Implementing and Maintaining Exchange 2003 Support for Message Security


In the message security system, Exchange is limited to delivering and storing S/MIME e-mail messages. The e-mail client and PKI provide functions for digital signatures and encryption. You integrate these components, rather than configure Exchange Server 2003 to support S/MIME.

If you are familiar with earlier versions of Exchange, you may expect to configure Exchange to issue digital certificates or to configure the Exchange directory so that e-mail clients can access digital certificates. However, these functions are no longer offered by Exchange. PKI functionality for issuing digital certificates with the Key Management Server has been removed from the current version of Exchange. You can now use either Microsoft Windows Server™ 2003 Certification Services or another S/MIME version 3 PKI to issue digital certificates. In addition, the Microsoft Active Directory® directory service replaced the Exchange directory and now provides all directory support. Because of these changes, you do not need to configure Exchange to issue or publish digital certificates.

Administrators of both the PKI and the e-mail client must configure their respective systems to issue digital certificates and make them available. Specific information about connecting to an Exchange 2003-based message security system is discussed in later sections.

When Exchange delivers S/MIME e-mail messages, they are handled the same way as other e-mail messages. There are no separate steps to follow to enable or maintain delivery of S/MIME-based e-mail messages. If you can ensure the delivery of e-mail messages between users, you automatically ensure that those users can exchange S/MIME-based e-mail messages.

When Exchange stores S/MIME e-mail messages, the only requirement is that the message store is configured to handle S/MIME signatures. Because S/MIME messages can be held in both user mailboxes and public folders, both public stores and mailbox stores are configured to hold messages with S/MIME signatures. By default, all public stores and mailbox stores are configured to handle messages with S/MIME signatures. Unless you change the default setting, the Exchange stores hold messages with S/MIME signatures without requiring any actions on your part.

Important

It is recommended that you do not change the default support for messages with S/MIME signatures. If you disable support for messages with S/MIME signatures on a store, messages with S/MIME signatures cannot be held in the store with the changed configuration. If you change the configuration, all messages with S/MIME signatures in that store may be lost. There is no reason to disable support for messages with S/MIME signatures. Disabling this support does not provide performance or storage benefits.

For detailed steps, see How to View the Message Store Configuration for S/MIME Signatures.

When implementing S/MIME in an Exchange 2003 environment, be aware of:

  • Issues when event sinks interact with digitally signed S/MIME messages.

  • Issues when server-based antivirus software interacts with S/MIME messages.

Event Sinks and Digitally Signed Messages

Because event sinks perform actions on e-mail messages when the Exchange server handles them, some event sinks alter the content and headers of an e-mail message. A valid digital signature indicates that a message has not been altered in transit. An event sink that alters the e-mail message invalidates digital signatures. When the recipient receives the message and processes the digital signature, the digital signature will be invalid because the event sink changed the message after the sender signed it.

In addition, event sinks that alter information in the From header of a message can cause issues with e-mail clients that match the sender information in the From header to the X.509 subject name on the digital certificate used to sign the e-mail message. These e-mail clients cannot match the e-mail message to the certificate and may determine that the signature is invalid. For more information about how the e-mail client performs signature validation, see your e-mail client documentation. This issue can be resolved by reissuing the sender's digital certificate to match the address that the event sink puts in the From header.

Antivirus Software and S/MIME Messages

When you use a server-based antivirus solution, the encryption that protects the confidentiality of the message body and attachments from unauthorized users also prevents the server-based antivirus software from inspecting the message and attachments for viruses. Because the antivirus software cannot inspect the message, an encrypted message could carry a virus as an attachment without being detected. Determine how to address this risk in accordance with your security policy.

Also, if an antivirus program detects a virus in a digitally signed e-mail message and cleans the message, this action can render the digital signature invalid because the antivirus program has altered the message while in transit. Although the alteration is not malicious, from the perspective of the digital signature, the message is changed and the message will be identified as altered.
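The following Python model, added here and not part of the original documentation, illustrates the two failure modes described in the event sink section above and the antivirus cleaning case in this section. It builds a constructed clear-signed (multipart/signed) message in which a SHA-256 digest of the signed part stands in for the PKCS#7 signature value that a verifier recomputes, then shows that a sink (or antivirus cleaner) editing the signed body breaks the signature, while a sink that rewrites only the From header leaves the signature intact but breaks the client's match of sender address to certificate. The addresses, subject and the `cert_email` parameter (standing in for the e-mail address in the signer's certificate) are assumptions.

```python
import email
import email.utils
import hashlib

def canonical(entity) -> bytes:
    # RFC 1847: the signature covers the first body part, MIME headers
    # included, in canonical form with CRLF line endings.
    return entity.as_string().replace("\r\n", "\n").replace("\n", "\r\n").encode()

def build_signed(from_addr: str, body: str) -> str:
    # Constructed clear-signed message; the SHA-256 digest of the signed part
    # stands in for the PKCS#7 signature (@SIG@ is filled in once known).
    raw = (f"From: {from_addr}\r\nTo: bob@corp.example\r\nSubject: Q3 figures\r\n"
           "MIME-Version: 1.0\r\n"
           'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
           ' micalg=sha256; boundary="sig"\r\n\r\n'
           "--sig\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n" + body +
           "\r\n--sig\r\nContent-Type: application/pkcs7-signature\r\n\r\n@SIG@\r\n--sig--\r\n")
    signed_part = email.message_from_string(raw).get_payload(0)
    return raw.replace("@SIG@", hashlib.sha256(canonical(signed_part)).hexdigest())

def verify(raw: str, cert_email: str) -> dict:
    # Recipient-side checks: recompute the signed part's digest, then match the
    # From address to the address in the signer's certificate (assumed: cert_email).
    msg = email.message_from_string(raw)
    signed_part, sig_part = msg.get_payload()
    digest = hashlib.sha256(canonical(signed_part)).hexdigest()
    sender = email.utils.parseaddr(msg["From"])[1].lower()
    return {"signature_valid": digest == sig_part.get_payload().strip(),
            "sender_matches_cert": sender == cert_email.lower()}

def sink_append_disclaimer(raw: str, text: str) -> str:
    # Event sink (or antivirus cleaner) that edits the signed body part in transit.
    msg = email.message_from_string(raw)
    part = msg.get_payload(0)
    part.set_payload(part.get_payload() + "\r\n" + text)
    return msg.as_string()

def sink_rewrite_from(raw: str, new_from: str) -> str:
    # Event sink that rewrites only the outer From header, which the signature
    # does not cover: it still verifies, but the sender no longer matches the cert.
    msg = email.message_from_string(raw)
    msg.replace_header("From", new_from)
    return msg.as_string()

if __name__ == "__main__":
    original = build_signed("alice@corp.example", "Revenue is up 4%.")
    for altered in (original, sink_append_disclaimer(original, "Confidential."),
                    sink_rewrite_from(original, "alice@mail.example")):
        print(verify(altered, "alice@corp.example"))
```

Verifying the From-rewritten message against the rewritten address instead models the reissued certificate the event sink section recommends.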

Note

New in SP1: An important new feature in Exchange Server 2003 Service Pack 1 (SP1) is the ability to scan signed S/MIME messages for viruses. Scanning signed messages is now core functionality for virus scanners that use Virus Scanning API (VSAPI) 2.5 on the Exchange mailbox server. In earlier versions of Exchange, it was left to each virus-scanning vendor to parse and scan S/MIME messages. Now, all clear-signed and opaque-signed messages are streamed to the virus scanner in the same way as non-S/MIME messages. By default, any antivirus product that runs on the Exchange server and uses the Exchange VSAPI now scans signed S/MIME messages.