July 01, 1998 12:00 AM

Exchange Server 5.5 Service Pack 1

Windows IT Pro
InstantDoc ID #3572
More than just another patch

By the time you read this article, Service Pack 1 (SP1) for Microsoft Exchange Server 5.5 will probably be available at http://www.microsoft.com/exchange. Microsoft doesn't produce service packs for Exchange very often because the product's code base has matured, so Exchange users have waited a long time for SP1.

SP1 includes important new features and bug fixes, most of which are already available from Microsoft's Product Support Services (PSS). Microsoft's inclusion of new features in SP1 isn't surprising. Exchange's next major functional release won't ship until after Windows NT 5.0 ships. Thus, Exchange 5.5 SP1 delivers features that help maintain Exchange's position as the most widely used messaging server for NT, while users wait for the next major Exchange release. Exchange's new features include the ability to send secure mail to users on other platforms and a message journaling function.

Interoperable Secure Email
Microsoft planned to overhaul Exchange's advanced security subsystem in version 5.5 but dropped the overhaul from the final release. Instead, Microsoft incorporated the security changes into SP1. These changes move Exchange from a proprietary security mechanism toward a security infrastructure that enables interoperability with other messaging systems. (For more information about email security in Exchange, see "Maintaining Secure Exchange Servers," October 1997.)

Secure MIME (S/MIME). Versions of Exchange before 5.5 SP1 use proprietary encryption and digital signature formats and implement mail security through Messaging API (MAPI) properties. When an Exchange server transfers a message to another platform, it strips the message of its MAPI properties, so previous versions of Exchange can't transport secure messages to other platforms.

SP1's security upgrades use S/MIME to create encrypted and digitally signed messages that users on other platforms can access. Many email vendors, including Lotus, Novell, and Netscape, have agreed to build products that support the S/MIME standard, so Exchange can send secure messages to users on other platforms.

When users send encrypted messages through an SP1 server, their email client verifies that the recipient client uses advanced security. The email client translates the message content into encrypted body parts that look like standard MIME-encoded content. The Exchange server transports the message to its recipient. S/MIME is a MIME content type, so Exchange treats S/MIME content as a message attachment, like an audio clip or PowerPoint presentation. When the recipient S/MIME client receives the message, it decrypts the content from the S/MIME body parts.

Exchange has always been able to use the Internet Mail Service (IMS) to convert Simple Mail Transfer Protocol (SMTP) and MIME messages to or from Exchange's internal storage format. These IMS conversions work nearly perfectly, and they translate MIME content with a high degree of fidelity. However, this conversion is unacceptable for transporting digital signatures, because digital signatures must be flawless for recipients to accept them as valid. Exchange 5.5 introduces a "Clients support S/MIME signatures" option for the IMS, as Screen 1 shows. If you select the option, the IMS sends S/MIME signature information with the message content as one attachment. The IMS doesn't try to translate the attachment into Exchange internal format; it leaves the decryption of the S/MIME message and validation of the signature to the receiving client.
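The following added example (not from the original article and not Exchange code) shows why a high-fidelity conversion still invalidates a signature while an opaque pass-through does not. It assumes a SHA-256 digest as a stand-in for the real S/MIME signature, and the two gateway functions are hypothetical models of the behaviors described above.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

def build_signed_part() -> bytes:
    """Constructed sample: the MIME body part a sending client signs, as exact bytes."""
    part = EmailMessage(policy=policy.SMTP)
    part.set_content("Café budget approved: 20% increase.\n", cte="quoted-printable")
    return part.as_bytes()

def sign(part: bytes) -> str:
    """Stand-in for the S/MIME signature: a real one is a signed digest of these bytes."""
    return hashlib.sha256(part).hexdigest()

def verify(part: bytes, signature: str) -> bool:
    """Receiving client's check: recompute the digest over the bytes that arrived."""
    return hashlib.sha256(part).hexdigest() == signature

def text_of(part: bytes) -> str:
    """What the reader sees: the decoded text, independent of transfer encoding."""
    return message_from_bytes(part, policy=policy.SMTP).get_content().strip()

def convert_and_regenerate(part: bytes) -> bytes:
    """Hypothetical gateway: decode into an internal form, then re-emit as MIME."""
    rebuilt = EmailMessage(policy=policy.SMTP)
    rebuilt.set_content(text_of(part) + "\n", cte="base64")
    return rebuilt.as_bytes()

def pass_through(part: bytes) -> bytes:
    """Hypothetical gateway: carry the signed part as one opaque attachment."""
    return part

def compare_paths() -> dict:
    """Run both gateway behaviors on the same signed part and report the outcome."""
    original = build_signed_part()
    signature = sign(original)
    converted = convert_and_regenerate(original)
    return {
        "text_preserved": text_of(converted) == text_of(original),
        "converted_verifies": verify(converted, signature),
        "pass_through_verifies": verify(pass_through(original), signature),
    }

if __name__ == "__main__":
    for check, result in compare_paths().items():
        print(f"{check}: {result}")
```

The converted message reads identically to the recipient, yet its signature check fails because the signed bytes changed in transit.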

Older MAPI clients can't process S/MIME attachments. Users who receive a signed S/MIME message that their mail client can't process see an error message every time they read the email. By default, the "Clients support S/MIME signatures" option is off in Exchange 5.5 and SP1, so the IMS removes signature information before sending messages. Only after most of your users convert to an S/MIME client can you send signed S/MIME messages without risking recipient errors.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.