Solved

Exchange 2007 - How does Opportunistic TLS work?

Posted on 2009-05-11
Last Modified: 2012-08-13
We have a directive to try and encrypt emails between our company and other outside companies we do business with.  Someone said that as long as the outside company has an Exchange 2007 server just like our company then emails are encrypted automatically between the two servers without any additional setup.  

Can you verify if this is true, and if not, how do I get it to be?

Thanks,

Capt
Question by:capt_morgan
11 Comments
 
LVL 22

Expert Comment

by:mutahir
ID: 24358194
Opportunistic TLS is new to Exchange Server 2007. Exchange Server 2007 tries to secure the Message flow with other Exchange Servers or foreign messaging systems. It also tries to enable a TLS session with the other messaging system in the form of an anonymous TLS request. This is different from Exchange Server 2003 where you must manually enable TLS between different Exchange Servers.
http://www.msexchange.org/tutorials/Securing-SMTP-Message-Flow-between-different-Exchange-Server-2007-organizations.html
Above is a great article explaining all you need :-)
Hope this helps
Regards
 
LVL 7

Expert Comment

by:LANm0nk3y
ID: 24358292
I don't think you're going to be able to secure all the messages you deal with outside of your company with Exchange 2007 alone.  Exchange 2007 will attempt to use TLS (SMTPS); if it can't, it will fall back to just SMTP (unencrypted).  Just because someone has Exchange 2007, it does not mean it will support TLS (requires SSL) or that they've set it up correctly.  I'm not sure how critical this is or which compliance laws you have to abide by, but you may want to check out some mail-gateway security.  Just my two cents, but the article from mutahir is excellent.
 
LVL 9

Expert Comment

by:xcomiii
ID: 24358368
As far as I know, it will only try TLS by default and then fall back to regular SMTP if the other server doesn't support it. In order to support TLS on the receiving server, the server needs a TLS certificate which is trusted, in other words from a trusted CA. That means either using a public CA or your own CA and then importing the root certificate into the other organisation.

No, it will not encrypt by default if the receiving server does not have a certificate you trust.

Check out this on microsoft.com:
http://technet.microsoft.com/en-us/library/bb430753.aspx
 

Author Comment

by:capt_morgan
ID: 24359014
I am still a little confused on how Opportunistic TLS works.  Some of you say that it is automatic between Exchange 2007 servers as long as they have it turned on, but others are saying that you need to import certificates from the foreign Exchange 2007 into my Exchange 2007 before it will work.  I read the URL links but they are still leaving me confused.  

Can someone tell me how I know this is working, and if they have done it themselves?

Capt.
 
LVL 9

Expert Comment

by:xcomiii
ID: 24359103
The sending Ex2007 tries to send TLS if the other Ex2007 server supports it. This is different from just having it enabled by default, that doesn't mean it actually will work out of the box.

In order to support TLS on the receiving server, yes, you must have TLS certificates. If all servers were just using self-signed certificates, it would break the trust completely, and that is why TLS won't work right out of the box, even if Ex2007 has STARTTLS enabled by default on outgoing SMTP.

Does this make any sense to you?

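The behaviour described in the answer above, modelled as an added example (this is not code from the thread or from Exchange): a parser for the EHLO reply, the opportunistic decision (TLS only when STARTTLS is advertised and the receiver's certificate validates, otherwise fall back to plaintext, or refuse under an enforced policy), and a live probe you can point at your own MX host to see which branch a sender would take. The EHLO replies, the host name and the probe_starttls helper are constructed/assumed here.

```python
import smtplib
import ssl
from typing import Optional

# Constructed EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = "250-mail.example.test Hello\r\n250 HELP\r\n"

def ehlo_extensions(reply: str) -> set:
    """Extension keywords advertised in a multi-line EHLO reply (RFC 5321)."""
    exts = set()
    for line in reply.splitlines()[1:]:  # line 0 is the greeting, not an extension
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if body:
            exts.add(body.split()[0].upper())
    return exts

def decide(reply: str, cert_trusted: Optional[bool], require_tls: bool = False) -> str:
    """Outcome of one outbound session as the answers above describe it.
    cert_trusted is the result of validating the receiver's certificate after
    STARTTLS (None when STARTTLS was never offered).  Opportunistic mode falls
    back to plaintext SMTP whenever TLS cannot be set up; require_tls refuses instead."""
    if "STARTTLS" in ehlo_extensions(reply) and cert_trusted:
        return "tls"
    return "reject" if require_tls else "plaintext"

def probe_starttls(host: str, port: int = 25, timeout: float = 10) -> dict:
    """Live check of a receiving host (network; not run by the offline test): does it
    advertise STARTTLS, and does its certificate validate against the local trust store?"""
    result = {"starttls": False, "cert_trusted": None}
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            result["starttls"] = True
            try:
                smtp.starttls(context=ctx)
                result["cert_trusted"] = True
            except ssl.SSLError:  # untrusted CA, name mismatch, expired cert, ...
                result["cert_trusted"] = False
    finally:
        smtp.close()
    return result
```

A receiver where probe_starttls reports starttls=True but cert_trusted=False is exactly the case the thread describes: the sender will still deliver, but in plaintext.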
 
LVL 7

Expert Comment

by:LANm0nk3y
ID: 24359173
Yes xcomiii is correct. TLS would not be used if any certificate is not trusted or invalid.
 

Author Comment

by:capt_morgan
ID: 24363808
xcomiii,

Thanks for that explanation.  This helped to clear some things up about TLS.  So basically, as you said, both Exchange Servers must trust the other's certificate for this to work.  And the only way to establish trust in certificates would be for each company to buy a 3rd-party certificate from either Thawte or VeriSign and add them to their Exchange 2007 servers. In addition, would each company have to include the other's certificate in their Trusted CA store, which I assume is a manual process?  

Just trying to get the steps correct so I can submit something to management.  


Capt.
 
LVL 9

Accepted Solution

by:
xcomiii earned 300 total points
ID: 24367729
Yes, you are right. But you can also do this with other methods, as mentioned in the link I gave you before. You could set up direct trust of the certs, but that's impractical when you need to send mail to unknown recipients/domains, and that's where the trust from 3rd-party CAs like VeriSign and others comes into play.
 

Author Comment

by:capt_morgan
ID: 24367801
Has anyone here successfully implemented Opportunistic TLS in their environment, and if so, how difficult was it to set up?  
 
LVL 7

Assisted Solution

by:LANm0nk3y
LANm0nk3y earned 200 total points
ID: 24368861
It's not that difficult, it's just a matter of selecting the SSL cert.  I have a cert, but like I said before -- it doesn't always work if the recipient server doesn't support it.
http://msexchangeteam.com/archive/2007/05/03/438266.aspx