Exchange & Outlook UPDATE, Exchange Edition, May 10, 2002

Secure messaging with Exchange Server; setting up SMTP domains for inbound and relay email in Exchange 2000

Exchange and Outlook UPDATE, Exchange Edition—brought to you by Exchange & Outlook Administrator, a print newsletter from Windows & .NET Magazine that contains practical advice, how-to articles, tips, and techniques to help you do your job today.
http://www.exchangeadmin.com


THIS ISSUE SPONSORED BY

Stop the Fax Machine Madness: Send Faxes via Email (Eval CD)
http://www.faxback.com/cd

Esker Software
http://www.esker.com/exchange0402
(below COMMENTARY)


SPONSOR: SEND, RECEIVE, & MANAGE FAXES FROM EMAIL (EVAL CD)

Give your users the ability to send and receive fax documents from their e-mail system or a browser-based fax application!
http://www.faxback.com/cd

Save money, and make your users more productive. NET SatisFAXtion fax servers seamlessly integrate with all e-mail systems. Register for our 30-day evaluation CD-ROM at:
http://www.faxback.com/cd
or call 800-329-2225, or email [email protected]


May 10, 2002—In this issue:

1. COMMENTARY

  • Secure Messaging and Exchange

2. ANNOUNCEMENTS

  • Mobile and Wireless Solutions—An Online Resource for a New Era
  • Attend Our Free Webinar: Understanding PKI

3. RESOURCES

  • Exchange XCON: Setting Up SMTP Domains for Inbound and Relay E-Mail in Exchange 2000 Server
  • Featured Thread: Public Folder Disaster

4. NEW AND IMPROVED

  • Hypersoft Releases Email-Analysis Software

5. CONTACT US

  • See this section for a list of ways to contact us.

1. COMMENTARY
(contributed by Jerry Cochran, News Editor, [email protected])

  • SECURE MESSAGING AND EXCHANGE

  • I appreciate the feedback I get from readers and often try to incorporate your ideas into this column. This week, by special request from Brian Ko of Minnesota, I want to touch on the problematic subject of using Exchange to provide secure (i.e., digitally signed or encrypted) email.

    Exchange implements secure messaging through the Advanced Security subsystem. This subsystem supports two key functions: signing (i.e., digital signatures for message nonrepudiation) and encryption/decryption. In fact, the Exchange infrastructure and services play a supporting role in secure messaging; the Exchange client (e.g., Outlook, Outlook Express) plays the main role. For secure messaging to work, you need a supporting infrastructure, Exchange services, and client extensions that implement support for digital signing and encryption.

    The infrastructure required for Exchange secure messaging—a public key infrastructure (PKI)—includes many pieces (e.g., directory, Certificate Authority—CA). If you want to extend secure-messaging functionality outside the boundaries of your firewall, secure messaging—and your PKI—become much more complicated. In Exchange Server 5.5 all the necessary infrastructure pieces exist within the Exchange system, so to implement secure messaging through Exchange, you must either deploy an Exchange 5.5-only solution or invest in a third-party solution from a vendor such as VeriSign or Entrust. Because most secure-messaging functionality depends on client capabilities, third-party solutions (which are more easily integrated with both Exchange 5.5 and a variety of clients) are the more likely choice. Exchange 2000 Server and Windows 2000, however, open things up a bit. Exchange 2000—and its clients—can go outside of the Exchange system to use 1) a non-Exchange directory such as Active Directory (AD) or another Lightweight Directory Access Protocol (LDAP) directory, or 2) a Win2K-implemented CA (i.e., Microsoft Certificate Server). Of course, you can still choose a third-party solution, or you can build a hybrid scenario.

    Exchange's Key Management Service (KMS) provides an additional piece of the infrastructure. Whereas earlier versions of Exchange (i.e., Exchange 4.0 to Exchange 5.5) use the KMS and the Exchange Directory Service (DS) as the sole service providers for a PKI infrastructure, Exchange 2000 changes the KMS's role to one that complements the chosen directory, CA, and the rest of the PKI. KMS provides the Certificate Revocation List (CRL), the Certificate Trust List (CTL), and, most importantly, a key-recovery ability for Exchange users. However, an outside (i.e., non-Exchange) source—Win2K, a third-party solution, or a combination of the two—provides the bulk of the PKI functions.

