On Fri, Oct 16, 2009 at 06:36:59PM +0100, Paul Hutchings wrote:

> After a little guidance on what those of you using Postfix as a gateway
> are using for doing s/mime email encryption?

S/MIME is in theory an MUA issue, MTAs just move the mail. This said, if
an end-to-end approach is not for you (as it is for most users), and you
want gateway to gateway security, by far the most widely adopted is TLS,
but this naturally protects only the first hop, and works one direction
at a time, so it is difficult for a recipient to audit sender policy.

A number of vendors offer gateway-to-gateway S/MIME support in the form
of border email security "appliances". I am not in a position to endorse
or specifically recommend any of these, but a *partial* list (sorted from
shortest to longest URL) should help you to search in the right direction:

    - http://www.pgp.com/products/universal_server/index.html
    - http://www.entrust.com/email-security/messaging-server/index.htm
    - http://www.tumbleweed.com/products/mailgate/secure_messenger.html
    - http://www.ironport.com/resources/datasheet_ironport_encryption.html
    - http://www.mcafee.com/us/enterprise/products/email_and_web_security/email/email_gateway.html

> I did some digging and it seems you can get certificates that
> authenticate a company for s/mime rather than needing to authenticate
> each individual using a cert on their MUA.

The type of certificates required or supported by the various gateways
is product dependent. Note that for S/MIME it is not enough to be able
to authenticate a certificate when it is presented, one actually needs
to have the relevant public keys on hand to initiate encryption, and
given lack of the mythical global X.500 directory in which such certs are
published securely, keys are deployed manually, at which point signatures
by a trusted third party are less important (but some products will still
want these).

Some of the certificates will be "proxy certificates", and various other
product-specific characteristics will arise, but there is little that
one can generally say beyond "follow the vendor's directions".

I am not aware of any open-source S/MIME gateway; if someone has a pointer
to something reasonably well-designed/robust, perhaps they will step
forward with a suitable pointer.

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
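As an added illustration of the point made in the reply above (this is not code from the original post, from Viktor, or from Postfix), the shell script below uses the openssl command line, which is assumed to be installed, to walk through the gateway-side step: it creates a self-signed recipient certificate standing in for a key that was deployed manually, encrypts a constructed message to it with `openssl smime -encrypt`, decrypts it with the matching private key, and confirms that encryption simply cannot proceed when the recipient's certificate is not on hand. All file names and the subject name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Demonstrates that S/MIME encryption at a gateway requires the recipient's
# public key (certificate) to be available locally before anything can be sent.
set -e

# Scratch directory (assumed location; constructed for this example).
WORK="${TMPDIR:-/tmp}/smime-demo.$$"
mkdir -p "$WORK"

# Create the recipient's key pair and a self-signed certificate.  No CA is
# involved: when keys are exchanged out of band, a trusted-third-party
# signature adds little, which is the point made in the reply.
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=recipient.example.invalid" \
        -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" \
        >/dev/null 2>&1
}

# Gateway side: write a constructed plaintext and encrypt it to the
# recipient certificate.  This is the step that needs the key on hand.
encrypt_message() {
    printf 'constructed plaintext body\n' > "$WORK/plain.txt"
    openssl smime -encrypt -aes256 -in "$WORK/plain.txt" \
        -out "$WORK/enveloped.eml" "$WORK/recipient.crt"
}

# Recipient side: decrypt with the private key and print the result.
decrypt_message() {
    openssl smime -decrypt -in "$WORK/enveloped.eml" \
        -recip "$WORK/recipient.crt" -inkey "$WORK/recipient.key" \
        -out "$WORK/decrypted.txt"
    cat "$WORK/decrypted.txt"
}

# Returns success when the enveloped message no longer exposes the body.
ciphertext_hides_body() {
    ! grep -q 'constructed plaintext body' "$WORK/enveloped.eml"
}

# Returns success when encrypting to a certificate we do not have fails,
# i.e. authenticating a cert on presentation is not a substitute for
# holding the recipient's public key in advance.
encrypt_without_cert_fails() {
    ! openssl smime -encrypt -aes256 -in "$WORK/plain.txt" \
        -out "$WORK/no-cert.eml" "$WORK/missing.crt" 2>/dev/null
}

make_recipient
encrypt_message
decrypt_message
```

Run it as-is; the decrypted body is printed at the end, and the enveloped message in `$WORK/enveloped.eml` carries the `application/x-pkcs7-mime` content type a gateway would hand to the next hop.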
