Slashdot Mirror


Ask Slashdot: What Is the Best Email Encryption Gateway For a Small Business?

Attila Dimedici writes "I am in the process of implementing an Email Encryption Gateway for my company. I checked with my various contacts in the industry and came away with Voltage as the best solution. However, as I have been working with them to implement a solution, I have been sadly disappointed by their lack of professionalism. Every time I think I am one question away from being ready to pull the trigger, I discover something that my contact with them had not mentioned before that has to be ironed out by the various stakeholders on my end. So, my question for Slashdot readers is this: what is your experience with implementing an Email Encryption Gateway for your company and what solution would you recommend?"

155 comments

  1. Outlook.com by tretre · · Score: 5, Funny

    Outlook.com offers great features, is fully encrypted and offers everything a small (or larger) business needs. I can truly say how happy I am with their service. It also works great with your existing Microsoft stack.

    1. Re:Outlook.com by Anonymous Coward · · Score: 1

      I feel dumb, but what is wrong with just Exchange? It can do the ActiveSync policies (passwords, demand encryption, secure erase.) What does a third party product like Good or BES give us except for more management headaches and more money slurped off for licensing fees?

    2. Re:Outlook.com by RobbieCrash · · Score: 5, Informative

      BES offers a shitload of benefits if you want to use them. Blocking things like the camera or SMS, limiting WiFi connectivity, security configuration, password requirements, etc., on company owned and paid for phones is a requirement for many large enterprises. Additionally, ActiveSync isn't as feature complete with syncing in most cases (Android doesn't do tasks or notes, for example), while BES provides complete bi-directional sync between BlackBerrys and Exchange. Remote software management and an always-on, administrator-controlled VPN connection are other benefits.

      We had issues with our Exchange server's gateway and it wasn't able to get to the internet, however the tunnel to our location that had BES was up and it had internet connectivity, so our BBs were receiving email communicating what was going on and who was doing what. Sure we could've done that with personal email or with BBM/GTalk, but this way we didn't need to.

      BES is a pain in the ass when you don't need any of the above and all you're doing is syncing email, calendar and contacts. But those are all critical features in many places.

      --
      Keep on knockin'
      https://robbiecrash.me
    3. Re:Outlook.com by sneakyimp · · Score: 5, Informative

      I disagree that Outlook.com is all that great. If you want your email to be truly secure, you need to encrypt it at the client and, in trying to set this up with one of my clients, I found that a) the documentation on this process using Outlook is very poor, b) one must pay to purchase a Digital Certificate for Outlook, and c) once my client did purchase a Digital Cert from one of the vendors listed on Microsoft's website, Windows and/or Outlook 2010 could not find this certificate or did not recognize it. A waste of time and money.

      I found it much easier to configure Thunderbird with a self-signed certificate and OpenPGP. The email is encrypted on my computer and decrypted on the client's computer. However, it's probably not feasible to train a bunch of tech-challenged workers to do this themselves and would likely introduce too much of a training/support burden for any sizeable IT shop.

      I realize that M$ may offer some handy tools for IT managers tasked with managing a large organization -- if you are willing to pay for it. I also find it extremely disappointing that client-based email encryption is not more widespread and easy to implement.

    4. Re:Outlook.com by Flavianoep · · Score: 3, Interesting

      Are you serious? (hint: "Poe's Law")

      --
      Linux is for people who don't mind RTFM.
    5. Re:Outlook.com by cultiv8 · · Score: 4, Funny

      I second this, and highly recommend SharePoint for all your collaboration and intranet purposes as well. As a developer, I can truly say how happy I am when I need to work on a SharePoint site. SharePoint even integrates with Outlook! Amazing integration with your existing Microsoft stack!

      --
      sysadmins and parents of newborns get the same amount of sleep.
    6. Re:Outlook.com by v1 · · Score: 4, Informative

      I disagree that Outlook.com is all that great. If you want your email to be truly secure, you need to encrypt it at the client

      THIS. Once it gets off your LAN, there are SO many ways for you to get tapped into. Not counting the illegal ways, look at all the options the govt has and is well known to use, often ignoring or pencil-whipping judicial oversight. They can subpoena your ISP, whoever is doing your email encryption, whoever is providing them with their SSL keys, or their ISP.

      If you are serious about protecting your privacy, make darn sure your data is secured before it leaves your property. At least then, if they want to snoop, you're a lot more likely to at least know it's happening. And that will keep out most of your threats, short of spear-phishing, stray bait flash drives left in your parking lot, and internal threats. (malicious employees)

      In the short term, get everyone an email certificate, and USE them to sign and encrypt outgoing email. (Any decent email client will support signing and encryption.) That data could still be subpoenaed from the group you get them from, though. You can also roll your own if you want, but you won't easily be able to revoke them if need be.

      --
      I work for the Department of Redundancy Department.
    7. Re:Outlook.com by Anonymous Coward · · Score: 1

      You have got to be kidding. BES is the biggest turd of an application I've ever worked with in my life. It is slow, bloated, stops working randomly on both the client and server side and is a total security nightmare. You seriously suggest using a program that insists on having read and impersonate access to all of your mailboxes with your encryption? Yikes!

    8. Re:Outlook.com by Anonymous Coward · · Score: 1

      Sharepoint sucks.
      Outlook sucks.

      Thunderbird + Enigmail + GPG sucks less. It still sucks, just less.
      If you want secure email, run your own servers and encrypt everything from the client.

    9. Re:Outlook.com by Anonymous Coward · · Score: 1

      Not only that, but BB10 devices support activesync if that's your cup of tea, and bb mobile fusion will do a lot of those management functions for devices other than blackberrys. If you want full security though, you'll probably want the new bb10 handsets with their balance function, so you can control all the data on a separate partition.

    10. Re:Outlook.com by Ian+A.+Shill · · Score: 1
      tl;dr: seriously, wtf?

      ---

      How do you do that? The timing I mean. And your user number means you joined like what, yesterday? Props for being a master of the first post so quickly.

      I have to guess you were trolling, right. I get it. Funny.

      The succinct and overloaded words you have chosen in composing your sound advice make me think of the juice that oozes out when you squeeze a Microsoft marketing executive's head just a little too tight in a vise or some such head-juice-extracting gizmo.

      I am confused as to how your post makes me feel. If you got paid for it, I wonder how much, and by whom? Do you need to shower after work? Plus, like, hey, good for you. And of course, can I get in on the action? If you didn't get paid, I'm thinking it's gotta be like a joke, right, ironic and hip, yeah I get it, I think. Otherwise I can really only think: what the eff, really, could anyone really give that much of a damn about promoting Exchange (or anything, really) to go to that much effort just because they make you happy you are with their service?

      Please forgive me if I just didn't get it, sometimes that happens.

      Overall, it's got a nice beat and I like to dance to it. I give it a 5.

      --
      For hire.
    11. Re:Outlook.com by vettemph · · Score: 1

      Outlook Not So Good.

      --
      The government which is strong enough to protect you from everything is strong enough to take everything from you.
    12. Re:Outlook.com by Anonymous Coward · · Score: 0

      On Exchange, I can block the camera, SMS, and virtually all of the features BES touts, except for one:

      Erase device if it is not able to connect to the BES server for a period of time.

      Everything else is built into Exchange, no third party software required.

      Finally, RIM devices are not out there anymore. The execs want their iPhones, and the other devices are Android, iOS, or Windows Phone 8 which of course works very well with Microsoft's cloud solutions. Unless there was a specific reason for Blackberry to be stated, it is cheaper to replace all the units in the field with iOS or Android devices than it is to keep upgrading BES and its closed ecosystem.

      In a BYOD world, one can do something which is a fair compromise of ownership of data on Android. Get the user to install an app like RoadSync, Nitrodesk Touchdown, or even apps that keep the work data completely separate (think the name was Duo or Double, but can't find it.)

      BES is a great technology, I will state that. However, the old Novell NetWare 3.11 box that has run for over a decade is also great technology. However, its time is past.

    13. Re:Outlook.com by mysidia · · Score: 3, Interesting

      BES is a pain in the ass when you don't need any of the above and all you're doing is syncing email, calendar and contacts. But those are all critical features in many places.

      About that... my complaint about BES is that it's this Java application that requires this huge install of SQL Server just to function; you wind up needing a server with 4GB of RAM to provide 20 users with mail synchronization.

      This is almost as many resources as the complete Exchange system requires....

    14. Re:Outlook.com by mlts · · Score: 2

      It is obvious that once the data leaves your gateway, it is open season, perhaps even sooner if a router or switch gets compromised and a custom firmware uploaded. The endpoint is where the main security should lie.

      Ideally, you want people using PGP or GnuPG with some sort of WOT in the company, and some mechanism of securing private keys (Self generated eTokens, or even just a USB flash drive.) For SOX reasons, an ADK might be needed, but it will be obvious that key is added to E-mail exchanges, and hopefully it is stored somewhere secure.

      The second decent client utility is using S/MIME. Thunderbird and Outlook happily support it. Other mail programs have various degrees of support from complete to none. Done right, this is decently secure, but it falls into the same trap SSL does -- it is easier to admin than a WoT by having the usual CAs in a root cert, but that means a third party can easily get in and start a MITM attack.

    15. Re:Outlook.com by St.Creed · · Score: 3, Informative

      I know your comment is meant to be funny (and it is), but what I really don't get is why everyone is talking about Outlook (argh) and sharepoint (*shudder*), and not about Lotus Domino. I'm also a bit... confused about why Lotus Domino isn't the default choice for anyone even remotely thinking about secure mail.

      Lotus had a place for storing certificates since they were invented. In fact, ALL authorization is done using keys. It's been designed to work with them from the ground up. If the admin manages to remove his ID from the database, he's just as thoroughly holed under the waterline as any user. Inside the company everything can remain encrypted and when going out you can use encryption for everyone you have the certificates for, or make it impossible to send unencrypted mail. Using Lotus there is absolutely no barrier to using encryption (only to using the damn client in the first place - the GUI has issues).

      Of course, one can also keep on bolting random software on top of other software, like that factory in Bangladesh: at some point, the foundation can't hold the weight anymore and you're done.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    16. Re:Outlook.com by Anonymous Coward · · Score: 0

      BES10 gives you much less control over client devices.

  2. Voltage is pretty good by seanmcelroy · · Score: 4, Informative

    I'd ask for a different account rep. I've used Voltage for about 10 employees to great results. I've never encountered this professionalism problem you report.

    --
    Be very, very careful what you put into that head, because you will never, ever get it out. -Thomas Cardinal Wolsey
    1. Re:Voltage is pretty good by Obfuscant · · Score: 4, Insightful

      I'm not sure that I'd rate a failure of the account rep to predict every issue that a "stakeholder" might come up with and tell the purchaser how to deal with it in advance a "lack of professionalism". That sounds a lot like trying to aim at a moving target to me. "Oh, can your product also do X? It has to do X, which I just thought of..."

    2. Re:Voltage is pretty good by Anonymous Coward · · Score: 1

      And I would recommend not relying on email for critical communications. If you must, just use normal email. Install TrueCrypt, and manually encrypt files by hand and then attach. If your staff can't handle that, then they have no business dealing with sensitive information to begin with.

    3. Re:Voltage is pretty good by Anonymous Coward · · Score: 1

      I'd ask for a different account rep. I've used Voltage for about 10 employees to great results. I've never encountered this professionalism problem you report.

      I bet the professionalism problem is just him discovering that it actually takes some setup to do (stakeholders at _his_ end). That is, he can't just install a magic piece of software and expect every email communication from his firm to magically be encrypted.

    4. Re: Voltage is pretty good by Anonymous Coward · · Score: 1

      TrueCrypt as attachment? You may be overdoing it; it's like hitting a fly with a hammer. Use simpler methods with powerful encryption, like AxCrypt.

    5. Re: Voltage is pretty good by bobstreo · · Score: 1

      Voltage is very good, especially when combined with software/appliances that can scan email for compliance (business, HIPAA, ...) that will then direct the emails to be encrypted.

      The "weak" link in PGP or any other manual encryption is always the end user.

      I've worked with Voltage, they're very professional and have gone above and beyond on support issues.

    6. Re:Voltage is pretty good by Anonymous Coward · · Score: 0

      This is the first thing I thought when reading the story as well. Seems like someone (and someone's editor) don't know what "professionalism" means. Not surprising, considering that this is /., though.

  3. gmail by Anonymous Coward · · Score: 1

    gmail supports encryption and you can use feature rich email clients like MS Outlook with it. Do you really need to have a mail server in-house anymore these days?

    1. Re:gmail by egcagrac0 · · Score: 3, Insightful

      Do you really need to have a mail server in-house anymore these days?

      That really depends on the confidentiality requirements of your email.

      If the business were healthcare, a law firm, or an accounting firm... yes, I'd feel a need to run the email in-house.

    2. Re: gmail by Anonymous Coward · · Score: 0

      I hope you're joking, there is nothing secure about gmail or other mail providers like them.

    3. Re:gmail by Anonymous Coward · · Score: 1

      Email by default, no matter what you do, is not secure end to end and at rest. I believe sending medical information over email is not permitted by HIPAA, unless it is sent encrypted asymmetrically on the client side. I believe the technologies that meet this requirement are things like PGP/GPG.

      I don't believe there is a legal standard for legal confidential data, as there isn't a standard for FERPA data, just that it be "secured."

    4. Re: gmail by HiThere · · Score: 1

      Additionally, Google has repeatedly dropped unpaid services without warning or alternative. Not a good match for a business. If you don't run your own e-mail server, you at least want it to be run by someone contractually obligated to meet certain expectations.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re: gmail by DuckDodgers · · Score: 3, Interesting

      Gmail has hundreds of millions of users, and provides ad revenue for Google. It's not going anywhere. I would also assume Google Plus, Google Search, Google Ad Sense, and Android are fundamental to the future of the company and safe to use. (That's not an endorsement, just a guess that those services will last as long as the company.)

      And while Google App Engine is less essential to the company future, and is as vulnerable to the axe as Google Wave and Google Reader, there's an open source implementation of the APIs called "AppScale" which offers a migration path if Google shuts App Engine down.

    6. Re:gmail by Anonymous Coward · · Score: 5, Interesting

      I love the idea of those places running things in house, but in my experience, specifically with law firms, they do not even when they are big enough for it to make a huge difference. They are also some of the most technologically misinformed and lazy people I have met. I've got three really good examples of this.

      First example is Dropbox and other services like it. A local attorney was in for a big surprise when Dropbox complied with a subpoena and turned over all documents they had that the attorney and his client had uploaded to their Dropbox accounts. The court had a special master review them for confidential information and turned over a ton of documents and data. Suffice it to say, they "lost" the divorce case when the information included pictures of a second home (complete with GPS coordinates), multiple cars and other hidden assets.

      The second is that many solos and small firms (about 40% of practicing attorneys) use the email service provided by the state bar association. The email service that does not have SSL or TLS support. Webmail, pop3, IMAP, SMTP, LDAP and the rest are all unencrypted. When I asked the tech guy at the association about why it was unencrypted, he pointed me to the board minutes, where at every meeting, they refused to approve a certificate because, as one put it, "it was a waste of money." During an experiment conducted at a legal education program (which I'll detail below), they came up with quite the large amount of information.

      The third is the experiment I mentioned. At a legal education program, they partnered with a security group and they set up a device to log all the attempts to connect to wireless networks as well as real access points. The access points were protected by WPA2, but the password was given with the materials. It then had a screen presented with a TOS and privacy policy that they had to agree to before being granted access. The TOS gave all this away and included a button to click so we could see how many people actually read them (the people who clicked saw a stat page, which included a bar graph so you could see it over time). The access point was set up to log all the traffic (which ended up being gigabytes of data, they said, due to all the videos people watched) as the traffic came in. They then analyzed it for key words and statistics. A team of attorneys and people from the ethics committee cleared all the info that was presented in the speech about safety and being careful online. They talked about all the video and news people checked, and then it slowly got more personal. They started referencing people's email, a snippet of a person's VOIP session and a document uploaded to some service. They then talked about safety steps like TLS, TrueCrypt and being careful, and that you need to check that you are connecting to who you think you are, as well as other things. The best part was right at the end, when the speaker said "Jody wants you to remember to pick up a pizza on the way home," and about 25 people all went for their phones to see if they were talking about them. Incidentally, after the presentation, encrypting the bar association's email was added to their 5-year plan for year 5(!), but I guess it is better than nothing.

      Last thing I will note is the mixed advice. For example, the latest, or maybe previous issue, of the ABA magazine had an article detailing the dangers of the cloud, especially dropbox as it is unencrypted, they keep your files after you delete them, and you can get them anywhere. Less than 20 pages later was an article that declared dropbox a "MUST HAVE" app for any attorney for the exact same reasons that the previous said were dangerous.

    7. Re: gmail by AvitarX · · Score: 1

      Google doesn't offer unpaid email to business anymore.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    8. Re:gmail by Anonymous Coward · · Score: 0

      I should point out that the 40% figure I cited is for my state, not any other demographic group.

    9. Re: gmail by Bert64 · · Score: 1

      You can pay for gmail, and then they will be beholden to the contract you have with them.
      There is nothing to stop any company dropping a service, even one you pay for and have a contract for... The most you can hope for is that they give you notice that the service will be discontinued and you can migrate.

      This is also why you should always have your own dedicated domain... The beauty of email is that it's a standard, so if you need to you can take your domain elsewhere and continue using email just fine. A much worse problem is when businesses start to rely on non standard services, like skype, twitter, facebook etc... These services could be pulled at any time, and you'd have no option to move your addresses to a third party service.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    10. Re:gmail by Anonymous Coward · · Score: 1

      You don't need to pay anything to get a certificate. You only need to if you want it signed by a major CA. Something with closed membership like the bar association could just publish the fingerprint and have everyone trust the certificate manually.

    11. Re:gmail by gl4ss · · Score: 1

      You don't need to pay anything to get a certificate. You only need to if you want it signed by a major CA. Something with closed membership like the bar association could just publish the fingerprint and have everyone trust the certificate manually.

      it might be even wiser.

      --
      world was created 5 seconds before this post as it is.
    12. Re:gmail by m1bxd · · Score: 2

      Please don't knock Dropbox; configure your clients with Boxcryptor for Windows, which uses EncFS (open source). You can only use the open source support on Windows using Dokan. http://members.ferrara.linux.it/freddy77/encfs.html Under Mac and Linux you can also use EncFS. Assume the cloud is compromised with a limited SLA, but a jolly useful resource.

    13. Re:gmail by Anonymous Coward · · Score: 1

      The email service that does not have SSL or TLS support. Webmail, pop3, IMAP, SMTP, LDAP and the rest are all unencrypted. When I asked the tech guy at the association about why it was unencrypted, he pointed me to the board minutes, where at every meeting, they refused to approve a certificate because, as one put it, "it was a waste of money."

      Seriously? You can buy a GoDaddy SSL certificate for around $15 with a coupon code.

      I don't think anyone would complain about physical locks on their physical doors, and that decent locks cost more than $15.

    14. Re:gmail by Anonymous Coward · · Score: 1

      I'm not knocking Dropbox; I'm knocking how they use Dropbox. That is, how they send sensitive documents in the clear. I agree that encryption would fix a lot of their problems, but the point is that they are either too lazy, not properly informed about the danger or not properly informed about how to do it. It is the same with email. Email is very useful, but they really should encrypt email whenever they can.

    15. Re:gmail by steviesteveo12 · · Score: 1

      You don't need to pay anything to get a certificate. You only need to if you want it signed by a major CA. Something with closed membership like the bar association could just publish the fingerprint and have everyone trust the certificate manually.

      it might be even wiser.

      Yeah, I know I'd be happier with a bar issued certificate than a, say, DigiNotar one.

  4. Simple by ehud42 · · Score: 2

    The one that you (or someone you trust) can effectively manage.

    --
    I'm in my right mind and I have the answer to everything!
  5. Cisco by Anonymous Coward · · Score: 2

    Cisco IronPort. We use it and rely on it heavily for secure emails regarding PII for our pension fund.

    1. Re:Cisco by stephanruby · · Score: 2

      Cisco IronPort. We use it and rely on it heavily for secure emails regarding PII for our pension fund.

      Yeah, we did the same at my company.

      Our IT staff just threw their hands in the air, and now we just use a public bulletin board for all our internal electronic communications (with private messaging disabled). And once in a while, just to be thorough, we let a spammer come in to post Viagra ads on it, just to remind all of our employees that our bulletin board is completely open to the outside world and nothing posted on it will ever be private.

    2. Re:Cisco by rot26 · · Score: 2

      IronPort blacklisted my mail server because I was in the same class C address space as a "suspected" spammer, despite the fact that no spam had ever been reported from my IPs. There isn't (or wasn't at that time) ANY REMEDY for getting off of their blacklist.

      --
      To ensure perfect aim, shoot first and call whatever you hit the target
  6. Proofpoint by Rinoa · · Score: 3

    It's a small company but has absolutely stellar encryption and archiving products and good service. http://www.proofpoint.com/products/privacy/email-encryption.php

    --
    I'm really easy to get along with once you people learn to worship me.
    1. Re:Proofpoint by Anonymous Coward · · Score: 1

      proofpoint just resells the voltage encryption product as far as I know.

    2. Re:Proofpoint by Anonymous Coward · · Score: 0

      They haven't been a Voltage reseller in a few years. They developed their own product.

    3. Re:Proofpoint by Anonymous Coward · · Score: 1

      We run proofpoint gateways. I believe they dropped the voltage encryption as of their version 7 release. I think the new encryption piece is something they wrote in-house, or is, at least, not obviously a rebrand.

    4. Re:Proofpoint by Anonymous Coward · · Score: 0

      Proofpoint introduced their own technology several years ago and severed the relationship with Voltage. Both products are easy to use, do not require certificates or software to communicate securely and offer several methods of authentication to fit the needs of the customer, from simple to highly secure. As has been stated elsewhere, it is incumbent upon the consumer to determine their needs, correctly communicate them to the vendor(s), and choose the solution which best suits their needs/financial constraints/recipient profile.

      The one certainty for email encryption is that having senders and recipients deal with certificates is a non-starter for the vast majority of users!

      Good Luck!

  7. PGP by koinu · · Score: 5, Insightful

    Use PGP/GPG for god's sake. Since when do you delegate encryption and integrity to any gateways? You cannot trust ANYONE except yourself when signing private documents. Do you delegate signatures in sensitive and confidential cases to your co-workers?

    1. Re:PGP by sneakyimp · · Score: 1

      YES! Mod parent up. It's nice to see the old security paranoia in somebody else.

    2. Re:PGP by TheCarp · · Score: 2

      This is exactly what I was thinking. An "encryption gateway" just sounds like one more vector for a problem. This is especially the case when its not needed. Pgp/gpg works and has worked for a long time, and requires no real infrastructure.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:PGP by Arrogant-Bastard · · Score: 2

      This. THIS.

      You cannot outsource security and expect to succeed. (Consider, for example, Vendor X. Do you think that every single employee of Vendor X is absolutely trustworthy? Really? You don't think that ANY of them are struggling financially, or maybe having an affair, or perhaps amenable to a payoff in crisp folding tax-free income? Because if there exists a non-empty set of Vendor X employees who are less than absolutely trustworthy, you are completely screwed: eventually someone will figure out which one(s) and which lever(s) to pull to subvert them. And note that this is even before we consider that Vendor X will, if sufficiently successful, inevitably be targeted by attackers, since of course hacking Vendor X comes with a very high payoff. And note that this is also before we even consider what governments armed with extrajudicial wiretaps and NSLs and such will do. In both these latter cases, Vendor X will be highly motivated not to inform you -- and that's optimistically presuming they even know.) You MUST do security in-house, which means you need to do it with open software and open standards that are fully subject to peer review.

    4. Re:PGP by SpaceCadetTrav · · Score: 4, Insightful

      So who is going to teach Gladys from accounting how to store her contacts' PGP keys and encrypt her email? And are you also going to train everyone she sends email to, as well? Out here in the real world we have to support non-techies and gateways are the most reasonable compromise.

    5. Re:PGP by HiThere · · Score: 4, Insightful

      What you mention is a valid problem with the PGP type solution.

      Unfortunately, the solution of "let joe do it" opens you up not only to joe, but also to anyone who snoops the unencrypted transmission between Gladys and joe.

      In each case you evaluate how much the security matters to you, and to others. The more it matters, the closer to the origin the encryption needs to be done. (You'll have noticed I didn't encrypt this at all.) PGP is pretty good if there's enough importance for you to ensure that it's properly used. If you aren't, then "let Joe do it" for, again, varying values of Joe. Internal IT is probably more secure than someone outside, but you need to care enough to ensure that they do the job properly. (An easier job than ensuring that every Gladys does her encryption properly, but less easy than delegating it to someone outside.) At every step removed, the security decreases, and the ease increases. Make the trade-off that YOU deem appropriate.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    6. Re:PGP by Anonymous Coward · · Score: 0

      Doesn't Outlook and other programs support automatic encryption? Either way, where I work we are set up to have email automatically encrypted if we know the other party's public key. Doing encrypted email is no harder than normal email, it just takes a little longer to send. They also tell us to send an email first that is not sensitive if the recipient has never received an email from us before, saying that we support email encryption. A little warning pops up if your email won't be encrypted, and a blue icon is missing when you compose it (a red one seems to be there regardless). Additionally, they store our certificates somewhere, so we don't have to worry about losing them, we can use the webmail service at home, we only have to do that "we support encryption" email once per recipient, and they can access our mail if they need to conduct an investigation or turn it over to someone else.

    7. Re:PGP by Anonymous Coward · · Score: 1

      Use PGP/GPG for god's sake.

      I would suggest S/MIME certificates instead, far more email programs support S/MIME out of the box than PGP.

      Do you delegate signatures in sensitive and confidential cases to your co-workers?

      Yes. It's quite common for a business to have a recovery key. And sometimes you do want to delegate functions to someone else.

    8. Re:PGP by Arrogant-Bastard · · Score: 5, Insightful

      Gateways are NOT a "compromise": they are total failure. They say to the world "we care about the appearance of security/privacy/integrity; we just can't trouble ourselves to actually, really, truly, provide those things."

      Speaking as someone who's taught Gladys from accounting how to use mutt and GPG -- several thousand Gladys, actually -- it CAN be done. It requires effort, it requires time, it requires budget: but it can be done. Consider it an investment: is it better to spend these resources on Gladys, our valued employee, or is it better to spend these resources on a vendor?

    9. Re:PGP by westlake · · Score: 1

      So who is going to teach Gladys from accounting how to store her contacts' PGP keys and encrypt her email?

      Not to mention the fact that Gladys is a temp and Harriet is an intern and both will be gone within a week.

    10. Re:PGP by Attila+Dimedici · · Score: 1

      How do you convince your clients to install PGP certificates on their end? I need a solution that does not require those who we send email to to do anything other than act in response to the email they get from us.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    11. Re:PGP by Bert64 · · Score: 3, Informative

      The IT department provides all staff with a client that is already configured to send and receive PGP email...
      The client is configured to automatically encrypt when sending mail to a recipient for which it has a public key, and displays a warning if it doesn't have a key available.
      When it receives a public key via email it prompts the user to import it.

      It's really not terribly difficult if done right, and users will soon be sending encrypted mail without even realising it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    12. Re:PGP by Anonymous Coward · · Score: 1

      If you can't get people on the other end to exchange some setup information out-of-band you *cannot* have confidential, authenticated data exchanges. Full stop.

      You can get confidentiality from something like SSL (which is what many gateways do to avoid client software -- provide an HTTPS site that does server-side decryption of the message) but there's no authentication available.

      If you set up a website secured with SSL, and you got people to create accounts out-of-band, you could use such a system to remove the requirement to install client software. But that's not typically how such sites are configured.

    13. Re: PGP by koinu · · Score: 2

      I wouldn't have a problem with delegation of one's personal security responsibilities if predictable things like Comodo or DigiNotar did not happen. But they do... and it's pretty obvious. Second thing is that I have not seen anyone taking CRLs seriously with S/MIME, yet.

    14. Re:PGP by Anonymous Coward · · Score: 0

      Out here in the real world we have to support non-techies and gateways are the most reasonable compromise.

      No, not-having-the-gateway is the most reasonable compromise. It has all of the security advantages of gateway snakeoil, but at a fraction of the cost.

      If Gladys can't learn about key exchange, then it truly and simply IS impossible for her to have really secure email, period. Anyone who says they can offer her secure mail without teaching her key exchange, is in the fraud business, not the security business.

      If you relax the constraint that she must be MitM proof (you want to make her safe from passive snooping and are OK if she is defeated by targeted MitM attacks) then you can also lose the training, and use something that works just as well as a gateway but at a fraction of the cost: PGP. Just have her email client automatically get her contacts' keys from public keyservers whenever they're needed, configure it to always encrypt by default (so far I think we're up to the massive training being: the admin, not Gladys, has to click two checkboxes, for most email clients anyway), lower the trust threshold (admin guy will need to learn a bit for that), and you're done. The only training Gladys needs is to enter her passphrase sometimes, for signing or decrypting. And if she can't do that, she can't type subject lines either, so she probably wasn't able to use unencrypted email either.

    15. Re:PGP by LateArthurDent · · Score: 1

      Use PGP/GPG for god's sake. Since when do you delegate encryption and integrity to any gateways? You cannot trust ANYONE except yourself when signing private documents. Do you delegate signatures in sensitive and confidential cases to your co-workers?

      I'd go with S/MIME, because most e-mail clients will support it without having to install anything else.

    16. Re:PGP by Dadoo · · Score: 1

      So who is going to teach Gladys from accounting how to store her contacts' PGP keys and encrypt her email?

      Maybe PGP is a little on the difficult side, but at my company, we use a dedicated server for any email that needs to be encrypted. It has a little web app (written by a former employee) people can use to send and receive messages, with attachments, if necessary. All the data is transferred through HTTPS. I don't use it, myself, but it must be pretty easy, because we have to follow HIPAA regulations and we have plenty of people here who aren't exactly computer experts.

      --
      Sit, Ubuntu, sit. Good dog.
    17. Re:PGP by St.Creed · · Score: 1

      Configuring Outlook for encryption is doable. It's doable for techies in Windows Mail as well (unless you start using two accounts and don't want to encrypt one of them - the settings are global and unpolished) but I've had a client who wanted encryption and didn't get it working on his client, not even with a manual with screenprints.

      As I've said in this discussion before: why not use Lotus Domino? It's been built from the ground up for exactly this. I know it's clunky and expensive but I've worked with a lot of sysadmins that, once they worked with it, never wanted to go back to Exchange/Outlook. It's so much less of a hassle once you have the setup working. And secure too.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    18. Re:PGP by mysidia · · Score: 1

      Unfortunately, the solution of "let joe do it" opens you up not only to joe, but also to anyone who snoops the unencrypted transmission between Gladys and joe.

      You can still use crypto to secure the transmission from Gladys to Joe; as long as you trust Joe, use a TLS encrypted session from Gladys to Joe. E.g. SMTP over TLS to the gateway, with Gladys' username, and password + OTP token generated key to authenticate Gladys to Joe.

  8. Entrust by sinij · · Score: 3, Informative

    I use and like Entrust Entelligence PKI solution. Signed and/or encrypted email, used by most US gov. agencies for easier interoperability.

  9. GPG? by NoImNotNineVolt · · Score: 0

    GPG?

    --
    Chuuch. Preach. Tabernacle.
  10. I agree by daninaustin · · Score: 1

    I use it as well and it works great.

  11. email encryption gateways by nimbius · · Score: 5, Insightful

    seem like a gimmick. taking steps like ensuring your MTA always delivers using a TLS connection is probably the most interoperable decision, seeing as endpoint encryption requires two MTAs to be using the same hardware or software to encrypt/decrypt, assuming it's PKI. endpoint encryption raises big questions like at what point does the message become decrypted? where are keys stored? how do you independently verify key integrity or revoke keys that have been compromised? is there a 'barracuda back door?' and can the system be arbitrarily bypassed. These tend to be the kinds of questions that force vendors to seem standoffish or unprofessional because they don't know the answers.

    if you need real crypto, then use an open standard that's auditable and verifiable. assign keys to users, and revoke them when they become compromised or the employee leaves. you might consider configuring your mailserver to reject unencrypted messages, which can be detected using spamassassin or plain regex to ensure compliance. Make sure the stakeholders on your end are well informed as to the SLA and method/type of crypto being employed (TLS tunnel vs actual message or even both.) Encrypted messages have the potential to make collaboration cumbersome if not outright impossible without defeating the crypto at some point, while encrypted gateways can cause problems in the event certificates are checked against an authority for self-signature, or expiration. it's also worth noting once again that just because an email system is encrypted, does not mean you will receive less UBE (spam) or phishing attempts (in fact a compromised key makes these attacks far more effective.) encrypted email by nature also requires you to reveal envelope headers in plaintext, and does not excuse a mail administrator from considering or employing SPF and DKIM signatures.

    disclaimer: I've done email for more than a decade for search engine companies.

    --
    Good people go to bed earlier.
    1. Re:email encryption gateways by chispito · · Score: 1

      seem like a gimmick

      A government-mandated gimmick, depending on your field.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    2. Re:email encryption gateways by Bert64 · · Score: 1

      One issue with encrypted messages however, is that unless your mail filters have the private keys they cannot look inside the encrypted mail for spam or malware...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:email encryption gateways by St.Creed · · Score: 1

      Spear phishing is an issue there. Although I'm assuming here that there is a trace to whoever has received email from you in the first place so spear phishing would be risky.

      Spam, not so much. I really don't think spammers are going to check public keys before sending out spam. The computational complexity for doing that would raise their mailing cost without increasing profit.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    4. Re:email encryption gateways by mysidia · · Score: 1

      seem like a gimmick. taking steps like ensuring your MTA always delivers using a TLS connection is probably the most interoperable decision

      This is a good first step, but protects the transport not the message.

      If you want the message to be secure, the end should encrypt the message, then transmit it over a MTA that leverages TLS to further protect the transportation of the encrypted message payload, hop-by-hop, until the encrypted message is downloaded to the authorized reader's computer, AND then, the software on the authorized reader's computer decrypts and displays the message using a secure viewer (without writing any part of the file to disk), after the authorized user inserts their hardware security module (HSM / Smartcard), and types their secret passphrase.

    5. Re:email encryption gateways by mysidia · · Score: 1

      One issue with encrypted messages however, is that unless your mail filters have the private keys they cannot look inside the encrypted mail for spam or malware...

      Don't read encrypted mail that is also not signed. If the signer is not in your contact list, then reject the message. To be clear, this should be done in software, that automatically executes this based on IT defined policies.

      In practice, spammers and automatic malware rarely if ever encrypt the message. One of the main reasons would be users would have no idea to decrypt, also, it takes computational work to encrypt a message; which would add up very quickly if sending a lot of messages.

      That's also a way of deterring spammers -- only implement message decryption techniques that require significant computational work to encrypt the message; in fact require a proof of work in every email, equivalent to approximately 2 to 3 minutes worth of an average workstation's compute time, before a decrypted message will be displayed.

      For the sender it would be a minor annoyance.... for spammers, it could be crippling.
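The inbound policy proposed above (accept only a known signer, then demand a proof of work before the message is displayed), as an added Python example that is not part of the thread. The X-Hashcash and X-Signer header names, the difficulty and the sample addresses are assumptions; the stamp follows the hashcash v1 format, and X-Signer stands in for the identity a real signature check would yield.

```python
"""Inbound gate: known signer plus a hashcash-style proof of work.

Added example, not code from the thread.  A message is shown only if its
signer is on an IT-maintained contact list and it carries a stamp that
cost the sender real compute to mint while costing the receiver a single
hash to check.  The stamp format follows hashcash v1; the header names
(X-Hashcash, X-Signer) are assumptions, and X-Signer stands in for the
identity a real signature verification would produce.
"""
import hashlib
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Set, Tuple

STAMP_HEADER = "X-Hashcash"   # assumed header carrying the proof of work
SIGNER_HEADER = "X-Signer"    # assumed header standing in for a verified signer


def leading_zero_bits(digest: bytes) -> int:
    """Leading zero bits of a digest: hashcash's measure of the work done."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def mint(resource: str, bits: int, date: str, rand: str = "c0ffee") -> str:
    """Sender side: try counters until SHA-1 of the stamp has `bits` leading zeros.

    Expected cost is 2**bits hashes; each extra bit doubles the sender's work
    while the receiver's check stays at one hash.
    """
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int) -> bool:
    """Receiver side: well formed, minted for us, claims enough work, hash proves it.

    A production check would also bound the stamp's age and keep a seen-stamp
    store so one stamp cannot be replayed across many messages.
    """
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return False
    claimed = int(fields[1])
    if fields[3] != resource or claimed < min_bits:
        return False
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= claimed


def accept(msg: EmailMessage, contacts: Set[str], recipient: str, min_bits: int) -> Tuple[bool, str]:
    """IT-defined policy: reject unknown signers first, then require paid-for work."""
    signer = (msg[SIGNER_HEADER] or "").strip().lower()
    if signer not in contacts:
        return False, "signer not in contact list"
    stamp = msg[STAMP_HEADER]
    if not stamp or not verify(str(stamp), recipient, min_bits):
        return False, "missing or insufficient proof of work"
    return True, "display message"


def build(signer: str, stamp: str) -> EmailMessage:
    """Constructed sample message carrying the two policy headers."""
    raw = f"From: {signer}\nTo: joe@partner.example\n{SIGNER_HEADER}: {signer}\n{STAMP_HEADER}: {stamp}\n\nbody\n"
    return message_from_string(raw, policy=policy.default)


if __name__ == "__main__":
    stamp = mint("joe@partner.example", 12, "140207")  # 12 bits: ~4k hashes, quick for a demo
    contacts = {"gladys@example.com"}
    print(stamp)
    print(accept(build("gladys@example.com", stamp), contacts, "joe@partner.example", 12))
    print(accept(build("spammer@example.net", stamp), contacts, "joe@partner.example", 12))
```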

  12. Zixmail by Anonymous Coward · · Score: 2

    I've worked for companies who have used this in the past and it has worked quite well.

    1. Re:Zixmail by Anonymous Coward · · Score: 3, Informative

      I set up a ZixGateway appliance and it's worked quite well for encrypting mail. Users can enter a keyword in the subject line and it will encrypt the messages, or if it scans a message and finds something that's in one of the lexicons it encrypts it. They were very professional during initial setup and every time I've had to contact support things have gone well with quick responses. Not sure how small of a company you're working for but we're under 100 people and this solution works well for us.

    2. Re:Zixmail by bill_mcgonigle · · Score: 3, Insightful

      I'm working with one currently. It's postfix under the covers, so you can at least see what it's doing. The app is tomcat. More importantly, many of their business partners use the same solution, so they have an easy, if proprietary way to interconnect.

      My e-mail is on the TLS list so it goes through normally, but if I got the "You've got a new message from foo@example.com, go to this website for your message" e-mail instead of a real one, I'd probably just delete it.

      I understand why people do this, but the results are too close to phishing and scams for me to participate.

      My e-mail systems can all do end-to-end and transport-layer encryption; the gateways are so often there so others don't have to bother with a decent setup. And often the others are customers of large ISPs who don't know any better. But the problems aren't technical so much as ease-of-use and integration.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Zixmail by Anonymous Coward · · Score: 0

      Zix implementation here . . . was a piece of cake. First did the hardware then yanked it out when we virtualized our server room and used the Zix App. Quite knowledgeable staff.

    4. Re:Zixmail by Anonymous Coward · · Score: 0

      In my experience the Zix gateway is not much better than glorified TLS as it does not encrypt at the desktop or while emails are at rest in the mailbox.

  13. Not really the best practice by Bruce+Perens · · Score: 5, Informative

    Rather than an encryption gateway, having your email client handle encryption avoids the problem of man-in-the-middle attacks between the gateway and the client.

    I don't have much reason to encrypt, but Thunderbird has my certificate installed and does my digital signing. This is not unusual for a modern email client.

    1. Re:Not really the best practice by apleschu · · Score: 2

      Bingo! If you have the need or wish to encrypt you NEED to do it yourself. Each and every email client worth something is able to encrypt/decrypt. And the ones that are not I'd let go as fast as I let go of a hot coal. At the same time you cannot be hit by a 'quiet' discovery, you know that each employee has their own key, and so on. If you NEED encryption there is just no good reason to have encryption farmed out.

    2. Re:Not really the best practice by kwerle · · Score: 1

      But getting folks to understand security and encryption is pretty hard.

      Hybrid solutions are what you often want for a business. If the client has encrypted the message, then great - forward it through. If it has not, then encrypt it on the gateway. If it can't figure out how (missing keys), then reject the message.

      It's a shame there isn't a commonly used encryption standard. I blame the US government for making this basically illegal to implement without worrying about who a person is and what country they live in/are from.
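The two gateway policies raised in this thread, nimbius's "reject unencrypted messages, detected with spamassassin or plain regex" and the hybrid pass/encrypt/reject rule sketched just above, as one added Python example that is not part of the thread and not any vendor's code. The key directory (a set of recipient addresses), the sample messages and the placeholder ciphertext are constructed for the example; detection relies on the PGP/MIME and S/MIME content types and a regex for inline ASCII armor.

```python
"""Outbound gateway policy: detect end-to-end encryption, then route.

Added example, not code from the thread or from any product named in it.  It
implements two policies described above: reject outbound mail that is not
encrypted (read from the MIME structure, plus a plain regex for inline ASCII
armor) and the hybrid rule: pass mail the client already encrypted, encrypt at
the gateway when every recipient's key is on file, otherwise reject.  The key
directory (a set of addresses) and the sample messages are constructed.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Optional, Set, Tuple

# Inline (non-MIME) OpenPGP armor, the case a "plain regex" rule catches.
PGP_ARMOR_RE = re.compile(r"^-----BEGIN PGP MESSAGE-----\r?$", re.MULTILINE)
# RFC 8551 S/MIME media types (plus the legacy x- type); only enveloped data is ciphertext.
SMIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")
SMIME_ENVELOPED = ("enveloped-data", "authenveloped-data")

def parse(raw: str) -> EmailMessage:
    """Parse RFC 5322 text with the modern policy so address headers are structured."""
    return message_from_string(raw, policy=policy.default)

def is_encrypted(msg: EmailMessage) -> Optional[str]:
    """Return 'pgp-mime', 'smime' or 'pgp-inline' when the body is ciphertext, else None."""
    ctype = msg.get_content_type()
    # RFC 3156 PGP/MIME; multipart/signed is readable in transit and falls through.
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "pgp-mime"
    if ctype in SMIME_TYPES and msg.get_param("smime-type") in SMIME_ENVELOPED:
        return "smime"
    # Inline PGP: scan text bodies only; armor quoted inside a binary part proves nothing.
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and PGP_ARMOR_RE.search(part.get_content()):
            return "pgp-inline"
    return None

def recipients_of(msg: EmailMessage) -> Set[str]:
    """Every To/Cc/Bcc address, lower-cased so the key lookup is case-insensitive."""
    found = set()
    for name in ("to", "cc", "bcc"):
        for header in msg.get_all(name, []):
            found.update(a.addr_spec.lower() for a in header.addresses)
    return found

def route(msg: EmailMessage, known_keys: Set[str]) -> Tuple[str, str]:
    """Hybrid gateway decision: ('pass' | 'encrypt' | 'reject', reason)."""
    scheme = is_encrypted(msg)
    if scheme:
        return "pass", f"client already encrypted ({scheme})"
    rcpts = recipients_of(msg)
    if not rcpts:
        return "reject", "no recipients"
    missing = sorted(rcpts - known_keys)
    if missing:
        return "reject", "no public key on file for: " + ", ".join(missing)
    return "encrypt", "gateway encrypts for " + ", ".join(sorted(rcpts))

# Constructed samples; the ciphertext is a placeholder, not real OpenPGP or CMS data.
PLAIN = """\
From: gladys@example.com
To: Joe <joe@partner.example>
Cc: harriet@partner.example
Content-Type: text/plain; charset=us-ascii

Payroll figures attached.
"""
PGP_MIME = """\
From: gladys@example.com
To: joe@partner.example
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder
-----END PGP MESSAGE-----
--b1--
"""
SMIME = """\
From: gladys@example.com
To: joe@partner.example
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
"""
PGP_INLINE = """\
From: gladys@example.com
To: joe@partner.example
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----
placeholder
-----END PGP MESSAGE-----
"""
```

With only Joe's key on file, `route(parse(PLAIN), {"joe@partner.example"})` rejects because Harriet's key is missing, while the three encrypted samples pass untouched.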

    3. Re:Not really the best practice by Bruce+Perens · · Score: 1

      For years, we have had a cut-out in ITAR 121 that applies to Open Source, it is due to a lawsuit that Phil Karn brought against the Federal Government. Thus, you can implement with impunity, and export to anywhere, as long as it's Open Source.

    4. Re:Not really the best practice by Anonymous Coward · · Score: 0

      I still maintain that chip&pin credit cards should be the basis for the public key encryption system. Let the banks (as they're already mandated by law to do) validate the identity when they issue cards, and maintain the public key repository. Put a public ID on credit cards, so that if I want to send an encrypted email to you, I can encrypt it against 232424@id.suntrust.com 's public key. The bank is still somewhat capable of doing a MITM attack, but it at least would give you access to a crypto token that everyone in Europe carries anyway, and everyone in the US would if they weren't so collectively stupid. Don't trust a particular bank? Don't get a credit card from them. For the more paranoid, use a gift card, which, while not truly anonymous, is pretty close.

    5. Re:Not really the best practice by mysidia · · Score: 1

      I totally agree this is the ideal situation. The problem is, many e-mail clients don't provide easy-to-use encryption; they require a lot of work from the end user, they don't make it simple enough -- and they don't implement both S/MIME and GPG / OpenPGP, so there are two conflicting standards.

      S/MIME has a higher barrier to entry, due to the need for the end user to purchase, or otherwise obtain a personal X.509 certificate; typically requiring a formal certificate enrollment process, then the certificate is only good for a limited amount of time, and the user has to repeat this inconvenience every 1 to 3 years.

      Some e-mail clients such as Outlook and iPhones have supported S/MIME. In MS Exchange, previously, Outlook Web Access supported some "S/MIME browser plugin" that could be used to decrypt mail, however, support for that capability from OWA has been discontinued and removed as of Exchange 2013.

      GPG/PGP again have the problem of lacking or no native support on common e-mail clients.

      These usability challenges make a gateway, with possible use of TLS encryption between client and mail gateway, a more realistic idea, in most cases.

  14. ROT13 by Anonymous Coward · · Score: 0

    sdfer afdghwe gyfr!!!

    1. Re:ROT13 by Anonymous Coward · · Score: 0

      ROT26 is twice as secure.

    2. Re:ROT13 by arfonrg · · Score: 1

      /me goes to decode the above message to find out what he TRULY said...

      --
      Your thin skin doesn't make me a troll
  15. Astaro / Sophos UTM with mail security by Anonymous Coward · · Score: 0

    Great functions, free for personal use. Mail encryption gateway, openpgp and s/mime.

  16. Email Encryption by SecurityPro · · Score: 4, Interesting

    I would recommend Zix http://www.zixcorp.com/ or ProofPoint http://www.proofpoint.com/. Both are very good solutions and both have given me no issues with implementation. We sell both and have quite a few satisfied customers with both products. No one is perfect but these are our best vendors.

  17. Re:Not Voltage's problem: buyer error. by Anonymous Coward · · Score: 0

    Every time I think I am one question away from being ready to pull the trigger, I discover something that my contact with them had not mentioned before that has to be ironed out by the various stakeholders on my end.

    That makes no sense.

    Is it or isn't it in the contract?

    Before signing it, did you check with your stakeholders?

    Did you run it past a lawyer?

    This doesn't sound like a vendor problem to me. It sounds like someone signed something without reading the contract and completely understanding it.

    You, sir, should be fired and learn a valuable lesson from it.

    Contact, not contract. Read it again and it makes more sense.

  18. Axway's Mailgate (Used to be Tumbleweed) by Anonymous Coward · · Score: 0

    http://www.axway.com/products-solutions/email-identity-security/comprehensive-email-security/mailgate

  19. Sophos Gateway by Noan21 · · Score: 1

    I worked at a small 25 bed hospital, we implemented the Sophos email appliance. It was fantastic, the basic setup was incredibly easy to do. When you send an encrypted email out the recipient gets an email asking them to register, they create a password and are then mailed a PDF protected with the password they set. That same password will encrypt all of the PDFs they receive until they don't receive one for a period of time that you choose, at which point they create a new password. An outlook add-in is available that will allow you to quickly and easily stamp an email to be encrypted. It also functioned as our spam / virus filter and was fantastic at it. We never setup or configured the scanning of outbound emails to force encryption although that was an option. Loved it 5/5 wish we had it at my current place of employment. After I put it in place and configured it, I almost never touched it again.

    1. Re:Sophos Gateway by dskoll · · Score: 4, Insightful

      One thing I don't understand about these things: If an adversary can intercept your email, he/she can intercept the email asking for registration and create a password.

      Without an out-of-band way to register, I fail to see how these things add security.

    2. Re:Sophos Gateway by Bert64 · · Score: 1

      Also, an email asking you to visit a website in order to register looks very much like a phishing scam...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Sophos Gateway by Anonymous Coward · · Score: 0

      This is also dangerous because many of the exploits we receive (a little less than half) are in the form of PDFs and another huge chunk are .exe files that claim to be encrypted PDFs.

  20. Really? by Anonymous Coward · · Score: 0

    Encrypting the content of the e-mail is only 1 part of the problem. The recipient of the e-mail needs to know that the e-mail really did come from you, and was not spoofed by some one else ... DKIM

  21. Re:Not Voltage's problem: buyer error. by NatasRevol · · Score: 1

    But then again, which one is the typo?

    --
    There are two types of people in the world: Those who crave closure
  22. How about SSL? by guruevi · · Score: 1

    Most SMTP servers can communicate over SSL or TLS with each other these days and if you set it up correctly (e.g. Postfix), it will do so and fall back on non-encrypted methods.

    For message encryption, you're better off giving each person a personal SSL certificate (setting up a PKI should've been done for other purposes already) and all of the clients I know of support SSL encryption.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  23. Enigmail for Thunderbird by sl4shd0rk · · Score: 1

    To ease the GPG pain*. Enigmail does a great job but it's only half the battle. How you are going to reconfigure every recipient's client without causing sheer panic is going to be interesting. Please report back when you do.

    [*] - http://www.enigmail.net/home/index.php

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  24. Re:Not Voltage's problem: buyer error. by guruevi · · Score: 3, Interesting

    Voltage is a slimeball company though. They typically sell to really big institutions for many times the original quoted costs once you figure in all the 'appliances', upgrades, support contracts, implementation engineers and contractors and then their product usually doesn't deliver. They're the PWC, PeopleSoft or Gartner of e-mail.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  25. Beware of blackboxes by gmuslera · · Score: 2

    Trusting in someone that could be forced by law to give up your encrypted communications (after all, they have the right to see all your mails), or to modify packaged software to let them in, is risky these days. You maybe could trust the FBI as a concept, an entity that won't be interested in your trade secrets, but there are people working for them, and people and corporations giving orders to them directly or indirectly that have no problem abusing the power they have.

    Open source, widely tested encryption and secure channels are your best options.

    1. Re:Beware of blackboxes by Attila+Dimedici · · Score: 2

      I don't need to encrypt the email to keep it from the government. I need to encrypt the email because the government requires it.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  26. Symantic PGP Gateway by Anonymous Coward · · Score: 0

    http://www.symantec.com/gateway-email-encryption

  27. Depends on the needs by edelbrp · · Score: 2

    I've dabbled with a variety of solutions, but it really depends on what it is you are trying to secure, between whom, and where.

    GPG/PGP has been around a while, but it usually requires some third party software/plugins. It seems a little clunky to me, as most email clients already have S/MIME support built in, which brings me to...

    S/MIME requires you get a cert through a third party (Thawte used to provide free email certs). By just sending a signed email to somebody they will then have your public key.

    If you are talking about securing email between two email relays, then you can just configure the relays to enforce TLS.

    If you are talking about securing the link between clients and email sending/receiving, you can just configure the mail server (if it isn't already) to only accept connections on pop3s/imaps/smtps/etc.

    Other ideas include setting up encrypted tunnels between relays (like how ssh can do port forwarding), etc.

  28. Need more information. by Anonymous Coward · · Score: 0

    You didn't really explain the scope of what you're doing here, or what your actual requirements are.

    In our scenario Voltage is used between our enterprise and destinations for which we do not have an explicit TLS path defined. So before an outbound message leaves the enterprise, it goes through a DLP implementation; if DLP flags it as containing PII/sensitive info without TLS in place to the target, then the message is routed to Voltage to be encrypted and then delivered off to the target.

    I guess, what are you really trying to do? If it's just securing mail to a handful of clients/suppliers, then just work on key exchange and forced TLS for the target domains; if it's general everything-that-goes-out-needs-to-be-encrypted, then Voltage is not a bad option depending on whether you're using their hosted service or running their software locally in your shop. I've shared some of your frustration around deploying their stuff though, especially if you move outside of their comfort zone for how they expect it to be deployed. We've gone the route of multiple sec-mail gateways at different physical locations and for different functions, with multiple management consoles for DR/BCP etc., and yeah, a lot of things come up after the fact. It has not been easy, especially when you start going further with custom requirements for integration.

    1. Re:Need more information. by Attila+Dimedici · · Score: 1

      You hit the problem on the head. And your description of the problems dealing with Voltage hit the problem I have with them on the head as well.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    2. Re:Need more information. by Anonymous Coward · · Score: 0

      Hi,

      The offer stands to reach out directly to us from both myself and our CTO. As I cannot locate a record of any inquiry with us based on your identity used in this forum, I kindly ask you to reach out to us again to info@voltage.com. If you are working with a reseller partner, please also reach out so we can connect to the reseller team.

      I'm sure we can resolve your questions.

      I would also reiterate that for Voltage SecureMail we license by user count (on premise) and by annual subscription in the Voltage SecureMail Cloud. Anyone with any inquiries relating to products, support, pricing, technology or about our company is welcome to contact us directly through the various contact processes outlined on our website at any time.

      Mark Bower
      Vice President, Products
      Voltage Security, Inc.

  29. Then I can't (won't) read email from you. by Ungrounded+Lightning · · Score: 5, Informative

    Cisco IronPort. We use it and rely on it heavily for secure emails regarding pii for our pension fund.

    Then I can't (won't) read any email you send me.

    To read Cisco IronPort mail you must install software from Cisco.

    To install the software from Cisco you must sign an EULA - which makes a BIG POINT of being a binding contract.

    The EULA has anti-reverse-engineering terms that, were I to sign them, would (IMHO) make me unemployable in the computer security field.

    Therefore I will not install the software.

    Therefore I cannot decrypt "secure" email you send me.

    Therefore I will not do business with your company.

    Do you REALLY want to FORCE your clients to CONTRACT WITH A THIRD PARTY and SIGN AWAY THEIR RIGHTS in order to exchange important email with you?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re: Then I can't (won't) read email from you. by Anonymous Coward · · Score: 1

      That is incorrect information. The email is stored on the device and a recipient is given a link to read the email using their provided credentials from the send secure client plugin in Outlook.

    2. Re: Then I can't (won't) read email from you. by markdavis · · Score: 1

      And what if you don't and/or can't run Outlook?

    3. Re: Then I can't (won't) read email from you. by Anonymous Coward · · Score: 0

      They offer numerous ways and plugins for email clients

    4. Re: Then I can't (won't) read email from you. by gl4ss · · Score: 2

      They offer numerous ways and plugins for email clients

      ..which is the software from Cisco that was bitched about with its EULA...

      --
      world was created 5 seconds before this post as it is.
    5. Re:Then I can't (won't) read email from you. by mysidia · · Score: 1

      The EULA has anti-reverse-engineering terms that, were I to sign them, would (IMHO) make me unemployable in the computer security field.

      Then have your IT administrator install the software for you, so you are not bound by the contract, you just can't install or redistribute the software, only use the application that was installed for you.

    6. Re:Then I can't (won't) read email from you. by Anonymous Coward · · Score: 3, Informative

      Complete bunk. What software? We use Ironport, and specifically picked Ironport because its message-based encryption (PostX) didn't require anything more than a web browser and an Internet connection to decrypt messages. If you are talking about the Outlook plugin on the sender side to "encrypt" it, that's totally unnecessary - all it does is mark the message (by modifying the subject I believe) so that the Ironport appliance can recognize it and apply encryption. (Rather than using that, we just have people set the "sensitivity" to "confidential" and use that as a trigger to encrypt.) There is no software on the desktop related to Ironport that does actual encryption/decryption there (other than a common non-proprietary web browser).

      That said, a couple things are missing in the original post, like "what are your requirements for encryption?". The large majority of financial institutions, for example, are only concerned with protecting the message "in transit" over public networks (i.e. the Internet) - i.e. TLS. The reason being that they feel (right or wrong) that other security measures protect the mail "at rest" on their inhouse servers (very few major financial institutions would trust something like email in the cloud). More importantly, message based encryption prevents auditing, virus scanning, spam filtering, or effective archiving, which is all important to these organizations.

      If, on the other hand, you do want end to end encryption, there are solutions like S/MIME and pgp plugins that are installed in your desktop client, which has the client encrypt it before submitting it to your email gateway. This ensures the message is encrypted from you to the recipient, and is protected "at rest", but is also intrusive on the sender and recipient - you typically have to buy or generate a certificate/key for each sender and manage that (i.e. configure their desktop/email client, copy it to each PC they use, deal with expired/compromised keys, etc), often requires software/plugins be installed on the sender and recipients computers, and tends to require an exchange of keys with each recipient you communicate securely with - a nightmare that has pretty much kept things like S/MIME from ever succeeding.

      The OP mentioned a gateway product - this kind of presumes that they don't want to do all this per user key management and desktop config. In this case, the sender typically tags the message in some way (prefixing the subject with a keyword, setting sensitivity, etc) so that the gateway identifies it as needing encryption. The gateway then does the encryption (so it's not end-to-end, but sender gateway to recipient endpoint). These often offer "universal" solutions, in that they encrypt it in such a way that the recipient only needs a browser that runs javascript and an Internet connection to decrypt. Some of these solutions are "hosted" in that the message is redirected to a "secure" web server and the message is replaced with a https link to the "encrypted" message, with the concern then being that your mail is stored in the cloud, with all the security concerns and subpoena concerns that has. (There are solutions that allow you to do this with self hosted appliances/software as well - there's almost an unlimited number of approaches to this problem...) FWIW, with Ironport's message based encryption, at most Cisco manages key exchange between sender and recipient, but never sees the actual message, even in encrypted form (another reason we selected it).

      BTW, Ironport is excellent (even after being bought by Cisco), but is *not* cheap, so may not realistically apply to a small business.

      One final point - securing the mail assumes that both sender and recipient want it secure. The fatal flaw in any email encryption solution is if the recipient doesn't take appropriate care, and forwards it, or copies/pastes the content and resends it without any protection - ultimately, because of this, it's impossible to completely protect anything 100%. (Another reason why in a general purpose solution like this, TLS may be enough...)
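The trigger-and-route step this comment describes (sender marks the message by sensitivity or subject keyword, gateway decides what leaves encrypted and what rides the TLS hop), as an added example in Python. It is not Cisco/Ironport code. The `Sensitivity: Company-Confidential` header is what Outlook writes for the "Confidential" setting; the `[SECURE]` keyword, the internal domain `example.com` and the sample messages are constructed assumptions.

```python
"""Added example (not Cisco/Ironport code): the gateway-side trigger check.

Outlook writes "Sensitivity: Company-Confidential" for its Confidential
setting; the [SECURE] subject keyword, the internal domain and the sample
messages below are constructed assumptions for this illustration."""
import re
from email import message_from_string
from email.utils import getaddresses

SENSITIVITY_TRIGGERS = {"company-confidential", "private"}    # header values that trigger
SUBJECT_TAG = re.compile(r"^\s*\[secure\]\s*", re.IGNORECASE)  # constructed keyword
INTERNAL_DOMAIN = "example.com"                                 # constructed


def needs_encryption(msg):
    """True when the sender tagged the message by header or by subject keyword."""
    sensitivity = (msg.get("Sensitivity") or "").strip().lower()
    if sensitivity in SENSITIVITY_TRIGGERS:
        return True
    return SUBJECT_TAG.match(msg.get("Subject") or "") is not None


def external_recipients(msg):
    """Addresses outside the internal domain, collected from To and Cc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs
                   if addr and not addr.lower().endswith("@" + INTERNAL_DOMAIN)})


def gateway_decision(raw):
    """Classify one RFC 822 message and return the subject the outer envelope
    should carry.  The keyword is stripped so that every relay on the path
    does not learn that the message was marked confidential."""
    msg = message_from_string(raw)
    ext = external_recipients(msg)
    subject = SUBJECT_TAG.sub("", msg.get("Subject") or "", count=1)
    if not ext:
        action = "internal"   # never leaves the LAN: no gateway encryption
    elif needs_encryption(msg):
        action = "encrypt"    # hand to the message-based encryption path
    else:
        action = "plain"      # relies on the TLS hop the comment describes
    return {"action": action, "external": ext, "subject": subject}


# Constructed sample messages (not real traffic).
TAGGED = """From: alice@example.com
To: Bob <bob@partner.test>
Cc: carol@example.com
Subject: [SECURE] Q3 loan figures

numbers attached
"""

SENSITIVE = """From: alice@example.com
To: bob@partner.test
Subject: Q3 loan figures
Sensitivity: Company-Confidential

numbers attached
"""

PLAIN = """From: alice@example.com
To: bob@partner.test
Subject: lunch?

noon works for me
"""

INTERNAL = """From: alice@example.com
To: carol@example.com
Subject: [SECURE] draft budget

see attached
"""

if __name__ == "__main__":
    for raw in (TAGGED, SENSITIVE, PLAIN, INTERNAL):
        print(gateway_decision(raw))
```

The point of separating `external_recipients` from `needs_encryption` is the one the comment makes: the gateway's trigger only matters for mail that leaves the organisation, and internally addressed copies of a tagged message should not be pushed through a pickup portal.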

    7. Re: Then I can't (won't) read email from you. by Anonymous Coward · · Score: 0

      They offer numerous ways and plugins for email clients

      ..which is the sw from cisco that was bitched about with its eula...

      Which is unneeded to use their encryption.

    8. Re:Then I can't (won't) read email from you. by The+RealWizard+of+Oz · · Score: 1

      CISCO and Security should not be uttered in the same sentence. They are definitely not a Next Generation Firewall... (or at least not one that IDC or Gartner recognize... not to mention the fact that the Security industry does not recognize any work they have done since the PIX... and that gentleman now works for SonicWALL) If you are looking for something used by the large companies... government agencies.. etc... look at the SonicWALL email appliance (can also be run as a Virtual Machine)... it provides Anti-Spam, Anti-Phishing, Anti-Virus, DHA/DoS protection, Policy Violations to enforce Email Compliance. For small businesses this is hard to beat... it works with traditional email servers and hosted email solutions. It even provides free-text searches within email to determine if someone is mailing your company secrets outside the company. (or if a botnet virus is doing so...) If you combine this with SMARSH, you can have full Secure Archiving for email, URLs, SMS, IMs.

  30. I need to buy a car by EmagGeek · · Score: 0

    I need to buy a car, but so far the cars I've looked at haven't suited my needs, and I don't like the car dealer very much.

    Will the Slashdot community help me buy a car?

    (functionally equivalent)

  31. Barracuda hands down by Anonymous Coward · · Score: 0

    Best email gateway for the price I found (and they give back to opensource projects they use).

  32. Happy to help - Voltage Security by Anonymous Coward · · Score: 1

    If you are not getting what you need from your contact, please feel free to reach out to me directly.

    There are millions of happy users across thousands of enterprises around the world using Voltage SecureMail, either on-premise or from the Voltage SecureMail Cloud, to secure emails and files end to end. Banks like Wells Fargo and JPMC use it universally, cloud providers for Exchange including Microsoft use it as a security option for Office365 cloud offerings, and smaller businesses such as law firms, credit unions, and financial agencies also enjoy its simplicity in enabling privacy, even to and from popular smartphones. The cloud version simplifies deployment for SMBs in particular, and deployment can even be hybrid cloud to suit particular needs.

    We are very proud of our reputation with our customers, proven by exceptional long-term relationships and repeat business across our data security product set.

    I look forward to helping resolve whatever issue caused the concern.

    For the record - we license by active user count, not appliances, in respect to the comment on price.

    Best regards,
    Mark Bower
    VP Product Management
    contact : info@voltage.com - ask to reach me personally

  33. Open source by X10 · · Score: 1

    Djigzo email encryption gateway is open source, you can download a free version from www.djigzo.com. It supports S/MIME, it has a lot of cool features. Used by major corporations all over the world. Just give it a try, it's free.

    --
    no, I don't have a sig

  34. Steal this idea by Anonymous Coward · · Score: 0

    What if Google or other large providers were to add a time penalty to all non-TLS mail they receive? Start with 1 minute and gradually increase as TLS deployment grows. SMTP error: 455 Non TLS delivery delayed, try again in one minute

    This way admins have an incentive to deploy TLS: it reaches gmail faster. Plaintext delivery on port 25 should die, pure and simple.

  35. How about smtp.nsa.gov? by CheckeredFlag · · Score: 1

    I hear they have excellent decrypt...I mean encryption. I'm sure they'd be delighted to handle all your sensitive information for you! Also saves them the trouble and bandwidth of having to reroute your email to them.

  36. Please contact me to fix this by TerenceSpies · · Score: 4, Informative

    I'm the CTO at Voltage, and I'm disappointed to hear that the original poster is having a poor experience with us. While I'm not going to claim that Voltage's gateway product is the ideal solution for every small business, we do feel like we do a great job helping businesses of many sizes that handle and exchange sensitive data comply with privacy requirements. There are a lot of security solutions that have been mentioned in this thread, ranging from GPG to SMTP over TLS. All of these solutions have value, depending on the problem that you are trying to solve. Our product focuses on encrypting email messages to end users without needing to enroll those users into a traditional certificate structure, and allowing those users to decrypt those messages with minimal difficulty. Regardless, I'd like to solve the original poster's problem. I'd ask that he contact me at Voltage, and I'll handle any issue he's having at the moment.

    1. Re:Please contact me to fix this by Anonymous Coward · · Score: 0

      Your name is "Spies" and you do email encryption ?

    2. Re:Please contact me to fix this by TerenceSpies · · Score: 1

      Sigh. Yes, you can't make stuff like that up.

    3. Re:Please contact me to fix this by ls671 · · Score: 1

      Regardless, I'd like to solve the original poster's problem. I'd ask that he contacts me at Voltage, and I'll handle any issue he's having at the moment.

      If you do not already know who he is and therefore you can't contact him, then are you sure that he is real?

      I would be curious to know if he is a real customer of yours first. Just post the reply to my message here.

      --
      Everything I write is lies, read between the lines.

    4. Re:Please contact me to fix this by cupnoodleboy · · Score: 1

      Does anyone notice the name of this poster? According to wikipedia, "Spies" most commonly refers to people who engage in spying, espionage or clandestine operations. And someone claiming to be the CTO of a company providing Email Encryption Gateway has the name "Spies". If this is not a joke, the irony is incredible.

    5. Re:Please contact me to fix this by Anonymous Coward · · Score: 0

      Fuck off.
      We're talking _about_ you, not _to_ you.

    6. Re:Please contact me to fix this by Anonymous Coward · · Score: 0

      https://www.voltage.com/company/leadership/

    7. Re:Please contact me to fix this by mysidia · · Score: 1

      It does seem in poor taste that the original author chose to vent over a personal experience with some contact at Voltage in an Ask Slashdot article, having perhaps done inadequate research, and/or asked inadequate questions to learn sufficiently about the solution before presenting to stakeholders.

      I don't understand that... taking a trial of an enterprise software product, or at least reading all the technical manuals, should be key, before presenting it to stakeholders within one's own organization, as the solution, just as much as getting the pricing.

    8. Re:Please contact me to fix this by Anonymous Coward · · Score: 0

      Should be. But clearly you've never been on the receiving end of a JFDI project or one where management have already decided what the best product to use is based on their own extensive knowledge^H^H^H drinking buddies' recommendation.

  37. Barracuda Networks by charnov · · Score: 1

    Can work through their or standalone web service. They also have just about the best customer service of any company I have ever worked with.

    https://www.barracuda.com/products/emailsecurityservice

    --
    [RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.

  38. Develop a Thunderbird extension to automate by Cacadril · · Score: 3, Interesting

    People fuss too much about the security of the passphrase and such things. The effect is that almost nobody uses encryption.

    Make a Thunderbird extension that automatically sets up a default configuration that works from the get-go.
    In this default configuration the private key could be stored in a local file encrypted with a passphrase that is hardwired into the program.
    Totally insecure if there is a virus that targets this arrangement, but still a million times safer than sending everything over the wire in the clear.

    Add simple functions to synchronize the security parameters, including the private key(s), on multiple laptops and computers.

    Have the extension generate a mail that can be sent to yourself or stored in the drafts folder of your IMAP account, containing the synchronization data.
    Upon opening such a mail, or even just upon downloading it, the extension should know what to do and do it.

    Add a good user interface to perform key management tasks and to configure all these dangerous things, like turning off some automatic actions, or adding a true user-selected password to the private key file.

    Add a feature, active by default, to include in all MIME-encapsulated mails an attachment containing your public key,
    and another feature to automatically harvest all public keys that your Thunderbird installations come across. If you send a mail to some party with a known public key, encrypt automatically. If you receive an encrypted mail, decrypt automatically.
    If one copy of Thunderbird does not have the private key it needs to decrypt a mail it has received/downloaded, generate a special request mail that other instances of Thunderbird will know to answer if they have the private key requested. Etc.

    If such an extension becomes included in the standard distribution, more and more people will begin using it, and then other people will hear about it and request it from their mail application vendors.

    --
    There is no substitute for common sense. Especially, no body of rules will do.

    1. Re:Develop a Thunderbird extension to automate by Decker-Mage · · Score: 1

      Unfortunately nothing gets done because all the experts jump in stating their opinions of what is "good enough." And "good enough" for constant use is what any sane engineer (albeit sane and engineer is a bit of an oxymoron) should/would attempt. If the solution isn't used by the users, what's the frigging point. This is the dividing line between "business requirements" and user-requirements which are rarely the same IMNSHO. So all you academic/theoretical security types get together and come up with something just "good enough" that it would pass the (grand-)mother test. Please!

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go

  39. Totemo by hubertf · · Score: 1

    www.totemo.ch - somewhat pricy, but very nice handling:

    Based upon a ruleset, it can send mails encrypted with PGP or S/MIME (if keys are known), as encrypted PDF (sender gets password for manual transmission) or store the message on a webserver and just give login/password to the recipient.
    If no prior key exchange happened, the PDF solution creates a PGP key and an S/MIME cert and sends both public keys with the PDF, so the recipient can choose whatever they want.
    When receiving mails with attached PGP/S/MIME public keys/certs, totemo takes the certs and stores them for future communication in the opposite direction.

    I've seen other solutions, but Totemo seems pretty mature and works very well for me with several companies.

      - Hubert
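Post #38 (the Thunderbird extension sketch) and this Totemo post describe the same two mechanisms: harvest public keys from the mail that arrives and remember them per correspondent, then encrypt automatically to anyone whose key is known and fall back to something keyless (Totemo's PDF path) on first contact, attaching your own public keys so the reply can be encrypted. Below is an added Python example of that logic using only the standard library; it is not code from Thunderbird, Totemo or any vendor, and the key blobs, addresses, file names and preference order are constructed placeholders, not real key material. It goes one step beyond both posts by pinning the first key seen for an address and flagging, rather than silently replacing, a different key later, since a store that auto-harvests from every incoming mail would otherwise let any sender overwrite a correspondent's key.

```python
"""Added example for the Thunderbird-extension and totemo posts; not code
from Thunderbird, totemo or any vendor.  Key blobs, addresses, file names and
the preference order are constructed placeholders, not real key material."""
import hashlib
from email.message import EmailMessage
from email.parser import BytesParser
from email.policy import default
from email.utils import parseaddr

# Registered MIME types for OpenPGP keys and S/MIME certificate bundles.
KEY_TYPES = {"application/pgp-keys": "pgp", "application/pkcs7-mime": "smime"}
KEY_FILES = {"application/pgp-keys": "pubkey.asc", "application/pkcs7-mime": "cert.p7c"}


def fingerprint(blob):
    """Short, stable identifier for a key blob (SHA-256 prefix)."""
    return hashlib.sha256(blob).hexdigest()[:16]


class KeyDirectory:
    """Trust-on-first-use store keyed by (sender address, key type).

    The first key seen for an address is pinned.  A later, different key for
    the same address is not silently accepted: it is logged as a conflict,
    because anyone able to send mail could otherwise swap a correspondent's
    key and read the next encrypted message.  Resolving a conflict is left to
    a person, which is the key-management UI the Thunderbird post asks for."""

    def __init__(self):
        self.keys = {}        # (address, kind) -> fingerprint
        self.conflicts = []   # (address, kind, pinned_fp, offered_fp)

    def harvest(self, raw):
        """Scan one raw message; return one (status, kind) per key attachment."""
        msg = BytesParser(policy=default).parsebytes(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        results = []
        for part in msg.iter_attachments():
            kind = KEY_TYPES.get(part.get_content_type())
            if kind is None or not sender:
                continue
            fp = fingerprint(part.get_content())   # decoded bytes for application/*
            slot = (sender, kind)
            if slot not in self.keys:
                self.keys[slot] = fp
                results.append(("pinned", kind))
            elif self.keys[slot] == fp:
                results.append(("unchanged", kind))
            else:
                self.conflicts.append((sender, kind, self.keys[slot], fp))
                results.append(("conflict", kind))
        return results

    def known_kinds(self, address):
        return {kind for (addr, kind) in self.keys if addr == address.lower()}


def select_method(directory, recipient, prefer=("smime", "pgp"), fallback="encrypted-pdf"):
    """The ruleset: first known key type in preference order, otherwise the
    fallback that needs no prior key exchange (totemo's PDF path)."""
    known = directory.known_kinds(recipient)
    for kind in prefer:
        if kind in known:
            return kind
    return fallback


def build_outgoing(sender, recipient, body, our_keys):
    """Outbound mail carrying our public keys so the other side can harvest them.
    our_keys maps a MIME type from KEY_TYPES to the (constructed) key bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "constructed sample"
    msg.set_content(body)
    for ctype, blob in our_keys.items():
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(blob, maintype=maintype, subtype=subtype,
                           filename=KEY_FILES.get(ctype, "key.bin"))
    return msg.as_bytes()


if __name__ == "__main__":
    directory = KeyDirectory()
    inbound = build_outgoing("Bob <bob@partner.test>", "us@example.com", "hello",
                             {"application/pgp-keys": b"constructed-pgp-key-1"})
    print(directory.harvest(inbound))                 # [('pinned', 'pgp')]
    print(select_method(directory, "bob@partner.test"))   # pgp
    print(select_method(directory, "new@partner.test"))   # encrypted-pdf
```

Outbound mail built with `build_outgoing` is what makes the scheme bootstrap itself, as both posts intend: the first reply from a new correspondent already carries their key, and from then on `select_method` picks PGP or S/MIME instead of the fallback.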

    1. Re:Totemo by modir · · Score: 1

      I can only second totemo. Their product is really very good.

      Another one I can recommend is http://www.seppmail.ch/en/home/ (If you have Blackberries then totemo is the better choice.)

  40. What is the best? by bmo · · Score: 1

    The one that satisfies your needs. It's like on /g/ when someone says "What's the best Linux distro" to start a flamewar (it works), or what's the best motorcycle to ride, or what's the best chef's knife to wield in your kitchen.

    The answer is always "It depends."

    It depends on how much you want to spend and your technical expertise - whether you want to farm it out or DIY. There are arguments for and against both. To ask third parties that aren't intimately knowledgeable of your situation what's the "best" anything for you is silly.

    --
    BMO

  41. IBM Domino AKA (Lotus Domino) by Anonymous Coward · · Score: 0

    Seriously I know there is a lot of hate out there but IBM Domino (Server) & Notes (Desktop Client) & Traveler (mobile client) are seriously worth considering.
    I have 10+ years of admin experience of both Exchange and Domino environments. I have to say I prefer Domino because of Encryption, Digital Signatures and Replication.

  42. Axway Secure Messenger by Anonymous Coward · · Score: 0

    Very simple to use. www.axway.com

  43. The Perfect Solution by hodet · · Score: 1

    For the perfect solution simply follow the instructions below;

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v2.0.14 (MingW32)

    hQIOAy7t6bIA+H1sEAf7BBJ/h/p1oGgPcpLDPChJu99apWYTPGxThrgrFLS1o5N5
    Sr8b+fFcTGVByvKGvrfDQTr2vnCJ7ezLyLyBnj2H+C/RdKOqFfp8PWjWpzhVXquW
    JAA4eLVC5B9eLQKcYFufvtS/Ad0I1SRc/vlDcrtezcZf5ify8SRLKIRxMMuRhunw
    WktClayAGrhgfofg3wN2B6F6TB3afpPL4HQLqaz7PL8ZrDcwqof0ExJw8kx+Jx2t
    Q58YBtwnKuN4ynXTxImjpZBncsWsRztIQa53Xt00gy2yhdWHaIdoEtif5u6AhiP8
    GVLYvmJNKBUozsyO2HyKuCwh6phaQMlPts8boL3pvAgA5RMWxAmrXDE+D0IlJWks
    58NGo4D+/0xvKC3UT6ZscSRKDc6fdt7Eec1eYJ4MW1i+qlP+9JCYVFGa7uANc8St
    2wCSAa1FIV4scytAZIbTvpHCyQ51faS1m23WXHkmBg7/AiaKuh+YOvaCzdGueFXc
    stBWzYVSjiEKp4vAJjD4GDyx3v1flgSwUl2kKFErbRRerKeTxRvfL+c7VCID+vh4
    7JTLT0ySAYr3xCDys1W6NLEIdkNBlojh+laQmo8/8tCCLKST0D2KMmI2RKuf+rS4
    TOrMceKGZ8WcgGPckhsSnR883hU/iUPU887Mfb3iUfBiKZsBTyeAIwaKSM8O0agX
    I8ky7LMBuYdTuLoF+wGsNqsudjfxkaTH3mnjdcAdlQPVkPjoDTO9XIljLkQh4cTM
    BDQ4vu4=
    =keTX
    -----END PGP MESSAGE-----

    You are welcome!

  44. PKI by ls671 · · Score: 1

    1) You encrypt with the public key(s) of the recipient(s). Then only they can decrypt the content, using their private key.

    2) You sign with your private key. Then, anybody can verify your signature using your public key. The content really comes from you as long as your private key wasn't compromised.

    --
    Everything I write is lies, read between the lines.

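The two operations in this post, worked through with textbook RSA at toy size so the roles of the keys are visible: encryption uses the recipient's public key and only the matching private key undoes it; signing uses the sender's private key and anyone with the sender's public key can verify. This is an added example, not the poster's code; the primes, exponent and messages are constructed, and the scheme has no padding and is deterministic, so it illustrates who uses which key and is not a usable cipher.

```python
"""Added example: the two key roles from the post, worked with textbook RSA at
toy size.  Not the poster's code; primes, exponent and sample messages are
constructed.  No padding and deterministic, so it shows who uses which key
and nothing more."""
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi")
    return (n, e), (n, pow(e, -1, phi))


CHUNK = 4  # bytes per block; every 4-byte value is below n for the primes below


def encrypt(recipient_public, plaintext):
    """Step 1: encrypt with the RECIPIENT's public key, block by block."""
    n, e = recipient_public
    blocks = [pow(int.from_bytes(plaintext[i:i + CHUNK], "big"), e, n)
              for i in range(0, len(plaintext), CHUNK)]
    return blocks, len(plaintext)


def decrypt(recipient_private, blocks, length):
    """Only the holder of the matching private key can undo step 1."""
    n, d = recipient_private
    out = bytearray()
    for i, c in enumerate(blocks):
        size = min(CHUNK, length - i * CHUNK)   # the last block may be short
        out += pow(c, d, n).to_bytes(size, "big")
    return bytes(out)


def _digest_mod_n(message, n):
    """Hash the message and reduce into the key's modulus (toy-size shortcut)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(sender_private, message):
    """Step 2: sign with the SENDER's private key over a hash of the message."""
    n, d = sender_private
    return pow(_digest_mod_n(message, n), d, n)


def verify(sender_public, message, signature):
    """Anyone holding the sender's public key can check the signature."""
    n, e = sender_public
    return pow(signature, e, n) == _digest_mod_n(message, n)


# Constructed toy primes just above and below one million; real keys use
# primes of roughly 1024 bits each.
ALICE_PUB, ALICE_PRIV = make_keypair(1000003, 999983)
BOB_PUB, BOB_PRIV = make_keypair(999979, 999961)


def alice_to_bob(message):
    """Alice encrypts to Bob's public key and signs with her own private key."""
    blocks, length = encrypt(BOB_PUB, message)
    return blocks, length, sign(ALICE_PRIV, message)


def bob_receives(blocks, length, signature):
    """Bob decrypts with his private key, then checks Alice's signature."""
    message = decrypt(BOB_PRIV, blocks, length)
    return message, verify(ALICE_PUB, message, signature)


if __name__ == "__main__":
    print(bob_receives(*alice_to_bob(b"wire 250 to account 7")))
```

Note the asymmetry the post states: Alice never touches Bob's private key and Bob never touches Alice's, which is exactly why the post's caveat about a compromised private key is the whole story for signatures.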
  45. EXACTLY... S/MIME is Standard! by johnjones · · Score: 1

    please pretty please kill these gateway "hacks" just send mail correctly using a standard http://en.wikipedia.org/wiki/S/MIME

  46. get a real account and sell a real product by Anonymous Coward · · Score: 0

    what you're selling is snake water and your sales people know that

  47. No complaints here by rickb928 · · Score: 1

    We use Voltage here, the Outlook plug-in is what users see, and it is trouble-free.

    But we have 65,000 users. YMMV.

    --
    deleting the extra space after periods so i can stay relevant, yeah.

  48. Users perspective of Voltage by Anonymous Coward · · Score: 0

    Also consider what you actually want from your encryption - apart from the security. As a user, Voltage actually works pretty well for one-on-one, or largely uni-directional email.

    Where it has big problems is the kind of many-many scenario you get when using email to co-ordinate document review. Then it turns into a terrible clunky pain in the ass.

    I accept that's probably not the primary use case, but that's what people here are using it for in the absence of anything better. And it sucks.

  49. Best-of-breed by Anonymous Coward · · Score: 0

    Depending on what you're looking for, there are really only a handful of best-of-breed vendors for email encryption in the space that will be able to truly help you out. DataMotion and ZixCorp are the 2 major players in the space. I'd look at them above all other options. They both have their advantages but from what I've seen, DataMotion tends to offer a bit more flexibility. Just my two cents.

  50. BINGO by dcavanaugh · · Score: 1

    The privacy threat that people are MOST LIKELY TO FACE is the government investigating you as a "person of interest" for various reasons. Once they get your private messages, it's fairly easy to become a target for harassment. Sure, they could always get a search warrant and pressure you to decrypt the information. But hardly any of these "investigations" are backed by enough evidence to justify that tactic. The "invisible hand" prefers to work invisibly. Most email providers will quietly hand over your information to the government without so much as a whimper of protest.

    Encryption that won't survive a subpoena of your ISP or email service provider is simply not worth doing. Client-based encryption is tough to set up because your contacts need to do the encryption and decryption on their machines. But it works.