Frequently Asked Questions

• General
• eM4 Relay
• Desktop Ed
• Auditing
• TLS-Transport Layer Security

Can users with third party hosting or various public ISPs providers use eM4?
Yes. Subscribers and Lite Subscribers can install the Outlook Add In or Web Mail.

The Em4 device encrypts everything we send to it. Can we leverage our existing mail infrastructure to write business rules which would redirect mail going to specific domains, over to Em4?
Yes. In a parallel implementation of the eM4 relay, you can use your email server to identify and route emails by domain through the eM4 relay. This makes it easier for us to manage user lists.

The header info includes an eM4 tag for encrypted emails. Is this tag removed when the email is decrypted on the relay server?
No. The two "x records" remain with the email.

Will the Subject line of the email be encrypted?
Yes. The entire email and its attachments will be encrypted and wrapped. The subject line will include "eM4 Compliant Email delivery notice". "The From" line will include "PaperClip Compliant Email".

Is there any kind of notice that an email has not been received?
Yes. Once an email goes out the recipient gets 1st notice. If they do not pick it up within 36 hours they get a 2nd notice. Yet another 36 hours goes by then both sender and receiver get a 3rd and final notice. Email is retained on PaperClip servers for 5 days then purged. Audit reports reflect activity.

Are there any rules for entering passwords when creating an account?
Minimum length 6 characters: requires 2 non-alphanumeric characters.

Do eM4 Lite Clients (sponsored clients) have access to the portal?
No.

Can multiple people log into the webmail under the same credentials?
Yes.

Who pays for the non-subscriber email "Replied to"?
Subscriber. eM4 tracks for billing purposes all emails encrypted. Subscribers account for non subscriber Reply to and eM4 Lite New emails.

Can more than one person share a Web Mail account?
Yes. One Web Mail account supports one email address, users would share login credentials.

How long are emails stored in the Web Mail Mailbox?
Emails are purged 5 days after retrieved. In the inbox, mew mail appears in bold. Once retrieved it appears normal. Emails are also purged five days after Third and Final Notice to Sender and Receiver.

Besides the transaction fees, are there any other costs to implement this tool?
No. There is no charge for the eM4 Relay and Help Desk. Professional Services are available on a per quote basis.

Can you choose to turn on eM4 for one Subscriber and not another Subscriber?
Yes. In a Parallel Deployment the host mail server or content filtering system can decide on what domains are routed to the eM4 Relay.

How do I encrypt an email to a non-subscriber?
By placing the address 'flag@em4.relay.smtp' in the CC: or BCC:.

Can eM4 work with GroupWise email server?
eM4 is basically a SMTP relay allowing it to work with any SMTP based email platform. The eM4 Relay sits between your email server (Exchange, GroupWise, Lotus, etc.) and the Smart Host or SMTP Gateway.

Is a Smart Host required?
Yes. eM4 Relay is a "Closed" relay which for compliance, is not accessible from the Web. The Smart Host or SMTP Gateway manages the interface with the Web and routes all or selected emails to the eM4 Relay.

What type of hardware is recommended?
eM4 Relay supports Microsoft 2000 servers and above. Encoding and decoding is the most resource intense function of the eM4 Relay therefore CPU power is the most critical requirement.

How can I measure the performance of the eM4 Relay?
eM4 Relay supports Microsoft Performance Monitor (PerfMon) with 13 eM4 related counters providing you the capability to measure and track the systems performance.

Is the MS IIS SMTP Virtual Server required if we already have an email gateway that does the mail routing?
No. The eM4 Relay can inter operate with any Smart Host or SMTP Gateway. The MS SMTP Virtual Server comes with IIS and is very effective for medium to lite traffic. MS Exchange 2003/2007 requires exclusive control of the SMTP server which will require a second CPU to support SMTP Virtual Server as a Smart Host.

The installation mentions the need for MS SQL Express but I don't see any configuration instructions for a database. Is there a database with the Relay Server?
Yes. The eM4 Relay install software contains MS SQL Express. The install will setup the database requiring no user intervention.

What is stored in the DB?
SQL is used for configuration parameters and auditing. Audit data is held and posted to the Central Office (every 15 minutes) then purged - "transient data storage".

What's the expected size of the db?
SQL size under normal operation is estimated at 2 Mb.

Is there something specific in the headers before and after the encryption/decryption?
The eM4 encrypted email inserts two "x records" in the header indentifying it as an em4 encoded email and a unique identification number.

Is the eM4 Relay software supported under VMware?
Yes. eM4 Relay is compatible with VMware and Microsoft Virtual Server.

Is there any documentation on eM4 installation/setup/configuration?
Request the "eM4 Installation Docs 2007.zip" file.

What is the Desktop Edition?
The Desktop Edition (DE) is used on individual workstations with your Email client software. The DE sits between your Email client and your Email server as a proxy service.

Who can use the Desktop Edition?
Full and Lite Subscribers can install the DE. Lite Subscribers can "Register their Webmail Inbox" afterwards they will have the option to download and install the DE client. Lite Subscriber rules still apply.

Is there a cost for the software?
No. eM4 Service does not charge for Desktop Edition, Server Edition or users. The service charges for the number of Emails that are encrypted.

Does the Desktop Edition communicate with the Central Office (CO)?
Yes. The DE initiates all communications to the CO via SSL on port 443 exclusively. DE pulls encryption keys from the CO and pushes auditing information to the CO asynchronously.

