Solved

Unable to receive encrypted emails using TLS

Posted on 2007-11-27
Medium Priority
751 Views
Last Modified: 2008-11-17
Help,

I have just configured my 2003 Standard Edition Exchange Server.  I have followed all of the instructions for setting up TLS encryption for encrypting email messages between two domains.  My goal is to send and receive encrypted emails between domain A and domain B.  I am able to send email messages to domain B which are received as encrypted email messages. That is great.  When the users at domain B send messages to domain A, email messages are not encrypted.  I spoke to the exchange administrator at domain B and he said that his configuration is correct for sending encrypted email messages using TLS.  We both followed the same instruction guide.  

The only difference between the two domains is that I have a Microsoft ISA server which uses a rule to publish my Exchange server.  I have an incoming SMTP rule on ISAS which points to the address of my Exchange Server in my private address space.

What could be preventing domain A from receiving encrypted email messages?
0
Question by:stressedout2004
14 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 20358242
What are you doing for SSL certificate support? The most common reason for failure of TLS is that the SSL certificate is not trusted.

Simon.
0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20358864
I actually have a godaddy SSL certificate which is assigned to our domain and name of the Exchange server.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20360068
Is that the same name that you have put as the smart host in the SMTP connector? Is it the same name as on the SMTP banner?

For example, if the server announces itself as server.domain.com, but the SSL certificate is mail.domain.com and the SMTP connector is set to [123.123.123.123] then I would expect it to fail.

Simon.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20361105
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part1.html
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part2.html
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part3.html

Purely from the ISA perspective, there have been a number of issues with TLS through ISA. Just in case this is the issue and Exchange is all sweet, this is the rather elongated article for ISA2004 & 2006. Sorry for posting links rather than a specific reference but it may help later or someone else.

Keith
0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20361299
The SSL certificate is the same name as the Exchange server, i.e. the certificate FQDN is the same as the domain name we use to host our email services, and the same for our OWA.

I'm not sure if you are referring to SMTP under Protocols or Routing Group Connectors.
Under Protocols, SMTP, I do not have a smart host configured on the SMTP connector, only the FQDN of the server: Servername.domain.org. The SMTP banner is called Default SMTP Virtual Server.

On my Routing Group Connectors I have two connectors:
All others (I guess this is default?)
DomainName.Com (the server in domain B where I send encrypted TLS email messages to)

Hope this helps.
0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20367708
Just a point of interest for those of you helping me with this issue.  When I use monitoring on my ISAS server, I noticed that the protocol SMTP server shows up under port 25 for the destination port.  The rule is called Exchange Inbound SMTP SMTP server. The source is the other company mails server and the destination is my mail server.  

The status shows that ISAS closed the connection.  
ISAS ended the connection

When the Exchange administrator at the other company sets up his rule to send TLS messages to my company, he gets an error "the receiving smtp server does not support tls" and the messages go into a queue and keep retrying.

Any other ideas????
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 20367886
You have got three rules for this haven't you...

An access rule to allow normal smtp outbound
A publishing rule to allow normal smtp inbound.
The publishing rule for the ssl etc?

0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20396129
keith_alabaster:

I don't have the SSL publishing rule. Can you help me define exactly what rules I need on the ISAS server?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20397337
I'm going to consult with one of the guys from the Exchange area.  Will be back shortly - I can't get to my systems at the moment :(
0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20406888
Well, I have good news and bad news. The good news is that I can now receive email from domain B; however, the emails are not encrypted.

My ISAS server rules are the following
An access rule to allow normal smtp outbound  <from internal and localhost to anywhere>
A publishing rule to allow normal smtp inbound  points to exchange server.
The publishing rule for the ssl points to exchange server.

I used Ethereal on my ISA server and did not see any traffic using TLS. Man, I'm getting confused with this project. Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
0
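Two symptoms in this thread, the other side's queue retrying with "the receiving smtp server does not support tls" and, later, mail arriving but unencrypted, are both decided in the EHLO/STARTTLS exchange that happens before any TLS handshake. The following is an added example, not code from this thread, from Microsoft or from ISA: it models that exchange with a receiving server that does or does not advertise STARTTLS, and a generic command-filtering proxy in front of it. Hostnames are placeholders, and the proxy's behaviour is a model of "a filter that does not permit the STARTTLS verb", not a description of what any particular ISA rule does.

```python
"""In-memory model of the ESMTP STARTTLS negotiation (RFC 3207) between a
sending server and a receiving server, optionally behind a command-filtering
proxy.  No sockets and no real handshake: the point is the capability
exchange that precedes the handshake, because that is where "the receiving
smtp server does not support tls" and "mail arrived, but in clear" are
decided.  Hostnames below are placeholders."""

TLS = "tls"              # STARTTLS advertised and accepted; the handshake would follow
CLEARTEXT = "cleartext"  # nothing advertised and the sender does not insist on TLS
DEFERRED = "deferred"    # nothing advertised but the sender requires TLS: stays queued


class ReceivingServer:
    """Receiving-side state machine: greeting, EHLO, STARTTLS, QUIT."""

    def __init__(self, hostname, advertise_starttls=True):
        self.hostname = hostname
        self.advertise_starttls = advertise_starttls
        self.tls_started = False

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Reply lines for one client command."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            exts = ["SIZE 10485760", "8BITMIME"]
            if self.advertise_starttls and not self.tls_started:  # RFC 3207: only while in clear
                exts.append("STARTTLS")
            lines = [f"250-{self.hostname} Hello {arg}"]
            lines += [f"250-{e}" for e in exts[:-1]]
            return lines + [f"250 {exts[-1]}"]
        if verb == "STARTTLS":
            if not self.advertise_starttls or self.tls_started:
                return ["454 4.7.0 TLS not available"]
            self.tls_started = True
            return ["220 2.0.0 Ready to start TLS"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["500 5.5.1 Command unrecognized"]


class FilteringProxy:
    """Generic model (an assumption, not a specific product's behaviour) of an
    SMTP command filter in front of the receiver that does not permit the
    STARTTLS verb: it removes the keyword from the EHLO reply and refuses the
    command itself."""

    def __init__(self, upstream, allow_starttls=False):
        self.upstream = upstream
        self.allow_starttls = allow_starttls

    def greeting(self):
        return self.upstream.greeting()

    def handle(self, line):
        verb = line.strip().split(" ", 1)[0].upper()
        if verb == "STARTTLS" and not self.allow_starttls:
            return ["500 5.5.1 Command unrecognized"]  # never reaches the upstream server
        reply = self.upstream.handle(line)
        if verb == "EHLO" and not self.allow_starttls:
            kept = [l for l in reply if l[4:].split(" ", 1)[0].upper() != "STARTTLS"]
            # Re-mark continuation ("250-") and final ("250 ") lines after dropping one.
            reply = [l[:3] + "-" + l[4:] for l in kept[:-1]] + [kept[-1][:3] + " " + kept[-1][4:]]
        return reply


def parse_ehlo(reply):
    """Extension keywords from a multi-line 250 reply; None if it was not a success."""
    if not reply or not all(l.startswith("250") and len(l) > 4 for l in reply):
        return None
    if reply[-1][3] != " ":
        return None  # the final line must be "250 ", not "250-"
    return {l[4:].split(" ", 1)[0].upper() for l in reply[1:]}


def deliver(server, sender_name, require_tls):
    """One sending-side session; returns (outcome, transcript lines)."""
    transcript = [f"S: {server.greeting()}"]

    def send(cmd):
        transcript.append(f"C: {cmd}")
        reply = server.handle(cmd)
        transcript.extend(f"S: {l}" for l in reply)
        return reply

    exts = parse_ehlo(send(f"EHLO {sender_name}"))
    if exts is None:
        raise RuntimeError("EHLO rejected:\n" + "\n".join(transcript))
    if "STARTTLS" in exts and send("STARTTLS")[0].startswith("220"):
        transcript.append("C: <TLS handshake; EHLO repeated inside the tunnel>")
        return TLS, transcript
    send("QUIT")
    return (DEFERRED if require_tls else CLEARTEXT), transcript


if __name__ == "__main__":
    for label, srv in [("direct", ReceivingServer("mail.domaina.org")),
                       ("filtered", FilteringProxy(ReceivingServer("mail.domaina.org")))]:
        outcome, lines = deliver(srv, "mail.domainb.com", require_tls=True)
        print(f"--- {label}: {outcome}\n" + "\n".join(lines))
```

Read against an Ethereal/Wireshark trace taken on the ISA box, the same three things decide the outcome: the server's 250 reply lines to EHLO (is STARTTLS among them?), whether the client then issues STARTTLS and gets a 220, and whether what follows that 220 is a TLS Client Hello rather than readable SMTP. A 250 reply with no STARTTLS gives the sending server nothing to negotiate against, so a connector that requires TLS defers and retries, and one that does not falls back to clear text, which is exactly the pair of behaviours reported above.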
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20409524
And I was just stupid. I sent an email to Sembee to see if he had any thoughts, then realised he was already responding on this question - doh!!

I was thinking about this last night in bed after your post (too much info I know) and something doesn't ring correct. This sounds like the fault is at the other end.

You send encrypted - the other end receives encrypted - great.
They state that they are sending encrypted but you receive it in clear?

How does that work then?
On any system where I have sent encrypted mails the receiving end gets garbage if they are not set up correctly.

What would be the logic though here? - I'll encrypt my outbound mails as they need to be secured but the other end is not set up so the encryption is just dropped? I don't think so....

0
 
LVL 9

Author Comment

by:stressedout2004
ID: 20428721
Am I supposed to give them a copy of my certificate? I'm not sure how the certificate part fits into this. Then I went way off the deep end and started looking at the ISA SMTP filter. The TLS verb is defined in the SMTP filter. sooooo uhhhhh...ahhhhhhhhhhhhhhhhhhhhhhhhhh--------  Hummmm
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20428815
lol :)
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20429444
The certificate bit I can answer.
Unless you are using a home-grown certificate you don't have to give the other side a copy of your certificate. If you are using a commercial SSL certificate that is trusted by most systems, then you simply need to ensure that you tell the other side what name the certificate is in and that it resolves correctly.

So if your certificate is issued to mail.domain.com then the other side needs to send mail to mail.domain.com so that the name on the certificate and the name the other side is expecting match.

Simon.
0
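Simon's two points here, and his earlier comment about the SMTP banner, the certificate name and the name the other side sends to all lining up, can be turned into a check. The following is an added example and not code from this thread, from GoDaddy or from Microsoft: chain trust and name matching are reported as separate failures, because "untrusted certificate" and "wrong name on the certificate" need different fixes. The hostnames (mail.domaina.org and so on) are placeholders, the certificate dicts in the tests are constructed in the shape Python's getpeercert() returns, and probe() assumes a reachable server on port 25 and a sane local CA store.

```python
"""Check which DNS name a receiving SMTP server's certificate is valid for
and whether it matches the name the sending side connects to.

Matching follows the usual rules (RFC 6125): subjectAltName dNSName entries
win when present, the subject commonName is only a fallback, and a wildcard
is honoured only as the whole leftmost label and only for a single label."""
import smtplib
import ssl


def cert_names(cert):
    """DNS names from a dict in the shape ssl.SSLSocket.getpeercert() returns."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def name_matches(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # "*.domain.tld" only: no "m*.domain.tld", no "*.tld", and "*" never spans a dot.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_identity(connect_name, cert):
    """Return (ok, message) for a sender that connected to connect_name."""
    names = cert_names(cert)
    if not names:
        return False, "certificate carries no DNS name at all"
    if any(name_matches(n, connect_name) for n in names):
        return True, f"{connect_name} matches certificate name(s) {names}"
    return False, (f"sender connects to {connect_name} but the certificate is for "
                   f"{names}: the other side must send to one of those names")


def probe(host, port=25, helo="probe.example.invalid", timeout=15):
    """Live check (network; not exercised by the tests): EHLO, STARTTLS, then
    report chain-trust problems and name problems separately.  Assumes the
    server is reachable on port 25 and the local CA store can validate it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we do the name comparison ourselves, below
    ctx.verify_mode = ssl.CERT_REQUIRED  # but chain trust is still enforced
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo(helo)
        if not s.has_extn("starttls"):
            return False, "server did not advertise STARTTLS in its EHLO reply"
        try:
            s.starttls(context=ctx)
        except ssl.SSLError as e:
            return False, f"TLS handshake failed (untrusted or broken certificate?): {e}"
        return check_identity(host, s.sock.getpeercert())


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: probe.py mail.host.example")
```

Run as `probe.py mail.domaina.org` from the other side's network (or any outside host), the three messages map onto the thread: no STARTTLS in the EHLO reply means the capability never made it through the firewall; a handshake failure means the certificate chain is not trusted by the sender (the home-grown case); and a name mismatch means the sending connector points at a name (or an IP address in brackets) that is not on the certificate.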
