S/MIME Email - Overview

S/MIME Email is a standards-based method for sending and receiving secure, verified email messages. It involves using public/private-key based certificates to encrypt and/or sign an email message, so that only the recipient of the email can open it (if encrypted), and the recipient knows with a high degree of certainty who sent the message (if signed).

MOVEit Central ships with S/MIME support, but the actual S/MIME operations occur in one or two pre-qualified scripts. Likewise, S/MIME parameters are expressed as task-level parameters that control those qualified scripts, rather than as source or destination options.

How Does S/MIME Work?

Encrypting, signing, and decrypting S/MIME email messages requires the use of certificates. Certificates are simply public and/or private keys wrapped up in a specific format, so that they can be used together and understood by various programs. The Email Architect tools rely on Microsoft Windows Certificate Stores to contain and manage the various certificates that may be used to create and receive S/MIME emails.

An S/MIME email message can be signed, encrypted, or both. Encrypting a message is done using the public key certificate of the recipient of the message. This ensures that only the recipient can decrypt the message, because the encryption is done so that only the recipient's private key certificate can reverse it. Signing the message is done with the sender's private key certificate, and assures the recipient that the sender of the message is who they say they are. A hash of the message is also created by the signing process, so the recipient of the message knows that the message has not been changed since it was written.

As with PGP encryption/decryption, some amount of key exchange is required. In order to encrypt a message to a given recipient, the sender must have a copy of the recipient's public key certificate. This is generally accomplished by having the recipient send the sender a signed S/MIME email message. S/MIME signatures are constructed in such a way that the signer's public key certificate can be extracted and stored for later use. Most modern email clients, including Microsoft Outlook Express and the Mozilla email client, will automatically recognize a signed message, extract the public key certificate, and store it for examination and later use.
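The sign-then-encrypt flow, the decrypt-then-verify flow, and the extraction of the signer's certificate described above, as an added example driven with the openssl command line (this is not MOVEit Central's own code, and all file names, certificate subjects and the message text are constructed for the demonstration):

```shell
#!/bin/sh
# Added example, not MOVEit Central code: the S/MIME round trip described above.
# File names, certificate subjects and the message text are constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed stand-ins for the sender's and recipient's certificate-store entries.
make_cert() {  # $1 = file prefix, $2 = address used as the subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
make_cert sender sender@example.test
make_cert recipient recipient@example.test
printf 'The quarterly report is attached.\n' > "$WORK/message.txt"

# Sender side: sign with the sender's private key (the body's hash goes into the
# signature), then encrypt to recipient.crt. The sender never touches recipient.key.
sender_sign_and_encrypt() {
    openssl smime -sign -text -in "$WORK/message.txt" -signer "$WORK/sender.crt" \
        -inkey "$WORK/sender.key" -out "$WORK/signed.p7"
    openssl smime -encrypt -aes256 -in "$WORK/signed.p7" \
        -out "$WORK/encrypted.p7" "$WORK/recipient.crt"
}

# Recipient side: decrypt with the recipient's private key, then verify. "-signer"
# writes out the signer's certificate, the same extraction a mail client performs.
recipient_decrypt_and_verify() {
    openssl smime -decrypt -in "$WORK/encrypted.p7" -inkey "$WORK/recipient.key" \
        -recip "$WORK/recipient.crt" -out "$WORK/decrypted.p7"
    openssl smime -verify -text -in "$WORK/decrypted.p7" -CAfile "$WORK/sender.crt" \
        -signer "$WORK/extracted.crt" -out "$WORK/verified.txt" 2>/dev/null
}

# Returns 0 when the original text comes back and the extracted cert is the sender's.
smime_roundtrip() {
    sender_sign_and_encrypt && recipient_decrypt_and_verify &&
        grep -q 'quarterly report' "$WORK/verified.txt" &&
        openssl x509 -in "$WORK/extracted.crt" -noout -subject | grep -q sender@example.test
}

# Integrity: alter one word of the signed clear-text body; returns 0 if verification fails.
smime_tamper_detected() {
    sender_sign_and_encrypt
    sed 's/quarterly/annual/' "$WORK/signed.p7" > "$WORK/tampered.p7"
    ! openssl smime -verify -text -in "$WORK/tampered.p7" \
        -CAfile "$WORK/sender.crt" -out /dev/null 2>/dev/null
}

smime_roundtrip && smime_tamper_detected && echo "S/MIME round trip and tamper detection OK"
```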