Stop and think Before You Delete SEPPmail Certificates, Users or Alter Your Mailflow

Modifying a SEPPmail environment requires careful planning. Deleting certificates or users, or prematurely removing the appliance from your mailflow, can result in permanent data loss. If you manage a SEPPmail architecture, here is what you need to consider before making structural changes.

The Risk of Irreversible Key Deletion

In a SEPPmail environment, user profiles act as secure containers for private keys. If you delete a user or their certificate from the appliance, the associated private key is permanently destroyed.

The critical vulnerability lies outside your network. You do not have administrative control over external email systems, which may have already cached or stored your users’ public keys. If external senders continue to encrypt outgoing messages using these cached public keys, those messages will reach your network but remain mathematically impossible to decrypt without the corresponding private key. The result is unreadable data.

What Happens When You Bypass the Mailflow?

A similar failure occurs if the SEPPmail appliance is removed from the mailflow entirely. Without the gateway actively intercepting and handling the decryption process, users will be locked out of their own encrypted communications.

Instead of readable emails, their inboxes will receive raw, encrypted data messages, typically identifiable by the following subject line:

*** SEPPmail Domain Encrypted Message ***

Essential Takeaways for Administrators

Before executing changes to your SEPPmail setup, implement a strict transition plan to ensure continuity:

Certificate Revocation: Properly revoke expiring or obsolete certificates (via CRL/OCSP) before deleting them. This signals external systems to stop utilizing the old public keys. The SEPPmail should always instruct you to revoke certificates before they can be deleted completely.

Key Archiving: Always back up and archive private keys if there is any possibility of receiving legacy-encrypted emails.

Mailflow Validation: Only bypass or remove the SEPPmail appliance from your mailflow once you have definitively confirmed that no further encrypted traffic is being routed to your domain.

Don’t delete users/certificates unless necessary: On SEPPmail you can always set a user to „inactive” by enabling „may not sign/encrypt“ in the user settings. This disables the user without the need to delete the actual user and related certificates, plus it also frees up the user count on your SEPPmail (Documentation).

If you are using SEPPmail domain encryption, the public key for your SEPPmail gateway needs to be removed from the SEPPmail certificate store with a dedicated support request after disabling autopublishing for the domain certificates.

Loading

Leave a Reply

Your email address will not be published. Required fields are marked *