Do the Desktop Edition rules behave the same as the Server Edition?
Yes, the same six rules apply:

1. If an Email recipient's Email address or address domain is in the list, the Email is encrypted.
2. If one or more Email recipients' Email address or address domains are in the list, the Email is encrypted to all addresses.
3. If the wild card Email address (flag@em4relay.smtp) appears in the address with one or more recipients, the Email is encrypted to all addresses.
4. If recipients on the Email are not eM4Service Subscribers or not sponsored eM4Lite Subscribers, they are not encrypted.
5. All incoming encrypted Email is decoded and passed on to Email Server or Email Client.
6. All eM4Relay encoded Emails will be tagged indicating so.

Can I use "parallel mode" with the Desktop Edition install?
Yes. The DE Options has a "Encrypt All" switch, when enabled it will encrypt all Emails regardless.

Can I use the Desktop and Server Editions together?
Yes. Two separate Subscriptions must be set up, one DE and the other SE. In this model the two subscriptions will be aggregated for volume.

Can I use the Desktop Edition if my mail server is hosted by a third party?
Yes. The DE is installed on the user's computer and will operate normally.

Is the Desktop Edition compatible with my Email client?
Yes. The DE functions as an Email proxy / relay. The Email Client releases the Email to the DE which encodes it and forwards it on to the target Email server for delivery.

How hard is it to configure IBM Notes or GroupWise Email clients?
The DE has an install wizard for automatic configuration with Microsoft Outlook. Third party Email clients (including Microsoft Outlook Express) must be manually configured. Email Client configuration changes both POP3 and SMTP server address to 127.0.0.1 with the POP3 port set to 5367 and the SMTP port set to 5366. Note - different ports can be used if necessary. All other Email settings are passed through as a proxy service.

Will Desktop Edition work with IMAP protocol?
No. Since the DE encrypts the Email before landing on the Email server, mail on the Email server will rest encrypted. To support IMAP you must install the Server Edition.

Can I have more than one DE installed for my Email address?
Yes. You can install DE on more than one computer that you use, like an office computer and a notebook you may travel with.

What is the encryption standard used?
Triple DES for 168 bit encryption.

Can I bypass the DE?
Yes. You can setup an additional Email account with server settings bypassing the DE. This should be configured as "Send Only" while the secured account is configured for both send and receive. This will give you the option on which one you set as your default for sending, but all POP3 mail will be received through the secured account ensuring encrypted mail will be decoded.

How does DE handle Email List Servers?
Email sent to a List without NPI /PII would be sent through your Un-secured Email account bypasses the DE. Email sent to a List with NPI /PII would be delivered to Webmail where all users view the same Email. Account Administrators can configure eM4 List Email behavior in the portal.

Will my Auto Responder be encrypted outbound?
Auto Responders that are Email Server features will not be encrypted. Email Client Auto Responders should be configured with the Un-secured Email account.

As part of the Audit information, what is actually stored at the Central Office server?
Email addresses, Subject Line, Attachment file names, Sent and Received date/time stamps.

Are there specific Retention Requirements for the logs?
Audits (logs) are maintained for seven years. Audits are pushed to subscriber daily, weekly or monthly and accessible from the CO for the last sixty days.

Are the logs encrypted?
The possible NPI in the attachment name or subject line is stored in a secured database. Audit reports generated from the portal are downloaded over an SSL connection. Scheduled reports are sent as email attachments via eM4 Compliant email.

What's the mechanism to transfer the audit files? Is this optional?
Auditing File will be a CSV file (spreadsheet) pushed via email through eM4 itself. This feature can be enabled/disabled and the frequency daily, weekly or monthly selected.

What is TLS?
TLS (Transport Layer Security) was designed by Netscape in 1994 to connect email clients to email servers. TLS is an Internet protocol (RFC 2246) which provides confidentiality and authentication layers over any reliable transport layer. TLS uses digital certificates to authenticate the user as well as authenticate the server using the public key from the server to encrypt a random number and send it back to the server. The random number, combined with additional random numbers previously sent to each other, is used to generate a secret session key to encrypt the subsequent message exchange.
Simply said, TLS encrypts the pipe.

Why would I use TLS?
TLS is intended for large enterprise email infrastructures. If I manage many emails servers across my company, TLS works well to secure email for my clients and my email servers.
Simply said, if you control the environment, TLS can be very effective.

My organization uses TLS, if I send an email to a trading partner, are we compliant?
Unfortunately no. TLS cannot guarantee end-to-end encryption. Any non-TLS open relay or TLS interoperability errors will continue your message in clear text. Receivers of TLS delivered email can validate it was encoded by reading the email properties message source.
Simply said, TLS is a one-hop encryption, not "end to end".

What does TLS cost?
TLS requires a X.509 certificate, which is installed on one to many servers depending on your infrastructure. There are commercial tools available to create certificates or you can buy a trusted certificate. Most organizations acquire trusted certificates to avoid interoperability problems with other TLS enabled server. Trusted TLS certificates can range in cost from $1,000 to $2,500 per server per year.
Simply said, TLS may cost nothing to a couple of thousand dollars.

Can I use TLS if my ISP provider hosts my email?
Usually no. Many ISP providers do not support TLS because of its implied liability and associated support.
Simply said, check with your ISP.

Does TLS provide D3P Level Auditing?
No, TLS is just a network protocol. Reporting would be "first party" at best and limited to the functionality of your email (spam, antivirus, smart host, etc.) server(s) features.
Simply said, TLS is a protocol, not an application.

How does eM4 compare with TLS?
The eM4 Service is a D3P Level secure email service meeting compliance and TLS is a network protocol which can not guarantee secure delivery. At the heart of the service is the eM4 Relay which is a closed relay designed to encrypt and decrypt the email and attachments for end to end security. These events are captured by PaperClip Incorporated's eM4 Central Office, a disinterested third party providing equal access to the sender and receiver(s) for auditing purposes. The eM4 Service does not charge for subscriber side software, only the transactions it encodes, this ensures any size organization can participate.
Simply said, TLS is a casual security feature, not a compliant application service.