Outlook Web Access and S/MIME
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1
Topic Last Modified: 2007-08-17
This topic provides an introduction to using Secure/Multipurpose Internet Mail Extensions (S/MIME) to help secure messages. S/MIME support has been returned to Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007 Service Pack 1 (SP1).
Using S/MIME prevents impersonation and tampering with e-mail messages in Outlook Web Access. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. With S/MIME, users can also digitally sign outgoing messages. When users digitally sign a message, they provide the recipients with a way to verify the identity of the sender and that the message has not been tampered with.
Users must have a digital ID and must install the S/MIME control for Outlook Web Access before they can send encrypted and digitally-signed messages by using Outlook Web Access. They must also have a digital ID and the S/MIME control to read encrypted messages in Outlook Web Access. The S/MIME control is necessary to verify the signature on a digitally-signed message.
The S/MIME control for Outlook Web Access is installed on a user’s computer by using the Outlook Web Access E-Mail Security page in Options. After the user has received a digital ID and the S/MIME control has been installed on their computer, they can use S/MIME to help secure e-mail mail messages.
To support S/MIME in your Exchange organization, you must build a Public Key Infrastructure (PKI).
A PKI is a system of digital certificates, certification authorities, and registration authorities (RAs) that verify and authenticate the validity of each party that is involved in an electronic transaction by using public key cryptography. When you implement a certification authority (CA) in an organization that uses the Active Directory directory service, you provide an infrastructure for certificate life-cycle management, renewal, trust management, and revocation. However, there is some additional cost involved in deploying servers and infrastructure to create and manage Microsoft Windows PKI-generated certificates.
Certificate Services is required to deploy a Windows PKI and can be installed through Add or Remove Programs in Control Panel. You can install Certificate Services on any server in the domain.
If you obtain certificates from a domain-joined Windows CA, you can use the CA to request or sign certificates to issue to the servers or computers on your network. This enables you to use a PKI that resembles a third-party certificate vendor, but is less expensive. Although these PKI certificates cannot be deployed publicly, as other types of certificates can be, when a PKI CA signs the requestor's certificate by using the private key, the requestor is verified. The public key of this CA is part of the certificate. A server that has this certificate in the trusted root certificate store can use that public key to decrypt the requestor's certificate and authenticate the requestor.
A PKI enables organizations to publish their own certificates. Clients can request and receive certificates from a PKI on the internal network. The PKI can renew or revoke certificates.
S/MIME is supported in Outlook Web Access Premium and requires that users log on to Outlook Web Access by using Internet Explorer 7. In addition to requiring Internet Explorer 7, S/MIME also requires that Secure Sockets Layer (SSL) be used by the /owa virtual directory.
When they use S/MIME, users gain additional features that are not otherwise available in Outlook Web Access. These features include the ability to do the following:
Attach messages to messages
Paste images in messages
Attach files by using a simpler UI and let users attach multiple files in a single operation.
When they use S/MIME, users will encounter the following limitations:
WebReady Document Viewing only works in clear-signed messages. It does not work in encrypted messages or in opaque-signed messages.
When some content types are sent from Outlook as S/MIME messages, they cannot be displayed in Outlook Web Access. Outlook Web Access will display a banner in the message header when this happens.
Most S/MIME features are not available when a user opens a folder in another mailbox or uses explicit logon to open another user's mailbox. The only S/MIME feature that is available in those cases is verification of digital signatures.
For information about how to administer S/MIME for Outlook Web Access, see How to Manage S/MIME for Outlook Web Access and How to Enable or Disable S/MIME in Outlook Web Access.
For more information about certificates, see Public Key Infrastructure for Windows Server 2003.
For more information about best practices for implementing a Windows PKI, see Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure.
For more information about how to deploy a Windows PKI, see the Windows Server 2003 PKI Operations Guide.