Frequently Asked Questions
General eM4 Questions
+ Do all my Emails go out encrypted?
No or Yes. Subscribers can configure their compliance level at any time. Subscribers can deploy the Server Edition or the Desktop Edition with the standard five encryption rules, known as Serial Mode. In Serial Mode all Email traffic passes through the Relay and only those Emails subject to the rules are encrypted. Subscribers can deploy the Server Edition or the Desktop Edition with absolute encryption enabled, known as Parallel Mode. In Parallel Mode all Email traffic received by the Relay is encrypted. Parallel Mode is usually deployed under the control of an email content filtering or routing system. Subscribers can deploy the Server Edition or the Desktop Edition with absolute encryption disabled. All Emails will pass through the Relay unchanged. Encryption only happens when the Outlook AddIn forces encryption (X Record inserted) or the Encrypt Flag (flag@em4relay.smtp) is one of the addresses.
+ What are the eM4 encryption rules?
1. If an Email recipient's Email address or address domain is in the list of Subscribers, the Email is encrypted.
2. If one or more Email recipients' Email addresses or address domains are in the Subscriber list, the Email is encrypted to all addresses.
3. If the wild card Email address (flag@em4relay.smtp) appears in the address, the Email is encrypted to all addresses.
4. If the wild card Email address (bypass@em4relay.smtp) appears in the address, the Email passes through and is not encrypted to any addresses.
5. If recipients on the Email are not eM4Service Subscribers or not sponsored eM4Lite Subscribers, the Email is not encrypted.
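The five rules as a decision function, with the audit condition from the Auditing section (a bypass of an Email that would otherwise be encrypted is recorded). This is an added illustration, not PaperClip code: the function names, the representation of the Subscriber list as a set of addresses and domains, and the choice that the bypass address wins over the flag address are assumptions.

```python
# Added illustration of the rules above; not the eM4 Relay's own logic.
FLAG = "flag@em4relay.smtp"      # rule 3 wild card address (from the page)
BYPASS = "bypass@em4relay.smtp"  # rule 4 wild card address (from the page)


def is_subscriber(addr, subscribers):
    """Rule 1: match on the full address or on its domain."""
    domain = addr.rpartition("@")[2]
    return addr in subscribers or domain in subscribers


def decide(recipients, subscribers):
    """Return (action, auditable) for one outbound Email.

    `subscribers` holds addresses and domains of Subscribers and, by
    assumption, of sponsored eM4 Lite Subscribers (rule 5).
    """
    subs = {s.strip().lower() for s in subscribers}
    addrs = [r.strip().lower() for r in recipients]
    real = [a for a in addrs if a not in (FLAG, BYPASS)]
    matched = any(is_subscriber(a, subs) for a in real)

    if BYPASS in addrs:
        # Rule 4. Assumption: bypass takes precedence over rules 1-3.
        # Auditable only when the Email was normally subject to encryption.
        return ("pass", matched)
    if FLAG in addrs or matched:
        # Rules 1-3: a single match encrypts the Email to all addresses.
        return ("encrypt", False)
    return ("pass", False)  # Rule 5: no Subscriber among the recipients


if __name__ == "__main__":
    subs = {"partner.example", "alice@bank.example"}  # constructed sample
    for rcpts in (["bob@partner.example", "carol@other.example"],
                  ["carol@other.example"],
                  ["bob@partner.example", BYPASS]):
        print(rcpts, "->", decide(rcpts, subs))
```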
+ What are the eM4 decryption rules?
1. All incoming encrypted Email is decoded and passed on to the Email Server or Email Client.
2. All eM4 Relay encoded Emails will be tagged indicating so.
+ Is there an Outlook AddIn to help the user?
Yes. Users can install an Outlook AddIn that presents a ribbon at the bottom, indicating the encryption status and providing the ability to change it.
+ Can users with third party hosting or various public ISP providers use eM4?
Yes. Subscribers and Lite Subscribers can install the Outlook AddIn or Web Mail.
+ Do emails pass through PaperClip's Central Office?
No. Emails are encrypted by the internal eM4 Relay and handed off to your Email gateway for normal delivery. Only Emails for Non Subscribers are sent to PaperClip's eM4 Webmail.
+ Are Emails sent to eM4 Webmail secured?
Yes. Emails are encrypted in transit and stored encrypted at rest on the PaperClip server, then purged 30 days later.
Yes. In a parallel implementation of the eM4 relay, you can use your email server to identify and route emails by domain through the eM4 relay. This makes it easier for us to manage user lists.
No. The two "x records" remain with the email.
+ Will the Subject line of the email be encrypted?
Yes. The entire email and its attachments will be encrypted and wrapped. The subject line will include "eM4 Compliant Email delivery notice". The "From" line will include "PaperClip Compliant Email".
+ Besides the transaction fees, are there any other costs to implement this tool?
Yes. There is a charge for both Relay Server and Relay Desktop plus transaction fees. An individual can subscribe for $220 a year and encrypt 2,000 emails. A million emails encrypted with the Relay Server deployed would cost about $18,000 annually.
+ Is there a cost for the software?
Yes. eM4 Service charges $100US for each Desktop Edition software and $3,000US for the Server Edition software annually. The service charges only for the number of Emails that are encrypted, otherwise called transactions.
+ Can you choose to turn on eM4 for one Subscriber and not another Subscriber?
Yes. In a Parallel Deployment the host mail server or content filtering system can decide on what domains are routed to the eM4 Relay.
eM4 Relay Server Edition
+ Can eM4 work with GroupWise email server?
eM4 is basically an SMTP relay, allowing it to work with any SMTP based email platform. The eM4 Relay sits between your email server (Exchange, GroupWise, Lotus, etc.) and the Smart Host or SMTP Gateway.
Yes. eM4 Relay is a "Closed" relay which, for compliance, is not accessible from the Web. The Smart Host or SMTP Gateway manages the interface with the Web and routes all or selected emails to the eM4 Relay.
+ What type of hardware is recommended?
eM4 Relay supports Microsoft 2003 servers and above. Encoding and decoding are the most resource-intensive functions of the eM4 Relay, so CPU power is the most critical requirement.
+ How can I measure the performance of the eM4 Relay?
eM4 Relay supports Microsoft Performance Monitor (PerfMon) with 13 eM4 related counters, giving you the capability to measure and track the system's performance.
No. The eM4 Relay can interoperate with any Smart Host or SMTP Gateway. The MS SMTP Virtual Server comes with IIS and is very effective for medium to light traffic. MS Exchange 2003/2007 requires exclusive control of the SMTP server, which will require a second CPU to support SMTP Virtual Server as a Smart Host.
Yes. The eM4 Relay install software contains MS SQL Express. The install will set up the database, requiring no user intervention.
SQL is used for configuration parameters and auditing. Audit data is held and posted to the Central Office (every 15 minutes) then purged - "transient data storage".
+ What's the expected size of the db?
SQL size under normal operation is estimated at 2 Mb.
+ Is there something specific in the headers before and after the encryption/decryption?
The eM4 encrypted email inserts two "x records" in the header, identifying it as an eM4 encoded email and giving a unique identification number.
+ Is the eM4 Relay software supported under VMware?
Yes. eM4 Relay is compatible with VMware and Microsoft Virtual Server.
+ Is there any documentation on eM4 installation/setup/configuration?
Request the "eM4 Installation Docs 2007.zip" file.
+ Does the Relay Server Edition support mobile devices?
Yes. Emails are decrypted before they land on your mail server and are therefore available to your mobile device in clear text.
eM4 Relay Desktop Edition
+ What is the Desktop Edition?
The Desktop Edition (DE) is used on individual workstations with your Email client software. The DE sits between your Email client and your Email server as a proxy service.
+ Who can use the Desktop Edition?
Full and Lite Subscribers can install the DE. Lite Subscribers can "Register their Webmail Inbox"; afterwards they will have the option to download and install the DE client. Lite Subscriber rules still apply.
+ Does the Desktop Edition communicate with the Central Office (CO)?
Yes. The DE initiates all communications to the CO via SSL on port 443 exclusively. DE pulls encryption keys from the CO and pushes auditing information to the CO asynchronously.
+ Can I use "parallel mode" with the Desktop Edition install?
Yes. The DE Options has an "Encrypt All" switch; when enabled, it will encrypt all Emails regardless.
+ Can I use the Desktop and Server Editions together?
Yes. Two separate Subscriptions must be set up, one DE and the other SE. In this model the two subscriptions will be aggregated for volume.
+ Can I use the Desktop Edition if my mail server is hosted by a third party?
Yes. The DE is installed on the user's computer and will operate normally.
+ Is the Desktop Edition compatible with my Email client?
Yes. The DE functions as an Email proxy / relay. The Email Client releases the Email to the DE which encodes it and forwards it on to the target Email server for delivery.
+ How hard is it to configure IBM Notes or GroupWise Email clients?
The DE has an install wizard for automatic configuration with Microsoft Outlook. Third party Email clients (including Microsoft Outlook Express) must be manually configured. Email Client configuration changes both the POP3 and SMTP server addresses to 127.0.0.1, with the POP3 port set to 5367 and the SMTP port set to 5366. Note: different ports can be used if necessary. All other Email settings are passed through as a proxy service.
+ Does the Relay Desktop Edition support mobile devices?
No. Emails on the local Email Server are encrypted until the Desktop Email client pulls them from the Email Server. Mobile device manufacturers do offer Desktop solutions at a cost.
+ Will Desktop Edition work with IMAP protocol?
No. Since the DE encrypts the Email before landing on the Email server, mail on the Email server will rest encrypted. To support IMAP you must install the Server Edition.
+ Can I have more than one DE installed for my Email address?
Yes. You can install DE on more than one computer that you use, like an office computer and a notebook you may travel with.
+ What is the encryption standard used?
Triple DES for 168 bit encryption.
Yes. You can set up an additional Email account with server settings bypassing the DE. This should be configured as "Send Only" while the secured account is configured for both send and receive. This lets you choose which one to set as your default for sending, but all POP3 mail will be received through the secured account, ensuring encrypted mail will be decoded.
+ How does DE handle Email List Servers?
Email sent to a List without NPI/PII would be sent through your Un-secured Email account, which bypasses the DE. Email sent to a List with NPI/PII would be delivered to Webmail, where all users view the same Email. Account Administrators can configure eM4 List Email behavior in the portal.
+ Will my Auto Responder be encrypted outbound?
Auto Responders that are Email Server features will not be encrypted. Email Client Auto Responders should be configured with the Un-secured Email account.
eM4 Webmail
eM4 Webmail is provided to support Non Subscribers and meet compliance. In addition, Webmail users can "Reply To" the sender securely.
The eM4 Webmail is included as a service for Subscribers.
+ Is there any kind of notice that an email has not been received?
Yes. Once an email goes out the recipient gets a 1st notice. If they do not pick it up within 36 hours they get a 2nd notice. If yet another 36 hours goes by, both sender and receiver get a 3rd and final notice. Email is retained on PaperClip servers for 5 days then purged. Audit reports reflect activity.
+ Do Non Subscribers require a login and password to view email?
No. Subscribers can deploy their Webmail presence with no login or password required. Non subscribers simply click on the link contained in the notice and an SSL secured browser displays the original Email with any attachments.
+ Does webmail provide an inbox?
Non Subscribers have the option to register and secure their inbox with a login and password. Registering an inbox provides simple Email options and management.
+ Are there any rules for entering passwords when creating an account?
Minimum length 6 characters: requires 2 non-alphanumeric characters.
+ Can a Non Subscriber use their Inbox to initiate a secure email?
Yes. Subscribers can acquire eM4 Lite accounts and sponsor a Non Subscriber. This will enable the Non Subscriber to create an Email and send securely to only the sponsoring Subscriber.
+ Do eM4 Lite Clients (sponsored clients) have access to the portal?
No.
+ Can multiple people log into the webmail under the same credentials?
Yes. They must share the authentication.
+ Who pays for the non-subscriber email "Replied to" ?
Subscriber. eM4 tracks for billing purposes all emails encrypted. Subscribers account for non subscriber Reply to and eM4 Lite New emails.
+ Can more than one person share a Web Mail account?
Yes. One Web Mail account supports one email address; users would share login credentials.
+ How long are emails stored in the Web Mail Mailbox?
Emails are purged 30 days after being retrieved. In the inbox, new mail appears in bold. Once retrieved it appears un-bolded. Emails are also purged five days after the Third and Final Notice to Sender and Receiver.
+ Can I brand with my company logo my emails to non subscribers?
Yes. Subscribers can send eM4 Support a properly formatted banner (240x120 pixel), which will be configured so that it is displayed to Non Subscribers opening Emails from the Subscriber.
+ Can I customize the notice email sent to non subscribers?
Yes. Subscribers can modify the notice Email language to conform to their compliance department. Notices are set up in the eM4 Central Office portal.
+ Can Non Subscribers use the eM4 Desktop?
No. eM4 Lite Subscribers can purchase the eM4 Desktop Edition for $100 but remain restricted to securing Emails to their Client.
+ Can Webmail users save the Email to their desktop?
Yes. Non Subscribers and Lite Subscribers can save the Email to their desktop in a W3C compliant format.
eM4 Auditing
+ Are Bypass Emails recorded for auditing?
Yes. If an Email is normally subject to encryption but the user selects Force Not Secure or enters the Bypass Flag, the event is considered auditable and recorded.
+ As part of the Audit information, what is actually stored at the Central Office server?
Email addresses, Subject Line, Attachment file names, Sent and Received date/time stamps.
+ Are there specific Retention Requirements for the logs?
Audits (logs) are maintained for seven years. Audits are pushed to the subscriber daily, weekly or monthly and are accessible from the CO for the last sixty days.
The possible NPI in the attachment name or subject line is stored in a secured database. Audit reports generated from the portal are downloaded over an SSL connection. Scheduled reports are sent as email attachments via eM4 Compliant email.
+ What's the mechanism to transfer the audit files? Is this optional?
The Auditing File will be a CSV file (spreadsheet) pushed via email through eM4 itself. This feature can be enabled / disabled and the frequency (daily, weekly or monthly) selected.
TLS-Transport Layer Security
TLS (Transport Layer Security) was designed by Netscape in 1994 to connect email clients to email servers. TLS is an Internet protocol (RFC 2246) which provides confidentiality and authentication layers over any reliable transport layer. TLS uses digital certificates to authenticate the user as well as authenticate the server using the public key from the server to encrypt a random number and send it back to the server. The random number, combined with additional random numbers previously sent to each other, is used to generate a secret session key to encrypt the subsequent message exchange.
Simply said, TLS encrypts the pipe.
TLS is intended for large enterprise email infrastructures. If I manage many email servers across my company, TLS works well to secure email for my clients and my email servers.
Simply said, if you control the environment, TLS can be very effective.
+ My organization uses TLS, if I send an email to a trading partner, are we compliant?
Unfortunately no. TLS cannot guarantee end-to-end encryption. Any non-TLS open relay or TLS interoperability error will send your message onward in clear text. Receivers of TLS delivered email can validate it was encoded by reading the message source in the email properties.
Simply said, TLS is a one-hop encryption, not "end to end".
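Reading the message source, as described above, can be automated. The following added example (not part of the original FAQ or of eM4) walks the `Received` headers of a message and reports which hops recorded TLS, using the RFC 3848 `with` keywords and the TLS annotations some mail servers add; the sample message and all host names and addresses in it are constructed.

```python
import re
from email import message_from_string

# RFC 3848 / RFC 6531 "with" keywords meaning the hop was received over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
KNOWN = TLS_PROTOCOLS | {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
# Annotations such as "(using TLSv1.2 ...)" or "(version=TLS1_2 ...)".
TLS_NOTE_RE = re.compile(r"\b(?:using|version=)\s*TLS", re.I)

# Constructed sample: three hops, the middle one accepted in clear text.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [203.0.113.9])
\tby inbound.recipient.example with ESMTPS id c3 for <bob@recipient.example>;
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.partner.example with ESMTP id b2; Mon, 01 Jan 2024 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [192.0.2.5])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby relay.isp.example with ESMTPS id a1; Mon, 01 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""


def hop_report(raw):
    """Return [(receiving_host, protocol, tls_seen)] in delivery order."""
    hops = []
    # Received headers are prepended, so the last one is the first hop.
    for header in reversed(message_from_string(raw).get_all("Received", [])):
        header = " ".join(header.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", header)
        # Skip "with cipher ..." and keep only real protocol keywords.
        protos = [p.upper() for p in WITH_RE.findall(header) if p.upper() in KNOWN]
        proto = protos[0] if protos else "UNKNOWN"
        tls = proto in TLS_PROTOCOLS or bool(TLS_NOTE_RE.search(header))
        hops.append((by.group(1) if by else "?", proto, tls))
    return hops


def cleartext_hops(raw):
    """Hosts that accepted the message without any recorded TLS."""
    return [host for host, _, tls in hop_report(raw) if not tls]
```

Each `Received` line is written by the server that accepted the hop, so only the lines added by servers you operate are trustworthy; lines from upstream hops show what those servers claimed.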
TLS requires an X.509 certificate, which is installed on one to many servers depending on your infrastructure. There are commercial tools available to create certificates or you can buy a trusted certificate. Most organizations acquire trusted certificates to avoid interoperability problems with other TLS enabled servers. Trusted TLS certificates can range in cost from $1,000 to $2,500 per server per year.
Simply said, TLS may cost anywhere from nothing to a couple of thousand dollars.
+ Can I use TLS if my ISP provider hosts my email?
Usually no. Many ISP providers do not support TLS because of its implied liability and associated support.
Simply said, check with your ISP.
+ Does TLS provide D3P Level Auditing?
No, TLS is just a network protocol. Reporting would be "first party" at best and limited to the functionality of your email (spam, antivirus, smart host, etc.) server(s) features.
Simply said, TLS is a protocol, not an application.
+ How does eM4 compare with TLS?
The eM4 Service is a D3P Level secure email service meeting compliance, while TLS is a network protocol which cannot guarantee secure delivery. At the heart of the service is the eM4 Relay, which is a closed relay designed to encrypt and decrypt the email and attachments for end to end security. These events are captured by PaperClip Incorporated's eM4 Central Office, a disinterested third party providing equal access to the sender and receiver(s) for auditing purposes.
Simply said, TLS is a casual security feature, not a compliant application service.