Sign in
 
HomeOnline20132010Other VersionsLibraryForumsGalleryEHLO Blog
TechCenter >
singn and encrypting email with exchange 2010

已答复 singn and encrypting email with exchange 2010

  • Thursday, April 26, 2012 7:24 PM
     
     
    Sign In to Vote
    0

    Hello together,

    we are a company that needs to sign and encrypt the email going out via one certain user. Vice versa, the email that this user receives shall be decrypted. So far we can do this with Outlook Webaccess and Outlook as a client, yet for a new application we will need to be able to do this via smtp to our server.

    This would look as following:

    If the user: user32@company.com sends an email to user09@anyexternalcompany.com, than this email shall have a S/MIME signature attached to it. Further if the public key of user09@anyexternalcompany.com is in the exchange server, than the email shall also be encrypted. If the email user09@anyexternalcompany.com is not known to the exchange server, than the email shall be sent unencrypted.

    My question is how can this be done:

    1. Without using outlook as a client (owa / client) =
    2. Without using a third party email security gateway

    Ideally this setup would work out of the box with exchange 2010.

     

    Thanks

    Wolf  

     

All Replies

  • Friday, April 27, 2012 5:10 AM
     
     Answered
    Sign In to Vote
    0

    It sounds like you want to use an Exchange 2010 transport rule to automatically encrypt email messages when they meet certain conditions.  You can do what you describe by using Active Directory Rights Management Services (AD RMS).  It isn't S/MIME but offers some similar benefits.  See the article titled Understanding Transport Decryption at http://technet.microsoft.com/en-us/library/dd638122.aspx - it offers some details about the benefits of AD RMS and some of the drawbacks of other email security solutions (including S/MIME).  AD RMS will require AD RMS CALs and Exchange Enterprise CALs.  In addition, you'll need federation and the destination will need AD RMS.  Thus, for your situation (1 user), this isn't a great or very feasible solution.

    In my mind, I think you should opt to do this without Exchange being involved.  The new application should be developed to use a certificate for encrypting and signing.  Then, the email is secure while it travels over the network and through Exchange and the destination email servers.  Email coming back wouldn't be decrypted until it reaches your application.

    To address your questions directly:

    1. You can use any client - there are quite a number of open source clients and even command-line clients.  Or, you can use your application directly if it is developed with the capability.
    2. You can perform all encryption and decryption on the client computer with your application and not need an email security appliance (or Exchange).

    Brian