Solved

Encrypting emails using Exchange 2003

Posted on 2009-04-03
Last Modified: 2012-05-07
We need to get a more secure system in place for sending private information to certain companies. We have a Small Business Server 2003 that hosts our Exchange email system (Exchange 03). What is the best way to do this? We want to integrate it with Outlook and make it as user friendly as possible. Also, does encrypting an email therefore encrypt the file? Would we still need to password protect or encrypt the file more? Would a digital certificate be the way to go?
Question by: FIFBA

6 Comments
Expert Comment by: Dave Howe (ID: 24066823)
First step is to see what the receiving companies can handle - the choices really boil down to:

1) TLS encryption (encrypted channel from your server to theirs)

This is pretty commonly supported, requires *no* configuration at the Outlook client (all done by the server) and is built into Exchange 2003 (I am not sure that 2003 can *insist* on TLS though, while 2007 can). For this, you set up a second SMTP route for JUST the specific mail domains involved, and make sure that connector uses TLS. This requires a digital certificate at the recipient's mail server.

2) S/MIME encryption

This is built into Outlook, and requires a digital certificate very similar to the ones used for web servers (and renewable periodically). Unlike web servers, the recipient (not the sender) must buy or create the key, and get that to the sender by some method. Once in the Microsoft keystore on the sender's machine, the sender can encrypt the entire message (including the attachments) by hitting an encrypt button that appears on the compose mail dialogue box. There is a more complex system called PGP (or OpenPGP, or GPG) that requires installing software to use, and works similarly.

3) Proprietary web-based systems

There are a few solutions out there (Cisco's IronPort PXE is considered one of the better ones) that use a web "oracle" service to provide key management and decryption - those are effective, and not recipient-led (which is the weakness of most encryption systems) but are quite expensive.

As I say, ask your recipients what they can support - most of the heavy lifting and key management has to be done by them anyhow, and once *you* have their public key, you can push it out to whatever machines need it.
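The S/MIME flow from option 2 above, reproduced here as an added example (not part of the thread, and not Outlook's or Exchange's own code) using the openssl command-line tool, so that it is explicit who holds which key: the recipient generates the key pair and hands the sender only the certificate, the sender encrypts the whole message (headers, body and attachments alike) to that certificate, and only the recipient's private key can open it. The names, paths and message text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: the S/MIME exchange described in option 2,
# done with the openssl CLI so the key roles are visible. All names, paths and
# the message body below are constructed for the demo.
set -e

# Scratch directory standing in for both parties' machines.
WORK=$(mktemp -d)

# Recipient side. The recipient (not the sender) generates the key pair and a
# certificate. A self-signed cert is used here; a CA-issued S/MIME certificate
# is handled identically by the encrypt step.
recipient_make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=recipient@example.com" \
        -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" >/dev/null 2>&1
    # Only the certificate (public half) travels to the sender's keystore.
    cp "$WORK/recipient.crt" "$WORK/sender_keystore_recipient.crt"
}

# Sender side. Encrypt the whole RFC 822 message to the recipient's certificate.
# AES-256 protects the content; the certificate's RSA key wraps the content key.
# Output is an application/x-pkcs7-mime (smime-type=enveloped-data) entity.
sender_encrypt() {
    msg_in=$1; p7m_out=$2
    openssl smime -encrypt -aes256 -in "$msg_in" -out "$p7m_out" \
        "$WORK/sender_keystore_recipient.crt"
}

# Recipient side. Only the matching private key can unwrap the content key.
recipient_decrypt() {
    p7m_in=$1; msg_out=$2
    openssl smime -decrypt -in "$p7m_in" -out "$msg_out" \
        -recip "$WORK/recipient.crt" -inkey "$WORK/recipient.key"
}

# Round trip on a constructed message. openssl canonicalises line endings to
# CRLF as S/MIME requires, so CRs are stripped before comparing with the input.
roundtrip() {
    printf 'Subject: Q1 payroll\n\nConfidential: payroll figures attached.\n' > "$WORK/msg.txt"
    sender_encrypt "$WORK/msg.txt" "$WORK/msg.p7m"
    recipient_decrypt "$WORK/msg.p7m" "$WORK/decrypted.txt"
    tr -d '\r' < "$WORK/decrypted.txt" | cmp -s - "$WORK/msg.txt"
}

# A key pair that is not the recipient's must fail to decrypt the same message.
other_key_cannot_decrypt() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=other@example.com" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
    if openssl smime -decrypt -in "$WORK/msg.p7m" -out "$WORK/other_out.txt" \
        -recip "$WORK/other.crt" -inkey "$WORK/other.key" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
```

In practice the "get that to the sender by some method" step is usually a digitally signed message from the recipient: Outlook can store the certificate attached to a signed mail against the sender's contact, after which the Encrypt button works for that recipient.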
 

Author Comment by: FIFBA (ID: 24115937)
Is there a good 3rd party solution for this?
 
Expert Comment by: Dave Howe (ID: 24116092)
As I say, the first step is to contact the recipients of the mails and see what they will/can support. The IronPort solution is the only one that doesn't require prior actions by the recipient to make it work (or even by the sender - encryption can be controlled by corporate policy), but isn't particularly cheap; I know quite a few sites are implementing it though, as it gives the sender control over the encryption instead of the recipient.
 

Author Comment by: FIFBA (ID: 24116239)
OK. I will be at this client next week. I will see what I can figure out.
 
Accepted Solution by: Dave Howe (earned 500 total points; ID: 24116258)
It's the best first step. Spending thousands on an IronPort solution *will* solve the problem, but if you can do something else suitable to both you and your customer for free, and get as much if not more security from doing it, there is no real benefit to substituting money for dialogue :)