    Perhaps the most complicated part of secure messaging—encryption and signing—is performed by the client and has little to do with Exchange. This fact is one reason that plugging-in a third-party secure-messaging solution is relatively easy. The only thing that Exchange does for this aspect of secure messaging is provide Secure MIME (S/MIME) support. S/MIME adds additional MIME content types to messages to provide confidentiality, integrity, and nonrepudiation. Clients use a scheme called asymmetric encryption to secure email messages. This technique uses a pair of keys, one public and one private, that are mathematically related according to a specified algorithm. When you want to send an encrypted message to someone, your email client retrieves the recipient's public key (from his or her X.509v3 certificate, which is stored in the directory) and uses that key to encrypt the message body and attachments. When the recipient receives the encrypted message, he or she simply uses his or her private key to decrypt the contents. Signing works in similar fashion: The sender uses his or her private key to sign a message, then sends the message. When the recipient receives the message, the recipient's email client locates the sender's public key and uses it to verify the sender's authenticity and the message's integrity.

    Secure messaging should be 100 percent business-driven, not just implemented for the sake of using the technology. To use secure messaging outside of your organization, you must open up your directory (or some portion of it) to partners and customers with whom you want to exchange secure messages. In other words, you essentially must publish your users' public keys—something that many organizations don't want to do because this step is rather difficult and full of potential security risks. This problem exists even when you use third-party solutions. Another challenge is interoperability with partners' secure-messaging systems. Not everyone uses Exchange as a messaging system and Win2K AD as a directory. You can resort to an LDAP directory as a lowest common denominator, but this approach has its problems as well. Finally, the list of mail clients that can participate in secure messaging is limited. For example, there is really no viable solution for a PDA-type client's participation in secure messaging. Even Microsoft Pocket PC devices have no real S/MIME solution (although some solutions are on the horizon).

    These concerns have led many organizations to give up on secure messaging. However, some have persevered, including a rag-tag group spearheaded by The Open Group Electronic Messaging Association (EMA) Forum. The EMA Forum has successfully demonstrated that secure messaging can work across organizations, OSs, PKI providers, and messaging systems. For more information about this project, see
    http://www.ema.org/challenge/SecureMessagingChallenge1-21-02_files/frame.htm


    SPONSOR: ESKER SOFTWARE

    Streamline document exchange, accelerate business processes, and increase user productivity with Pulse for Fax. Pulse for Fax tightly integrates with Microsoft Exchange Server providing a single messaging platform — allowing users to send and receive faxes through their standard Outlook or Exchange client. Intelligent Pulse for Fax technologies streamline fax processing and delivery. Keep your critical documents in motion with Pulse for Fax. Request your FREE information kit today at
    http://www.esker.com/exchange0402


    2. ANNOUNCEMENTS

  • MOBILE AND WIRELESS SOLUTIONS—AN ONLINE RESOURCE FOR A NEW ERA

  • Our mobile and wireless computing site has it all—articles, product reviews, and other resources to help you support a wireless network and mobile users. Check it out today!
    http://www.mobile-and-wireless.com

  • ATTEND OUR FREE WEBINAR: UNDERSTANDING PKI

  • Implementing public key infrastructure (PKI) successfully requires an understanding of the technology with all its implications. Attend the latest Webinar from Windows & .NET Magazine and develop the knowledge you need to address this challenging technology and make informed purchasing decisions. We'll also look closely at three possible content-encryption solutions, including PKI. Register for FREE today!
    http://www.winnetmag.com/webinar/pki.cfm

    3. RESOURCES

  • EXCHANGE XCON: SETTING UP SMTP DOMAINS FOR INBOUND AND RELAY E-MAIL IN EXCHANGE 2000 SERVER

  • Each week, Microsoft posts several Exchange Server how-to articles to its Knowledge Base. This week, learn how to set up SMTP domains in Exchange 2000 Server.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;q260973

  • FEATURED THREAD: PUBLIC FOLDER DISASTER

  • Kevin runs Exchange 2000 Server on a single Windows 2000 Active Directory (AD)-integrated domain. He needs to use the public store for document exchange but is having trouble related to an earlier restore. To offer your advice or join the discussion, go to the following URL:
    http://www.exchangeadmin.com/forums/thread.cfm?cfapp=72&thread_id=104013&mc=1

    4. NEW AND IMPROVED
    (contributed by Bob Kretschman, [email protected])

  • HYPERSOFT RELEASES EMAIL-ANALYSIS SOFTWARE

  • Hypersoft Information Systems released OmniAnalyser 7.1, which provides both automated reporting about corporate messaging systems and communication-pattern analysis. OmniAnalyser can show administrators the number of delayed and nondelivered messages in various parts of a company's email system, the number of messages sent between users and departments, and information about the performance of a company's antivirus software. The product works with Exchange 2000 Server and Exchange Server 5.5. Licensing for one Exchange server costs $600. For more information, contact Hypersoft at [email protected]
    http://www.hypersoft.com

    5. CONTACT US

    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This email newsletter is brought to you by Exchange & Outlook Administrator, the print newsletter with practical advice, tips, and techniques covering migration, backup and restoration, security, and much more. Subscribe today!
    http://www.exchangeadmin.com/sub.cfm?code=neei23xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Hide comments

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish