policy Details.


Voltage SecureMail Mobile Edition comes with two default policies:
l Default Internal Policy - Applies to users with an internal email address accessing secure mail from
mobile devices
l Default External Policy - Applies to users from other email addresses accessing secure mail from
mobile devices


You can also add your own mobile policies and specify the users to whom the policy applies. To add a
new Mobile Policy, see Adding a Mobile Policy. To edit an existing Mobile Policy, see Editing Mobile
Policy Details.

Adding a Mobile Policy


In addition to configuring the default mobile policies, you can create new internal, external or even
partner policies to meet the needs of your organization. The Mobile Policy wizard takes you through the
steps to create and configure a new Mobile Policy.
To add a new Mobile Policy:
1. Click Services > Mobile Service.

If you have more than one tenant configured, the Mobile Service Summary page displays. Click
the name of the tenant for which you want to add a mobile policy.
The Configure Mobile Service page displays.
2. Click New Mobile Policy to add and configure a mobile policy for the tenant.

The General Configuration page of the New Mobile Policy wizard displays.
3. In the Name text box, enter a name for the Mobile Policy. The default name is New Policy.

4. Verify that the Enabled check box is selected if you want the policy to be enabled for the tenant.

By default, a new policy is enabled. You can disable the policy by clicking the Enabled check box
to clear it.
5. In the Email Matching Patterns text box, enter the email pattern or patterns against which you
want users with mobile devices to be matched for application of the policy.

NOTE: The default for new policies is *, which is all users in all domains.

Pattern matching of the values is case sensitive. You can use the following special characters:
l ? - Matches any single character
l * - Matches any sequence of zero or more characters
l \ - Escapes the *, ? and \ special characters

For example, to create a Mobile Policy for all addresses in mydomain.com, enter
*@mydomain.com.
If you add multiple values, the values are OR’d. This means that the user does not need to match
all patterns; one matching value constitutes a match.
To remove one or more values, select the value and press the DELETE button on the keyboard.
6. Click Next to continue configuring the new Mobile Policy.

The Mobile Policy Definition page of the wizard displays.


7. From the Force Mobile User Re-Authentication list in the Authentication section, select how
frequently you want to require mobile users to re-authenticate. The default is Every Day.
You can set this to any of the frequency options provided. However, the more frequently a user on
a mobile device is required to re-authenticate, the more likely messages on the device will remain
secure if the device is misplaced, lost or stolen.
Every 5 Minutes functions essentially like "always." Mobile users are required to re-authenticate
every 5 minutes, or almost each time they read or compose a secure message.
The value you set here takes precedence over the re-authentication frequency set in the user
authentication methods, only when users access secure mail from within the Mobile Edition
application. It does not affect re-authentication frequency for user access to secure mail from
other devices, such as a laptop or desktop, or from outside the mobile application, such as from
ZDM. See Understanding Authentication Methods for more information on user authentication.

CAUTION: For security purposes, Micro Focus recommends you do not set this value to
Never for mobile policies as users will not be required to re-authenticate, and the key
issued for authentication and access to secure messages will remain valid for an extended
period, currently 25 years.

8. If you are integrating with a Good Dynamics server, check the Enable Good Dynamics checkbox.
To complete the configuration for Good Dynamics support, you must configure the Good
Dynamics Good Proxy server from the System tab. See Configuring a Good Dynamics Server for
more information.
9. Under Allow mobile users to, in the Message Privileges section, select the action(s) which you
want to allow mobile users covered by this policy to be able to perform from a mobile device:

l Reply to Sender - Allows secure message recipients to reply to the original sender of a secure
message from a mobile device, and to add or change recipients
l Reply All - Allows secure message recipients to reply to the original sender and original
recipients of a secure message from mobile devices, and to add or change recipients
l Cannot Change Recipients on Reply and Reply All - Prevents recipients of secure
messages from adding or changing recipients when replying to secure messages from mobile
devices. This option is not available unless you select Reply to Sender and/or Reply All
l Forward - Allows secure message recipients to forward the secure message to additional
recipients from mobile devices
l Compose New Messages - Allows mobile users to compose and send new secure messages
from mobile devices
l Require Users to Receive a Copy of Their Messages - Automatically sends a copy of all
secure messages sent by a user to the user’s Inbox. This option can be used for compliance
purposes if your organization requires users to receive copies of the secure messages they
send

By default, recipients of secure messages can always read the secure messages they receive.
10. Under Permitted Recipients, select from the following:
l Original sender or recipients - Allows mobile users to reply to any of the original senders or
recipients only
l Any of the following domains - Allows mobile users to reply to anyone in the specified
domains

By default, neither option is selected when creating a new mobile policy, so mobile users can
send secure email to any recipients, without restriction.
11. If you selected the Any of the following domains check box, enter in the text box the domains or
domain patterns to which you want to allow mobile users to reply or send secure messages.

For example, you can use the following domain patterns:

l mydomain.com
l *.mydomain.com
l my?omain.com
l *.my?omain.com
l *.com

NOTE: * (all domains) is not an accepted value. Additionally, you must include the domain
for the tenant and/or for your organization if you want to permit secure replies and/or
messages to addresses in those domains.

12. Under Mandatory Recipients, if you would like to require that a specified domain or domain pattern
is always included as a recipient for all secure messages sent by mobile users under this policy,
select Any of the following domains and enter the domain or domain pattern.

NOTE: You must include the domain for the tenant and/or for your organization if you want
to require secure replies and/or messages to addresses in those domains.

13. Click Finish to create the Mobile Policy with the settings you have just selected.

The new Mobile Policy now displays in the list on the Configure Mobile Service page.

NOTE: After you finish making and saving changes to Mobile Policies, you must update the
cluster. Click the System tab and then click either Update or Update All Clusters depending
on the number of clusters in your deployment. For more information, see Understanding
Clusters.

You can now perform the following actions on the newly created Mobile Policy:
l Edit
l Disable/Enable
l Delete

Editing Mobile Policy Details


Use the Mobile Policy Details page to edit and configure the settings that apply to a particular policy
within the tenant. See Understanding Mobile Policies for more information on Mobile Policies.
Use the following tabs to configure the Mobile Policy:


l General - You can edit general information about a mobile policy for the tenant, such as the name
and whether it is enabled. Additionally, you can edit the domains or email matching patterns to which
the policy applies.
l Authentication - You can configure settings for the frequency of re-authentication for mobile users
within the tenant. This is also where you can enable support for Good Dynamics mobile security.
Enabling Good Dynamics support automatically creates support for Microsoft Exchange Server.
l Message Privileges - You can define settings that determine which mobile users within the tenant
can read, reply, forward and compose secure messages from mobile devices.
l Domains - You can define the domains or domain patterns to which mobile users are permitted to
reply or send secure messages. You can also set domains or domain patterns which mobile users
must include when sending or replying to secure messages.

Configuring Mobile Policy General Settings


You can edit information about a mobile policy such as the name of the policy and whether it is enabled
or not. Additionally, you can edit the domains or email matching patterns to which the policy applies.
To edit the general settings for the mobile policy:
1. Click Services > Mobile Service.

If your organization has more than one tenant configured, the Mobile Service Summary page
displays. Click the name of the tenant for which you want to edit the mobile policy.
The Configure Mobile Service page displays.
2. Click Edit next to the policy you want to configure or edit.

The General tab displays.

NOTE: The default policies contain general settings and configuration, which may or may not
be appropriate for your organization. It is recommended that you review the default settings and
configure them to suit your organization's deployment.

3. Optionally, in the Name text box, edit the name of the policy.
4. Click Enabled to enable or disable the policy.

By default, the Default Internal and External Policies are enabled. You can disable a policy by
clicking the Enabled check box to clear it.
5. In the Email Matching Patterns text box, enter the email pattern or patterns against which you
want users with mobile devices to be matched for application of the policy.

NOTE: The default for the Default Internal Policy is *@<tenantdomain>.com, which is all
users at the domain for the tenant. The default for the Default External Policy and for any
new policies you create is *, which is all domains.

Pattern matching of the values is case sensitive, so an address that differs from a pattern only in
case does not match it. You can use the following special characters:
- ? - Matches any single character
- * - Matches any sequence of zero or more characters
- \ - Escapes the *, ? and \ special characters

For example, to create a mobile policy for all addresses in mydomain.com, enter
*@mydomain.com.
If you add multiple values, the values are OR'd: the user does not need to match all of the
patterns, one matching value constitutes a match.
To remove one or more values, select the value and press the DELETE key.
6. Click Save and Exit to save the settings and return to the Configure Mobile Service page.

NOTE: After you finish making and saving changes to Mobile Policies, you must update
the cluster. Click the System tab and then click either Update or Update All Clusters
depending on the number of clusters in your deployment. See Understanding Clusters for
more information.

To edit the other settings for the Mobile Policy, see the following:
- Configuring Mobile User Authentication
- Setting Mobile Message Privileges
- Configuring Mobile Policy Domains

Configuring Mobile User Authentication


You can use the Authentication tab to configure how frequently you want to require mobile users to re-
authenticate.
To define the frequency at which mobile users must re-authenticate:
1. Click Services > Mobile Service.

If you have more than one tenant configured, the Mobile Service Summary page displays. Click
the name of the tenant for which you want to edit the mobile policy.
The Configure Mobile Service page displays.

2. Click Edit next to the name of the Mobile Policy you wish to edit.

The General tab displays.


3. Click the Authentication tab.

4. If you plan to use Good Dynamics for user authentication, check the Enable Good Dynamics
Authentication box. To configure the Good Dynamics Server, see Configuring a Good
Dynamics Server.

NOTE: You must purchase both Voltage SecureMail Mobile Edition and Voltage
SecureMail for Good Dynamics in order to use Good Dynamics authentication.

5. From the Force Mobile User Re-Authentication list, select the frequency with which you would
like to require mobile users to re-authenticate. The default is Every Day. This setting is not
available if you are using Good Dynamics authentication.

NOTE: The value you set here takes precedence over the re-authentication frequency set
in the user authentication methods, only when users access secure messages from the
Mobile Edition application. It does not affect re-authentication frequency for user access to
secure messages from other devices, such as a laptop or desktop, or from outside the
Mobile Edition application, such as from ZDM. See Understanding Authentication
Methods for more information on user authentication.

6. Click Save and Exit to save the settings and return to the Configure Mobile Service page.

NOTE: After you finish making and saving changes to Mobile Policies, you must update
the cluster. Click the System tab and then click either Update or Update All Clusters
depending on the number of clusters in your deployment. See Understanding Clusters for
more information.

To edit the other settings for the Mobile Policy, see the following:
- Configuring Mobile Policy General Settings
- Setting Mobile Message Privileges
- Configuring Mobile Policy Domains

Setting Mobile Message Privileges


Depending on the settings for message privileges, a user who receives a secure message on a mobile
device might be allowed to read only, reply to or forward the message, or compose a new message.
These settings only apply to secure messages received and sent by users from mobile devices. Use
the Message Privileges tab to select which actions mobile users are allowed to perform.
To edit the message privileges for a Mobile Policy:
1. Click Services > Mobile Service.

If you have more than one tenant configured, the Mobile Service Summary page displays. Click
the name of the tenant for which you want to edit the mobile policy.
The Configure Mobile Service page displays.
2. Click Edit next to the name of the Mobile Policy you wish to edit.

The General tab displays.


3. Click the Message Privileges tab.

4. Under Allow mobile users to, select the actions which you want to allow mobile users covered
by this policy to be able to perform from a mobile device:

- Reply to Sender - Allows secure message recipients to reply to the original sender of a secure
message from a mobile device, and to add or change recipients
- Reply All - Allows secure message recipients to reply to the original sender and recipients of a
secure message from mobile devices, and to add or change recipients
- Cannot Change Recipients on Reply and Reply All - Prevents recipients of secure
messages from adding or changing recipients when replying to secure messages from mobile
devices. This option is not available unless you select Reply to Sender and/or Reply All
- Forward - Allows secure message recipients to forward the secure message to additional
recipients from mobile devices
- Compose New Messages - Allows mobile users to compose and send new secure messages
from mobile devices
- Require Users to Receive a Copy of Their Messages - Automatically sends a copy of all
secure messages sent by a user to the user's Inbox. This option can be used for compliance
purposes if your organization requires users to receive copies of the secure messages they
send.
- Include BCC Recipient - Allows BCC recipients to receive Voltage encrypted messages. This
option cannot be used if you are using Sending via Exchange for Active Directory User for ZDM.
See ZDM Service Configuration.
- Send Message with Attachments - Allows mobile users to add attachments to secure
messages sent from mobile devices, up to the Outgoing Attachment Size Limit.
- Outgoing Attachment Size Limit - Sets the maximum size allowed for attachments to
messages sent from mobile devices. The default is 10MB.

By default, none of the options are selected for the Default Internal Policy. The policy permits all
of the actions, including changing recipients on Reply and Reply All. The Default External Policy
permits the recipient to reply and reply to all, but restricts these actions to the sender or original
recipients only.
5. Click Save and Exit to save the settings and return to the Configure Mobile Service page.

Recipients of secure messages can always read the secure messages they receive through ZDM
if they do not have Voltage SecureMail Mobile Edition.

NOTE: After you finish making and saving changes to Mobile Policies, you must update
the cluster. Click the System tab and then click either Update or Update All Clusters
depending on the number of clusters in your deployment. See Understanding Clusters for
more information.

To edit the other settings for the Mobile Policy, see the following:
- Configuring Mobile Policy General Settings
- Configuring Mobile User Authentication
- Configuring Mobile Policy Domains

Configuring Mobile Policy Domains


To specify which recipients mobile users may reply and send to, and to set any mandatory domains
which recipients must include when sending or replying to secure messages:
1. Click Services > Mobile Service.

If you have more than one tenant configured, the Mobile Service Summary page displays. Click
the name of the tenant for which you want to edit the mobile policy.
The Configure Mobile Service page displays.
2. Click Edit next to the policy you want to configure or edit.

The General tab displays.


3. Click the Domains tab.

4. Under Permitted Recipients, select from the following options:

- Original sender or recipients - Allows mobile users to reply to any or all of the original senders
or recipients only. This is one of the default settings for the Default External Policy.
- Any of the following domains - Allows mobile users to reply to anyone in the specified
domains. This is also a default setting for the Default External Policy, and the domain for the
tenant is listed in the text box.

By default, neither option is selected for the Default Internal Policy, so there are no restrictions on
the recipients to whom mobile users may send secure email. For the Default External Policy, both
options are selected.
5. If you selected the Any of the following domains check box, enter in the text box the domains or
domain patterns to which you want to allow mobile users to send or reply to secure messages.

For example, you can use the following domain patterns:

- mydomain.com
- *.mydomain.com
- my?omain.com
- *.my?omain.com
- *.com

The default domain specified for the Default External Policy is the tenant domain.

NOTE: * (all domains) is not an accepted value. Additionally, you must include the domain
for the tenant and/or your organization if you want to permit responses or messages to
addresses within those domains.

6. Under Mandatory Recipients, if you would like to require that a specified domain or domain pattern
is always included as a recipient for all secure messages sent by mobile users covered by this
policy, select Any of the following domains and enter the domain or domain pattern.

This is selected by default for the Default External Policy, and the domain for the tenant is listed in
the text box. The Default Internal Policy does not require any mandatory recipients, so the check
box is not selected.

NOTE: You must include the domain for the tenant and/or for your organization if you want
to require responses to addresses within those domains.

7. Click Save and Exit to save the settings and return to the Configure Mobile Service page.

NOTE: After you finish making and saving changes to Mobile Policies, you must update
the cluster. Click the System tab and then click either Update or Update All Clusters
depending on the number of clusters in your deployment. For more information, see
Understanding Clusters.

To edit the other settings for the Mobile Policy, see the following:
- Configuring Mobile Policy General Settings
- Configuring Mobile User Authentication
- Setting Mobile Message Privileges
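The pattern rules above (Email Matching Patterns on the General tab, and the Permitted and Mandatory Recipients settings on the Domains tab) are easy to get wrong when a policy is being designed, so here they are as an added, runnable example. This is not Voltage SecureMail code; it is an illustration written for this guide. The policy order (the first enabled policy whose pattern matches the user wins) and the OR between "Original sender or recipients" and "Any of the following domains" when both are selected are assumptions, and every address and policy in it is constructed.

```python
import re
from typing import Iterable, List, Optional, Sequence

# Added example, not Voltage SecureMail code: the pattern rules the console
# describes for Email Matching Patterns (General tab) and for the Permitted and
# Mandatory Recipients settings (Domains tab), written as functions you can run
# against sample addresses. Policy order (first enabled match wins) and the OR
# between "Original sender or recipients" and "Any of the following domains"
# are assumptions; every address and policy below is constructed.


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """'?' matches one character, '*' matches zero or more, '\\' escapes
    '*', '?' and '\\'. Everything else is literal; matching is case sensitive."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            parts.append(re.escape(pattern[i + 1]))   # escaped special character
            i += 2
            continue
        parts.append("." if c == "?" else ".*" if c == "*" else re.escape(c))
        i += 1
    return re.compile("".join(parts))


def matches_any(value: str, patterns: Iterable[str]) -> bool:
    """Multiple values are OR'd: one matching pattern is enough."""
    return any(glob_to_regex(p).fullmatch(value) is not None for p in patterns)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1]


class MobilePolicy:
    def __init__(self, name: str, email_patterns: Sequence[str], enabled: bool = True,
                 original_only: bool = False,
                 permitted_domains: Sequence[str] = (),
                 mandatory_domains: Sequence[str] = ()) -> None:
        # The console rejects '*' (all domains) on the Domains tab.
        if "*" in permitted_domains or "*" in mandatory_domains:
            raise ValueError("'*' is not an accepted domain pattern")
        self.name = name
        self.enabled = enabled
        self.email_patterns = list(email_patterns)
        self.original_only = original_only                  # "Original sender or recipients"
        self.permitted_domains = list(permitted_domains)    # "Any of the following domains"
        self.mandatory_domains = list(mandatory_domains)    # Mandatory Recipients


def select_policy(user: str, policies: Sequence[MobilePolicy]) -> Optional[MobilePolicy]:
    """First enabled policy whose Email Matching Patterns match the user
    (assumed ordering); None if no policy applies."""
    for p in policies:
        if p.enabled and matches_any(user, p.email_patterns):
            return p
    return None


def check_recipients(policy: MobilePolicy, recipients: Sequence[str],
                     original_sender: Optional[str] = None,
                     original_recipients: Sequence[str] = ()) -> List[str]:
    """Apply the Domains tab to an outgoing mobile message; returns the violations."""
    problems: List[str] = []
    originals = set(original_recipients)
    if original_sender:
        originals.add(original_sender)
    # Neither option selected (Default Internal Policy): no recipient restriction.
    unrestricted = not policy.original_only and not policy.permitted_domains
    for r in recipients:
        allowed = unrestricted
        allowed = allowed or (policy.original_only and r in originals)
        allowed = allowed or matches_any(domain_of(r), policy.permitted_domains)
        if not allowed:
            problems.append("recipient not permitted: " + r)
    if policy.mandatory_domains and not any(
            matches_any(domain_of(r), policy.mandatory_domains) for r in recipients):
        problems.append("no recipient in a mandatory domain: "
                        + ", ".join(policy.mandatory_domains))
    return problems


# Constructed policies mirroring the console defaults for a tenant "mydomain.com".
INTERNAL = MobilePolicy("Default Internal Policy", ["*@mydomain.com"])
EXTERNAL = MobilePolicy("Default External Policy", ["*"], original_only=True,
                        permitted_domains=["mydomain.com"],
                        mandatory_domains=["mydomain.com"])
POLICIES = [INTERNAL, EXTERNAL]

if __name__ == "__main__":
    for user in ("alice@mydomain.com", "Alice@MyDomain.com", "bob@partner.example"):
        print(user, "->", select_policy(user, POLICIES).name)
    print(check_recipients(EXTERNAL, ["carol@other.example"],
                           original_sender="alice@mydomain.com"))
```

Note what the second line of the sample run shows: because matching is case sensitive, Alice@MyDomain.com does not match *@mydomain.com and falls through to the Default External Policy, which is the more restrictive one. Check the case of the addresses your directory actually emits before relying on a single pattern.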

About SecureMail System Resources


This chapter describes how to configure SecureMail system resources.

System Configuration
The System Configuration page contains a System Clusters table that lists the clusters, hosts,
resources and tenants that are part of your Voltage SecureMail configuration. To view the System
Configuration page, click the System tab.

The columns in the System Clusters table provide the following information:
- System Resources - Lists the clusters, hosts, resources and tenants in your configuration. System
Resources include:
  - Clusters - You can add, update and validate clusters from this table. You can also add hosts
to the cluster, update hosts that are part of the cluster and view the host's logs. See
Understanding Clusters for more information.
  - Hosts - You can add, delete and restart hosts from this table. See Understanding Hosts for
more information.
  - Resources - When you create a cluster, the list of cluster resources is automatically added to
the table. Click a resource to configure it. See Understanding Resources for more information.
  - Tenants - The list of tenants associated with the cluster is displayed. You can check the
status of the tenant, but cannot configure it from this table. See Understanding Tenants for
more information.
- Configuration - Indicates whether the System Resource is valid, invalid, or unused.
- Runtime Status - Indicates whether the System Resource is running or disabled.
- Update Status - Indicates whether the host or cluster is updated with the current information or
requires an update.
- Services - Lists the Voltage SecureMail services that reside on the cluster or host.
- Actions - Contains links for actions related to the cluster or host. The following actions are listed for
clusters:
  - New Host - Adds a host to the cluster. See Adding a Host for more information.
  - Update - Updates the cluster with the latest configuration information.

The following actions are listed for hosts:
  - Disable - Disables the host. Clicking Disable does not change any configuration information.
  - Delete - Deletes the host from the cluster.
  - Restart - Restarts the host.
  - Logs - Displays the debug logs for the host. See Viewing Debug Logs for a Host for more
information.

Understanding Clusters
A cluster is a logically grouped set of servers or hosts that run the Voltage SecureMail services.
Clusters also contain resources, such as email servers, that are shared by the hosts within a cluster. If
all of the hosts in your configuration are in the same geographical location, you need only one cluster.
However, if your configuration includes hosts that are in different locations, you should configure a
separate cluster for each location. For more information on the Voltage SecureMail Server software
configuration, see Understanding Voltage SecureMail Concepts.
From the System Configuration page you can perform the following actions for clusters:
- Add or edit a cluster.
- Update a cluster to push the new configuration information to each of the hosts in the cluster. Click
Update Cluster to update the selected cluster or click Update All Clusters to update all of the
clusters in your deployment.
- Validate a cluster to ensure that the hosts and resources are configured properly. Click Validate in
the Configuration column for the cluster that you want to validate.
The hosts and resources are checked for proper configuration. Information messages are displayed at
the top of the page indicating which hosts and resources are configured properly and which must still
be configured.
- Delete a cluster. Click Delete next to the cluster name to delete it.
- Add a host to a cluster.

Adding or Editing a Cluster


To add or edit a cluster:

1. Do one of the following:

- Click New Cluster on the System Configuration page.
- Click the name of the cluster in the System Resources list.

The first New Cluster wizard page or the Cluster Details page displays. Both pages contain the
same content.

2. Enter a name for the cluster in the Cluster text box.
3. Enter an optional description in the Description text box.
4. If you do not want to add tenants, click Finish to add the cluster.
5. Click Add Tenants to add the tenants serviced by this cluster.

The Tenants page of the wizard displays.

Select the tenants that you want in this cluster using the check boxes to the left of the tenant
name and click Select.
6. (Optional) If you are editing an existing cluster, you can enter a value in the Trusted Proxy IP
Address text box. This setting is used in source NAT configurations where a load balancer or
other trusted proxy replaces the actual source IP address of a connection with its own internal IP
address. To preserve the original source IP address, that trusted proxy can terminate the TLS
connection and add an X-Forwarded-For HTTP header carrying the client's address. The software
treats the X-Forwarded-For header as authentic only when the connection carrying it originated
from the Trusted Proxy IP Address entered in this field. Because any client can send this header
itself, it is not honored from other source addresses, and you should enter only the address of a
proxy that you control.
7. Click Finish on the first New Cluster wizard page or Save and Exit on the Cluster Details page.
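The Trusted Proxy IP Address check described in step 6 is worth seeing in code, because the failure mode (honoring X-Forwarded-For from any peer) turns every client into a source-address spoofer. The function below is an added example written for this guide, not the product's own implementation: it accepts the header only when the TCP peer is the trusted proxy, takes the last element (the one that proxy appended), and falls back to the peer address for malformed values. The proxy and client addresses are constructed, and the exact parsing the product performs is not documented on this page.

```python
import ipaddress
from typing import Mapping, Optional

# Added example, not Voltage SecureMail code: decide the client address of an
# HTTP request the way the Trusted Proxy IP Address setting implies. The
# header is honoured only when the TCP peer is the trusted proxy; from any
# other peer X-Forwarded-For is ignored, because a client can set it to
# anything. All addresses used here are constructed.


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string if absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def effective_client_ip(peer_ip: str, headers: Mapping[str, str],
                        trusted_proxy_ip: Optional[str]) -> str:
    """Return the address to log, rate-limit and authorise on.

    peer_ip          source address of the TCP connection as the server saw it
    headers          request headers
    trusted_proxy_ip the console's Trusted Proxy IP Address, or None if unset
    """
    if trusted_proxy_ip is None:
        return peer_ip                      # no proxy configured: never trust the header
    if ipaddress.ip_address(peer_ip) != ipaddress.ip_address(trusted_proxy_ip):
        return peer_ip                      # not from the trusted proxy: header is untrusted
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        return peer_ip
    # The trusted proxy appends the address it saw as the LAST element. Earlier
    # elements were supplied by upstream parties and have not been verified.
    candidate = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip                      # malformed value: fall back to the peer


if __name__ == "__main__":
    proxy = "10.0.0.5"
    print(effective_client_ip(proxy, {"X-Forwarded-For": "203.0.113.7"}, proxy))
    # A client connecting directly and forging the header is not believed:
    print(effective_client_ip("198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}, proxy))
```

Two practical checks follow from this: if the proxy's internal address ever changes (a new load balancer, a second unit in an HA pair), the header silently stops being trusted and every request appears to come from the proxy; and if the field is set to an address that untrusted parties can reach the server from, they can forge any client address they like.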

Understanding Hosts
A host is a server machine that runs the Voltage SecureMail services. Configuring multiple hosts can
be useful for load balancing or disaster recovery. If you configure multiple hosts they can either be in a
single cluster or in multiple clusters. If all host machines are in the same geographic location, using a
single cluster provides better performance than dividing them among multiple clusters. Using multiple
clusters is useful for grouping your host machines when they are not all in the same geographical
location.
Use the System tab to set the cluster and host configurations. The configuration data is stored in the
Management Console database. When you finish the configuration on the cluster, click Update to push
the configuration data to each host to update those machines. Each host writes to and retrieves
information from its own IBE database.
You can manage the hosts in your configuration using the links on the System Configuration page.

From the System Configuration table, you can perform the following tasks for hosts:
- Add a host - Click New Host to display the New Host page.
- Configure host settings - Click the name of the host to display the Host Details page.
- View debug logs for a host - Click Logs to display the Debug Logs page.
- Disable a host - Click Disable.
- Delete a host - Click Delete.
- Restart a host - Click Restart.

Adding a Host
To add a new host:
1. On the System page, click New Host in the action column of the cluster to which you are adding
the host.

The New Host page displays.

2. In the Host Name text box, enter a name for the host machine. This is the name that appears in
the System table. You cannot change this name after the host is created.
3. In the Host Description text box, enter a description for the host machine.
4. Enter the Management IP Address and Management Port that the new host machine uses to
communicate with the Management Console machine.

In most cases, you do not need to change the port number from its default value of 443. However,
if you have limited IP addresses available, you can choose to use a different port for the
Management Port. To use the same IP address for both the host and the Cluster External
Address, change the value in the Port text box for the Cluster External Address. If the host is
running on a Linux Appliance, this Port must either be 443 or a value of 1024 or greater.
5. Click Save.
The host is added and is listed in the System Configuration table under the cluster.

To update a host after it has been added, see Configuring General Host Settings.

Configuring General Host Settings


The Host Details page provides the ability to configure an existing host.
To configure a host:
1. Click the name of the host in the table on the System tab.

The Host Details page displays.

The Host Details page has the following tabs:


- General - Specifies the name, description, and IP address/port of the selected host. Also
allows you to register the host.

NOTE: You must register a host before you can configure the services for that host, or
bind the URLs to the IP addresses.

- Database - Each host has its own local MariaDB database, named 'voltage' by
default, which listens on the default port 3306.

If you want to change just the Database Password for MariaDB, enter the new password, re-
type it in the Re-enter Database Password text box, then click Update Connection.

If you want to change both the Database User Name and Database Password for
MariaDB, you must first update the credentials in MariaDB. This means that you must
give the new username root authority on the database. Contact Micro Focus Support for
details.
- Services - Displays the services associated with the host. Allows you to enable or disable
services on the host.
- Binding - Allows you to bind the URLs associated with the host to the IP addresses for the
URLs. Also allows you to bind an IP address to the Cluster External Address used for
communication between hosts across clusters.

2. Most of the information on the General tab was entered when you added the host. You can view or
modify the following:

- Host Name - Displays the name of the selected host. You cannot modify the Host Name.
- Host Description - Displays the current description that is displayed next to the Host Name
on the System page. Enter the new description in the text box.
- Management IP Address - Displays the IP address that the selected host uses for
communication with the Management Console and with other hosts in the cluster.
- Management Port - Displays the port number that the selected host uses for communication
with the Management Console and with other hosts in the cluster.
- If the host has previously been registered, the Enabled check box displays. Click it to enable or
disable the selected host.
- If the host is already registered, the Host Re-Registration section displays. Re-registration can
be used if you change the IP address or port number that the host uses for communication with
the Management Console.

3. If you need to re-register the host, check the Runtime Status column on the System
Configuration page to see if the host is communicating with the Management Console.
- If the column contains a question mark, make sure that both the host and the Data Service are
running. If both are running and the question mark continues to display, the host is not able
to communicate with the Management Console, and you must generate a registration
password. For information about generating a registration password for the host, see Viewing
or Regenerating a Registration Password.
- If the column contains any icon other than a question mark, the host is communicating with the
Management Console and you do not need to enter a registration password.

Specify the Management IP Address and Management Port values, specify the
Registration Password (if needed), then click Register, to re-register the host.
The Host Re-Registration section provides two ways for you to specify the IP address:
- Click the top option, and then type the IP address in the text entry field.
- Click the bottom option, and then choose the IP address from the list.

You can use the default Management Port value of 443 unless you are re-using the Management
IP Address value (with the default port value) in a different location. If the host is running on a
Linux Appliance, this Management Port must either be 443 or a value of 1024 or greater.

4. If you want to relocate a host to a different cluster, choose a cluster name from the Move Host to
Cluster list, then click Move.

In most cases, all hosts should be included in a single cluster for performance purposes.
5. Click Save and Exit.

Viewing or Regenerating a Registration Password


You can view or regenerate a registration password from the Voltage SecureMail Appliance menu. If
you are using a Windows server, you can use the registration utility.
You can only use a password once. If you delete a host and then need to re-register that host, you must
create or regenerate a password.

Viewing a Password from the Appliance Menu


1. From the Appliance Main Menu, use the arrow keys to highlight d. Voltage Services and press
ENTER.
2. From the Service Management Menu, highlight a. Host Registration and press ENTER.
3. From the Host Registration Menu, highlight b. View Current Registration Password and
press ENTER.
If the registration password is available, it is displayed. If no registration password is available,
you must regenerate the password. For security purposes, the password is not displayed again
once it has been used successfully.

Regenerating a Password from the Appliance Menu


1. From the Appliance Main Menu, highlight d. Voltage Services and press ENTER.
2. From the Service Management Menu, highlight a. Host Registration and press ENTER.
3. From the Host Registration Menu, highlight a. Create New Registration Password and press
ENTER.
The new registration password is displayed.

Viewing, Creating or Deleting a Password Using the Registration Utility

Use the following utility to view, create, or delete a registration password, depending on the operating
system:

Windows Server: <IBE installdir>\bin\registration_util
Linux Appliance: /opt/vsibe/bin/registration_util

- To view the current password:
registration_util view
- To create a new password:
registration_util create
- To delete a password:
registration_util delete

Configuring Host Services


Use the Services tab on the Host Details page to enable and disable services on the selected host.
The host must be registered before you can enable any services. You can enable or disable any of the
services that are available on the host. Services that are not available on the host display as Not
Available.
To enable or disable services:
1. Click the System tab, then click the name of the host and the Services tab on the Host Details
page.
2. Click the check box next to the service to enable or disable it.

- If the host is running on a Windows server, only the IBE, ZDM, Client Services check box
displays.
- If the host is running on a Linux Appliance, both the IBE, ZDM, Client Services and the
Gateway Service check boxes display. You can enable both of these services or you can
choose to enable only one of them.

3. Click Save.
4. When you are finished with this page, do one of the following:

- To change the MariaDB database name or password, click the Database tab.
- To bind a certificate or a Gateway SMTP interface to a specific IP address, click the Binding
tab.
- To display or change general settings for the host, click the General tab.
- To return to the System page, click Exit.

Configuring Host Bindings


On the Binding tab on the Host Details page you can:
- Bind the tenant hostname to an IP address.

This is the IP address where the host listens for web requests coming from the browsers of ZDM
users.
- Bind the Inter-cluster Listening Address to an IP address.

This is the IP address where the host listens for requests related to Large Attachment Storage, ZDM
Proxy, Email Answerback, or ZDM read requests that are coming from hosts in other clusters.

Each value in the Name column (tenant hostname or Inter-cluster Listening Address) must be bound
to a unique combination of IP address and port number. See IP Address Requirements for additional
information. IP addresses are only displayed after a host is registered. You can register a host using the
General tab on the Host Details page. See Configuring General Host Settings for instructions, if you
have not already registered the host.
You can bind a tenant hostname, an Inter-cluster Listening Address, or a gateway to an IP address.
Since the Inter-cluster Listening Address is not a hostname, it is not in DNS.
To configure the tenant hostname, Inter-Cluster Listening Address, or gateway bindings:
1. Click the System tab, then click the name of the host.
2. Click the Binding tab on the Host Details page.

3. To bind a tenant hostname (such as voltage-pp-0000.dominicvm.com, as shown in the illustration
above) to an IP address, choose the IP address from the drop-down list next to the name.

NOTE: If the IP address of a host does not display in the drop down list, click Refresh IP
Addresses to display the IP address in the list. If the IP address that is used for
communication between the Management Console and the hosts (the Management IP
Address) has a Management Port value of 443, that IP address does not display for
tenant hostnames.

4. To bind the host to the location at which it listens for requests coming in from other clusters, select
the IP address from the list next to Inter-cluster Listening Address. See the Inter-cluster
Listening Address section of the IP Address Requirements topic for details. To use the same IP
address for both the tenant hostname and the Inter-cluster Listening Address, you can change
the value in the Port field for the Inter-cluster Listening Address. Changing the port value also
allows you to reuse the Management IP address, which uses a default port of 443. If the host is
running on a Linux Appliance, this Port must either be 443 (if it is not sharing the Management IP
address) or a value of 1024 or greater.
5. Click Save and Exit.
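The binding rules in this section (each Name needs a unique IP address and port combination, the Management IP Address and Management Port count as taken, and on a Linux Appliance a port must be 443 or 1024 or greater) can be checked before you click Save and Exit. The function below is an added example written for this guide, not part of the product; the hostnames and addresses it uses are constructed.

```python
from typing import Dict, List, Tuple

# Added example, not Voltage SecureMail code: a pre-save check of a host's
# bindings against the rules in this section. Each Name (tenant hostname or
# the Inter-cluster Listening Address) needs a unique IP:port, the Management
# IP/port pair counts as taken, and on a Linux Appliance a port must be 443 or
# 1024 or greater. Hostnames and addresses below are constructed.

Binding = Tuple[str, int]   # (ip address, port)


def validate_bindings(bindings: Dict[str, Binding], management: Binding,
                      linux_appliance: bool = True) -> List[str]:
    """Return the list of problems; an empty list means the bindings are usable."""
    problems: List[str] = []
    taken: Dict[Binding, str] = {management: "Management IP Address"}
    for name, (ip, port) in bindings.items():
        if not 0 < port < 65536:
            problems.append(f"{name}: {port} is not a valid port")
            continue
        if linux_appliance and port != 443 and port < 1024:
            problems.append(f"{name}: port {port} must be 443 or 1024 or greater on a Linux Appliance")
        owner = taken.get((ip, port))
        if owner is not None:
            problems.append(f"{name} and {owner} both use {ip}:{port}")
        else:
            taken[(ip, port)] = name
    return problems


if __name__ == "__main__":
    # Tenant hostname on 443 and the Inter-cluster Listening Address sharing
    # the same IP on a high port, with management on its own address.
    print(validate_bindings(
        {"voltage-pp-0000.example.com": ("192.0.2.10", 443),
         "Inter-cluster Listening Address": ("192.0.2.10", 8443)},
        management=("192.0.2.11", 443)))
    # Reusing the Management IP address on the default port collides.
    print(validate_bindings(
        {"voltage-pp-0000.example.com": ("192.0.2.11", 443)},
        management=("192.0.2.11", 443)))
```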

Viewing Debug Logs for a Host


The Debug Logs page lets you download the debug logs for the services running on the selected host.
You do not need to use this page unless directed to do so by Micro Focus Support.
To download the debug logs for a host:
1. On the System page, click Logs for the host that has the files you want to download.

The Debug Logs page displays.

A list of the available log files displays, with the most current log for each available service listed
first. Note that when one log file fills up, it is renamed and a new file is started so that no
information is lost. For this reason, multiple log files might be available. If you are using an
Appliance, you can also generate and download logs that contain System Info. This log, which is
not available for a Windows server, contains system configuration and resource usage information
that is generated by a Voltage script called vsinfo. It can take up to one minute to generate this log.

2. Click Download next to the log file that you want.


The log file is downloaded to the location you specify, or to the default download location specified
by your browser.
3. Click Exit to return to the System Configuration page.

NOTE: To specify the amount of data written to these files, go to Administration > Support
Logs, then select either Normal or Detailed from the Service Support Log Settings section
of the page.

Understanding Resources
Resources include the software that your Voltage server uses to perform authentication, such as an
Active Directory server, and to direct emails, such as an SMTP server. These resources are shared by
the hosts in the cluster. To configure resources, click the System tab to display the System
Configuration page, then click the plus icon (+) next to Resources in the table to expand the list.

The System Configuration tab always displays links for general system resources. Additional
resources that are in use, such as those used by the authentication methods that have been enabled,
also display as links in the System Configuration tab. Click a link to perform additional configuration
for the resource. Resources that are not in use do not display on this tab.
The following resource is always available for configuration:
• Outgoing Mail (SMTP) Server - Specify the server information for the Outgoing SMTP Mail server.
This is used by ZDM and by the Server when it sends notification messages and account
verification emails.

The following resource is available if the Gateway Service is enabled on a host:


• Gateway SMTP - Specify the SMTP server information for the Gateway Service. This has
configuration settings for Sendmail. This resource displays after you follow the instructions in
Configuring Host Services.

The following resource is available if a tenant is assigned to this cluster and to at least one other
cluster, and either ZDM Proxy or Large Attachment Storage is enabled for the tenant, or if you have
configured Email Answerback as an authentication method:
• Cluster Shared Address (also called the External Address) - Specify an IP address and a port that
hosts in other clusters use to communicate with hosts in this cluster.

The following resource is available if the ZDM Proxy is enabled for a tenant:
• ZDM Proxy Mail Store - Specify the server information for the ZDM Proxy Mail Store. This
resource displays after you follow the instructions in ZDM Proxy Configuration.

The following resources are available for configuration if an authentication method for at least one
tenant uses them:
• Active Directory - Specify an Active Directory server to be used with Windows Domain
authentication in the cluster. This resource displays after you follow the instructions in Adding an
Active Directory Authentication Method.
• Domino LDAP - Specify the Domino LDAP server information used for authentication. This
resource displays after you follow the instructions in Adding a Domino LDAP Authentication Method.
• POP3 - Specify a POP3 server to be used with POP3 authentication in the cluster. This resource
displays after you follow the instructions in Adding a POP3 Authentication Method.

Configuring an Active Directory Server


If you are using an Active Directory user authentication method, use the following procedure to
enable the Voltage SecureMail software to use the Active Directory server for authentication. You
must be running Microsoft Exchange 2007 or later on the Active Directory server to use these
authentication methods.
Make sure the AD server is reachable from the host running the IBE server on either port 3268 (AD
authentication on the Windows platform) or port 3269 (AD authentication on a Linux or Mobile-enabled
IBE server). Port 3268 is the Global Catalog LDAP port and port 3269 is the Global Catalog LDAP over
SSL/TLS port, which is why the Linux and Mobile-enabled configurations also need a trusted LDAP
server certificate (step 6 below). Limit the firewall rule to the IBE server hosts rather than opening
the port to the whole network.
To enable Voltage SecureMail to use an Active Directory Server:
1. Click the System tab. If there are multiple clusters, click plus icon (+) next to name of the cluster
in the table. Then click the plus icon (+) next to Resources, and click Active Directory.

The Active Directory Details page displays.


2. (Optional) In the Description text box, enter a description that identifies the Active Directory
server that you are configuring.
3. In the Active Directory Domain or Server text box, type either the Active Directory domain name
or the FQDN of the AD server that is to be used for authentication.

NOTE: Using the domain name is recommended.

4. Depending on the value you entered in the Active Directory Domain text box, type the login
name in the User Name text box using one of the formats specified below.

NOTE: The login that you use does not need to be an administrator’s login. However, the
login name must have permission to connect to and query that server.

The login name can be one of the following formats:


• User Principal Name (UPN) format - user01@mydomain.com, where user01 is the login name
and mydomain.com is the UPN suffix. (Recommended)
• NT format - mydomain\user01
• Simple login name - user01. This format can only be used if you entered the domain name in the
Active Directory Domain or Server text box, because the login name is appended to that value. For
example, if you enter mydomain.com as the domain name and user01 as the login, they are
concatenated as user01@mydomain.com.

NOTE: If needed, additional domains can be configured using the Administration >
Advanced tab.


5. Type the password in the Password text box.

6. (Linux Appliance or Mobile-enabled IBE Server) Click Import Certificate for the Trusted LDAP
Server Certificates field.

The Import Certificate page displays, allowing you to browse to the PEM certificate file to be
included.
The Trusted LDAP Server Certificates field and the Import Certificate link display only if you have
a Gateway host in the cluster, or if you have Mobile Edition installed on the IBE server and have
Mobile Policies enabled for a tenant deployed in the cluster.
If you do not import a certificate, only native AD authentication is used.

NOTE: A comprehensive explanation of how to configure user authentication if you have
Mobile Edition enabled is provided in the Voltage SecureMail Mobile Edition Supplement.
Contact Micro Focus Support for information on how to obtain this document.

7. Click Browse to navigate to the PEM certificate file that you are importing.
This file can be the certificate used by your LDAP server itself, or a CA certificate in that
certificate's chain. Importing the issuing CA certificate rather than the server's own certificate
means the trust survives renewal of the server certificate, as long as the same CA issues it.
8. Click Import.

The file you imported displays in the Trusted LDAP Server Certificates table.


To delete a certificate, click Delete in the row for the certificate that you want to delete.
9. Click Save and Exit.

Configuring a Domino LDAP Resource


The Domino server is used for authentication in configurations where Lotus Notes is used for email. In
these cases, the Key Server uses the Domino directory via LDAP for authentication when a client
requests a key.
To configure a Domino LDAP resource:
1. Click the System tab, then click the plus icon (+) next to Resources in the table, and click
Domino LDAP.

The Domino LDAP Details page displays.


2. In the Description text box, enter a description that identifies the LDAP server that you are
configuring.
3. In the Host Name/IP Address text box, enter the host name or the IP address of the machine on
which the LDAP directory resides.
4. In the User Name text box, enter the user name that the cluster uses to bind to the Domino LDAP
directory.

The user name format depends on the Domino server's BindWithFullDN setting.

• If BindWithFullDN = no on the Domino server, you only need to specify the user name. For
example, a directory entry with Name = "CN=abc" is entered as User Name = "abc".
• If BindWithFullDN = yes on the Domino server, you must specify the full DN of the user. In this
case, the only valid format is User Name = "CN=abc,O=voltage".

5. In the Password text box, enter the password for the user name that you entered.
6. Click the Use SSL check box if you want to use SSL to communicate with the LDAP directory.

NOTE: If you want to use SSL, you must add the root certificate of the Domino LDAP
server to the list of trusted root certificates, see Importing CA and Root Certificates.

7. In the Port text box, enter the port number that the hosts use to connect to the Domino LDAP
server. The default, 636, is the standard LDAP over SSL port; if Use SSL is cleared, enter the port
on which the Domino server accepts plain LDAP (389 by default). The IBE server uses the specified
port to communicate with the Domino LDAP server.
8. In the Timeout text box, enter the timeout you want to use for all connections to the LDAP host.
The default is 10 seconds.
9. Click Save and Exit.

Understanding Gateway SMTP Server Configuration


The Voltage SecureMail Gateway SMTP server uses Sendmail as its Mail Transfer Agent (MTA) to
route email. Before you configure the Gateway SMTP Server, you must first configure the Gateway
Service for at least one tenant. See Understanding the Gateway Service and Configuring the Gateway
Service for all Tenants for more information.
The Gateway SMTP server receives mail on the Listen Interface (IP address) and sends mail using the
Client Interface (IP address). The SMTP server listens on a single IP address by default, but you can
configure multiple listen IP addresses if necessary.
For example, if you are integrating the Gateway Service with a content scanner that adds X-headers to
email, you can configure encrypt/decrypt policy rules based on the content of the X-header. If your
content scanner does not include X-headers in email, you need to configure two IP addresses on the
Gateway: one that accepts email needing to be encrypted and the other accepting email that needs to
be decrypted.
You assign a virtual name and define the interfaces as Policy Routes on the Gateway Service page,
under All Tenants. See Configuring Policy Routes for more information. You then map the Policy
Route to a physical IP address in the host configuration on the System page. See Configuring Host
Bindings for more information.
To configure a Gateway SMTP Server, click the System tab, then click the plus icon (+) next to
Resources in the table, and click Gateway SMTP.
The Gateway SMTP Details page displays.

This page contains the following tabs:


• General - You can specify the SMTP Hostname, the Listen IP Address for receiving email, and the
Client IP Address for sending email.
• Allowed Relays - You can specify the domains and/or subnet addresses that can be used for
relaying messages.
• Mail Routes - You can specify inbound and outbound mail routes, and/or the Smart Host you want
to use for outbound message routing.
• Advanced - You can specify features, configuration options and advanced configurations for
Sendmail. Entries are added to the sendmail.mc configuration file.

Configuring Gateway SMTP General Settings


Use the General tab of the Gateway SMTP Details page to specify the SMTP Hostname, the Listen
IP Address for receiving email, and the Client IP Address for sending email.
To configure gateway SMTP general settings:
1. Click the System tab, then click the plus next to Resources in the table, and click Gateway
SMTP.

The Gateway SMTP page displays.

2. Enter the host name you want to use as the SMTP Hostname in the SMTP Hostname text box.
This must be a fully qualified domain name that uses no special characters.
3. Enter the email address that you want to receive administrator messages in the Administrator
Email text box.
4. Click Save if you do not wish to enable multiple interfaces or click Enable Multiple Interfaces to
add more interfaces.


5. In the Listen Interfaces text box, enter virtual names such as "encrypt" or "decrypt" to be used for
the listen interfaces and then click Add.
After entering the virtual names for the Listen Interfaces, you must map them to the IP addresses
of the physical interfaces in the Host Details > Binding tab. See Configuring Host Bindings for
more information.
The interfaces are added to the Listen Interfaces text box. The Client Interface list is also
populated with the interfaces that you add.
6. From the Client Interface list, select the interface whose address the gateway presents to the
receiving MTA as the source of the connection when it sends mail.
7. By default, Use Incoming Interface for Delivery is selected. Clear it if you want mail delivered
from the interface you selected in step 6.
When Use Incoming Interface for Delivery is selected, mail is delivered using the same
interface on which it was received. When it is cleared, mail is delivered using the interface that you
selected in the Client Interface list.
8. Click Save to save the General configuration options.

Configuring Allowed Relays


The Allowed Relays tab enables you to specify domains or IP addresses that can relay email through
the Gateway SMTP server.
To configure allowed relays:
1. Click the System tab, then click the plus next to Resources in the table, and click Gateway
SMTP.
2. On the Gateway SMTP Details page for the selected cluster, click the Allowed Relays tab.
3. In the first text entry field (before the /), enter a fully qualified host name, IP address, or IP subnet
of the machine that will be allowed to send outbound email through the Gateway SMTP Server.
These can be machines running anti-spam or anti-virus programs, your mail server, or a whole
subnet, such as 192.168. You can add each name individually, or separate multiple entries using
commas.

CAUTION: For security purposes, Micro Focus recommends that you restrict the list of
allowed mail relays to the specific authorized hosts in your organization. Whenever
possible this should be done using full IP addresses rather than subnet patterns. This will
prevent arbitrary hosts from relaying mail through the Gateway for encryption or decryption.

4. (Optional) In the second text entry field (after the /), enter the subnet mask.
5. Click Add.
6. Enter additional relays, as necessary.
7. Click Save and Exit.
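The CAUTION above is easy to violate by accident, because a short dotted prefix admits far more hosts than it looks like. The following is an added example, not code from the guide or from the Voltage product: it parses an Allowed Relays list, answers whether a given connecting client would be permitted to relay, and reports entries that admit more hosts than a chosen threshold. The entry forms it accepts (full IPv4 address, dotted prefix such as 192.168, address/mask, fully qualified host name) and the comma-separated input are modelled on what this tab accepts; the exact matching rules of the product are an assumption.

```python
"""Added example (not from the guide or the product): audit a Gateway SMTP
Allowed Relays list before saving it.

Assumed entry forms, modelled on what the Allowed Relays tab accepts:
  - a full IPv4 address         "10.1.2.3"                -> exactly that host
  - a dotted prefix             "192.168"                 -> 192.168.0.0/16
  - "address/mask"              "10.20.0.0/255.255.255.0" -> that subnet
  - a fully qualified host name "mail.example.com"
The comma-separated input form and the prefix semantics are assumptions;
the guide only says that a subnet "such as 192.168" is accepted.
"""
import ipaddress

# Entries covering more hosts than this are reported as over-broad. The
# threshold is an assumption; pick one that fits your environment.
MAX_HOSTS_PER_ENTRY = 256


def parse_relay_entry(entry):
    """Return ("net", ip_network) or ("host", lowercase host name)."""
    entry = entry.strip()
    if "/" in entry:
        addr, mask = entry.split("/", 1)
        return ("net", ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    if entry.replace(".", "").isdigit():
        octets = entry.strip(".").split(".")
        if len(octets) == 4:
            return ("net", ipaddress.ip_network(f"{entry}/32"))
        # A dotted prefix matches every address that begins with it,
        # so "192.168" becomes 192.168.0.0/16.
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ("net", ipaddress.ip_network(f"{padded}/{8 * len(octets)}"))
    return ("host", entry.lower())


def parse_relay_list(text):
    """Split the console's comma-separated entry list into parsed rules."""
    return [parse_relay_entry(e) for e in text.split(",") if e.strip()]


def is_allowed_relay(rules, client_ip, client_host=None):
    """True if the connecting client may relay through the Gateway.

    client_host is the client's resolved (reverse DNS) name, which is what a
    host-name entry is compared against. Reverse DNS is controlled by whoever
    owns the client's address block, so IP-based entries are the stronger
    control.
    """
    ip = ipaddress.ip_address(client_ip)
    for kind, value in rules:
        if kind == "net" and ip in value:
            return True
        if kind == "host" and client_host and client_host.lower() == value:
            return True
    return False


def over_broad_entries(rules, max_hosts=MAX_HOSTS_PER_ENTRY):
    """Network entries that admit more than max_hosts addresses."""
    return [str(v) for k, v in rules if k == "net" and v.num_addresses > max_hosts]


if __name__ == "__main__":
    # Constructed sample list: an AV scanner by address, the internal mail
    # server by name, a /24 with an explicit mask, and an over-broad prefix.
    rules = parse_relay_list(
        "10.1.2.3, mail.example.com, 10.20.0.0/255.255.255.0, 192.168")
    print(over_broad_entries(rules))                 # ['192.168.0.0/16']
    print(is_allowed_relay(rules, "192.168.77.5"))   # True: any 192.168.x.x host
```

Run the audit against the list you intend to enter: anything reported by over_broad_entries should be replaced by the specific addresses of the scanners and mail servers that really need to relay, which is what the CAUTION asks for.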


Configuring Mail Routes


The typical Gateway SMTP configuration defines a Smart Host to use for all email routing, with one
inbound mail route and no outbound routes. The Smart Host does additional processing or routing of the
message. The Gateway SMTP server uses only one vsgateway milter for both inbound and outbound
mail.
You can create more than one inbound and outbound mail route if you want to associate specific
domains with different routing destinations. If you do not define any Outbound Domains or a Smart
Host, the Gateway SMTP server performs a DNS MX Lookup to determine where an outbound email is
to be delivered.
If you want to configure two different network interfaces - one to receive inbound mail and one to
receive outbound mail - you can configure two Local IP Bindings under All Tenants. See Configuring the
Gateway Service for all Tenants and Adding a Policy Rule for more information.
To configure mail routes:
1. Click the System tab, then click the plus icon (+) next to Resources in the table, and click
Gateway SMTP.
2. In the Gateway SMTP Details page for the selected cluster, click the Mail Routes tab.
3. In the Smart Host text box, enter the name of the mail server to which the gateway will deliver all
email if the recipient of the email does not match any of the domains specified in the Inbound
Routes or Outbound Routes tables. You can enter the names or IP addresses of multiple mail
servers to support high availability. If the first mail server is not available, the next one on the list is
used. If you specify multiple values, separate them with a colon.

To add an inbound mail route:


1. Click New Inbound Route.

The New Inbound Mail Route page displays.


2. In the Inbound Domains text box, enter the domain names for which the Gateway SMTP will be
receiving email, then click the Add button.

Include the domain names for all inbound email to the company, separating the entries using a
comma.
3. In the Route Destination text box, enter the route destination to define where the mail server
should route incoming email. Note that you can enter the names or IP addresses of multiple
destinations to support high availability. If the first destination is not available, the next one on the
list is used. If you specify multiple values, separate them with a colon.
4. Click Save.

The inbound route you added appears in the Inbound Routes table.
To add an outbound mail route:
1. Click New Outbound Route.

The New Outbound Mail Route page displays.


2. In the Outbound Domains text box, enter a domain name associated with this route, and then
click Add.

Any mail with a recipient matching this domain will be delivered directly to the mail server
specified in the Route Destination text box.
3. In the Route Destination text box, enter the route destination to define which mail server the
Gateway server should deliver mail to. Note that you can enter the names or IP addresses of
multiple destinations to support high availability. If the first destination is not available, the next
one on the list is used. If you specify multiple values, separate them with a colon.
4. Click Save.
The outbound route you added appears in the Outbound Routes table.
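The routing decision described in this section (inbound route by recipient domain, otherwise outbound route, otherwise the Smart Host, otherwise a DNS MX lookup, with every destination field a colon-separated failover list) is easy to get wrong when several routes overlap. The following is an added example, not code from the guide or the product: it evaluates a planned route table offline and flags two configuration problems worth catching before you click Save. It assumes exact, case-insensitive domain matching (the guide does not say whether subdomains match), assumes inbound routes are consulted before outbound ones, and takes MX resolution as a caller-supplied function so it runs without DNS.

```python
"""Added example (not from the guide or the product): decide where the
Gateway SMTP server would hand a message off, in the order the Mail Routes
tab describes, and lint the route table.

Assumptions: exact, case-insensitive domain matching; inbound routes are
checked before outbound ones; MX resolution is supplied by the caller.
"""


def split_destinations(field):
    """'mx1.test:mx2.test' -> ['mx1.test', 'mx2.test'] (failover order)."""
    return [d.strip() for d in field.split(":") if d.strip()]


def recipient_domain(address):
    """Domain part of an email address, lowercased."""
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    return address.rsplit("@", 1)[1].lower()


def select_route(recipient, inbound_routes, outbound_routes, smart_host, mx_lookup):
    """Return (route_kind, [destinations in failover order]).

    inbound_routes / outbound_routes: lists of (domains, destination_field)
    smart_host: destination_field, or "" when no Smart Host is configured
    mx_lookup: function(domain) -> list of MX hosts, used only as last resort
    """
    domain = recipient_domain(recipient)
    for domains, field in inbound_routes:
        if domain in {d.lower() for d in domains}:
            return ("inbound", split_destinations(field))
    for domains, field in outbound_routes:
        if domain in {d.lower() for d in domains}:
            return ("outbound", split_destinations(field))
    if smart_host.strip():
        return ("smart_host", split_destinations(smart_host))
    return ("mx", mx_lookup(domain))


def pick_destination(destinations, reachable):
    """First destination that `reachable` accepts, or None if all fail."""
    for dest in destinations:
        if reachable(dest):
            return dest
    return None


def routing_warnings(inbound_routes, outbound_routes, smart_host):
    """Route-table problems worth fixing before Save."""
    warnings = []
    inbound = {d.lower() for domains, _ in inbound_routes for d in domains}
    outbound = {d.lower() for domains, _ in outbound_routes for d in domains}
    for dup in sorted(inbound & outbound):
        warnings.append(f"{dup} appears in both an inbound and an outbound route")
    if not smart_host.strip():
        warnings.append("no Smart Host: unmatched domains are delivered directly via "
                        "DNS MX lookup, so the Gateway needs outbound SMTP access")
    return warnings


if __name__ == "__main__":
    # Constructed sample table: one inbound route with two failover
    # destinations, one partner outbound route, and a two-host Smart Host.
    inbound = [(["example.com", "corp.example.com"], "exch1.internal:exch2.internal")]
    outbound = [(["partner.example.net"], "mta.partner.example.net")]
    smart = "relay1.internal:relay2.internal"
    offline_mx = lambda d: [f"mx.{d}"]   # stand-in for DNS

    print(select_route("bob@Example.com", inbound, outbound, smart, offline_mx))
    # ('inbound', ['exch1.internal', 'exch2.internal'])
    print(select_route("alice@other.test", inbound, outbound, "", offline_mx))
    # ('mx', ['mx.other.test'])
    print(routing_warnings(inbound, outbound, ""))
```

pick_destination models the "if the first server is not available, the next one on the list is used" behaviour; feed it a connectivity check to confirm that each failover list really does contain a second host you can reach.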

Configuring Advanced Settings


The Advanced tab for the Gateway SMTP service enables you to specify advanced features,
configuration options and advanced configuration options for Sendmail. When you add an entry to any
of the tables on this tab, a line is added to the Sendmail configuration file, sendmail.mc.

NOTE: You should be familiar with configuring Sendmail using the sendmail.mc file before
specifying entries on the Advanced tab.

You can specify the following entries on the Advanced tab:


• Features - When you add a feature to the Advanced Features table, a "FEATURE()" line is added to
the configuration file.
• Configuration Options - When you add a macro to the Advanced Macros table, a "define()" line
is added to the configuration file.


• Advanced Configurations - When you add a custom configuration to the Advanced Configurations
table, the line that is added to the configuration file depends on the type of configuration that you add.
The line will be in the form, "configuration_name(`configuration_value')".

Specifying an Advanced Feature


When you add an advanced feature to the Advanced Features table, a "FEATURE()" line is added to
the sendmail.mc configuration file. You can use all of the available Sendmail features. Use the
following steps to add advanced features. See Feature Examples for examples of features that you can
add.
To add an advanced feature:
1. Click the System tab, then click the plus next to Resources in the table, and click Gateway
SMTP.
2. In the Gateway SMTP Details page for the selected cluster, click the Advanced tab.
3. Select Feature from the list at the bottom of the page.
4. Enter the feature that you are adding, for example greet_pause.

Entries that you make to the Advanced Features table are case sensitive. In the above example,
greet_pause must be all lower case. See your Sendmail documentation for more information.
5. Click Add.
The feature is added to the Advanced Features table.
6. If the feature that you are adding requires a value, enter a value in the text box in the Feature
Value column on the Advanced Features table.
Some features do not require a value. In those cases, leave the Feature Value column empty.
7. Click Save to save your entry, or click Save and Exit to save your entry and exit the Advanced
tab.

Feature Examples
The following are some examples of features that you can use. See your Sendmail documentation for
information on all available features.
• greet_pause

The greet_pause feature pauses briefly before sending the 220 greeting. If any commands arrive
during that pause, the connection is marked bad and anything further sent over it is ignored. Because
many spam senders start talking before the greeting arrives, this feature can cut down the number of
spam attempts.
To use the greet_pause feature:
1. Enter greet_pause as the feature name.
2. In the Feature Value column, enter the number of milliseconds that you want the pause to last
(5000 = 5 seconds).

When you add this feature to the Advanced Features table, the following line is added to the
sendmail.mc file: FEATURE(`greet_pause', `5000').


• allmasquerade

To use this feature, you must enable masquerading by entering a MASQUERADE_AS advanced
configuration option. See Specifying an Advanced Configuration for instructions. By default the
MASQUERADE_AS option only applies to the outgoing sender address. The allmasquerade
feature configures Sendmail to use the masqueraded domain on recipient addresses as well.
Before using allmasquerade, check your Sendmail documentation for details of usage and
possible issues.
To use the allmasquerade feature:
1. Enter allmasquerade as the Feature Name.
2. Do not enter a value.

When you add this feature to the Advanced Features table, the following line is added to the
sendmail.mc file: FEATURE(`allmasquerade').
• accept_unresolvable_domains

You can use the accept_unresolvable_domains feature to accept all domains, even when a
domain is unresolvable. Normally, MAIL FROM: commands in the SMTP session are refused if
the host part of the argument to MAIL FROM: cannot be located in the host name service. If you
are inside a firewall that has only a limited view of the Internet host name space, this could cause
problems.
To use the accept_unresolvable_domains feature:
1. Enter accept_unresolvable_domains as the Feature Name.
2. Do not enter a value.

When you add this feature to the Advanced Features table, the following line is added to the
sendmail.mc file: FEATURE(`accept_unresolvable_domains')

Specifying a Configuration Option


When you add a configuration option to the Configuration Options table, a "define()" line is added to
the sendmail.mc configuration file. Use the following steps to add configuration options. See
Configuration Option Examples for examples of macros that you can add.
To add a configuration option:
1. Click the System tab, then click the plus next to Resources in the table, and click Gateway
SMTP.
2. In the Gateway SMTP Details page for the selected cluster, click the Advanced tab.
3. Select Configuration Option from the dropdown list at the bottom of the page.
4. Enter the configuration option that you are adding, for example confMAX_MESSAGE_SIZE.
Entries that you make to the Configuration Options table are case sensitive. In the above
example, confMAX_MESSAGE_SIZE must be entered as shown. See your Sendmail
documentation for more information.
5. Click Add.


The configuration option is added to the Configuration Options table.


6. Enter a value in the text box in the Configuration Value column on the Configuration Options
table.
7. Click Save to save your entry, or click Save and Exit to save your entry and exit the Advanced
tab.

Configuration Option Examples


Some examples of macros that you can use are:
• confMAX_MESSAGE_SIZE

This is the maximum size in bytes of the messages that will be accepted.
To use the confMAX_MESSAGE_SIZE configuration option:
1. Enter confMAX_MESSAGE_SIZE as the configuration option name.
2. In the Configuration Value column, enter the maximum message size in bytes, for example,
1000. (A limit this small is for illustration only; it would reject almost any real message.)

When you add this line to the Configuration Options table, the following line is added to the
sendmail.mc file: define(`confMAX_MESSAGE_SIZE', `1000').
• confMAX_HOP

The confMAX_HOP configuration option sets the maximum number of times a message may be
relayed through mail-handling sites (maximum hop count).
To use the confMAX_HOP configuration option:
1. Enter confMAX_HOP as the configuration option name.
2. In the Configuration Value column, enter the maximum number of hops you want to allow, for
example, 15.

When you add this line to the Configuration Options table, the following line is added to the
sendmail.mc file: define(`confMAX_HOP', `15')
• confTO_COMMAND

The confTO_COMMAND configuration option sets the maximum interval of time for Sendmail to
wait for the arrival of the next SMTP command. Setting the confTO_COMMAND value of 1h
causes Sendmail to close the connection and exit if the client sits idle for 1 hour.
To use the confTO_COMMAND configuration option:
1. Enter confTO_COMMAND as the configuration option name.
2. In the Configuration Value column, enter the time limit, for example, 1h.

When you add this line to the Configuration Options table, the following line is added to the
sendmail.mc file: define(`confTO_COMMAND', `1h').


Specifying an Advanced Configuration


When you add an advanced configuration to the Advanced Configurations table, the line that is added
to the configuration file depends on the type of configuration that you add. The line will be in the form,
"configuration_name(`configuration_value')".
To add an advanced configuration:
1. Click the System tab, then click the plus next to Resources in the table, and click Gateway
SMTP.
2. In the Gateway SMTP Details page for the selected cluster, click the Advanced tab.
3. Select Advanced Configuration from the list at the bottom of the page.
4. Enter the advanced configuration that you are adding, for example MASQUERADE_AS.
Entries that you make to the Advanced Configurations table are case sensitive. In the above
example, MASQUERADE_AS must be all upper case. See your Sendmail documentation for more
information.
5. Click Add.
The advanced configuration is added to the Advanced Configurations table.
6. Enter a value in the text box in the Advanced Configuration Value column.
7. Click Save to save your entry, or click Save and Exit to save your entry and exit the Advanced
tab.

Custom Configuration Examples


Some examples of configurations that you can use are:
• MASQUERADE_AS

This allows you to set your host to masquerade as a different host.


To use the MASQUERADE_AS advanced configuration option:
1. Enter MASQUERADE_AS for the Advanced Configuration name.
2. In the Advanced Configuration Value column, enter the domain name that you want the mail to
be labeled as coming from.

When you add this line to the Advanced Configurations table, the following line is added to the
sendmail.mc file: MASQUERADE_AS(`host.domain')
• MASQUERADE_EXCEPTION

If you have specified the MASQUERADE_AS advanced configuration option, you can use the
MASQUERADE_EXCEPTION advanced configuration option to exempt hosts or subdomains from
being masqueraded.
To use the MASQUERADE_EXCEPTION advanced configuration option:
1. Enter MASQUERADE_EXCEPTION for the Advanced Configuration name.
2. In the Advanced Configuration Value column, enter the domain name that you want exempt
from masquerading.

When you add this line to the Advanced Configurations table, the following line is added to the
sendmail.mc file: MASQUERADE_EXCEPTION(`host.domain')
• EXPOSED_USER

Specifying the EXPOSED_USER advanced configuration option allows you to enter a user name
that you want to be "exposed." In other words, the user's internal site name will be displayed
instead of the masquerade name. This is used only when you have specified the MASQUERADE_
AS option.
To use the EXPOSED_USER advanced configuration option:
1. Enter EXPOSED_USER for the Advanced Configuration name.
2. In the Advanced Configuration Value column, enter the user name that you want to expose.
3. Enter a separate line for each user name that you want to expose.

When you add this line to the Advanced Configurations table, the following line is added to the
sendmail.mc file: EXPOSED_USER(`username')
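Everything entered on the Advanced tab, across the Features, Configuration Options and Advanced Configurations tables described above, ends up as m4 text in sendmail.mc. The following is an added example, not code from the guide or from the product: it renders a set of planned rows into the lines the guide says they produce, using m4's `...' quoting, and checks the dependency the guide calls out (allmasquerade, MASQUERADE_EXCEPTION and EXPOSED_USER only make sense alongside MASQUERADE_AS). The guide does not say how the console escapes values, so the example takes the conservative position of refusing names or values that contain m4 quote characters, parentheses or newlines: such a value cannot be written as one well-formed directive, and an unbalanced quote would let the remainder of the value be read as further m4 input.

```python
"""Added example (not from the guide or the product): render Advanced-tab
rows into sendmail.mc lines and check the dependencies the guide describes.

    Feature                -> FEATURE(`name') or FEATURE(`name', `value')
    Configuration Option   -> define(`name', `value')
    Advanced Configuration -> name(`value')

Assumption: the guide does not say how the console escapes values, so this
example refuses names or values containing m4 quote characters, parentheses
or newlines. Commas are allowed because m4 quoting protects them and some
legitimate values (for example a list of privacy flags) contain them.
"""
import re

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
UNSAFE_RE = re.compile(r"[`'()\n]")

# Entries the guide says only work together with a MASQUERADE_AS entry.
NEEDS_MASQUERADE_AS = {"allmasquerade", "MASQUERADE_EXCEPTION", "EXPOSED_USER"}


def is_safe(text):
    """True if the text can be placed inside m4 quotes without ambiguity."""
    return text is None or not UNSAFE_RE.search(text)


def m4_quote(text):
    return "`" + text + "'"


def render_entry(kind, name, value=None):
    """Return the single sendmail.mc line for one Advanced-tab row.

    Names are passed through unchanged: Sendmail is case sensitive, so
    greet_pause and confMAX_HOP must be spelled exactly as documented.
    """
    if not NAME_RE.match(name) or not is_safe(value):
        raise ValueError(f"refusing to render {kind} entry {name!r}: unsafe characters")
    has_value = value not in (None, "")
    if kind == "feature":
        if not has_value:
            return f"FEATURE({m4_quote(name)})"
        return f"FEATURE({m4_quote(name)}, {m4_quote(value)})"
    if kind == "option":
        if not has_value:
            raise ValueError(f"configuration option {name} requires a value")
        return f"define({m4_quote(name)}, {m4_quote(value)})"
    if kind == "advanced":
        if not has_value:
            raise ValueError(f"advanced configuration {name} requires a value")
        return f"{name}({m4_quote(value)})"
    raise ValueError(f"unknown entry kind {kind!r}")


def check_dependencies(entries):
    """Names of entries that need MASQUERADE_AS when no MASQUERADE_AS row exists."""
    names = {entry[1] for entry in entries}
    if "MASQUERADE_AS" in names:
        return []
    return sorted(n for n in names if n in NEEDS_MASQUERADE_AS)


def render_table(entries):
    """Render all rows, in table order, as they would appear in sendmail.mc."""
    return "\n".join(render_entry(*entry) for entry in entries)


if __name__ == "__main__":
    # Constructed sample rows using the examples from this section.
    rows = [("feature", "greet_pause", "5000"),
            ("feature", "allmasquerade"),
            ("option", "confMAX_HOP", "15"),
            ("option", "confTO_COMMAND", "1h"),
            ("advanced", "MASQUERADE_AS", "example.com"),
            ("advanced", "EXPOSED_USER", "root")]
    print(render_table(rows))
    print(check_dependencies(rows[:2]))   # ['allmasquerade'] without MASQUERADE_AS
    print(is_safe("5000') FEATURE(`promiscuous_relay"))   # False
```

The last line shows the kind of value the safety check exists for: promiscuous_relay is a real Sendmail feature that disables relay checking, so a value that smuggled it in would undo the Allowed Relays restrictions. Whether the console would pass such a value through is not stated in the guide; the check simply makes sure your own input never contains it.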

Configuring a ZDM Proxy Mail Store


To use a ZDM Proxy Mail Store to authenticate email encryption users:
1. Click the System tab, then click the plus icon (+) next to Resources in the table, and click ZDM
Proxy Mail Store.

The ZDM Proxy Mail Store Details page displays.


2. In the Description text box, enter a unique description for the ZDM Proxy Mail Store that you are
adding.
3. If you are using the Local Mail Store, select Use Local Mail Store.
If you use the local mail store, the Gateway service running on the host accepts the ZDM proxy
emails and stores the messages in the Key Server database.

NOTE: If you select Use Local Mail Store, you must enable the Gateway service on all of
the hosts in the cluster. See Configuring Host Services for instructions.

4. If you selected Use Local Mail Store you do not need to configure anything else on this page,
click Save and Exit. If you are not using the Local Mail Store, do not select the Use Local Mail
Store box. Continue with Step 1 below.

If you are not using the Local Mail Store complete the following steps:
1. In the Host Name text box, enter the name of the IMAP or POP3 email host for the ZDM Proxy
account.
If you use an IMAP or POP3 Inbox on a remote server, the host periodically polls the remote
server for ZDM proxy emails and then stores the polled emails in the Key Management Server
Database.
2. From the Protocol list, select one of the following:
• IMAP - If you use IMAP, you must open port 143 for communication.
• POP3 - If you use POP3, you must open port 110 for communication.
Ports 143 and 110 carry the protocol, including the mailbox credentials, in clear text; with Use SSL
selected (step 3) the standard ports are 993 for IMAP and 995 for POP3.
3. Select Use SSL.
To protect the mailbox credentials and the polled messages in transit between the Key Management
Server and the mail host (for example, a Microsoft Exchange server), select Use SSL. When Use SSL
is selected, communication happens over a secure port.
When you select Use SSL, you must ensure that the root certificate for the host is in the list of
Trusted Root Certificates on the Services > All Services > Certificates tab. See Importing CA
and Root Certificates.
4. In the Port text box, the correct port for the protocol you selected is entered, see Step 2 above.
5. Click Save to save the changes you made or click Save and Exit to save the changes and exit
the ZDM Proxy Mail Store page.

Configuring an Outgoing Mail (SMTP) Server


To configure the Outgoing Mail (SMTP) server that the Server and ZDM use to send notification
messages and account verification emails:
1. Click the System tab, then click the plus next to Resources in the table, and click Outgoing Mail
(SMTP) Server.

The Outgoing Mail (SMTP) Server Details page displays.


2. In the Description text box, enter a unique description for the Outgoing Mail (SMTP) server that
you are adding.
3. For the Host Name text box, select one of the following options and enter or select the required
information:
• Host Name - Enter the IP address or host name of a machine. The policy route re-routes the
message to the specified machine.
• Specify Local Interface - Select an interface name from the drop-down list. The policy route
re-routes the message back to the local machine to the selected local interface.
4. In the Port text box, enter the SMTP port number used by your SMTP server. The default is 25.
5. In the Timeout text box, enter the length of time in milliseconds that the server waits for a reply
from the SMTP server.
6. Click Save to save your changes or Save and Exit to save your changes and exit the Outgoing
Mail (SMTP) Details page.

Configuring a POP3 Server


If you are using a POP3 authentication method, you must configure the POP3 server to be used for
authentication purposes.
1. Click the System tab, then click the plus next to Resources in the table, and click POP3.

The POP3 Details page displays.


2. In the Description text box, enter a description that identifies the POP3 server that you are using.
3. In the Host Name text box, enter the name of the POP3 server you want to use for authenticating
users.
The Key Management Server must be able to communicate with this server. The POP3
authentication method supports user validation using the full email address or just the user name
(such as alice@mydomain.com or just alice).
4. Select the Use SSL check box.
To enable secure communication between the Key Management Server and the Microsoft
Exchange server, select Use SSL. When Use SSL is selected, communication happens over a
secure port.
When you select Use SSL, you must ensure that the root certificate for the host is in the list of
Trusted Root Certificates on the Services > All Services > Certificates tab. See Importing CA and
Root Certificates.
5. In the Port text box, enter the port number that you are using for the POP3 server, or leave the
default port number, 110.
6. In the Timeout text box, enter the number of milliseconds after which the connection to the POP3
server times out, or leave the default, 10,0000.
7. Click Save and Exit.

Configuring a Cluster Shared Address


You can configure an IP address to enable communication across clusters. The Cluster Shared
Address resource is available if your environment includes at least one tenant that is used in multiple
clusters. If the ZDM Proxy is enabled, or you are using Large Attachment Storage, or both, you must
configure an IP address to enable communication across clusters. Additionally, Micro Focus
recommends that you configure a cluster shared address whenever a user might begin authentication
on one cluster and complete it on another.
To configure a cluster shared address:
1. Click the System tab, then click the plus next to Resources in the table, and click Cluster
Shared Address.

The Cluster Shared Address Details page displays.

2. (Optional) In the Description field, enter a description for the external address.
3. Configure the values in the Cluster Shared Address section when another cluster needs
information from this cluster about ZDM Proxy, Email Answerback, Enrollment Service, or Large
Attachment Storage. See the Cluster Shared Address section of the IP Address Requirements
topic for details.

• In the IP Address text box, enter the IP address that hosts in other clusters use to
communicate with hosts in this cluster.
• In the Port text box, enter the port number used for the cluster shared address, or leave the
default port number, 443.

4. Click Save and Exit.

Administering the SecureMail System


This chapter provides information on administering the Voltage SecureMail system.

Understanding the System Administration Functions


The Administration tab allows you to configure the display parameters for the Management Console
Home page, back up or restore your Voltage server, manage administrator accounts, and configure and
view debug logs for the Management Console and Data Management Service.
See the following topics for information and instructions:
• Configuring the Server
• Understanding Back Up and Restore
• Understanding Administrator Accounts
• Understanding Logging
• Understanding Advanced Feature Configuration

Configuring the Server


The Server Configuration page lets you configure the display parameters for the Management
Console Home page, specify settings used when the Management Console sends email notifications,
and configure remote access to the Management Console. The Server Configuration page displays by
default when you click the Administration tab.

1. In the Home Display Parameters section, configure the following values to control how much
information displays on the Home page:

• Number of System Failures per Page - Enter the number of failure messages you want to
display per page in the System Failures box on the Home page. The default is five.
• Refresh System Failures Page Every - Enter a refresh rate in minutes. The default is five,
so the System Failures page is refreshed every five minutes.
• Alert When Number of System Events Exceeds - Enter a number of system events. When
the number of logged system events reaches the number you enter, an alert is displayed on the
Home page.

2. In the SSL Certificate Expiration section, use the Alert When SSL Certs Expire In text box to
specify how many days before one or more SSL certificates expire you want to be alerted. The
default is 30 days. The notification displays on the Home page, and is also sent to the email
addresses that you specify in the Expiration Notification List. Leave this list empty if you do not
want the Management Console to send a notification via email.

3. In the Server Email Settings section, specify either the host name or IP address in the SMTP
Host Name text box. This is the host that is used when the Voltage SecureMail Server sends out
email notifications, such as when an automated backup or a report is ready.
4. Specify the From Address that appears in email messages that are automatically generated by
the Management Console.
5. Click Test to verify that the Management Console can connect to the server. If the connection is
successful, the message SMTP connection verified displays at the top of the Server
Configuration page.
6. In the Remote Server Access section, verify that remote access to this console from other
machines is enabled by ensuring that Enable Remote Access is selected.

CAUTION: If you are accessing the Management Console remotely and you clear Enable
Remote Access, clicking Save removes your Management Console access immediately.
You must access the Management Console locally, using http://localhost:8080/console.

By default, remote access to the Management Console is enabled. If remote access is disabled,
see the following topics for instructions on how to enable it:
• Enabling Remote Server Access - Windows
• Enabling Remote Server Access - Linux

The Remote Access IP Networks box lists the IP networks that have been granted access to the
Management Console.
To limit which remote browsers can reach the Management Console, identify the machine(s) from
which administrative logins are accepted by entering an IP address and a netmask in the Enter as IP
Address/Netmask text box. Only the address bits selected by the netmask are compared, so a
netmask of 0.0.0.0 matches every address regardless of the IP address entered.
The following are examples of IP address and netmask entries:
To allow everyone:
IP Address: 127.0.0.1
Netmask: 0.0.0.0
To allow any machine on the 172.16 class B network:
IP Address: 172.16.0.0
Netmask: 255.255.0.0
To allow only the machine with IP address 172.16.5.14:
IP Address: 172.16.5.14
Netmask: 255.255.255.255
7. Type the IP address and netmask, then click Add.
The HTTPS access URL field displays the URL that you can use to access the Management
Console from a remote machine. On the machine for which you allowed access, you can open a
browser and enter the HTTPS access URL to log into the Management Console.
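Two of the settings in this procedure can be checked from a shell before you rely on them. The script below is an added example for readers of this guide; it is not part of Voltage SecureMail, and the function names (ip_allowed, cert_expires_within, report_remote_access) and the sample addresses and entries are the author's own. ip_allowed evaluates a client address against entries written the way the console takes them (address/netmask) and shows why the 127.0.0.1 with netmask 0.0.0.0 entry admits everyone; cert_expires_within uses the -checkend option of openssl x509 to reproduce the Alert When SSL Certs Expire In test for any certificate file, including ones the console does not manage.

```shell
#!/bin/sh
# Added example, not part of Voltage SecureMail or this guide.
# Two command-line checks that mirror settings on the Server Configuration page:
#  - ip_allowed: does a client address fall inside the Remote Access IP Networks list?
#  - cert_expires_within: would a certificate trip the "Alert When SSL Certs Expire In" threshold?
# Function names and the sample addresses used in comments are the author's own choices.

# valid_octet N : true if N is an integer in 0..255
valid_octet() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 255 ]
}

# ip_to_int A.B.C.D : prints the dotted quad as a 32-bit integer; fails on bad input
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do valid_octet "$o" || return 1; done
    printf '%d\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_allowed CLIENT_IP ENTRY... : each ENTRY is "address/netmask" exactly as it is
# entered in the console. Exit 0 if CLIENT_IP matches any entry, 1 if none, 2 on bad input.
# Only the bits set in the netmask are compared, which is why the guide's
# "allow everyone" entry 127.0.0.1/0.0.0.0 matches any address at all.
ip_allowed() {
    client=$(ip_to_int "$1") || return 2
    shift
    for entry in "$@"; do
        addr=$(ip_to_int "${entry%/*}") || return 2
        mask=$(ip_to_int "${entry#*/}") || return 2
        [ $(( client & mask )) -eq $(( addr & mask )) ] && return 0
    done
    return 1
}

# cert_expires_within CERT_PEM DAYS : exit 0 if the certificate expires within DAYS
# days (the console would show its alert), 1 if it stays valid longer than that.
# "openssl x509 -checkend SECONDS" exits 0 while the certificate remains valid for
# that many seconds. An unreadable file also counts as "expiring", so a wrong path
# is never silently reported as healthy.
cert_expires_within() {
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report_remote_access CLIENT_IP ENTRY... : prints a one-line verdict for CLIENT_IP
report_remote_access() {
    ip=$1
    if ip_allowed "$@"; then
        echo "$ip: console login would be accepted"
    else
        echo "$ip: console login would be refused"
    fi
}
```

Typical use is `report_remote_access 172.16.5.14 172.16.0.0/255.255.0.0` after typing the entries you intend to add, and `cert_expires_within /path/to/cert.pem 30` in a cron job that mails you when it exits 0, giving the same 30-day warning for certificates outside the console.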

Enabling Remote Access in Windows


To enable remote access to a Management Console running on a Windows server:
1. In the Advanced Server Configuration section, enter the following value in the Configuration
Name column of the table:

 mgmt.console.ip
2. In the corresponding Configuration Value column, enter the IP address of the Management
Console.
3. Click Add, and then click Save.
4. Restart the Management Console.

NOTE: If you are using Internet Explorer, you must add the IP address of the Management
Console to the list of trusted sites for your browser.

Enabling Remote Access on a Linux Appliance


To enable access to a Management Console running on a Linux Appliance:
1. If you are logged into the Management Console, log out.
2. Log into the Linux Appliance, and from the Appliance Main Menu, highlight c. Networking and
press ENTER.
3. From the Network Configuration Menu, highlight e. Remote Access then press ENTER.
4. From the Firewall/Remote Access Menu, highlight d. Enable/Disable Remote Browser Access
to Management Console then press ENTER.
The message "Management console is currently disabled on the external interface. Enable?"
displays.
5. Ensure that Yes is highlighted and then press ENTER.

A progress bar displays, followed by a success message when the process is complete. The
message also displays the URL for the Management Console.
6. Press ENTER to display additional information about remote access, and press ENTER again to
return to the Firewall/Remote Access Menu.

You can now log into the Management Console from a browser on a remote machine.

Understanding Back Up and Restore


From the Backup and Restore page, you can back up your Voltage SecureMail server software and
restore a previously created backup file. You can either manually create a single backup file for
selected tenants, or you can schedule an automatic backup that occurs at regular intervals and
includes data for all tenants. The data within the backup file depends on the type of backup you choose:

• For a manual backup, you can choose a service data backup, an identity data backup, or a system
recovery backup. Micro Focus Voltage recommends that you make at least two copies of each
backup file that you create manually, and store one copy off-site. See Creating a System Backup
Manually for details.
• For automatic backups, you can set up system recovery backups and identity data backups. Micro
Focus Voltage recommends writing the automatically generated backup files directly to a remote
server. See Scheduling Automatic System Backups and Setting Up a Scheduled Backup for details.

Identity data changes frequently: it is updated whenever users are added or removed and whenever
users change their account recovery information. For this reason, Micro Focus Voltage recommends
backing up identity data regularly by setting up an automatic backup of this data on a daily or weekly
basis.
System recovery data does not change as frequently as identity data. You should perform a system
recovery backup manually when you finish installing and configuring your system for the first time. You
should also perform this type of backup whenever you make changes to settings in the Management
Console that you want to recover in the event of a system outage. You can either perform this backup
manually when needed or set up a scheduled backup to do this automatically.
It is possible to perform a backup whether the configuration is valid or not. After a backup file has been
created, you can restore your system using that file. See Restoring Your System From a Backup for
details.

Creating a System Backup Manually


When you initially install and configure your system, you should create a System Recovery Backup. To
create a backup file manually:
1. In the Management Console, go to the Administration > Backup and Restore page, then click
the Create a New Backup link to create a backup file.
2. From the Backup page, choose one of the following types of backup:

• Service Data Backup - Backs up the application state of one or more selected tenants. The
Service Data Backup, which is a subset of the System Recovery Backup, includes:
◦ Configuration data for each tenant, such as the tenant name, domain, brand and
certificates.
◦ Service configuration for each tenant, such as ZDM, Client, Gateway and Enrollment
Server configurations.

• Identity Data Backup - Backs up the identity data of one or more selected tenants. The
identity data includes:
◦ All user information included in the Enrollment Service, such as usernames, passwords,
and account recovery information
◦ PKI keys for the Gateway Service

Since identity data changes frequently, Micro Focus recommends setting up an automatic
backup of this data. See Setting Up a Scheduled Backup for details.

NOTE: The Identity Data Backup does not include any service, tenant, or cluster
information.

• System Recovery Backup - Backs up the entire state of the system including all tenant,
service and system deployment configurations. This does not include any identity data, which
is constantly changing and needs to be backed up separately.
The System Recovery Backup includes:
◦ Configuration information for each tenant
◦ Information about each service configured for each tenant, including sensitive district
information
◦ Service configuration options that apply to all tenants
◦ System configuration information for all clusters and every node in each cluster
◦ Resources for each cluster (such as Gateway SMTP)
◦ Management properties tables

NOTE: This backup is intended to be used only in the rare case of disaster recovery
or corruption of the management database.

3. Click Add Tenant to select the tenant or tenants that you are backing up. Click the check box
next to each tenant you want to add and click Select.
4. Select Include Global Service Data to include global service information.
Selecting this option includes the configuration settings under the Services > All Services tab
(certificates, global domain, global error page, and advanced host configuration) and also the
settings under Services > Gateway Service > All Tenants (tenant lookup rules, policy routes).
5. Select Include Sensitive Data to include district data.
Selecting this option includes the IBE district settings.
6. Enter a password for the backup file in the Password text box.
7. Re-enter the password to confirm.
8. Click Backup.

NOTE: Your popup blocker might block the File Download/File Save dialog box. If you do not
see a dialog box when the backup is complete, allow the popup in the message bar at the top of
your screen.

10. Click Save in the File Download dialog box.


11. Enter a name and location for the backup file in the Save As dialog box.
The file is saved to the location and name that you entered. The backup file is password protected
with the password that you entered.

Scheduling Automatic System Backups


You can automatically back up your system at regular intervals. To display the backups that are
already scheduled or to schedule a new backup, navigate to the Administration > Backup and
Restore page, then click the Schedule backups link. The Schedule Backups page displays.

This page displays the following information about each backup:


• Name - The name of the backup. This name is included in the file name of the actual backup file.
• Type - The type of backup. This can be either a system recovery backup, which includes all data
needed to restore your system, or an identity data backup, which includes only identity data.
• Status - Whether the automated backup is currently enabled or disabled.
• Backup Path - The location of the backup files.
• Frequency - How often the backup is performed. This can be daily, weekly, or monthly.
• Time - The time at which the backup process begins.

In addition, you can perform the following actions from this page:
• Set up a new backup - Click to display the Set Up a Scheduled Backup page, where you can
enter the values you need for a new backup. See Setting Up a Scheduled Backup for details.
• Edit - Click to make modifications to an existing backup. The Set Up a Scheduled Backup page
displays the current values for the backup, and lets you make any modifications you need. See
Setting Up a Scheduled Backup for details.
• Disable - Click to prevent the automatic backup from occurring. This can be useful if you want to
temporarily stop this type of backup, but intend to resume it later.
• Delete - Click to remove the automatic backup from the table. Existing backups remain in their
current location, but new backup files are no longer created.

Setting Up a Scheduled Backup


Use the Set Up a Scheduled Backup page to specify information for a new scheduled backup or
change the information for an existing scheduled backup. To set up a scheduled backup:
1. Navigate to the Administration > Backup and Restore page, and click the Schedule backups
link. The Schedule Backups page displays.

2. Do one of the following:

• Click Edit for an existing backup to display the Set Up a Scheduled Backup page with the
current information for that backup.
• Click Set up a new backup to display the Set Up a Scheduled Backup page with the
default values.

The Set Up a Scheduled Backup page displays.

3. Enter a Backup Name. The name must start with a letter and can contain only letters, numbers,
spaces, hyphens, and underscores. This name is used as the first part of the backup file name.
For example, if you choose the name DailyBackup as the name of an Identity Data Backup, the
name of this backup might be DailyBackup-identityBackup-4.1.0-Sun-16-May-2010-16-00.vsb.
4. Choose a Backup Type.
The System Recovery Backup includes:
• Configuration information for each tenant
• Information about each service configured for each tenant, including sensitive district
information
• Service configuration options that apply to all tenants
• System configuration information for all clusters and every node in each cluster
• Resources for each cluster (such as Gateway SMTP)
• Management properties tables

NOTE: This backup is intended for use only in the rare case of disaster recovery or
corruption of the management database. The System Recovery Backup does not include
any Identity Data, which is constantly changing and needs to be backed up separately.

The Identity Data Backup includes:


• All user information included in the Enrollment Service, such as usernames, passwords, and
account recovery information
• PKI keys for the Gateway Service

NOTE: Depending on the volume of users within your system, Micro Focus Voltage
recommends that you schedule a daily or weekly backup of identity data.

5. Specify whether the automated backup is Enabled. Note that you can also enable or disable the
backup from the Schedule Backups page.
6. Type a Backup Path to specify the location where the backup files are to be stored. If you want to
use a directory that does not already exist, you must create it before you enter it in this field. Micro
Focus Voltage recommends storing your backup files in a remote location so that they can be
used if the server machine becomes inaccessible or unusable.

• On a Linux appliance, you can mount a Windows file sharing server (such as Samba). To do this,
use the following procedure:
a. Set up Windows file sharing on the remote server that is to be used as the storage area for
the backup.
b. Log into your Voltage SecureMail Appliance as root, then create a file that stores login
credentials for the Samba server. For example, create a file named backups.credentials in
the /opt/vsmgmt/etc directory, which contains lines similar to the following example:

username=<samba_server_user_name>
password=<samba_server_password>
c. Secure the file that stores the login credentials so that it is readable only by root. For
example, if you created a file named backups.credentials in the /opt/vsmgmt/etc
directory, use the following commands to secure the file:

chown root:root /opt/vsmgmt/etc/backups.credentials
chmod 0400 /opt/vsmgmt/etc/backups.credentials
d. Make a directory on your Voltage SecureMail server for the mount point, using a
command similar to the following:

mkdir -p /mnt/backups
e. Mount the share using a command similar to the following (the option list after -o must
not contain spaces):

mount.cifs //storage.mycompany.com/backups /mnt/backups/ -o rw,credentials=/opt/vsmgmt/etc/backups.credentials,dir_mode=0775,file_mode=0664,soft

NOTE: Using the mount command provides temporary access only, allowing you to verify
that the share works. You must update /etc/fstab to make this permanent.
f. Verify that the share works correctly, then unmount it, using a command similar to the
following:

umount /mnt/backups
g. Add a line to /etc/fstab that contains the same values that you used when mounting the
share. The sample values in the following line correspond to the first four fields of an
/etc/fstab entry:

//storage.mycompany.com/backups /mnt/backups cifs rw,credentials=/opt/vsmgmt/etc/backups.credentials,dir_mode=0775,file_mode=0664,soft
You can either leave the fifth and sixth fields of the new /etc/fstab line blank or use a
value of 0 to indicate the default.
h. Confirm that the configuration is correct, using the following command:

service netfs status
i. Test the configuration that is called during boot, using the following command:

service netfs start
j. Make the configuration automatic on boot, using the following command:

chkconfig --levels 345 netfs on


• On a Windows server, you can use a UNC path, such as \\fileserver\backups. To do this, use
the following procedure:
a. Right click the folder on the server that you want to use for storing backup files, and
choose Properties.
b. Click the Sharing tab and choose the Share this folder option.
c. Click Permissions, then click Add.
d. Click Object Types, then select Computers.
e. Enter the computer name of the Management Console server in the text box, then click
OK.
f. Click the computer name to select it, then select Full Control.
g. Click OK.

In either case, the Management Console verifies that the location exists and is accessible for
writing. Mapped network drive letters are not supported on a Windows server.
7. Select the Number of backup files that are to be retained. By default, 7 backup files are retained.
This means that the 8th time an automatic backup file is created, it overwrites the 1st backup file.

You can choose a value from 1 to 15, or you can choose N/A to indicate that backup files are never
overwritten. If you choose N/A, make sure that the directory has sufficient space to contain all the
backup files that will be written there. If a directory runs out of space, no new backup files can be
written there.
8. Select the Frequency of the backup. You can choose Daily backups, Weekly backups that occur
on Sundays, or Monthly backups that occur on the first day of the month.
9. Select the Time the backup is to start.
10. Enter the Password to be entered in order to restore from the backup file. If you are editing an
existing automated backup, you can leave this field empty to keep the existing password.
11. Re-enter the Password to confirm that you entered it correctly. If you are editing an existing
automated backup, you can leave this field empty to keep the existing password.
12. Click Save and Exit to save your settings and return to the Schedule Backups page, where you
can see a summary of scheduled backups.

If you need to make any changes, click Edit for that backup.
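The Linux appliance steps in this procedure (credentials file, mount point, /etc/fstab entry) are scripted below as an added example for readers of this guide; it is not part of Voltage SecureMail. The share name, mount point and credentials path are the guide's own sample values used as placeholders, and the function names (write_cifs_credentials, credentials_secure, cifs_fstab_line, fstab_has_mount, add_fstab_entry, setup_backup_share) are the author's. It differs from the manual steps in two defensive details: the credentials file is created under umask 077 so the Samba password is never world-readable even between creation and chmod, and the fstab entry is added only once, so re-running the setup after a failed mount does not leave duplicate lines.

```shell
#!/bin/sh
# Added example, not part of Voltage SecureMail or this guide. Helper functions for
# preparing the CIFS backup mount described in the Linux appliance procedure.
# Paths and share names are placeholders taken from the guide's sample values.

# write_cifs_credentials FILE USER PASSWORD
# Creates the mount.cifs credentials file under a restrictive umask so the secret is
# never world-readable, even for an instant, then locks it to 0400. An existing file
# is removed first because a 0400 file cannot be overwritten by a non-root owner.
write_cifs_credentials() {
    file=$1; user=$2; pass=$3
    rm -f "$file" || return 1
    ( umask 077
      printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file" ) || return 1
    chmod 0400 "$file" || return 1
    # The appliance procedure runs as root; only then can the file be handed to root.
    if [ "$(id -u)" = 0 ]; then chown root:root "$file" || return 1; fi
}

# credentials_secure FILE : succeeds only if FILE exists and is mode 0400 (r--------).
# Parses ls output rather than stat(1), whose flags differ between GNU and BSD.
credentials_secure() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "r--------" ]
}

# cifs_fstab_line SHARE MOUNTPOINT CREDFILE : prints the /etc/fstab entry with all six
# fields. The option field is one token: a space inside it would break the mount.
cifs_fstab_line() {
    printf '%s %s cifs rw,credentials=%s,dir_mode=0775,file_mode=0664,soft 0 0\n' "$1" "$2" "$3"
}

# fstab_has_mount FSTAB MOUNTPOINT : true if a non-comment entry already mounts MOUNTPOINT
fstab_has_mount() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# add_fstab_entry FSTAB SHARE MOUNTPOINT CREDFILE : appends the entry once (idempotent)
add_fstab_entry() {
    fstab_has_mount "$1" "$3" && return 0
    cifs_fstab_line "$2" "$3" "$4" >> "$1"
}

# setup_backup_share FSTAB MOUNTPOINT SHARE CREDFILE USER PASSWORD
# Runs the preparation steps end to end: credentials file locked down and verified,
# mount point created, fstab entry added once. It deliberately does not mount the
# share; run "mount MOUNTPOINT" or "service netfs start" afterwards, as in the guide.
setup_backup_share() {
    fstab=$1; mnt=$2; share=$3; cred=$4; user=$5; pass=$6
    write_cifs_credentials "$cred" "$user" "$pass" || return 1
    credentials_secure "$cred" || { echo "credentials file is not mode 0400" >&2; return 1; }
    mkdir -p "$mnt" || return 1
    add_fstab_entry "$fstab" "$share" "$mnt" "$cred"
}
```

On the appliance you would call `setup_backup_share /etc/fstab /mnt/backups //storage.mycompany.com/backups /opt/vsmgmt/etc/backups.credentials <samba_server_user_name> <samba_server_password>` as root and then continue with the service netfs commands from the procedure.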

Restoring Your System From a Backup


To restore your system from a backup:
1. Go to the Administration > Backup and Restore page, then click Restore from a previous
backup. This starts the Restore Wizard.
2. Choose the type of restore that you want to perform from the drop-down list. The type of restore
you select depends on the type of backup you selected when creating the backup file.

• Service Data Backup - Backs up the application state of one or more selected tenants. The
Service Data Backup includes:
◦ Configuration data for each tenant, such as the tenant name, domain, brand and
certificates.
◦ Services configuration for each tenant, such as ZDM, Client, Gateway and Enrollment
Server configurations.
• Identity Data Backup - Backs up the identity data of one or more selected tenants. The
identity data includes the PKI keys for the Gateway Service and the usernames and passwords for
the Enrollment Service.
• System Recovery Backup - Backs up the entire state of the system including all tenant,
service and system deployment configurations.

3. In the Upload Backup File field, click Browse to navigate to the file.

NOTE: If the file is not accessible from the Management Console machine, move the file
to an accessible location using a tool such as WinSCP. When using WinSCP, the default
port (22) does not work and you must connect on port 10022.

4. Enter the password that you entered when you created the backup file in the Password field.
5. Click Validate Password and Upload.
When the file has been successfully uploaded, the following message is displayed:
"Validated backup file created Day Month Date Time Year"
6. Click Next when the file has finished successfully uploading.
7. Select the Tenants that you want to restore. If you want to overwrite current tenant information
with the information in the backup file, select Restore Tenant Details.
8. Click Next.
9. Select the services that you want to restore.
10. Click Next.
11. Click Finish to confirm the restore options that you selected, or click Back to change your
selections.
12. Click OK to confirm that you want to restore.
When the file is successfully restored, you are returned to the Backup and Restore page where
the following message displays:

Successfully restored Service Data Backup.

Understanding Administrator Accounts


Individuals who are responsible for the day-to-day operations such as starting, stopping, and
configuring the Management Console are referred to as administrators. Individuals who use the Voltage
SecureMail Encryption Client or the Zero Download Messenger to encrypt and decrypt secure email
messages are referred to as users. Only an administrator, using an administrator account, can log in to
the Management Console.
Administrators can have one of the following roles:
• Config Admin - Accounts in this role have no restrictions. They can alter all server settings and user
data, and view logs. Only accounts in this role can add and edit other administrator accounts.
• User Admin - Accounts in this role can view events and reports, and can edit user data, such as user
information for the Enrollment Service and the PKI keys for the Voltage SecureMail Gateway
Service. Accounts in this role cannot view or alter server settings.
• Audit Admin - Accounts in this role can only view events, debug logs, and user data. They cannot
alter server settings or user data. You can configure this account to limit the tabs and options
displayed to a user logged in with an Audit Admin account. See the Security Settings section below
for details.

In addition, administrators can be configured so that they are restricted to performing actions and
viewing Management Console pages for specified tenants only. See Choosing Administrator Account
Tenants for details.

Administrator Accounts Management


Click Administration > Administrator Accounts to display the Administrator Accounts
Management page, which includes the following tabs:
• Local Administrator Accounts - Details about this tab are described below.
• Active Directory Groups - Details about this tab are described in Enabling Active Directory
Accounts.

The Local Administrator Accounts tab displays a list of the administrator accounts and their roles.
You must be logged into the Management Console as a user with the Config Admin role in order to
display the Administrator Accounts Management page.

Administrator Accounts
You can perform the following tasks from the Administrator Accounts section of this page:
• Reduce the possibility of an unauthorized user accessing the Management Console, by selecting
Lock out administrator accounts after 5 consecutive failed login attempts. After 30 minutes,
you can log into the account again. The next time you are locked out, you need to wait an additional
30 minutes, with successively longer waits until you are locked out for 24 hours. At that point, you
must reset the password from another Config Admin account. If another Config Admin account is
not available, you must reset the password outside of the Management Console. See Changing a
Local Administrator Password for instructions.


• Add a new account - See Adding an Administrator Account for details.
• Edit an existing account - See Editing an Administrator Account for details.
• Delete an account - To delete an Administrator account, enter your administrator password at the
bottom of the page (not needed if the Management Console is on a Windows server and you are
using Active Directory credentials), then click the Delete link in the last column for the account that
you want to delete. Click OK in the dialog box to confirm that you want to delete the account. You
cannot delete the account you are logged into and you cannot delete the account named admin.
• Sort by Account Name, Role, or Tenants in the Administrator Accounts table, by clicking the
Account Name, Role, or Tenants column title.
• Refresh the table, by clicking Refresh Account List. This can be useful in an environment where
multiple administrators manage accounts.

NOTE: During installation, a default account named admin with a default password of
voltage123 is automatically created and assigned to the Config Admin role. It is not possible to
delete the default admin account or change the default account name or role. However, it is
recommended that you change the default password for security purposes.

Security Settings
Two settings are available in the Security Settings section of this page.

Audit Admins can view read-only configuration settings
• If this option is checked, Audit Admins can view all features within the Management Console, but
cannot change any settings.
• If this option is unchecked, several tabs and options are not available to Audit Admins, including the
following:
◦ The Cluster Update Needed warning tab (at the top right corner of the Management Console) is
not displayed.
◦ The Tenants tab is not displayed.
◦ The Services tab displays only the Services > Gateway Services > PKI Keys tab and the Services
> Enrollment Service > User Management tab, which does not display the Automatic
Account Deletion text box.
◦ The System tab does not display Resources, Tenants, Update Status, or links to Cluster and Host
pages.
◦ The Events > Settings tab is not displayed.
◦ The Administration tab shows only the Administration Support Logs box; the other tabs are not
displayed at all.

Voltage SecureMail (7.3) Page 208 of 245


Management Console Guide
Administering the SecureMail System

Auto-complete is enabled for non-sensitive input fields in the Management Console
• If selected, most input fields within the Management Console can be filled using your browser's
auto-complete functionality.
• If not selected, auto-complete is not available for any Management Console fields.

Auto-complete is disabled for login fields and other sensitive fields (such as passwords) within the
Management Console, regardless of how you configure this option.

Adding an Administrator Account


To add a new administrator account:
1. Click Administration > Administrator Accounts, then click New Account.

The New Administrator Account page displays.


2. Enter a name in the Account Name field.
The Account Name is not case sensitive and must be unique. It must begin with a letter and
consist only of alphanumeric characters, hyphens, underscores and periods, and cannot exceed
20 characters in length. This is the name administrators enter when they log into the Management
Console.
3. Select one of the following roles from the Role list:
• Config Admin - Accounts in this role have no restrictions. They can alter all server settings and user data, and view logs. Only accounts in this role can add and edit other administrator accounts.
• User Admin - Accounts in this role can view events and reports, and can edit user data, but cannot view or alter server settings.
• Audit Admin - Accounts in this role can only view events, debug logs, and user data. They cannot alter server settings or user data. You can configure this account to limit the tabs and options displayed to a user logged in with an Audit Admin account. See the Security Settings section of Understanding Administrator Accounts for details.
4. Choose whether this account has access to All Tenants or Selected Tenants. Administrators
who have access to more than one tenant (but who are not global administrators) do not see the
All Tenants option, but must choose at least one tenant. This step does not apply to
administrators who have access to only one tenant.
If you select Selected Tenants, you must click Add Tenants to select the tenants to which this
account has access. See Choosing Administrator Account Tenants for details.
5. Type a password in the Password text box.
Passwords serve as a security check to protect your Voltage SecureMail Server. Therefore, it is
important to choose passwords that are not easily guessed. Passwords must be at least eight characters in length and contain at least one number and one letter. Because passwords are case
sensitive, it is recommended that you use a mixture of upper and lower case letters.
6. Type the password again in the Re-enter Password text box.
7. To save your changes, enter your administrator password, which is the password for the account
you are currently logged into. (This step is not needed if the Management Console is on a
Windows server and you are using Active Directory credentials.)
8. Click Finish.
The account is added and displayed on the Administrator Accounts table on the Administrator
Accounts Management page.
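The Account Name and Password rules from steps 2 and 5 above, as an added pre-flight validator (example code, not part of the Voltage SecureMail product or this guide) that a provisioning script can run before the form is filled in. The function names and the sample list of existing account names are this example's own, and it takes "alphanumeric" to mean ASCII letters and digits.

```python
"""Pre-flight checks for a new local administrator account.

Added example: it mirrors the Account Name and Password rules stated in the
guide so that a provisioning script can reject bad input before an operator
types it into the Management Console. It is not part of the Voltage SecureMail
product; the function names are this example's own, "alphanumeric" is taken
to mean ASCII letters and digits, and the sample data is constructed."""
import re
from collections.abc import Iterable

# Account Name: begins with a letter, then only letters, digits, hyphens,
# underscores and periods. Length is checked separately so that an over-long
# name gets its own message.
ACCOUNT_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]*")
MAX_ACCOUNT_NAME_LEN = 20
MIN_PASSWORD_LEN = 8


def validate_account_name(name: str, existing: Iterable[str] = ()) -> list[str]:
    """Return the rule violations for a proposed Account Name (empty list means OK).

    `existing` holds the names already in the Administrator Accounts table.
    Uniqueness is checked case-insensitively because account names are not
    case sensitive: "Admin" and "admin" would be the same account."""
    problems: list[str] = []
    if not ACCOUNT_NAME_RE.fullmatch(name):
        problems.append("account name must begin with a letter and contain only "
                        "letters, digits, hyphens, underscores and periods")
    if len(name) > MAX_ACCOUNT_NAME_LEN:
        problems.append(f"account name cannot exceed {MAX_ACCOUNT_NAME_LEN} characters")
    if name.casefold() in {n.casefold() for n in existing}:
        problems.append("account name must be unique (names are not case sensitive)")
    return problems


def validate_password(password: str) -> list[str]:
    """Return the violations of the enforced password rules (empty list means OK)."""
    problems: list[str] = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"password must be at least {MIN_PASSWORD_LEN} characters long")
    if not any(c.isdigit() for c in password):
        problems.append("password must contain at least one number")
    if not any(c.isalpha() for c in password):
        problems.append("password must contain at least one letter")
    return problems


def password_advice(password: str) -> list[str]:
    """Recommendations the guide makes but does not enforce."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if has_upper and has_lower:
        return []
    return ["passwords are case sensitive; mix upper and lower case letters"]


def validate_new_account(name: str, password: str,
                         existing: Iterable[str] = ()) -> dict[str, list[str]]:
    """Combine the checks the way the New Administrator Account form applies them."""
    return {
        "errors": validate_account_name(name, existing) + validate_password(password),
        "warnings": password_advice(password),
    }


if __name__ == "__main__":
    # Constructed sample: names already present in the Administrator Accounts table.
    current_accounts = {"admin", "sec-ops.audit"}
    candidates = [
        ("Helpdesk_1", "Tr0ubadour"),     # acceptable
        ("SEC-OPS.AUDIT", "letmein"),     # duplicate name, weak password
        ("1stline", "12345678"),          # bad first character, no letter
    ]
    for name, password in candidates:
        print(name, validate_new_account(name, password, current_accounts))
```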

Editing an Administrator Account


To display the Administrator Accounts Management page, you must be logged into the Management Console as a user with the Audit Admin role; to display and edit the page, you must be logged in with the Config Admin role. To edit an existing administrator account:
1. Click Administration > Administrator Accounts, then click the name of the administrator you
want to edit.

The Administrator Account Details page displays.


2. To change the name of the account, type a new name in the Account Name text box.

The account name must begin with a letter and consist only of alphanumeric characters, hyphens,
underscores and periods. Note that you cannot change the name or role for the admin account.
3. To change the role, select one of the following roles from the Role list:
l Config Admin - Select this role to provide unrestricted access for the administrator. They can
alter all server settings and user data, and view logs. Only accounts in this role can add and
edit other administrator accounts.
l User Admin - Select this role to provide limited access for the administrator. Accounts in this
role can view events and reports, and can edit user data, but cannot view or alter server
settings.
l Audit Admin - Select this role to allow the administrator to only view events, debug logs, and
user data. You can configure this account to limit the tabs and options displayed to a user
logged in with an Audit Admin account. See the Security Settings section of Understanding
Administrator Accounts for details.
4. To change whether this account has access to All Tenants or Selected Tenants, select the
correct option. Administrators who have access to more than one tenant (but who are not global
administrators) do not see the All Tenants option, but must choose at least one tenant. It is
optional for global administrators who have access to all tenants. This step does not apply to
administrators who have access to only one tenant.
Note that if you change an account from All Tenants to Selected Tenants, or if you want to
change which tenants are accessible to this administrator, you must click Add Tenants to choose the tenants to which this account has access. Click Remove if you need to remove a tenant from
the list. See Choosing Administrator Account Tenants for details.
5. To change the password, type a new password in the New Password text box.
Passwords serve as a security check to protect your Voltage SecureMail Server. Therefore, it is
important to choose passwords that are not easily guessed. Passwords must be at least eight
characters in length and contain at least one number and one letter. Because passwords are case
sensitive, it is recommended that you use a mixture of upper and lower case letters.
6. If you changed the password, type the password again in the Re-enter New Password text box.
7. To save your changes, enter your current administrator password, which is the password for the
account that you are currently logged in with. (This step is not needed if the Management Console
is on a Windows server and you are using Active Directory credentials.)
8. Click Save and Exit to save your changes and exit the Administrator Account Details page.

Enabling Active Directory Accounts


Make sure the AD server has either port 3268 (Management Console on Windows) or port 3269
(Management Console on Linux) accessible for communication with the server hosting the
Management Console.
To enable access to the Management Console for members of Active Directory groups:
1. Click Administration > Administrator Accounts.

The Administrator Accounts Management page displays.


2. Click the Active Directory Groups tab.


3. Select Use Active Directory to authenticate administrative users to enable it.

This activates all of the fields on this tab. Some fields have different names and behavior
depending on whether your Management Console is running on a Linux Appliance or a Windows
Server.
4. In the Active Directory Domain text box, type the name of the domain that is using the Active Directory server for authentication.

5. Depending on the value you entered in the Active Directory Domain text box, type the login name in the User Name text box using one of the formats specified below.

NOTE: The login that you use does not need to be an administrator’s login. However, the
login name must have permission to connect to and query that server.

The login name can be one of the following formats:


• User Principal Name (UPN) - user01@mydomain.com, where user01 is the login name and mydomain.com is the UPN suffix. (Recommended)
• NT - mydomain\user01
• simple login name - user01. This format can only be used if you enter the domain name in the Active Directory Domain or Server text box, as the login name is appended to that value. For example, if you enter mydomain.com as the domain name and user01 as the login, it will be concatenated as user01@mydomain.com.

NOTE: If needed, additional domains can be configured using the Administration >
Advanced tab.

6. In the Password text box, type the password for the user name that is used by the software to log
into the Active Directory server.
7. (Linux Appliance only) Click Import Certificate for the Trusted LDAP Server Certificates field.
The Import Certificate page displays, allowing you to browse to the PEM certificate file that
needs to be included. See Importing the Active Directory Server PEM Certificate for details.
8. To enable members of an active directory group to use their Active Directory password to access
the Management Console, click New Active Directory Group at the top of the Active Directory
Groups table.
This link displays the New Active Directory Group Role page, where you can specify the required details. See Adding an Active Directory Group Role for details. Note that this link is only available if the Management Console can connect to the server specified in the Active Directory Domain field.
You can also refresh the table by clicking Refresh Active Directory Group List. This can be
useful in an environment where multiple administrators manage accounts.
9. To save your changes, enter your administrator password, which is the password for the account
you are currently logged into. (This step is not needed if the Management Console is on a
Windows server and you are using Active Directory credentials.)
10. Click Save.

Members of the Active Directory groups that you added to one of the administrator roles can use their
Active Directory login credentials to log into the Management Console as an administrator. If a group is
not available on the Active Directory Server, a warning icon displays next to that name in the Active
Directory Security Group Name column.
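The three User Name formats from step 5 above, as an added example (not part of the Voltage SecureMail product or this guide) that classifies a login name and completes the simple form with the Active Directory Domain value the way the guide describes; the function and field names, and the port lookup helper built from the 3268/3269 values stated at the top of this section, are this example's own.

```python
"""Classify the login name entered in the User Name field of the Active
Directory Groups tab.

Added example, not part of the Voltage SecureMail product: it applies the
three formats the guide lists (UPN, NT and simple login name) and completes
the simple form with the Active Directory Domain value, so that a pre-check
script can see the exact bind name the console will present to the directory
server. Function and field names are this example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BindLogin:
    form: str       # "upn", "nt" or "simple"
    bind_name: str  # the login name actually presented to the AD server
    user: str       # bare login name without any domain qualifier
    domain: str     # domain or UPN suffix the name is qualified with


def classify_ad_login(login: str, ad_domain: str = "") -> BindLogin:
    """Work out how the console will use the User Name value.

    `ad_domain` is the Active Directory Domain text box. It is only needed for
    the simple form, where the console appends it to the login name
    (user01 + mydomain.com -> user01@mydomain.com)."""
    login = login.strip()
    ad_domain = ad_domain.strip()
    if not login:
        raise ValueError("User Name is empty")

    if "@" in login:
        user, _, suffix = login.partition("@")
        if not user or not suffix or "@" in suffix or "\\" in login:
            raise ValueError(f"malformed UPN: {login!r}")
        return BindLogin("upn", login, user, suffix)

    if "\\" in login:
        domain, _, user = login.partition("\\")
        if not domain or not user or "\\" in user:
            raise ValueError(f"malformed NT login: {login!r}")
        return BindLogin("nt", login, user, domain)

    # Simple login name: only usable when the Active Directory Domain field is
    # filled in, because the console builds the UPN from the two values.
    if not ad_domain:
        raise ValueError("a simple login name requires the Active Directory Domain field")
    return BindLogin("simple", f"{login}@{ad_domain}", login, ad_domain)


def global_catalog_port(console_platform: str) -> int:
    """Port the AD server must expose for the console, as stated in the guide:
    3268 when the Management Console runs on Windows, 3269 on a Linux Appliance."""
    ports = {"windows": 3268, "linux": 3269}
    key = console_platform.strip().lower()
    if key not in ports:
        raise ValueError(f"unknown console platform: {console_platform!r}")
    return ports[key]


if __name__ == "__main__":
    # Constructed sample inputs, one per documented format.
    samples = [("user01@mydomain.com", ""), ("mydomain\\user01", ""), ("user01", "mydomain.com")]
    for login, domain in samples:
        result = classify_ad_login(login, domain)
        print(f"{login!r:25} -> {result.form:6} binds as {result.bind_name}")
    print("Linux Appliance console needs AD port", global_catalog_port("linux"))
```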

Importing the Active Directory Server PEM Certificate


If the Management Console is running on a Linux Appliance and you are using LDAP credentials to log
in as an administrator, you must import the LDAP Server Certificate.
To import the LDAP Server Certificate:
1. Navigate to the Administration > Administrator Accounts > Active Directory Groups tab.
2. Select Use Active Directory to authenticate administrative users to enable it.
3. Click Import Certificate. This displays the Import Certificate page.


4. Click Browse to navigate to the PEM Certificate file that you are importing.
This file can either be the same as the one used by your LDAP server, or in a certificate chain for
that certificate.
5. Type your administrator password, which is the password for the account you are currently logged
into. (This step is not needed if the Management Console is on a Windows server and you are
using Active Directory credentials.)
6. Click Import.

The Active Directory Groups tab displays, and the file you imported appears in the Trusted LDAP
Server Certificates table.

To delete a certificate, type your administrator password (unless the Management Console is on a
Windows server and you are logged in using Active Directory credentials), then click Delete in the row
for the certificate that you want to delete.

Adding an Active Directory Group Role


If you are logged in as a Config Admin, the New Active Directory Group Role page lets you specify
the name of an Active Directory group, then create an administrator account that enables all members
of that group to log into the Management Console with their Active Directory credentials.
To create a new Active Directory group role:
1. Navigate to the Administration > Administrator Accounts > Active Directory Groups tab.
2. Select Use Active Directory to authenticate administrative users to enable it.
3. Click New Active Directory Group. This displays the New Active Directory Group Role page.


4. Enter the Active Directory Security Group Name in the text box. This must be an Active Directory group that has a Group type of Security (rather than a Group type of Distribution).
5. Select one of the following roles from the Role list:
• Config Admin - Accounts in this role have no restrictions. They can alter all server settings and user data, and view logs. Only accounts in this role can add and edit other administrator accounts.
• User Admin - Accounts in this role can view events and reports, and can edit user data, but cannot view or alter server settings.
• Audit Admin - Accounts in this role can only view events, debug logs, and user data. They cannot alter server settings or user data. You can configure this account to limit the tabs and options displayed to a user logged in with an Audit Admin account. See the Security Settings section of Understanding Administrator Accounts for details.
6. Select whether this account has access to All Tenants or Selected Tenants. Only global Config
Admins can see this option. Config Admins for tenants can see and change the list of tenants to
which they have access.
If you select Selected Tenants, you must click Add Tenants to choose the tenants to which this
account has access. See Choosing Administrator Account Tenants for details.
7. To save your changes, enter your administrator password, which is the password for the account
you are currently logged into. (This step is not needed if the Management Console is on a
Windows server and you are using Active Directory credentials.)
8. Click Finish.

The Active Directory Groups tab displays the new account in the Active Directory Groups table. If the group is not available on the Active Directory Server, a warning icon displays next to the group name in the Active Directory Security Group Name column.


Editing an Active Directory Group Role


If you are logged into the Management Console as a user with the Audit Admin role, you can display the
Administrator Accounts Management page. To edit this page, you must be logged into the
Management Console as a user with the Config Admin role. To edit an existing Active Directory Group
Role:
1. Navigate to Administration > Administrator Accounts > Active Directory Groups, then click
the name of the group you want to edit.

The Active Directory Group Role Details page displays.

2. To change the name of the group, enter a new name in the Active Directory Security Group
Name text box.

This must be an Active Directory group that has a Group type of Security (rather than a Group type of Distribution).
3. To change the role, select one of the following roles from the Role drop-down list:
• Config Admin - Select this role to provide unrestricted access for the administrator. They can alter all server settings and user data, and view logs. Only accounts in this role can add and edit other administrator accounts.
• User Admin - Select this role to provide limited access for the administrator. Accounts in this role can view events and reports, and can edit user data, but cannot view or alter server settings.
• Audit Admin - Select this role to allow the administrator to only view events, debug logs, and user data. You can configure this account to limit the tabs and options displayed to a user logged in with an Audit Admin account. See the Security Settings section of Understanding Administrator Accounts for details.
4. To change whether this account has access to All Tenants or Selected Tenants, select the
correct option. Only global Config Admins can see this option. Config Admins for tenants can see
and change the list of tenants to which they have access.
If you change an account from All Tenants to Selected Tenants, or if you want to change which
tenants are accessible to this administrator, you must click Add Tenants to choose the tenants to
which this account has access. See Choosing Administrator Account Tenants for details.
5. To save your changes, enter your current administrator password, which is the password for the
account that you are currently logged on with. (This step is not needed if the Management Console
is on a Windows server and you are using Active Directory credentials.)
6. Click Save and Exit to save your changes and return to the Active Directory Groups tab.

Changing a Local Administrator Password


You can change the password for administrators who log into the Management Console using local
administrator accounts. You cannot change passwords for administrators who log in using their Active
Directory credentials.
To change an administrator password:
1. Click the Administration tab, then click the Administrator Accounts tab. This displays the
Administrator Accounts Management page, which opens to the Local Administrator
Accounts tab by default.
2. Click the name of the administrator you want to edit. This opens the Administrator Account
Details page. You must be logged into the Management Console as a user with the Config Admin
role in order to display this page.
3. To change the password, type a new password in the New Password text box.
4. To confirm the password, type the new password again in the Re-enter New Password text box.
5. To save your changes, enter your current administrator password, which is the password for the
account that you are currently logged in with. (This step is not needed if the Management Console
is on a Windows server and you are using Active Directory credentials.)
6. Click Save and Exit to save your changes and exit the Administrator Account Details page.

If Lock out administrator accounts after 5 consecutive failed login attempts is selected on the
Administrator Accounts Management page, you can be locked out of your account after entering the
password incorrectly. To recover your account if this occurs, you can reset the password from another
Config Admin account. If another Config Admin account is not available, you must use a utility outside
of the Management Console to either change the password or create a new user.
To change the password on a Linux Appliance, run the following command:
/opt/vsmgmt/bin/admin_user <username> [password]
To change the password on a Windows Server:


• Open a Command Prompt window.
• Change to the bin subdirectory in the directory in which the management console is installed.
• Run the command admin_user <username> [password]

NOTE: Entering the password as part of this command line is optional. If you prefer to not enter
the password in the clear, enter only the <username> value. You are then prompted to enter the
password, which is not displayed when you enter it.

For an existing user, the password is updated and the role for that user is converted to Config Admin for
all tenants, regardless of the previous role. If the username does not exist, a new user with that name is
created, and that user is automatically assigned to the role of Config Admin for all tenants.

Displaying Your Account Information


The My Account Details page displays the name of the account you are logged into, as well as the
administrator role for each tenant to which you have access. If you are logged in using Active Directory
credentials, you also see the Groups to which your account belongs. You can access this page by
clicking the My Account button at the top of the Management Console. If you are logged in using a
local account (rather than with Active Directory credentials), you can also change your administrator
password from this page.
To change your password:
1. Click My Account at the top of the Management Console. This displays the My Account Details
page.

2. Type the current password in the Old Password text box.


3. Type a new password in the New Password text box.


4. To confirm the password, type the new password again in the Re-enter New Password text box.
5. Click Save to save your changes and exit the My Account Details page.

You can also change your password on the Administrator Account Details page. See Changing a
Local Administrator Password for details.

Choosing Administrator Account Tenants


If you are logged in as a Config Admin, you can add or edit an administrator account that is limited to
seeing or updating only information for particular tenants.
To choose tenants:
1. Navigate to the page for the account to be created or edited:

• For a new local account, navigate to the New Administrator Account page. Click Administration > Administrator Accounts, then click New Account.
• For an existing local account, navigate to the Administrator Account Details page. Click Administration > Administrator Accounts, then click the name of the account.
• For a new Active Directory Group Account, navigate to the New Active Directory Group Role page. Click the Administration > Administrator Accounts > Active Directory Groups tab, then click New Active Directory Group.
• For an existing Active Directory Group Account, navigate to the Active Directory Group Role Details page. Click the Administration > Administrator Accounts > Active Directory Groups tab, then click the name of the group.

2. Select Selected Tenants. This option is available only to administrators with the global Config
Admin role. Administrators with access to multiple tenants only see the list of tenants to which
they have access, and do not perform this step.
3. Click Add Tenants. A table displays each Tenant Name, along with the Domain and Status value
for that tenant.
4. Select the check box next to any tenants that are to be accessible to the administrator for the
account you are creating, then click Select.
The Selected Tenants box now includes the names of the tenants for which the administrator has
access. To remove a tenant from this list, click the tenant name, then click Remove.
5. To save your changes, enter your administrator password, which is the password for the account
you are currently logged into. (This step is not needed if the Management Console is on a
Windows server and you are using Active Directory credentials.)
6. Click Save and Exit to return to the Administrator Accounts Management page.

Understanding Logging
Use the Support Logs page on the Administration tab to download debug log files for the
management console or the data service, and to configure how much information is written to host-specific log files. You do not need to use this page unless directed to do so by Micro Focus Voltage
Support.
The Support Logs page contains the following sections:
• Administration Support Logs - Use this section to download the debug logs for the Management Console or the Data Service. Click Download for the log you want to download. If you are using an Appliance, you can also generate and download logs that contain System Info. This log, which is not available for a Windows server, contains system configuration and resource usage information that is generated by a script called vsinfo. It can take up to one minute to generate this log.

  NOTE: You do not need to use the Administration Support Logs section unless directed to do so by Voltage SecureMail Support.

• Service Support Log Settings - Use this section to specify the amount of data that is written to the syslog server and to host-specific log files. See Viewing Debug Logs for a Host for details. Select one of the following options:
  ◦ Normal - Includes routine operational data, as well as warnings and errors.
  ◦ Detailed - Includes additional data that can be helpful during troubleshooting.

If you are using a separate syslog server, you can also use the Service Support Log Settings
section to specify whether data is written to that server, as well as the location of that server. See
Configuring Syslog Values for details.

Configuring Syslog Values


You can specify whether events and logs are written to a separate syslog server, and if so, the location
of that syslog server. By default, events and logs are not written to a separate server. If you are not
using a separate syslog server, you do not need to make any changes.
To enable events and logs to be written to a separate syslog server:
1. Click Administration > Support Logs.
2. In the Service Support Log Settings section of the Support Logs page, select Send Events to
Syslog Server to enable it.
3. In the Syslog Server text box, enter the hostname or IP address of the server where the syslog
service is running.
4. In the Syslog Port text box, enter the syslog server port number that is to be used by the Voltage
SecureMail front-end services for sending the logs to syslog server. The default is 514.
5. Click Save to save your settings.

When syslog is enabled, the following log data is sent only to the syslog server:
• /var/log/vsgateway/system.log - verbose log information about gateway encryption/decryption actions via SMTP
• /opt/vsibe/logs/ibe_server.log - verbose event information for the key server and ZDM web interface

When syslog is enabled, the following log data is both available locally and is sent to the syslog server:


• /var/log/maillog - sendmail information and general mail delivery information
• /opt/vsmgmt/logs/mgmt_data_service.log - debug information about the management synchronization service that retrieves logs from front-end hosts and pushes out configurations

The following log files are never included in the syslog data and are only accessible locally:
• /opt/vsmgmt/logs/mgmt_server.log - event information about the Management Console for Voltage SecureMail administrators
• /var/log/vsgateway/policy.log - one-line summaries of each message that was processed by the gateway
• /opt/vsibe/logs/ibe_error.log - information concerning severe issues with the IBE service (including memory dumps and crashes)

Understanding Advanced Feature Configuration


The Advanced page on the Administration tab can be used to configure advanced features for
Voltage SecureMail Management Console, Data, and IBE Services. Some advanced features require a
separate license or guidance from Micro Focus Voltage Support. There are four advanced features you
can enable without an additional license or support.
• Two Factor Authentication - See Two Factor Authentication, on page 140
• ZDM Attachment Filter - See ZDM Attachment Filter, on page 78
• Custom Client Policy - See Customizing the Client Policy, on page 83
• CORS - See About CORS, on page 144


About SecureMail Events


This chapter provides information on SecureMail events.

Understanding Event Logs


Events are generated when transactions are performed and are logged to the Maria Database
(MariaDB). For example, an event might be logged when a user sends a message, attempts to obtain a
key, or when event data is automatically purged. Event logs provide detailed information about events
generated by the servers and services, and can help you track how users are using the system. The
Database Event Handler, responsible for logging the events to the database, is always enabled. It is
also possible to log events to your syslog server. See Configuring Syslog Values for details.
The following screen shows the Event Data page of the Events tab.


From the Events tab, you can choose the following pages:
• Event Data: Use this page to view and search for logged events.
  ◦ To control the number of events displayed on this page, choose a value in the Records per page list below the Event Data table.
  ◦ To view the latest events at any time, click Refresh Events.
  ◦ To search for a specific event or set of events, enter search criteria in the Search Events text entry field, then click Go. Alternatively, you can limit the criteria of a search by clicking Advanced Search. See Searching for Events for details.
• Settings: Use this page to configure the event collection level and control the purging of events from the Management Console. See Setting Event Collection and Retention Levels for details.


Searching for Events


You can search for events using a variety of criteria, which also act as filters to display the selected
events. For example, you can search for all Service events that were successful, or search for an event
by Session ID or Tenant to display a smaller set of events.
Search for an event using the simple search or the advanced search.

Using the Search Events Field


To search for events using the search events field:
1. Click the Events tab to display the Event Data page.
2. Enter search criteria, such as a user name or text used to describe an event, in the Search Events
text box.
3. Click Go.

The events matching the search criteria you entered appear in the System Events table on the
Event Data page.
To clear the search criteria and display all events, click Show All.

Using Advanced Search


To search for events using search parameters on the events page:
1. Click the Events tab to display the Event Data page.
2. Click Advanced Search.
3. Enter or select one or more search criteria to locate the events you want to display. Select Search
All to search for all items in a list box.

Searches can be done using the following criteria:


• Event Summary - Enter text, such as a user name or the description associated with an event. The results will be displayed in the Summary column of the System Events table. This search is not case sensitive and does not support wildcards.
• Session ID - Typically, you will not know the ID associated with a particular session. As a result, you should first perform a search using other criteria, then locate the session ID of interest in the System Events table. Click on the session ID link in the System Events table to populate the Session ID box. Then perform a second search, using the session ID as the criteria for the search. This lets you view all events pertaining to a particular user's session, including the authentication process and ZDM activity. When you finish searching for a specific session ID, delete it from the Session ID box.
• Event Source - Select the category or type of event.


  ◦ Admin Events - Searches for any administrative events or configurations. Examples of these events include configuring hosts, clusters, tenants, and administrator logins.
  ◦ Authentication Method Events - Searches for events that are related to end user authentication.
  ◦ Gateway Events - Searches for any Gateway events, such as the encryption and decryption of messages.
  ◦ Enrollment Events - Searches for Enrollment Service events. Examples of these events include the starting or stopping of the enrollment service, the first time enrollment of a user, or if a user attempts to recover a password.
  ◦ HTTP Events - Searches for HTTP events.
  ◦ Identity Data Aggregator Events - Searches for Identity Data
  ◦ Key Server Events - Searches for any Key Management Server events, including key requests from the ZDM, Gateway, or client.
  ◦ System Events - Searches for any system event. Examples of these events include startup and shutdown events for the IBE server and for the Management Console. Memory usage is also logged as a system event, but at a lower logging level, which is not enabled by default.
  ◦ ZDM Events - Searches for ZDM events, including sent messages, read messages, or errors attempting to read ZDM messages.

• Event Name - Select an event name from the drop down list. The available event names change depending on the Event Source that you selected.
• Service - Select the service mechanism that generated an event.
  ◦ IBE - Search for IBE Service events.
  ◦ Enrollment - Search for Enrollment Service events.
  ◦ Gateway - Search for Gateway Service events.
  ◦ Management - Search for Management Data or service events.
• Status - Select the status for an event.
  ◦ Info - Search for informational events, such as server memory usage and updated server configuration.
  ◦ Success - Search for all successful events, such as successful authentication events, or successful ZDM events (messages sent or decrypted).
  ◦ Failure - Search for all system errors and user errors, such as failure to authenticate.
• Log Level - Select a log level. When you select a level, all events at the selected level and the levels of higher severity are logged. For example, when you select Warning, all Warning level events, as well as Error level events are logged.
• Cluster - Select a specific cluster, or select Search All to search for an event or events for all clusters.

Voltage SecureMail (7.3) Page 225 of 245


Management Console Guide
About SecureMail Events

l Host - Select a specific host, or select Search All to search for an event or events for all hosts.
l Tenant - Select a specific tenant name, or Search All to search for an event or events for all
tenants.
l Brand - Select a brand. You must first select a tenant from the Tenant list. Once you have
selected a tenant, the Brand list is populated with the brands assigned to the selected tenant.
l Show Date/Time - Click to show the Start Date and End Date times by which to search.
o Start Date/Time - Enter the date and time for which to start the search for an event, or
select a date from the calendar.
o End Date/Time - Enter the date and time for which to end the search for an event, or
select a date from the calendar.

4. After you have selected your search criteria, click Go to perform the search. Click Reset to clear all selected search criteria.

The events that match your search criteria appear in the System Events table. The System Events table is dynamic and, depending on your search criteria, could display additional information.
You can also perform any of the following actions:
- Select the number of records to display in the System Events table from the Records per page list box. If the number of recorded events exceeds the number of events displayed, click Forward and Back to view the additional system events.
- Refresh the data in the System Events table by clicking Refresh Events.
- View the details for a specific event by clicking Details in the Summary column. The Details page is dynamic and includes the data about the event already listed in the System Events table and, depending on your search criteria, often provides additional information.

Setting Event Collection and Retention


Use the Events > Settings page to specify how much event data is written to the event logs. You can
also specify how long that data is retained by the Management Console database, set the time the
purge occurs and enter a location to which you would like the purged data to be saved, if any.

Event Collection
By default, the Event Collection level is set to Normal. This setting logs the data required for
generating reports, as well as warning and error messages. If you want to limit the number of events
logged so that you only see error messages, you can set the event collection level to Minimal. If you
set the level to Minimal, then data for the reports is not available, and any reports that you generate will
not contain data.

Event Retention
You can specify the number of days that events remain available in the Management Console database
before being purged and whether to save the purged data to an external file. By default, events are
purged from the Management Console database after 15 days.

NOTE: You will need to restart the data service after making any changes to the event retention
settings.

- To prevent events from being purged from the Management Console database, clear the Enable Event Purging check box.
- To change the number of days that events are available in the Management Console database, select Enable Event Purging, and enter the number of days in the Keep events for text box. You can specify a value in the range of 0 (to purge events the same day they are written) to 3650 (to purge events after 10 years).
- To set the time at which you would like the events regularly purged, select the time from the When to purge events lists. The default is 1:30AM.
- Optionally, to save the purged data to an external file, enter the path in the Save events to text box. After automated purging, the location displays under the Summary of the purge event.

NOTE: Purging events from the Management Console database does not affect the data used
for generating reports. Event information is available for reports regardless of whether it is
available in the Management Console database because a separate database stores all events
relevant for the reports.

Backing Up and Purging Events


The event levels that are selected for Voltage SecureMail servers and services are logged to and stored
in the Maria Database (MariaDB) on the Management Console. Storing a large number of events can
have a negative impact on database performance. By default, events are automatically purged after 15
days. See Setting Event Collection and Retention Levels for information on changing this behavior. If
you choose to prevent the automatic purging of events, or if you want to have the option to save events,
you can delete or save them manually.
For backup and audit purposes, the Voltage SecureMail server provides a delete_events command-line utility on both Windows and Linux. The delete_events utility allows you to purge events from the database, as well as write purged events to a MariaDB backup file.
The utility is located in the following directories:
Windows: <installation_directory>\
Linux: /opt/vsmgmt/bin/delete_events
The delete_events command-line utility can do the following:
- Delete events
- Save deleted event information to a file
- Back up the deleted events
- Import backup files to a database

NOTE: If you are going to delete a large number of events, for example 3,000,000 or more, it is
recommended that you turn off the data service while the event purge utility is running. This
allows the utility to run faster.

Utility Parameters
The delete_events utility includes several parameters for handling events.
The following tables list the parameters for the delete_events utility. You must use one of the three parameters described in the first table. The "-L" or "--list" and the "-u" or "--update" parameters cannot be used with any other parameter. You can use the "-a" or "--age" parameter with the optional parameters listed in the second table.
One of the following parameters must be used:

-L or --list
    Causes the utility to print all the values for tenant, cluster, and host found in the database. The values are printed to stdout.
    Note: This parameter cannot be used with any other parameter.

-u or --update
    Updates the log count table by recalculating the total number of records in the log tables. This is only needed if a prior delete was aborted or ended with an error.
    Note: This parameter cannot be used with any other parameter.

-a or --age <days>
    Deletes events that are as old as or older than the specified number of days.
    Valid values are non-negative integers.

The following optional parameters can be used with the "-a" or "--age" parameter:

-l or --level <event level>
    Deletes only events with an event level (case insensitive) equal to or more verbose than the specified level.
    Valid values: All, Warning, Normal, Verbose, Trivia.
    The default value is All, meaning that all events of all levels are deleted.

-t or --tenant <tenant name>
    Deletes only the events for the specified tenant (case sensitive). Any valid tenant name is a valid input.
    If a valid tenant name is not specified, events are deleted regardless of the tenant.

-c or --cluster <cluster name>
    Deletes only events for the specified cluster (case sensitive). Any valid cluster name is a valid input.
    If a valid cluster name is not specified, events are deleted regardless of the cluster.

-h or --host <host name>
    Deletes only events for the specified host (case sensitive). Any valid host name is a valid input.
    If a valid host name is not specified, events are deleted regardless of the host.

-s or --save <file name>
    Saves events to the specified file before they are deleted. If the save fails, the events are not deleted. If not specified, events are not saved to a file.
    A writable file path is a valid value. Existing files will not be overwritten. Use a unique file name.
    If you choose to save the purged events to a backup file, you have the option of importing the backup file data into a separate MariaDB.

-d or --dryrun
    Lists the number of events that would be deleted based on the parameters that you specified. Uses system resources to determine the count, but does not delete any events.
    Note: If you run the command later without this option, the number of events deleted might change if new events were generated or existing events were deleted.

Debug Log File


The delete_events utility writes debug logging information to the admin.log file in the following locations:
Windows: <installation_directory>\logs\admin.log
Linux: /opt/vsmgmt/logs/admin.log

Backup Files
When you use the "-s" or "--save" parameter, the delete_events utility saves the deleted events to a backup file that contains the SQL commands necessary to import the data into a MariaDB. You can import the backup files into a separate database using the mysql command-line client (see Importing Backup Files Into a Database).
You can import multiple backup files into the same database if they were exported from the same Management Console database. However, backup files with events from different Management Console databases are probably incompatible due to potential conflicts with event sequence numbers.

Importing Backup Files Into a Database


If you have not already created a separate database in which to import the backup files, follow these
instructions:
1. Optionally, make a copy of the voltage_settings file to ensure that you always have a copy of the original file values.

Windows: <installation_directory>\etc\mysql\voltage_settings.bat
Linux: /opt/vsmgmt/etc/mysql/voltage_settings.conf

2. Edit the voltage_settings file to specify the connection properties for your new database.
3. Execute the create script to create the database.

Windows: <installation_directory>\etc\mysql\create.bat
Linux: /opt/vsmgmt/etc/mysql/create

NOTE: Executing the create script on an existing database will delete all the data in the database.

To import the contents of a backup file into the new database, execute the following command:

% mysql (with appropriate connection parameters) < backup_file.sql

where backup_file.sql is the file name you specified using the --save parameter with the delete_events utility.
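The delete_events parameters listed above and the import step just described, as an added shell example that is not part of the Voltage SecureMail product: it validates --age and --level against the documented values, composes the argument list, picks a backup file name that does not already exist (the utility will not overwrite one, and a failed save aborts the delete), runs --dryrun before the real purge, and pipes a backup file into mysql. The DELETE_EVENTS path, the BACKUP_DIR location, the helper function names, and the mysql connection options are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Voltage SecureMail product. It wraps the
# documented delete_events parameters so that input is validated and a
# dry run is performed before any event is deleted. The DELETE_EVENTS path,
# BACKUP_DIR and the mysql connection options are assumptions.

DELETE_EVENTS="${DELETE_EVENTS:-/opt/vsmgmt/bin/delete_events}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/vsmgmt-events}"   # assumed location

# --age accepts only non-negative integers.
valid_age() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# --level is matched case-insensitively against the documented level names.
valid_level() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        all|warning|normal|verbose|trivia) return 0 ;;
        *)                                 return 1 ;;
    esac
}

# Compose the argument list for an --age purge. Scoping parameters are
# appended only when non-empty. Tenant, cluster and host names are assumed
# to contain no whitespace, because the result is split on spaces later.
# Usage: build_purge_args DAYS LEVEL [TENANT] [CLUSTER] [HOST]
build_purge_args() {
    days=$1; level=$2; tenant=$3; cluster=$4; host=$5
    valid_age "$days"    || { echo "age must be a non-negative integer: $days" >&2; return 1; }
    valid_level "$level" || { echo "unknown event level: $level" >&2; return 1; }
    args="--age $days --level $level"
    if [ -n "$tenant" ];  then args="$args --tenant $tenant";   fi
    if [ -n "$cluster" ]; then args="$args --cluster $cluster"; fi
    if [ -n "$host" ];    then args="$args --host $host";       fi
    printf '%s\n' "$args"
}

# A backup file name that does not exist yet: delete_events refuses to
# overwrite an existing file, and a failed save means nothing is deleted.
new_backup_name() {
    dir=${1:-$BACKUP_DIR}
    mkdir -p "$dir" || return 1
    name="$dir/events-$(date +%Y%m%dT%H%M%S).sql"
    if [ -e "$name" ]; then
        echo "backup file already exists: $name" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# Count with --dryrun first, then run the identical purge with --save.
# Usage: purge_events DAYS LEVEL [TENANT] [CLUSTER] [HOST]
purge_events() {
    args=$(build_purge_args "$@") || return 1
    save=$(new_backup_name) || return 1
    # shellcheck disable=SC2086  # intentional word splitting of $args
    "$DELETE_EVENTS" $args --save "$save" --dryrun || return 1
    "$DELETE_EVENTS" $args --save "$save"
}

# Import one backup file into the separate database created with the create
# script. Extra arguments are passed to mysql as connection parameters, e.g.
# import_backup /var/backups/vsmgmt-events/events-20201001T013000.sql -h dbhost -u vsm -p
import_backup() {
    file=$1; shift
    if [ ! -r "$file" ]; then
        echo "backup file not readable: $file" >&2
        return 1
    fi
    mysql "$@" < "$file"
}
```

Run purge_events 15 Warning tenantA to reproduce the default 15-day retention for one tenant while keeping a MariaDB backup of what was removed; for very large purges stop the data service first, as the note above recommends. Names that contain whitespace would be split when $args is expanded, so this wrapper should only be used with tenant, cluster and host names without spaces.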


About SecureMail Reports


This chapter explains how to create Voltage SecureMail reports.

Understanding Reports
The Reports tab lets you generate reports that display a variety of usage information about your system. The following reports are available:
- Mail Volume by Date
- Mail Volume by Domain
- Mail Volume by User
- Message Status by Sender
- Message Status by Reader
- Licensed Products
- Product Usage
- Deployed Clients

After you choose a report type, the Enter Parameters page displays. The parameters that you specify depend on the report type.
Click Generate Report to display a report that contains information based on the parameters you specified.
- Reports with an output format of HTML display within the Management Console.
- Reports with an output format of PDF, XLS, PPT, or DOC are exported for display outside the Management Console. When you click Generate Report, a dialog box displays, with options to either save or open the exported file. Charts are not included when you export to the XLS format.

NOTE: If you specified an Event Collection level of Minimal on the Events > Settings page,
your event logs do not have any data to graph. As a result, all of your reports are empty. See
Setting Event Collection and Retention Levels for more information.

Mail Volume by Date Report


The Mail Volume by Date report contains a graph and a table showing the count of the encrypted and
decrypted messages over a selected time period. This report can help you see patterns and trends in
usage data.
To generate a Mail Volume by Date report:
1. Click the Reports tab.

The View Your Reports page displays.


2. Click Mail Volume by Date.
3. Choose a value for each of the following parameters:

- Tenant Domain - Select a domain from the list to include only information for messages in the specified domain. The list includes all tenants found in the report database. An empty list indicates that no activity is stored in the database.
- Start date - Specify the earliest date of messages that are to be included in the report. Messages from the beginning of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the Start date.
- End date - Specify the latest date of messages that are to be included in the report. Messages up to the end of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the End date. The default value is yesterday's date.
- Interval - Select the interval for which the count is broken out. For example, if you choose Per Month, the report shows a count of messages for each month during the reporting period, as well as the total count.
- SecureMail Component - Select whether to include information about messages sent or received through ZDM, only through the Gateway, or all messages (through either ZDM or the Gateway) in the report.
- SecureMail Activity - Select whether to include information about messages that were encrypted, decrypted, or all messages (both encrypted and decrypted) in the report.
- Report Output Format - Select the format for displaying the reports. You can choose HTML, PDF, XLS, PPT, or DOC. See Understanding Reports for additional information about these formats.

4. Click Generate Report.

The Mail Volume by Date report displays, with a title that indicates the time interval you specified
for the Interval parameter.


In this example the Interval was set to Per Hour. Both the graph at the top and the table at the bottom
show the number of ZDM Decrypts and Gateway Encrypts during each hour, and that there were no
ZDM Encrypts or Gateway Decrypts done during the specified time period.

NOTE: If the gateway is configured to re-encrypt messages, the re-encrypted messages are
counted as both Gateway Decrypts and Gateway Encrypts. The number of Gateway Decrypts
does not necessarily correspond with the actual number of messages that have been read,
since some of the messages might have been re-encrypted.

Mail Volume by Domain Report


The Mail Volume by Domain report provides a summary of message activity with partners or users in other domains. This can help you monitor the extent to which your organization uses secure messages during external communication, as well as whether secure messages sent to specific domains are being read.
To generate a Mail Volume by Domain report:
1. Click the Reports tab.

The View Your Reports page displays.


2. Click Mail Volume by Domain.
3. Choose a value for each of the following parameters:


- Tenant Domain - Select a domain from the list to include only information for messages in the specified domain. The list includes all tenants found in the report database. An empty list indicates that no activity is stored in the database.
- Start date - Specify the earliest date of messages that are to be included in the report. Messages from the beginning of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the Start date.
- End date - Specify the latest date of messages that are to be included in the report. Messages up to the end of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the End date. The default value is yesterday's date.
- List of additional domains to exclude from the report - Enter the names of any additional domains that you consider to be internal. By default, this list includes the internal domain name associated with the tenant. If you consider other domains to be internal, you can add them to the list so that they are also excluded from the report.
- Minimum number of messages to be included in the report - Specify a value to exclude information from the report about less frequently used domains. The report includes only information about domains that sent or received at least the specified number of messages. For example, if you specify 5, then only domains at which users sent or received at least 5 messages are included.
- Report Output Format - Select the format for displaying the reports. You can choose HTML, PDF, XLS, PPT, or DOC. See Understanding Reports for additional information about these formats.

4. Click Generate Report.

The Mail Volume by Domain report displays.

This example shows that encrypted messages were sent from or read by 6 separate domains, including 15 messages sent from users in the gwtest.com domain and 7 messages read by users in that domain. Note that if a recipient opens the same message multiple times, that message is counted multiple times in the Read Email column.


Mail Volume by User Report


The Mail Volume by User report contains both a bar graph and a table containing information about the
top senders and recipients. This report can help you determine which users send or receive large
quantities of encrypted messages.
To generate a Mail Volume by User report:
1. Click the Reports tab.

The View Your Reports page displays.


2. Click Mail Volume by User.
3. Choose a value for each of the following parameters:

- Tenant Domain - Select a domain from the list to include only information for messages in the specified domain. The list includes all tenants found in the report database. An empty list indicates that no activity is stored in the database.
- Show either senders or recipients - Choose either Senders only or Recipients only from the list.
- Start date - Specify the earliest date of messages that are to be included in the report. Messages from the beginning of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the Start date.
- End date - Specify the latest date of messages that are to be included in the report. Messages up to the end of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the End date. The default value is yesterday's date.
- Number of top users to be included in the chart - Specify the number of senders or recipients of messages to be included in the graph at the top of the report. For example, if you specify 5, then only data from messages sent by the top 5 senders or recipients (depending on what you select in the Show either senders or recipients field) is included in the graph.
- Minimum number of messages to be included in the report - Specify a value to exclude information from the report about less frequent users. The report includes only information about users who sent or received at least the specified number of messages. For example, if you specify 5, then only users who sent or received at least 5 messages are included.
- Report Output Format - Select the format for displaying the reports. You can select HTML, PDF, XLS, PPT, or DOC. See Understanding Reports for additional information about these formats.

4. Click Generate Report.

The Mail Volume by User report displays. The report varies depending on whether you choose Senders only or Recipients only for the Show either senders or recipients parameter.
The following report shows an example in which Senders only is specified.


The following report shows an example in which Recipients only is specified.


In either case, the report shows a graph at the top that has the same number of bars as the value you specified for the Number of top users to be included in the chart parameter. The table at the bottom shows the message count for each sender or recipient who sent or received at least the number of messages specified for the Minimum number of messages to be included in the report parameter.

Message Status by Sender Report


The Message Status by Sender report shows when each message was sent, who it was sent to, and (if
known) when each recipient read it. This report can help you track the extent to which specific users
are sending secure messages, who the messages are being sent to, and when those messages are
being read.
To generate a Message Status by Sender report:
1. Click the Reports tab.

The View Your Reports page displays.


2. Click Message Status by Sender.
3. Choose a value for each of the following parameters:

- Tenant Domain - Select a domain from the drop-down list to include only information for messages in the specified domain. The list includes all tenants found in the report database. An empty list indicates that no activity is stored in the database.
- Sender Starting With - Enter the first few characters of an email address or the full email address of the sender for whom you want the report to display data.
- Start date - Specify the earliest date of messages that are to be included in the report. Messages from the beginning of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the Start date.
- End date - Specify the latest date of messages that are to be included in the report. Messages up to the end of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the End date. The default value is today's date.
- Include email subject in report - Select if you want the report to display the text of the email subject. Clear to prevent the display of message subjects in the report.
- Report Output Format - Select the format for displaying the reports. You can select HTML, PDF, XLS, PPT, or DOC. See Understanding Reports for additional information about these formats.

Note: If you specify parameters so that a large number of messages match the values you enter,
the report cannot process all of the data, and the report might only be partially generated. A
message at the bottom of the report that states "Report exceeds maximum number of rows: 1000.
Please narrow your selection criteria" indicates that the report was only partially generated. In this
case, the value shown at the top of the Sent Time column indicates the number of messages
processed during report generation. If the report is only partially generated, or is not generated at
all, you can try to limit the amount of data by using a complete email address in the Sender
Starting With text box, or by changing the values in the Start Date and End Date text boxes to
encompass a shorter interval.
4. Click Generate Report.

The Message Status by Sender report displays.


In this example, testuser@gwtest.com sent 15 messages, each with a different number of
recipients. Three of the recipients of the message sent at 20:23:46 read the message using the
ZDM that is on the same mail server from which the message was sent. The other recipients (for
which the value in the Read Time column is blank) either did not read the message yet, read the
message using the Voltage SecureMail Encryption Client, or read the message using a ZDM that
is on a different mail server. The Read Time column might also be blank if the message was sent
from a version of Voltage SecureMail prior to 3.7.

Message Status by Reader Report


The Message Status by Reader report displays information about each message that was read,
including the time that the message was sent (if known), and the time it was read by each recipient.
This can help you track the extent to which specific users are receiving and reading secure messages.
To generate a Message Status by Reader report:
1. Click the Reports tab.

The View Your Reports page displays.


2. Click Message Status by Reader.
3. Choose a value for each of the following parameters:

- Tenant Domain: Select a domain from the drop-down list to include only information for messages in the specified domain. The list includes all tenants found in the report database. An empty list indicates that no activity is stored in the database.
- Reader Starting With: Enter the beginning characters of an email address or the full email address of the reader for whom you want the report to display data.
- Start date: Specify the earliest date of messages that are to be included in the report. Messages from the beginning of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the Start date.
- End date: Specify the latest date of messages that are to be included in the report. Messages up to the end of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the End date. The default value is today's date.
- Include email subject in report: Select if you want the report to display the text of the email subject. Clear to prevent the display of message subjects in the report.
- Report Output Format: Select the format for displaying the reports. You can select HTML, PDF, XLS, PPT, or DOC. See Understanding Reports for additional information about these formats.

NOTE: If you specify parameters so that a large number of messages match the values you enter, the report cannot process all of the data, and the report might only be partially generated. A message at the bottom of the report that states "Report exceeds maximum number of rows: 1000. Please narrow your selection criteria" indicates that the report was only partially generated. In this case, the value shown at the top of the Read Time column indicates the number of messages processed during report generation. If the report is only partially generated, or is not generated at all, you can try to limit the amount of data by using a complete email address in the Reader Starting With text box, or by changing the values in the Start Date and End Date text boxes to encompass a shorter interval.

4. Click Generate Report.

The Message Status by Reader report displays, showing all messages that were read by the
specified recipient on this server using ZDM. Messages that were not read, that were read using
the Voltage SecureMail Encryption Client, or that were read using a ZDM that is on a different mail
server do not show up in this report.

In this example, the recipient decrypted the message that was sent at 20:23:46 multiple times
using ZDM on this server, as indicated by the 3 values in the Read column for that message. If the
Read column is blank, it indicates that the time the message was sent is not available. This can
occur if the message was sent using the Voltage SecureMail Encryption Client, if it was sent
using a ZDM that is on a different mail server, or if it was sent using a version of Voltage
SecureMail prior to 3.7.

Licensed Products Report


The Licensed Products report displays a count of licensed users and optionally, the email addresses of
licensed users for each Voltage SecureMail product. Licensed users include those who send or receive
secure messages that are encrypted or decrypted at the Voltage SecureMail Gateway, through ZDM,
or with the Voltage SecureMail Encryption Client, as well as those who encrypt or decrypt files using
Voltage SecureFile. This report can help you see whether your organization is approaching its license
limit and might need to purchase additional licenses.
To generate a Licensed Products report:
1. Click the Reports tab.

The View Your Reports page displays.


2. Click Licensed Products.
3. Choose a value for each of the following parameters:

- Tenant Domain - Select a domain from the list to include only information for messages in the specified domain. The list includes all tenants found in the report database. An empty list indicates that no activity is stored in the database.
- Start date - Specify the earliest date of messages that are to be included in the report. Messages from the beginning of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the Start date.
- End date - Specify the latest date of messages that are to be included in the report. Messages up to the end of that day are included. You can display a calendar by clicking the button to the right of the displayed date. Click a date on the calendar to populate the End date. The default value is yesterday's date.
- List of domains to include in the report - Type the names of any additional domains for which data is to be included in the report. By default, only data for the domain of the tenant is included.
- Show detailed licensed user information - Select if you want the report to include the email address of each user. Clear to see only a count of licensed users.
- Report Output Format - Select the format for displaying the reports. You can select HTML, PDF, XLS, PPT, or DOC. See Understanding Reports for additional information about these formats.

4. Click Generate Report.

The Licensed Products report displays.


In this example, the Voltage SecureMail Encryption Client has one user from the gw20vm.com domain.
If you click the link from the number of users, the report scrolls to the location of the email address for
the user from that domain.

Product Usage Report


The Product Usage report displays a count of all users, both licensed and unlicensed, or details about
these users for each Voltage SecureMail product. You can optionally include the email address of all
users of each product. This report can help you track the extent to which each Voltage SecureMail
product is being used within your organization.
To generate a Product Usage report:
1. Click the Reports tab.

The View Your Reports page displays.


2. Click Product Usage.
3. Choose a value for each of the following parameters:

l Tenant Domain - Select a domain from the list to include only information for messages in the
specified domain. The list includes all tenants found in the report database. An empty list indicates
that no activity is stored in the database.
l Start date - Specify the earliest date of messages that are to be included in the report.
Messages from the beginning of that day are included. You can display a calendar by clicking
the button to the right of the displayed date. Click a date on the calendar to populate the Start
date.
l End date - Specify the latest date of messages that are to be included in the report. Messages
up to the end of that day are included. You can display a calendar by clicking the button to the
right of the displayed date. Click a date on the calendar to populate the End date. The default
value is yesterday's date.
l Show detailed licensed user information - Select if you want the report to include the email
address of each user. Clear to see only a count of the users for each product.
l Report Output Format - Select the format for displaying the reports. You can select HTML,
PDF, XLS, PPT, or DOC. See Understanding Reports for additional information about these
formats.

4. Click Generate Report.

The Product Usage report displays.

In this example, two users are licensed to use the Voltage SecureMail Encryption Client. If you
click the value in the PRODUCT column, the report scrolls to the location that displays the email
address of each user of that product.

Deployed Clients Report


The Deployed Clients report contains a list of the unique users for each version of the Voltage
SecureMail Encryption Client deployed in production. This can help you see which users need to have
their client software upgraded to the next version.
To generate a Deployed Clients report:

1. Click the Reports tab.

The View Your Reports page displays.


2. Click Deployed Clients.
3. Choose a value for each of the following parameters:

l Tenant Domain - Select a domain from the list to include only information for messages in the
specified domain. The list includes all tenants found in the report database. An empty list indicates
that no activity is stored in the database.
l Start date - Specify the earliest date of messages that are to be included in the report.
Messages from the beginning of that day are included. You can display a calendar by clicking
the button to the right of the displayed date. Click a date on the calendar to populate the Start
date.
l End date - Specify the latest date of messages that are to be included in the report. Messages
up to the end of that day are included. You can display a calendar by clicking the button to the
right of the displayed date. Click a date on the calendar to populate the End date. The default
value is yesterday's date.
l Report Output Format - Select the format for displaying the reports. You can select HTML,
PDF, XLS, PPT, or DOC. See Understanding Reports for additional information about these
formats.

4. Click Generate Report.

The Deployed Clients report displays.

In this example, two users are using version 4.1.1 of the Voltage SecureMail Encryption Client.
When you are ready to upgrade to a new version, you can deploy the new version to all of the
users displayed in the Email Address column.
