Encrypting Emails
Question asked by Francis Gibbons - November 29, 2017 at 10:51 AM
Unanswered
Hello All,
 
I am using Smartermail 15.5 on a Windows 2012 server. I wanted to know is there a way to encrypt mail being sent out of Smartermail webmail/mobile/Outlook? If so, can someone provide a walkthrough or resource on how to do it? And what are the pros/cons of doing this and how does it get decrypted on the receiving side?
 
If smartermail doesn't support encrypting emails is there a third party service that does and works with smartermail to encrypt emails?
 
Thank you,
 
Frank G.

11 Replies

0
Kyle Kerst Replied
Frank, I don't believe you can directly encrypt the contents of your emails OOB. Your best bet for ensuring encrypted traffic during transmission is to add an SSL certificate to your SMTP port definition, and make TLS mandatory on SMTP. This will ensure your server will use an encrypted session during send/receive operations so long as TLS/SSL is supported on the remote end point.
Kyle Kerst Cameron Solutions LLC www.cameron-solutions.com
2
Scarab Replied
Adding a Security Certificate and enabling TLS in Smartermail Enterprise will encrypt messages IN TRANSIT but it will not encrypt them AT REST. If you are needing HIPAA Compliance for Required Providers (as opposed to Addressable Providers for which AT REST encryption is optional), for example, then you would need to use S/MIME or OpenPGP in supported MUA email clients (Outlook, Thunderbird, Apple Mail, IBM Notes). Although SmarterMail does handle the delivery of S/MIME & OpenPGP encrypted emails it can neither display nor create AT REST encrypted emails from within the webmail client itself. 
 
In practice S/MIME & OpenPGP are clumsy at best. We have had only a handful of clients try using it and have all met with frustration as it involves getting a personal Email Certificate to install in their MUA email client and then exchanging Public Keys with their contacts that they want to encrypt emails to by using signed email signatures. Once you have exchanged keys with a contact it is easy however as you can either choose to encrypt & sign all outgoing messages in your MUA email client, or in some cases enforce this as a Domain Policy. Especially since personal Email Certificates need to be renewed annually (just like any other kind of Security Certificate) this becomes troublesome for many end-users, especially if they get a new computer and didn't export their Private Key, resulting in the inability to read encrypted messages sent to them previously...as well as keeping the Public Keys for contacts updated on an annual basis.
 
Step-by-step instructions for setting up Outlook to use S/MIME encryption can be found at https://www.comodo.com/support/products/email_certs/outlook.php. Comodo is the only provider that I am aware of that offers free personal Mail Certificates so we tend to suggest them to our Smartermail users.
 
Alternately you can use a third-party secure Messaging Portal or a service that provides Incoming/Outgoing Gateway Encryption over SMTP TLS although in many cases this requires the recipient to login to those third-party services to access the encrypted email.
0
Kyle Kerst Replied
Excellent response, and clearly details both sides of the coin.
Kyle Kerst Cameron Solutions LLC www.cameron-solutions.com
0
Hello Kyle,

Thank you for the response. What happens if TLS/SSL isn't supported? Doesn't that mean the receiving end will not be able to review the email? If so, how often does something like this happen?
0
Hello Scarab, thank you for the response. I just don't understand why this all seems so difficult. So if I understand you correctly, if I were to use something like OpenPGP the person(s) receiving my emails would have to install an email certificate, is that correct? If so, that doesn't seem practical and a major hassle. As for the third party, that might be a little easier but still a pain. Especially if the receiving side isn't aware of doing this. In your own personal opinion, what would you do if you wanted to encrypt your email?
0
Matthew Sine Replied
Scarab,
Would using an encrypting file-system on the server itself qualify for AT REST encryption under HIPAA compliance rules for Required Providers?
Matthew J. Sine, General Manager, 8Dweb LLC, "Making the Web a Happy Place"
0
Kyle Kerst Replied
You're very welcome, always happy to help. In scenarios where TLS/SSL has been forced, and non-encrypted channels are unavailable, the transmitted email would be retried a number of times before being sent back to the sending user as non-deliverable. It becomes critical in these situations to ensure the SSL/TLS suites enabled on your SmarterMail server are configured per best practices, and within industry standards. A good way to go on that front is to install IIS Crypto on the SM server and use the "Best Practices" button. Please keep in mind though that third party email servers NOT adhering to these standards may have trouble delivering mail to your server or vice versa.
Kyle Kerst Cameron Solutions LLC www.cameron-solutions.com
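Added example, not part of the original thread and not SmarterMail code: a small Python sketch of the behaviour discussed above, showing how a sender decides between encrypted delivery, plaintext fallback (opportunistic TLS) and retry-then-bounce (mandatory TLS) from the peer's EHLO reply. The function names and the sample EHLO replies are constructed for illustration; `probe()` uses the standard `smtplib`/`ssl` modules and is meant to be pointed at a mail server you administer.

```python
import smtplib
import ssl

# Constructed EHLO replies (sample data, not captured from a real server).
EHLO_WITH_TLS = "250-mail.example.test Hello\r\n250-SIZE 31457280\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-legacy.example.test Hello\r\n250-SIZE 10485760\r\n250 8BITMIME"


def advertises_starttls(ehlo_reply: str) -> bool:
    """Return True if a raw multi-line EHLO reply lists the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Each reply line is '250-<keyword ...>' or, for the last one, '250 <keyword ...>'.
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def delivery_outcome(ehlo_reply: str, tls_required: bool) -> str:
    """Model what the sending server does with a message for this peer."""
    if advertises_starttls(ehlo_reply):
        return "encrypted"
    # No STARTTLS offered: mandatory TLS refuses to send, opportunistic TLS falls back.
    return "retry-then-bounce" if tls_required else "plaintext"


def probe(host: str, port: int = 25, timeout: float = 10.0):
    """Live check (needs network): negotiated (protocol, cipher), or None if no STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        # The default context verifies the certificate chain and host name.
        smtp.starttls(context=ssl.create_default_context())
        return smtp.sock.version(), smtp.sock.cipher()[0]


if __name__ == "__main__":
    for name, reply in (("with STARTTLS", EHLO_WITH_TLS), ("without STARTTLS", EHLO_NO_TLS)):
        for required in (False, True):
            print(f"{name:17} tls_required={required!s:5} -> {delivery_outcome(reply, required)}")
```

Running `probe()` against your own server after changing cipher settings shows which protocol version and cipher a default-configured client actually negotiates.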
0
If anyone is looking for a less configuration required solution that is proven to work reliably there is zixmail. I have a handful of customers that use it. Zix offers both a standalone email client as well as an Outlook plugin that connect to zixmail servers for the encryption key exchange. All this comes at a cost as opposed to OpenPGP etc. but for those not wanting to learn the ins and outs of key generation and cipher requirements, it's a good option.
0
Hello Matthew, thank you for the response. Can you tell me what does it cost and is that per mailbox or domain? Also do you find a lot of issues for the receiving end decrypting the mail?
0
Noreen Braman Replied
I have a related question. We are new to this, but handle some confidential information, and have to get up to speed.
 
We have SSL on the mail server. Everyone is encouraged to use the Smartermail interface as opposed to MAC mail to access mail on their desktop (because right now I can't find out if MAC mail is secure). Cell phones are a problem. If people are using their cell phone app, rather than the smartermail mobile interface - does the SSL still apply?
 
Also, what about if you are accessing your email on your phone via the Smartermail mobile interface, and it is coming up http:// instead of https://?
 
0
Michael Muller Replied
Regarding your last question: you would add a URL Rewrite rule in IIS (if that's what you're using) to redirect the browser to https if it is not coming in using https.
---
Montague WebWorks
Powered by RocketFusion
