We are interested in raising the security level of the corporate emails for a few reasons: 1) Protect internal information from leaks. 2) Mails to customers would be signed. 3) A way to mark that a mail came from the outside (to prevent social engineering attacks fishing for things, or trying to issue orders instead of a manager, etc.).
As a solution, we are thinking of this scheme (I know GPG pretty well, so I will use its terms to describe the solution):
1) All internal emails (from/to corporate domain(s)) would be sent encrypted, using the employee's GPG secret key, which would be signed by a master key (a CA key for the whole corporation).
2) Emails sent outside to customers would only be signed using the employee's private key, so if they desire, they can verify that his key is valid on our public server.
3) ANY mails detected coming from outside the corporation would have an extra line attached, saying "External mail" or something to that effect.
The advantage of working in that structure would be that should an employee resign, get fired, betray us, or have his key stolen, it is easy enough to revoke its validity using the corporate main CA key. I am not sure yet how to do it exactly, but that works in GPG.
The disadvantage is, of course, that for ALL employees, especially the dumb ones, it will be a big headache to set up encryption and to ensure they encrypt every internal email.
I read these similar questions:
Best encryption client for Outlook 2007/Exchange?
Looking for an email encryption solution
The second seems to be overly complex for our needs, but the IronPort sounded promising... however, I can't find anything relevant on their website. Am I looking wrong?
I will also mention that we are running a datacenter, so the solution has to be one we can integrate on our premises.
So, what do you think, people? Any suggestions? :)
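As an added example (not part of the original question, and not from any product mentioned in it), here is a mail-gateway policy check in Python's stdlib `email` package that implements point 3 (tagging external mail) and audits points 1 and 2 (internal mail must be PGP/MIME encrypted, outbound mail must be signed); the corporate domain, tag text, header name and sample messages are constructed assumptions.

```python
import email
import email.utils
from email import policy
# Constructed corporate domain for this example (an assumption, not from the post).
CORPORATE_DOMAINS = {"example.corp"}
EXTERNAL_TAG = "[External mail]"

def domain_of(addr):
    """Lower-cased domain of one address header value ('' if none)."""
    return email.utils.parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()

def recipient_domains(msg):
    pairs = email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {a.rpartition("@")[2].lower() for _, a in pairs if "@" in a}

def is_pgp_mime(msg, protocol):
    """RFC 3156: top-level multipart/encrypted or multipart/signed with matching protocol."""
    kind = {"application/pgp-encrypted": "multipart/encrypted",
            "application/pgp-signature": "multipart/signed"}[protocol]
    return (msg.get_content_type() == kind
            and str(msg.get_param("protocol") or "").lower() == protocol)

def apply_policy(raw, arrived_from_outside):
    """Gateway rule. `arrived_from_outside` comes from the MTA (which listener took the
    connection), never from headers, since From: is attacker-controlled. -> (msg, findings)"""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if arrived_from_outside:
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
        msg["X-Mail-Origin"] = "external"
        if domain_of(msg["From"]) in CORPORATE_DOMAINS:  # manager impersonation attempt
            findings.append("From: claims a corporate domain but mail arrived from outside")
    elif recipient_domains(msg) <= CORPORATE_DOMAINS:  # internal to internal
        if not is_pgp_mime(msg, "application/pgp-encrypted"):
            findings.append("internal mail is not PGP/MIME encrypted")
    elif not (is_pgp_mime(msg, "application/pgp-signature")
              or is_pgp_mime(msg, "application/pgp-encrypted")):
        findings.append("outbound mail is not PGP/MIME signed")
    return msg, findings

# Constructed sample messages (not real traffic).
PLAIN_INTERNAL = b"From: alice@example.corp\r\nTo: bob@example.corp\r\nSubject: Q3\r\n\r\nhi\r\n"
ENCRYPTED_INTERNAL = (
    b"From: alice@example.corp\r\nTo: bob@example.corp\r\nSubject: Q3\r\n"
    b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"\r\n\r\n'
    b"--b\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
    b"--b\r\nContent-Type: application/octet-stream\r\n\r\n(ciphertext placeholder)\r\n--b--\r\n")
SPOOFED_BOSS = b"From: ceo@example.corp\r\nTo: bob@example.corp\r\nSubject: Urgent wire\r\n\r\nPay now\r\n"
```

The check only tells you whether a message is in PGP/MIME form; actual signature and decryption validation still has to happen in the client or a keyring-aware gateway.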