I would not recommend using PGP/S/MIME for internal<->internal communication.
In that case, I would rather recommend firewalling your POP3 and IMAP
server, while also configuring your SMTP server to only allow relaying from
internal hosts, and then using a secure VPN for those users.
So users that want to send or receive mail have to connect with VPN to your
server.
To prevent your mails from getting exposed when users might attempt to send
mail without the VPN on, you configure the SMTP server in those mail clients to
be internal (192.168.x.x or 10.x.x.x), so no communication would be set up
unless they are on VPN.
The good thing about that is that the complete communication channel, including
subject, from, to, and also the password to the SMTP/POP3/IMAP server and
everything, gets encrypted, and also, it protects your IMAP/POP3 server from
compromise by brute-force/dictionary attacks.
That's a lot easier to set up as well. Another good idea is to use TLS
encryption on your mail server, both for SMTP and IMAP/POP3.
However, Ciphermail is great for:
Automatically decrypting mail that arrives at your destination. The good
thing about that is that no sensitive key material is left on users' devices or
computers, so if a device or computer is lost, access can be easily revoked
without having to replace any user keys or user certificates. This means
decryption is handled by your MTA, and thus key material can be stored
safely there, for example inside an HSM.
Automatically encrypting external mail to users that either have an
encryption key programmed into Ciphermail (for example contractors), or to
"random users" (with the webmail/PDF functionality).
Automatically signing outgoing mail, and verifying incoming signatures, is
also a great idea.
-----Original Message-----
From: users-bounces(a)lists.djigzo.com [mailto:users-bounces(a)lists.djigzo.com]
On behalf of Assaf Dahary
Sent: 1 August 2016 11:31
To: users(a)lists.djigzo.com
Subject: CipherMail GW anywhere
Hi,
I've read the CipherMail gateway documents and was impressed by all the
capabilities that can be used to encrypt users' emails end-to-end.
I need to provide for 50 non-tech users:
1. End-to-end encrypted emails for managed users registered with the
same email domain (internal users). From the docs I understand that either
PGP or S/MIME is used.
2. For the internal users to send secure email to any other external
email address (other domains). From the docs I understand that WebMail or
PDF is used.
3. Simple remote installation/setup and users' usage (people with zero
tech capabilities).
Both internal and external users can be anywhere, connected over the open
Internet (not in a secure LAN/Intranet).
I've already installed the CipherMail gateway and looked into it, but I'm
missing the overall picture of how to start with the system setup.
I would appreciate any advice/tip/direction.
Regards
Assaf
_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users
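Concretely, the setup the reply above describes (relaying only from internal hosts, IMAP/POP3 reachable only over the VPN, TLS for all three protocols) could look like this on a Postfix/Dovecot server. This is an added example and not part of the original thread or of the CipherMail project; Postfix and Dovecot as the mail software, the 10.8.0.0/24 VPN subnet, the 10.8.0.1 VPN-side server address and the mail.example.com certificate paths are all assumptions.

```ini
# --- Postfix main.cf (the MTA) ---
# Only loopback and the VPN subnet (assumed 10.8.0.0/24) count as
# "internal"; every other source address is treated as the open Internet.
mynetworks = 127.0.0.0/8, [::1]/128, 10.8.0.0/24

# Relay only for internal (VPN) hosts or SASL-authenticated users; mail for
# foreign domains from anyone else is rejected. Inbound mail addressed to
# our own domains on port 25 is still accepted, so MX delivery keeps working.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# Offer TLS to other MTAs opportunistically. "encrypt" on port 25 would
# break inbound mail from servers that do not speak STARTTLS, so "may" is
# the right level for the public MX port.
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.com.key
# Never accept a username/password over a cleartext connection.
smtpd_tls_auth_only = yes

# --- Dovecot (IMAP and POP3) ---
protocols = imap pop3
# Bind only to the VPN-side address (assumed 10.8.0.1), so the IMAP/POP3
# ports are not reachable from the Internet even if a firewall rule slips.
listen = 10.8.0.1
ssl = required
ssl_cert = </etc/ssl/certs/mail.example.com.pem
ssl_key = </etc/ssl/private/mail.example.com.key
# Refuse plaintext logins on unencrypted connections.
disable_plaintext_auth = yes
```

The firewall in front of the server should still drop ports 110, 143, 993 and 995 on the public interface so that only the VPN subnet reaches them, and the mail clients are pointed at 10.8.0.1 for SMTP and IMAP/POP3 so that, as the reply says, nothing is sent at all while the VPN is down. `postfix check` and `doveconf -n` will flag typos in the respective configurations before you reload the services.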