When you send an email and an attachment via SSL, it travels from the PC to the office email server. Once the recipient collects the email, the message and attachment travels again via SSL to their PC. However, if an email is sent to someone outside the organization, the email is likely to be sent in plaintext. Despite this limitation, it is certainly better to use SSL for all SMTP connections that cross the Internet and other public networks.
To use SSL, you must install a digital certificate on your mail server and encrypt both mail collection as well as mail delivery. Encrypting only the SMTP protocol protects just the mail that's delivered to a Microsoft Exchange server, and not, for example, the POP3 or the IMAP4 mail collection. It's also important to remember that your message, even when sent over an SSL connection, is only encrypted during transit. The message will appear in plaintext while at rest on the mail server or the recipient's PC and on any backup media.
Therefore, to ensure email messages and attachments are secure, it is wise to encrypt them before they are sent. Using file encryption not only protects the attachment while in transit, but also protects the file as it is stored on a PC, while it passes through any mail servers and when it arrives at the recipient's machine. I also recommend signing any important messages. However, never blind carbon copy (bcc) someone an encrypted email because most email clients make it easy for the recipient to see who was bcc'd!
This was first published in October 2006