Exchange Server 2003 Message Security Guide: Introduction


Topic Last Modified: 2005-05-19

With the growth of the Internet in recent years, e-mail has fundamentally changed. It is no longer only an internal tool within companies and organizations. Instead, it now unites people across companies and countries, and has even allowed people on Earth to share information with those in space as if they were in the same building. E-mail has arguably become the single most important benefit of the Internet to date. As people and companies increasingly integrate e-mail into their lives, its importance increases daily. Where e-mail was once a convenience, it is now a necessity. Before, people used e-mail simply to send short, unimportant notes to one another. Now, people use e-mail to send critical information.

The unprecedented growth of e-mail has been enabled by the worldwide adoption of the underlying protocol or language of Internet e-mail: Simple Mail Transfer Protocol (SMTP). The SMTP standard makes it possible for different e-mail systems connected to the Internet to exchange information with one another.

However, despite all the benefits that SMTP has brought to the Internet, it has an inherent problem. The SMTP standard was originally developed to carry brief, relatively unimportant messages on a closed network, not to carry critical and sensitive information in an interconnected world. No one who developed SMTP imagined that it would play the role it plays today. Because of that, SMTP was not designed to protect the type of information it carries today across the networks it crosses today. It was designed to carry simpler information across simpler networks, hence the name Simple Mail Transfer Protocol. For example, SMTP sends messages across the Internet without encryption, so anyone who can observe the traffic can read the message.

Fortunately, Secure/Multipurpose Internet Mail Extensions (S/MIME) has emerged as a standard that adds security capabilities to SMTP e-mail messages. With S/MIME, encryption protects the contents of e-mail messages, and digital signatures verify the identity of the purported sender of an e-mail message.

Implementing S/MIME for e-mail requires a solution that spans multiple products and technologies. This book provides guidance on how to implement S/MIME with Microsoft® Exchange Server 2003. In addition, this book provides guidance and pointers to other resources where those are necessary.

Essentially, this book provides detailed answers to the following questions:

  • What is S/MIME?

  • What security services does S/MIME provide?

  • What are the components of an Exchange 2003-based S/MIME system?

  • What steps need to be taken with other technologies to implement S/MIME in Exchange 2003?

  • How does someone using Key Management Server in Exchange Server version 5.5 or Exchange 2000 Server upgrade to Exchange 2003?

  • What is the Microsoft Office Outlook® Web Access with S/MIME control, and how does it work?

Although practically anyone with a technical background can benefit from reading this book, it is designed to produce maximum benefits for the following professionals.

Exchange Administrators

Those individuals responsible for installation, maintenance, and administration of Exchange Server 2003 in the enterprise.

E-Mail Client Administrators

Those individuals responsible for installation, maintenance, and administration of e-mail client software in the enterprise.

Public Key Infrastructure (PKI) Administrators

Those individuals responsible for planning, deployment, maintenance, and administration of the PKI in the enterprise.

Before reading this book, you may find it helpful to familiarize yourself with the following terms.

Public-Key Cryptography Standards #7 (PKCS #7) Encoded

An encoding format that is used when storing S/MIME digital certificates in a directory. PKCS #7 is used in Microsoft Active Directory® directory service to store digital certificates in the userSMIMECertificate attribute.

Distinguished Encoding Rules (DER) Encoded

An encoding format that is used when storing X.509 v3 digital certificates in a directory. Active Directory uses DER encoding to store digital certificates in the userCertificate attribute.

Plaintext

In this book, plaintext (or cleartext) is used to differentiate unencrypted information from encrypted information. Do not confuse plaintext with plain text when referring to the format of an e-mail message. In that context, plain text is used to differentiate a message's format from HTML format or Rich Text Format (RTF). When discussing message security, plaintext is used to differentiate from ciphertext and indicates that the text is not encrypted.
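The two directory encodings defined above look alike on the wire: both begin with an ASN.1 SEQUENCE. The following added example (not part of this guide or of Exchange) is a minimal DER tag-length-value walker that tells a bare DER-encoded X.509 certificate, the userCertificate form, from a PKCS #7 SignedData wrapper, the userSMIMECertificate form, and rejects truncated or malformed values; the sample blobs are hand-constructed header stubs, not real certificates.

```python
# Added example, not from the guide: distinguish a bare DER X.509 certificate
# (userCertificate) from a PKCS #7 SignedData wrapper (userSMIMECertificate).
# Sample blobs at the bottom are hand-constructed stubs, not real certificates.

PKCS7_SIGNED_DATA_OID = "1.2.840.113549.1.7.2"  # id-signedData (RFC 2315)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long-form length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):    # DER forbids indefinite length
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode OID content octets into dotted-decimal form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def classify(blob):
    """Return 'x509', 'pkcs7' or 'unknown' for a DER-encoded attribute value."""
    try:
        tag, body, _ = _read_tlv(blob, 0)
        if tag != 0x30:                     # both forms start with SEQUENCE
            return "unknown"
        inner_tag, inner, _ = _read_tlv(body, 0)
        if inner_tag == 0x06 and _decode_oid(inner) == PKCS7_SIGNED_DATA_OID:
            return "pkcs7"                  # ContentInfo { signedData, [0] ... }
        if inner_tag == 0x30:
            return "x509"                   # Certificate { tbsCertificate, ... }
    except (ValueError, IndexError):
        pass
    return "unknown"


# Constructed stubs: a PKCS #7 ContentInfo header and a Certificate header.
SAMPLE_PKCS7 = bytes.fromhex("300f06092a864886f70d010702a0023000")
SAMPLE_X509 = bytes.fromhex("30073005a003020102")
```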

For more information, see the Exchange Server 2003 Glossary.