Data Loss Prevention

  • 1.  SMTP Recipient Exception Handling

    Posted Oct 23, 2017 12:39 PM

    Hello -  Need some help determining how the system would handle the following:

    Have some SMTP policies that have response rules configured to force encrypt based on detected content, but also have some recipient email domains configured as exceptions in the Groups tab since we have forced TLS set up with them. (btw, the exception condition is configured to detect if "any" recipient matches.)

    Question:  If a message is sent that includes an exception domain recipient but also has a non-exception domain recipient, does the system process the message and force encrypt it? 

    Or discard it because exceptions fire first, and the message would go out unencrypted to the non-excepted domain recipient? (not desired state)

    Does this need to have individual exceptions added for each domain that are set to detect only when "all" recipients match?  Is there a better way to handle this when ?

    Thanks -



  • 2.  RE: SMTP Recipient Exception Handling
    Best Answer

    Trusted Advisor
    Posted Oct 25, 2017 01:07 PM

    Spencer,

    If your exception is set to 'ANY' the message will NOT be encrypted if any of the recipients is part of that domain. (Not what you want)

    The best way to look at it is to be safe rather than sorry.

    So I would set up the Exception to be 'ALL'

    This way at least the message is being sent to the TRUSTED recipient unencrypted, but if ANYONE else is getting the message, then it is sent encrypted no matter what. From a risk perspective, this is best. The unfortunate aspect is that the TRUSTED recipient will need to unencrypt the message. It sucks but it is more secure.

     

    Good Luck,

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE



  • 3.  RE: SMTP Recipient Exception Handling

    Posted Oct 26, 2017 11:35 AM

    Thank you Ronak - this is what I suspected. It would seem there should be a way to architect this to avoid this scenario; I'll discuss this with our Symantec reps as a product enhancement request.



  • 4.  RE: SMTP Recipient Exception Handling

    Trusted Advisor
    Posted Oct 31, 2017 12:50 AM

    Spencer,

    This could be solved with the next hop encryption MTA. You can in some cases make this decision on the encryption servers; they can send all emails that are not trusted encrypted and the ones that are trusted another route.

    Good Luck

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE
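
The 'ANY' versus 'ALL' recipient exception discussed in this thread, and the per-recipient split at a next-hop MTA, modelled as an added example that is not part of the original posts and is not Symantec DLP code. The domain names, addresses, action labels and function names are constructed for illustration.

```python
# Added illustration: a model of the matching logic discussed in this thread.
# Not vendor code. All domains and addresses below are constructed samples.
TRUSTED_TLS_DOMAINS = {"partner.example", "bank.example"}  # assumed forced-TLS partners


def domain(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def exception_fires(recipients, mode):
    """'ANY': one trusted recipient is enough. 'ALL': every recipient must be trusted."""
    hits = [domain(r) in TRUSTED_TLS_DOMAINS for r in recipients]
    if not hits:
        return False  # an empty recipient list is never exempt
    return any(hits) if mode == "ANY" else all(hits)


def policy_action(recipients, mode):
    """Message-level decision: a single action covers every recipient."""
    return "exempt" if exception_fires(recipients, mode) else "force-encrypt"


def unprotected_recipients(recipients, mode):
    """Recipients outside the trusted domains that the exception lets through."""
    if policy_action(recipients, mode) == "force-encrypt":
        return []
    return [r for r in recipients if domain(r) not in TRUSTED_TLS_DOMAINS]


def split_at_next_hop(recipients):
    """Per-recipient routing, as a next-hop MTA could apply it."""
    routes = {"tls-route": [], "encrypt-route": []}
    for r in recipients:
        key = "tls-route" if domain(r) in TRUSTED_TLS_DOMAINS else "encrypt-route"
        routes[key].append(r)
    return routes


if __name__ == "__main__":
    mixed = ["alice@partner.example", "bob@other.example"]  # constructed sample
    for mode in ("ANY", "ALL"):
        print(mode, policy_action(mixed, mode), unprotected_recipients(mixed, mode))
    print(split_at_next_hop(mixed))
```

A non-empty result from `unprotected_recipients` is the undesired state described in the first post; with 'ALL' it is always empty, at the cost of encrypting to the trusted recipient on mixed messages.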