With the "Internal Encryption" function, emails can be redirected to an internal inbox via the SEPPmail Secure E-Mail Gateway, encrypted there and returned to the internal email server for delivery.

To do this, a number of conditions must be met. The registry configuration value "InternalRecipient" must contain an email address that is not assigned to (the) proprietary email domain(s) and does not exist on the Internet. This ensures that the email server recognises this email as external and forwards it to the SEPPmail Secure E-Mail Gateway. Additionally, it is to be ensured that X-headers are not removed on any system located between the Outlook client and the SEPPmail Secure E-Mail Gateway.

 

By default, the entry under "InternalRecipient" is "ime@imepseudodomain.local". This defines the IME 1.0 procedure:

When sending an email, the original recipient (To, CC, BCC) of the email is initially taken over by the  SEPPmail Microsoft Outlook Add-In into the X-headers "X-SM-ORIGTO", "X-SM-ORIGCC" and "X-SM-ORIGBCC". As recipient, only the "InternalRecipient" from the registry is added. Additionally, a technical marker "Internal Encryption" is set.

The SEPPmail Secure E-Mail Gateway recognises based on the recipient address "ime@imepseudodomain.local"that the email is (also) to be encrypted internally. This means that the recipients from the X-headers "X-SM-ORIGTO", "X-SM-ORIGCC" and "X-SM-ORIGBCC" are restored, the X-headers are deleted and the original sender is added as another recipient. Now, the email is encrypted for the recipients (with S/MIME, provided that corresponding key material for the recipient(s) is present on the SEPPmail Secure E-Mail Gateway, otherwise it is encrypted by means of the GINA technology) and sent.

 

When the thus encrypted email is received by the original sender, the  SEPPmail Microsoft Outlook Add-In detects based on the X-header "X-ESWmail-InternalEncrypt-sentcopy"that this is the sent email which was to be internally encrypted and moves this - also encrypted, of course - email to the "Sent Items" folder. Here, the technical "Internal Encryption" marking is removed.

If, in the folder "Sent Items", an email which has the technical "Internal Encryption" marking set is stored, the email is deleted. This ensures that the originally sent, still unencrypted email is removed from the "Sent Items" folder.

 

If the value of "InternalRecipient" is changed, IME 2.0 is defined:

If the internal encryption is activated, when sending the email, the  SEPPmail Microsoft Outlook Add-In stores the created email in a signed and encrypted container email, which is then sent to the SEPPmail Secure E-Mail Gateway configured "InternalRecipient"address (usually domain-confidentiality-authority@ime.<ihremanageddomain.tld>).

The SEPPmail Secure E-Mail Gateway then unpacks the container emails which have been sent to the entered "InternalRecipient" address, encrypts them with the key material provided to the original recipient (see also Encryption Hierarchy) and sends them to the original recipients.

 

The certificates required for this purpose are to be provided in the client.

One the one hand, this is the certificate for encryption to be created under Mail System Managed Domains ADD/EDIT MANAGED DOMAIN Internal Mail Encryption. To be able to use the certificate with the SEPPmail Microsoft Outlook Add-In later, usually, a contact with the email address from the CN of this IME certificate and this certificate itself is created in the "global address list (GAL)" of the Exchange server. In most cases, this adds the certificate of the contact into the machine-related certificate memory of the clients under "Other persons" "Certificates".

 

 

On the other hand, this is a - usually self-signed - S/MIME key pair of the sender for signing which is generally provided in the certificate memory, under "Own Certificates" "Certificates".

 

Details can be obtained from the HowTo Encrypt Internal Emails.