CipherMail GW anywhere

Hi,

I've read the CipherMail gateway documents and was impressed by all the
capabilities that can be used to encrypt users' emails end-to-end.

I need to provide the following for 50 non-technical users:

1. End-to-end encrypted emails for managed users registered with the
same email domain (internal users). From the docs I understand that either
PGP or S/MIME is used.

2. For the internal users to send secure email to any other external
email address (other domains). From the docs I understand that WebMail or
PDF is used.

3. Simple remote installation/setup and simple use for the users (people
with zero technical skills).

Both internal and external users can be anywhere, connected over the open
Internet (not on a secure LAN/intranet).

I've already installed the CipherMail gateway and looked into it, but I'm
missing the overall picture of how to start with the system setup.

I would appreciate any advice, tips or direction.

Regards

Assaf

I would not recommend using PGP/S/MIME for internal<->internal communication.

In that case, I would rather recommend firewalling your POP3 and IMAP
server, while also configuring your SMTP server to only allow relaying from
internal hosts, and then using a secure VPN for those users.
So users that want to send or receive mail have to connect to your server
over the VPN.
To prevent your mail from being exposed when users attempt to send mail
without the VPN on, you configure the SMTP server in those mail clients to
an internal address (192.168.x.x or 10.x.x.x), so no connection can be set up
unless they are on the VPN.

The advantage of that is that the complete communication channel, including
subject, from, to, and also the password to the SMTP/POP3/IMAP server and
everything else, gets encrypted, and it also protects your IMAP/POP3 server
from compromise by brute-force/dictionary attacks.

That's a lot easier to set up as well. Another good idea is to use TLS
encryption on your mail server, both for SMTP and IMAP/POP3.

However, CipherMail is great for:
Automatically decrypting mail that arrives at your destination. The advantage
of that is that no sensitive key material is left on users' devices or
computers, so if a device or computer is lost, access can be easily revoked
without having to replace any user keys or user certificates. This means
decryption is handled by your MTA, and thus key material can be stored
safely there, for example inside an HSM.

Automatically encrypting external mail to users that either have an
encryption key programmed into Ciphermail (for example contractors), or to
"random users" (with the webmail/PDF functionality).

Automatically signing outgoing mail, and verifying incoming signatures, is
also a great idea.

-----Original Message-----


From: users-bounces(a)lists.djigzo.com [mailto:users-bounces(a)lists.djigzo.com]
On behalf of Assaf Dahary
Sent: 1 August 2016 11:31
To: users(a)lists.djigzo.com
Subject: CipherMail GW anywhere

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users
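The filtering and relay policy the reply above describes, written out as a small model so the two different rules can be checked side by side. This is an added example for the thread, not CipherMail's or any MTA's own code. The addressing (office LAN 192.168.10.0/24, VPN pool 10.8.0.0/24, the server at 10.8.0.1 inside the VPN, local domain example.com, public clients from the 203.0.113.0/24 documentation range), the port list and the Postfix-style ordering of the relay checks are all assumptions made for the illustration.

```python
"""Model of the 'firewall the mail server, allow submission only over VPN'
advice. Constructed illustration, not CipherMail or any MTA's own code.

Assumed (hypothetical) addressing: office LAN 192.168.10.0/24, VPN client pool
10.8.0.0/24, mail server reachable inside the VPN as 10.8.0.1, local domain
example.com. Public addresses used below are from the 203.0.113.0/24
documentation range.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAINS = {"example.com"}  # domains this server delivers for (assumed)
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.10.0/24"),  # office LAN (assumed)
    ipaddress.ip_network("10.8.0.0/24"),      # VPN client pool (assumed)
]

# Inbound MX delivery on 25 must stay reachable from the whole Internet or the
# domain stops receiving mail; everything users log in to is LAN/VPN only.
PUBLIC_PORTS = {25}
INTERNAL_ONLY_PORTS = {587, 465, 143, 993, 110, 995}
SMTP_PORTS = {25, 587, 465}


def is_internal(ip: str) -> bool:
    """True if the source address is on the LAN or the VPN pool."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def firewall_allows(src_ip: str, dst_port: int) -> bool:
    """Packet-filter decision for a new TCP connection to the mail host."""
    if dst_port in PUBLIC_PORTS:
        return True
    if dst_port in INTERNAL_ONLY_PORTS:
        return is_internal(src_ip)
    return False  # default deny: nothing else is exposed


@dataclass(frozen=True)
class SmtpSession:
    client_ip: str
    authenticated: bool = False  # SASL login is only offered on 587/465 (assumed)


def smtp_accepts(session: SmtpSession, rcpt: str) -> str:
    """RCPT TO decision in the order Postfix evaluates permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination (assumed policy)."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if is_internal(session.client_ip) or session.authenticated:
        return "250 OK"  # trusted client: may relay to any domain
    if domain in LOCAL_DOMAINS:
        return "250 OK"  # inbound mail for our own users
    return "554 5.7.1 Relay access denied"


def connection_outcome(src_ip: str, dst_port: int,
                       rcpt: Optional[str] = None,
                       authenticated: bool = False) -> str:
    """What a client at src_ip gets: refused by the firewall, an SMTP reply
    to RCPT TO, or a plain 'connected' for the IMAP/POP3 ports."""
    if not firewall_allows(src_ip, dst_port):
        return "connection refused"
    if dst_port in SMTP_PORTS and rcpt is not None:
        return smtp_accepts(SmtpSession(src_ip, authenticated), rcpt)
    return "connected"


def client_reaches_server(configured_host: str, on_vpn: bool) -> bool:
    """The reply's trick: the mail client is configured with a private address,
    so with the VPN down there is simply no route to the server. Assumes the
    user's local network does not itself use the same private range."""
    return on_vpn or not ipaddress.ip_address(configured_host).is_private
```

The point the model makes explicit is that port 25 has to stay open to everyone for the domain to receive mail at all, so the protection there comes from the relay check (a stranger may deliver to example.com but not through it), while the ports users authenticate to are simply unreachable from outside the VPN. The private-address trick only works if the VPN pool does not overlap the ranges users meet on hotel or home networks, which is a reason to pick something like 10.8.0.0/24 rather than 192.168.0.0/24 or 192.168.1.0/24.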

1. End-to-end encrypted emails for managed users registered with the
same email domain (internal users). From the docs I understand that either
PGP or S/MIME is used.

If your internal users are on the same e-mail system, then e-mails between them most likely won't even hit the CipherMail gateway, so it can't perform any type of encryption on them.

2. For the internal users to send secure email to any other external
email address (other domains). From the docs I understand that WebMail or
PDF is used.

The options for sending e-mail from internal to external are encrypted PDF, S/MIME and PGP.

3. Simple remote installation/setup and simple use for the users (people
with zero technical skills).

S/MIME will certainly require some basic knowledge of using a PC in order to install certs on their PCs. I haven't used PGP, but I understand that it functions very similarly to S/MIME. My experience using CipherMail on customer installations is as follows:

If there are external users that your internal customers will be e-mailing on a regular basis and those e-mails must be encrypted, you would set up those external users in CipherMail beforehand with mandatory encryption. I would recommend PDF encryption with a static password that you give those external users. If you want to go the route of S/MIME or PGP, you will have to get involved with installing/configuring certs on those users' PCs if we are talking about users with little or no tech experience. I've done it before and it's a pain. The biggest issue I've run into is the expectation that the external users will be able to encrypt back to my internal users. CipherMail will handle that, but the external user has to remember to encrypt those e-mails using S/MIME or PGP from their end in their e-mail client (Outlook etc.).

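The per-recipient handling both replies describe (internal-to-internal mail never reaching the gateway; pre-registered external contacts getting S/MIME or PGP when a key is on file and an encrypted PDF with a static password otherwise; "random" recipients with no policy going out as ordinary mail), collected into one decision routine. This is an added example for the thread and not CipherMail's own code or policy engine; the internal domain, the contact table, the password, the dates and the "fail closed" rule for a mandatory contact with nothing usable are all assumptions chosen for the illustration.

```python
"""Per-recipient outbound handling in the style the replies describe: mail
between users of the same system bypasses the gateway; external contacts set
up beforehand get S/MIME or PGP if a key is registered, otherwise an encrypted
PDF with a pre-shared static password; and a 'mandatory' contact with nothing
usable is rejected rather than sent in the clear.

Constructed illustration, not CipherMail's code. The domain, contact list,
password and dates are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

INTERNAL_DOMAIN = "example.com"  # assumed


@dataclass
class Contact:
    address: str
    smime_cert: Optional[str] = None         # placeholder for a registered certificate
    cert_valid_until: Optional[date] = None  # notAfter of that certificate
    pgp_key: Optional[str] = None            # placeholder for a registered PGP key
    pdf_password: Optional[str] = None       # static password handed over out of band
    mandatory: bool = False                  # must never leave unencrypted


# Constructed contact table, as an admin would pre-register it on the gateway.
CONTACTS: Dict[str, Contact] = {
    "legal@contractor.example": Contact(
        "legal@contractor.example", smime_cert="<cert>",
        cert_valid_until=date(2017, 6, 30), mandatory=True),
    "former@contractor.example": Contact(
        "former@contractor.example", smime_cert="<cert>",
        cert_valid_until=date(2016, 1, 31), mandatory=True),  # expired cert
    "auditor@other.example": Contact(
        "auditor@other.example", pdf_password="correct-horse-battery", mandatory=True),
    "news@vendor.example": Contact("news@vendor.example"),
}


@dataclass(frozen=True)
class Decision:
    recipient: str
    action: str  # bypass-gateway | smime | pgp | pdf | plain | reject
    reason: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def decide(sender: str, recipient: str, contacts: Dict[str, Contact] = CONTACTS,
           today: date = date(2016, 8, 1), mandatory_by_default: bool = False) -> Decision:
    """Pick how one recipient's copy is handled. A registered key beats PDF;
    an expired certificate is skipped rather than used."""
    rcpt = recipient.lower()
    if domain_of(sender) == INTERNAL_DOMAIN and domain_of(rcpt) == INTERNAL_DOMAIN:
        return Decision(rcpt, "bypass-gateway", "same mail system; never reaches the gateway")
    c = contacts.get(rcpt, Contact(rcpt, mandatory=mandatory_by_default))
    cert_ok = c.smime_cert is not None and (
        c.cert_valid_until is None or c.cert_valid_until >= today)
    if cert_ok:
        return Decision(rcpt, "smime", "valid certificate registered on the gateway")
    if c.pgp_key is not None:
        return Decision(rcpt, "pgp", "PGP key registered on the gateway")
    if c.pdf_password is not None:
        return Decision(rcpt, "pdf", "encrypted PDF with pre-shared static password")
    if c.mandatory:
        return Decision(rcpt, "reject",
                        "encryption mandatory but no usable key or PDF password; fail closed")
    return Decision(rcpt, "plain", "no policy for this recipient; sent as ordinary mail")


def route_message(sender: str, recipients: List[str], **kw) -> Dict[str, List[str]]:
    """Group recipients by action; each group gets its own copy of the
    message, so a PDF recipient never receives the S/MIME-encrypted body."""
    groups: Dict[str, List[str]] = {}
    for r in recipients:
        d = decide(sender, r, **kw)
        groups.setdefault(d.action, []).append(d.recipient)
    return groups
```

Two details are worth keeping when setting the real gateway up the way the reply suggests: a contact marked mandatory whose certificate has expired (or who was never given a PDF password) should cause the message to be held or bounced, never silently downgraded to plain mail, and a message with mixed recipients has to be split per handling, because one MIME body cannot be S/MIME for some recipients and a PDF attachment for others.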