Exchange 2013 and S/MIME / ADRMS signing advice

    Question

  • Hi

    I have very little experience with email certificates and would very much like some advice on the below.

    Today we use a mailGW to sign emails with S/MIME certificates, when users select to sign an email in their Outlook.

    Due to complexity in this system, my boss has asked me to explore the possibility of designing a solution where each Exchange server has certificates installed, and those sign all outgoing emails instead (so the users don't have to bother with this anymore).

    What I "thought" I had understood was that S/MIME was implemented on the client side, but when I read this article, https://technet.microsoft.com/en-us/library/dn626158(v=exchg.150).aspx, it states that it is possible to put signing certificates in a PKI server instead, but I am wondering about:

    1) Have I understood it right that we could have each user's certificates (from today's GW) in a PKI store instead, and have the Exchange servers sign emails on behalf of each user when they are sending out emails?

    2) Or do we have to use one common certificate for all users, which they have to select from the Trust Center in Outlook?

    3) Are there any pros/cons to having the servers sign emails, instead of a GW?

    4) Does anyone have a step-by-step guide, other than the above link, on how to implement such a design?

    Thanks in advance,

    /Peter


    • Edited by Peter_Moe Thursday, December 7, 2017 10:41 AM
    Monday, October 23, 2017 9:45 AM

Answers

  • Hi Peter

    This is a common issue in companies. I can only recommend NOT using S/MIME end-to-end encryption or signing. At least not by default. You will run into several support issues that you won't like:

    - How do you want to forward encrypted e-mails?
    - How will you handle expired certificates from users?
    - What happens to encrypted mails from users that left the enterprise?
    - Do you have an archive solution? What will you do with encrypted mails in the archive? Using a KRA?

    I think I can ask you many more questions out of the daily business that will show you that you don't want to go down the way of S/MIME. S/MIME is so nineties. If you ask my opinion, you should go with Microsoft Rights Management (RMS). RMS is a state-of-the-art system that fits all demands and that is really secure. Of course you should use TLS for the transport way, but that's a different story.

    If your CSO/CEO insists on using S/MIME, go for a gateway solution like https://www.seppmail.ch/.

    I know, that's not what your boss wants to hear, but that is the right way.

    Hopefully it helps.

    regards

    Joerg

    • Proposed as answer by Jason.ChaoModerator Tuesday, October 24, 2017 6:15 AM
    • Marked as answer by Peter_Moe Monday, December 11, 2017 11:23 AM
    Monday, October 23, 2017 1:20 PM

All replies

  • Thanks, Joerg.

    I totally agree, but he wants to stick with S/MIME in this matter.

    If we were to move to RMS, it would give us more options, but from what I have read it will also require our employees, or the people we send secured documents to, to have a Windows Live ID. We don't want that. And wouldn't we also end up in the same sinkhole as you described above? Today's GW certificates would not be compatible with RMS, and already signed/encrypted emails would not be accessible by an RMS solution.

    But, back to my initial questions: will it be possible to skip the GW and put 3rd-party certificates, or the ones from the GW, on our Exchange servers instead, and have them sign all outgoing emails on behalf of the users? (Or will we, by this approach, end up with the scenarios you are describing?)

    Do you, or anybody else, have any input on my point four, a guide on how to do this?

    Thanks.

    /Peter

    Tuesday, October 24, 2017 6:27 AM
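    The following is an added example and not code from the thread, Microsoft or any gateway vendor. It sketches the two sides of the server-side signing design behind Peter's questions 1 and 2: the signer picks a certificate from a server-side store and signs on the user's behalf, and the recipient verifies the signature and checks that the signer certificate's email address matches the From header. It also shows the expiry check Joerg's second bullet implies a server-side signer must perform before using a stored certificate. Everything is constructed: self-signed test certificates, made-up addresses under example.test, and plain openssl on the PATH (assumed 1.1.1 or later for -addext).

```shell
#!/bin/sh
# Added example (not from the thread). All certs, keys and addresses are
# constructed test data; assumes openssl 1.1.1+ is on the PATH.
set -e
WORK=$(mktemp -d)

# make_cert NAME EMAIL: constructed self-signed S/MIME cert with EMAIL in the SAN.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -addext "subjectAltName=email:$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# cert_usable NAME: a server-side signer must not sign with a stored cert
# that is expired or about to expire (here: within one day).
cert_usable() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkend 86400 >/dev/null
}

# sign_on_behalf CERTNAME FROM BODYFILE OUTFILE: what the Exchange server
# or gateway would do for an outgoing mail, using the stored cert CERTNAME.
sign_on_behalf() {
  cert_usable "$1" || { echo "refusing to sign: $1 cert expired/expiring" >&2; return 1; }
  openssl smime -sign -text -in "$3" -out "$4" \
    -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -from "$2" -to "recipient@example.test" -subject "signed mail"
}

# check_binding MSGFILE TRUSTFILE: recipient-side check. Prints INVALID when
# the signature or chain does not verify, VALID_MATCH when the signer cert's
# email SAN equals the From header, VALID_MISMATCH otherwise.
check_binding() {
  if ! openssl smime -verify -in "$1" -CAfile "$2" -signer "$WORK/signer.pem" \
        -out /dev/null 2>/dev/null; then
    echo INVALID; return 0
  fi
  from=$(sed -n 's/^From: *//p' "$1" | head -n 1)
  if openssl x509 -in "$WORK/signer.pem" -noout -text | grep -q "email:$from"; then
    echo VALID_MATCH
  else
    echo VALID_MISMATCH
  fi
}

# Scenario 1: per-user cert from the server-side store, signed on Alice's behalf.
make_cert alice alice@example.test
printf 'Quarterly figures attached.\n' > "$WORK/body.txt"
sign_on_behalf alice alice@example.test "$WORK/body.txt" "$WORK/alice.eml"
cat "$WORK/alice.crt" > "$WORK/trust.pem"

# Scenario 2: one shared gateway cert used for Bob's mail (question 2).
make_cert mailgw mailgw@example.test
sign_on_behalf mailgw bob@example.test "$WORK/body.txt" "$WORK/bob_shared.eml"
cat "$WORK/mailgw.crt" >> "$WORK/trust.pem"

# Scenario 3: Alice's signed mail altered in transit after signing.
sed 's/Quarterly/Tampered/' "$WORK/alice.eml" > "$WORK/alice_tampered.eml"

result_per_user() { check_binding "$WORK/alice.eml" "$WORK/trust.pem"; }
result_shared()   { check_binding "$WORK/bob_shared.eml" "$WORK/trust.pem"; }
result_tampered() { check_binding "$WORK/alice_tampered.eml" "$WORK/trust.pem"; }

echo "per-user cert: $(result_per_user)"
echo "shared cert:   $(result_shared)"
echo "tampered:      $(result_tampered)"
```

    The shared-certificate scenario verifies cryptographically but fails the address binding, which is the practical difference between question 1 (per-user certificates in a server-side store) and question 2 (one common certificate): a recipient client that checks the signer's email against the sender will flag the latter. The expiry gate in sign_on_behalf is the server-side answer to Joerg's expired-certificate bullet; in a real deployment the signer would also need a renewal process behind it.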
  • I've created a new thread about RMS, https://social.technet.microsoft.com/Forums/en-US/e37c3e0c-ad61-4470-aec8-8dadcc096566/question-about-adrms-smime?forum=rmsapps

    Does anyone have any input on that?

    Thanks

    Thursday, December 7, 2017 9:35 AM