EmailSentry Configuration

EmailSentry™ Configuration Settings

These are the features and settings that new EmailSentry customers should consider. While the recommended layout for EmailSentry configuration files makes changing EmailSentry settings and functionality very easy, we recommend reviewing the options below to optimize how EmailSentry works for your organization from day one.

This document is a casual explaination of EmailSentry features. See EmailSentry Features, Configuration, and Customization for more formal descriptions of the EmailSentry settings described here.

Skip down to the skipdomains or global sections below if you just want info on simple EmailSentry settings.

EmailSentry Configuration Options

config files: where settings are located, and when and how they are retrieved
configure: Setting Up the Config Files
disable: emergency disable EmailSentry
origin: originate tests from CheckTLS.com or your own domain
authorization: how EmailSentry checks your license
help: where and how to give your users help (MoreInfo link)
translate: translate EmailSentry into your language
logo: add your company logo to the popup
proxy: how to make EmailSentry work through your proxy server
skip domains: list domains you don't need to test (i.e. your own)
global settings: how EmailSentry looks and works
TestReceiver settings: how EmailSentry tests targets

Config Files

EmailSentry stores all its settings and other information in a configuration file. This configuration file is usually stored in two parts: one part on a user's PC, and one part on a webserver accessible to the PC. When Outlook first starts, EmailSentry reads the part on the user's PC from the file C:\ProgramData\SecurEmailLLC\EmailSentry.xml. One of the settings in this file is a URL for the webserver file, which EmailSentry then reads.

The file on the user's PC is called the FixedConfigFile, and it holds any settings that are specific to that user, as well as the URL of the webserver file. The file on the webserver is called the LiveConfigFile, and it holds settings that pertain to all users. Because the FixedConfigFile (the one on the user's PC) is hard to change, typically the FixedConfigFile only holds one setting: the URL of the LiveConfigFile. The LiveConfigFile, hosted on a webserver, is easier to change than touching every user's PC, and it's easier to manage since it has all settings in one place.

Large organizations host their LiveConfigFile on their own webserver. They can protect their settings from outside view, and even deliver custom LiveConfigFiles to their users based on department, title, etc. Smaller organizations let CheckTLS.com host their LiveConfigFile for them. CheckTLS.com has a webpage that lets you edit your config files.

Configuration and Re-Configuration

The FixedConfigFile on each user's PC can be installed several ways. If the EmailSentry install is pushed out via group policy or a PC management system like Microsoft's System Center, then the file (C:\ProgramData\SecurEmailLLC\EmailSentry.xml) can be installed at the same time. Command line parameters on the EmailSentry.msi file can tell the installation to fetch the file from CheckTLS.com (see Windows Installer for more info).

But most EmailSentry installations will use a special "Configure Email" to copy a company's FixedConfigFile from CheckTLS.com to each user's PC. When a user sends an email to COMPANYCODE@Config.EmailSentry.com with the Subject: COMPANYPASS, then EmailSentry recognizes the email as a "Configure Email" and instead of sending an email it uses it instead as a command to fetch the company's FixedConfigFile from CheckTLS.com and store it on the PC. COMPANYCODE and COMPANYPASS are provided when you license EmailSentry.

This configure email can be used to Re-Configure EmailSentry, which will overwrite the FixedConfigFile on the PC with a new one fetched from CheckTLS.com.

The configure email can embedded in a mailto: link on a webpage to make it easy for your users to configure EmailSentry. We provide a copy of this link, customized for your company, in the Install.html file that is provided when you license EmailSentry, usually at www.checktls.com/CsOA/COMPANYCODE/Install.html.

Temporarily Disable EmailSentry

EmailSentry is designed to be fail-safe, meaining it should never "break" a user's email. If anything goes wrong, EmailSentry gives the user an option to disable EmailSentry until they next re-start Outlook.

In addition, a company can temporarily disable EmailSentry by adding a the node <DISABLE>1</DISABLE> to either config file.

