Solved

Exchange 2007 - How does Opportunistic TLS work?

Posted on 2009-05-11
4,123 Views
Last Modified: 2012-08-13
We have a directive to try and encrypt emails between our company and other outside companies we do business with.  Someone said that as long as the outside company has an Exchange 2007 server just like our company then emails are encrypted automatically between the two servers without any additional setup.  

Can you verify if this is true, and if not, how do I get it to be?

Thanks,

Capt
Question by:capt_morgan
11 Comments
 
LVL 22

Expert Comment

by:Syed Mutahir Ali
ID: 24358194
Opportunistic TLS is new to Exchange Server 2007. Exchange Server 2007 tries to secure the Message flow with other Exchange Servers or foreign messaging systems. It also tries to enable a TLS session with the other messaging system in the form of an anonymous TLS request. This is different from Exchange Server 2003 where you must manually enable TLS between different Exchange Servers.
http://www.msexchange.org/tutorials/Securing-SMTP-Message-Flow-between-different-Exchange-Server-2007-organizations.html
Above is a great article explaining all you need :-)
Hope this helps
Regards
 
LVL 7

Expert Comment

by:LANm0nk3y
ID: 24358292
I don't think you're going to be able to secure all the messages you deal with outside of your company with Exchange 2007 alone.  Exchange 2007 will attempt to use TLS (SMTPS); if it can't, then it will fall back to just SMTP (unencrypted).  Just because someone has Exchange 2007, it does not mean it will support TLS (requires SSL) or that they've set it up correctly.  I'm not sure how critical this is or what compliance laws you have to abide by, but you may want to check out some mail-gateway security.  Just my two cents, but the article from mutahir is excellent.
 
LVL 9

Expert Comment

by:xcomiii
ID: 24358368
As far as I know, it will only try TLS by default and then fall back to regular SMTP if the other server doesn't support it. In order to support TLS on the receiving server, the server needs a TLS certificate which is trusted, in other words from a trusted CA. That means either using a public CA or your own CA and then importing the root certificate into the other organisation.

No, it will not encrypt by default if the receiving server does not have a certificate you trust.

Check out this on microsoft.com:
http://technet.microsoft.com/en-us/library/bb430753.aspx
 

Author Comment

by:capt_morgan
ID: 24359014
I am still a little confused on how Opportunistic TLS works.  Some of you say that it is automatic between Exchange 2007 servers as long as they have it turned on, but others are saying that you need to import certificates from the foreign Exchange 2007 into my Exchange 2007 before it will work.  I read the URL links but they are still leaving me confused.  

Can someone tell me how I know this is working, and if they have done it themselves?

Capt.
 
LVL 9

Expert Comment

by:xcomiii
ID: 24359103
The sending Ex2007 tries to send over TLS if the other Ex2007 server supports it. This is different from just having it enabled by default; that doesn't mean it actually will work out of the box.

In order to support TLS on the receiving server, yes, you must have TLS certificates. If all servers were just using self-signed certificates, it would break the trust completely, and that is why TLS won't work right out of the box, even if Ex2007 has STARTTLS enabled by default on outgoing SMTP.

Does this make any sense to you?

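The behaviour xcomiii describes above (try STARTTLS, fall back to plain SMTP, trust depends on the certificate), as an added example that is not part of this thread: a small Python model of the sending side's decision, plus a live probe against a single MX that answers capt's "how do I know this is working" for one peer. The EHLO replies and host names are constructed placeholders, not captured from any real server.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from any real server) standing in for the two
# kinds of peer discussed in the thread: one advertising STARTTLS and one that does not.
EHLO_WITH_STARTTLS = "250-mail.partner.example Hello\r\n250-SIZE 10485760\r\n250-STARTTLS\r\n250 OK\r\n"
EHLO_WITHOUT_STARTTLS = "250-mail.legacy.example Hello\r\n250-SIZE 10485760\r\n250 OK\r\n"


def ehlo_keywords(response: str) -> set:
    """Capability keywords from a multi-line EHLO reply; accepts raw wire lines ("250-STARTTLS")
    or smtplib's ehlo_resp (status codes already stripped). Line 1 is the greeting, not a keyword."""
    lines = [l[4:] if l[:3] == "250" else l for l in response.strip().splitlines()]
    return {l.split()[0].upper() for l in lines[1:] if l.split()}


def opportunistic_outcome(response: str, handshake) -> str:
    """Model the sender's opportunistic-TLS decision.

    handshake() issues STARTTLS and returns True if the peer certificate chained to a trusted CA,
    False if TLS came up but the certificate was not trusted (e.g. self-signed), or raises
    ssl.SSLError / OSError if negotiation failed outright."""
    if "STARTTLS" not in ehlo_keywords(response):
        return "plaintext: STARTTLS not advertised"
    try:
        trusted = handshake()
    except (ssl.SSLError, OSError):
        # "Opportunistic": a failed TLS attempt is not a delivery failure; mail goes out in clear.
        return "plaintext: TLS handshake failed, fell back to SMTP"
    return "tls: certificate trusted" if trusted else "tls: encrypted, certificate NOT trusted"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live version of the same check against one MX (standard library only, needs outbound port 25).
    EHLO, then STARTTLS verified against the system CA store; nothing is sent."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()

        def handshake():
            try:
                smtp.starttls(context=ssl.create_default_context())
                return True
            except ssl.SSLCertVerificationError:
                return False  # TLS was negotiable, but the cert does not chain to a trusted root

        return opportunistic_outcome(smtp.ehlo_resp.decode("ascii", "replace"), handshake)
```

Running `probe_starttls("mail.partner.example")` against a real partner MX tells you which of the three outcomes that peer gives you; a "plaintext" result means the directive is not being met for that domain regardless of what their server software is.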
 
LVL 7

Expert Comment

by:LANm0nk3y
ID: 24359173
Yes xcomiii is correct. TLS would not be used if any certificate is not trusted or invalid.
 

Author Comment

by:capt_morgan
ID: 24363808
xcomiii,

Thanks for that explanation.  This helped to clear some things up about TLS.  So basically, as you said, both Exchange servers must trust the other's certificate for this to work.  And the only way to establish trust in certificates would be for each company to buy a 3rd-party certificate from either Thawte or VeriSign and add them to their Exchange 2007 servers. In addition, would each company have to include the other's certificate in their Trusted CA store, which I assume is a manual process?  

Just trying to get the steps correct so I can submit something to management.  


Capt.
 
LVL 9

Accepted Solution

by: xcomiii (earned 300 total points)
ID: 24367729
Yes, you are right. But you can also do this with other methods, as mentioned in the link I gave you before. You could set up direct trust of the certs, but that's impractical when you need to send mail to unknown recipients/domains, and that's where the trust from 3rd-party CAs like VeriSign and others comes into play.
 

Author Comment

by:capt_morgan
ID: 24367801
Has anyone here successfully implemented Opportunistic TLS in their environment, and if so, how difficult was it to set up?  
 
LVL 7

Assisted Solution

by: LANm0nk3y (earned 200 total points)
ID: 24368861
It's not that difficult, it's just a matter of selecting the SSL cert.  I have a cert, but like I said before -- it doesn't always work if the recipient server doesn't support it.
http://msexchangeteam.com/archive/2007/05/03/438266.aspx
 
LVL 7

Assisted Solution

by: LANm0nk3y (earned 200 total points)
ID: 24368902