Opportunistic and Forced TLS

    Question

  • I'm looking for a way to establish a TLS connection between us and a client per the client's request.

    I sent a test mail to the client via opportunistic TLS; the client blocked the mail because they had established forced TLS.

    When clients set up forced TLS for our domain, they also blocked the opportunistic TLS (not forced TLS) mail.

    Sorry, I have no information about TLS.
    • Edited by tanale Monday, October 19, 2015 4:14 AM
    Monday, October 19, 2015 1:54 AM

Answers

  • Hi,

    To force Exchange to use TLS to send email to particular domains, you need to do the below tasks:

    1. Create a new send connector and configure it to be used for the domains that require TLS and use DNS for delivery of email and not a smart host
    2. Configure a public FQDN on the send connector 
    3. Configure this send connector to require TLS: Get-SendConnector "Internet Send Connector" | Set-SendConnector -RequireTLS:$true
    4. Install a trusted certificate with a name that matches the name used by the send connector
    5. Enable this certificate for SMTP using Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxx -Services SMTP

    To test your configuration, add TestSender.CheckTLS.com as a domain on the send connector you've created above then run the "Sender (mail from)" test on http://www.checktls.com. This test allows you to send a test email to their test system and it'll respond with the TLS test results by email.

    Let us know if this answers your question.

    Thanks.


    Please mark as an answer if this answers your question

    Mark Gossa

    MCSE 2003, MCITP Enterprise Administrator 2008 R2, MCSA 2012 R2, MCTS Exchange 2010

    Blog: http://markgossa.blogspot.com

    Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    • Marked as answer by tanale Tuesday, October 20, 2015 4:37 AM
    Monday, October 19, 2015 1:09 PM
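The five steps in the answer above, carried out in the Exchange Management Shell, as an added example (not code from the thread or from Microsoft). The connector name, partner domain, public FQDN, server name and certificate thumbprint are placeholders; the TestSender.CheckTLS.com address space is the one the answer uses for testing. -TlsAuthLevel and -TlsDomain are assumed to be available on your Exchange version (check Get-Help Set-SendConnector); without them -RequireTLS only guarantees encryption, not that the remote certificate belongs to the partner.

```powershell
# Added example, not from the thread: a send connector that requires TLS to one
# partner domain, plus the certificate binding and a verification step.

$PartnerDomain  = 'partner.example.com'       # placeholder: domain that requires TLS
$TestDomain     = 'TestSender.CheckTLS.com'   # test address space from the answer
$ConnectorName  = 'Forced TLS to partner'
$PublicFqdn     = 'mail.contoso.example'      # placeholder: must match the certificate name
$CertThumbprint = '<THUMBPRINT-PLACEHOLDER>'  # placeholder: see Get-ExchangeCertificate
$SourceServer   = 'EX01'                      # placeholder: transport server name

# Steps 1 and 2: connector scoped to the partner (and test) domains, routed via
# DNS rather than a smart host, announcing the public FQDN in EHLO.
New-SendConnector -Name $ConnectorName `
    -Usage Custom `
    -AddressSpaces "SMTP:$PartnerDomain;1", "SMTP:$TestDomain;1" `
    -DNSRoutingEnabled $true `
    -Fqdn $PublicFqdn `
    -SourceTransportServers $SourceServer

# Step 3: require TLS. DomainValidation additionally checks that the remote
# certificate chains to a trusted root and matches -TlsDomain, so a mismatched
# or untrusted certificate fails the session instead of being silently accepted.
Set-SendConnector -Identity $ConnectorName `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain $PartnerDomain

# Steps 4 and 5: pick the installed certificate whose thumbprint or subject/SAN
# matches the connector FQDN, and enable it for the SMTP service.
$cert = Get-ExchangeCertificate | Where-Object {
    $_.Thumbprint -eq $CertThumbprint -or $_.CertificateDomains -contains $PublicFqdn
} | Select-Object -First 1

if (-not $cert) {
    throw "No certificate matching $PublicFqdn is installed; install one before requiring TLS."
}
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# Verification: every setting the partner's forced-TLS requirement depends on, in one view.
Get-SendConnector -Identity $ConnectorName |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, Fqdn, RequireTLS, TlsAuthLevel, TlsDomain
```

Keep the address space narrow: a forced-TLS connector scoped to the partner domain leaves delivery to everyone else on the ordinary Internet connector, so an unrelated recipient that cannot offer STARTTLS is not bounced by this connector's RequireTLS setting.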

All replies

  • Opportunistic TLS is established when both sides in the conversation can support it.  In my experience, it just works; you don't have to do anything special to your Exchange server to enable opportunistic TLS except install a publicly trusted certificate with a common name (CN), subject alternative name (SAN), or a wildcard that matches the hostname which is used for SMTP connections to the Internet, and that certificate must be enabled for SMTP in Exchange.  When your Exchange server contacts another server that supports opportunistic TLS, they should use it.  The headers of a message should show that the message was sent via TLS.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Monday, October 19, 2015 6:45 AM
    Moderator
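A way to confirm the last point above, that the message headers show whether TLS was used on each hop, as an added example (not code from the thread). The Received: header text is constructed for the example; the Exchange "(TLS)" and "(version=TLS1_x, cipher=...)" markers and the ESMTPS keyword used by other MTAs are the patterns it looks for, and any hop without one is reported as cleartext.

```powershell
# Added example, not from the thread: walk the Received: chain of a message and
# report which hops negotiated TLS. The headers below are constructed sample data.

$SampleHeaders = @"
Received: from EX01.contoso.example (10.0.0.5) by EX02.contoso.example
 (10.0.0.6) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 19 Oct 2015
 09:12:31 +0000
Received: from mail.partner.example (203.0.113.10) by EX01.contoso.example
 (10.0.0.5) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.0.1104.5; Mon, 19 Oct 2015
 09:12:29 +0000
Received: from legacy.partner.example (203.0.113.20) by mail.partner.example
 with ESMTP id 7E3F2C1; Mon, 19 Oct 2015 09:12:27 +0000
"@

function Get-ReceivedHops {
    param([Parameter(Mandatory)][string]$HeaderText)

    # RFC 5322 folds long header fields onto continuation lines that start with
    # whitespace; join them back before splitting into individual headers.
    $unfolded = $HeaderText -replace "`r?`n[ \t]+", ' '
    $hops = @()

    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^Received:\s*from\s+(\S+).*?\bby\s+(\S+)') {
            $from = $Matches[1]
            $by   = $Matches[2]
            # Exchange marks TLS hops with "(TLS)" or "(version=TLS1_x, ...)";
            # many other MTAs use the ESMTPS / ESMTPSA keyword. Anything else
            # is reported as cleartext.
            $usedTls = [bool]($line -match '\(TLS\)|version=TLS|\bwith\s+ESMTPSA?\b')
            $hops += [pscustomobject]@{ From = $from; By = $by; TLS = $usedTls }
        }
    }

    # Each relay prepends its header, so the last one in the text is the first hop.
    [array]::Reverse($hops)
    return $hops
}

$hops = Get-ReceivedHops -HeaderText $SampleHeaders
$hops | Format-Table -AutoSize

# Flag the hops that carried the message in the clear.
$hops | Where-Object { -not $_.TLS } | ForEach-Object {
    Write-Warning "Cleartext hop: $($_.From) -> $($_.By)"
}
```

Run against the constructed sample, the two Exchange hops report TLS as True and the legacy.partner.example hop as False, which is exactly the hop a forced-TLS partner would reject. Note that Received: headers are written by the receiving servers, so only hops inside or adjacent to your own infrastructure are trustworthy evidence; a remote relay can write whatever it likes.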