Thursday, April 26, 2012 7:24 PM
we are a company that needs to sign and encrypt the email going out via one certain user. Vice versa, the email that this user receives shall be decrypted. So far we can do this with Outlook Webaccess and Outlook as a client, yet for a new application we will need to be able to do this via smtp to our server.
This would look as following:
If the user: firstname.lastname@example.org sends an email to email@example.com, than this email shall have a S/MIME signature attached to it. Further if the public key of firstname.lastname@example.org is in the exchange server, than the email shall also be encrypted. If the email email@example.com is not known to the exchange server, than the email shall be sent unencrypted.
My question is how can this be done:
- Without using outlook as a client (owa / client) =
- Without using a third party email security gateway
Ideally this setup would work out of the box with exchange 2010.
Friday, April 27, 2012 5:10 AM
It sounds like you want to use an Exchange 2010 transport rule to automatically encrypt email messages when they meet certain conditions. You can do what you describe by using Active Directory Rights Management Services (AD RMS). It isn't S/MIME but offers some similar benefits. See the article titled Understanding Transport Decryption at http://technet.microsoft.com/en-us/library/dd638122.aspx - it offers some details about the benefits of AD RMS and some of the drawbacks of other email security solutions (including S/MIME). AD RMS will require AD RMS CALs and Exchange Enterprise CALs. In addition, you'll need federation and the destination will need AD RMS. Thus, for your situation (1 user), this isn't a great or very feasible solution.
In my mind, I think you should opt to do this without Exchange being involved. The new application should be developed to use a certificate for encrypting and signing. Then, the email is secure while it travels over the network and through Exchange and the destination email servers. Email coming back wouldn't be decrypted until it reaches your application.
To address your questions directly:
- You can use any client - there are quite a number of open source clients and even command-line clients. Or, you can use your application directly if it is developed with the capability.
- You can perform all encryption and decryption on the client computer with your application and not need an email security appliance (or Exchange).
- Marked As Answer by Frank.WangModerator Thursday, May 03, 2012 1:55 AM