Solution for encryption
- Hello,
we would like to encrypt all local/internal emails on our Exchange Server 2007. At the moment I have only found S/MIME as a solution. Is there another solution besides S/MIME?
Best Regards
Florian
All Replies
- By default, server-to-server communication is encrypted in Exchange 2007. The same goes for the virtual directories for your CAS communication. You can even be extra safe by forcing your Exchange 2007 not to allow unencrypted RPC traffic from clients by running the following command:
Set-MailboxServer -MAPIEncryptionRequired:$True
You will then have to ensure that Outlook is configured to use RPC Encryption. By default, Outlook 2007 does use it and Outlook 2003 doesn't. You can use an Outlook GPO to set this option and enforce it.
MVP | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization | http://www.shudnow.net
- Marked as answer by Elvis Wei - MSFT, Moderator, Tuesday, October 06, 2009 10:01 AM
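The reply above names two halves of the same control: the server must refuse unencrypted RPC, and every Outlook client must be configured to encrypt, otherwise enforcing the server side locks those clients out. The following audit script is an added example, not code from the thread or from Microsoft; it assumes it is run in the Exchange Management Shell on a workstation that also has Outlook installed, and the registry value it inspects (`EnableRPCEncryption` under the Outlook `RPC` key for Office 11.0 = Outlook 2003 and 12.0 = Outlook 2007) is the one the Outlook GPO writes.

```powershell
# Added example (not from the thread): audit whether every Exchange 2007 mailbox
# server rejects unencrypted MAPI/RPC, and whether the local Outlook profile is
# set to encrypt RPC. Run inside the Exchange Management Shell.

# Server side: list mailbox servers that still accept unencrypted RPC.
function Get-UnencryptedMapiServer {
    Get-MailboxServer |
        Where-Object { -not $_.MAPIEncryptionRequired } |
        Select-Object Name, MAPIEncryptionRequired
}

# Client side: Outlook keeps the RPC encryption flag under its version key
# (11.0 = Outlook 2003, 12.0 = Outlook 2007). When the value is absent the
# product default applies: on for Outlook 2007, off for Outlook 2003.
function Test-OutlookRpcEncryption {
    param([string]$OfficeVersion = '12.0')
    $key   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\RPC"
    $value = (Get-ItemProperty -Path $key -Name EnableRPCEncryption `
                -ErrorAction SilentlyContinue).EnableRPCEncryption
    if ($null -eq $value) {
        return ($OfficeVersion -eq '12.0')   # product default
    }
    return ($value -eq 1)
}

# Report on the servers.
$open = @(Get-UnencryptedMapiServer)
if ($open.Count -gt 0) {
    Write-Host 'Mailbox servers still accepting unencrypted RPC:'
    $open | Format-Table -AutoSize
    # Only after all clients are known to encrypt, enforce it per server
    # (the same setting as the reply above, with -Identity made explicit):
    # $open | ForEach-Object { Set-MailboxServer -Identity $_.Name -MAPIEncryptionRequired:$true }
} else {
    Write-Host 'All mailbox servers require MAPI encryption.'
}

# Report on whichever Outlook versions are installed for this user.
foreach ($ver in '11.0', '12.0') {
    if (Test-Path "HKCU:\Software\Microsoft\Office\$ver\Outlook") {
        $state = if (Test-OutlookRpcEncryption -OfficeVersion $ver) { 'enabled' } else { 'DISABLED' }
        Write-Host "Outlook $ver RPC encryption: $state"
    }
}
```

The order matters: roll the Outlook GPO out first, confirm with the client-side check (or the GPO reporting of your choice) that no Outlook 2003 profile is left at the default, and only then set `MAPIEncryptionRequired` on the servers. Also note that this setting governs MAPI/RPC between Outlook and the mailbox server only; it says nothing about SMTP between servers or about the message body at rest, which is what the rest of the thread turns to.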
- You might also find RMS / IRM protection for emails helpful. Here is a good place to start: http://technet.microsoft.com/en-us/windowsserver/dd448611.aspx and http://office.microsoft.com/en-us/outlook/CH010500851033.aspx or http://office.microsoft.com/en-us/outlook/HA101003661033.aspx.
Best regards
Martin Rublik
- Hi Florian,
I think you mean you want to encrypt the mail flow in your organization, right? By default, the communication between Exchange Hub servers is via SMTP with TLS. Regarding client and server communication, you could refer to the following article; it also provides the steps for deploying a GPO to enforce RPC encryption.
http://www.shudnow.net/2008/02/10/client-to-server-secure-smtp-connectivity-in-exchange-server-2007/
If you mean you want to encrypt the email itself, not the mail flow, as far as I know, S/MIME is the only solution.
Thanks,
Elvis
- Hi,
thank you for your response. I mean the email itself that I would like to encrypt. Is S/MIME the only solution, or does RMS / IRM encrypt the email too? What about Outlook Web Access and RMS/IRM?
Thanks, Florian
- You can use S/MIME, or you can use Domain Security to force TLS with a specific organization. Read the article I wrote above which Elvis linked to. This article I wrote is a bit more relevant, though: http://www.shudnow.net/2008/11/08/exchange-2007-mail-flow-dns-records-connectors-and-tls/ . It talks more about how Exchange uses TLS out of the box, but it still does not force TLS. It's more of a "try TLS first and if that fails, do it unencrypted." So you'd still want to utilize something like S/MIME.
MVP | MCSE:M | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization | http://www.shudnow.net
- RMS / IRM encrypts the email as well. It also works with OWA if you have the Rights Management Add-on for Internet Explorer installed.
Best regards
Martin Rublik
- Hi Florian,
You could use Active Directory Rights Management Services (AD RMS) with Exchange; then you could set permissions on the mails. It prevents unauthorized users from reading/forwarding messages. It's a kind of permission management. As Martin mentioned, it works with OWA, but you need to install an IE add-on.
Regarding RMS, the following articles for your reference:
http://technet.microsoft.com/en-us/library/bb123950.aspx
http://www.msexchange.org/tutorials/Rights-Management-Service-Exchange-2003-Part1.html
If you have any further questions about deploying RMS, you could write a post on our RMS newsgroup:
Thanks,
Elvis
- Marked as answer by Elvis Wei - MSFT, Moderator, Tuesday, October 06, 2009 10:00 AM
- Hi Florian,
Just checking if you have any further questions regarding the thread. If so, let us know.
Thanks,
Elvis
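Elan's reply earlier in the thread makes the key distinction: Exchange 2007's out-of-the-box TLS is opportunistic ("try TLS first and if that fails, do it unencrypted"), so it protects against nothing that can strip STARTTLS, whereas Domain Security makes mutually authenticated TLS mandatory for a named partner domain and queues the mail rather than falling back to plaintext. The script below is an added example of that configuration, not code from the thread or from Microsoft. The partner domain `partner.example` and the connector names `Internet` and `HUB01\Default HUB01` are placeholders constructed for the example; the partner organization must mirror the setup on its side, and each side needs a certificate the other trusts.

```powershell
# Added example (not from the thread): configure and verify Exchange 2007
# Domain Security so mail exchanged with one partner must use mutually
# authenticated TLS instead of opportunistic STARTTLS.
# Placeholder values constructed for this example:
$PartnerDomain    = 'partner.example'
$SendConnector    = 'Internet'
$ReceiveConnector = 'HUB01\Default HUB01'

# 1. Add the partner to both Domain Security lists without dropping entries
#    that are already there.
$tc = Get-TransportConfig
$sendList = @($tc.TLSSendDomainSecureList    | ForEach-Object { "$_" }) + $PartnerDomain | Select-Object -Unique
$recvList = @($tc.TLSReceiveDomainSecureList | ForEach-Object { "$_" }) + $PartnerDomain | Select-Object -Unique
Set-TransportConfig -TLSSendDomainSecureList $sendList -TLSReceiveDomainSecureList $recvList

# 2. Enable Domain Security on the connectors that carry the partner's mail.
#    The receive connector must list TLS among its auth mechanisms; append it
#    rather than replacing the list so other senders keep working.
Set-SendConnector -Identity $SendConnector -DomainSecureEnabled $true
$rc = Get-ReceiveConnector -Identity $ReceiveConnector
if ("$($rc.AuthMechanism)" -notmatch 'Tls') {
    Set-ReceiveConnector -Identity $ReceiveConnector -AuthMechanism "$($rc.AuthMechanism), Tls"
}
Set-ReceiveConnector -Identity $ReceiveConnector -DomainSecureEnabled $true

# 3. Verify every piece of the configuration; returns $true only when all are in place.
function Test-DomainSecurity {
    param([string]$Domain, [string]$Send, [string]$Receive)
    $tc = Get-TransportConfig
    $sc = Get-SendConnector    -Identity $Send
    $rc = Get-ReceiveConnector -Identity $Receive
    $ok = $true
    if (-not ($tc.TLSSendDomainSecureList | Where-Object { "$_" -eq $Domain })) {
        Write-Warning "$Domain is not in TLSSendDomainSecureList"; $ok = $false
    }
    if (-not ($tc.TLSReceiveDomainSecureList | Where-Object { "$_" -eq $Domain })) {
        Write-Warning "$Domain is not in TLSReceiveDomainSecureList"; $ok = $false
    }
    if (-not $sc.DomainSecureEnabled) {
        Write-Warning "Send connector $Send does not have DomainSecureEnabled"; $ok = $false
    }
    if (-not $rc.DomainSecureEnabled -or "$($rc.AuthMechanism)" -notmatch 'Tls') {
        Write-Warning "Receive connector $Receive lacks DomainSecureEnabled or TLS auth"; $ok = $false
    }
    return $ok
}

if (Test-DomainSecurity -Domain $PartnerDomain -Send $SendConnector -Receive $ReceiveConnector) {
    Write-Host "Domain Security is configured for $PartnerDomain on this side."
}
```

Two caveats a practitioner will want: Domain Security is per partner domain, so it does not help with the original question of encrypting all internal mail (hub-to-hub traffic inside the organization is already TLS, and the message body on the mailbox store is not encrypted by any transport setting), and once it is on, mail to the partner that cannot negotiate mutual TLS sits in the queue, so watch the queues and the transport event log after enabling it rather than assuming delivery.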