Thank you very much. I will look at that information as time allows. We are running E2K3 and BES 4.1. Main concern at the moment is that we find a way to send email from BB's to vendors OUTSIDE our network in a secure way that is readable by them.
On Wed, Apr 23, 2008 at 11:30 AM, Troy Meyer <[EMAIL PROTECTED]> wrote:

> Hi Jeff,
>
> You really need to understand PKI with regards to how it works before you can really implement encryption. I assume you are running some flavor of Exchange and are looking to encrypt messages, have you looked at this:
>
> http://technet.microsoft.com/en-us/library/bb123466(EXCHG.65).aspx
>
> http://technet.microsoft.com/en-us/library/bb124155(EXCHG.65).aspx
>
> It references 2003, but SMIME/PKI is not largely different between applications or Exchange versions. From the sounds of your email I think you are confusing different types of encryption, e.g.: yes you can use transport encryption with SSL certificates that are trusted by all platforms/browsers without interchanging keys (because in essence the public key has already been accepted), but if you are looking for message encryption, you will need USER certificates, which will still need to be accepted by clients. So when you tell Exchange to encrypt all outgoing email, you are encrypting the transport from Exchange to the other server, but you are NOT encrypting the message itself. (Yes you can tell Exchange to encrypt all outgoing, and yes you can tell Exchange to encrypt transport to only a specific domain.)
>
> So really it comes down to what exactly you are hoping to do, do you want full message encryption or simply to prevent sniffing of traffic on the open internet?
>
> As for BlackBerry, you can do both here as well. If you are running this you can sign/encrypt individual messages using SMIME.
>
> http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB10199&sliceId=SAL_Public&dialogID=55761554&stateId=0%200%2055759922
>
> If you are running BES then your communication is encrypted until it comes back to your home Exchange server, and then it will travel as a normal message (i.e. if you are encrypting outbound traffic it will travel over that tunnel, otherwise it becomes a plain text outbound.)
>
> Hope that helps, it's a lot of information, but security/PKI/SMIME deployments can be difficult if you don't break down exactly what you (and the business) want.
>
> -Troy
>
> *From:* Jeff Brown [mailto:[EMAIL PROTECTED]
> *Sent:* Wednesday, April 23, 2008 5:40 AM
> *To:* MS-Exchange Admin Issues
> *Subject:* Email Certificates
>
> I need help filling in/correcting holes in my understanding of email certificates and how they work.
>
> I purchase a well known cert for my domain so that I can send encrypted email over the public domain.
>
> Because I laid out the money for this well known cert, I don't have to exchange certificates with folks outside my domain in order for them to read my encrypted email, right?
>
> In Outlook, there is a checkbox to encrypt outgoing email. Is there a way on the org. level to say all mail sent to anyone @thisorg.com outside my domain should always be encrypted?
>
> Because I paid the big bucks, can we just set it on the domain level to encrypt ALL outgoing email?
>
> Will this well known cert allow my BB users to send encrypted email to folks not in my org?
>
> TIA, I really appreciate those of you who are able/willing to "educate" the poorly informed.
>
> Jeff
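
The difference between transport encryption and message encryption discussed in the quoted reply can be checked on any received message. The following Python code is an added example, not part of the thread: it reports whether the message body itself is S/MIME protected and which relay hops recorded a TLS keyword (RFC 3848) in their `Received` headers. The sample messages, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the thread); all hosts are placeholders.
TLS_ONLY = """\
Received: from mail.example.org by mx.vendor.example with ESMTPS id a1
Received: from bes.example.org by mail.example.org with ESMTP id a0
From: jeff@example.org
To: buyer@vendor.example
Content-Type: text/plain

Readable on every server that relays or stores it.
"""
SMIME = """\
Received: from mail.example.org by mx.vendor.example with ESMTP id b1
From: jeff@example.org
To: buyer@vendor.example
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64

MIIB (constructed placeholder, not real CMS data)
"""

TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 "with" values
SMIME_KINDS = {"enveloped-data": "encrypted", "authenveloped-data": "encrypted",
               "signed-data": "signed-only"}

def message_protection(msg):
    """What protects the message itself, independent of how it travelled."""
    ctype = msg.get_content_type()
    smime_type = (msg.get_param("smime-type") or "").lower()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return SMIME_KINDS.get(smime_type, "pkcs7-other")
    return "signed-only" if ctype == "multipart/signed" else "none"

def transport_hops(msg):
    """(receiving host, TLS keyword seen) per Received header, newest hop first.
    Each relay writes its own line, so this is a hint, not proof."""
    hops = []
    for received in msg.get_all("Received", []):
        host = re.search(r"\bby\s+(\S+)", received)
        proto = re.search(r"\bwith\s+(\S+)", received, re.I)
        tls = bool(proto) and proto.group(1).upper() in TLS_KEYWORDS
        hops.append((host.group(1) if host else "?", tls))
    return hops

def classify(raw):
    msg = message_from_string(raw)
    return {"message": message_protection(msg), "hops": transport_hops(msg)}

if __name__ == "__main__":
    for name, raw in (("TLS_ONLY", TLS_ONLY), ("SMIME", SMIME)):
        print(name, classify(raw))
```

A hop without a TLS keyword means the relay did not record one, which is not the same as proof that the hop was unencrypted.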