Tags: asp.net-mvc, email, ssl-certificate, smtpclient, smime

Send email using SMIME in ASP.Net Mvc and Installation of certificates


I have an ASP.NET MVC web application that sends a temporary password to the client's email in plain text when the user hits the "Forgot Password" link.

Now we have a requirement to use S/MIME to send the password in a more secure way.

I did some research on the web and this is what I found.

At a very high level, S/MIME encrypts and digitally signs emails to ensure that the email is authenticated and its contents have not been altered in any way. In order to achieve this, S/MIME certificates have to be installed on all the email clients on both the recipient and the sender side. Since there could be thousands of clients, we would need a cert for every customer and a way to determine the correct cert to use for each customer. Probably these certificates have to be published to Active Directory for distribution.

My question here is, since my application is the only one sending mail to clients and is not expecting anything back from them:

In that case, do I have to install certificates on all the client machines? Would it be OK if only the sender has certificates but not the receivers/clients?

            // Requires: using System.Net.Mail;
            // smtpHost, fromAddress, toAddress, subject and body are supplied by the caller.
            SmtpClient smtpClient = new SmtpClient(smtpHost);
            smtpClient.Port = 56;
            smtpClient.EnableSsl = false;          // the SMTP session itself is also unencrypted
            MailMessage mailMessage = new MailMessage();
            mailMessage.From = fromAddress;
            mailMessage.To.Add(toAddress);         // a recipient is required, otherwise Send() throws
            mailMessage.Subject = subject;
            mailMessage.Body = body;               // the temporary password travels as plain text here
            smtpClient.Send(mailMessage);

Solution

  • You can't encrypt a message to a customer unless you have that customer's S/MIME certificate and public key.

    In that case, do I have to install certificates on all the client machines?

    That seems like an odd question to ask... but I guess if you were going to force S/MIME down your customers' throats, then "yes"?

    Would it be OK if only the sender has certificates but not the receivers/clients?

    You could certainly generate S/MIME certificates and keys for each customer that you send an email to and just store them locally on the server, but I'm not sure how useful that would be to your customers...

    How would they decrypt it if they don't have the certificate and the private key?
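As an added illustration of the answer's point (this is not code from the question or the answer), the following uses System.Security.Cryptography.Pkcs (part of .NET Framework; a NuGet package on .NET Core) to show that producing S/MIME enveloped-data needs only the recipient's certificate, while reading it needs the matching private key. The class and method names are my own, and the recipient certificate objects are assumed to be loaded by the caller.

```csharp
using System;
using System.IO;
using System.Net.Mail;
using System.Net.Mime;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper, written for this illustration.
public static class SmimeMailer
{
    // Encrypts a MIME entity for one recipient. Without the recipient's certificate
    // there is no public key to encrypt to, so the method refuses rather than guessing.
    public static byte[] EncryptForRecipient(string plainTextBody, X509Certificate2 recipientCert)
    {
        if (recipientCert == null)
            throw new ArgumentNullException(nameof(recipientCert),
                "Cannot build enveloped-data without the recipient's S/MIME certificate.");

        // The inner entity is itself MIME so the receiving client can render it after decryption.
        string innerEntity = "Content-Type: text/plain; charset=utf-8\r\n"
                           + "Content-Transfer-Encoding: 8bit\r\n\r\n" + plainTextBody;

        var cms = new EnvelopedCms(new ContentInfo(Encoding.UTF8.GetBytes(innerEntity)));
        cms.Encrypt(new CmsRecipient(recipientCert));   // uses only the certificate's public key
        return cms.Encode();                             // DER-encoded CMS enveloped-data
    }

    // Wraps the enveloped-data as an application/pkcs7-mime part. System.Net.Mail places
    // alternate views inside multipart/alternative, which not every client accepts for
    // S/MIME; a MIME library that can set the top-level content type avoids that.
    public static MailMessage Build(MailAddress from, MailAddress to, string subject, byte[] enveloped)
    {
        var msg = new MailMessage(from, to) { Subject = subject };
        var ct = new ContentType("application/pkcs7-mime") { Name = "smime.p7m" };
        ct.Parameters.Add("smime-type", "enveloped-data");
        var view = new AlternateView(new MemoryStream(enveloped), ct)
        {
            TransferEncoding = TransferEncoding.Base64
        };
        msg.AlternateViews.Add(view);
        return msg;
    }

    // Only the holder of the private key matching recipientCert can recover the text;
    // a certificate kept on the sending server does nothing for the customer's mail client.
    public static string Decrypt(byte[] enveloped, X509Certificate2 recipientCertWithPrivateKey)
    {
        var cms = new EnvelopedCms();
        cms.Decode(enveloped);
        cms.Decrypt(new X509Certificate2Collection(recipientCertWithPrivateKey));
        return Encoding.UTF8.GetString(cms.ContentInfo.Content);
    }
}
```

Calling EncryptForRecipient with a certificate exported without its private key succeeds, while Decrypt with that same export fails, which is exactly the asymmetry the answer describes.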