We have a copy of each user's S/MIME encryption (well, decryption) private keys as well as their certificate centrally managed in an HSM. We want to configure Exchange to automatically decrypt any encrypted emails sent by our employees or to our employees so we can scan it for compliance and security. However, we want the email to stay in its original S/MIME encrypted format when it reaches its final destination. How can we configure Exchange to do this?
1 Answer
Messages encrypted with most client-based encryption solutions, including S/MIME, prevent content inspection on the server. Without content inspection, an organization can't validate that all messages sent or received by its users comply with messaging policies. For example, to comply with a legal regulation, you've configured a transport rule to detect PII, such as a social security number, and automatically apply a disclaimer to the message. If the message is encrypted, the Transport Rules agent on the Transport service can't access message content, and therefore won't apply the disclaimer. This results in a violation of the policy.
Transport decryption https://technet.microsoft.com/en-us/library/dd638122%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396
In addition, when sending an encrypted email, only the intended recipient has the information to perform the decryption operation.
Understanding S/MIME https://technet.microsoft.com/en-us/library/aa995740%28v=exchg.65%29.aspx?f=255&MSPPError=-2147217396
In my opinion, the Exchange server cannot decrypt the encrypted email for compliance and security and then encrypt the email for the intended recipient.
Moreover, if you are using Office 365, you can use the Office Message Encryption (OME). As an admin, you can set up mail flow rules that define the conditions for encryption. When a user sends a message that matches a rule, Office 365 applies encryption automatically.
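The two server-side mechanisms the answer points at (IRM transport decryption and an OME mail flow rule) are both configured from the Exchange Management Shell. The following is an added example, not code from the question or the answer, showing a rule that encrypts outbound mail containing a social security number with the built-in "Encrypt" template and enables transport decryption so the Transport Rules agent can inspect IRM-protected content. The rule name, the template name and the use of the SSN data classification are assumptions for illustration; note that none of this applies to S/MIME, which the server still cannot open.

```powershell
# Added example: Exchange Online / Exchange Server with Azure RMS.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

# 1. Let the Transport service decrypt IRM-protected messages so transport rules
#    can inspect them (Disabled | Optional | Mandatory). With Mandatory, messages
#    the server cannot decrypt are rejected with an NDR instead of bypassing policy.
Set-IRMConfiguration -TransportDecryptionSetting Mandatory

# 2. Mail flow rule: when an outbound message contains a U.S. SSN, apply the
#    built-in OME template "Encrypt" (template name assumed; list with Get-RMSTemplate).
#    Rule name "Encrypt-PII-Outbound" is an assumed value.
New-TransportRule -Name "Encrypt-PII-Outbound" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "U.S. Social Security Number (SSN)"}) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Added example: OME encryption on detected PII; S/MIME mail is not affected"

# 3. Verify what is in place.
Get-IRMConfiguration | Select-Object TransportDecryptionSetting
Get-TransportRule -Identity "Encrypt-PII-Outbound" |
    Select-Object Name, State, ApplyRightsProtectionTemplate
```

The practical consequence for the original question is visible in step 1: transport decryption only works for content protected with the organization's own RMS keys, which the server holds. S/MIME content is enveloped to the recipient's certificate, so even with the private keys escrowed in an HSM there is no supported Exchange setting that decrypts, inspects and re-envelopes the message in transit.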