none
Questions regarding TLS and Exchange 2007

    คำถาม

  • We've been asked by one of our business partners using Postfix to set up our Exhange 2007 SP3 servers to use "enforced" TLS encryption when sending mail to their mail servers.  I had been reviewing this article:

    http://technet.microsoft.com/en-us/library/bb123543(v=exchg.80).aspx

    But in reviewing this forum post:

    http://social.technet.microsoft.com/Forums/en-US/exchangesvrtransport/thread/31278283-66fa-44e0-8ab8-799cd46ce2ee/

    it sounds as if Mutual TLS as described is purely an Exchange to Exchange idea:

    "On the question of securing your Exchange 2007 Org and you partner, I don't think you can use DomainSecure(Mutual TLS) unless both ends are Exchange 2007 and there is no hop in between"

    I clearly have someone on the other end who is not using Exchange.  At that point, is it true that the best we can do is encrypt the communications channel but provide no authentication?  Both sides will be using publicly obtained, trusted certificates, but I don't imagine that will help with authentication as we are already doing opportunistic TLS with the self signed certificates that are currently on our edge transport servers.

    If it's the case that encryption but no authentication is the best we can do in my scenario, can anyone point me toward a resource similar to the guide above, but appropriate to my situation? 

    Thanks for any assistance.

    23 กุมภาพันธ์ 2555 16:45

คำตอบ

ตอบทั้งหมด

  • OK, so I found this article:

    How to Use TLS Authentication in Exchange 2007 to Send and Receive Messages with Third-Party E-Mail

    http://technet.microsoft.com/en-us/library/ee428172(v=exchg.80).aspx

    That seems like a good fit for what I am trying to accomplish.  The problem is that the send connector they would have you create for sending to the remote domain is no different than the ones that are created by default.  They have the Mutual Auth TLS box checked, which as far as I know means that the send connector will try to use TLS when sending to the remote host, but if it cannot it will send in the clear.

    I need to make sure that if we cannot establish TLS with this specific remote domain, the mail will not go in the clear.

    The above article does not have me take the step of issuing this command:

    Set-TransportConfig -TLSSendDomainSecureList woodgrovebank.com

    I believe this command would force TLS for the specified domain, but I don't know if I can use the command if the remote servers are running third party (not Exchange) TLS capable email servers.

    Can I use this command?

    24 กุมภาพันธ์ 2555 3:20
  • Hi Sgravel,

    If you want use TLS in Exchange 2007 to send and receive message with third-party email, you can refer to this document:

    How to Use TLS Authentication in Exchange 2007 to Send and Receive Messages with Third-Party E-Mail
    http://technet.microsoft.com/en-us/library/ee428172(v=exchg.80).aspx

    Thanks,

    Evan Liu

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  



    Evan Liu

    TechNet Community Support

    24 กุมภาพันธ์ 2555 4:21
    ผู้ดูแล
  • Hi Evan,

    Yes, I referenced that document in the post directly above your reply.  My questions about the steps outlined in that document were:

    1. The send connector you end up with by following those steps looks just like the one you get by simply setting up an edge subscription.  Isn't it true that checking the Mutual Auth TLS box does not ENFORCE encryption, but rather uses it if the other side supports it?  That's certainly the way all our send connectors with that box checked seem to behave.
    2. Assuming #1 is the case, can I use the "Set-TransportConfig -TLSSendDomainSecureList woodgrovebank.com" command to ENFORCE encryption with a remote email domain that is using third party email servers?  It's not discussed in the document, but I believe that's what it is used for.  The potential issue is that I don't know if it works when third party email servers are involved on the other end.

    Thanks,

    Steve

    24 กุมภาพันธ์ 2555 4:49
  • Put a different way, our business partner is going to test our config by disabling TLS on their end to see if our servers simply send the email unencrypted.  Seeing as how our other send connectors that are used for general mail delivery, and set up just like the one described in this document will send unencrypted mail to servers that don't support TLS (in that instance an intentional, good thing), I am thinking we will fail their test by sending email in the clear.  

    I need to have the mail not be delivered to this one partner if we cannot encrypt it for some reason.

    24 กุมภาพันธ์ 2555 4:53
  • Have you read through the article below? if not, do it since it will guide you through all steps :)

    http://www.msexchange.org/tutorials/Securing-SMTP-Message-Flow-between-different-Exchange-Server-2007-organizations.html


    Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82

    24 กุมภาพันธ์ 2555 9:29
  • Hi Jonas,

    Yes, I looked at it, but the other organization is not running Exchange - they have Postfix.  I did not want to count on the steps being relevant, given the title of the article.  Would those steps be appropriate in my case even though it's not Exchange to Exchange?

    If those steps don't apply, is there no way to force Exchange on my side to use encryption when sending to this one domain that uses Postfix?  I don't care about authentication, I just want encryption (or failing that, not to send the messages).  I realize that leaves me vulnerable to MITM attacks, but it may be the best I can do in this case.

    Thanks,

    Steve


    • แก้ไขโดย sgravel 24 กุมภาพันธ์ 2555 12:40 typo
    24 กุมภาพันธ์ 2555 12:39
  • Hi Steve,

    Sorry, when I replied  to your question, I didn’t see your second post.

    For your issue, I am trying to involve someone familiar with this topic to further look at the issue, there might be some time delay.

    Thanks for your understanding.

    Evan Liu

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contacttngfb@microsoft.com 


    Evan Liu

    TechNet Community Support

    27 กุมภาพันธ์ 2555 9:58
    ผู้ดูแล
  • OK thanks Evan.  There doesn't seem to be a lot of clear direction in this area where the "other side" is not Exchange.  I appreciate your asking around.
    27 กุมภาพันธ์ 2555 13:52
  • It doesn't matter if the other side is Exchange or not, when they talk via SMTP and use TLS, the certificates will be validated and if they aren't trusted or can't establish a TLS connection then it won't send the email.

    I assume this is what you want i.e if either side can't use TLS, then fail?


    Sukh

    29 กุมภาพันธ์ 2555 0:21
  • Hi Sukh,

    Yes, that's exactly what I want.  Are you describing the behavior when just the "Enable Domain Security (Mutual Auth TLS)" checkbox is checked (as in the document about securing mailflow with another organization using a third party mail server), or is that behavior only expected when the additional step of adding them to the DomainSecure list with the "Set-TransportConfig -TLSSendDomainSecureList " is taken as well?  That second step is only discussed in the documents I've seen where both sides are Exchange.

    I ask because our send connectors already have the "Enable Domain Security" checkbox checked, and they do drop back to sening mail in the clear if TLS cannot be set up between the servers. 

    Thanks

    1 มีนาคม 2555 13:34
  • You need to use Set-TransportConfig -TLSSendDomainSecureList  and yes it will work with non-exchange systems.


    Sukh

    • ทำเครื่องหมายเป็นคำตอบโดย sgravel 2 มีนาคม 2555 20:53
    2 มีนาคม 2555 20:31
  • Perfect.  I will coordinate with our business partner as to when we can test this without impacting production mail flow.  Thanks!

    2 มีนาคม 2555 20:54
  • Just remember if it goes through the cloud, you need to FORCE TLS then this needs to be c-ordinated with your ISP/Hoster or if it's direct then it shouldn't really matter.

    Sukh

    2 มีนาคม 2555 20:58
  • The only mpact, if any experienced will be the mail shoudl queue somewhere depending on your topolgy for x hours/days, shouldn't lose the message.

    Sukh

    2 มีนาคม 2555 21:00