Solved

Unable to receive encrypted emails using TLS

Posted on 2007-11-27
14
741 Views
Last Modified: 2008-11-17
Help,

I have just configured my 2003 Standard Edition Exchange Server.  I have followed all of the instructions for setting up TLS encryption for encrypting email messages between two domains.  My goal is to send and receive encrypted emails between domain A and domain B.  I am able to send email messages to domain B which are received as encrypted email messages. That is great.  When the users at domain B send messages to domain A, email messages are not encrypted.  I spoke to the exchange administrator at domain B and he said that his configuration is correct for sending encrypted email messages using TLS.  We both followed the same instruction guide.  

The only difference between the two domains is that I have a Microsoft ISA server which uses a rule to publish my Exchange server.  I have an incoming SMTP rule on ISAS which points to the address of my Exchange Server in my private address space.

What could be preventing domain A from receiving encrypted email messages?
Question by:stressedout2004
14 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 20358242
What are you doing for SSL certificate support? The most common reason for failure of TLS is that the SSL certificate is not trusted.

Simon.
0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20358864
I actually have a GoDaddy SSL certificate which is assigned to our domain and name of the Exchange server.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20360068
Is that the same name that you have put as the smart host in the SMTP connector? Is it the same name as on the SMTP banner?

For example, if the server announces itself as server.domain.com, but the SSL certificate is mail.domain.com and the SMTP connector is set to [123.123.123.123] then I would expect it to fail.

Simon.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20361105
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part1.html
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part2.html
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part3.html

Purely from the ISA perspective, there have been a number of issues with TLS through ISA. Just in case this is the issue and Exchange is all sweet, this is the rather elongated article for ISA2004 & 2006. Sorry for posting links rather than a specific reference but it may help later or someone else.

Keith
0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20361299
The SSL certificate is the same name as the Exchange server, i.e. the certificate FQDN is the same as the domain name we use to host our email services and the same for our OWA.

I'm not sure if you are referring to SMTP under Protocols or Routing Group Connectors.
Under Protocols, SMTP, I do not have a smart host configured on the SMTP connector, only the FQDN of the server: Servername.domain.org. The SMTP banner is called Default SMTP Virtual Server.

On my Routing Group Connectors I have two connectors:
All others (I guess this is default?)
DomainName.Com (the server in domain B where I send encrypted TLS email messages to)

Hope this helps.
0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20367708
Just a point of interest for those of you helping me with this issue. When I use monitoring on my ISAS server, I noticed that the protocol SMTP server shows up under port 25 for the destination port. The rule is called Exchange Inbound SMTP SMTP server. The source is the other company's mail server and the destination is my mail server.

The status shows that ISAS closed the connection.
ISAS ended the connection

When the Exchange administrator at the other company sets up his rule to send TLS messages to my company, he gets an error "the receiving smtp server does not support tls" and the messages go into a queue and keep retrying.

Any other ideas????
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 20367886
You have got three rules for this haven't you...

An access rule to allow normal smtp outbound
A publishing rule to allow normal smtp inbound.
The publishing rule for the ssl etc?

0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20396129
keith_alabaster:

I don't have the SSL publishing rule. Can you help me define what rules I exactly need on the ISAS server?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20397337
I'm going to consult with one of the guys from the Exchange area.  Will be back shortly - I can't get to my systems at the moment :(
0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20406888
Well I have good news and bad news. The good news is that I can now receive email from domain B, however the emails are not encrypted.

My ISAS server rules are the following
An access rule to allow normal smtp outbound  <from internal and localhost to anywhere>
A publishing rule to allow normal smtp inbound  points to exchange server.
The publishing rule for the ssl points to exchange server.

I used Ethereal on my ISA server and did not see any traffic using TLS. Man, I'm getting confused with this project. Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20409524
And I was just stupid. I sent an email to Sembee to see if he had any thoughts, then realised he was already responding on this question - doh!!

I was thinking about this last night in bed after your post (too much info I know) and something doesn't ring correct. This sounds like the fault is at the other end.

You send encrypted - the other end receives encrypted - great.
They state that they are sending encrypted but you receive it in clear?

How does that work then?
On any system where I have sent encrypted mails the receiving end gets garbage if they are not set up correctly.

What would be the logic though here? - I'll encrypt my outbound mails as they need to be secured but the other end is not set up so the encryption is just dropped? I don't think so....

0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20428721
Am I supposed to give them a copy of my certificate? I'm not sure how the certificate part fits into this. Then I went way off the deep end and started looking at the ISA SMTP filter. The TLS verb is defined in the SMTP filter. Sooooo uhhhhh...ahhhhhhhhhhhhhhhhhhhhhhhhhh-------- Hummmm
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20428815
lol :)
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20429444
The certificate bit I can answer.
Unless you are using a home grown certificate you don't have to give the other side a copy of your certificate. If you are using a commercial SSL certificate that is trusted by most systems, then you simply need to ensure that you tell the other side what name the certificate is in and that it resolves correctly.

So if your certificate is issued to mail.domain.com then the other side needs to send mail to mail.domain.com so that the name on the certificate and the name the other side is expecting match.

Simon.
0
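The two checks the experts keep coming back to (is STARTTLS actually advertised to the remote MTA, as the "receiving smtp server does not support tls" error in the asker's earlier comment suggests it is not, and does the name on the certificate match the name the other side connects to, as Sembee explains above) can be scripted. The following is an added example written for this thread; it is not the asker's, Sembee's or Microsoft's code. The EHLO replies, host names and certificate fields in it are constructed. Running check_starttls_live once against the Exchange server's private address and once against the address ISA publishes shows whether the firewall is the point where the STARTTLS verb disappears.

```python
"""Added diagnostic helpers (constructed example, not code from the thread).
They answer two questions: is STARTTLS advertised in the EHLO reply the
remote MTA sees, and does the certificate name match the expected name?"""
import re
import socket
import ssl
from typing import Dict, Iterable, List, Set

# Constructed EHLO replies: what the server answers directly, and the same
# exchange as seen through a device that has removed the STARTTLS verb.
SAMPLE_EHLO_DIRECT = (
    "250-mail.example.org Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250 OK"
)
SAMPLE_EHLO_FILTERED = (
    "250-mail.example.org Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250 OK"
)


def parse_ehlo_capabilities(reply: str) -> Set[str]:
    """Upper-cased keywords from a multi-line EHLO reply.  The greeting line
    ('250-host Hello ...') is skipped; the rest are '250-KEYWORD' / '250 KEYWORD'."""
    caps: Set[str] = set()
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def starttls_advertised(reply: str) -> bool:
    """True only if the sending MTA is allowed to issue STARTTLS at all."""
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def cert_dns_names(cert: Dict) -> List[str]:
    """DNS names from an SSLSocket.getpeercert() dict: SAN entries, then the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v for k, v in rdn if k == "commonName")
    return names


def cert_name_matches(cert_names: Iterable[str], expected: str) -> bool:
    """Case-insensitive match; a '*.example.org' wildcard covers exactly one label,
    so it matches mail.example.org but not example.org or a.b.example.org."""
    host = expected.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def _read_reply(f) -> str:
    """Read one SMTP reply; the final line has a space (not '-') after the code."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            break
    return "\n".join(lines)


def check_starttls_live(host: str, expected_name: str, port: int = 25, timeout: float = 10.0) -> Dict:
    """Speak just enough SMTP to report: STARTTLS offered? certificate trusted by
    the local root store? certificate name matches expected_name?  Nothing is sent
    beyond EHLO/STARTTLS/QUIT.  (Assumed helper; 'probe.example.invalid' is a constructed EHLO name.)"""
    out = {"banner": None, "starttls": False, "trusted": None, "cert_names": [], "name_ok": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rb")
            out["banner"] = _read_reply(f)
            sock.sendall(b"EHLO probe.example.invalid\r\n")
            out["starttls"] = starttls_advertised(_read_reply(f))
            if not out["starttls"]:
                sock.sendall(b"QUIT\r\n")
                return out
            sock.sendall(b"STARTTLS\r\n")
            if not _read_reply(f).startswith("220"):
                out["error"] = "STARTTLS refused"
                return out
            ctx = ssl.create_default_context()
            ctx.check_hostname = False  # chain is still verified; the name is compared below and reported
            try:
                tls = ctx.wrap_socket(sock, server_hostname=expected_name)
            except ssl.SSLCertVerificationError as e:
                out["trusted"], out["error"] = False, str(e)
                return out
            out["trusted"] = True
            out["cert_names"] = cert_dns_names(tls.getpeercert())
            out["name_ok"] = cert_name_matches(out["cert_names"], expected_name)
            tls.sendall(b"QUIT\r\n")
            tls.close()
    except (OSError, ssl.SSLError) as e:
        out["error"] = str(e)
    return out


if __name__ == "__main__":
    print("direct  :", starttls_advertised(SAMPLE_EHLO_DIRECT))    # True
    print("filtered:", starttls_advertised(SAMPLE_EHLO_FILTERED))  # False
```

A "starttls": False result from the published address while the private address returns True means the verb never reaches the sending MTA, which is exactly the "does not support tls" error the remote administrator reported. "trusted": False with a verification error, or "name_ok": False, corresponds to Sembee's untrusted-certificate and name-mismatch cases.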
