Encrypting mail

Encrypt outgoing, incoming, and saved mail to protect messages while they are in transit and stored in mail databases on the server. Users can encrypt outgoing mail messages sent to recipients who use either Notes® or S/MIME. If recipients prefer to receive mail in MIME format, then encrypted mail will be in S/MIME format. Users can encrypt incoming and saved mail only if they use Notes mail.

To encrypt outgoing mail

About this task

Encrypting outgoing mail ensures that only the recipient of a message can read it while the message is in transit, stored in intermediate mailboxes, or in the recipient's mail file.

Each Notes client user must encrypt outgoing mail. The administrator cannot encrypt all outgoing mail on a server.

Senders control the choice of MIME format or Notes format when sending mail directly to the Internet or for messages that are addressed to Internet addresses. Mail recipients control the format of incoming mail in their user preferences. The message format determines the choice of encryption method.

Notes uses S/MIME encryption for outgoing mail in the following situations:


The sender of an encrypted S/MIME mail message must find an Internet certificate for each intended recipient and a cross-certificate that verifies the Internet certificate. The Internet certificate can be stored in the Domino Directory, an LDAP directory that is accessible to the sender, or in the sender's Contacts. The cross-certificate must be stored in the sender's Contacts. If a Notes recipient's Internet certificate is not available to the sender, Notes attempts to use the recipient's Notes public key (if available) to encrypt the message.

Some recipients may have dual Internet certificates, meaning one certificate is for encryption and the other is for signatures and SSL. If the recipient uses dual certificates, Notes extracts the Internet encryption certificate and uses it to encrypt the message.

The sender of an encrypted Notes mail message must have the public key for each intended recipient. The public key can be stored in the Domino Directory, in an LDAP directory that is accessible to the sender, or in the sender's Contacts.
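The key-selection rules described above can be modeled as a pre-send check that shows which recipients a message could be encrypted for and why the others fail. This is an added example, not Notes or Domino code, and it calls no Notes API. The names `Cert`, `Recipient`, `choose_key` and `audit` are hypothetical, the sample data is constructed, and the model assumes that a cross-certificate is matched by issuer name and that a missing cross-certificate blocks encryption rather than triggering the Notes key fallback.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    usage: str   # "encryption", "signing", or "both"; dual certificates split the first two
    issuer: str  # constructed CA name

class Recipient(NamedTuple):
    address: str
    fmt: str               # "mime" or "notes": format this message will be sent in
    notes_user: bool
    internet_certs: tuple  # Cert entries found in the directory, LDAP, or Contacts
    notes_key: bool        # True if a Notes public key is available to the sender

def choose_key(rcpt, cross_certs):
    """Return (method, detail); method is None when the message cannot be encrypted."""
    if rcpt.fmt == "notes":
        if rcpt.notes_key:
            return ("notes", "Notes public key")
        return (None, "no Notes public key available")
    # MIME format: a signing-only certificate is never used for encryption.
    usable = [c for c in rcpt.internet_certs if c.usage in ("encryption", "both")]
    for cert in usable:
        # Assumption of this model: a cross-certificate is matched by issuer name.
        if cert.issuer in cross_certs:
            return ("smime", f"Internet encryption certificate issued by {cert.issuer}")
    if usable:
        return (None, "Internet certificate found, but no cross-certificate in Contacts")
    if rcpt.notes_user and rcpt.notes_key:
        return ("notes", "fallback to Notes public key")
    return (None, "no Internet encryption certificate")

def audit(recipients, cross_certs):
    """Map each address to the key choice, so gaps are visible before sending."""
    return {r.address: choose_key(r, cross_certs) for r in recipients}

# Constructed sample data: what one sender can see for five recipients.
CROSS_CERTS = {"Example CA 1"}
RECIPIENTS = [
    Recipient("alice@example.com", "mime", False,
              (Cert("signing", "Example CA 1"), Cert("encryption", "Example CA 1")), False),
    Recipient("bob@example.com", "mime", True, (), True),
    Recipient("carol@example.com", "mime", False, (Cert("both", "Example CA 2"),), False),
    Recipient("dave@example.com", "notes", True, (), False),
    Recipient("erin@example.com", "mime", False, (Cert("signing", "Example CA 1"),), False),
]

if __name__ == "__main__":
    for address, (method, detail) in audit(RECIPIENTS, CROSS_CERTS).items():
        print(f"{address:20} {method or 'BLOCKED':8} {detail}")
```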

To encrypt incoming mail for a mail file

About this task

If users have Editor access to their Person documents in the Domino Directory, they can encrypt all incoming mail they receive. Otherwise, the administrator must complete this procedure for them.

Procedure

1. Open the user's Person document in the Domino Directory.

2. Click Edit Person, and then click Basics.

3. In the field "When receiving unencrypted mail, encrypt before storing in your mail file", select Yes.

4. Save the document.

To encrypt saved mail

About this task

Users can encrypt drafts of unsent messages and messages that they save after sending. For unsent mail, the message is encrypted only with the sender's public key. For sent mail, the message is encrypted with the sender's and the recipient's public keys.

Only messages saved after this option is chosen are encrypted. To encrypt previously saved messages, users must open and resave the messages. Encrypting saved mail prevents other users who gain unauthorized access to the mail server from reading the messages.

Related concepts
Mail encryption
Setting up Notes clients for S/MIME
Dual Internet certificates for S/MIME encryption and signatures

Related tasks
Adding a Notes public key to the Domino Directory
Adding an Internet certificate and cross-certificate for encrypted S/MIME messages