capt_morgan asked:
Exchange 2007 - How does Opportunistic TLS work?

We have a directive to try to encrypt emails between our company and other outside companies we do business with.  Someone said that as long as the outside company has an Exchange 2007 server just like our company, then emails are encrypted automatically between the two servers without any additional setup.

Can you verify if this is true, and if not, how do I get it to be?

Thanks,

Capt
Syed Mutahir Ali:
Opportunistic TLS is new to Exchange Server 2007. Exchange Server 2007 tries to secure the Message flow with other Exchange Servers or foreign messaging systems. It also tries to enable a TLS session with the other messaging system in the form of an anonymous TLS request. This is different from Exchange Server 2003 where you must manually enable TLS between different Exchange Servers.
http://www.msexchange.org/tutorials/Securing-SMTP-Message-Flow-between-different-Exchange-Server-2007-organizations.html
Above is a great article explaining all you need :-)
Hope this helps
Regards
I don't think you're going to be able to secure all your messages that you deal with outside of your company with Exchange 2007 alone.  Exchange 2007 will attempt to use TLS (SMTPS); if it can't, then it will fall back to just SMTP (unencrypted).  Just because someone has Exchange 2007, it does not mean it will support TLS (requires SSL) or that they've set it up correctly.  I'm not sure how critical this is or what compliance laws you have to abide by, but you may want to check out some mail-gateway security.  Just my two cents, but the article from mutahir is excellent.
xcomiii:
As far as I know, it will only try TLS by default and then fall back to regular SMTP if the other server doesn't support it. In order to support TLS on the receiving server, the server needs a TLS certificate which is trusted, in other words from a trusted CA. That means either using a public CA or your own CA and then importing the root certificate into the other organisation.

No, it will not encrypt by default if the receiving server does not have a certificate you trust.

Check out this on microsoft.com:
http://technet.microsoft.com/en-us/library/bb430753.aspx
capt_morgan (asker):
I am still a little confused on how Opportunistic TLS works.  Some of you say that it is automatic between Exchange 2007 servers as long as they have it turned on, but others are saying that you need to import certificates from the foreign Exchange 2007 into my Exchange 2007 before it will work.  I read the URL links but they are still leaving me confused.

Can someone tell me how I know this is working and if they have done it themselves?

Capt.
The sending Ex2007 tries to use TLS if the other Ex2007 server supports it. This is different from just having it enabled by default; that doesn't mean it actually will work out of the box.

In order to support TLS on the receiving server, yes, you must have TLS certificates. If all servers were just using self-signed certificates, it would break the trust completely, and that is why TLS won't work right out of the box, even if Ex2007 has STARTTLS enabled by default on outgoing SMTP.

Does this make any sense to you?
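The behaviour described in the two posts above (the sender offers STARTTLS, uses it only if the receiver advertises it and presents a certificate the sender trusts, otherwise delivers in clear text) can be checked from the outside. The following is an added example written for this page, not Exchange code and not from the linked articles: it probes an MX with Python's standard library and reports which of the three outcomes a sender would hit. The `FakeSMTP` class and the sample EHLO responses are constructed so the decision logic can be exercised offline; the hostnames are hypothetical.

```python
"""Probe a remote SMTP server the way an opportunistic-TLS sender does:
EHLO, look for the STARTTLS extension, attempt TLS with certificate
verification, and report whether mail would have gone encrypted or
fallen back to clear text.  Python standard library only."""
import smtplib
import ssl
import sys

# Constructed sample EHLO responses (not captured from any real server).
SAMPLE_EHLO_STARTTLS = b"mail.example.com Hello\nSIZE 10485760\nSTARTTLS\n8BITMIME"
SAMPLE_EHLO_PLAIN = b"mail.example.net Hello\nSIZE 10485760\n8BITMIME"


def advertises_starttls(ehlo_response: bytes) -> bool:
    """True if the multi-line EHLO response lists the STARTTLS extension."""
    return any(line.strip().upper() == b"STARTTLS"
               for line in ehlo_response.splitlines())


def probe(host, port=25, timeout=10, smtp_factory=smtplib.SMTP, context=None):
    """Return a dict describing the outcome of one opportunistic-TLS attempt.

    smtp_factory is normally smtplib.SMTP; FakeSMTP below is injected for
    offline testing.
    """
    result = {"host": host, "starttls_advertised": False, "encrypted": False,
              "cert_verified": False, "reason": ""}
    # The default context verifies the chain against the local CA store and
    # checks that the certificate name matches `host` (hostname checking on),
    # i.e. the same trust decision a sender has to make.
    ctx = context or ssl.create_default_context()
    try:
        smtp = smtp_factory(host, port, timeout=timeout)
    except OSError as exc:                       # DNS failure, refused, timeout
        result["reason"] = f"connect failed: {exc}"
        return result
    try:
        code, ehlo = smtp.ehlo()
        if code != 250:
            result["reason"] = f"EHLO rejected with {code}"
            return result
        result["starttls_advertised"] = advertises_starttls(ehlo)
        if not result["starttls_advertised"]:
            result["reason"] = "no STARTTLS offered; sender falls back to clear-text SMTP"
            return result
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            # Chain not trusted (self-signed, unknown CA) or name mismatch.
            result["reason"] = f"certificate rejected, session stays clear text: {exc}"
            return result
        except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
            result["reason"] = f"STARTTLS failed: {exc}"
            return result
        result["encrypted"] = True
        result["cert_verified"] = True
        result["reason"] = "TLS negotiated with a trusted certificate"
        sock = getattr(smtp, "sock", None)
        if sock is not None and hasattr(sock, "cipher"):
            result["cipher"] = sock.cipher()[0]  # real sessions only
        return result
    except OSError as exc:                       # SMTPException is an OSError subclass
        result["reason"] = f"session error: {exc}"
        return result
    finally:
        try:
            smtp.quit()
        except Exception:
            pass


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP (no network); acts as its own factory."""
    def __init__(self, ehlo_response, reject_cert=None):
        self._ehlo, self._reject = ehlo_response, reject_cert
    def __call__(self, host, port=25, timeout=None):
        return self
    def ehlo(self):
        return 250, self._ehlo
    def starttls(self, context=None):
        if self._reject:                         # simulate a failed chain check
            raise ssl.SSLCertVerificationError(self._reject)
    def quit(self):
        pass


if __name__ == "__main__":
    # Usage: python probe_tls.py mx.partner.example   (hostname is hypothetical)
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it against a partner's MX from a host that can reach port 25; only the "TLS negotiated with a trusted certificate" outcome means mail to that partner would be encrypted by an opportunistic sender. Note that the trust check here uses the probing machine's CA store, not the Exchange server's, so a certificate from a private CA will be reported as rejected unless that CA's root has been imported on the probing host as well.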

Yes, xcomiii is correct. TLS would not be used if a certificate is not trusted or is invalid.
xcomiii,

Thanks for that explanation.  This helped to clear some things up about TLS.  So basically, as you said, both Exchange Servers must trust the other's certificate for this to work.  And the only way to establish trust in certificates would be for each company to buy a 3rd party certificate from either Thawte or VeriSign and add them to their Exchange 2007 servers. In addition, would each company have to include the other's certificate in their Trusted CA store, which I assume is a manual process?

Just trying to get the steps correct so I can submit something to management.  


Capt.
ASKER CERTIFIED SOLUTION
xcomiii:
Has anyone here successfully implemented Opportunistic TLS in their environment, and if so, how difficult was it to set up?