TLS domain secure email and securenet smart host

    Question

  • Hello

    I have to send and receive mutual TLS email to and from an external domain (bank). We currently do not use EDGE servers; we use securenet for AV and antispam. MX records for our domain point to securenet, and we send outbound email to the internet through securenet via a smart host on a send connector. From reading the documentation around Exchange 2010 and mutual TLS, it doesn't sound like I can use a smart host for TLS? How can I get this to work when using a smart host in Exchange 2010? The high-level steps I am thinking of taking are below; please let me know if I am on track with this.

    Thank you.

    #1 Import the cert into Exchange 2010 HT servers, bind the cert to the SMTP protocol. Then follow http://technet.microsoft.com/en-us/library/bb123543.aspx#Step1 to configure the TLS between the two domains.

    #2 Export the same cert and import it into securenet, configure securenet to accept the TLS SMTP traffic from the remote domain, and configure securenet to send TLS SMTP traffic back to Exchange 2010.

    Will this work?


    Bulls on Parade

    Tuesday, June 12, 2012 9:15 PM

All replies

  • Hi

    Unless securenet has its own TLS solution that you can use to secure end to end, I don't think that this will work.

    I would create a different send connector scoped for the bank's domain which is configured to use DNS rather than the smart host, and enable mutual TLS on that connector. You should also create a custom receive connector for mutual TLS.

    Steve 


    Wednesday, June 13, 2012 8:09 AM
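    A worked version of the connector setup described above in Exchange Management Shell, added here as an example and not part of the thread; the partner domain bank.example.com, the server name HUB01, the certificate thumbprint and the bank's IP range are placeholders you would replace with your own values.

    ```powershell
    # Added example: Exchange 2010 Domain Security (mutual TLS) for one partner
    # domain, alongside an existing "*" send connector that routes everything
    # else to the smart host. All values below are placeholders (assumptions).
    $PartnerDomain = "bank.example.com"            # placeholder partner domain
    $HubServer     = "HUB01"                        # placeholder Hub Transport server
    $CertThumb     = "<THUMBPRINT-OF-PUBLIC-CERT>"  # placeholder; see Get-ExchangeCertificate
    $PartnerIPs    = "203.0.113.0/24"               # placeholder (documentation range)

    # 1. Bind the third-party certificate to SMTP on the Hub server. Its subject
    #    or SAN must match the host name the bank connects to, because the bank
    #    validates that name as part of mutual TLS.
    Enable-ExchangeCertificate -Server $HubServer -Thumbprint $CertThumb -Services SMTP

    # 2. Register the partner domain for Domain Security in both directions.
    Set-TransportConfig -TLSSendDomainSecureList $PartnerDomain `
                        -TLSReceiveDomainSecureList $PartnerDomain

    # 3. Send connector scoped to the bank only. Exchange routes through the
    #    connector with the most specific address space, so bank mail takes this
    #    DNS (MX) path while everything else still leaves via the smart host.
    #    Domain Security requires DNS routing and honouring STARTTLS.
    New-SendConnector -Name "Domain Secure - $PartnerDomain" -Usage Custom `
        -AddressSpaces "SMTP:$PartnerDomain;1" `
        -DNSRoutingEnabled $true -IgnoreSTARTTLS $false `
        -DomainSecureEnabled $true -SourceTransportServers $HubServer

    # 4. Receive connector limited to the bank's sending addresses. It can share
    #    port 25 with the default connector because its RemoteIPRanges is more
    #    specific; TLS is the only allowed auth mechanism on it.
    New-ReceiveConnector -Name "Domain Secure - $PartnerDomain" -Server $HubServer `
        -Usage Internet -Bindings "0.0.0.0:25" -RemoteIPRanges $PartnerIPs `
        -AuthMechanism TLS -DomainSecureEnabled $true

    # 5. Check the resulting configuration before testing mail flow.
    Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
    Get-SendConnector "Domain Secure - $PartnerDomain" |
        Format-List DNSRoutingEnabled, DomainSecureEnabled, IgnoreSTARTTLS
    ```

    Inbound mail from the bank only reaches this receive connector if the bank delivers to the Hub server's public address directly; with the MX record pointing at securenet, that address has to be agreed with the bank and opened on the firewall.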
  • All you need to do is make sure you use TLS between your Exchange server and the smart host. Onwards from there it is down to securenet and the hops it takes to the bank; this is out of your control.

    Sukh

    Wednesday, June 13, 2012 8:51 AM
  • I agree with steve siyavaya about the send/receive connector; the best idea is to establish end-to-end connectivity (IP and Send/Receive) between servers.

    If you must use a smart host and it's not under your control, then (as I think) it's not a good idea to establish partner auth with it, because the main idea of secure mail is that the message was neither read nor changed during server-to-server transmission.

    If the smart host is under your control, I would suggest implementing an EDGE server; the anti-spam solution integrated/installed with Edge has one more valuable feature: it's integrated with SafeList (trusted senders that each user can configure in MS Outlook).

    Wednesday, June 13, 2012 9:58 AM
  • Hi Steve

    This is probably the best idea. In order to get this to work I would need to configure a second IP address on the hub transport server, then create a new send connector and somehow try and bind the new send connector to the second IP, then create a NAT rule on my firewall to allow SMTP out from the second IP and in to the second IP. I know I need to configure the send connector to use DNS rather than a smart host; however, I don't think I can bind a specific IP address to a send connector when the send connector is on a hub transport server. I know this works on an EDGE server but not HUB. So how can I make sure that emails from the connector using TLS auth to the remote domain that requires TLS auth are going out the correct external IP address on my firewall? I know I can create a second NAT rule on my firewall, but as I said before, I cannot bind a specific IP address on a send connector when the send connector is on a HT server.

    Thank you for your help


    Bulls on Parade

    Wednesday, June 13, 2012 1:09 PM
  • No problem.

    I don't follow the part about creating an additional IP address; as you have seen, only Edge servers can use a specific address for the connector. Multiple hub servers can be the source server for a single send connector, so it is not possible to set an IP.

    Wednesday, June 13, 2012 1:27 PM
  • Hi Skipster,

    Some other information for you:
    Exchange 2010 Domain message security
    For outbound email, if you have another send connector set to a specific domain, there is no need to bind a new IP for it.
    If you have any other confusing points, please feel free to let us know.

    Regards!

    Gavin

    TechNet Community Support


    Monday, June 18, 2012 6:20 AM