Email Encryption with Shared Mailboxes

  • Question

  • We are thinking about implementing email/message encryption using S/MIME and I wanted to know how it all works with shared mailboxes. I'm not sure how it all works, but I wanted to know more about how it works with shared mailboxes.

    From what I understand, for regular users, every user has a certificate assigned to him and when sending emails to other users with their own certificate, they can open the encrypted emails. But, when creating a shared mailbox, Exchange actually creates a disabled user in AD and the mailbox is classified as SharedMailbox, not UserMailbox.

    So I have a few questions...

    Can a certificate be assigned to a shared mailbox / a shared mailbox's disabled user?
    Are users with permissions to the shared mailbox able to open encrypted emails sent to the shared mailbox by other users, or by one of the users who have permissions to the shared mailbox?

    Hope you can help me figure it out. Any documentation will be also helpful.

    Tuesday, October 24, 2017 2:48 PM

Answers

  • Hi Avisa,

    Appreciate your patience. 

    Yes, S/MIME can work with a shared mailbox for signing and encryption when sending or receiving an email, based on my test. As you can see in the screenshot below, user Jessie has full access to the shared mailbox SMB. The emails sent to SMB are encrypted and can be decrypted and displayed correctly in the user's Outlook.

    The key point is to get appropriate certificates for the user mailboxes and the shared mailbox. A certificate template would be required if you are using an enterprise CA in your environment. Perhaps you have already created it for your users. Here is an article on how to create a certificate template for S/MIME: http://davidmtechblog.blogspot.sg/2013/06/exchange-2010-security-smime-part-1.html.

    Since the account of a shared mailbox is disabled, you as the administrator can enroll a certificate for the shared mailbox. See: Enroll for Certificates on Behalf of Other Users. You will need a certificate to do this.

    After enrolling a certificate, export the certificate with its private key and import it on the other computers that use this shared mailbox. To send an encrypted email to another user from the shared mailbox, manually change the From address to the shared mailbox. In the new email, click Options -> enable encrypt and digital signature. Under Security settings, click Change Settings to choose the shared mailbox's certificate and save the settings to send.

    If the certificate for the shared mailbox is missing or invalid, you cannot sign or encrypt this message.

    From my understanding, the mechanics of how S/MIME works for a shared mailbox should be the same as how it works for normal users. When sending a message, the sender's private key is used for signing and the recipient's public key for encryption. When the message is delivered, the recipient uses his private key to decrypt the message and uses the sender's public key to verify that he is the real signer. Here the recipient is the shared mailbox, and its certificate is used for encryption and decryption. You can see the following article for a detailed explanation: https://technet.microsoft.com/library/aa995740(v=exchg.65).aspx.


    Regards,

    Alex Sun


    Please remember to mark the replies as an answer if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Alex Sun MS Friday, October 27, 2017 1:29 PM
    • Marked as answer by Avisa Monday, October 30, 2017 2:56 PM
    Friday, October 27, 2017 12:49 PM
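The sign-and-encrypt mechanics described in the answer above, as an added example that is not part of the original thread and not Exchange or Outlook code: a simplified Go model (not real CMS/S/MIME encoding; the names Jessie, SMB and all keys are constructed) showing that whoever holds the shared mailbox's exported private key can decrypt mail sent to it, while the sender's own key is what proves who signed.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is a simplified model of an S/MIME signed-then-encrypted message (not real CMS
// encoding): the content key is wrapped to the recipient's public key, the body is AES-GCM.
type Envelope struct{ WrappedKey, Nonce, Body, Signature []byte }
// Seal: the sender's private key signs; the recipient's public key protects the content key.
func Seal(sender *rsa.PrivateKey, rcpt *rsa.PublicKey, msg []byte) (*Envelope, error) {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, h[:])
	if err != nil { return nil, err }
	cek, nonce := make([]byte, 32), make([]byte, 12) // fresh per-message key and nonce
	rand.Read(cek); rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rcpt, cek, nil)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(cek); gcm, _ := cipher.NewGCM(block)
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil), sig}, nil
}
// Open: only a holder of the recipient's private key recovers the content key; the sender's
// public key then confirms who really signed. Either failure leaves the message unreadable.
func Open(rcpt *rsa.PrivateKey, senderPub *rsa.PublicKey, e *Envelope) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, rcpt, e.WrappedKey, nil)
	if err != nil { return nil, errors.New("this private key cannot unwrap the content key") }
	block, _ := aes.NewCipher(cek); gcm, _ := cipher.NewGCM(block)
	msg, err := gcm.Open(nil, e.Nonce, e.Body, nil)
	if err != nil { return nil, err }
	h := sha256.Sum256(msg)
	if rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, h[:], e.Signature) != nil { return nil, errors.New("signer is not the claimed sender") }
	return msg, nil
}
// Demo mirrors the thread's test with constructed keys: Jessie mails shared mailbox SMB.
// Whoever holds SMB's exported private key can read it; a mailbox without that key cannot.
func Demo() (delegateReads, outsiderFails, wrongSignerFails bool) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	jessie, smb, other := gen(), gen(), gen() // smb: enrolled on behalf of the disabled account
	env, _ := Seal(jessie, &smb.PublicKey, []byte("report for SMB"))
	msg, err := Open(smb, &jessie.PublicKey, env)
	delegateReads = err == nil && string(msg) == "report for SMB"
	_, err = Open(other, &jessie.PublicKey, env); outsiderFails = err != nil  // no SMB private key
	_, err = Open(smb, &other.PublicKey, env); wrongSignerFails = err != nil // signer is not Jessie
	return
}
```

Note that the delegate never needs a certificate of their own to read mail addressed to SMB; their personal certificate only matters when they sign as themselves.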

All replies

  • Hi Avisa,

    Based on my research, there is no article that covers the S/MIME function for a shared mailbox. From my understanding, it is critical whether we can get a certificate for the shared mailbox and retrieve its public key for encryption and private key for decryption. We may need to build the environment for a test. Could you allow us some time? We will post back after there is any update.

    Regards,

    Alex Sun


    Please remember to mark the replies as an answer if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 25, 2017 9:29 AM
  • Hi Alex,

    Thank you for your reply!
    I've been searching for hours for an article that covers this as well, with no luck.

    Regarding your question, of course! If you can build a test environment to check it, go ahead and let me know what you find.

    Thanks!

    Wednesday, October 25, 2017 2:02 PM
  • Hi Alex,

    Thank you very much for taking the time to test and explain this!
    Really appreciate it!


    Avi.

    Monday, October 30, 2017 2:58 PM
  • Hi

    I appreciate that this is an old thread, but as it's similar to my issue I thought I would add it here, hopefully to get a response.

    I did post a separate thread, but after 114 views I have had no response. Here is my post:

    Hi

    We have an Exchange 2016 Server and need to set up s/mime with a shared mailbox for users using Outlook 2010.

    I have two points I need help with.

    I plan to purchase a client certificate for this, but as the account of the shared mailbox is disabled, can anyone point me in the direction of how to enrol the certificate for the shared mailbox?

    Also, as the encrypted emails will be coming into the shared mailbox, after enrolling the certificate and exporting it to the users' PCs, will they be able to decrypt mail sent into the shared mailbox, or do they also require a certificate for their own mailbox?

    Any help appreciated

    Regards

    John

    Thursday, May 16, 2019 12:54 PM