Obviously, when EmailSentry is disabled, it is no longer protecting your email.

Originate Tests from CheckTLS.com or Your Domain

EmailSentry tests domains by connecting to them and probing their security. These tests are usually launched from the CheckTLS.com servers. You can find the IP addresses of the CheckTLS.com servers by doing a DNS search on "whitelist.checktls.com".

Very security conscious companies or companies that have very robust Internet mail connectivity and reputation can specify a different IP address space from which to originate these tests.

Use the node <a_SOCKS> to specify a SOCKS proxy server which EmailSentry can route connections to Internet port 25 (SMTP). The format is "user:pass@host:port", for example: <a_SOCKS>socks-proxy-server.checktls.com:1080</a_SOCKS>

Authorizing a User to Use EmailSentry

Each licensee (company) has unique COMPANYCODE and COMPANYPASS. These are encrypted into an AUTH code (see //subscription/getAUTH). The AUTH code can also include an IP address range to further protect the license. Only requests coming from this IP range are allowed to use those COMPANYCODE and COMPANYPASS.

The AUTH code must be included in an <AUTH> node in either config file. This AUTH code is used to authenticate EmailSentry to CheckTLS.com on every email.

AUTH codes should be kept private, especially if the AUTH is not limited to an IP address range. If someone steals your AUTH, they can use one of your seat licenses, and have access to unlimited CheckTLS.com tests and any saved Batches you have.

If an AUTH is compromized, it is easy to change the CUSTOMERPASS and generate a new AUTH, so let us know if you suspect any unauthorized access.

Documentation For Your Users

The EmailSentry popup window has a "More Information" link your users can click to learn more about EmailSentry. MoreInfo Circled
This link opens a webpage that you specify with the node <MOREINFOURL> in either config file.

We provide a skeleton page that you can customize (see www.checktls.com/CsOA/COMPANYCODE/MoreInfo.html). You can either customize this page and send it back to us to host for you, or you can host it yourself and change the <MOREINFOURL> node in your config file.

There is also an optional <POPUPURL> node that points to a text only message that EmailSentry displays in a popup every time it starts. Most companies do not use this feature. It exists for a company to put up a quick text note to introduce users to EmailSentry, or to inform users about a security policy change.

Language Translations

Every button and nearly every message in EmailSentry can be translated or otherwise customized. These are the node names and default text for each available item:

T_Title: "EmailSentry"
T_Change: "&Change This Email"
T_Delete: "&Delete This Email"
T_Encrypt: "&External Encrypt This Email"
T_Send: "&Send This Email Anyway"
T_CheckingRecipient: "Checking Recipient Security"
T_Checking: "Checking:"
T_MoreInformation: "More Information"
T_TheseDomainsFailed: "These domains failed CheckTLS:"
T_FAIL: "FAIL"
T_OK: "OK"
T_TIMEOUT: "TimeOut"
T_NewConfigFileSaved: "New config file saved!\nPlease close and re-open Outlook."
T_DisabledMessage: "EmailSentry disabled.\nRestart Outlook to re-enable.\nUntil you restart Outlook\nALL MESSAGES WILL BE SENT\nWITHOUT ANY SECURITY CHECKS."

For example, here is the EmailSentry popup in Dutch:
EmailSentry in Dutch

Add Your Logo to The Popup Window

The optional node <T_LogoImageLocation> points to a logo file that replaces the EmailSentry logo in the top left of the popup window next to the title.

List Domains That Do Not Need To Be Tested

You can make EmailSentry even faster by telling it to skip any domains that you are sure are secure. The obvious domain is your own, since you should not be using your users to verify that your own domain is secure. If you tell EmailSentry to skip your own domain, then it does not pop up at all on any email that is only to your own users.

If you have other domains that you know are safe, especially ones that you frequently email, then listing those saves time too.

