Is TLS encryption safe? Will it break anything?

    Question

  • I am thinking about implementing TLS encryption on my Exchange server in order to communicate securely with another company's email server.  They are the only one with TLS implemented.  The Default SMTP Virtual server is running.  Will setting up TLS interfere or break any incoming/outgoing communication with non-TLS mail servers out there?
    • Edited by Banc0 Tuesday, June 25, 2013 1:56 PM
    Tuesday, June 25, 2013 1:55 PM

Answers

  • No.

    Many (most?) SMTP servers attempt to negotiate use of TLS and if both parties agree, then TLS will be used. You can see this process in the SMTP logs. If one of the servers cannot use TLS for some reason, then mail is exchanged without encryption.

    I believe that is called "opportunistic TLS".

    You can impose the use of TLS between specific organizations. This will not force the use of TLS by default.

    So you would do that with your partner organization and leave the other settings at default values.

    I believe that involves creating separate send/receive connectors but I have not looked at this for a while (glanced at it for certification, we don't use it where I work in production). So you might want to verify that.

    This guide might be a good start:

    http://technet.microsoft.com/en-us/library/bb123543(v=exchg.141).aspx

    That's for 2010. I've read that TLS functions the same way for 2013. You might google/bing for the equivalent 2013 article.

    So in summary, forcing TLS for a specific partner domain will not force TLS use in general.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Tuesday, June 25, 2013 5:52 PM
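
The difference between opportunistic TLS and TLS forced for one partner domain, as an added example (not part of the original answer and not Exchange's own code): this Python model makes the sending server's decision from the EHLO reply it receives. The domain `partner.example`, the names `REQUIRE_TLS_DOMAINS`, `ehlo_extensions` and `delivery_decision`, and the EHLO replies are hypothetical; it assumes a forced-TLS session that is not offered STARTTLS queues the mail instead of sending it unencrypted.

```python
# Added example: models the sending server's choice for one outbound SMTP session.
# The domain name and EHLO replies below are constructed sample data.

REQUIRE_TLS_DOMAINS = {"partner.example"}   # hypothetical partner domain with forced TLS


def ehlo_extensions(ehlo_reply):
    """Return the set of extension keywords from a multi-line EHLO reply."""
    extensions = set()
    lines = ehlo_reply.strip().splitlines()
    for line in lines[1:]:                    # first line is the server greeting
        if line[:3] == "250" and len(line) > 4:
            extensions.add(line[4:].split()[0].upper())
    return extensions


def delivery_decision(recipient_domain, ehlo_reply):
    """Return 'tls', 'cleartext' or 'defer' for one outbound session."""
    offers_tls = "STARTTLS" in ehlo_extensions(ehlo_reply)
    forced = recipient_domain.lower() in REQUIRE_TLS_DOMAINS
    if offers_tls:
        return "tls"          # both sides agree, so TLS is used in either mode
    if forced:
        return "defer"        # assumption: forced TLS queues rather than falling back
    return "cleartext"        # opportunistic TLS falls back when STARTTLS is absent


# Constructed EHLO replies: one server advertising STARTTLS, one not.
EHLO_WITH_TLS = """250-mail.partner.example Hello
250-SIZE 37748736
250-STARTTLS
250 8BITMIME"""

EHLO_WITHOUT_TLS = """250-mx.other.example Hello
250-SIZE 10485760
250 8BITMIME"""

if __name__ == "__main__":
    for domain, reply in [
        ("partner.example", EHLO_WITH_TLS),
        ("partner.example", EHLO_WITHOUT_TLS),
        ("other.example", EHLO_WITH_TLS),
        ("other.example", EHLO_WITHOUT_TLS),
    ]:
        print(domain, "->", delivery_decision(domain, reply))
```

Only the forced domain ever produces `defer`; every other domain keeps the default opportunistic behaviour, so a growing queue for the partner domain is the signal that its server stopped offering STARTTLS.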
  • Another discussion with possibly useful links:

    http://social.technet.microsoft.com/Forums/exchange/en-US/4e8a1b15-08e6-4cbf-9272-37ad6d551af6/tls-encryption-exchange-2010

    Check the related threads to the left of the current discussion.



    Tuesday, June 25, 2013 5:56 PM
