xiiirolls Posted February 1, 2012

Hi Everyone,

Nice day to everyone. I have an Exchange setup which makes use of Outlook Anywhere and a privately generated cert (HTTPS). Every user that needs to use Outlook Anywhere has to import the privately generated cert. I keep on hearing people say email encryption so that no one can read your mail even if it was hijacked. Is Outlook Anywhere safe from this when sending email to internal users? Is the email encryption necessary? Thanks a lot guys.

sc302 Veteran Posted February 1, 2012

Well, Outlook Anywhere uses encryption (HTTPS) in your case, so yes, it would be safe.

ybrett23 Posted February 1, 2012

> Well, Outlook Anywhere uses encryption (HTTPS) in your case, so yes, it would be safe.

Perfectly safe.

xiiirolls Author Posted February 2, 2012

Is it necessary to have another software encryption for this? Like an add-in or something in Outlook for the users to encrypt their mails? Or is it redundant? Thanks a lot guys.

pupdawg21 Posted February 2, 2012

I think you are confusing using encrypted e-mail and simply encrypting the session. HTTPS simply encrypts the session of you viewing/sending your e-mail. So someone who intercepts the message in transit won't be able to sniff the traffic and read the messages. Anyone internally or externally that receives an e-mail from you will be able to read it if it is not encrypted with S/MIME or similar, which is entirely different from simply connecting to the session using HTTPS.

In large companies, typically they will send encrypted e-mail as well as have the sessions encrypted if highly confidential messages are being sent. So in effect, even if a person were to guess your password and connect to your e-mail, they still would not be able to read ANY of your encrypted e-mails sent to you without an appropriate certificate.

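The difference pupdawg21 describes between an encrypted session and an encrypted message, as an added example that is not part of the original thread: the script encrypts a message to one user's certificate with S/MIME and reports who can read the stored result. It assumes the OpenSSL command-line tool is installed; the names alice and bob, the addresses and the message text are constructed samples.

```bash
#!/usr/bin/env bash
# Added illustration (not from the thread). Names, addresses and the message
# text are constructed samples; the certificates are throwaway self-signed ones.

# Create a private key and self-signed certificate for one mail user.
make_identity() {   # $1 = file prefix, $2 = e-mail address
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2/emailAddress=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Encrypt to the recipient's certificate; only the public key is needed.
smime_encrypt() {   # $1 = plaintext file, $2 = recipient cert, $3 = output file
  openssl smime -encrypt -aes256 -binary -in "$1" -out "$3" "$2"
}

# Decrypt with a certificate and its private key; fails if the message
# was not encrypted to that certificate.
smime_decrypt() {   # $1 = S/MIME file, $2 = cert, $3 = private key
  openssl smime -decrypt -in "$1" -recip "$2" -inkey "$3" 2>/dev/null
}

# Report what each party can read: prints three "name=value" lines.
demo() {
  local dir rc=0
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    make_identity alice alice@example.test || exit 1
    make_identity bob bob@example.test || exit 1
    printf 'Salary review for Q3 is attached.\n' > msg.txt
    smime_encrypt msg.txt alice.crt msg.p7m || exit 1

    # The stored message, as seen by anyone who gets into the mailbox.
    if grep -q 'Salary' msg.p7m; then echo "mailbox=readable"
    else echo "mailbox=ciphertext"; fi
    # Alice holds the matching private key.
    if smime_decrypt msg.p7m alice.crt alice.key | grep -q 'Salary'
    then echo "alice=readable"; else echo "alice=unreadable"; fi
    # Bob has his own key pair but not Alice's private key.
    if smime_decrypt msg.p7m bob.crt bob.key | grep -q 'Salary'
    then echo "bob=readable"; else echo "bob=unreadable"; fi
  ) || rc=1
  rm -rf "$dir"
  return "$rc"
}

demo
```

The HTTPS session never appears in the script: the message stays ciphertext wherever it is stored or forwarded, which is the property the session encryption alone does not give.
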
Roger H. Veteran Posted February 2, 2012

As pupdawg21 says above, you are probably talking about email encryption where even if I sent an email with confidential information to the wrong person, they wouldn't be able to view it without the private key from the sender. So in essence you can send that email to anyone, but only people with the right key/cert will be able to open and view it.

xiiirolls Author Posted February 2, 2012

> I think you are confusing using encrypted e-mail and simply encrypting the session. HTTPS simply encrypts the session of you viewing/sending your e-mail. So someone who intercepts the message in transit won't be able to sniff the traffic and read the messages. Anyone internally or externally that receives an e-mail from you will be able to read it if it is not encrypted with S/MIME or similar, which is entirely different from simply connecting to the session using HTTPS.
>
> In large companies, typically they will send encrypted e-mail as well as have the sessions encrypted if highly confidential messages are being sent. So in effect, even if a person were to guess your password and connect to your e-mail, they still would not be able to read ANY of your encrypted e-mails sent to you without an appropriate certificate.

> As pupdawg21 says above, you are probably talking about email encryption where even if I sent an email with confidential information to the wrong person, they wouldn't be able to view it without the private key from the sender. So in essence you can send that email to anyone, but only people with the right key/cert will be able to open and view it.

Yeah, sorry, I think I was confused. I got it now. Any free software to achieve this?

Roger H. Veteran Posted February 2, 2012

http://www.marknoble.com/tutorial/smime/smime.aspx

Quickest Google search brought me there. Apparently you can get free certs for use with emails only.

sc302 Veteran Posted February 2, 2012

When I was doing research on this, there were no free providers. Everything was pay-for. Basically, you would send an email and if the other side does not have the same service, it stores it on the provider site and a link to that site is sent to the user. The user would then have to create a user ID and password for the site to be able to retrieve the email.

Zixcorp has a free trial if you want to see what I am talking about.
PGP used to be free, now it is pay-for.
Barracuda is now offering it with their spam firewall device.
Cisco has it with their spam solution.

These services do not require the receiver to have anything on their PC as far as having a matching private key to your public key. Can't really expect the receiver to load anything on their computers even if it is beneficial to them.

xiiirolls Author Posted February 6, 2012

If I were to do it (email encryption, S/MIME) in a medium office (40 users), does that mean I need to have a certificate for each user? Is there a way to create the S/MIME cert with the Windows 2008 R2 cert authority? How do I make it as friendly as possible to the user?

Thanks a lot guys.

sc302 Veteran Posted February 6, 2012

IMO, it is pointless for internal users, as once in the DB it doesn't leave the DB. You would be encrypting so that it cannot be intercepted by someone unauthorized. So no, you wouldn't do this for your internal users. Read the documentation that was posted by shotta.

This is what would happen to an internal user:
you send a message - encrypted to mail server - mail gets delivered to internal person

This is what would happen to an external user:
you send a message - encrypted to mail server - mail server sends on your behalf - unencrypted to the internet - user mail server accepts it - don't know what user has for a client or security, possibly encrypted to client but more than likely not encrypted to client - mail gets delivered to external person