Didn't mean to imply off-site - both the SMIME proxy and Secure Messenger solutions are internally hosted - in fact on the same set of servers.
________________________________ Thanks for the input. the off-site solution seems to be very popular. On Wed, Apr 23, 2008 at 3:23 PM, Don Andrews <[EMAIL PROTECTED]> wrote: Yep - SMIME is a client to client protocol - each client will need their own certificate, then will need to do a certificate exchange etc. etc. - and bottom line is the sending client is required to ensure that they send encrypted after all that. Some of us have gateways that act as SMIME proxies for our internal users freeing them from this burden, but there is an administrative overhead to getting it all working the first time - and the external client still has to do their end - the major advantage is that the server can ensure that outgoing messages are always encrypted and warn the recipient of unencrypted inbound messages. Given the overhead of SMIME encrypted email, some have opted for a browser based secure FTP-like solution - we use Tumbleweed's Secure Messenger for this. ________________________________ From: Troy Meyer [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 23, 2008 12:54 PM To: MS-Exchange Admin Issues Subject: RE: Email Certificates Uh-oh that throws a wrench in the bucket, if we cant actually communicate with the admin of the email server on their end (cox) we may be in trouble. If they are using the standard cox server at mx.west.cox.net <http://mx.west.cox.net/> (or mx.east.cox.net <http://mx.east.cox.net/> ) then transport encryption may not be possible ( a quick telnet into that address does not accept a TLS or STARTTLS command, its pretty plain jane). So options would be setting up SMIME User certificates which is a little more work and would require some user training. Or if the other company moved to a different (infer better) email hosting provider then they could except TLS encrypted email. No easy options :-( -troy From: Jeff Brown [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 23, 2008 12:04 PM To: MS-Exchange Admin Issues Subject: Re: Email Certificates Any way to set that up from my E2K3 domain to their Outlook client? Their email is hosted by an ISP and is pop3. (@cox.net <http://cox.net/> email address)?? On Wed, Apr 23, 2008 at 12:06 PM, Troy Meyer <[EMAIL PROTECTED]> wrote: Jeff, if you mean simply making sure that the general internet cant see the messages and you aren't worried about encryption once they reach the other companies servers, it should be simple; assuming the other company's MTA will accept TLS encryption, you can create a new routing group connector to that domain and require TLS and that should encrypt all transport traffic between your locations (including BB traffic because all BB sending occurs through your exchange server). I haven't configured 2003 in a while, but I believe that should be all that is required. Michael, Kevin, any input? -troy From: Jeff Brown [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 23, 2008 9:57 AM To: MS-Exchange Admin Issues Subject: Re: Email Certificates Thank you very much. I will look at that information as time allows. We are running E2K3 and BES 4.1. Main concern at the moment is that we find a way to send email from BB's to vendors OUTSIDE our network in a secure way that is readable by them. On Wed, Apr 23, 2008 at 11:30 AM, Troy Meyer <[EMAIL PROTECTED]> wrote: Hi Jeff, You really need to understand PKI with regards to how it works before you can really implement encryption. I assume you are running some flavor of exchange and are looking to encrypt messages, have you looked at this: http://technet.microsoft.com/en-us/library/bb123466(EXCHG.65).aspx http://technet.microsoft.com/en-us/library/bb124155(EXCHG.65).aspx It references 2003, but SMIME/PKI is not largely different between applications or exchange versions. From the sounds of your email I think you are confusing different types of encryption, eg: yes you can use transport encryption with SSL certificates that are trusted by all platforms/browsers without interchanging keys (because in essence the public key has already been accepted), but if you are looking for message encryption, you will need USER certificates, which will still need to be accepted by clients. So when you tell exchange to encrypt all outgoing email, you are encrypting the transport from Exchange to the other server, but you are NOT encrypting the message itself. (Yes you can tell Exchange to encrypt all outgoing, and yes you can tell Exchange to encrypt transport to only a specific domain.) So really it comes down to what exactly you are hoping to do, do you want full message encryption or simply to prevent sniffing of traffic on the open internet? As for blackberry, you can do both here as well. If you are running this you can sign/encrypt individual messages using SMIME. http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&extern alId=KB10199&sliceId=SAL_Public&dialogID=55761554&stateId=0%200%20557599 22 If you are running BES then your communication is encrypted until it comes back to your home exchange server, and then it will travel as a normal message (ie if you are encrypting outbound traffic it will travel over that tunnel, otherwise it becomes a plain text outbound.) Hope that helps, it's a lot of information, but security/PKI/SMIME deployments can be difficult if you don't break down exactly what you (and the business) want. -Troy From: Jeff Brown [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 23, 2008 5:40 AM To: MS-Exchange Admin Issues Subject: Email Certificates I need help correcting filling in/correcting holes in my understanding of email certificates and how they work. I purchase a well known cert for my domain so that I can send encrypted email over the public domain. Because I laid out the money for this well known cert, I don't have to exchange certificates with folks outside my domain in order for them to read my encrypted email, right? In Outlook, there is a checkbox to encrypt outgoing email. Is there a way on the org. level to say all mail sent to anyone @thisorg.com <http://thisorg.com/> outside my domain should always be encrypted? Because I paid the big bucks, can we just set it on the domain level to encrypt ALL outgoing email? Will this well known cert allow my BB users to send encrypted email to folks not in my org? TIA, I really appreciate those of you who are able/willing to "educate" the poorly informed. Jeff ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja ~
