Solved

Setup TLS on exchange 2003

Posted on 2009-05-05
Last Modified: 2012-05-06
I bought an SSL certificate from GoDaddy and tried to set up TLS on Exchange 2003. I did some research and found some info on how to set up TLS. I checked the Require secure channel box, clicked on Require 128 bit and tried to send out email, but it just came back and said "Must issue a STARTTLS command first". Please, I need help on how to set this up.
Question by:bengxiong
26 Comments
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 24317974
Hello,

Are you trying to setup TLS on the default connector or have you setup a dedicated SMTP connector to exchange mail with TLS enabled domains?

Jamie
0
 

Author Comment

by:bengxiong
ID: 24318475
I set up a dedicated SMTP connector to exchange mail with TLS.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 24318501
Have you verified that the domain you are trying to exchange mail with is set up properly with TLS, and that you have added that domain to the dedicated SMTP connector?

JJ
0
 
LVL 17

Expert Comment

by:Suraj
ID: 24318712
TLS in Exchange Server 2003.
Remember the following for configuring TLS.
Let's say you want to configure TLS with ABC.COM.
Outbound:
=========
For outbound you will have to create a dedicated SMTP connector with address space abc.com, smarthosted to the MX of the remote domain. On that SMTP connector, enable TLS.

Inbound:
========
On the default SMTP virtual server you can install the certificate.

Restart the SMTP and routing engine services... this will fix the issue.

-x-sam-
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 24319012
Actually, you don't need to set a smarthost. Just use DNS. That way, you can set up a single connector to use with all TLS domains.

JJ
0
 
LVL 17

Expert Comment

by:Suraj
ID: 24319185
A smart host is better. Why use DNS and add delay when TLS is used between two domains?
0
 

Author Comment

by:bengxiong
ID: 24320549
Ok, let me tell you what I have done so far. I installed the SSL cert; it works fine. I went to Exchange System Manager, clicked on the name of the server, clicked on the SMTP virtual server, clicked on Access and checked TLS encryption. The second step I did was go to Connectors, create a new SMTP Connector and name it xxxx.com. Ok, if I don't have a smarthost, would it still work? I use a Linux box to do my mail filtering (MailCleaner), so what I did was just point the mail exchange and the Linux box's IP address to the smarthost where it says "Forward all mail through this connector to the following smart host". Did I configure it correctly? One other thing: when I go to the SMTP virtual server, click on the Access tab, click on the Communication tab and check Secure Channel and 128 bit, email I send out goes through, but when someone sends me an email it just bounces back and says "Must issue a STARTTLS command first". Don't know what I did wrong.
0
 

Author Comment

by:bengxiong
ID: 24320621
Can someone remote in to my server and help me configure TLS? I'm willing to pay. Let me know.

Thanks,

BX
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24320645
Support outside of the site is not allowed.

The reason a smart host is usually used is to ensure that the email flows to the TLS enabled server.
The side sending you email must use the alternative port or another host name, because Exchange 2003 cannot do opportunist TLS. You cannot have TLS enabled on your regular MX records.

Simon.
0
 

Author Comment

by:bengxiong
ID: 24333332
Ok, I got the TLS setup. How do I test out to see if TLS is working on exchange server?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24346422
The most that you can do is telnet in to the server, issue an EHLO and see if STARTTLS is listed. If it is, then Exchange is listening for TLS. However, as it is server to server, you need to get someone else to send you an email and see if it is received.

When a message that is secured by TLS is received Exchange will write to the headers that it was secured by TLS.

Simon.
0
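A scripted form of the EHLO test described above, added here as an example and not code from the thread or from Microsoft: it parses the EHLO reply for STARTTLS and, when it is offered, negotiates TLS with certificate verification and reports what the server presented. The host name and the sample EHLO replies are constructed.

```python
import smtplib
import ssl

def parse_ehlo_extensions(ehlo_msg):
    """Turn the EHLO reply text smtplib returns (greeting line first, then one
    keyword per line) into the set of advertised extension keywords."""
    lines = ehlo_msg.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}

def supports_starttls(ehlo_msg):
    return "STARTTLS" in parse_ehlo_extensions(ehlo_msg)

def check_starttls(host, port=25, timeout=10.0):
    """Connect, send EHLO, and if STARTTLS is offered negotiate it and report the
    certificate the server presented. Raises on TLS failures (untrusted chain or
    name mismatch), which is itself a useful finding for the server owner."""
    report = {"host": host, "starttls_offered": False, "tls_version": None,
              "cert_subject": None, "cert_not_after": None}
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        report["starttls_offered"] = supports_starttls(msg)
        if report["starttls_offered"]:
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()  # sock is now an SSLSocket
            report["tls_version"] = smtp.sock.version()
            report["cert_subject"] = dict(rdn[0] for rdn in cert["subject"])
            report["cert_not_after"] = cert.get("notAfter")
    return report

# Constructed EHLO reply, shaped like what an Exchange 2003 / IIS SMTP virtual server
# with a certificate bound returns (offline sample; keyword list is approximate).
SAMPLE_EHLO = b"\n".join([b"mail.example.invalid Hello [192.0.2.10]", b"TURN", b"SIZE", b"ETRN",
                          b"PIPELINING", b"DSN", b"ENHANCEDSTATUSCODES", b"8bitmime", b"BINARYMIME",
                          b"CHUNKING", b"VRFY", b"STARTTLS", b"TLS", b"X-EXPS GSSAPI NTLM LOGIN",
                          b"X-LINK2STATE", b"XEXCH50", b"OK"])
# Constructed reply from a virtual server with no certificate: STARTTLS is absent.
SAMPLE_EHLO_NO_TLS = b"\n".join([b"mail.example.invalid Hello [192.0.2.10]", b"SIZE", b"PIPELINING", b"OK"])

if __name__ == "__main__":
    import sys
    print(check_starttls(sys.argv[1]))  # e.g. python check_starttls.py mail.example.invalid
```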
 

Author Comment

by:bengxiong
ID: 24352251
If I don't check the box where it says Secure Channel and 128 bit, would it still be secured by TLS? When I send out emails to some people that do not have TLS enabled, would it still show the header where it says secured by TLS?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24353668
When you send email out, the settings on the SMTP virtual server do not apply, because it isn't your server controlling the connection. It is the setting on the SMTP Connector. The SMTP virtual server is for inbound email only.

If you have TLS enabled and the remote site does not support it, then the email will fail. Exchange 2003 doesn't do opportunist TLS, it is either on or off. Therefore you have to know which domains support TLS and set an SMTP connector for them specifically.

Simon.
0

 

Author Comment

by:bengxiong
ID: 24372016
Ok, I sent out a test to one of my clients that is using TLS, and their tech said my configuration might not be correct because my code is different from others that are using TLS. On mine it doesn't say "(using TLSv1)". Here's the example below that they sent me; please let me know what I misconfigured.

Their TLS email (they said it is supposed to look like this):

Received: from psmtp.com ([65.18.10.100]) by tsd.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
       Wed, 22 Apr 2009 09:02:15 -0500
Received: from source ([217.71.201.349) (using TLSv1) by tsd.com ([64.10.10.10]) with SMTP;
       Wed, 22 Apr 2009 06:02:15 PST
Received: from 10.1.1.63 [10.1.1.63]
       by mailserver2.com
       over TLS secured channel
       with XWall v3.43a ;
================================================================

My email that I sent them:

Microsoft Mail Internet Headers Version 2.0
Received: from psmtp.com ([92.10.2.10]) by mydomain.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
       Fri, 8 May 2009 09:33:25 -0500
Received: from source ([10.10.10.1]) by serverdomain.com ([yourdomain.com]) with SMTP;
       Fri, 08 May 2009 08:33:26 MDT
       boundary="----_=_NextPart_001_01C9CFEA.669186DF"

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24372799
The different ways that TLS is flagged come down to each individual product. Microsoft doesn't say "TLSv1"; what they put in their headers is the line that you can see, "over TLS secured channel". Therefore it would appear to be working at least part of the way.

However for it to be a valid TLS secured transaction, all hops outside of your network and theirs need to be using TLS. So the internal hop will be fine, it is the hop from your public facing system to them.

Simon.
0
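An added example, not code from the thread or from Microsoft, that applies Simon's two points above: each receiving product writes its own TLS marker into the Received: line ("over TLS secured channel" for Exchange, "(using TLSv1)" for the client's MTA), and only the hop that crosses the internet needs one. The script unfolds the Received: chain, records per hop whether TLS was logged, and flags external hops without a marker. Host names, addresses and the sample headers are constructed; the RFC 1918 ranges stand in for "inside your network".

```python
import ipaddress
import re

# TLS markers written by different receiving MTAs: Exchange 2003 / IIS SMTP writes
# "over TLS secured channel"; others write "(using TLSv1 ...)", "with ESMTPS" or "(version=TLS...)".
TLS_MARKERS = re.compile(r"over TLS secured channel|\(using TLSv\d|with E?SMTPSA?\b|\(version=TLS", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Assumed "inside our network": RFC 1918 ranges; adjust to the site's own address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def unfold_received(raw):
    """Received: values, most recent hop first, with folded continuation lines joined."""
    values, current = [], None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            current.append(line.strip())
        elif line.lower().startswith("received:"):
            current = [line[len("received:"):].strip()]
            values.append(current)
        else:
            current = None
    return [" ".join(parts) for parts in values]

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # no bracketed address, or a malformed one such as "[217.71.201.349"
        return False
    return any(addr in net for net in INTERNAL_NETS)

def audit_hops(raw):
    """One dict per hop: sending IP, whether it is internal, and whether TLS was recorded."""
    hops = []
    for value in unfold_received(raw):
        ips = IP_RE.findall(value)
        src = ips[0] if ips else None  # first bracketed address is the sending host
        hops.append({"source_ip": src, "internal": is_internal(src), "tls": bool(TLS_MARKERS.search(value))})
    return hops

def external_cleartext_hops(raw):
    """Sending IPs of hops that crossed the network boundary with no TLS marker: the ones that matter."""
    return [h["source_ip"] or "?" for h in audit_hops(raw) if not h["internal"] and not h["tls"]]

# Constructed sample modelled on the headers quoted in the thread (documentation addresses; the
# last hop is internal). CLEARTEXT is the same path with the internet-facing hop unprotected.
SAMPLE = ("Received: from psmtp.example.invalid ([192.0.2.10]) by mail.mydomain.invalid\n"
          "\tover TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);\n"
          "\tFri, 8 May 2009 09:33:25 -0500\n"
          "Received: from source ([198.51.100.7]) (using TLSv1) by psmtp.example.invalid\n"
          "\t([192.0.2.10]) with SMTP; Fri, 08 May 2009 08:33:26 MDT\n"
          "Received: from 10.1.1.63 [10.1.1.63] by mailserver2.internal with XWall v3.43a ;\n")
CLEARTEXT = SAMPLE.replace(" (using TLSv1)", "")
```

Running `external_cleartext_hops` over a real message's raw headers shows the client's tech which hop, if any, actually lacks protection, instead of comparing marker strings across products.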
 

Author Comment

by:bengxiong
ID: 24376281
Ok, how do I fix the issue, or what do I need to do?

Thanks for your help.

BX
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24377474
There is nothing to fix.
It is just the way the transfer is labelled.

Simon.
0
 

Author Comment

by:bengxiong
ID: 24378779
Ok, my client said the email that I sent them is not encrypted because it doesn't show "TLSv1" as in: Received: from source ([217.71.201.349) (using TLSv1) by tsd.com ([64.10.10.10]) with SMTP. (Not quite sure what their tech means.) So what do you mean by:
"However for it to be a valid TLS secured transaction, all hops outside of your network and theirs need to be using TLS. So the internal hop will be fine, it is the hop from your public facing system to them"? Can you explain it to me a little bit? So is there something misconfigured on my end? Or when I send them the email, is it not encrypted at all?

Thanks for your help.

BX
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24379080
The other side is expecting to see something that they will never see.

The TLSv1 is how their product reports the use of TLS. Microsoft's product reports it in a different way. TLS is being used.

Due to the way that you have munged the headers it is hard to tell which email is which. There is Postini involved as well, which further complicates matters.

Simon.
0
 

Author Comment

by:bengxiong
ID: 24379455
Ok, the attachment is the real email they sent me.
Received.doc
0
 

Author Comment

by:bengxiong
ID: 24379487
Their tech said it is supposed to look like the top one. The one below is the email I sent them.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24380799
This is just going round in circles, because if the email is coming in to Exchange it will not say the TLSv1 that they are looking for. The server that is receiving the email is what makes the line on the header.

Simon.
0
 

Author Comment

by:bengxiong
ID: 24381827
Simon,
My question is did I set up the TLS correctly?

Thanks,

BX
0
 
LVL 65

Accepted Solution

by:
Mestha earned 250 total points
ID: 24382756
You are seeing the Microsoft TLS information in the headers so it would appear so.

Simon.
0
 
LVL 17

Expert Comment

by:Suraj
ID: 24385346
If you do a Netmon trace and check the communication between the two domains, it will clearly prove whether TLS communication was happening or not.

-x-sam-
0
 

Author Comment

by:bengxiong
ID: 24385523
Simon,
Thank You.

BX
0
