Solved

Unable to receive encrypted emails using TLS

Posted on 2007-11-27
Last Modified: 2008-11-17
Help,

I have just configured my 2003 Standard Edition Exchange Server.  I have followed all of the instructions for setting up TLS encryption for encrypting email messages between two domains.  My goal is to send and receive encrypted emails between domain A and domain B.  I am able to send email messages to domain B which are received as encrypted email messages. That is great.  When the users at domain B send messages to domain A, email messages are not encrypted.  I spoke to the exchange administrator at domain B and he said that his configuration is correct for sending encrypted email messages using TLS.  We both followed the same instruction guide.  

The only difference between the two domains is that I have a Microsoft ISA server which uses a rule to publish my Exchange server.  I have an incoming SMTP rule on ISAS which points to the address of my Exchange Server in my private address space.

What could be preventing domain A from receiving encrypted email messages?
Question by:stressedout2004
14 Comments
 
LVL 104

Expert Comment

by:Sembee
What are you doing for SSL certificate support? The most common reason for failure of TLS is that the SSL certificate is not trusted.

Simon.

LVL 9

Author Comment

by:stressedout2004
I actually have a godaddy SSL certificate which is assigned to our domain and name of the Exchange server.

LVL 104

Expert Comment

by:Sembee
Is that the same name that you have put as the smart host in the SMTP connector? Is it the same name as on the SMTP banner?

For example, if the server announces itself as server.domain.com, but the SSL certificate is mail.domain.com and the SMTP connector is set to [123.123.123.123] then I would expect it to fail.

Simon.

LVL 51

Expert Comment

by:Keith Alabaster
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part1.html
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part2.html
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part3.html

Purely from the ISA perspective, there have been a number of issues with TLS through ISA. Just in case this is the issue and Exchange is all sweet, this is the rather elongated article for ISA2004 & 2006. Sorry for posting links rather than a specific reference but it may help later or someone else.

Keith

LVL 9

Author Comment

by:stressedout2004
The SSL certificate is the same name as the exchange server, i.e. the certificate FQDN is the same as the domain name we use to host our email services and the same for our OWA.

I'm not sure if you are referring to SMTP under Protocols or Routing Group Connectors.
Under Protocols, SMTP I do not have a smart host configured on the SMTP connector, only the FQDN of the server: Servername.domain.org. The SMTP banner is called Default SMTP Virtual Server.

On my Routing Group Connectors I have two connectors:
All others (I guess this is default?)
DomainName.Com (the server in domain B where I send encrypted TLS email messages to)

Hope this helps.

LVL 9

Author Comment

by:stressedout2004
Just a point of interest for those of you helping me with this issue.  When I use monitoring on my ISAS server, I noticed that the protocol SMTP server shows up under port 25 for the destination port.  The rule is called Exchange Inbound SMTP SMTP server. The source is the other company mails server and the destination is my mail server.  

The status shows that ISAS closed the connection.  
ISAS ended the connection

When the Exchange administrator at the other company sets up his rule to send TLS messages to my company, he gets an error "the receiving smtp server does not support tls" and the messages go into a queue and keep retrying.

Any other ideas????
0
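Simon's question about the certificate name and the "receiving smtp server does not support tls" error that domain B sees both come down to two things a sending MTA can observe: whether STARTTLS is present in the EHLO reply it gets back through ISA, and whether the certificate presented after STARTTLS validates for the name it connected to. The script below is an added example written for this thread, not code from any of the posters or from Exchange or ISA; the host name mail.example.org, the port and the two sample EHLO replies are constructed placeholders, and the live probe needs network access to the target.

```python
"""Probe an SMTP receiver: is STARTTLS advertised, and does the certificate
validate for the name the sender connects to?

Added example for this thread; not code from the original posts.  The host
name, port and the sample EHLO replies are constructed placeholders.
"""
import smtplib
import ssl
import sys

# Constructed EHLO replies (shaped like an Exchange 2003 response) used for
# the offline part of the demonstration.
EHLO_WITH_STARTTLS = (
    "250-mail.example.org Hello [192.0.2.10]\r\n"
    "250-SIZE 20971520\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 OK\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.org Hello [192.0.2.10]\r\n"
    "250-SIZE 20971520\r\n"
    "250-8BITMIME\r\n"
    "250 OK\r\n"
)


def parse_ehlo(reply: str) -> set:
    """Return the extension keywords in a raw multi-line EHLO reply.

    Line 1 is the greeting; every later line is '250-KEYWORD ...' or, for
    the last one, '250 KEYWORD ...'.  Keywords are compared case-insensitively.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    keywords = set()
    for line in lines[1:]:
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            body = line[4:].split()
            if body:
                keywords.add(body[0].upper())
    return keywords


def offers_starttls(reply: str) -> bool:
    """True when the receiver advertises STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to host:port, EHLO, and if STARTTLS is offered negotiate it
    with chain *and* hostname verification against `host`.

    The returned dict pins a failure to one stage: the verb was never
    advertised, the handshake failed, or the certificate did not validate.
    """
    result = {"advertised": False, "tls": False, "cert_names": [], "error": None}
    ctx = ssl.create_default_context()          # CA chain + hostname checks on
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["advertised"] = smtp.has_extn("starttls")
            if not result["advertised"]:
                result["error"] = "STARTTLS not advertised in EHLO reply"
                return result
            # smtplib passes `host` as server_hostname, so the certificate is
            # checked against the name we connected to, as a sending MTA does.
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
            result["cert_names"] = [v for k, v in cert.get("subjectAltName", ())
                                    if k == "DNS"]
            result["tls"] = True
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Usage: python smtp_tls_probe.py mail.example.org
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"
    print(probe(target))
```

Run it from the sending side's network (domain B) against the published name, because that is the path the failing connection takes; run from inside domain A it only tells you what Exchange itself advertises, not what survives the ISA publishing rule. One caveat: a current Python default SSL context refuses the TLS versions a Windows Server 2003 host offers (nothing newer than TLS 1.0), so a handshake error against such a host can be a protocol-version problem rather than a certificate problem; the `advertised` field is meaningful either way.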
 
LVL 51

Accepted Solution

by: Keith Alabaster earned 500 total points
You have got three rules for this haven't you...

An access rule to allow normal smtp outbound
A publishing rule to allow normal smtp inbound.
The publishing rule for the ssl etc?


LVL 9

Author Comment

by:stressedout2004
keith_alabaster:

I don't have the SSL publishing rule. Can you help me define exactly what rules I need on the ISAS server?

LVL 51

Expert Comment

by:Keith Alabaster
I'm going to consult with one of the guys from the Exchange area.  Will be back shortly - I can't get to my systems at the moment :(

LVL 9

Author Comment

by:stressedout2004
Well, I have good news and bad news. The good news is that I can now receive email from domain B; however, the emails are not encrypted.

My ISAS server rules are the following
An access rule to allow normal smtp outbound  <from internal and localhost to anywhere>
A publishing rule to allow normal smtp inbound  points to exchange server.
The publishing rule for the ssl points to exchange server.

I used Ethereal on my ISA server and did not see any traffic using TLS. Man, I'm getting confused with this project. Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

LVL 51

Expert Comment

by:Keith Alabaster
And I was just stupid. I sent an email to Sembee to see if he had any thoughts, then realised he was already responding on this question - doh!!

I was thinking about this last night in bed after your post (too much info I know) and something doesn't ring correct. This sounds like the fault is at the other end.

You send encrypted - the other end receives encrypted - great.
They state that they are sending encrypted but you receive it in clear?

How does that work then?
On any system where I have sent encrypted mails the receiving end gets garbage if they are not set up correctly.

What would be the logic though here? - I'll encrypt my outbound mails as they need to be secured but the other end is not set up so the encryption is just dropped? I don't think so....


LVL 9

Author Comment

by:stressedout2004
Am I supposed to give them a copy of my certificate? I'm not sure how the certificate part fits into this. Then I went way off the deep end and started looking at the ISA SMTP filter. The TLS verb is defined in the SMTP filter. sooooo uhhhhh...ahhhhhhhhhhhhhhhhhhhhhhhhhh-------- Hummmm

LVL 51

Expert Comment

by:Keith Alabaster
lol :)

LVL 104

Expert Comment

by:Sembee
The certificate bit I can answer.
Unless you are using a home-grown certificate you don't have to give the other side a copy of your certificate. If you are using a commercial SSL certificate that is trusted by most systems, then you simply need to ensure that you tell the other side what name the certificate is in and that it resolves correctly.

So if your certificate is issued to mail.domain.com then the other side needs to send mail to mail.domain.com so that the name on the certificate and the name the other side is expecting match.

Simon.
0
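Simon's point is the rule every verifying client applies: the name the sender connects to is matched against the names in the certificate, so the certificate itself never has to be handed over, only its name and a DNS record that resolves it. The block below is an added example for this thread, not code from the posters or from Exchange; it takes certificate data in the shape Python's `ssl.SSLSocket.getpeercert()` returns (the sample certificate, host names and the 203.0.113.5 address are constructed) and shows why mail.domain.com succeeds while server.domain.com, or a bracketed IP literal as in Simon's earlier example, fails. It also generalises slightly beyond the thread by handling wildcard names and IP-address SANs.

```python
"""Does the name a sending MTA connects to match the receiver's certificate?

Added example for this thread, not code from the original posts.  The
certificate contents and host names are constructed to mirror the cases in
Simon's comments: a commercial certificate for mail.domain.com reached as
mail.domain.com, as server.domain.com, and as a bracketed IP literal.
"""
import ipaddress

# Shape of ssl.SSLSocket.getpeercert() for a certificate with a CN and SANs.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "www.domain.com")),
}


def cert_dns_names(cert: dict) -> list:
    """DNS names the certificate is valid for.

    Per RFC 6125 a verifier uses subjectAltName when present and falls back
    to the subject CN only for legacy certificates that carry no DNS SANs.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_ip_names(cert: dict) -> list:
    """IP addresses from 'IP Address' SAN entries (the key getpeercert uses)."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a host name, allowing a wildcard
    only as the entire left-most label and only with at least two labels
    after it (RFC 6125 section 6.4.3)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def connector_target_matches(target: str, cert: dict) -> bool:
    """Decide whether a smart-host / connector target will validate.

    `target` is what an admin types into the connector: a host name, or an
    IP literal in square brackets such as '[203.0.113.5]'.  An IP literal is
    compared only with IP SANs, never with DNS names, which is why a
    certificate issued to mail.domain.com fails when the peer connects to
    the bracketed address.
    """
    if target.startswith("[") and target.endswith("]"):
        try:
            ip = ipaddress.ip_address(target[1:-1])
        except ValueError:
            return False
        return any(ip == ipaddress.ip_address(v) for v in cert_ip_names(cert))
    return any(dns_name_matches(p, target) for p in cert_dns_names(cert))


if __name__ == "__main__":
    for target in ("mail.domain.com", "server.domain.com", "[203.0.113.5]"):
        print(f"{target:20} -> {connector_target_matches(target, SAMPLE_CERT)}")
```

The practical consequence for the thread: whichever name domain B puts into its connector for domain A must be one of the DNS names on the GoDaddy certificate and must resolve, through ISA, to the published listener; the server's own internal FQDN or the public address in brackets will not satisfy a verifying sender even when the certificate is perfectly trusted.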
