Ah, got it - and, I guess that would depend on which way the wind is blowing.  

Interestingly, at one point in time their music on hold for support started 
with Gene Autry's Tumbling Tumbleweeds. 

---------------------------------
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: Jeff Brown <[EMAIL PROTECTED]>
To: MS-Exchange Admin Issues <exchangelist@lyris.sunbelt-software.com>
Sent: Thu Apr 24 07:06:07 2008
Subject: Re: Email Certificates

I think I understood most of what you were saying.  I was referring to 
tumbleweeds when I said off-site. (that really is off-site, right?)


On Wed, Apr 23, 2008 at 6:10 PM, Don Andrews <[EMAIL PROTECTED]> wrote:


        Didn't mean to imply off-site – both the SMIME proxy and Secure 
Messenger solutions are internally hosted – in fact on the same set of servers.

                Thanks for the input.  The off-site solution seems to be very 
popular.

        On Wed, Apr 23, 2008 at 3:23 PM, Don Andrews <[EMAIL PROTECTED]> wrote:

        Yep – SMIME is a client to client protocol – each client will need 
their own certificate, then will need to do a certificate exchange etc. etc. – 
and bottom line is the sending client is required to ensure that they send 
encrypted after all that.

        Some of us have gateways that act as SMIME proxies for our internal 
users freeing them from this burden, but there is an administrative overhead to 
getting it all working the first time – and the external client still has to do 
their end – the major advantage is that the server can ensure that outgoing 
messages are always encrypted and warn the recipient of unencrypted inbound 
messages.

        Given the overhead of SMIME encrypted email, some have opted for a 
browser based secure FTP-like solution – we use Tumbleweed's Secure Messenger 
for this.

        From: Troy Meyer [mailto:[EMAIL PROTECTED]]
        Sent: Wednesday, April 23, 2008 12:54 PM
        To: MS-Exchange Admin Issues
        Subject: RE: Email Certificates

        Uh-oh, that throws a wrench in the bucket; if we can't actually 
communicate with the admin of the email server on their end (Cox) we may be in 
trouble.

        If they are using the standard Cox server at mx.west.cox.net (or 
mx.east.cox.net) then transport encryption may not be possible (a quick telnet 
into that address does not accept a TLS or STARTTLS command; it's pretty plain 
Jane).

        So options would be setting up SMIME user certificates, which is a 
little more work and would require some user training. Or if the other company 
moved to a different (infer better) email hosting provider then they could 
accept TLS-encrypted email.

        No easy options :(

        -troy

        From: Jeff Brown [mailto:[EMAIL PROTECTED]]
        Sent: Wednesday, April 23, 2008 12:04 PM
        To: MS-Exchange Admin Issues
        Subject: Re: Email Certificates

        Any way to set that up from my E2K3 domain to their Outlook client?  
Their email is hosted by an ISP and is pop3 (@cox.net email address)??

        On Wed, Apr 23, 2008 at 12:06 PM, Troy Meyer <[EMAIL PROTECTED]> wrote:

        Jeff, if you mean simply making sure that the general internet can't see 
the messages and you aren't worried about encryption once they reach the other 
company's servers, it should be simple; assuming the other company's MTA will 
accept TLS encryption, you can create a new routing group connector to that 
domain and require TLS and that should encrypt all transport traffic between 
your locations (including BB traffic because all BB sending occurs through your 
Exchange server).

        I haven't configured 2003 in a while, but I believe that should be all 
that is required.  Michael, Kevin, any input?

        -troy

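As an added example (not written by anyone in this thread), here is Troy's telnet check for STARTTLS in Python, with the EHLO-reply parsing split out so it can be exercised offline; the host names and the two EHLO replies are constructed, not captured from Cox or any other server.

```python
import smtplib
import socket

# Constructed EHLO replies (not captured from any real server) in the
# RFC 5321 multi-line format: "250-" continues the reply, "250 " ends it.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_PLAIN = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 10240000\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(reply: str) -> set[str]:
    """Return the SMTP extension keywords advertised in an EHLO reply.

    The first 250 line carries the server's greeting, not an extension,
    so it is skipped; every following line's first word is a keyword
    (case-insensitive per RFC 5321), e.g. SIZE, STARTTLS, AUTH.
    """
    lines = [ln for ln in reply.splitlines() if ln[:3] == "250"]
    extensions = set()
    for ln in lines[1:]:
        body = ln[4:].strip()          # drop the "250-" / "250 " prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply offers STARTTLS, i.e. a send connector that
    requires TLS to this host has a chance of delivering."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live version of the manual telnet check: connect, send EHLO and
    report whether STARTTLS is offered. Needs network access, so it is
    not exercised by the constructed sample data above."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (smtplib.SMTPException, socket.error):
        return False
```

Run the probe against a domain's MX hosts before requiring TLS on a connector to it, since a peer that does not offer STARTTLS (as Troy found with the Cox hosts) cannot be reached with transport encryption at all.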
        From: Jeff Brown [mailto:[EMAIL PROTECTED]]
        Sent: Wednesday, April 23, 2008 9:57 AM
        To: MS-Exchange Admin Issues
        Subject: Re: Email Certificates

        Thank you very much.  I will look at that information as time allows.  
We are running E2K3 and BES 4.1.  Main concern at the moment is that we find a 
way to send email from BB's to vendors OUTSIDE our network in a secure way that 
is readable by them.

        On Wed, Apr 23, 2008 at 11:30 AM, Troy Meyer <[EMAIL PROTECTED]> wrote:

        Hi Jeff,

        You really need to understand PKI with regard to how it works before 
you can really implement encryption.  I assume you are running some flavor of 
Exchange and are looking to encrypt messages; have you looked at this:

        http://technet.microsoft.com/en-us/library/bb123466(EXCHG.65).aspx
        http://technet.microsoft.com/en-us/library/bb124155(EXCHG.65).aspx

        It references 2003, but SMIME/PKI is not largely different between 
applications or Exchange versions.  From the sounds of your email I think you 
are confusing different types of encryption, e.g. yes, you can use transport 
encryption with SSL certificates that are trusted by all platforms/browsers 
without interchanging keys (because in essence the public key has already been 
accepted), but if you are looking for message encryption, you will need USER 
certificates, which will still need to be accepted by clients.  So when you 
tell Exchange to encrypt all outgoing email, you are encrypting the transport 
from Exchange to the other server, but you are NOT encrypting the message 
itself. (Yes you can tell Exchange to encrypt all outgoing, and yes you can 
tell Exchange to encrypt transport to only a specific domain.)

        So really it comes down to what exactly you are hoping to do: do you 
want full message encryption or simply to prevent sniffing of traffic on the 
open internet?

        As for blackberry, you can do both here as well.  If you are running 
this you can sign/encrypt individual messages using SMIME.

        http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB10199&sliceId=SAL_Public&dialogID=55761554&stateId=0%200%2055759922

        If you are running BES then your communication is encrypted until it 
comes back to your home Exchange server, and then it will travel as a normal 
message (i.e. if you are encrypting outbound traffic it will travel over that 
tunnel, otherwise it becomes plain text outbound).

        Hope that helps, it's a lot of information, but security/PKI/SMIME 
deployments can be difficult if you don't break down exactly what you (and the 
business) want.

        -Troy

        From: Jeff Brown [mailto:[EMAIL PROTECTED]]
        Sent: Wednesday, April 23, 2008 5:40 AM
        To: MS-Exchange Admin Issues
        Subject: Email Certificates

        I need help filling in/correcting holes in my understanding of email 
certificates and how they work.

        I purchase a well known cert for my domain so that I can send encrypted 
email over the public domain.

        Because I laid out the money for this well known cert, I don't have to 
exchange certificates with folks outside my domain in order for them to read my 
encrypted email, right?

        In Outlook, there is a checkbox to encrypt outgoing email.  Is there a 
way on the org. level to say all mail sent to anyone @thisorg.com outside my 
domain should always be encrypted?

        Because I paid the big bucks, can we just set it on the domain level to 
encrypt ALL outgoing email?

        Will this well known cert allow my BB users to send encrypted email to 
folks not in my org?

        TIA, I really appreciate those of you who are able/willing to 
"educate" the poorly informed.

        Jeff