Setup TLS outbound email using smart host

  • Question

  • Hi Guys,

    I am having issues finding instructions on how to set up Exchange 2013 to send email using TLS via a smart host. I can see instructions on setting up TLS with a partner, but that only lets you send via MX records using DNS. I need to use a smart host. I don't know if I can set up a partner and then add in the smart host afterwards, and whether this will still use TLS.

    So we have all outbound mail go via Mimecast, and I would like to enforce TLS for all outbound traffic using Mimecast. We have a public certificate and this is bound to IIS and SMTP.

    Can someone please send me a link or instructions on how to set up TLS for all outbound email using a smart host?

    Thanks in advance.

    Craig 


    Craig G

    Monday, April 20, 2020 9:26 AM

Answers

  • Hello,

    Use this command to enforce TLS:

    Set-SendConnector "to mimecast" -RequireTLS $true

    For the blank, I don't know; I always prefer to use a named send connector (with the correct FQDN) and use a certificate with this name as the principal name or a SAN name.

    Olivier

    Tuesday, April 21, 2020 7:26 AM
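    The settings the thread touches on (smart host routing, RequireTLS, TlsAuthLevel, TlsDomain, TlsCertificateName) fit together as follows. This is an added Exchange Management Shell example, not code from the thread or from Mimecast; the connector name "to mimecast" is the one used in the answer, while the smart host name, the TLS domain and the certificate thumbprint are placeholders you would replace with your own values.

    ```powershell
    # Added example: configure an Exchange 2013 send connector that routes all outbound
    # mail through a smart host, requires TLS, validates the smart host's certificate,
    # pins the certificate Exchange presents, and verifies the result.
    # Placeholders (assumptions, not values from the thread): $SmartHost, $TlsDomainName, $Thumbprint.

    $ConnectorName = "to mimecast"                               # connector name used in the answer
    $SmartHost     = "smarthost.example.net"                     # placeholder: provider's smart host FQDN
    $TlsDomainName = "smarthost.example.net"                     # placeholder: name expected in the remote certificate
    $Thumbprint    = "0000000000000000000000000000000000000000"  # placeholder: thumbprint of your public certificate

    # 1. Create the connector if it does not exist: all address spaces, smart-host routing,
    #    no DNS/MX lookup, port 25 (the default, which the question already uses).
    if (-not (Get-SendConnector -Identity $ConnectorName -ErrorAction SilentlyContinue)) {
        New-SendConnector -Name $ConnectorName -Usage Custom -AddressSpaces "SMTP:*;1" `
            -SmartHosts $SmartHost -DNSRoutingEnabled $false -Port 25
    }

    # 2. Require TLS and choose how strictly the smart host's certificate is checked.
    #    EncryptionOnly        -> encrypt only, no validation of the remote certificate
    #    CertificateValidation -> the remote certificate must chain to a trusted CA and be unexpired
    #    DomainValidation      -> as above, and the certificate must also match -TlsDomain
    Set-SendConnector -Identity $ConnectorName -RequireTLS $true `
        -TlsAuthLevel DomainValidation -TlsDomain $TlsDomainName

    # 3. Pin the certificate Exchange offers to the smart host. TlsCertificateName is the
    #    certificate's issuer and subject in the "<I>issuer<S>subject" form.
    #    Leave it unset and Exchange selects a certificate by the connector's Fqdn instead.
    $cert        = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $tlsCertName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
    Set-SendConnector -Identity $ConnectorName -TlsCertificateName $tlsCertName

    # 4. Verify the effective settings in one view.
    Get-SendConnector -Identity $ConnectorName |
        Format-List Name, SmartHosts, DNSRoutingEnabled, Port, Fqdn,
                    RequireTLS, TlsAuthLevel, TlsDomain, TlsCertificateName

    # 5. Verbose protocol logging records STARTTLS and the certificate used on each session,
    #    which is the direct way to confirm TLS is actually negotiated with the smart host.
    Set-SendConnector -Identity $ConnectorName -ProtocolLoggingLevel Verbose
    Get-TransportService | Select-Object Name, SendProtocolLogPath
    ```

    With RequireTLS set, a session in which the smart host does not offer STARTTLS fails rather than falling back to plain SMTP, so mail queues instead of leaving unencrypted; the send protocol log is where that failure, or the successful TLS handshake, shows up. DomainValidation is the strictest level and needs TlsDomain set to the name in the smart host's certificate; if the provider's certificate name is uncertain, CertificateValidation still rejects untrusted or expired certificates without tying the check to one name.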

All replies

  • Hello,

    By default your send connector will try to send by TLS.

    If you want to send only by TLS, you have to change this value to only try TLS:

    Set-SendConnector "Contoso.com Send Connector" -RequireTLS $true

    But if Mimecast accepts TLS, all your email will be sent with TLS (because Exchange always tries TLS first).

    Olivier


    Monday, April 20, 2020 3:11 PM
  • Hi Olivier,

    Thanks for the message. I understand optional TLS should be in use, but we have a requirement to enforce TLS at least to Mimecast. Mimecast can then enforce it to selected clients.

    I was reading somewhere that you need to set the TlsAuthLevel, and I am not sure what the correct setting should be; from your response this is not required.

    Also, if possible, can you confirm that the TlsCertificateName should be blank, as this ensures the most recent certificate is used? Is there a way to confirm the correct certificate is bound to the send connector, or is this not required, as the send connector is only worried about destination validation and the remote host is not required to validate the sending server? I assume I am also good to keep using port 25, and there is no need to change to port 587 or 586.

    Thanks for your time.

    Craig



    Craig G

    Monday, April 20, 2020 10:36 PM