Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 168
  • Last Modified:

Encrypting emails using Exchange 2003

We are needed to get a more secure system in place for sending private information to certain companies. We Have a small business server 2003 that hosts our exchange email system (exchange 03). What is the best way to do this? We want to integrate in with outlook and make it as user friendly as possible. Also, does encrypting an email therefore encrypt the file? Would we still need to password protect for encrypt the file more? Would a digital certificate be the way to go?
0
FIFBA
Asked:
FIFBA
  • 3
  • 2
1 Solution
 
Dave HoweCommented:
First step is to see what the receiving companies can handle - the choices really boil down to:

1) TLS encryption (encrypted channel from your server to theirs)

This is pretty commonly supported, requires *no* configuration at the outlook client (all done by the server) and is built into Exchange 2003 (I am not sure that 2003 can *insist* on TLS though, while 2007 can). for this, you set up a second SMTP route for JUST the specific mail domains involved, and make sure that connector uses TLS. This requires a digital certificate at the recipient's mail server.

2) S/MIME encryption

This is built into outlook, and requires a digital certificate very similar to the ones used for webservers (and renewable periodically). Unlike webservers, the recipient (not the sender) must buy or create the key, and get that to the sender by some method. once in the microsoft keystore on the sender's machine, the sender can encrypt the entire message (including the attachments) by hitting an encrypt button that appears on the compose mail dialogue box. There is a more complex system called pgp (or openpgp, or gpg) that requires installing software to use, and works similarly.

3) proprietary web-based systems

There are a few solutions out there (Cisco's Ironport pxe is considered one of the better ones) that use a web "oracle" service to provide key management and decryption - those are effective, and not recipient-led (which is the weakness of most  encryption systems) but are quite expensive.

As I say, ask your recipients what they can support - most of the heavy lifting and key management has to be done by them anyhow, and once *you* have their public key, you can push it out to whatever machines need it.
0
 
FIFBAAuthor Commented:
Is there a good 3rd party solution for this?
0
 
Dave HoweCommented:
As I say, the first step is to contact the recipients of the mails and see what they will/can support. The ironport solution is the only one that doesn't require prior actions by the recipient to make it work (or even by the sender - encryption can be controlled by corporate policy), but isn't particularly cheap; I know quite a few sites are implementing it though, as it gives the sender control over the encryption instead of the recipient.
0
 
FIFBAAuthor Commented:
OK. I will be at this client next week. I will see what I can figure out.
0
 
Dave HoweCommented:
Its the best first step. spending thousands on an ironport solution *will* solve the problem, but if you can do something else suitable to both you and your customer for free, and get as much if not more security from doing it, there is no real benefit to substituting money for dialogue :)
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now