Solved

Exchange 2007 - How does Opportunistic TLS work?

Posted on 2009-05-11
4,178 Views
Last Modified: 2012-08-13
We have a directive to try and encrypt emails between our company and other outside companies we do business with.  Someone said that as long as the outside company has an Exchange 2007 server just like our company then emails are encrypted automatically between the two servers without any additional setup.  

Can you verify if this is true and, if not, how do I get it to be?

Thanks,

Capt
Question by:capt_morgan
11 Comments
 
LVL 22

Expert Comment

by:Syed Mutahir Ali
ID: 24358194
Opportunistic TLS is new to Exchange Server 2007. Exchange Server 2007 tries to secure the Message flow with other Exchange Servers or foreign messaging systems. It also tries to enable a TLS session with the other messaging system in the form of an anonymous TLS request. This is different from Exchange Server 2003 where you must manually enable TLS between different Exchange Servers.
http://www.msexchange.org/tutorials/Securing-SMTP-Message-Flow-between-different-Exchange-Server-2007-organizations.html
Above is a great article explaining all you need :-)
Hope this helps
Regards
0
 
LVL 7

Expert Comment

by:LANm0nk3y
ID: 24358292
I don't think you're going to be able to secure all your messages that you deal with outside of your company with Exchange 2007 alone.  Exchange 2007 will attempt to use TLS (SMTPs); if it can't, then it will fall back to just SMTP (unencrypted).  Just because someone has Exchange 2007, it does not mean it will support TLS (requires SSL) or that they've set it up correctly.  I'm not sure how critical this is or what compliance laws you have to abide by, but you may want to check out some mail-gateway security.  Just my two cents, but the article from mutahir is excellent.
0
 
LVL 9

Expert Comment

by:xcomiii
ID: 24358368
As far as I know, it will only try TLS by default and then regular SMTP if the other server doesn't support it. In order to support TLS on the receiving server, the server needs a TLS certificate which is trusted, in other words from a trusted CA. That means either using a public CA or your own CA and then importing the root certificate into the other organisation.

No, it will not encrypt by default if the receiving server does not have a certificate you trust.

Check out this on microsoft.com:
http://technet.microsoft.com/en-us/library/bb430753.aspx
0
 

Author Comment

by:capt_morgan
ID: 24359014
I am still a little confused on how Opportunistic TLS works.  Some of you say that it is automatic between Exchange 2007 as long as they have it turned on, but others are saying that you need to import certificates from the foreign Exchange 2007 into my Exchange 2007 before it will work.  I read the URL links but they are still leaving me confused.  

Can someone tell me how I know this is working and if they have done it themselves?

Capt.
0
 
LVL 9

Expert Comment

by:xcomiii
ID: 24359103
The sending Ex2007 tries to send TLS if the other Ex2007 server supports it. This is different from just having it enabled by default, that doesn't mean it actually will work out of the box.

In order to support TLS on the receiving server, yes, you must have TLS certificates. If all servers were just using self-signed certificates, it would break the trust completely, and therefore that is why TLS won't work right out of the box, even if Ex2007 has STARTTLS enabled by default on outgoing SMTP.

Does this make any sense to you?

0
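The two conditions the answers above give for opportunistic TLS (the remote server advertises STARTTLS, and it presents a certificate that chains to a CA you trust) can both be checked from the sending side, which also answers the earlier question of how to know whether it is working. The script below is an added example, not code from this thread or from Exchange; it uses only Python's standard smtplib and ssl modules. The EHLO replies, host names and addresses in it are constructed, and assess() merely reports which of the two conditions failed rather than reproducing Exchange's own decision logic.

```python
"""Probe an SMTP host for STARTTLS support and a trusted certificate.

Runs offline against the constructed EHLO replies below; pass a hostname on
the command line to probe a real server on port 25.
"""
import smtplib
import ssl
import sys
from dataclasses import dataclass
from typing import Optional, Set

# Constructed EHLO responses in wire format (not captured from any real server).
SAMPLE_EHLO_WITH_STARTTLS = (
    b"250-mail.example.com Hello [192.0.2.10]\r\n"
    b"250-SIZE 10485760\r\n"
    b"250-STARTTLS\r\n"
    b"250-AUTH NTLM LOGIN\r\n"
    b"250 OK\r\n"
)
SAMPLE_EHLO_PLAIN_ONLY = (
    b"250-mail.example.net Hello [192.0.2.11]\r\n"
    b"250-SIZE 10485760\r\n"
    b"250 OK\r\n"
)


def parse_ehlo_capabilities(ehlo_reply: bytes) -> Set[str]:
    """Return the ESMTP keywords from a raw multi-line 250 EHLO reply.

    The first 250 line is the greeting ("250-host Hello ...") and carries no
    capability, so it is skipped; later lines are "250-KEYWORD [params]" or,
    for the final one, "250 KEYWORD".
    """
    caps: Set[str] = set()
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:
        line = line.strip()
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            fields = line[4:].split()
            if fields:
                caps.add(fields[0].upper())
    return caps


@dataclass
class TlsCheckResult:
    starttls_offered: bool
    cert_trusted: Optional[bool]  # None when no TLS handshake was attempted
    detail: str

    @property
    def would_encrypt(self) -> bool:
        """True only when STARTTLS was offered and the certificate validated."""
        return self.starttls_offered and bool(self.cert_trusted)


def assess(starttls_offered: bool, cert_trusted: Optional[bool]) -> TlsCheckResult:
    """Map the two observations to a verdict and a one-line explanation."""
    if not starttls_offered:
        return TlsCheckResult(False, None, "remote does not advertise STARTTLS; delivery would be plain SMTP")
    if not cert_trusted:
        return TlsCheckResult(True, False, "STARTTLS offered, but the certificate does not chain to a trusted CA or its name does not match the host")
    return TlsCheckResult(True, True, "STARTTLS offered and certificate validated")


def check_remote_smtp(host: str, port: int = 25, timeout: float = 15.0) -> TlsCheckResult:
    """Live probe: EHLO, look for STARTTLS, then negotiate TLS with chain and
    hostname verification against the local CA store."""
    context = ssl.create_default_context()  # verifies chain and hostname
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        smtp.connect(host, port)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return assess(False, None)
        try:
            smtp.starttls(context=context)
        except ssl.SSLError as exc:  # untrusted chain, name mismatch, ...
            base = assess(True, False)
            return TlsCheckResult(True, False, f"{base.detail}: {exc}")
        return assess(True, True)
    except (OSError, smtplib.SMTPException) as exc:
        return TlsCheckResult(False, None, f"could not complete SMTP dialogue: {exc}")
    finally:
        smtp.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict = check_remote_smtp(sys.argv[1])
    else:  # offline demonstration on the constructed replies
        caps = parse_ehlo_capabilities(SAMPLE_EHLO_WITH_STARTTLS)
        verdict = assess("STARTTLS" in caps, cert_trusted=True)
    print("would encrypt:", verdict.would_encrypt, "-", verdict.detail)
```

Running it against a partner's MX with a certificate from a public CA should report both conditions met; a self-signed or internal-CA certificate shows up as "STARTTLS offered, but the certificate does not chain to a trusted CA", which is the case the thread describes where trust has to be established first (by importing the partner's root CA, or by the partner buying a certificate from a CA you already trust).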
 
LVL 7

Expert Comment

by:LANm0nk3y
ID: 24359173
Yes xcomiii is correct. TLS would not be used if any certificate is not trusted or invalid.
0
 

Author Comment

by:capt_morgan
ID: 24363808
xcomiii,

Thanks for that explanation.  This helped to clear some things up about TLS.  So basically, as you said, both Exchange Servers must trust the other's certificate for this to work.  And the only way to establish trust in certificates would be for each company to buy a 3rd party certificate from either Thawte or VeriSign and add them to their Exchange 2007 servers. In addition, would each company have to include the other's certificate in their Trusted CA store, which I assume is a manual process?  

Just trying to get the steps correct so I can submit something to management.  


Capt.
0
 
LVL 9

Accepted Solution

by:
xcomiii earned 1200 total points
ID: 24367729
Yes, you are right. But you can also do this with other methods, as mentioned in the link I gave you before. You could set up direct trust of the certs, but that's impractical when you need to send mail to unknown recipients/domains, and that's where the trust from 3rd-party CAs like Verisign and others comes into play.
0
 

Author Comment

by:capt_morgan
ID: 24367801
Has anyone here successfully implemented Opportunistic TLS in their environment, and if so, how difficult was it to set up?  
0
 
LVL 7

Assisted Solution

by:LANm0nk3y
LANm0nk3y earned 800 total points
ID: 24368861
It's not that difficult, it's just a matter of selecting the SSL cert.  I have a cert, but like I said before -- it doesn't always work if the recipient server doesn't support it.
http://msexchangeteam.com/archive/2007/05/03/438266.aspx
0
 
LVL 7

Assisted Solution

by:LANm0nk3y
LANm0nk3y earned 800 total points
ID: 24368902
0
