Email Encryption protects email content from exposure to inappropriate recipients. Encrypting email doesn’t require the sender certificate but the certificate and the public key of the recipient.
For example:
sender@emailarchitect.net sends an email to
rcpt@emailarchitect.net with digital signature,sender@emailarchitect.net,rcpt@emailarchitect.net can send an email encrypted by public key of this certificate back to
sender@emailarchitect.net.sender@emailarchitect.net can read this email, because this email can ONLY be decrypted by private key of
sender@emailarchitect.net.
Therefore, you must receive a digital signed email from other people ( Most email clients such as outlook, outlook express will add the certificate to the Other People Storage automatically once an digital signed email is received) before you can return an encrypted email to this people.
To encrypt email with EA S/MIME in your IIS SMTP Service or Exchange Server, you need to export the recipient’s certificate first.
Most popular email clients support email encryption. To enable email encryption in your email client, you need the certificate of the email recipient. You can refer to the documentation of your email client for the settings.
This tutorial introduces how to use S/MIME Plugin to encrypt email in IIS SMTP Service or Exchange 2003 automatically without an email client. If you send emails from an email tool that doesn’t support email encryption, this plugin can help to encrypt email on server side.
In IIS SMTP Service or Exchange 2003, S/MIME Plugin works as a SMTP event sink; in Exchange 2007/2010/2013/2016, it works as a transport agent. It encrypts an email with a digital certificate based on pre-defined rules.
An encryption rule can be defined for a single recipient or multiple recipients.
To view/import/export certificate in
Current User Store and
Local Machine Store, you can open the
Certificates MMC Snap-in like this:
Windows Start menu, click
Run, and then type
mmc. Click Enter. This starts the
Microsoft Management Console (MMC).File menu and then click
Add/Remove Snap-in.
Add/Remove Snap-in window, click the
Add button.Certificates and then click
Add.My user account,Certificates and then click
Add again.Computer account, and then click
Next.Local computer, and then click
Finish. This adds the Certificates Snap-in to the list. Close the window.OK. This adds the Certificates snap-in to the mmc console.Now you can view all certificates in current user store and local machine store.
As S/MIME Plug can’t access certificates from the
Current User Store, if your certificate is stored in the
Current User Store, you must export it from the
Current User Store.
You can export certificate from
Current User Store like this:
Certificates MMC Snap-in, select
Certificates - Current User ->
Personal ->
Certificates,Certificates - Current User ->
Other People ->
Certificates,Ctrl +
Left Click,All Tasks ->
Export ->
Next
No, do not export the private key,
DER encoded binary X.509 (.CER),Microsoft Serialized Certificate Store (.SST) or
Personal Information Exchange - PKCS #12 (.PFX) ->
Next,Password, and input a password as protection password,You can use the exported certificate file as Certificate Source in S/MIME Plugin.
Note
The certificate without a private key is used for email encryption only.
You can import a certificate file to
Certificate Machine Store like this:
Certificates MMC Snap-in, select
Certificates - (Local Computer) ->
Personal ->
Certificates,All Tasks ->
Import,
Next,Mark this key as exportable ...,Personal ->
Next ->
Finish.After certificate file was imported to
Certificate Machine Store, you can use
Certificate Machine Store as
Certificate Source instead of certificate file.
If the email digital certificate is not issued by third-party authorities, the email client will prompt an error of “Certificate is not issued by a trusted publisher”.
However, for internal enterprise usage or test purpose, you can create a self-signed root certificate and issue this digital
certificate to internal users by
New-SelfSignedCertificate PowerShell cmdlet.
Note
If you have an existing certificate from third-party authorities, you can skip this section.
Note
New-SelfSignedCertificate requires PowerShell 3.0 on Windows 10, Windows 8/8.1 and Windows Server 2012/2012 R2/2016.
You can create a root certificate like this:
New-SelfSignedCertificate -Type Custom -HashAlgorithm sha256 -KeyLength 2048 -KeyUsage CRLSign, CertSign, KeyAgreement, DataEncipherment, KeyEncipherment, DigitalSignature -KeyAlgorithm RSA -Subject "CN=Test Root V1" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (get-date).AddDays(7300)
Then the new root certificate can be found in
Certificates MMC Snap-in, select
Certificates - Current User ->
Personal ->
Certificates.
Now you can issue the certificate to users from root certificate like this:
Here is an example to issue the certificate from the root certificate generated in the previous section.
Set-Location -path cert:\CurrentUser\My
$signer = Get-Childitem -DnsName "Test Root V1"
New-SelfSignedCertificate -HashAlgorithm sha256 -Type Custom -Subject "E=test@emailarchitect.net,CN=SMIME Tester 2048" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.4","2.5.29.17={text}email=test@emailarchitect.net&upn=test@emailarchitect.net") -KeyLength 2048 -KeyAlgorithm RSA -SmimeCapabilities -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (get-date).AddDays(365) -Signer $signer
Then the new email certificate can be found in
Certificates MMC Snap-in, select
Certificates - Current User ->
Personal ->
Certificates.
