Implementing S/MIME and PGP on Exchange Server 2007 SP3

Hi all,

How can we implement S/MIME to encrypt the email going through the Exchange Server 2007? I need to do this for certain types of email address destinations, as this is my client's requirement, so I wonder what the effect could be on the other clients who do not need to implement S/MIME?

What's the difference in implementing it with PGP ?
Senior IT System Engineer, IT Professional, asked:

Dave Howe, Software and Hardware Engineer, commented:
While it is possible to implement both through Exchange, it is strongly recommended you don't - both S/MIME and PGP are effectively email client technologies, and are best integrated into Outlook rather than Exchange.

Regardless of how you implement, it is impossible to send an encrypted mail to someone you don't have an encryption key for, so there will be no effect on other correspondents.

Ok, now that we have THAT out of the way....

S/MIME is effectively the same technology that secures HTTPS websites and TLS listeners - it is X.509 certificate based, and as with HTTPS, you have the choice of going with a Certificate Authority (and paying per year for each email account) or issuing your own using the Microsoft CA built into enterprise-class Windows Server. Exchange facilitates that for you by having an autoenrollment system where a user can be issued with a (company-signed) certificate automatically. See this URL for further details.

This key is used by the user for receiving encrypted mail and digitally signing mail. For the other side of the coin (sending encrypted mail) you need the public certificate of the intended recipient - the easiest way to obtain that is to accept a signed mail from the intended recipient and import the certificate from there.

Now, PGP.

PGP is a similar system, but the file format is different and key management is completely different - there is no central issuing authority; each user creates their own keys and decides whom to trust or not trust on an individual basis. Outlook does not natively support PGP, but the company that owns the commercial product does supply an Outlook plugin with their solution. They also sell the universal gateway product (which sits between Exchange and the internet and encrypts/decrypts transparently), but that is very expensive.

On the open source side, the equivalent program is called GNU Privacy Guard (gpg) and is a command line tool. Plugins exist for Outlook to use this tool, but some are proprietary or only work with specific releases of Outlook (2003 IIRC) - a list can be found here.

Again, the recipient needs a key to decrypt and sign, and the public key of the intended recipient in order to send encrypted mail or verify signatures (gpg does not send the public key with signed mail, so you need to exchange keys manually or use one of the many internet key servers to search for the key).

If you have any follow-up questions, feel free to post below and we will do our best to explain further :)
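The S/MIME round trip Dave describes (sign with your own certificate, pull the correspondent's certificate out of their signed mail, then encrypt to it), shown as an added example with the .NET CMS classes from PowerShell. This is not code from the thread; it assumes PowerShell 5.1 or later on Windows and a placeholder .pfx path for the recipient's certificate and private key.

```powershell
# Added illustration, not from the thread. Placeholder path; PowerShell 5.1+ assumed.
Add-Type -AssemblyName System.Security

# --- Recipient side: sign a message. A PKCS#7 SignedData structure (the
# smime.p7m payload) carries the signer's certificate along with the signature.
$recipientCert = Get-PfxCertificate -FilePath 'C:\placeholder\recipient.pfx'
$body   = [Text.Encoding]::UTF8.GetBytes('Hello, this message is signed.')
$signed = [System.Security.Cryptography.Pkcs.SignedCms]::new(
              [System.Security.Cryptography.Pkcs.ContentInfo]::new($body))
$signed.ComputeSignature([System.Security.Cryptography.Pkcs.CmsSigner]::new($recipientCert))
$signedBlob = $signed.Encode()            # bytes that travel in the signed mail

# --- Sender side: verify the signature and harvest the embedded certificate.
$incoming = [System.Security.Cryptography.Pkcs.SignedCms]::new()
$incoming.Decode($signedBlob)
# $true = check the signature only; chain/trust validation is a separate step
# that Outlook (or X509Chain) performs before the certificate is relied on.
$incoming.CheckSignature($true)
$peerCert = $incoming.SignerInfos[0].Certificate

# Store it in "Other People" (AddressBook), the store Outlook consults for recipients.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('AddressBook', 'CurrentUser')
$store.Open('ReadWrite'); $store.Add($peerCert); $store.Close()

# --- Sender side: encrypt a reply to that certificate (PKCS#7 EnvelopedData).
$reply = [Text.Encoding]::UTF8.GetBytes('Encrypted reply.')
$env   = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new(
             [System.Security.Cryptography.Pkcs.ContentInfo]::new($reply))
$env.Encrypt([System.Security.Cryptography.Pkcs.CmsRecipient]::new($peerCert))
$encryptedBlob = $env.Encode()

# --- Recipient side: only the holder of the matching private key can open it,
# which is why correspondents without a certificate are simply unaffected.
$inbox = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new()
$inbox.Decode($encryptedBlob)
$inbox.Decrypt([System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new($recipientCert))
[Text.Encoding]::UTF8.GetString($inbox.ContentInfo.Content)
```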

Senior IT System Engineer, IT Professional (author), commented:
Thanks Dave! You are amazingly clear in explaining things to me :-)