Encrypting emails using Exchange 2003

Posted on 2009-04-03
Medium Priority
Last Modified: 2012-05-07
We need to get a more secure system in place for sending private information to certain companies. We have a Small Business Server 2003 that hosts our Exchange email system (Exchange 03). What is the best way to do this? We want to integrate it with Outlook and make it as user friendly as possible. Also, does encrypting an email therefore encrypt the file? Would we still need to password protect or encrypt the file more? Would a digital certificate be the way to go?
Question by:FIFBA
Expert Comment

by:Dave Howe
ID: 24066823
First step is to see what the receiving companies can handle - the choices really boil down to:

1) TLS encryption (encrypted channel from your server to theirs)

This is pretty commonly supported, requires *no* configuration at the Outlook client (all done by the server) and is built into Exchange 2003 (I am not sure that 2003 can *insist* on TLS though, while 2007 can). For this, you set up a second SMTP route for JUST the specific mail domains involved, and make sure that connector uses TLS. This requires a digital certificate at the recipient's mail server.

2) S/MIME encryption

This is built into Outlook, and requires a digital certificate very similar to the ones used for web servers (and renewable periodically). Unlike web servers, the recipient (not the sender) must buy or create the key, and get that to the sender by some method. Once in the Microsoft keystore on the sender's machine, the sender can encrypt the entire message (including the attachments) by hitting an encrypt button that appears on the compose mail dialogue box. There is a more complex system called PGP (or OpenPGP, or GPG) that requires installing software to use, and works similarly.

3) proprietary web-based systems

There are a few solutions out there (Cisco's IronPort PXE is considered one of the better ones) that use a web "oracle" service to provide key management and decryption - those are effective, and not recipient-led (which is the weakness of most encryption systems) but are quite expensive.

As I say, ask your recipients what they can support - most of the heavy lifting and key management has to be done by them anyhow, and once *you* have their public key, you can push it out to whatever machines need it.
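Option 1 above only works if the partner's inbound mail server actually advertises STARTTLS and presents a certificate the sending side will trust, so before configuring a TLS-only connector it is worth checking that rather than only asking. The following is an added example, not code from this thread or from Exchange: it parses an EHLO reply offline (the transcript and the host name `mail.partner.example` are constructed samples) and, optionally, probes a live host with Python's standard `smtplib`, validating the certificate with the default trust store.

```python
"""Check whether a recipient's mail server advertises STARTTLS.

Added example, not from the original Experts Exchange thread. The EHLO
transcripts and the host name mail.partner.example are constructed samples.
"""
import smtplib
import ssl
import sys

# Constructed sample: a multi-line EHLO reply as an SMTP server sends it.
# '250-' means more lines follow, '250 ' (space) is the last line.
SAMPLE_EHLO_WITH_TLS = (
    "250-mail.partner.example Hello\r\n"
    "250-SIZE 20971520\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN\r\n"
    "250 HELP\r\n"
)
SAMPLE_EHLO_WITHOUT_TLS = (
    "250-mail.partner.example Hello\r\n"
    "250-SIZE 20971520\r\n"
    "250 HELP\r\n"
)


def ehlo_extensions(response: str) -> set:
    """Return the upper-cased extension keywords from a 250 EHLO reply.

    The first line is the server greeting, not an extension, so it is skipped;
    each later line is '250-KEYWORD params' or '250 KEYWORD params'.
    """
    exts = set()
    lines = [ln for ln in response.splitlines() if ln.strip()]
    for ln in lines[1:]:
        if not ln.startswith("250"):
            continue
        body = ln[4:].strip()  # drop '250-' or '250 '
        if body:
            exts.add(body.split()[0].upper())
    return exts


def advertises_starttls(response: str) -> bool:
    """True if the parsed EHLO reply offers the STARTTLS extension."""
    return "STARTTLS" in ehlo_extensions(response)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail host, send EHLO, and report STARTTLS support.

    If STARTTLS is offered, the handshake is attempted with a default SSL
    context, so an untrusted or mismatched certificate is reported as an
    error rather than silently accepted. Needs network access; the offline
    samples above do not exercise this function.
    """
    result = {"host": host, "starttls": False, "tls_ok": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo("probe.example")  # constructed client name
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                ctx = ssl.create_default_context()  # verifies cert and hostname
                smtp.starttls(context=ctx)
                result["tls_ok"] = True
                result["tls_version"] = smtp.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed transcripts.
    print("sample with TLS   ->", advertises_starttls(SAMPLE_EHLO_WITH_TLS))
    print("sample without TLS->", advertises_starttls(SAMPLE_EHLO_WITHOUT_TLS))
    # Optional live probe: python starttls_check.py <mx-host>
    if len(sys.argv) > 1:
        print(probe_starttls(sys.argv[1]))
```

The useful outcome is the split between "advertises STARTTLS" and "handshake succeeded with a trusted certificate": a partner whose server offers STARTTLS but presents a self-signed or expired certificate is the case that makes a connector configured to require TLS stop delivering, and it is easier to raise with the partner before the connector is in place than after mail starts queuing.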

Author Comment

ID: 24115937
Is there a good 3rd party solution for this?
Expert Comment

by:Dave Howe
ID: 24116092
As I say, the first step is to contact the recipients of the mails and see what they will/can support. The IronPort solution is the only one that doesn't require prior actions by the recipient to make it work (or even by the sender - encryption can be controlled by corporate policy), but isn't particularly cheap; I know quite a few sites are implementing it though, as it gives the sender control over the encryption instead of the recipient.

Author Comment

ID: 24116239
OK. I will be at this client next week. I will see what I can figure out.
Accepted Solution

Dave Howe earned 2000 total points
ID: 24116258
It's the best first step. Spending thousands on an IronPort solution *will* solve the problem, but if you can do something else suitable to both you and your customer for free, and get as much if not more security from doing it, there is no real benefit to substituting money for dialogue :)
