The EnforceEmailSecurityRecipients system configuration setting defines a list of email addresses to always force the encryption and/or signing. It is possible to use regular expression to match several addresses like REGEX:(.*@example\.com).
The sender and all recipients for each email should be configured to use the same encryption engine either PGP or S/MIME. The system is not capable to mix them.
If the encryption of an email recipient is enforced, all recipients of this email must have a public key or certificate in the system. The email must be encrypted for all recipients, otherwise this could be considered a security issue.
If more than one key and certificate for the sender or a recipient exist in the system (if enforced), this function selects the first valid certificate. Except if another one has been previously specified in the user interface.
Note
The email sending will fail if the system could not find all the enforced keys and certificates.
If an agent uses PGP key or S/MIME certificate, the password reset email, the two-factor verification email, the ticket notification email and the appointment notification email can be sent signed and/or encrypted. PGP is favored over S/MIME.
To enable this feature, the relevant management screens have a Send signed and/or encrypted email checkbox. If this checkbox is selected, the email will be sent in signed and/or encrypted form.
