Exchange 2007/2013 Environment - Encrypt Message

    Question

  • Hello guys.

    Our company has an Exchange 2007/2013 environment with multiple servers in different locations around the world. Same organization group, same unique domain.

    One of our users is trying to send an encrypted message using Outlook to another user of the company. However, when the user tries to send the message, Outlook displays the following alert: "Microsoft Outlook cannot sign or encrypt this message because there are no certificates which can be used to send from the e-mail address "user@company.com". Either get a new digital ID to use with this account, or use the Accounts button to send the message using an account that you have certificates for".
    The mailbox of the user who is trying to send the message is on Exchange 2007.

    Questions:

    1) What is the procedure to follow in order to fix this issue?

    2) Is it really necessary to encrypt internal mails? Doesn't Exchange encrypt the message for all internal messages? Please be advised that our environment has 2007 and 2013.

    Thanks a lot for your help.

    Wednesday, July 5, 2017 12:42 PM

All replies

  • There is a difference between TLS (encryption of messages in transit), which is what you are referring to in point 2, and S/MIME, which is what your user is trying to implement. For internal messages, unless there is a business requirement for mails to be encrypted at rest, S/MIME may be overkill.

    See the below links for more info on implementing S/MIME:

    https://technet.microsoft.com/en-us/library/dn626158%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

    https://kb.iu.edu/d/bcta


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful.


    Wednesday, July 5, 2017 1:34 PM
  • Hi Palem,

    Agree with seanmcavinue.

    In general, internal mail flow has been set to encrypt traffic (TLS) by default; we don't need to encrypt the internal messages again unless there is a requirement that they must be encrypted.

    Best Regards,


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by palem20 Thursday, July 6, 2017 12:49 PM
    Thursday, July 6, 2017 8:10 AM
    Moderator
  • seanmcavinue, Niko

    Thanks a lot for your help. I have a couple of questions:

    1)  Does this apply to Exchange 2007 as well?

    2) Is there any difference between TLS and S/MIME?

    3) Where can I see in Exchange if TLS is enabled?

    Thanks a lot.

    Thursday, July 6, 2017 11:46 AM
  • Hi Palem20,

    1) Yes.

    2) Yes. S/MIME encrypts messages with certificates and the mails are encrypted at rest; TLS, on the other hand, encrypts messages in transit but not at rest.

    3) TLS will be configured on the send/receive connectors of the Exchange servers and can be forced (do not send/receive a mail unless TLS is available) or opportunistic (attempt a TLS connection and fall back to standard if TLS is not available).


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful.

    • Marked as answer by palem20 Thursday, July 6, 2017 12:49 PM
    Thursday, July 6, 2017 12:13 PM
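
    One way to check point 3 from the Exchange Management Shell, as an added example that is not part of the original thread: it lists every send and receive connector and labels its TLS mode as forced, opportunistic or not used. `Get-TlsMode` is a helper name made up for this example; the cmdlets and properties are the standard Exchange ones.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Get-TlsMode is a hypothetical helper defined here, not an Exchange cmdlet.
function Get-TlsMode {
    param([bool]$RequireTls, [bool]$TlsOffered)
    if ($RequireTls)     { 'Forced' }         # no TLS, no mail
    elseif ($TlsOffered) { 'Opportunistic' }  # try STARTTLS, fall back to plain SMTP
    else                 { 'Not used' }       # STARTTLS never attempted/advertised
}

# Send connectors: TLS is attempted unless IgnoreSTARTTLS is set,
# and becomes mandatory when RequireTLS is set.
$send = Get-SendConnector | ForEach-Object {
    New-Object PSObject -Property @{
        Direction = 'Send'
        Name      = "$($_.Name)"
        Enabled   = $_.Enabled
        TlsMode   = Get-TlsMode -RequireTls $_.RequireTLS `
                                -TlsOffered (-not $_.IgnoreSTARTTLS)
    }
}

# Receive connectors: STARTTLS is advertised only when 'Tls' is among the
# AuthMechanism flags; RequireTLS rejects senders that do not use it.
# The word-boundary match avoids counting 'BasicAuthRequireTLS' as 'Tls'.
$recv = Get-ReceiveConnector | ForEach-Object {
    New-Object PSObject -Property @{
        Direction = 'Receive'
        Name      = "$($_.Identity)"
        Enabled   = $_.Enabled
        TlsMode   = Get-TlsMode -RequireTls $_.RequireTLS `
                                -TlsOffered ("$($_.AuthMechanism)" -match '\bTls\b')
    }
}

# Note: the implicit intra-organization send connector used between
# Exchange servers in the same organization is not listed by Get-SendConnector.
@($send) + @($recv) |
    Sort-Object Direction, Name |
    Format-Table Direction, Name, Enabled, TlsMode -AutoSize
```

    Connectors reported as "Opportunistic" or "Not used" can deliver mail in clear text when the other side does not offer TLS, which is the transit-only gap the S/MIME comparison above refers to.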
  • Thanks a lot for your help, guys.

    Regards.

    Thursday, July 6, 2017 12:50 PM