RE: digital cert vs. disclaimer

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 2 Mar 2004 09:23:52 -0500

I think that really depends on requirements from a business perspective.
There are products that can do what you speak of, but they don't often come
cheaply.  If the business requirement is to add a disclaimer, signature,
encrypt, and then route the message, then you need something that has
business rules that understand that a message destined for x domain is
encrypted.  Or a message with subject or body text that matches a filter,
must be encrypted no matter the destination.  The message could be
submitted, a disclaimer added, a signature from the server, and then
encrypted.  Any other order of the process will prevent valid sending.
 
Alternatively, you could force the users to add the disclaimer to their
autosig and then continue letting them sign/encrypt messages as they deem
necessary.
 
In that small a shop, I'd opt for the latter solution but that's my
preference.  It has the disadvantage of not allowing you to enforce the
policy centrally, but it has the advantages of low maintenance and low cost.
Since you're a health care org, you'll need to verify that it meets with
your compliance officer's requirements as well, but I can't see any reason
why the policy can't be crafted in a way that allows it.
 
As for the sickness going around, I understand that gargling with cheap
whiskey is a good solution.  To date I can't confirm nor deny its medicinal
effects as I keep drinking the whiskey first. :-)
 
 
 

  _____  

From: Stelley, Douglas [mailto:dstelley@xxxxxxx] 
Sent: Tuesday, March 02, 2004 7:34 AM
To: [ExchangeList]
Subject: [exchangelist] RE: digital cert vs. disclaimer


http://www.MSExchange.org/

    Encryption is coming as well :-(, we are a hospital with many clinics
and vendors. We occasionally have to transmit sensitive data. Right now we
use PGP when we need to encrypt confidential mail, but I'd like to enable
Encryption & Signed mail from within Exchange. And as always, our lawyers
require us to put on the disclaimer (although it really means nothing in
court). 
    I don't know, when I proposed Exchange to the organization it seemed
like a great way to allow communication within & without for us. Now that
I've had it live (Exchange2000 - 1200 users) for a year, it's eating up more
and more of my time to the point where it's a full time job in itself.
    Don't get me wrong, I've been in IT since '86, everything from
programming in Octal, HEX and binary up to what's out there today. I've been
to as much training as I can get the companies to spring for & I do enjoy
it.
    I get frustrated though, I have 3 full time jobs now (on one paycheck of
course) and it's tough to keep up. As the Net admin/ firewall admin/ security
admin, my hands are full enough keeping everything running smoothly. Since
Active Directory (a HUGE improvement over NT by the way), I've been able to
do so much more with less time involved. I'm also an Interface Admin, which
allows different healthcare computer systems to communicate via yet another
language (HL7 & TCL), another full time gig.
    I figured, hey Email, piece of cake, I set up and administrated an
Exchange 5.5 shop in VA for a few years, 5000 employees, why not here? I
made the pitch, admin loved it. Now with all these friggin worms, viruses,
security holes etc, let alone all the internal whiney employees who can't
understand why they can't send/receive 50 meg files via email, I'm goin
nuts!
    Now I gotta get signed, encrypted mail going (along with disclaimers of
course), sheesh.
 
    Forgive the rant, been up late with the sick kids, here's my plight,
sorry to drone on and on.
 
    I can't tell y'all how much time you guys have saved me, by reading
these threads, I gain so much, Thanks
 
    If anyone out there has configured Exchange 2000 (soon 2003) to do
signed, encrypted and disclaimed mail, all from the server ( 3/4 of our
users use straight OWA to anything client side), please share...
 
    (Exchange 2000 on Win 2000 SP4, with all mail going through mail gateway
with GFI Security & GFI Essential for filtering)
 
Doug

  _____  

From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx] 
Sent: Monday, March 01, 2004 3:01 PM
To: Stelley, Douglas
Subject: FW: [exchangelist] RE: digital cert vs. disclaimer


One other thing occurred to me while thinking about this.  When you
digitally sign a message, you are ensuring that it is not altered.  That's
not really suited to confidential or sensitive information transferral.  For
that, encryption is a better choice or even both encryption and signature.
You may have already known this, but just in case wanted to be sure it's up
front.
 
Al

  _____  

From: Mulnick, Al 
Sent: Monday, March 01, 2004 12:01 PM
To: [ExchangeList]
Subject: [exchangelist] RE: digital cert vs. disclaimer



I think you should concentrate on the exception route.  Signed messages come
from the client and as such arrive at the server signed.  Any change will
invalidate the signature.
 
Al

  _____  

From: Stelley, Douglas [mailto:dstelley@xxxxxxx] 
Sent: Monday, March 01, 2004 10:54 AM
To: [ExchangeList]
Subject: [exchangelist] RE: digital cert vs. disclaimer



If I installed GFI Essentials on the Exchange server & had it only do the
disclaimer, wouldn't it also attach the disclaimer after it was signed?
Or maybe I should ask how I could set up to not send signed mail through
that gateway...

  _____  

From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx] 
Sent: Monday, March 01, 2004 9:19 AM
To: [ExchangeList]
Subject: [exchangelist] RE: digital cert vs. disclaimer



I have plenty of ideas, but you may not like any of them.
 
What needs to happen is that the confidential mails either need to be
excluded from the footer or you will need to add the cert signature after
the disclaimer.  Either way would be different than what you're doing now
and would need a different architecture or a signature mechanism with more
intelligence to realize a message shouldn't be changed if it is signed. 
 
Al
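
[Added example, not part of the original thread and not GFI or Exchange code: a minimal Python sketch of the "more intelligence" gateway rule described above, which relays signed or encrypted mail byte-for-byte and only stamps plain text mail. The function names, addresses, disclaimer text and sample messages are constructed for illustration.]

```python
from email import message_from_bytes, policy

DISCLAIMER = "\r\n-- \r\nConfidentiality Notice: (constructed placeholder text)\r\n"

# Content types a gateway must pass through without touching a single byte.
PROTECTED_TYPES = {
    "multipart/signed",          # S/MIME or PGP/MIME detached signature
    "multipart/encrypted",       # PGP/MIME encrypted
    "application/pkcs7-mime",    # S/MIME opaque-signed or enveloped data
    "application/x-pkcs7-mime",
}

def is_protected(msg):
    """True if any part of the message is signed or encrypted."""
    for part in msg.walk():
        if part.get_content_type() in PROTECTED_TYPES:
            return True
        if part.get_content_maintype() == "text":
            text = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP " in text:   # inline PGP signed/encrypted body
                return True
    return False

def add_disclaimer(raw):
    """Return (bytes_to_relay, action); protected mail is relayed unchanged."""
    msg = message_from_bytes(raw, policy=policy.SMTP)
    if is_protected(msg):
        return raw, "skipped-protected"
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return raw, "skipped-unsupported"    # sketch handles simple text mail only
    body = msg.get_content()
    msg.set_content(body.rstrip("\r\n") + DISCLAIMER)
    return msg.as_bytes(), "stamped"

# Constructed sample messages; the signature blob is a placeholder, not a real one.
SIGNED = (b"From: a@example.org\r\nTo: b@example.net\r\nSubject: test\r\n"
          b"MIME-Version: 1.0\r\n"
          b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
          b' micalg=sha-256; boundary="b1"\r\n\r\n'
          b"--b1\r\nContent-Type: text/plain\r\n\r\nLab results attached.\r\n"
          b"--b1\r\nContent-Type: application/pkcs7-signature\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n")
PLAIN = (b"From: a@example.org\r\nTo: b@example.net\r\nSubject: hi\r\n"
         b"Content-Type: text/plain; charset=utf-8\r\n\r\nSee you at 3.\r\n")

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("plain", PLAIN)):
        print(name, add_disclaimer(raw)[1])
```

[Mail skipped this way leaves the gateway without the disclaimer, so the footer for that traffic has to be in the body before the client signs it.]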

  _____  

From: Stelley, Douglas [mailto:dstelley@xxxxxxx] 
Sent: Monday, March 01, 2004 8:43 AM
To: [ExchangeList]
Subject: [exchangelist] digital cert vs. disclaimer



We have Exchange 2000 and use a windows box as our mail gateway for the
outside world.
On the gateway, we use GFI's Security & Essentials programs for screening.
It really works well for us. Also, we use GFI to attach our standard
disclaimer, and like that as well, BUT.
Now we have to implement certificates on some of our "confidential" mail.
When I send test messages that are signed, the gateway attaches the
disclaimer, and voila, now the message has been altered. So the end
recipient thinks the mail is bad. Anyone have any ideas? I kind of need both
items (the disclaimer & the certificate...)
 
 
Doug
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------ 

Confidentiality Notice: The information contained in this message may be
legally privileged and confidential information intended only for the use of
the individual or entity named above. If the reader of this message is not
the intended recipient, or the employee or agent responsible to deliver it
to the intended recipient, you are hereby notified that any release,
dissemination, distribution, or copying of this communication is strictly
prohibited. If you have received this communication in error please notify
the author immediately by replying to this message and deleting the original
message. Thank you.
