Apart from the .NET Framework v4.6.2 prerequisite, which must be installed on a Windows 2012 server, GTMailPlus has one further requirement once it is installed: EFS folder encryption must be enabled on the MailBoxRepository folder located in the C:\Encore folder. Without it, the Encore service (essential to mail transmission) will fail.
Data Recovery Agent
Note that EFS requires a certificate, and this certificate is associated with the logged-on user. On the server, that logged-on user is the Administrator. If the server goes down, the files in the folder will be locked and can only be opened with the correct certificate. The Administrator is therefore the only EFS Data Recovery Agent. Any other user will need a copy of the key installed on their computer before the files can be opened. It is therefore good practice to export the key(s) and keep them in a safe place, just in case.
Step By Step Guide
Create a New EFS Data Recovery Agent
On the server, go to Administrative Tools, Group Policy Management.
Click the domain name and expand it.
Right-click the Default Domain Policy object, then click Edit.
In the Group Policy Management Editor interface, click Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System.
Next, right-click the Administrator certificate, click Delete…, and confirm the deletion by clicking Yes.
In the Group Policy Management Editor, right-click Encrypting File System, and then click Create Data Recovery Agent…
Close the Group Policy Management Editor interface and the Group Policy Management tool.
Next, open Windows PowerShell, type gpupdate /force, and press Enter.
Create the Data Recovery Agent Certificates
Go to Start, Run, type MMC, and press Enter.
In the Console1 interface, click File, and then click Add/Remove Snap-in…
In the Add or Remove Snap-ins interface, click Certificates, and then click Add…
In the Add Or Remove Snap-ins interface, click OK…
In the left pane, expand Certificates – Current User, right-click Personal, click All Tasks, and then click Request New Certificate…
The Certificate Enrollment interface pops up, click Next…
On the Select Certificate Enrollment Policy interface, verify that you have Active Directory Enrollment Policy, and then click Next…
On the Request Certificates interface, click the Basic EFS check box, and then click Enroll…
On the Certificate Installation Results interface, verify that the Status is Succeeded, and then click Finish…
In the Console1 interface, expand Certificates – Current User, expand Personal, and then click Certificates. In the right pane, verify that your current login user name is listed under Issued To and that the certificate was issued by SERVERNAME.
Right-click the Administrator certificate, then click All Tasks, Export…
In the Certificate Export Wizard, click Next, select Yes, export the private key, and click Next.
Select Personal Information Exchange – PKCS #12 (.PFX) and check Include all certificates in the certification path if possible. Click Next.
Check Password and enter the password (sealion). Click Next.
Browse to a location and enter a filename (EFSkey) to save the .pfx file.
If there is a second EFS certificate, save that also.
Enable EFS Encryption on MailBoxRepository folder
- Navigate to GTMAIL’s MailRepository folder – C:\Encore
- Select MailBoxRepository, right-click, Properties.
- In the General tab, select the Advanced button.
- Check Encrypt contents to secure data. Click OK.
- In the General tab, click Apply.
NB: If the option is enabled (Folder Options, View – check Show encrypted or compressed files in colour), you will see the folder and any files within it coloured green. Windows 10 has this off by default; for Windows Server 2012 it is on.
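To confirm the result of the steps above, the following PowerShell check (an added example, not part of the original guide or of GTMailPlus) reports whether the folder and its contents carry the EFS attribute and which EFS certificates the current user profile holds. The function names are hypothetical; the folder path is the one given above.

```powershell
# Added example: run as the account that performed the steps (Administrator on this page).
$Folder  = 'C:\Encore\MailBoxRepository'   # path from this guide
$EfsOids = @('1.3.6.1.4.1.311.10.3.4',     # Encrypting File System EKU
             '1.3.6.1.4.1.311.10.3.4.1')   # File Recovery (recovery agent) EKU

function Test-EfsAttribute {
    param([Parameter(Mandatory)][System.IO.FileSystemInfo]$Item)
    # The Encrypted attribute is what "Encrypt contents to secure data" sets.
    [bool]($Item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

function Get-EfsFolderReport {
    param([Parameter(Mandatory)][string]$Path)
    $root  = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $items = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Folder          = $root.FullName
        FolderEncrypted = Test-EfsAttribute $root
        Unencrypted     = @($items | Where-Object { -not (Test-EfsAttribute $_) } |
                            ForEach-Object { $_.FullName })
    }
}

function Get-EfsCertificate {
    # Lists certificates in the Personal store whose EKU extension names EFS or File Recovery.
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        if (@($ekus | Where-Object { $EfsOids -contains $_ }).Count) {
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey   # required to decrypt
                NotAfter      = $cert.NotAfter
                DaysLeft      = ($cert.NotAfter - (Get-Date)).Days
            }
        }
    }
}

$report = Get-EfsFolderReport -Path $Folder
$certs  = @(Get-EfsCertificate)
$report | Format-List
$certs  | Format-Table -AutoSize
if (-not $report.FolderEncrypted) { Write-Warning "$Folder is not EFS-encrypted." }
if ($report.Unencrypted.Count)    { Write-Warning "$($report.Unencrypted.Count) item(s) under $Folder are not encrypted." }
if (-not ($certs | Where-Object HasPrivateKey)) { Write-Warning 'No EFS certificate with a private key in this profile.' }
```

A warning about the missing private key on a machine other than the server means the exported .pfx has not been imported into that profile yet.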