Need help with mail Encryption and Authentication

Good day,

We have a need in my organisation to send mails to another organisation, and they must be ENCRYPTED and AUTHENTICATED.  Basically, in lay terms, these are our objectives:
1. We need there to be privacy in the mails that go from our domain to the other domain, so that if someone in our domain A wants to send a mail to someone in domain B and mistakenly sends it to someone in domain C, the person in domain C will not be able to view it (Encryption).
2. A more granular requirement similar to (1) above, whereby user A in domain A sends an encrypted mail intended for user B1 in domain B but mistakenly sends it to user B2 in the same domain B, who cannot read it because it is only meant for user B1 and not user B2.
3. If domain B receives a mail from domain C claiming to be from domain A, they will be able to verify that the mail is actually from domain C and not domain A and hence disregard it (Authentication).
4. We would like a process that is transparent to the users, meaning a server-side implementation rather than a client-side implementation.

We have a Verisign certificate and wanted to implement TLS or SMIME or PGP.  I need more information as to which of these three methods will easily satisfy our requirements and, if possible, why that method will be the best of the three.

Thank you.

Adeyinka Olatunji
 
zoofan commented:
Listening.......

As I cannot see how you can uniquely encrypt per-user to per-user without each user having a different encryption key for each and every other user.  Domain A to B to C, OK, one key for each.  But at the user level, how, without a separate key for each one, would user A/domain B encrypt a message solely for user C/domain B?

Not questioning the possibility of your desire, just hoping to learn something new myself.  And I will offer more points to a solution, as I would love to do this as well.

zf
 
yinolat (Author) commented:
Hi Zoofan,

Thanks for your post.  I understand we will need a key for each user (PGP can offer that); I was hoping that with a certificate we can drill down more using TLS or SMIME.  I still need help in understanding SMIME better if you have information on it.

When you say domain A to B to C, OK, one key for each, what method are you suggesting?  If certificate, are you trying to say that if we had, say, Verisign and we mistakenly sent a message from domain A meant for B to domain C instead, they will not be able to decrypt it?  If we cannot achieve the per-user option then I can at least offer the per-domain option.

Thank you.
 
zoofan commented:
It is very much worth a look.  I loaded it last night and have been toying with it.

http://enigmail.mozdev.org/


zf

 
zoofan commented:
Main Features

    * Encrypt/sign mail when sending, decrypt/authenticate received mail
    * Support for inline-PGP (RFC 2440) and PGP/MIME (RFC 3156)
    * Per-Account based encryption and signing defaults
    * Per-Recipient rules for automated key selection, and enabling/disabling encryption and signing
    * OpenPGP key management interface

See the Features page for a full list of Enigmail's features.


zf
 
dworlton commented:
I have been working a lot in PGP messaging for my company right now, and have a few thoughts.
Here is what PGP Corporation's messaging solution does:

* PGP uses a Universal server that stores the key of every user you wish to send encrypted e-mails to.
* Each key is associated with an e-mail address on the server.
* Each user that is going to seamlessly receive or send encrypted messages has a desktop client installed and enrolled to your PGP server.
* When you send an e-mail that you intend to be encrypted (we encrypt all mail marked as confidential), your desktop client picks up on that, queries the PGP server for the appropriate key(s) to encrypt to, and sends the e-mail encrypted to those keys.
* On the receiving end, the e-mail comes into the mailbox (Exchange for us) and is retrieved by the user's Outlook client.
* When the user tries to open it, the desktop client again recognizes that it is encrypted and prompts the user for the passphrase associated with their private key, and if the passphrase is correct it decrypts the e-mail.

This protects e-mail from being sniffed over a network.  Therefore only those in the recipient list will be able to open the e-mail.  This doesn't seem to fully meet your requirement, because it sounds like you want to be able to send to anybody and have only those whose key has been manually added to the e-mail be able to decrypt it.  However, this doesn't make much sense, because if you can be careful enough to add and encrypt to specific keys, can't you be careful enough to only send encrypted e-mails to the correct recipients?  Finally, this should completely solve your authentication issue, because each e-mail that is decrypted is signed with the sender's key ID.

PGP has been an excellent solution for our company with approximately 1000 users using the messaging functions at about 185 encrypted mails per day.
 
yinolat (Author) commented:
Hi,

Thank you all for your comments.  We have decided to go the TLS way and it has been set up.  Is there any way that we can VERIFY that it's working fine, i.e. that the mails being sent to and received from a specific domain are encrypted?  The configuration has been done by creating an SMTP connector for the domain and specifying TLS encryption; I just need a confirmation.

Thank you.
 
dworlton commented:
Sorry it has been a while here. The only way I can think to test is maybe do a packet capture at some switch or device that is between the sending and receiving PC and see if any data is readable as plaintext (or base64 in the case of MIME attachments). Also, you are aware that the e-mail received will not be encrypted. TLS is only an encrypted tunnel, once the e-mail gets to the receiver it is fully unencrypted and plaintext. If you don't have a full hard disk encryption solution, a third party could retrieve the e-mails if they gained physical access to the receiving computer.
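An added example, not part of the thread, of the check dworlton describes: the first function works offline on an SMTP command/response transcript reconstructed from a packet capture and flags any envelope or message data sent before STARTTLS succeeded (including a server refusing TLS and the client falling back to plaintext); the second connects to a receiving server and reports the negotiated protocol and cipher. Hostnames and transcript lines are constructed placeholders.

```python
import smtplib
import ssl

# Constructed transcripts of captured SMTP sessions (placeholder hostnames).
PLAINTEXT_SESSION = [
    "S: 220 mx.domain-b.example ESMTP",
    "C: EHLO mail.domain-a.example",
    "S: 250 mx.domain-b.example",
    "C: MAIL FROM:<user@domain-a.example>",  # envelope and body go in the clear
]
TLS_SESSION = PLAINTEXT_SESSION[:2] + [
    "S: 250-mx.domain-b.example",
    "S: 250 STARTTLS",
    "C: STARTTLS",
    "S: 220 Ready to start TLS",  # from here on the capture is ciphertext
]
FALLBACK_SESSION = TLS_SESSION[:5] + [
    "S: 454 TLS not available due to temporary reason",
    "C: MAIL FROM:<user@domain-a.example>",  # client fell back to plaintext
]

def analyze_transcript(lines):
    """Report whether STARTTLS was offered, whether it succeeded, and whether data was sent before TLS was active."""
    offered = tls_active = plaintext_data = awaiting_reply = False
    for line in lines:
        side, _, text = line.upper().partition(": ")
        if side == "S":
            if text.startswith(("250-STARTTLS", "250 STARTTLS")):
                offered = True
            elif awaiting_reply:  # reply to the client's STARTTLS command
                tls_active = text.startswith("220")  # anything else is a refusal
                awaiting_reply = False
        elif side == "C":
            if text == "STARTTLS":
                awaiting_reply = True
            elif text.startswith(("MAIL FROM", "DATA")) and not tls_active:
                plaintext_data = True
    return {"starttls_offered": offered, "tls_active": tls_active,
            "plaintext_data": plaintext_data}

def probe_starttls(host, port=25, timeout=10):
    """Connect to a receiving server, upgrade with STARTTLS and report what was negotiated (certificate verified against the system trust store)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls_offered": False}
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # RFC 3207 requires a fresh EHLO after the upgrade
        return {"starttls_offered": True, "protocol": smtp.sock.version(),
                "cipher": smtp.sock.cipher()[0]}
```

Note that a passing probe only confirms the hop to that server is encrypted; as the comment above says, the stored message itself remains plaintext.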
 
dworlton commented:
It seems yinolat decided to go with his own solution on his first question, but then followed up with another question. I think my answer to his second question is accurate and useful, but without further word from the asker I can't tell. Any further comments yinolat?