Hi Jeff, You really need to understand PKI with regards to how it works before you can really implement encryption. I assume you are running some flavor of exchange and are looking to encrypt messages, have you looked at this:
http://technet.microsoft.com/en-us/library/bb123466(EXCHG.65).aspx http://technet.microsoft.com/en-us/library/bb124155(EXCHG.65).aspx It references 2003, but SMIME/PKI is not largely different between applications or exchange versions. From the sounds of your email I think you are confusing different types of encryption, eg: yes you can use transport encryption with SSL certificates that are trusted by all platforms/browsers without interchanging keys (because in essence the public key has already been accepted), but if you are looking for message encryption, you will need USER certificates, which will still need to be accepted by clients. So when you tell exchange to encrypt all outgoing email, you are encrypting the transport from Exchange to the other server, but you are NOT encrypting the message itself. (Yes you can tell Exchange to encrypt all outgoing, and yes you can tell Exchange to encrypt transport to only a specific domain.) So really it comes down to what exactly you are hoping to do, do you want full message encryption or simply to prevent sniffing of traffic on the open internet? As for blackberry, you can do both here as well. If you are running this you can sign/encrypt individual messages using SMIME. http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB10199&sliceId=SAL_Public&dialogID=55761554&stateId=0%200%2055759922 If you are running BES then your communication is encrypted until it comes back to your home exchange server, and then it will travel as a normal message (ie if you are encrypting outbound traffic it will travel over that tunnel, otherwise it becomes a plain text outbound.) Hope that helps, it's a lot of information, but security/PKI/SMIME deployments can be difficult if you don't break down exactly what you (and the business) want. -Troy From: Jeff Brown [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 23, 2008 5:40 AM To: MS-Exchange Admin Issues Subject: Email Certificates I need help correcting filling in/correcting holes in my understanding of email certificates and how they work. I purchase a well known cert for my domain so that I can send encrypted email over the public domain. Because I laid out the money for this well known cert, I don't have to exchange certificates with folks outside my domain in order for them to read my encrypted email, right? In Outlook, there is a checkbox to encrypt outgoing email. Is there a way on the org. level to say all mail sent to anyone @thisorg.com<http://thisorg.com> outside my domain should always be encrypted? Because I paid the big bucks, can we just set it on the domain level to encrypt ALL outgoing email? Will this well known cert allow my BB users to send encrypted email to folks not in my org? TIA, I really appreciate those of you who are able/willing to "educate" the poorly informed. Jeff ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja ~