summit_pcguy asked:
How do I send authenticated encrypted e-mail to Exchange 2007?

I have an employee who has a Palm mobile phone and needs to use our Exchange server.
Company policy is that internal e-mail must be encrypted.

I am using an Outlook 2007 IMAP/SMTP connection to test and am unable to send e-mail through the Exchange server using port 587 and SSL or TLS. Appropriate firewall ports are open - when I Telnet to port 587 I get a 220 connection message. I can send through the normal SMTP port 25.

I appreciate your assistance. Thank you.
SOLUTION (Ahmed Abdelbaset) - members only
SOLUTION - members only
SOLUTION (Glen Knight) - members only
ASKER CERTIFIED SOLUTION - members only
summit_pcguy (ASKER):
ahmedabdelbaset: Thanks for the reply.
I had looked at the first link before and his screen shots look exactly like mine.

The second link states SSL/SMTP on port 465 - My Exchange 2007 server was configured out of the box for 587 so I thought staying with that was the best idea. Would changing them help? Note that I am unable to connect properly inside the firewall as well. The Exchange server does respond to telnet connections on port 587.

As for the third article: I don't think that I need to change any ports on the server. Server to server SMTP (port 25) and client to server SMTP (port 25) as well as OWA (443), Outlook Anywhere, and Pocket PC pushmail are working great.
SatyaPathak: Thank you for the response.
That was a great article. I didn't understand as much as I had wished. My background is in Exchange 2003.
The article appeared to provide instructions for setting up send and receive connections for servers with fixed IP addresses. Unfortunately, the wireless device that will be sending information to my server does not have a fixed IP address. Otherwise, it seemed to me the information was verification of link #1 by ahmedabdelbaset in post #1.
Mestha: Thank you for your response.

If I browse to the https://servername.mydomain.net/owa prompt I get a nice 1024 bit lock and Outlook Web Access on IE or Firefox.
Outlook Anywhere works perfectly outside the firewall (only ports 25, 443, 993, and 587 open).
The Palm device does support ActiveSync. But only 1 push mail setup. That setup is being used by the part-time employee for his other job's Exchange server. We are planning on minimizing the risk of device theft by only keeping 1 day's messages on the device. Also he will be primarily using OWA and Outlook Anywhere - the device is primarily for notices and alerts while in the field, however confidential information could be sent which is why we want to encrypt. I confess that I am more worried about device theft than over the wire packet theft, but there is no budget to buy and maintain a cell phone. Hopefully, the next Pocket PC version will have multiple ActiveSync connections and he will upgrade to that phone.

Since you brought up the issues of certificates:
The Exchange 2007 server has two installed certificates: One is a 3rd party and handles the OWA, Pocket PC push-mail, and Outlook Anywhere with no problems. Unfortunately, I (and the Experts on this forum) have been unable to figure out the problem with my 3rd Party Cert not working for IMAP, so I created an Exchange Self-Signed certificate for IMAP that now allows secure IMAP on port 993.
The next part of this, of course, is being able to send securely to the server.


dematzer: Thank you for your response. The Technet guide was mostly stuff I had read before, however the authentication options were better described so I tried different ones with no difference.

I am still getting this from Outlook 2007 (using this for testing) when testing send mail with the Exchange server even after trying the stuff in the Technet guide: (I have tried using TLS and SSL settings)
"
Send test e-mail message: Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.
"

Further: looking in the event logs on the server:
"
Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      TransportService
Event ID:      12014
Date:            9/14/2009
Time:            11:42:48 AM
User:            N/A
Computer:      PEGASUS
Description:
Microsoft Exchange couldn't find a certificate that contains the domain name pegasus.mydomain.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default PEGASUS with a FQDN parameter of pegasus.mydomain.net. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
"

Since I know someone will ask:
"[PS] U:\>get-exchangecertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {pegasus, pegasus.mydomain.net}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=pegasus
NotAfter           : 9/18/2010 10:05:27 PM
NotBefore          : 9/18/2009 10:05:27 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : [blanked]
Services           : IMAP, POP
Status             : Valid
Subject            : CN=pegasus
Thumbprint         : [blanked]4C4F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {pegasus.mydomain.net, www.pegasus.mydomain.net}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=COMODO High Assurance Secure Server CA, O=COMODO CA Lim
                     ited, L=Salford, S=Greater Manchester, C=GB
NotAfter           : 8/2/2010 7:59:59 PM
NotBefore          : 7/6/2009 8:00:00 PM
PublicKeySize      : 1024
RootCAType         : Unknown
SerialNumber       : [blanked]
Services           : IIS, SMTP
Status             : Invalid
Subject            : CN=pegasus.mydomain.net, OU=Comodo InstantSSL, OU=my department, O=[blanked], STREET=address, STREET=suite, L=city, S=state, PostalCode=90210, C=US
Thumbprint         : [blanked]2C45
"

FYI here is my testing setup:

Outlook 2007 using IMAP/SMTP account setup...
     IMAP: Port 993 with SSL checked....no problems...
     Outgoing server:
           Port 25 sending - no encryption - no problems
           Port 587 sending - no encryption - no problems
           Port 587 sending - TLS - error about incorrect encryption with server
           Port 57 sending - SSL - error about incorrect encryption with server
At this point I have been unable to resolve this issue either myself or with the help of the experts.
We are able to receive e-mail encrypted and send in the clear and that will just have to be good enough.

Experts, I appreciate your help.
Request the moderator close the question.
Mestha's ideas are absolutely correct. Unfortunately, this solution was cost prohibitive.
No one was able to address (as far as I can tell) a solution to the specific problem that I am having and a workaround from another EE post is working...
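As an added example (not from the original thread or from Experts Exchange), here is a diagnostic for the Exchange Management Shell that reproduces the check behind Event ID 12014: for each Receive connector it reports whether any installed certificate covers the connector FQDN and, if so, whether that certificate is valid, unexpired, has a private key and is enabled for SMTP. The property names are the ones visible in the thread's Get-ExchangeCertificate output; Get-ReceiveConnector and its Fqdn/Bindings properties are assumed to be available as in Exchange 2007.

```powershell
# Added diagnostic (not the thread's own code): explain why a Receive connector
# cannot offer STARTTLS, using the same test the transport service applies.
# Assumes Exchange 2007 cmdlets Get-ReceiveConnector / Get-ExchangeCertificate.

$certs = Get-ExchangeCertificate

foreach ($rc in Get-ReceiveConnector) {
    # Per the 12014 event text, an empty connector FQDN falls back to the computer FQDN.
    $fqdn = if ($rc.Fqdn) { "$($rc.Fqdn)" } else {
        ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
    }
    Write-Host "Connector '$($rc.Name)'  FQDN: $fqdn  Bindings: $($rc.Bindings -join ', ')"

    # Candidate certificates: any whose CertificateDomains list names the connector FQDN.
    $matching = $certs | Where-Object {
        @($_.CertificateDomains | Where-Object { "$_" -ieq $fqdn }).Count -gt 0
    }
    if (-not $matching) {
        Write-Host "  NO certificate lists $fqdn -> STARTTLS unavailable (this is Event 12014)"
        continue
    }

    foreach ($c in $matching) {
        # Each failed condition below is one reason transport will skip this certificate.
        $problems = @()
        if (-not $c.HasPrivateKey)             { $problems += 'no private key' }
        if ("$($c.Status)" -ne 'Valid')        { $problems += "status is $($c.Status)" }
        if ($c.NotAfter -lt (Get-Date))        { $problems += 'expired' }
        if ("$($c.Services)" -notmatch 'SMTP') { $problems += 'not enabled for the SMTP service' }

        $verdict = if ($problems.Count -gt 0) { 'UNUSABLE: ' + ($problems -join '; ') }
                   else { 'usable for STARTTLS' }
        Write-Host "  $($c.Thumbprint.Substring(0, 8))...  $($c.Subject) -> $verdict"
    }
}

# Remediation, once a Valid, unexpired certificate that lists the connector FQDN
# exists (the cmdlet the 12014 event itself names); restart MSExchangeTransport after:
#   Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP
```

Run against the output quoted in the thread, this would flag the Comodo certificate as SMTP-enabled but Status Invalid and the self-signed certificate as Valid but enabled only for IMAP and POP, which is the combination that leaves the connector with no usable certificate.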