Encrypted emails to a distribution list?

ROBERTO PAREJA asked:
We have a Windows 2003 Server with Exchange 2003 Enterprise and also the Microsoft Certificate Authority running without any problem at all.... until a couple of weeks ago.

I understand that to be able to encrypt an email using the Digital Signature generated by our own Certificate Authority, first the user has to send his certificate and the recipient has to reply with his certificate. From that point on, both users can send encrypted email between them. That part has been working fine.

The problem we are having now is that somehow, some users can encrypt to a distribution list... And some members of that distribution list have not changed certificates with the sender... so some members are not able to read the email.

===============================================================================
NOTE:
I understand that in Outlook, after selecting the distribution list, if the sender clicks on the + sign, the distribution list will expand and the email is no longer being sent to the distribution list, but instead it is sent to each member of that distribution list. This way the sender (as long as he has all certificates from the recipients) will be able to encrypt the email.

But this is not the case.... The user is only typing SUPPORT@DOMAIN.COM, and is able to send it encrypted.
===============================================================================

1) If it's only a distribution list, how is it possible that some users can encrypt to them?
2) How can I correct the situation so it does not keep happening?

Thanks for your help,
Distinguished Expert 2017
Commented:
one thing to make sure is that there is no certificate for SUPPORT@DOMAIN.COM.

In the environment you've described there is no need to exchange certificates.  A user on the AD should be able to see all the public certificates of the other exchange users that have them.

It might be that the users that have certificates are "authorized" and using their certificate decrypt the originally encrypted message with the  SUPPORT@DOMAIN.COM certificate. Those users who do not have a certificate, do not have a way to validate to get the email client to decrypt the email message.

To correct this, make sure all users have a certificate assigned?  Presumably you are using the auto-enroll mechanism to issue certificates to users/computer/systems?
ROBERTO PAREJA, IT Manager

Author

Commented:
Thanks arnold.
1. There is no certificate for support@domain.com.
2. Maybe since the beginning something was defined or configured wrong, because even with all the users being in the same domain, they DO have to exchange certificates to start encrypting between them.
3. There is no autoenroll defined. Whenever an email account is created the user has to connect to certificates.domain.com and manually request the certificate, download it and install it in their machine. Then exchange certificates with everyone, and after that they can start encrypting.
Hope this information will let you guide me in what to do.
Distinguished Expert 2017

Commented:
Is it possible that the users who are having issue have requested and received a second certificate but did not exchange it with the senders?
i.e. usera obtained a certificate last year.  This year instead of renewing the user got a new certificate.
The others still have the old public certificate and can encrypt the message for usera who no longer has access to the old certificate which has expired?
ROBERTO PAREJA, IT Manager

Author

Commented:
It could be. I will make sure of that and let you know.


Questions:
Is it possible to encrypt to a distribution list as long as the sender has the correct certificate of every member of the list?
How can I make sure of the correct operation of the certificates that you mentioned, in reference to all users from domain.com should be able to automatically encrypt between them without having to change certificates with each other? Is it in the Exchange application, is it in the Certification Authority application, is it in the Outlook application of each user?


Thanks
Distinguished Expert 2017

Commented:
Are your cert-issuing server/servers members of the domain?

http://www.outlookexchange.com/articles/JasonSherry/sherry_c13p1.asp
i.e. you would apply the autoenroll to a users' OU.
ROBERTO PAREJA, IT Manager

Author

Commented:
There is only 1 server having all modules: 
Windows 2003 Exchange and the Microsoft Certificate Authority installed on a Windows 2003 Enterprise R2.
Paranormastic, Cryptographic Engineer

Commented:
You want to update the certificate template on the general tab to publish certificates to AD - this will give the desired behavior that arnold was describing for future issued certs.  You can also import them manually into AD for existing certs if you like using dsa.msc (AD Users/computers) - view - advanced - search user and open - published certificates.  You can get the certs to publish from the CA if you get the OID # from the Extensions tab of the template - Certificate Template Information - copy the really long number - open certsrv.msc and point to your CA - right click issued certs - view - filter - certificate template - paste long OID #.  Add date range of expiring after today if desired, but not necessary since this sounds pretty new from your description.
Paranormastic, Cryptographic Engineer

Commented:
Alternatively you can have users use the Publish to GAL button on the security tab in outlook's options.  Note may take a few minutes for AD to replicate.
Paranormastic, Cryptographic Engineer
Commented:
Yes, you can send to a distribution list if you have already exchanged keys or they are available in AD.  If some users that have the certs for everyone are having issues, check here:

http://technet.microsoft.com/en-us/library/bb738151.aspx
expand smime category out, search for Distribution List Expansion Timeout, for one example.  If there are larger distribution lists or slower connections that could be one area to look at, otherwise review the rest of the page to see if something pops out that is more relevant to your situation.
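A defender's check for the two points raised in this thread (the list object itself must not carry a certificate, and every member needs a published, unexpired certificate in AD for Outlook to encrypt to the expanded list), written as an added example that is not from this thread or from Microsoft. It uses ADSI so it works against a Windows 2003 domain; the list DN is a placeholder you must replace, and it reads only userCertificate (the attribute the CA template and dsa.msc "Published Certificates" populate), not nested groups.

```powershell
# Added example (not from the thread): audit a distribution list's members for
# published, unexpired certificates in AD's userCertificate attribute, and flag
# the list object itself if it has one. $ListDN is a placeholder DN.
param([string]$ListDN = "CN=Support,OU=Lists,DC=domain,DC=com")

function Get-UserCertificates([string]$DN) {
    $entry = [ADSI]"LDAP://$DN"
    $certs = @()
    foreach ($der in $entry.Properties["userCertificate"]) {
        # each value is one DER-encoded certificate as a byte[]
        $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                  -ArgumentList (,[byte[]]$der)
    }
    return $certs
}

function Test-Encryptable([string]$DN) {
    $now = Get-Date
    # usable = at least one cert that is valid right now; expired or
    # not-yet-valid certs (the "renewed but not re-exchanged" case) are ignored
    $valid = Get-UserCertificates $DN |
             Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now }
    return (@($valid).Count -gt 0)
}

# 1) The DL object itself must NOT carry a certificate; if it does, Outlook can
#    encrypt "to the list" with a key that most members never held.
$dlCerts = Get-UserCertificates $ListDN
if ($dlCerts.Count -gt 0) {
    Write-Warning "$ListDN has $($dlCerts.Count) certificate(s) published; members without that key cannot read mail encrypted to the list."
}

# 2) Every member needs a published, currently valid certificate; anyone
#    reported MISSING/EXPIRED will get unreadable mail until they publish one.
$list = [ADSI]"LDAP://$ListDN"
foreach ($memberDN in @($list.Properties["member"])) {
    $certs  = Get-UserCertificates $memberDN
    $status = if (Test-Encryptable $memberDN) { "OK" } else { "MISSING/EXPIRED" }
    "{0,-16} {1} cert(s)  {2}" -f $status, $certs.Count, $memberDN
}
```

Lists with more than 1500 members need LDAP ranged retrieval of the member attribute, which this script does not do.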
ROBERTO PAREJA, IT Manager

Author

Commented:
I will follow the Microsoft guide to finish our problem.
