Require TLS Send Connectors Through Smart Host?

  • Question

  • Our new Exchange 2013 Server will not be directly connected to the Internet.  It will first forward to a spam filtering appliance on our internal network and then to another non-Exchange SMTP server at the edge of our network.

    I don't see how a special Send Connector configured on Exchange to require TLS would work when it doesn't have direct access to send mail outside.  We have to point the send connectors to the smart host anyway since that is the only path out of the network.

    What is the best way to configure mandatory TLS to specific domains when Exchange has to relay through other servers?

    Friday, May 9, 2014 3:50 AM

Answers

  • The one way you can do this is if your smart host (edge SMTP server) can be configured for Mutual TLS to the other domains. You would then need to configure all traffic to use TLS internally, i.e., between your Exchange and the spam appliance and between the spam appliance and the SMTP server. For mutual TLS to work, the sending and receiving servers authenticate each other using their own certificates; this authentication cannot be relayed or proxied via another server, so each server needs to authenticate to the next hop.
    • Marked as answer by MyGposts Friday, May 9, 2014 6:22 PM
    Friday, May 9, 2014 7:05 AM
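    The accepted answer's point that TLS is enforced hop by hop, as an added Exchange Management Shell example that is not from this thread: a dedicated Send Connector for the partner domain that still routes through the internal smart host, with TLS required and the smart host's certificate name validated on that first hop, plus a matching Receive Connector for the return path. The partner domain, smart host name, server name and IP address are placeholders.

    ```powershell
    # Added example, not from the thread. Placeholder values below.
    $PartnerDomain = 'tlsdomain.example'        # hypothetical partner domain
    $SmartHost     = 'spamfilter.corp.example'  # hypothetical internal appliance
    $SmartHostIP   = '10.0.0.5'                 # hypothetical appliance address
    $MailboxServer = 'EX2013'                   # hypothetical Exchange server

    # 1. Dedicated connector scoped to the partner domain only. Mail for that
    #    domain is still handed to the smart host, but TLS is mandatory on the
    #    Exchange -> smart host hop; the hops beyond it must be enforced on the
    #    appliance and the edge SMTP server themselves.
    New-SendConnector -Name "Outbound to $PartnerDomain (TLS)" `
        -Usage Custom `
        -AddressSpaces "SMTP:$PartnerDomain;1" `
        -SmartHosts $SmartHost `
        -DNSRoutingEnabled $false `
        -RequireTLS $true `
        -SourceTransportServers $MailboxServer

    # 2. Make "TLS" mean more than an encrypted session: DomainValidation
    #    checks the smart host's certificate subject/SAN against -TlsDomain,
    #    so a wrong or self-signed certificate on the appliance fails the hop
    #    instead of being silently accepted.
    Set-SendConnector -Identity "Outbound to $PartnerDomain (TLS)" `
        -TlsAuthLevel DomainValidation `
        -TlsDomain $SmartHost

    # 3. Confirm the effective settings before routing production mail.
    Get-SendConnector -Identity "Outbound to $PartnerDomain (TLS)" |
        Format-List Name, AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain

    # 4. Return path: partner mail reaches Exchange only from the appliance, so
    #    the Receive Connector's RemoteIPRanges is the appliance, not the
    #    partner, and TLS is required on that last internal hop.
    New-ReceiveConnector -Name "Inbound from $PartnerDomain (TLS)" `
        -Usage Custom `
        -Bindings '0.0.0.0:25' `
        -RemoteIPRanges $SmartHostIP `
        -TransportRole FrontendTransport `
        -RequireTLS $true `
        -Server $MailboxServer
    ```

    Mail that cannot negotiate TLS on the Exchange -> smart host hop queues rather than falling back to clear text, which is visible in Get-Queue as a retrying queue for the connector.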

All replies

  • From Exchange 2010 we have opportunistic TLS, by which we don't need to install a separate certificate since it has a self-signed certificate for TLS.
    You just need to check if the self-signed certificate is enabled.
    You can also check that 250 STARTTLS is visible on telnet to any external domain, which confirms that TLS is enabled.

    And for your last question:

    Create a dedicated send connector for that TLS domain:
    Set-SendConnector -Identity "Outbound to tlsdomain.com" -RequireTLS $true
    You can probably smart host the emails directly to the domain to which you want to set TLS connection if you suspect any encryption/decryption issues in spam filters.

    For receiving TLS emails you can create a separate receive connector and specify their remote IP ranges.
    You can run the below command:
    Set-ReceiveConnector -Identity "Inbound from TLS partners" -RequireTLS $true

    Remember to mark as helpful if you find my contribution useful, or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Check out my latest blog posts on www.exchangequery.com

    Friday, May 9, 2014 4:12 AM
  • How can we create dedicated send and receive connectors that require TLS for these domains when we always have to go through the smart host?

    We cannot make a send connector directly to external domains because we always have to connect to the smart host first to get outside.

    Friday, May 9, 2014 4:22 AM