Email encryption query
Hi, I had a question on mail encryption that I couldn't find the answer for anywhere on the Net. We are using Exchange 2003 SP2 / 2007 SP1 and Outlook 2003/2007. There are murmurs from management that they would like to look into encrypting email messages either internally, sent externally, or both. Firstly, would I be correct in thinking that messages sent both internally and internally > externally are sent in clear text and therefore can be read easily? Secondly, if I wanted to implement a system where internal emails are encrypted (or not sent in clear text), how could I do so? Thirdly, if I wanted to look to implement a system where emails between us and others are encrypted, would I need to implement something like TLS on the gateways? And would the other side have to do exactly the same? Finally, do any of the answers change depending on whether we are using Ex2003, Ex2007, or Ex2010? Thanks for any answers!
August 10th, 2010 8:21pm

On Tue, 10 Aug 2010 17:21:54 +0000, Pancamo wrote:

>Hi, I had a question on mail encryption that I couldn't find the answer for anywhere on the Net. We are using Exchange 2003 SP2 / 2007 SP1 and Outlook 2003/2007. There are murmurs from management that they would like to look into encrypting email messages either internally, sent externally, or both. Firstly, would I be correct in thinking that messages sent both internally and internally > externally are sent in clear text and therefore can be read easily?

More, or less, yes. They certainly aren't encrypted . . . it's more like obfuscation. Messages moved between the Exchange servers are usually in TNEF (Transport Neutral Encapsulation Format). Messages moving between Outlook (MAPI/RPC) and the Information Store can use either a "lite" encryption (basically a "half-add" or X-OR encoding -- not really an encryption) or, if it's turned on at the client, a stronger form of encryption. This is only during the time the message is "on the wire". Once the message is "at rest" it's not encrypted.

>Secondly, if I wanted to implement a system where internal emails are encrypted (or not sent in clear text), how could I do so?

If you chose to use S/MIME you'd issue everyone a personal X.509v3 certificate that they'd use to "seal" (encrypt) the messages. This ensures confidentiality, but not privacy (the message headers aren't encrypted, so it's possible to know the sender, recipients, subject, date and time, etc.). Message contents encrypted using S/MIME are secure both at rest and in flight.

>Thirdly, if I wanted to look to implement a system where emails between us and others are encrypted, would I need to implement something like TLS on the gateways?

TLS secures only the transmission channel. It doesn't encrypt the message.

>And would the other side have to do exactly the same?

S/MIME, while not universal, is widely used. If all of your correspondents can use it then they'd have to encrypt their e-mail to you, too.

3rd-party security appliances can manage message encryption and do things that your users are apt to forget. E.g. policy may enforce that all email between certain domains is sent in an encrypted format, even if the message isn't encrypted by the sender. It's also possible using those appliances to exchange encrypted e-mail even if the other party can't use your method of encryption.

>Finally, do any of the answers change depending on whether we are using Ex2003, Ex2007, or Ex2010? Thanks for any answers!

No.

---
Rich Matheisen MCSE+I, Exchange MVP
August 11th, 2010 5:17am
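The S/MIME point in the answer above (the body is sealed to the recipient's certificate, the headers are not) as an added, runnable illustration that is not part of the original thread. It uses the CMS cmdlets that ship with Windows PowerShell 5.1 and later (CMS is the envelope format S/MIME carries), so it shows the principle rather than the Outlook 2003/2007 Trust Center workflow. The self-signed certificate, the addresses and the message text are all placeholders constructed for this example; in a real deployment the certificate would come from the internal CA.

```powershell
# Added example, not from the thread: "sealing" a message body for one
# recipient with her X.509 certificate, as S/MIME does, using the CMS cmdlets
# in Windows PowerShell 5.1+. It shows what the answer says: the body is opaque
# in flight and at rest, the headers are not.
# Assumptions: run on Windows with PowerShell 5.1 or later; the self-signed
# certificate stands in for one issued by an internal CA; all names are placeholders.

$recipientSubject = 'CN=alice@contoso.example'

# Reuse the recipient's encryption certificate if present, else create one.
# -Type DocumentEncryptionCert gives it the EKU Protect-CmsMessage requires.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $recipientSubject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Subject $recipientSubject `
        -Type DocumentEncryptionCert -KeyUsage KeyEncipherment, DataEncipherment `
        -CertStoreLocation Cert:\CurrentUser\My
}

# Constructed sample message (headers and body) as a transport hop sees it.
$headers = @'
From: bob@contoso.example
To: alice@contoso.example
Subject: Q3 salary review (confidential)
Date: Tue, 10 Aug 2010 17:21:54 +0000
'@
$body = 'Alice, the proposed increase for the finance team is 4.5%.'

# Sender side: encrypt the body to Alice's public key. Only her private key opens it.
$sealedBody = Protect-CmsMessage -To $cert -Content $body

# What any relay, backup tape or wire tap can read: every header, plus an opaque blob.
Write-Host '--- visible to intermediaries ---'
Write-Host $headers
Write-Host $sealedBody

# The envelope also reveals whose key it was encrypted for, but nothing of the content.
Write-Host '--- envelope recipients ---'
(Get-CmsMessage -Content $sealedBody).Recipients

# Recipient side: decrypt with the private key held in the certificate store.
$plain = Unprotect-CmsMessage -Content $sealedBody
if ($plain -ne $body) { throw 'S/MIME-style round trip failed' }
Write-Host '--- decrypted by Alice ---'
Write-Host $plain
```

Run it in an ordinary user session; the first run creates the certificate, later runs reuse it. The visible part is exactly the metadata the answer lists (sender, recipients, subject, date), which is why S/MIME is described as confidentiality rather than privacy, and why the headers still need channel protection (TLS) if they matter.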
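The "TLS on the gateways" part of the answer, as an added example that is not from the thread: forcing TLS for one partner domain with the Exchange 2007/2010 Management Shell, plus the check that it is actually negotiated. Exchange 2003 has no management shell; the equivalent settings live in ESM under the SMTP virtual server and connector properties. The server name, gateway FQDN, partner domain and partner IP range are placeholders assumed for the example; the cmdlets and parameters are the ones those Exchange versions ship with.

```powershell
# Added example, not from the thread: mandatory TLS to and from one partner
# domain on Exchange 2007/2010, scoped so that mail to everyone else stays
# on opportunistic TLS (Exchange offers STARTTLS by default once a certificate
# is enabled for SMTP).
# Assumptions (placeholders, not from the page): run in the Exchange Management
# Shell on Hub Transport server HUB01; our gateway name is mail.contoso.example
# and a CA-issued certificate for it is already imported; the partner is
# partner.example and their gateways send from 203.0.113.0/24.

$partnerDomain = 'partner.example'
$partnerRange  = '203.0.113.0/24'
$ourFqdn       = 'mail.contoso.example'
$hubServer     = $env:COMPUTERNAME

# 1. STARTTLS needs a certificate bound to the SMTP service. Pick the newest valid one for our name.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $ourFqdn -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate for $ourFqdn; request one with New-ExchangeCertificate -GenerateRequest first."
}
if ($cert.Services -notmatch 'SMTP') {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
}

# 2. Outbound: a Send connector whose address space is the partner only.
#    RequireTLS on the catch-all Internet connector would bounce mail to every
#    domain that does not offer STARTTLS, so that one is left opportunistic.
$sendName = "Partner-TLS-$partnerDomain"
if (-not (Get-SendConnector | Where-Object { $_.Name -eq $sendName })) {
    New-SendConnector -Name $sendName -Usage Custom `
        -AddressSpaces "SMTP:$partnerDomain;1" -DNSRoutingEnabled $true `
        -Fqdn $ourFqdn -SourceTransportServers $hubServer `
        -RequireTLS $true -DomainSecureEnabled $true -ProtocolLoggingLevel Verbose
}

# 3. Inbound: a Receive connector that only the partner's IPs match. Exchange
#    picks it over the default connector because its RemoteIPRanges is more
#    specific, so plaintext is refused from them without touching other senders.
$recvName = "Partner-TLS-$partnerDomain"
if (-not (Get-ReceiveConnector -Server $hubServer | Where-Object { $_.Name -eq $recvName })) {
    New-ReceiveConnector -Name $recvName -Server $hubServer -Usage Internet `
        -Bindings '0.0.0.0:25' -RemoteIPRanges $partnerRange -Fqdn $ourFqdn `
        -RequireTLS $true -DomainSecureEnabled $true -ProtocolLoggingLevel Verbose
}

# 4. Domain Security (DomainSecureEnabled above) is mutual TLS with certificate
#    validation both ways. The partner must configure the mirror image, or mail
#    to them stays queued. Note: these parameters replace the existing lists.
Set-TransportConfig -TLSSendDomainSecureList $partnerDomain -TLSReceiveDomainSecureList $partnerDomain

# 5. Verify the effective configuration ...
Get-SendConnector | Format-Table Name, AddressSpaces, RequireTLS, DomainSecureEnabled, Fqdn -AutoSize
Get-ReceiveConnector -Server $hubServer |
    Format-Table Name, RemoteIPRanges, RequireTLS, DomainSecureEnabled, AuthMechanism -AutoSize

# ... and, after sending a test message to the partner, the SMTP send protocol
# log: a TLS session shows STARTTLS, the partner's 220 reply and the certificate
# exchange. $env:ExchangeInstallPath is set by Exchange 2010 setup; on 2007
# point $logDir at the install directory by hand.
$logDir = Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\ProtocolLog\SmtpSend'
Get-ChildItem $logDir -Filter '*.log' | Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Select-String -Pattern 'STARTTLS|certificate'
```

This answers the "would the other side have to do exactly the same?" question for the TLS case: with RequireTLS alone the partner only has to offer STARTTLS with a certificate your server accepts, and you get an encrypted channel but no proof of who is on the other end; with Domain Security both sides must list each other and present trusted certificates, which is the only way TLS at the gateway gives you sender authentication. If the partner cannot do mutual TLS, set DomainSecureEnabled to $false on both connectors and drop the Set-TransportConfig lists; RequireTLS by itself is still a real gain over plaintext. Either way the message is still clear text on disk at both ends, which is the answer's point about TLS protecting only the channel.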