You can export it together with a private key as a pfx file and use it in
Certificate Source. Alternatively, you can install a pfx file to
Certificates (Local Computer) ->
Personal ->
Certificates and use
Machine Store as
Certificate Source.
If you used the above certificate to sign emails, email client would give an error about
Certificate is not issued by a trusted publisher. You can install the root certificate to client machines like this to avoid the error.
Now you can export the root certificate to a cert file and install it on
Trusted Root Certification Authorities:
Certificates MMC Snap-in, select
Certificates - Current User ->
Personal ->
Certificates,All Tasks ->
Export ->
Next
No, do not export the private key,
DER encoded binary X.509 (.CER),Install it to
Local\Computer\Trusted Root Certification Authorities
Certificates MMC Snap-in, select
Certificates - (Local Computer) ->
Trusted Root Certification Authorities ->
Certificates,All Tasks ->
Import,Next,Trusted Root Certification Authorities ->
Next ->
Finish.Install it to
Current User\Trusted Root Certification Authorities
Certificates MMC Snap-in, select
Certificates - Current User ->
Trusted Root Certification Authorities ->
Certificates,All Tasks ->
Import,Next,Trusted Root Certification Authorities ->
Next ->
Finish.After you installed the root certificate to
Trusted Root Certification Authorities, user certificate chain becomes valid now.
Let’s create a test email encryption rule for a recipient like this:
Email Encryption ->
New,Recipient Address,
Certificate Source to
Cert file (.cer),Cert file path,Important
IIS SMTP Service is running as
Local System user, and Exchange Transport Agent is running as
Network Service user, so do not put the certificate file to
Desktop or user-dependent folder, S/MIME Plugin doesn’t have permission to read certificate files in these locations.
Save to save current rule.After rule is saved, click
Test, current rule will be executed with a virtual email message, you can find the result in test dialog box.
If
Test all rules is checked, all rules defined on current machine will be executed with a virtual email message.
If the test result looks good, you can send a test email to that recipient, and validate if the received email was encrypted.
A single email address or email address with wildcard (* and ?) can be used in Recipient Address. It indicates current rule is only enabled for matched recipient address.
An encryption certificate can be only used for a specific email address. For example, you cannot use
test@emailarchitect.net's certificate to encrypt email to
support@emailarchitect.net, email client would prompt an error due to address not match.
Therefore, if you used wildcard (* and ?) in recipient address, you should specify a
Certificate Source that contains multiple certificates, and set
Certificate Match Rule to
Match certificate by recipient email address, to enable S/MIME Plugin to find the correct certificate to encrypt the email.
Note
If no certificate is identified for all recipients, the message won’t be encrypted.
Look up the certificate from Windows built-in certificate machine store.
Look up the certificate from specified P12/Pfx (.pfx, .p12) file.
Look up the certificate from specified Sst (.sst) file.
Look up the certificate from specified Cert (.cer) file.
Machine store, pfx file and sst file can contain multiple certificates, while cert file can only contain one certificate. Please refer to Import, Export and Generate Test Certificate to learn how to import/export certificate from certificate store.
This option is recommended. The digital certificate can be found based on recipient email address, it can be used with any certificate source.
To use this option,
Recipient Address should not contain wildcard (* and ?). You can use it when the certificate subject doesn’t contain an email address.
Rc2, TripleDes, Aes-128, Aes-192 and Aes-256 are supported. For security reason, Aes-128, Aes-192 or Aes-256 is recommended.
To comply with EDIFACT in Germany/EUROPE, please select sha256 or higher SHA algorithm in OAEP hash algorithm option and use AES-128/192/256 encryption algorithm.
Tnef is an internal email format in Exchange Server. If this option is checked, Tnef messages will first be converted to RFC822/message format by S/MIME Plugin, and then be encrypted by the specified certificate.
See Also
Email Disclaimer
Digital Signature
Journal and Troubleshooting
Appendix - Set up DomainKeys/DKIM
Appendix - Set up SPF record in DNS server
Online Tutorials:
Add Disclaimer or Signature with Embedded Images in Exchange Server 2007/2010/2013/2016/2019 - Tutorial
Add Digital Signature (S/MIME) to Email in Exchange Server 2007/2010/2013/2016/2019 - Tutorial
Encrypt Email (S/MIME) in Exchange Server 2007/2010/2013/2016/2019 - Tutorial
Add Disclaimer or Signature with Embedded Images in IIS SMTP Service and Exchange Server 2003 - Tutorial
Add Digital Signature (S/MIME) to Email in IIS SMTP Service and Exchange Server 2003 - Tutorial
Encrypt Email (S/MIME) in IIS SMTP Service and Exchange Server 2003 - Tutorial