Hi All, If anyone can help me out with this. I would really appreciate. I need to enable two users from different exchange organizations to be able to send and receive secure e-mail between them. High level and low level steps would be appreciated. Thanks in advance.

Hi, what do you mean when you say "send and receive secure e-mail"? Do you mean encrypted mail? If so the two persons need to get an Key for encryption and shre the public key with each other. Then the public key is used for encrypting the mail and the private key is used to decrypt the received mail. regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

Thanks for the reply. Yes, I want to encrypt e-mail between two end users from different exchange organizations. They both use their own private CA Server. So, in this scenario, how can it be achieved. Thanks in advance.

OK, tell the two users to send only an signed mail to each other. After this each of the userr should create a contact from that mail in the personal contact folder. After this the user should try sending an excrypted mail to the otherr user. It is important to create a local contact because otherwise the public key stored in the personal certificate store isn´t used. regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

Thanks a lot for the response. Is that all that is required. I am rephrasing your steps. Correct me if i am wrong. 1. User A in Exchange Organization A should send a signed e-mail to User B in Exchange Organization B. 2. User B in Exchange Organization B should send a signed e-mail to User A in Exchange Organization A. 3. User A should create a contact of User B from that signed e-mail. 4. User B should create a contact of User A from that signed e-mail. 5. User A can now send encrypted e-mail to User B. 6. User B can now send encrypted e-mail to User A. Kindly, correct me if I am wrong. A question also, is it not necessary for both users to install each others Root Certificate Authority to their Trust Root Certificate Authorities? Thanks in advance.

Yes you are right, The root Certificates from user A must be installed on computer of user B and vice versa. After you read the signed mail. You are able to check if the public certificate is stored on the PC. Therefor start mmc and import plug-in certificates for a current user account. Then scroll down the tree and enter certificates from other users and have a look at the certificates. The certificate from user A should appear in that space for user B and backwards. regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

Thanks for the reply. But, is this final piece of the puzzle or still something is missing? Thanks.

Hello, no this should be final nothing else missing. regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

Hi, Peddy1st is right. Sending and viewing encrypted e-mail messages requires both sender and recipient to share their digital ID, or public key certificate. Digital ID contains a private key that stays on the sender's computer and a certificate (with a public key). The certificate is sent with digitally signed messages. Recipients save the certificate and use the public key to encrypt messages to the sender. This means you and the recipient each must send the other a digitally signed message, which enables you to add the other person's certificate to your Contacts. Once both parties have shared certificates, sending and viewing encrypted e-mail messages between them is the same as with any other e-mail messages. More information about “Encrypt e-mail message” http://office.microsoft.com/en-us/outlook-help/encrypt-e-mail-messages-HP001230536.aspxPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thanks for reply both of you, have been a great help. So, in conclusion if I have understood correctly: Both users need to send a signed email to each other and then save the contact of each other from that signed email and then that is it. After that they would just need to send encrypted e-mail. There is no need to manually install each other trusted root CA. Kindly, correct me if I am wrong. Also, addendum to the question. Is the sole purpose of a signed e-mail is to send identity/certificate to recipient so that both can then exchange encrypted e-mail? Or does it server any other purpose as well. Thanks in advance.

No, you have to install the certification tree from the user A Certificate in the profile of userr B and vice versa. If you send an encrypted mail the recipient is sure that this mail was send from the sender and the content of the message isn´t changed during the transmission process of that mail. So you are ble to proof the authenticity of the mail and the sender. The condition for that scenario is that the sender dosn´t lose his digital ID. regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

If both users have at least Exchange 2007, e-mail is encrypted.

That´s not right emails are encrypted on the users PC and not on the Exchange Server. regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com