
Exchange 2007 - How does Opportunistic TLS work?

We have a directive to try to encrypt emails between our company and other outside companies we do business with. Someone said that as long as the outside company has an Exchange 2007 server, just like our company, then emails are encrypted automatically between the two servers without any additional setup.

Can you verify if this is true and, if not, how do I get it to be?

Thanks,

Capt
3 Solutions
 
Syed Mutahir Ali (Technology Consultant) commented:
Opportunistic TLS is new to Exchange Server 2007. Exchange Server 2007 tries to secure the message flow with other Exchange servers or foreign messaging systems. It also tries to enable a TLS session with the other messaging system in the form of an anonymous TLS request. This is different from Exchange Server 2003, where you must manually enable TLS between different Exchange servers.
http://www.msexchange.org/tutorials/Securing-SMTP-Message-Flow-between-different-Exchange-Server-2007-organizations.html
The above is a great article explaining all you need :-)
Hope this helps.
Regards

LANm0nk3y commented:
I don't think you're going to be able to secure all the messages you exchange with parties outside your company with Exchange 2007 alone. Exchange 2007 will attempt to use TLS (SMTPS); if it can't, it will fall back to plain SMTP (unencrypted). Just because someone has Exchange 2007 does not mean it will support TLS (which requires an SSL certificate) or that they've set it up correctly. I'm not sure how critical this is or which compliance laws you have to abide by, but you may want to check out some mail-gateway security products. Just my two cents, but the article from mutahir is excellent.

xcomiii commented:
As far as I know, it will only try TLS by default and then fall back to regular SMTP if the other server doesn't support it. In order to support TLS on the receiving server, the server needs a TLS certificate which is trusted, in other words one from a trusted CA. That means either using a public CA or your own CA and then importing the root certificate into the other organisation.

No, it will not encrypt by default if the receiving server does not have a certificate you trust.

Check out this on microsoft.com:
http://technet.microsoft.com/en-us/library/bb430753.aspx
capt_morgan (author) commented:
I am still a little confused on how Opportunistic TLS works. Some of you say that it is automatic between Exchange 2007 servers as long as they have it turned on, but others are saying that you need to import certificates from the foreign Exchange 2007 into my Exchange 2007 before it will work. I read the URL links but they are still leaving me confused.

Can someone tell me how I know this is working, and whether they have done it themselves?

Capt.

xcomiii commented:
The sending Ex2007 tries to send with TLS if the other Ex2007 server supports it. This is different from just having it enabled by default; that doesn't mean it actually will work out of the box.

In order to support TLS on the receiving server, yes, you must have TLS certificates. If all servers were just using self-signed certificates, it would break the trust completely, and therefore that is why TLS won't work right out of the box, even if Ex2007 has STARTTLS enabled by default on outgoing SMTP.

Does this make any sense to you?

LANm0nk3y commented:
Yes, xcomiii is correct. TLS would not be used if a certificate is not trusted or is invalid.

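The asker's question of how to tell whether TLS is actually being used can be answered from two places: the Received: headers Exchange stamps on a delivered message (Exchange 2007 writes "with Microsoft SMTP Server (TLS)" on a hop it received over TLS and plain "with Microsoft SMTP Server" otherwise; other MTAs mark a TLS hop "with ESMTPS" per RFC 3848), and a direct STARTTLS probe of the partner's MX. The following Python is an added example written for this page; it is not code from the thread or from Microsoft. The host names, addresses and Received: headers in it are constructed, the live probe uses Python's standard smtplib and needs network access, and the two sender policies it models (opportunistic: encrypt when STARTTLS is offered and the handshake succeeds with any certificate, otherwise fall back to clear text; mandatory: require a certificate that chains to a trusted CA and hold the message otherwise) are a generic model of the fall-back behaviour discussed above, not a transcript of Exchange 2007's internal logic.

```python
"""Checks for whether SMTP TLS is actually in use on a mail path.

Added example for this thread, not code from the thread or from Microsoft.
Host names, IP addresses and the Received: headers below are constructed.
"""
import email
import re
import smtplib
import ssl

# Two sender policies, modelled generically (assumption, not Exchange 2007's own logic).
OPPORTUNISTIC = "opportunistic"  # try STARTTLS, accept any certificate, else send in clear
MANDATORY = "mandatory"          # require TLS with a certificate chaining to a trusted CA


def delivery_decision(policy: str, tls_established: bool) -> str:
    """What a sender following `policy` does once the STARTTLS attempt has finished."""
    if tls_established:
        return "encrypted"
    if policy == OPPORTUNISTIC:
        return "plaintext-fallback"   # the silent fall-back the thread warns about
    return "deferred"                  # mandatory mode fails closed: message stays queued


def _tls_context(policy: str) -> ssl.SSLContext:
    ctx = ssl.create_default_context()    # verifies the chain and the host name by default
    if policy == OPPORTUNISTIC:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE    # a self-signed peer certificate is accepted
    return ctx


def probe_starttls(host: str, policy: str = OPPORTUNISTIC, port: int = 25,
                   timeout: float = 10.0) -> dict:
    """Connect to `host`, check whether EHLO advertises STARTTLS and whether the
    handshake succeeds under `policy`. Needs network access; not run by the test."""
    result = {"host": host, "starttls_offered": False, "tls_established": False,
              "detail": "", "decision": ""}
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        result["starttls_offered"] = smtp.has_extn("starttls")
        if not result["starttls_offered"]:
            result["detail"] = "peer did not advertise STARTTLS"
        else:
            try:
                smtp.starttls(context=_tls_context(policy))
                smtp.ehlo()                      # RFC 3207: re-issue EHLO after the handshake
                result["tls_established"] = True
                result["detail"] = smtp.sock.version()   # e.g. 'TLSv1.2'
            except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
                result["detail"] = f"STARTTLS failed: {exc}"   # untrusted cert in mandatory mode lands here
    finally:
        smtp.close()
    result["decision"] = delivery_decision(policy, result["tls_established"])
    return result


_RECEIVED_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>.+?)(?:\s+id\s|;|$)",
    re.I,
)


def received_hops(raw_message: str) -> list:
    """Walk the Received: headers (newest first) and flag each hop that used TLS."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = _RECEIVED_RE.search(" ".join(value.split()))   # unfold the header first
        if not m:
            continue
        proto = m.group("proto").strip()
        hops.append({"from": m.group("src"), "by": m.group("dst"), "with": proto,
                     "tls": "(TLS)" in proto.upper() or proto.upper().startswith("ESMTPS")})
    return hops


def external_hop_encrypted(hops: list, my_domain: str) -> bool:
    """True if the hop that carried the message into `my_domain` (the oldest hop
    received by one of our servers) used TLS."""
    for hop in reversed(hops):   # oldest hop is last in the header list
        if hop["by"].lower().endswith(my_domain.lower()):
            return hop["tls"]
    return False


# Constructed sample: an inbound message from a partner, as the recipient's mailbox sees it.
SAMPLE_MESSAGE = """\
Received: from hub1.contoso.example (192.0.2.10) by cas1.contoso.example
 (192.0.2.11) with Microsoft SMTP Server (TLS) id 8.1.240.5; Tue, 4 Mar 2008
 10:15:07 -0500
Received: from mail.partner.example (203.0.113.5) by hub1.contoso.example
 (192.0.2.10) with Microsoft SMTP Server id 8.1.240.5; Tue, 4 Mar 2008
 10:15:02 -0500
From: someone@partner.example
To: capt@contoso.example
Subject: TLS check

body
"""

if __name__ == "__main__":
    hops = received_hops(SAMPLE_MESSAGE)
    for hop in hops:
        print(f"{hop['from']} -> {hop['by']}: {'TLS' if hop['tls'] else 'CLEAR'} ({hop['with']})")
    print("external hop encrypted:", external_hop_encrypted(hops, "contoso.example"))
    # Live probe against a real MX (uncomment to run):
    # print(probe_starttls("mail.partner.example", policy=MANDATORY))
```

On the constructed sample the internal hub-to-CAS hop shows TLS but the hop from the partner does not, which is exactly the case the thread describes: the sending side offered opportunistic TLS, nothing was negotiated, and the message arrived in clear without anyone being told. Run the live probe with `policy=MANDATORY` to see the handshake fail when the partner presents a certificate your CA store does not trust, and with the default `OPPORTUNISTIC` to see the same peer accepted.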
capt_morgan (author) commented:
xcomiii,

Thanks for that explanation. This helped to clear some things up about TLS. So basically, as you said, both Exchange servers must trust the other's certificate for this to work. And the only way to establish trust in certificates would be for each company to buy a third-party certificate from either Thawte or VeriSign and add it to their Exchange 2007 servers. In addition, would each company have to include the other's certificate in their Trusted CA store, which I assume is a manual process?

Just trying to get the steps correct so I can submit something to management.

Capt.

xcomiii commented:
Yes, you are right. But you can also do this with other methods, as mentioned in the link I gave you before. You could set up direct trust of the certs, but that's impractical when you need to send mail to unknown recipients/domains, and that's where the trust from third-party CAs like VeriSign and others comes into play.

capt_morgan (author) commented:
Has anyone here successfully implemented Opportunistic TLS in their environment, and if so, how difficult was it to set up?

LANm0nk3y commented:
It's not that difficult; it's just a matter of selecting the SSL cert. I have a cert, but like I said before, it doesn't always work if the recipient server doesn't support it.
http://msexchangeteam.com/archive/2007/05/03/438266.aspx