Encrypting emails using Exchange 2003

Posted on 2009-04-03
Last Modified: 2012-05-07
We need to get a more secure system in place for sending private information to certain companies. We have a Small Business Server 2003 that hosts our Exchange email system (Exchange 03). What is the best way to do this? We want to integrate it with Outlook and make it as user friendly as possible. Also, does encrypting an email therefore encrypt the file? Would we still need to password protect or encrypt the file more? Would a digital certificate be the way to go?
Question by:FIFBA
LVL 33

Expert Comment

by:Dave Howe
ID: 24066823
First step is to see what the receiving companies can handle - the choices really boil down to:

1) TLS encryption (encrypted channel from your server to theirs)

This is pretty commonly supported, requires *no* configuration at the Outlook client (all done by the server) and is built into Exchange 2003 (I am not sure that 2003 can *insist* on TLS though, while 2007 can). For this, you set up a second SMTP route for JUST the specific mail domains involved, and make sure that connector uses TLS. This requires a digital certificate at the recipient's mail server.

2) S/MIME encryption

This is built into Outlook, and requires a digital certificate very similar to the ones used for web servers (and renewable periodically). Unlike web servers, the recipient (not the sender) must buy or create the key, and get that to the sender by some method. Once in the Microsoft keystore on the sender's machine, the sender can encrypt the entire message (including the attachments) by hitting an encrypt button that appears on the compose mail dialogue box. There is a more complex system called PGP (or OpenPGP, or GPG) that requires installing software to use, and works similarly.

3) Proprietary web-based systems

There are a few solutions out there (Cisco's IronPort PXE is considered one of the better ones) that use a web "oracle" service to provide key management and decryption - those are effective, and not recipient-led (which is the weakness of most encryption systems) but are quite expensive.

As I say, ask your recipients what they can support - most of the heavy lifting and key management has to be done by them anyhow, and once *you* have their public key, you can push it out to whatever machines need it.
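The S/MIME flow described in option 2 (the recipient creates the key pair, only the certificate travels to the sender, and the sender encrypts the whole message including attachments) as an added OpenSSL example; this is not from the thread and has nothing to do with Outlook's own button, and the addresses, file names and message content are constructed.

```shell
#!/bin/sh
# Added example: minimal S/MIME round trip with OpenSSL, mirroring the
# recipient-led key management described above. Not code from the thread.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Recipient side: create a key pair and a self-signed certificate
# (in practice a CA-issued cert; the subject address is constructed).
make_recipient_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=recipient@example.com/emailAddress=recipient@example.com" \
        -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" 2>/dev/null
}

# Sender side: encrypt the complete message (headers, body and the
# constructed attachment content) to the recipient's certificate only.
# The recipient's private key is never needed here.
encrypt_message() {
    printf 'Subject: quarterly report\nContent-Type: text/plain\n\n%s\n' \
        "ATTACHMENT-CONTENT: account 12345 balance" > "$WORK/message.txt"
    openssl smime -encrypt -aes256 -in "$WORK/message.txt" \
        -out "$WORK/message.p7m" "$WORK/recipient.crt"
}

# Recipient side: decrypt with the private key that stayed with them.
decrypt_message() {
    openssl smime -decrypt -in "$WORK/message.p7m" \
        -inkey "$WORK/recipient.key" -recip "$WORK/recipient.crt" \
        -out "$WORK/decrypted.txt"
}

# Returns 0 when the ciphertext hides the content and decryption restores it.
smime_roundtrip_ok() {
    make_recipient_cert && encrypt_message && decrypt_message || return 1
    # The encrypted blob must not expose the plaintext marker...
    grep -q "ATTACHMENT-CONTENT" "$WORK/message.p7m" && return 1
    # ...while the decrypted output must contain it.
    grep -q "ATTACHMENT-CONTENT" "$WORK/decrypted.txt"
}
```

Requires the openssl command-line tool; run `smime_roundtrip_ok && echo OK` after sourcing the script.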

Author Comment

ID: 24115937
Is there a good 3rd party solution for this?
LVL 33

Expert Comment

by:Dave Howe
ID: 24116092
As I say, the first step is to contact the recipients of the mails and see what they will/can support. The IronPort solution is the only one that doesn't require prior actions by the recipient to make it work (or even by the sender - encryption can be controlled by corporate policy), but isn't particularly cheap; I know quite a few sites are implementing it though, as it gives the sender control over the encryption instead of the recipient.

Author Comment

ID: 24116239
OK. I will be at this client next week. I will see what I can figure out.
LVL 33

Accepted Solution

Dave Howe earned 500 total points
ID: 24116258
It's the best first step. Spending thousands on an IronPort solution *will* solve the problem, but if you can do something else suitable to both you and your customer for free, and get as much if not more security from doing it, there is no real benefit to substituting money for dialogue :)
