Ability to deliver e-mails from CRES encrypted or dedicated TLS based on recipient?

Jason Meyer · ‎09-03-2015

We currently have 7500 internal users authorized to do e-mail encryption via our on-premise IronPort appliances and CRES. All is working great except for responses from external recipients. I have about 4000 users that do not want those e-mails encrypted, and want them delivered via a required TLS connection, mostly because they do not want to decrypt all of the e-mails. Well, I also have about 3500 users who want the e-mails encrypted for security reasons.

My understanding is I can either setup CRES to deliver all e-mails to my organization encrypted or all e-mails to my organization via required TLS connection. Still correct? If so, how do I resolve the above problem?

My work around is I could possibly encrypt the e-mails after they arrive at my organization for the 3500 users, but this doesn't make much sense to me as they have already traversed the internet (albeit via a TLS connection) to get to me.

Thoughts?

David Miller · ‎10-20-2015

Hi Jason,

Rather late response but I only just saw this.

Your analysis is correct, and I think your workaround (encrypting incoming replies) is the only option. Whether that is worth doing depends on why the 3500 users want the replies encrypting to their desktop. Is there some regulatory reason? Do the senders want to authenticate? Do they not trust the internal network? You will need to find the business reason behind this or convince them that is is secure enough with TLS to your gateway.

Hope this helps, Dave