I think I understood most of what you were saying.  I was referring to
tumbleweeds when I said off-site. (that really is off-site, right?)

On Wed, Apr 23, 2008 at 6:10 PM, Don Andrews <[EMAIL PROTECTED]>
wrote:

>  Didn't mean to imply off-site – both the SMIME proxy and Secure Messenger
> solutions are internally hosted – in fact on the same set of servers.
>
>
>  ------------------------------
>
> Thanks for the input.  the off-site solution seems to be very popular.
>
> On Wed, Apr 23, 2008 at 3:23 PM, Don Andrews <[EMAIL PROTECTED]>
> wrote:
>
> Yep – SMIME is a client to client protocol – each client will need their
> own certificate, then will need to do a certificate exchange etc. etc. – and
> bottom line is the sending client is required to ensure that they send
> encrypted after all that.
>
>
>
> Some of us have gateways that act as SMIME proxies for our internal users
> freeing them from this burden, but there is an administrative overhead to
> getting it all working the first time – and the external client still has to
> do their end – the major advantage is that the server can ensure that
> outgoing messages are always encrypted and warn the recipient of unencrypted
> inbound messages.
>
>
>
> Given the overhead of SMIME encrypted email, some have opted for a browser
> based secure FTP-like solution – we use Tumbleweed's Secure Messenger for
> this.
>
>
>  ------------------------------
>
> *From:* Troy Meyer [mailto:[EMAIL PROTECTED]
> *Sent:* Wednesday, April 23, 2008 12:54 PM
>
>
> *To:* MS-Exchange Admin Issues
>
> *Subject:* RE: Email Certificates
>
>
>
> Uh-oh, that throws a wrench in the bucket, if we can't actually communicate
> with the admin of the email server on their end (cox) we may be in trouble.
>
>
>
> If they are using the standard cox server at mx.west.cox.net (or
> mx.east.cox.net) then transport encryption may not be possible (a quick
> telnet into that address does not accept a TLS or STARTTLS command, it's
> pretty plain jane).
>
>
>
> So options would be setting up SMIME User certificates which is a little
> more work and would require some user training. Or if the other company
> moved to a different (infer better) email hosting provider then they could
> accept TLS encrypted email.
>
>
>
> No easy options :(
>
>
>
> -troy
>
>
>
>
>
> *From:* Jeff Brown [mailto:[EMAIL PROTECTED]
> *Sent:* Wednesday, April 23, 2008 12:04 PM
>
>
> *To:* MS-Exchange Admin Issues
>
> *Subject:* Re: Email Certificates
>
>
>
> Any way to set that up from my E2K3 domain to their Outlook client?  Their
> email is hosted by an ISP and is pop3. (@cox.net email address)??
>
> On Wed, Apr 23, 2008 at 12:06 PM, Troy Meyer <[EMAIL PROTECTED]>
> wrote:
>
> Jeff, if you mean simply making sure that the general internet can't see the
> messages and you aren't worried about encryption once they reach the other
> company's servers, it should be simple; assuming the other company's MTA
> will accept TLS encryption, you can create a new routing group connector to
> that domain and require TLS and that should encrypt all transport traffic
> between your locations (including BB traffic because all BB sending occurs
> through your exchange server).
>
>
>
> I haven't configured 2003 in a while, but I believe that should be all that
> is required.  Michael, Kevin, any input?
>
>
>
> -troy
>
>
>
>
>
> *From:* Jeff Brown [mailto:[EMAIL PROTECTED]
> *Sent:* Wednesday, April 23, 2008 9:57 AM
>
>
> *To:* MS-Exchange Admin Issues
>
> *Subject:* Re: Email Certificates
>
>
>
> Thank you very much.   I will look at that information as time allows.  We
> are running E2K3 and BES 4.1.  Main concern at the moment is that we find a
> way to send email from BB's to vendors OUTSIDE our network in a secure way
> that is readable by them.
>
> On Wed, Apr 23, 2008 at 11:30 AM, Troy Meyer <[EMAIL PROTECTED]>
> wrote:
>
> Hi Jeff,
>
>
>
> You really need to understand PKI with regards to how it works before you
> can really implement encryption.  I assume you are running some flavor of
> exchange and are looking to encrypt messages, have you looked at this:
>
>
>
> http://technet.microsoft.com/en-us/library/bb123466(EXCHG.65).aspx
>
> http://technet.microsoft.com/en-us/library/bb124155(EXCHG.65).aspx
>
>
>
>
>
> It references 2003, but SMIME/PKI is not largely different between
> applications or exchange versions.  From the sounds of your email I think
> you are confusing different types of encryption, eg:  yes you can use
> transport encryption with SSL certificates that are trusted by all
> platforms/browsers without interchanging keys (because in essence the public
> key has already been accepted), but if you are looking for message
> encryption, you will need USER certificates, which will still need to be
> accepted by clients.  So when you tell exchange to encrypt all outgoing
> email, you are encrypting the transport from Exchange to the other server,
> but you are NOT encrypting the message itself. (Yes you can tell Exchange to
> encrypt all outgoing, and yes you can tell Exchange to encrypt transport to
> only a specific domain.)
>
>
>
> So really it comes down to what exactly you are hoping to do, do you want
> full message encryption or simply to prevent sniffing of traffic on the open
> internet?
>
>
>
> As for blackberry, you can do both here as well.  If you are running this
> you can sign/encrypt individual messages using SMIME.
>
>
>
>
> http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB10199&sliceId=SAL_Public&dialogID=55761554&stateId=0%200%2055759922
>
>
>
> If you are running BES then your communication is encrypted until it comes
> back to your home exchange server, and then it will travel as a normal
> message (ie if you are encrypting outbound traffic it will travel over that
> tunnel, otherwise it becomes a plain text outbound.)
>
>
>
>
>
> Hope that helps, it's a lot of information, but security/PKI/SMIME
> deployments can be difficult if you don't break down exactly what you (and
> the business) want.
>
>
>
> -Troy
>
>
>
>
>
> *From:* Jeff Brown [mailto:[EMAIL PROTECTED]
> *Sent:* Wednesday, April 23, 2008 5:40 AM
> *To:* MS-Exchange Admin Issues
> *Subject:* Email Certificates
>
>
>
> I need help filling in/correcting holes in my understanding of
> email certificates and how they work.
>
>
>
> I purchase a well known cert for my domain so that I can send encrypted
> email over the public domain.
>
>
>
> Because I laid out the money for this well known cert, I don't have to
> exchange certificates with folks outside my domain in order for them to read
> my encrypted email, right?
>
>
>
> In Outlook, there is a checkbox to encrypt outgoing email.  Is there a way
> on the org. level to say all mail sent to anyone @thisorg.com  outside my
> domain should always be encrypted?
>
>
>
> Because I paid the big bucks, can we just set it on the domain level to
> encrypt ALL outgoing email?
>
>
>
> Will this well known cert allow my BB users to send encrypted email to
> folks not in my org?
>
>
>
> TIA,  I really appreciate those of you who are able/willing to "educate"
> the poorly informed.
>
>
>
> Jeff
>
>
>
>
>
>
>
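
Added example, not part of the thread: the manual telnet check described above can be scripted before a connector is set to require TLS for a partner domain. This Python sketch parses an EHLO reply and reports whether the remote MTA advertises STARTTLS; the sample replies and host names are constructed, and `probe` is a hypothetical helper name for the live check.

```python
import smtplib

# Constructed sample EHLO replies (not captured from any real server).
PLAIN_MTA = ("250-mx.example.net hello\r\n250-SIZE 20971520\r\n"
             "250-PIPELINING\r\n250 8BITMIME\r\n")
TLS_MTA = ("250-mail.example.org\r\n250-SIZE 10240000\r\n"
           "250-STARTTLS\r\n250 HELP\r\n")
NO_ESMTP = "502 5.5.2 Error: command not recognized\r\n"


def parse_ehlo(reply: str) -> dict:
    """Parse a raw multi-line EHLO reply into {KEYWORD: parameters}.

    Returns an empty dict when the server rejects EHLO (plain SMTP only).
    """
    extensions = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        code, text = line[:3], line[4:].strip()
        if code != "250":
            return {}  # EHLO refused: no extensions, so no STARTTLS
        if index == 0:
            continue  # first line is the server greeting, not an extension
        keyword, _, params = text.partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def transport_tls_possible(reply: str) -> bool:
    """True only if the MTA advertises STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


def probe(host: str, port: int = 25, timeout: int = 10) -> bool:
    """Live version of the same check against a partner's MX host."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    for name, reply in (("plain", PLAIN_MTA), ("tls", TLS_MTA),
                        ("no-esmtp", NO_ESMTP)):
        print(name, "STARTTLS offered:", transport_tls_possible(reply))
```

A `False` result means a connector that requires TLS to that domain will fail to deliver, which leaves message-level encryption (S/MIME) or a portal-style solution as the remaining options discussed in the thread.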
