Implementing and Maintaining Message Security Support for E-Mail Clients in Exchange 2003

In addition to implementing and maintaining support for message security in Exchange 2003, you must also implement and maintain support for the e-mail client.

As discussed in Understanding How Exchange 2003 Supports Message Security, Exchange supports S/MIME in e-mail clients through the same protocol that it provides for all e-mail clients. Any e-mail client that can connect to Exchange 2003 that also supports S/MIME version 3 is a possible S/MIME e-mail client for an Exchange-based S/MIME system. The e-mail clients that Exchange provides support for are:

  • Microsoft Outlook® MAPI-based clients

  • Internet standards Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) clients

  • Outlook Web Access clients

  • Outlook Mobile Access clients

  • Exchange ActiveSync® clients

The e-mail client and PKI work together to provide the functionality for message security, digital signatures, and encryption. The Exchange server only provides delivery and storage of the S/MIME messages.

Because Exchange places no limitation on which e-mail clients can provide S/MIME functionality, any Exchange 2003 client could be an S/MIME client if the e-mail client provides S/MIME functionality. However, not all clients that connect to Exchange 2003 provide S/MIME functionality. Specifically, only the following e-mail clients provide full S/MIME functionality:

  • Outlook clients (MAPI-based)

  • Internet standards clients (POP3 and IMAP4)

  • Outlook Web Access clients using the S/MIME control (Internet Explorer 6 or later with the S/MIME control)

The following Exchange 2003 clients do not provide support for S/MIME functionality:

  • Outlook Web Access clients without the S/MIME control

  • Outlook Mobile Access clients

  • Exchange ActiveSync clients

The only S/MIME operation that these e-mail clients support is reading clear-signed e-mail messages. The signatures on these messages are not verified or kept. When you implement support for e-mail clients in Exchange, consider the limitations of some of the Exchange e-mail clients. Appendix A, "S/MIME Support in Exchange 2003 E-Mail Clients," provides a complete list of Exchange e-mail clients and the S/MIME functionality that they support.
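The following added example (not part of the original page) shows why clear-signed messages stay readable on clients without S/MIME support: a clear-signed message is `multipart/signed` with the content as an ordinary MIME part, while opaque-signed and encrypted messages wrap the content inside an `application/pkcs7-mime` object. The sample messages, addresses, and function names are constructed for illustration.

```python
from email import message_from_string
# Constructed samples (not from the page); base64 bodies are placeholders, not real CMS data.
CLEAR_SIGNED = """\
From: alice@example.com
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Figures follow next week.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""
OPAQUE_SIGNED = """\
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""
ENCRYPTED = OPAQUE_SIGNED.replace("signed-data", "enveloped-data")

def classify(msg):
    """Name the S/MIME packaging of a parsed message from its Content-Type."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol", "")).lower()
        return "clear-signed" if proto.endswith("pkcs7-signature") else "other-signed"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        kinds = {"signed-data": "opaque-signed", "enveloped-data": "encrypted"}
        return kinds.get(str(msg.get_param("smime-type", "")).lower(), "pkcs7-unknown")
    return "not-smime"

def text_without_smime(raw):
    """Return (kind, text); text is what a client with no S/MIME code can display."""
    msg = message_from_string(raw)
    kind = classify(msg)
    if kind != "clear-signed" or not msg.is_multipart():
        return kind, None  # content is inside the CMS blob (or message is malformed)
    for part in msg.get_payload()[0].walk():  # part 1 = content, part 2 = signature
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "us-ascii"
            return kind, part.get_payload(decode=True).decode(charset, "replace")
    return kind, None
```

The text is returned without touching the `smime.p7s` part, so nothing here establishes who sent the message or whether it was altered.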

Because the Exchange server only provides delivery and storage of S/MIME messages, implementing and maintaining support in Exchange means supporting the e-mail client protocols that the e-mail clients use. By supporting e-mail client protocols, you also support those clients who deliver and store S/MIME messages. For more information, see Implementing and Maintaining E-Mail Clients to Support Message Security in Exchange 2003 and Implementing and Maintaining the Outlook Web Access S/MIME Control.

Protocol connectivity is not all that is required for e-mail clients to use S/MIME. Because the e-mail client and PKI provide S/MIME functionality, before S/MIME is fully functional, both the e-mail client and PKI must be configured to work together and to work with the Exchange server.

The following table lists each component that needs to be configured, the component to which it is connected, and a source of information.

Configuring component connectivity and sources of information for e-mail client functionality

Component to configure    Component to connect to    Source of information
Exchange server           E-mail client
E-mail client             Exchange server
PKI                       E-mail client
E-mail client             PKI

If you do not currently have a PKI and do not want to deploy a PKI, you can still consider the advantages of S/MIME. Depending on the e-mail clients that are deployed and their support for PKIs, you may be able to implement e-mail clients to use a public certification authority. For more information, see Implementing and Maintaining E-Mail Clients to Support Message Security in Exchange 2003 and Implementing and Maintaining the Outlook Web Access S/MIME Control.