Problem: Your users aren’t using encryption for their email (for various reasons) but you still want to protect SMTP mail they send over the Internet to avoid it being intercepted enroute.
Solution: Implement Exchange 2010 and configure encryption of the mail data at the server level for both servers involved in the transaction.
Caveats: This needs to be configured on both mail servers participating in the mail transaction (sender and receiver) – any mail server your Exchange 2010 server talks to that doesn’t support TLS will still be sent mail in unencrypted format (unless your users encrypt the mail themselves).
Using Domain Security: Configuring Mutual TLS
This topic explains how to configure mutual Transport Layer Security (TLS) for Domain Security, the set of functionality in Microsoft Exchange Server 2010 and Microsoft Office Outlook 2007 that provides a relatively low-cost alternative to S/MIME and other message-level security solutions.
For the purposes of this scenario, this topic explains how Exchange administrators at a fictitious company, Contoso, configure their Exchange 2010 environment to exchange domain-secured e-mail with their partner, Woodgrove Bank. Contoso administrators want to make sure that all e-mail sent to and received from Woodgrove Bank is protected with mutual TLS. Also, they want to configure Domain Security functionality so that all mail to and from Woodgrove Bank is rejected if mutual TLS can’t be used.
Contoso has an internal public key infrastructure (PKI) that generates certificates. The PKI’s root certificate has been signed by a major third-party certification authority (CA). Woodgrove Bank uses the same third-party CA to generate their certificates. Therefore, both Contoso and Woodgrove Bank trust the other’s root CAs.