You tell EmailSentry to skip specific domains by listing them in <SKIPDOMAIN> nodes. You can put many domains in one <SKIPDOMAIN> node and have multiple <SKIPDOMAIN> nodes, for example: <SKIPDOMAIN>Dwalin.com</SKIPDOMAIN> <SKIPDOMAIN>Balin.com;Kili.com;Fili.com;Dori.com</SKIPDOMAIN> <SKIPDOMAIN>Nori.com;Ori.com;Gloin.com;Bifur.com;Bofur.com</SKIPDOMAIN> <SKIPDOMAIN>Bombur.com</SKIPDOMAIN> <SKIPDOMAIN>Thorin.com</SKIPDOMAIN>

User Interface and Operations

<TIMEOUT>
This tells EmailSentry how long to wait for a response from CheckTLS.com. It needs to include the time to contact CheckTLS.com and make a request, for CheckTLS.com to perform the test, and for the data to come back. The first and last pieces together are usually less than a second. Performing the test depends on the target email server. Tests usually take 3-5 seconds, but if the target does some IP or SPAM checking it can take 10 seconds or more. Default: 30 seconds.

<MINSCORE>
This tells EmailSentry what CheckTLS.com Confidence Factor is considered "pass". Less than this number is a "fail". Please see below and the complete documentation for //email/testTo: ("TestReceiver") on CheckTLS.com for how to tune the test to return just the score you want. Default: 90 (which works for most cases).

<HIDEUID>
EmailSentry logs tests with the PC's USERNAME and COMPUTERNAME. These are generally not security risks as they are typically names that Windows assigned when Windows was installed, but some companies put actual login names and/or real computer identifiers in these fields. This setting causes EmailSentry to perform a one-way hash on the USERNAME and COMPUTERNAME, there by obfuscating them from ever being read.

We recommend leaving the USERNAME and COMPUTERNAME un-hashed as it lets you and us find problems and report on usage.

<ENCRYPTOPTION>
EmailSentry can add an extra button, Encrypt, which can re-route insecure emails through an encryption path you have in your systems. See Encrypt Options for more information.

<SENDBUTTON>
Adding this node to your config and setting it to zero will disable the "Send Anyway" button. Some high security environments do not ever want users to send an email that is not encrypted. Most sites trust their users to only use this option when they are sending casual "remember to buy milk" messages to their spouses.

EmailSentry does log the use of the Send Anyway button, so you can both check up on your users and inform them that any Send Anyway will be logged.

<WAITSEC>
This tells EmailSentry to wait a few seconds before enabling the Send Anyway button. This helps users to not get into the habit of just clicking Send without giving the contents of the email some thought.

<HIDEPOPUP>
In operation, EmailSentry displays two popups. The two look exactly alike so in normal operation they look like one window. The first is shown while EmailSentry is testing, and the second is shown if EmailSentry finds any insecure domains.

This option suppresses the first window, so EmailSentry runs transparently unless it finds an insecure domain. We recommend not using this option, as we like reminding users that their emails are being checked, and it lets the user know that "outlook is working".

Customize How Targets are Tested

EmailSentry uses //email/testTo: ("TestReceiver") on CheckTLS.com to test the security of each domain. This test is very configurable. We encourage you to review the documentation on CheckTLS.com, and experiment with different options on various targets to tune the test to return exactly what you want EmailSentry to do.

Some common options you may want to consider:

QUICK: Recommended option that is a good compromise between speed and accuracy. It tests the path your email would take at the moment rather than thoroughly testing all options.
SSLVERSION: This specifies what versions of SSL/TLS are acceptable. The CheckTLS.com Confidence Factor is designed to take SSL/TLS versions into consideration, so rather than specifying a version here we recommend using the MINSCORE option (above) to decide "pass" or "fail" for an email system. But you can use this setting to eliminate some versions or only allow some versions.
TIMEOUT: This specifies how long the CheckTLS.com TestReceiver test should wait for an email server to respond. It differs from the TIMEOUT above in that this TIMEOUT is for just one step whereas the above TIMEOUT is for all steps combined.