Unable to receive encrypted emails using TLS

Help,

I have just configured my Exchange Server 2003 Standard Edition. I have followed all of the instructions for setting up TLS encryption for encrypting email messages between two domains. My goal is to send and receive encrypted emails between domain A and domain B. I am able to send email messages to domain B, which are received as encrypted email messages. That is great. When the users at domain B send messages to domain A, the email messages are not encrypted. I spoke to the Exchange administrator at domain B and he said that his configuration is correct for sending encrypted email messages using TLS. We both followed the same instruction guide.

The only difference between the two domains is that I have a Microsoft ISA Server which uses a rule to publish my Exchange server. I have an incoming SMTP rule on ISAS which points to the address of my Exchange server in my private address space.

What could be preventing domain A from receiving encrypted email messages?
stressedout2004 asked:
Keith Alabaster, Enterprise Architect, commented:
You have got three rules for this, haven't you?

An access rule to allow normal smtp outbound
A publishing rule to allow normal smtp inbound.
The publishing rule for the ssl etc?

 
Sembee commented:
What are you doing for SSL certificate support? The most common reason for failure of TLS is that the SSL certificate is not trusted.

Simon.
 
stressedout2004 (author) commented:
I actually have a GoDaddy SSL certificate which is assigned to our domain and the name of the Exchange server.
 
Sembee commented:
Is that the same name that you have put as the smart host in the SMTP connector? Is it the same name as on the SMTP banner?

For example, if the server announces itself as server.domain.com, but the SSL certificate is mail.domain.com and the SMTP connector is set to [123.123.123.123] then I would expect it to fail.

Simon.
 
Keith Alabaster, Enterprise Architect, commented:
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part1.html
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part2.html
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part3.html

Purely from the ISA perspective, there have been a number of issues with TLS through ISA. Just in case this is the issue and Exchange is all sweet, this is the rather elongated article for ISA 2004 and 2006. Sorry for posting links rather than a specific reference, but it may help later, or someone else.

Keith
 
stressedout2004 (author) commented:
The SSL certificate is the same name as the Exchange server, i.e. the certificate FQDN is the same as the domain name we use to host our email services, and the same for our OWA.

I'm not sure if you are referring to SMTP under Protocols or to Routing Group Connectors.
Under Protocols, SMTP, I do not have a smart host configured on the SMTP connector, only the FQDN of the server: Servername.domain.org. The SMTP banner is called Default SMTP Virtual Server.

On my Routing Group Connectors I have two connectors:
All others (I guess this is the default?)
DomainName.com (the server in domain B where I send encrypted TLS email messages to)

Hope this helps.
 
stressedout2004 (author) commented:
Just a point of interest for those of you helping me with this issue. When I use monitoring on my ISAS server, I noticed that the protocol SMTP Server shows up under port 25 for the destination port. The rule is called Exchange Inbound SMTP SMTP Server. The source is the other company's mail server and the destination is my mail server.

The status shows that ISAS closed the connection.  
ISAS ended the connection

When the Exchange administrator at the other company sets up his rule to send TLS messages to my company, he gets an error "the receiving SMTP server does not support TLS" and the messages go into a queue and keep retrying.

Any other ideas????
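The "receiving SMTP server does not support TLS" error above is what a sending MTA reports when the EHLO reply it gets back does not list STARTTLS. The following is an added example, not code from the thread or from any of the products discussed: it parses a constructed EHLO reply the way the sender does, shows what that reply looks like once an intermediary strips the STARTTLS keyword (the symptom the SMTP filter discussion points at), and includes a live probe using the standard library so the same check can be run against a real MX. The host names and capability lines are constructed; `parse_ehlo`, `strip_verb` and `probe` are names chosen here.

```python
"""Added example (not from the thread): read the ESMTP capability list
that the sending server sees and check for STARTTLS.  The EHLO replies
below are constructed; the host names are not from the thread."""
import smtplib

# Constructed reply from a receiving server that offers TLS.
CLEAN_EHLO = (
    "250-mail.domain.org Hello [203.0.113.5]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN\r\n"
    "250 OK\r\n"
)


def _keyword(line: str) -> str:
    """Keyword of one capability line ('250-STARTTLS' -> 'STARTTLS')."""
    return (line[4:].split() or [""])[0].upper()


def parse_ehlo(reply: str):
    """Return (server_name, {KEYWORD: parameters}) from a raw EHLO reply.

    Every line must carry code 250; '250-' marks a continuation and '250 '
    the final line (RFC 5321 section 4.1.1.1).  The first line is the
    greeting and names the server, the remaining lines are capabilities.
    """
    lines = [l for l in reply.splitlines() if l]
    if not lines or lines[0][:3] != "250":
        raise ValueError("not a successful EHLO reply")
    server_name = lines[0][4:].split()[0]
    exts = {}
    for i, line in enumerate(lines[1:], start=1):
        sep = " " if i == len(lines) - 1 else "-"
        if line[:4] != "250" + sep:
            raise ValueError(f"malformed capability line: {line!r}")
        keyword, _, params = line[4:].strip().partition(" ")
        exts[keyword.upper()] = params.strip()
    return server_name, exts


def supports_starttls(reply: str) -> bool:
    """The test a sending MTA performs before it can encrypt the session."""
    return "STARTTLS" in parse_ehlo(reply)[1]


def strip_verb(reply: str, verb: str = "STARTTLS") -> str:
    """What the sender sees when an intermediary (for example an SMTP
    application filter on a firewall) drops one keyword from the list:
    a still well-formed reply that simply no longer offers TLS."""
    lines = [l for l in reply.splitlines() if l]
    kept = [lines[0]] + [l for l in lines[1:] if _keyword(l) != verb]
    # Re-mark continuation lines so the last surviving line ends the reply.
    body = [l[:3] + "-" + l[4:] for l in kept[:-1]]
    body.append(kept[-1][:3] + " " + kept[-1][4:])
    return "\r\n".join(body) + "\r\n"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live version of the same check against a real MX (needs network,
    so it is not exercised offline).  smtplib parses the EHLO reply."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")
```

Run `probe("mail.domain.org")` from the sending side of the connection (or from outside the firewall) and compare with the same call made from inside the network; if the inside answer is True and the outside answer is False, something between the two endpoints is removing the keyword. The command `openssl s_client -starttls smtp -connect mail.domain.org:25` shows the same capability list and, when STARTTLS is offered, the certificate the server presents.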
 
stressedout2004 (author) commented:
keith_alabaster:

I don't have the SSL publishing rule. Can you help me define exactly what rules I need on the ISAS server?
 
Keith Alabaster, Enterprise Architect, commented:
I'm going to consult with one of the guys from the Exchange area. Will be back shortly; I can't get to my systems at the moment :(
 
stressedout2004 (author) commented:
Well, I have good news and bad news. The good news is that I can now receive email from domain B; however, the emails are not encrypted.

My ISAS server rules are the following:
An access rule to allow normal SMTP outbound (from internal and localhost to anywhere)
A publishing rule to allow normal SMTP inbound, which points to the Exchange server.
The publishing rule for the SSL, which points to the Exchange server.

I used Ethereal on my ISA server and did not see any traffic using TLS. Man, I'm getting confused with this project. Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
 
Keith Alabaster, Enterprise Architect, commented:
And I was just stupid. I sent an email to Sembee to see if he had any thoughts, then realised he was already responding on this question. Doh!!

I was thinking about this last night in bed after your post (too much info I know) and something doesn't ring correct. This sounds like the fault is at the other end.

You send encrypted, the other end receives encrypted: great.
They state that they are sending encrypted, but you receive it in clear?

How does that work then?
On any system where I have sent encrypted mails the receiving end gets garbage if they are not set up correctly.

What would be the logic here, though? "I'll encrypt my outbound mails as they need to be secured, but the other end is not set up, so the encryption is just dropped"? I don't think so....

 
stressedout2004 (author) commented:
Am I supposed to give them a copy of my certificate? I'm not sure how the certificate part fits into this. Then I went way off the deep end and started looking at the ISA SMTP filter. The TLS verb is defined in the SMTP filter. Sooooo uhhhhh...ahhhhhhhhhhhhhhhhhhhhhhhhhh--------  Hummmm
 
Keith Alabaster, Enterprise Architect, commented:
lol :)
 
Sembee commented:
The certificate bit I can answer.
Unless you are using a home-grown certificate, you don't have to give the other side a copy of your certificate. If you are using a commercial SSL certificate that is trusted by most systems, then you simply need to ensure that you tell the other side what name the certificate is in and that it resolves correctly.

So if your certificate is issued to mail.domain.com then the other side needs to send mail to mail.domain.com so that the name on the certificate and the name the other side is expecting match.

Simon.
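Sembee's two comments on names (the earlier one about the smart host, banner and `[123.123.123.123]`, and the one just above about sending to the name the certificate was issued to) both come down to one check: does a name on the certificate cover the name the sending server connects to? The following is an added example, not code from the thread or from Exchange or ISA: it implements the standard DNS-name match (exact match or a wildcard limited to the leftmost label), treats an IP literal as never covered by a DNS name, and reports the mismatches in Sembee's example. The hostnames are constructed, and `name_covers`, `cert_covers` and `diagnose` are names chosen here; how Exchange 2003 itself performs the comparison is not reproduced.

```python
"""Added example (not from the thread): check whether the name a sending
MTA connects to is covered by the receiving server's certificate, the
mismatch Sembee describes.  All hostnames below are constructed."""
import ipaddress


def name_covers(cert_name: str, hostname: str) -> bool:
    """Match one certificate DNS name (CN or SAN entry) against one hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard
    is honoured only as the whole leftmost label, as in RFC 6125:
    '*.domain.com' covers 'mail.domain.com' but not 'domain.com' or
    'a.b.domain.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    if c_labels[0] != "*" or "*" in cert_name[2:]:
        return False  # only '*.' as the entire first label is allowed
    if len(c_labels) < 3 or len(c_labels) != len(h_labels):
        return False  # no '*.com', and the label count must agree
    return c_labels[1:] == h_labels[1:]


def cert_covers(cert_names, connect_to: str) -> bool:
    """True if any name on the certificate covers the name the sender dials.

    An IP literal such as '[123.123.123.123]' (the smart-host syntax in
    Sembee's example) is never covered by a DNS name on the certificate.
    """
    target = connect_to.strip("[]")
    try:
        ipaddress.ip_address(target)
        return False
    except ValueError:
        pass  # not an IP literal, so compare as a DNS name
    return any(name_covers(n, target) for n in cert_names)


def diagnose(cert_names, smart_host: str, banner_name: str):
    """Return findings for the names in Sembee's example.

    The TLS client validates the certificate against the name it connected
    to (the smart host).  The banner name is compared as well so an
    administrator notices when the server announces itself under a name
    that is not on the certificate at all.
    """
    findings = []
    if not cert_covers(cert_names, smart_host):
        findings.append(
            f"certificate names {list(cert_names)} do not cover the smart host {smart_host!r}"
        )
    if not cert_covers(cert_names, banner_name):
        findings.append(f"banner name {banner_name!r} is not on the certificate")
    return findings
```

With a certificate issued to `mail.domain.com`, `diagnose(["mail.domain.com"], "[123.123.123.123]", "server.domain.com")` returns two findings, which is the configuration Sembee expects to fail; pointing the other side's connector at `mail.domain.com` clears the first and matters most, since that is the name their TLS client compares against the certificate.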
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.