KB Article #101819

Verifying a successful SPN

Summary:

Once you have set up an SPN with another EMF server, you may wish to verify that it is working. This can be done for incoming or outgoing messages via the event log.

For incoming messages, if you wish, you can set a policy to automatically annotate each SPN message to let the recipient know it's secure.

Resolution:

Outgoing: how to verify the messages you send are encrypted

Set the EMF Policy Engine logging level to TRACE and send a test message to your SPN partner.

Be sure to set the logging level back down to NORMAL once the test is done or your event log may grow too large and become unmanageable.

Filter the event log so that it displays all events for just the test message. If you are not familiar with this type of filtering, see the following related articles:

  • 5.x and 6.x: Finding lost messages - tracing messages via the event log
  • 4.7: Tracing messages via the event log (4.7)

The Security Manager events for this message will tell you if it was encrypted by EMF or not. In 5.x and 6.x, the Security Manager event number is 8006.

Incoming: how to verify the messages you receive are encrypted

This can be done via the event log, or you can have a policy check for it.

Event Log:
Have your SPN partner send you a test message.
Filter the event log so that it displays all events for just the test message. If you are not familiar with this type of filtering, see the following technotes:

  • 5.x and 6.x: Finding lost messages - tracing messages via the event log
  • 4.7: Tracing messages via the event log (4.7)

The 4094 event for the test message should indicate that the message had an attachment called smime.p7m. If the attachment is not listed in the 4094 event, then the message was not encrypted.

Policy:
When EMF sends an SPN (formerly called VPN in 4.x) message, it adds the following header to the messages that are encrypted for VPN partners:

X-SMIME-VPN: Yes

You can create a policy to look for this header, thus verifying a successful VPN. The policy should be a Basic Mail Filtering policy that applies to the RECIPIENT. You may wish to append text to the subject rather than an annotation - it's up to you to determine what action you want taken once it's determined the SPN exists.

---------------------
Catch messages where...
x-smime-vpn exists

Take the following actions...
Deliver normally
and Append the annotation "Secure Message"
---------------------

Note - to specify "x-smime-vpn exists" on the CATCH screen, add a custom header field called "x-smime-vpn" and set the condition to "exists".

Apply this policy to the INTERNAL folder so that it annotates all incoming SPN messages.
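
The two indicators described above (the smime.p7m attachment and the X-SMIME-VPN header) can also be checked on a raw saved copy of a test message. The following Python is an added example, not part of the original article and not EMF's own logic; the function name spn_indicators, the sample messages and their addresses are constructed for illustration, and it additionally reads the standard S/MIME smime-type parameter, because a part named smime.p7m can carry signed-only data as well as encrypted (enveloped-data) content.

```python
from email import message_from_string

P7M_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def spn_indicators(raw):
    """Report the header and attachment indicators from raw RFC 822 text."""
    msg = message_from_string(raw)
    header = msg.get("X-SMIME-VPN")  # header names match case-insensitively
    p7m, enveloped = False, False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name == "smime.p7m" or part.get_content_type() in P7M_TYPES:
            p7m = True
            # enveloped-data means encrypted; signed-data would be signed only
            if (part.get_param("smime-type") or "").lower() == "enveloped-data":
                enveloped = True
    return {"header_present": header is not None, "header_value": header,
            "p7m": p7m, "enveloped": enveloped}

# Constructed sample: an encrypted message as it might look on the wire.
# The layout and header placement are assumptions, not captured EMF output.
ENCRYPTED = """\
From: partner@example.net
To: user@example.com
Subject: SPN test
X-SMIME-VPN: Yes
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Disposition: attachment; filename="smime.p7m"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
"""

# Constructed sample: plain text that carries the header but no smime.p7m part.
HEADER_ONLY = """\
From: someone@example.org
To: user@example.com
Subject: plain test
x-smime-vpn: yes
Content-Type: text/plain; charset=us-ascii

Hello.
"""

if __name__ == "__main__":
    for label, raw in (("encrypted", ENCRYPTED), ("header only", HEADER_ONLY)):
        print(label, spn_indicators(raw))
```

The "exists" condition in the policy above corresponds to header_present, which is true for both samples; only the first sample also shows the smime.p7m part.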

Additional Information:

For more information on creating policies, see the online help or Administrator's guide.

For an example of the above policy on 4.7, see related article Verifying a successful VPN (4.7).

For more information on setting up an SPN, see related article Summary of SPN setup steps.