Email encryption query
Hi
I had a question on mail encryption that I couldn't find the answer for anywhere on the Net.
We are using Exchange 2003 SP2/ 2007 SP1 and Outlook 2003/2007.
There are murmurs from the management that they would like to look into encrypting email messages either internally, sent externally, or both.
Firstly, would I be correct in thinking that messages sent both internally and internally > externally are sent in clear text and therefore can be read easily?
Secondly, if I wanted to implement a system where internal emails are encrypted (or not sent in clear text) how could I do so?
Thirdly, if I wanted to look to implement a system where emails between us and others are encrypted, would I need to implement something like TLS on the Gateways? And would the other side have to do exactly the same?
Finally, do any of the answers change depending on whether we are using Ex2003, Ex2007, or Ex2010?
Thanks for any answers!
August 10th, 2010 8:21pm
On Tue, 10 Aug 2010 17:21:54 +0000, Pancamo wrote:
>Hi
>I had a question on mail encryption that I couldn't find the answer for anywhere on the Net.
>We are using Exchange 2003 SP2/ 2007 SP1 and Outlook 2003/2007.
>There are murmurs from the management that they would like to look into encrypting email messages either internally, sent externally, or both.
>Firstly, would I be correct in thinking that messages sent both internally and internally > externally are sent in clear text and therefore can be read easily?
More, or less, yes. They certainly aren't encrypted . . . it's more
like obfuscation. Messages moved between the Exchange servers are
usually in TNEF (Transport Neutral Encapsulation Format).
Messages moving between Outlook (MAPI/RPC) and the Information Store
can use either a "lite" encryption (basically a "half-add" or X-OR
encoding -- not really an encryption) or, if it's turned on at the
client, a stronger form of encryption. This is only during the time
the message is "on the wire".
Once the message is "at rest" it's not encrypted.
>Secondly, if I wanted to implement a system where internal emails are encrypted (or not sent in clear text) how could I do so?
If you chose to use S/MIME you'd issue everyone a personal X.509v3
certificate that they'd use to "seal" (encrypt) the messages. This
ensures confidentiality, but not privacy (the message headers aren't
encrypted so it's possible to know the sender, recipients, subject,
date and time, etc.). Message contents encrypted using S/MIME are
secure both at-rest and in-flight.
>Thirdly, if I wanted to look to implement a system where emails between us and others are encrypted, would I need to implement something like TLS on the Gateways?
TLS secures only the transmission channel. It doesn't encrypt the
message.
>And would the other side have to do exactly the same?
S/MIME, while not universal, is widely used. If all of your
correspondents can use it then they'd have to encrypt their e-mail to
you, too.
3rd-party security appliances can manage message encryption and do
things that your users are apt to forget. E.g. policy may enforce that
all email between certain domains is sent in an encrypted format, even
if the message isn't encrypted by the sender. It's also possible using
those appliances to exchange encrypted e-mail even if the other party
can't use your method of encryption.
>Finally, do any of the answers change depending on whether we are using Ex2003, Ex2007, or Ex2010?
>Thanks for any answers!
No.
---
Rich Matheisen
MCSE+I, Exchange MVP
August 11th, 2010 5:17am