We are evaluating the gateway as a means to integrating a new ticketing system that does not handle PGP itself. We have users who have keys on their existing ticket system which signs/encrypts mails to given recipients and decrypts messages for display in the webUI. With the gateway the user would either send an email from the new ticket system web UI, which connects to the exchange service as the MX unencrypted, to then connects to the encryption gateway to find the key to encrypt/sign to the recipient, and the same in reverse. The users are stating that is unacceptable as there are points where the message is not encrypted from point of sending.
Is there a mitigation for this from other users?
Are there other web based ticketing systems that also have this issue?
Is this an issue? And if not, why not?
What protects the message in flight between senders machine to exchange, and from exchange to Ciphermail encryption gateway?
It’s difficult to give a general advise on whether gateway level email encryption is sufficient because it depends on the details.
I my opinion if you can be certain that the connection between the ticket system and the CipherMail gateway is protected with (enforced) TLS, it should be secure enough for most setups. This requires that the complete connection between ticket system and CipherMail gateway is protected with TLS.
So for example
Ticket system --TLS–> Exchange --TLS–> CipherMail
If all the TLS connections are enforced and you can be 100% certain that they are enforced then the email can at least not be intercepeted (in clear text) while in transit.
Whether or not this is secure enough for you case depends on whether you are in control of all the involved systems and/or whether you trust the admins of those systems.