24.1 What is S/MIME?

Secure/Multipurpose Internet Mail Extensions (S/MIME) provides a consistent way for email users to send and receive secure MIME data, using digital signatures for authentication, message integrity and non-repudiation and encryption for privacy and data security. S/MIME version 3.1 (RFC 3851) is supported.

Several email clients support the S/MIME specification, including Microsoft Outlook Express and Mozilla mail.

You can deploy a secure mail solution by using Messaging Server and S/MIME. Communications Express webmail users who are set up to use S/MIME can exchange signed or encrypted messages with other users of Communications Express, Microsoft Outlook Express, and Mozilla mail systems. A messaging proxy can provide an additional layer of security at the firewall to further protect information assets within Messaging Server

The Communications Express webmail client supports S/MIME with these features:

• Create a digital signature for an outgoing mail message to assure the message’s recipient that the message was not tampered with and is from the person who sent it

• Encrypt an outgoing mail message to prevent anyone from viewing, changing or otherwise using the message’s content before the message arrives in the recipient’s mailbox

• Verify the digital signature of an incoming signed message with a process involving a certificate revocation list (CRL)

• Automatically decrypt an incoming encrypted message so the recipient can read the message’s contents

• Exchange signed or encrypted messages with other users of an S/MIME compliant client such as Communications Express Mail and Mozilla mail systems

The remainder of this chapter describes how to configure Messaging Server and Communications Express for S/MIME. Note that you do not have to exclusively use Communications Express to be able to use S/MIME with Messaging Server.

24.1.1 Concepts You Need to Know

To properly administer S/MIME, you need to be familiar with the following concepts:

• Basic administrative procedures for your platform

• Structure and use of a lightweight directory access protocol (LDAP) directory

• Addition or modification of entries in an LDAP directory

• Configuration process for the Sun Java System Directory Server

• Concepts and purpose of the following:

  • Secure Socket Layer (SSL) for a secured communications line

  • Digitally signed email messages

  • Encrypted email messages

  • Local key store of a browser

  • Smart cards and the software and hardware to use them

  • Private-public key pairs and their certificates

  • Certificate authorities (CA)

  • Verifying keys and their certificates

  • Certificate revocation list (CRL). (See 24.9.2 When is a Certificate Checked Against a CRL?)