How to encrypt email sent from on prem exchange

This should be worth more than points, but here goes.

I have a client who does business with law enforcement and the military. This company is currently using G Suite for email. The owner saw a documentary about how Google mines his emails for data to sell to third parties and he went ballistic. To prove the point, we created a new account in G Suite and sent out a couple of emails referencing a fictitious camera by make and model, and we threw in a lens by size. Within about three minutes, we were receiving ads for this make of camera and lens. Then, within about five minutes, we started getting promo email in the mailbox from B&H Photo and others about that make of camera and lens. The specific model we used wasn't referenced, but that make was. So, it was clear to him that Google is mining the email and he doesn't like it. That's a lot of typing to say we want to change email providers.

So, the owner reads about Proton mail and I do some research.  I'm not liking the mail living in the cloud and I'm not excited about the mail living in another country either.

In my mind, if you really want to own your email, you need to host it on-prem, and Exchange is the way to go. I only say that because I'm an Exchange guru. So, the question becomes: if I host the mail in house, on Exchange, can I encrypt it? If yes, how? Do I use an appliance like Barracuda or what?

Looking for some feedback on options here: options for encrypting email sent by Exchange.


David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Well... First, you simply can't use Gmail. Period.

Also, you can't use any front facing service where you type into some GUI in clear text.

You must use a relay system + encryption, as follows...


1) Use MailGun (pure relay service) + dedicated IP.

If your client is sending massive amounts of email, have them PM me directly + I can suggest how to get the best MailGun tech rep assigned to support their account. Some reps are stellar... Some... sigh... are still learning...

2) Encrypt your email, based on encrypt/decrypt method used by recipient.

3) Super important: if you send any unencrypted email, this email will eventually go over the wire as clear text, unless it's encrypted beforehand.

Note: Per #2 both sender + recipient must agree on encrypt/decrypt method for their email, to ensure both sides can read all email in a conversational exchange.

Adam Brown (Senior Systems Admin) commented:
Read for some information about encryption in general and mail encryption in particular.

I would recommend Exchange Online. It's designed for businesses and they make a point of not mining customers' email. If you use Exchange Online (or the business version of Office 365, which contains Exchange), you can purchase an add-on subscription for Azure Information Protection (AIP) for about 2 dollars a user. AIP allows you to enable a secure envelope service that can send encrypted emails.

You are going to want to use a cloud provider for the secure envelope service, unless you want to force your client and the people he emails to configure S/MIME or install GnuPG (the only effective free solutions for this type of thing, despite the fact that S/MIME and PGP have major security weaknesses that were exposed a few months back). You should choose a cloud spam filtering provider (on-prem is way more expensive than it's worth for this type of thing; Barracuda has some encryption features that are good, but requires software installed on the sending user's computer). There are many reasons beyond cost to use cloud spam filtering. Specifically, it's actually *more* secure than on-prem, because you can lock down incoming and outgoing port 25 to *only* the IPs used by the cloud filtering provider.

My recommendation, if you want on-prem Exchange, is to use Exchange Online Protection ($1 per mailbox), with AIP ($2 per user). This is the absolute least expensive solution that provides secure messaging and spam filtering in one package (based on hours of personal research, though that research was conducted 2 years ago, so things may have changed). This combination will let you have an on-prem Exchange server if you choose to go that route, but still have good spam filtering and secure messaging capabilities.
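The "lock down port 25 to only the filtering provider" point above is a concrete Exchange change, so here is how it looks in the Exchange Management Shell. This is an added example, not anything posted in the thread: the server name EXCH01, the connector names, the FQDN mail.contoso.com, the provider smart host smtp.filter.example, the provider CIDR ranges and the LAN range are all placeholders to be replaced with your own values and with the ranges the provider actually publishes.

```powershell
# Added example (not from the thread). Route all outbound Internet mail through a
# cloud filtering provider and accept inbound SMTP only from that provider, so the
# only hosts this server ever talks to on port 25 are the filter and the LAN.
# Run in the Exchange Management Shell on the Mailbox server.

$Server        = "EXCH01"                                 # placeholder
$MyFqdn        = "mail.contoso.com"                       # placeholder, must match the TLS cert
$ProviderHost  = "smtp.filter.example"                    # placeholder smart host
$ProviderCidrs = @("203.0.113.0/24", "198.51.100.0/24")   # placeholder: use the provider's published ranges
$LanCidr       = "10.0.0.0/8"                             # placeholder: internal devices that still need to relay

# Outbound: the Internet ("*") address space is smart-hosted to the provider and
# TLS is required for that hop, so Exchange never resolves public MX records itself.
New-SendConnector -Name "Internet via Filter" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -SourceTransportServers $Server `
    -DNSRoutingEnabled $false -SmartHosts $ProviderHost -SmartHostAuthMechanism None `
    -RequireTLS $true -Fqdn $MyFqdn

# Inbound: the default frontend connector normally accepts from 0.0.0.0-255.255.255.255.
# Narrow it to the provider plus the LAN; anything else on 25 is refused by Exchange.
Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" `
    -RemoteIPRanges ($ProviderCidrs + $LanCidr)

# Defence in depth: mirror the same restriction in the Windows firewall. Any broader
# existing allow rule for TCP 25 (Exchange setup creates some) must be disabled too,
# otherwise this rule adds nothing.
New-NetFirewallRule -DisplayName "SMTP inbound from filter only" -Direction Inbound `
    -Protocol TCP -LocalPort 25 -RemoteAddress ($ProviderCidrs + $LanCidr) -Action Allow

# Check: one outbound path, and no receive connector on 25 still open to the world.
Get-SendConnector | Select-Object Name, Enabled, AddressSpaces, SmartHosts, RequireTLS
Get-ReceiveConnector -Server $Server | Select-Object Name, Bindings, RemoteIPRanges
```

If the old Internet send connector is left enabled alongside the new one, Exchange will still pick between them by cost, so disable or remove it rather than relying on the new connector alone.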
crp0499 (CEO, Author) commented:
You see, that's my number one problem with providers: when "they make it a point" to not mine your email, then I send my test with some obscure reference to a non-existent object and start getting ads for that non-existent object. I've seen this in MS mail, Gmail, etc., so I personally don't believe one word they type in their agreements. Of course, I also have a bomb shelter under my garage and wear a tin foil hat! :D

Anyway, thanks for that. I'm still googling (see, they are mining my info because I'm seeing ads now for mail encryption services) and I'll see what I can nail down. I'm leaning towards on-prem Exchange with a co-located DAG and a couple of Barracudas.
timgreen7077 (Exchange Engineer) commented:
Are you attempting to encrypt via TLS, where the email connection in transit is encrypted, or are you attempting to encrypt and encapsulate the actual contents?

For the first option, Exchange natively attempts to encrypt the traffic via opportunistic TLS, and you can also elect to enforce TLS encryption so that if a TLS connection can't be made it will drop the mail. This can have consequences, since some of the recipients may not accept the TLS connection.

If you are referring to encapsulating/encrypting the actual data, then you will need to look into 3rd party solutions. We use Symantec PGP here, but there are a wide variety that you can look into. Just know which type of encryption you are thinking of.

Depending on how many users you will need to manage for this, it may be easier to use Exchange Online for this all-in-one solution, as mentioned by others. You get the best of both worlds, with TLS encryption and encapsulation with IMS if you set it up.
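The opportunistic-versus-forced TLS distinction above, and the caveat that forcing TLS everywhere drops mail to peers that can't negotiate it, is easiest to see in connector configuration. The following is an added example written for this page, not part of the original thread: it leaves the catch-all connector opportunistic and forces TLS, with certificate-domain validation, only on a dedicated connector for one partner domain. EXCH01, mail.contoso.com, agency.example and the partner's sending range 192.0.2.0/24 are placeholders.

```powershell
# Added example (not from the thread). Exchange Management Shell on the Mailbox server.
# Default behaviour: STARTTLS is attempted and mail falls back to cleartext if the
# peer does not offer or cannot complete TLS. Forcing TLS is done per connector, so
# the blast radius of "TLS or drop" can be limited to domains known to support it.

$Server  = "EXCH01"              # placeholder
$MyFqdn  = "mail.contoso.com"    # placeholder, must match the Exchange TLS certificate
$Partner = "agency.example"      # placeholder partner domain that must only ever get TLS
$PartnerSendingIps = "192.0.2.0/24"   # placeholder: the partner's published outbound MTAs

# 1. Baseline. RequireTLS is False on stock send connectors: that is opportunistic TLS.
Get-SendConnector | Select-Object Name, AddressSpaces, RequireTLS, TlsAuthLevel, TlsDomain

# 2. Forced TLS for $Partner only. The more specific address space beats the "*" Internet
#    connector, so only mail to that domain takes this path. DomainValidation means the
#    remote certificate must chain to a trusted CA AND carry $Partner as its name; without
#    -TlsDomain, EncryptionOnly would accept any self-signed certificate.
New-SendConnector -Name "Forced TLS to $Partner" -Usage Partner `
    -AddressSpaces "SMTP:$Partner;1" -SourceTransportServers $Server `
    -DNSRoutingEnabled $true -Fqdn $MyFqdn `
    -RequireTLS $true -TlsAuthLevel DomainValidation -TlsDomain $Partner `
    -ProtocolLoggingLevel Verbose

# 3. Inbound from the partner: a receive connector scoped to their sending IPs that
#    refuses any session which has not issued STARTTLS. Overlapping ranges are allowed;
#    the most specific RemoteIPRanges match wins, so everyone else still lands on the
#    opportunistic Default Frontend connector and is not dropped.
New-ReceiveConnector -Name "Forced TLS from $Partner" -Server $Server `
    -TransportRole FrontendTransport -Usage Custom -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $PartnerSendingIps -Fqdn $MyFqdn `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers -RequireTLS $true `
    -ProtocolLoggingLevel Verbose

# 4. Check. With verbose protocol logging, every outbound session to the partner must
#    show STARTTLS completing before MAIL FROM; a failed handshake leaves the message
#    queued with a TLS error rather than delivered in cleartext.
$SendLogDir = (Get-TransportService -Identity $Server).SendProtocolLogPath
Get-ChildItem -Path $SendLogDir -Filter *.log |
    Select-String -Pattern "$Partner|STARTTLS|TLS" |
    Select-Object -Last 30

# Mail stuck because the partner could not negotiate TLS shows up here, not in the recipient's inbox.
Get-Queue | Where-Object { $_.NextHopDomain -eq $Partner } |
    Select-Object Identity, Status, MessageCount, LastError
```

Before turning on -RequireTLS for a domain, confirm in the protocol logs that its MX hosts already complete STARTTLS with a certificate that names the domain; otherwise step 4 is where you will discover it, after mail has started queueing.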