Configuring S/MIME Security with Outlook Web Access 2003

Email security has become increasingly important because of the possibility of man-in-the-middle attacks, or the risk that an unknown third party sniffs your SMTP traffic on the internet or even on your intranet. In addition, some countries have laws that prohibit sending insecure email. Therefore Microsoft implemented the S/MIME standard in its Exchange Server architecture. The ability to encrypt or sign your emails has become a default feature of all messaging and collaboration systems. In this article we will look at how S/MIME works and how it has to be configured.

In earlier versions of Exchange Server, Microsoft enabled S/MIME security only for MAPI clients and did not recognize that Outlook Web Access was becoming more and more interesting for business use. So with Exchange Server 2003, Microsoft implemented this feature for Outlook Web Access too.

Basics of Email encryption and Email signing

S/MIME relies on asymmetric cryptography, in which an algorithm creates a matching key pair for each user:

  • The public key
  • The private key

Both keys of this pair need to be available whenever encryption or signing is used. If one of them is missing, you will no longer be able to use the corresponding key.

The public key has to be published. The private key can be compared with your identity card or your driving license: it proves your digital identity.

Email Encryption

If you want to make sure that no one can read the SMTP packets on their way from sender to recipient, you will have to encrypt them.

This feature works the following way:

  1. The messaging platform looks for the public key of the recipient.
  2. It now encrypts the message using this public key.
  3. The message is now delivered to the target system.
  4. When the recipient opens the message, his system must have access to his private key to be able to decrypt the message.

Email Signature

When you use a digital signature, you want to make sure that the recipient can verify that you yourself wrote this email and not anyone else. In addition, the recipient can be sure that the email has not been changed on its way.

Email Signing works the following way:

  1. The messaging platform looks for the private key of the sender.
  2. It now hashes the message and encrypts this fingerprint with the private key.
  3. The message is now delivered to the target system.
  4. When the recipient opens the message, his system must be able to access the sender's public key.
  5. It now hashes the message again and decrypts the fingerprint using the public key.
  6. If the sender's fingerprint and the recipient's fingerprint are the same, you can be sure that the message was originally sent by the sender and has not been changed in between.
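The two procedures above, plus the certificate chain check mentioned in the troubleshooting section, carried out with OpenSSL as an added example that is not part of the original article and not the OWA control's own code. Self-signed test certificates for a constructed sender (alice) and recipient (bob) stand in for certificates issued by a real CA, and the openssl binary is assumed to be on PATH.

```shell
#!/bin/sh
# Reproduces the signing, verification, encryption and decryption steps from
# the article with OpenSSL's smime subcommand. Everything here is constructed
# for the demo: self-signed test certificates stand in for ones issued by a
# real CA, and the openssl binary is assumed to be on PATH.
set -e
WORK=$(mktemp -d); cd "$WORK"

# One constructed identity (certificate plus private key) per party.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
make_identity alice   # sender
make_identity bob     # recipient
printf 'Payroll figures are attached.\n' > msg.txt   # constructed message body

# Signing (steps 1-2): a hash of the message is encrypted with the sender's PRIVATE key.
sign_msg() {
  openssl smime -sign -text -in msg.txt -signer alice.crt -inkey alice.key -out "$1"
}
# Verification (steps 4-6): only the sender's certificate (PUBLIC key) is needed;
# exit status 0 means the recipient's recomputed hash matches the signed one.
verify_msg() {
  openssl smime -verify -in "$1" -CAfile alice.crt -out /dev/null 2>/dev/null
}
# Changing one character after signing makes the two fingerprints differ.
tamper_msg() { sed 's/Payroll/Payrol1/' "$1" > "$2"; }

# Encryption (steps 1-2): only the recipient's certificate (PUBLIC key) is needed.
encrypt_msg() {
  openssl smime -encrypt -text -aes256 -in msg.txt -out "$1" bob.crt
}
# Decryption (step 4): needs the PRIVATE key of the party named in $2.
decrypt_msg() {
  openssl smime -decrypt -in "$1" -recip "$2.crt" -inkey "$2.key" 2>/dev/null
}
# Troubleshooting check from the article: is a certificate trusted via its chain?
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

sign_msg signed.eml && verify_msg signed.eml && echo "signature verified"
tamper_msg signed.eml tampered.eml
verify_msg tampered.eml || echo "tampered message rejected"
encrypt_msg enc.eml && decrypt_msg enc.eml bob | grep -q Payroll && echo "bob decrypted it"
decrypt_msg enc.eml alice >/dev/null || echo "alice cannot decrypt"
chain_ok alice.crt alice.crt && echo "alice's certificate chain OK"
```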

Configuring Outlook Web Access 2003 for S/MIME Security

With Exchange Server 2003, Microsoft added the S/MIME feature to Outlook Web Access by means of a control. It relies on the interaction of the web browser and the Exchange server to provide full functionality. This differs from Outlook Web Access without the S/MIME control, because the control provides a fully functional S/MIME email client. It is designed to integrate seamlessly with Microsoft Internet Explorer 6.x or later. The control itself is a Component Object Model (COM) object that also uses dynamic HTML (DHTML) to provide the basic message security services. It controls all access to any certificates required for S/MIME security.

To install the S/MIME control for Outlook Web Access from the download, users must have administrative privileges on their workstation to install the control itself.

These are the detailed steps to install the control:

  1. Use a computer running Windows 2000 or later with Internet Explorer 6 or later and log on to Outlook Web Access.
  2. In OWA, click Options in the navigation pane.
  3. Under Email Security, click Download.
  4. Install the control on your local machine.


Figure 1: Download and install the S/MIME Control

After a successful installation, you can configure the general options for encryption and digital signing.


Figure 2: General Settings for Encryption and Signature

From now on, to digitally sign or encrypt a message in Outlook Web Access, you use the following two new buttons:


Figure 3: Setting Email security individually

If you want digital signing and encryption to be applied by default, you can configure this on the Options page of Outlook Web Access.

To configure the behaviour of the Outlook Web Access S/MIME Control itself, you should have a look at the Exchange Server Message Security Guide, which can be found at:

http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx

Troubleshooting S/MIME Security

In general there won't be any deep problems when configuring S/MIME security with Outlook Web Access. S/MIME is a default feature of all well-known messaging platforms, so in most cases the problem will lie in your own architecture design.

If S/MIME does not work properly, check whether your certificate chain is configured properly, that all required certificates are available and that they are trusted. This can be done by having a close look at the certificate store of each machine in the configuration chain.

If there are still problems, check whether your infrastructure works without S/MIME, using only unencrypted and unsigned transfers.

Conclusion

As described in the chapters above, configuring S/MIME security is no real problem. You just have to configure S/MIME as stated in the step-by-step guide above and make sure that all certificates are valid.

S/MIME is a good security feature and its use will grow in the near future due to security risks and other problems. But you will have to rethink your virus scanning infrastructure, because as of today almost none of the virus scanning engines is able to scan secured email. This is due to the design of email security itself and can only be changed by adding a second key to each message so that it can be scanned properly.

For further information regarding this topic please do not hesitate to contact me.

About Markus Klein

Markus Klein is an MCSA/MCSE Messaging & Security and Microsoft Certified Trainer. Since the beginning of 2009 he has worked as an International System Administrator for www.krohne.com and is a part-time freelance trainer. He specializes in Active Directory, Exchange, Security, ISA Server and Clustering on Windows 2000 and Windows Server 2003 designs, migrations and implementations. Markus is a graduate in business informatics from the University of Applied Sciences in Osnabrueck, Germany.
