Budget E-mail Encryption for Exchange 2003
  • Budget E-mail Encryption for Exchange 2003

    Our company wants to begin e-mail encryption and I'm the one to do it, but I only have a vague idea of where to start. I've read about various methods, but without the funds or luxury of ample testing time, I must revert to the hands-on experience of those other than myself for projects I've never tackled.

    The scenario is we'd like to encrypt e-mail communication when we send information outside our network...from [email protected] to [email protected].

    Do I just purchase an SSL certificate from GoDaddy and install it on the Exchange server without setting up a Certificate Authority (CA) on the local server? We can't afford thousands of dollars here...we're hoping to buy one certificate if this is possible.

    Once the certificate is installed and I've solved this first step, I'm sure I can manage to find tutorials on how to configure Exchange 2003, BUT I'm not sure how I would go about doing the rest. Do I have to BUY a certificate for each office employee? Or is that what a CA is for? Also, how do outside companies handle the encrypted messages once received? Do they get prompted to accept my certificate, or can their admin globally accept our certificate so their facility isn't always clicking YES to accept a certificate every time they open an e-mail from our company's employees?

    Thanks a ton! I don't want to try one of the many scenarios out there only to find I've created a monster or just plain done the wrong thing....

  • #2
    Re: Budget E-mail Encryption for Exchange 2003

    The point is what do you want to encrypt?
    Do you want to encrypt just the message flow, or do you want to encrypt each message?

    If you want to encrypt the message flow then the SSL certificate that you have purchased is fine. You will use something called TLS or SMTP over SSL. However the other end needs to support it as well.

    If you want to encrypt each email message then you will have to look at a different solution.

    You don't need the Microsoft CA, I would actually advise against it because any recipients will not be able to access it to verify the encryption. You need to use public services to encrypt the message so that it can be decrypted by the recipient easily.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.
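A way to check the condition Simon names for the message-flow option (the other end must support TLS too), as an added example that is not part of this post or of any Exchange tooling: the parser inspects an EHLO reply for the STARTTLS keyword, and CheckMX does the same against a live MX and then upgrades the session with certificate verification left on. The two EHLO replies are constructed sample data; mail.xyz.example and mail.ourcompany.example are placeholder names.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"net/smtp"
	"strings"
)

// Constructed sample EHLO replies (RFC 5321 multi-line 250 responses).
// One partner MX advertises STARTTLS, the other does not.
const ehloWithTLS = "250-mail.xyz.example Hello [192.0.2.10]\r\n" +
	"250-SIZE 20971520\r\n250-STARTTLS\r\n250 OK\r\n"
const ehloNoTLS = "250-mail.xyz.example Hello [192.0.2.10]\r\n" +
	"250-SIZE 20971520\r\n250 OK\r\n"

// ParseEHLOExtensions maps each advertised extension keyword to its
// parameters. The first 250 line is the server greeting, not an extension.
func ParseEHLOExtensions(reply string) map[string]string {
	ext := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(reply))
	greeting := true
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		if len(line) < 4 || !strings.HasPrefix(line, "250") {
			continue // banners, errors and continuation noise are ignored
		}
		if greeting {
			greeting = false
			continue
		}
		fields := strings.Fields(line[4:]) // skip "250-" or "250 "
		if len(fields) == 0 {
			continue
		}
		ext[strings.ToUpper(fields[0])] = strings.Join(fields[1:], " ")
	}
	return ext
}

// SupportsSTARTTLS reports whether the EHLO reply offers STARTTLS at all.
// Offering it is necessary but not sufficient: the certificate must verify.
func SupportsSTARTTLS(reply string) bool {
	_, ok := ParseEHLOExtensions(reply)["STARTTLS"]
	return ok
}

// CheckMX connects to host:25, says EHLO, and if STARTTLS is offered,
// upgrades the connection and verifies the server certificate against
// host. Needs network access; the offline demo below does not call it.
func CheckMX(host string) (offered bool, err error) {
	c, err := smtp.Dial(host + ":25")
	if err != nil {
		return false, err
	}
	defer c.Close()
	if err := c.Hello("mail.ourcompany.example"); err != nil {
		return false, err
	}
	if offered, _ = c.Extension("STARTTLS"); !offered {
		return false, nil
	}
	// InsecureSkipVerify deliberately stays false: an MX whose certificate
	// does not chain to a trusted root gives no assurance against a
	// man-in-the-middle, which is the whole point of encrypting the flow.
	cfg := &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
	return true, c.StartTLS(cfg)
}

func main() {
	fmt.Println("first MX offers STARTTLS: ", SupportsSTARTTLS(ehloWithTLS))
	fmt.Println("second MX offers STARTTLS:", SupportsSTARTTLS(ehloNoTLS))
}
```

Run it against a real partner's MX by calling CheckMX with the hostname from its MX record; a returned error after STARTTLS was offered usually means the certificate is self-signed or issued to a different name, which is the case Simon's "the other end needs to support it" glosses over.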



    • #3
      Re: Budget E-mail Encryption for Exchange 2003

      Thanks for your reply! At this point, the message flow. What is involved in having our clients support the two methods you mentioned (TLS or SMTP over SSL)?

      Again, we want a cost effective and low maintenance solution that will not burden our IT staff or theirs, though will still offer a reasonable level of encryption.



      • #4
        Re: Budget E-mail Encryption for Exchange 2003

        To clarify,
        You have external users using Outlook or Outlook Web Access to access their emails on your server and you want to encrypt data from your server to them?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Budget E-mail Encryption for Exchange 2003

          Originally posted by Ossian View Post
          To clarify,
          You have external users using Outlook or Outlook Web Access to access their emails on your server and you want to encrypt data from your server to them?
          Sure...here goes: Actually, we want to encrypt the messages that we send from our Exchange 2003 server to our various clients (they may use other platforms and are external entities). The messages will be sent from Outlook 2003, where the user will specify to use encryption when they are going to send sensitive information to a client. Our concern is encrypting the information we externally send out to our clients via e-mail, not internal relaying among our own employees.

          Let me know if you need anything else...



          • #6
            Re: Budget E-mail Encryption for Exchange 2003

            You can get a Digital ID for each user and then select the option in Outlook to encrypt all outgoing messages. I do not know what is required on the recipient side so you may want to test this with yourself first.



            • #7
              Re: Budget E-mail Encryption for Exchange 2003

              Originally posted by joeqwerty View Post
              You can get a Digital ID for each user and then select the option in Outlook to encrypt all outgoing messages. I do not know what is required on the recipient side so you may want to test this with yourself first.
              We use Microsoft Exchange for our office users and to send e-mails to our clients. Don't Digital IDs require POP mail use instead? We want our users to still use Exchange....



              • #8
                Re: Budget E-mail Encryption for Exchange 2003

                Not that I'm aware of.



                • #9
                  Re: Budget E-mail Encryption for Exchange 2003

                  I'm a little lost here...can anyone point me in the right direction? I'm seeing information on Digital IDs, S/MIME, certificates, signing, encryption, you name it.

                  Most tutorials are not clear cut and don't outline how the encrypted e-mail is handled by the external recipient's e-mail client. They are very vague on what is required and other specifics as well.

                  I just want to send encrypted e-mail without annoying our several thousand external recipients by asking them to get certificates or whatever. I just want OUR outgoing e-mails to be encrypted (not just signed), hopefully without having to involve users by asking them to get certificates...we all know what happens when users are asked to get involved--they either hate us even more, don't do anything, or cause more problems.

                  I've been browsing the Internet for days now....any help would be appreciated.



                  • #10
                    Re: Budget E-mail Encryption for Exchange 2003

                    To encrypt properly, you need pairs of keys (public and private):

                    You want to send a secure email to Fred:
                    You look up Fred's public key
                    You encrypt message
                    You send Message
                    Fred decrypts with his own private key -- nothing else will do.

                    So, each recipient will need their own private key and you will need the corresponding public key. Lots of work!
                    Tom Jones
                    Ossian Ltd



                    • #11
                      Re: Budget E-mail Encryption for Exchange 2003

                      Will our many, many, many external clients that we do business with need to BUY their own digital ID or certificate (which one I'm not sure)?

                      Or do only OUR employees who are SENDING the confidential e-mail to "Fred at XYZ, Inc." purchase a certificate and then send all outgoing e-mails encrypted?

                      If the second is true, then when Fred gets our encrypted e-mail the first time, how do we go about making sure he can open it with a private key? Do we send it to him in an initial e-mail where his browser stores some type of certificate or Digital ID for future e-mails (i.e. so he's not "Accepting" a certificate each time).

                      Hopefully I'm on the right track here...



                      • #12
                        Re: Budget E-mail Encryption for Exchange 2003

                        No, the owner of the private key needs to generate the certificate, which contains the matching public key
                        (OK, this is a vague approximation of the process, so don't be too critical of me)

                        Fred keeps his private key strictly private! He distributes his public key freely, so anyone wanting to send encrypted files to Fred can get the key. Fred is responsible for creating the key and distributing it.

                        In certificate terms, Fred (or each of your clients) must buy or make up a certificate, give you a copy, which you use to encrypt emails to Fred alone. If you have 1000 clients, each must create a key pair, give you the certificate (the public key) and make sure they don't lose their matching private key.

                        The complexity of this is why much email traffic is not encrypted.

                        As an alternative, for confidential emails, consider
                        Creating a password protected Word document
                        Attaching it to an email
                        Phoning the client with the password.

                        Not completely uncrackable but marginally better than nothing
                        Tom Jones
                        Ossian Ltd
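The key-pair flow Tom lays out in #10 and #12, carried through end to end as an added example (it is not code from either post, nor from Outlook, S/MIME or PGP): Fred generates a pair and keeps the private half, hands out the public half, the sender encrypts to that public key, and only Fred's private key opens the result. The hybrid shape, a per-message AES-GCM key wrapped with RSA-OAEP, is what S/MIME and PGP both do underneath their own packaging. The message text and the names Fred and Mallory are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Envelope is what actually travels in the mail: the message under a
// one-time symmetric key, plus that key wrapped to the recipient's public key.
type Envelope struct {
	WrappedKey []byte // AES key, RSA-OAEP encrypted under recipient public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// GenerateKeyPair is Fred's step: make the pair, keep the private half.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PublicKeyPEM is the half Fred distributes freely. A real certificate
// wraps this same public key together with a CA signature over his name.
func PublicKeyPEM(priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// Encrypt is the sender's step: take Fred's public key, encrypt to it.
func Encrypt(recipientPEM, plaintext []byte) (*Envelope, error) {
	block, _ := pem.Decode(recipientPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("recipient key is not a PEM public key")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("recipient key is not RSA")
	}
	key := make([]byte, 32) // fresh AES-256 key for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt is Fred's step: only the matching private key unwraps the
// message key, so anyone else holding the envelope gets an error.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap message key: %w", err)
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	fred, _ := GenerateKeyPair()
	mallory, _ := GenerateKeyPair() // a different recipient's pair
	fredPub, _ := PublicKeyPEM(fred)
	env, _ := Encrypt(fredPub, []byte("Q3 pricing attached")) // constructed message
	pt, err := Decrypt(fred, env)
	fmt.Printf("Fred reads: %q (err=%v)\n", pt, err)
	_, err = Decrypt(mallory, env)
	fmt.Println("Mallory gets:", err)
}
```

This is why the sender's own certificate does not help here: the sender needs Fred's public key before the first encrypted message can be built, which is the bootstrapping problem behind the "lots of work" in #10.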



                        • #13
                          Re: Budget E-mail Encryption for Exchange 2003

                          I would suggest that you start off by looking at something like PGP. That is a common application with Outlook plugins. The recipient should then be able to cope with decrypting the message.

                          Simon.
                          --
                          Simon Butler
                          Exchange MVP



                          • #14
                            Re: Budget E-mail Encryption for Exchange 2003

                            In most cases, you and your recipients will need to exchange some kind of keys or certificates.

                            The most common ways to encrypt the emails between individuals are through the use of digital personal certificates or PGP-like products.

                            In all cases however, this will take quite a bit of work to setup the environments to support encryption and especially to train the various users on how to make all of this work.

                            Personal digital certificates are used by the individuals in their email clients, you do not need to purchase any for the server. They are relatively inexpensive (around $20/year), but if you need to provide them to hundreds of employees that is a different story. In that case, you could install the (free) Certificate Authority Server included in the Windows Server installations. You can then generate your own digital certificates to your employees. You could also use this Certificate Authority (CA Server) to issue certificates to the various recipients of the companies you deal with, to avoid forcing them to buy their own.
                            The use of encryption using digital certificates is relatively simple to use (once everything has been setup) as many email clients (especially Microsoft's) have built-in support for them.

                            PGP is now a commercial company that sells their products and services. There is an older freeware version of PGP (6.5.8 - Google it to find download sites) that is available and is legitimate to use for non-commercial purposes. There are similar free products like GPG that are based on the same key concepts used by PGP. In both cases users are provided encryption keys and various utilities that encrypt text that is then pasted into the email clients. Some products do provide more direct integration with the email clients...

                            To summarize however... This is not going to be a quick and easy solution unless you have just a handful of users to deal with.
