views:

60

answers:

1

I'm working on a UK NHS project whereby confidential information needs to be sent via email to a known number of select users using Microsoft Outlook. It is our intention to manually install a client certificate on these machines only, and we have a server certificate loaded onto the server by the client's ISP.

However I can only seem to find 3rd party solutions using mainly COM dlls to send encrypted mail (e.g. http://www.aspencrypt.com/) and the ISP won't allow 3rd party software on the servers.

Is it possible to encrypt outgoing SMTP-generated emails using the System.Net.Mail namespace (or similar) using our server certificate?

A: 

Certificates are meant to support end-to-end encryption and authentication. These occur directly in the software the user sees, i.e. Outlook. The format you need is called S/MIME. At the SMTP layer, the various components see the encrypted mail only. In particular, there is nothing to do on the servers, only the clients need to know what happens.

A plain Outlook knows how to use S/MIME, if it is configured that way. A simple Google search excavated this article which apparently describes what you want to know.

Encrypting outgoing traffic at the SMTP level only protects data from eavesdroppers on the network, but the server itself will get the emails in cleartext, which is usually considered a misfeature in an email protection system. Apart from SMTP extensions for that (which exist; look up "SMTP STARTTLS"), you get a somewhat equivalent model with a VPN between the client machine and the SMTP server. Either way, the server must be aware of the security feature, and refrain from forwarding the email without equivalent security. Also, emails are then stored in cleartext.

Thomas Pornin
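To make the end-to-end point concrete: the following added example (my code, not from the question or the answer) builds an S/MIME enveloped-data message in .NET with only the BCL (System.Security.Cryptography.Pkcs and System.Net.Mail), so no third-party COM component is involved. It encrypts to the recipient's public certificate, which is what Outlook on the recipient machine needs to decrypt with its private key; the SMTP relay only ever sees the ciphertext part. The certificate path, SMTP host and addresses are placeholders, and it relies on MailMessage emitting a single AlternateView as the top-level MIME entity when Body is left empty.

```csharp
using System;
using System.IO;
using System.Net.Mail;
using System.Net.Mime;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class SmimeSender
{
    // Wrap the plaintext in a minimal MIME entity; S/MIME encrypts the whole
    // entity (headers + body), not just the raw text, so Outlook can render it.
    public static byte[] BuildInnerEntity(string body)
    {
        string inner = "Content-Type: text/plain; charset=utf-8\r\n"
                     + "Content-Transfer-Encoding: 8bit\r\n\r\n" + body;
        return Encoding.UTF8.GetBytes(inner);
    }

    // Produce CMS EnvelopedData for one recipient certificate (public key only).
    // AES-256-CBC is requested explicitly; the EnvelopedCms default is 3DES.
    public static byte[] Envelope(byte[] innerEntity, X509Certificate2 recipientCert)
    {
        var aes256Cbc = new AlgorithmIdentifier(new Oid("2.16.840.1.101.3.4.1.42"));
        var cms = new EnvelopedCms(new ContentInfo(innerEntity), aes256Cbc);
        cms.Encrypt(new CmsRecipient(recipientCert));
        return cms.Encode(); // DER-encoded PKCS#7, ready for base64 transport
    }

    public static void Send(string smtpHost, string from, string to, string subject, string body)
    {
        // Placeholder path: the recipient's certificate, exported WITHOUT private key.
        var recipientCert = new X509Certificate2("recipient-public.cer");
        byte[] encrypted = Envelope(BuildInnerEntity(body), recipientCert);

        var contentType = new ContentType("application/pkcs7-mime");
        contentType.Parameters.Add("smime-type", "enveloped-data");
        contentType.Parameters.Add("name", "smime.p7m");

        var msg = new MailMessage(from, to) { Subject = subject }; // Body stays empty
        var view = new AlternateView(new MemoryStream(encrypted), contentType)
        {
            TransferEncoding = TransferEncoding.Base64
        };
        msg.AlternateViews.Add(view);

        // STARTTLS protects the hop to the relay; the S/MIME envelope protects
        // the content end-to-end regardless of what the relay does afterwards.
        using var smtp = new SmtpClient(smtpHost) { EnableSsl = true };
        smtp.Send(msg);
    }
}
```

The Subject and other headers stay in cleartext, as with any S/MIME message, so keep sensitive detail out of them.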