Secure Messaging with S/MIME and OWA on Exchange Server 2007 SP1


S/MIME support for Exchange Outlook Web Access (OWA) was introduced in Exchange 2003. In Exchange 2007 SP1, we are adding S/MIME support back and making it more reliable and powerful. Below is a short introduction to S/MIME and simple end-to-end steps for using S/MIME with OWA on Exchange Server 2007 SP1.

Introduction

The S/MIME feature in OWA is about secure messaging: enabling OWA to send and receive signed and encrypted email. Signed messages allow the recipient to verify that the message came from the person it claims to be from. Encrypted messages allow the sender to ensure that only the intended recipients can read them. The message is unreadable to anyone who might intercept it in transit, and it is equally unreadable to the Exchange administrator, who holds no copy of the recipients' private keys.

Install the S/MIME control

You need to install the S/MIME control to use S/MIME in OWA. Here’s how you do it:

1) Launch IE and log in to OWA.

2) In the main window, navigate to the Options page (link at the top right of the page).

3) Click "E-Mail Security", then click "Download the Outlook Web Access 2007 S/MIME control".

4) Follow the installation steps.

Get a certificate

You need to get an email certificate to send and receive signed/encrypted messages. Note: if you sign a message without encrypting it, the message will be viewable by someone who intercepts it in transit.

To get a certificate, you can either:

  1. Get a certificate from the certificate authority service in your organization. Contact your IT department for that.
  2. Get a certificate from a public certificate authority service.

There are several public services issuing email certificates (e.g. Comodo, VeriSign).

The choice of certificate authority is up to the user. Note: Comodo currently provides a free email certificate without a trial period expiration.

Once you have requested an email certificate from a certificate authority (e.g. Comodo), you will receive an email informing you how to get, and install, the certificate on your local machine.

If certificate enrollment completes successfully, your certificate, together with its private key, will be installed on your computer (or on your smart card, depending on the template you select).

Working with signed or encrypted messages in Exchange 2007 SP1 OWA

After installing the S/MIME control and getting an email certificate, you will be able to read, send, encrypt and sign messages in OWA.

Reading and verifying a signed message

Open a signed message. In the message window, you can verify the signature by reading the "Signed By" information. This link tells you whether the signature is valid and who signed the message.

On the "Signed by" line, one of three icons can appear:

  • One is shown if the signature is valid. The icon is followed by the email address of the signer.
  • Another is shown if the signature is invalid.
  • The third is shown if the signature is valid but the certificate that was used to sign the message has expired.

Clicking the "more information" link in a message will display a dialog with certificate information.

If the signature is valid, the dialog shows additional details about the signature, such as who sent the mail, who the signer is identified as, and which certificate authority issued the certificate.

If the signature is invalid, the dialog will show you why the signature is invalid.

Reading an encrypted message

  • Insert your smart card if your email certificate is stored on your smart card.
  • Open the encrypted message.
  • You may be prompted with a dialog to enter the PIN of the smart card if your email certificate is on the smart card. If so, enter the PIN and click "ok".
  • The encrypted message will be shown in the message window.

Sending a signed message

  • Insert your smart card if the email certificate is stored on your smart card.
  • Compose a new message.
  • Click the "signed" button on the message window toolbar.
  • Send the message. You may be prompted with a dialog to enter the PIN of your smart card if your email certificate is on your smart card. If so, enter the PIN and click "ok".

Sending an encrypted message

  • Insert your smart card if the email certificate is stored on your smart card.
  • Compose a new message.
  • Click the "encrypted" button on the message window toolbar.
  • Send the message. You may be prompted with a dialog to enter the PIN of your smart card if your email certificate is on your smart card. If so, enter the PIN and click "ok".

- Chongwen Xie

Comments (5)
  1. msternin says:

    Can the same certificate be installed on a client machine running Outlook 2007?

  2. Chongwen Xie says:

    Hi msternin,

    Usually, the certificate is separated into two parts. One is the public portion which contains the public key. The other is the private portion which contains the private key. The public portion is on the server (i.e. in the Active Directory) and is retrieved by the email client to encrypt the message. The private portion is kept by yourself (can be in the certificate store of the client machine or in the smart card) and is used to sign the message or decrypt the message.

    So as for your question, the answer is ‘yes’. The private portion of the certificate can be installed on a client machine running Outlook 2007. Outlook 2007 and OWA 2007 can use the same certificate to secure your email.

  3. Bas says:

    Hi Chongwen Xie,

    What troubles me for a time about Microsoft and handling S/MIME mail is the following. When the option ‘send clear text signed messages when sending signed messages’ is checked (this is the default), Outlook sends messages that a really old mail client (e.g. mail under UNIX) can read. The signature is sort of an added extra for clients that do understand it. However, a lot of Microsoft webmail (including OWA 2003 and OWA 2007, possibly older OWAs and Hotmail) suppress the plain text content and display an empty message having only an attachment people don’t get.

    Don’t know if this is really a client or a server issue, but there used to be a time when this did work. To me, getting responses from my customers that they only receive empty mail was the reason to forgo S/MIME totally, which is rather a shame in a world where trustworthy email is a good gift.

    Can you give your view on this?

  4. Chongwen Xie says:

    Hi bas,

    From my understanding, OWA 2007 doesn’t support S/MIME. But it can show the message body for a clear-signed message, while the attachments won’t be shown. OWA 2007 SP1 Beta2 supports S/MIME and you will be able to view the full content of the clear-signed message with the S/MIME active control installed. Even if you don’t install the S/MIME active control, you can view the body and attachments of a clear-signed message in OWA 2007 SP1 Beta2.

    The situation you describe is more like an opaque-signed message or encrypted message.
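The distinction in the exchange above, a clear-signed message versus an opaque-signed or encrypted one, is decided by the outer MIME type of the message. The following is an added example, not code from the post or from Exchange: it uses Python's standard email module on constructed sample messages (the base64 payloads are placeholders, not real signatures or ciphertext) to classify each message and report what a client without S/MIME support can still display.

```python
import email
from email import policy

# Constructed sample messages (not mail from the post). The base64 payloads
# decode to "PLACEHOLDER" and stand in for real CMS signatures/ciphertext.
HDR = "From: alice@example.test\nTo: bob@example.test\nMIME-Version: 1.0\n"
CLEAR_SIGNED = HDR + (
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nHello Bob, readable without S/MIME support.\n"
    '--b\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n\nUExBQ0VIT0xERVI=\n--b--\n"
)
OPAQUE_SIGNED = HDR + (
    'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\n'
    'Content-Disposition: attachment; filename="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n\nUExBQ0VIT0xERVI=\n"
)
ENCRYPTED = OPAQUE_SIGNED.replace("smime-type=signed-data", "smime-type=enveloped-data")


def classify(raw: str) -> dict:
    """Classify by the outer MIME type, as a mail client must, and report
    what a client WITHOUT S/MIME support can still show the user."""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # Clear signing (RFC 5751): the first part is ordinary readable
        # content, the second is the detached signature (smime.p7s).
        parts = list(msg.iter_parts())
        body = parts[0].get_content().strip() if parts else ""
        return {"kind": "clear-signed", "visible_body": body, "needs_smime": False}
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = msg.get_param("smime-type", "") or ""
        kind = {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted"}.get(smime_type, "pkcs7-mime")
        # Everything sits inside the CMS blob (smime.p7m): a client without
        # S/MIME support shows an empty message with a single attachment.
        return {"kind": kind, "visible_body": "", "needs_smime": True}
    return {"kind": "plain", "visible_body": msg.get_content().strip(),
            "needs_smime": False}


if __name__ == "__main__":
    for name, raw in [("clear", CLEAR_SIGNED), ("opaque", OPAQUE_SIGNED),
                      ("encrypted", ENCRYPTED)]:
        print(name, classify(raw))
```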

  5. tony says:

    You guys are the best! What would you like to be perfect? Have a printable version of your "how-to's".

    I currently upgraded to Exchange 2007 and lost inbound mail, so it is currently unavailable, but good job guys.
