TLS and Exchange 2003

I am trying to enable TLS for my organization. We use a Websense SMTP server on the outside edge of our network and an Exchange 2003 box on the inside. I have installed a certificate (VeriSign) on the Websense SMTP server for TLS use and do not have one on my internal Exchange server, since we feel it is not necessary to encrypt from the Websense server to the Exchange server.

The problem that is occurring is that when I enable TLS (allow it to be inspected and used) on our ASA, I cannot send or receive emails from my Exchange server. I think the problem is that the Exchange server is responding to the EHLO command with a STARTTLS command and the Exchange 2003 server does not have a certificate installed.

I have attached a document with the Wireshark packet capture of the communication between the two for a specific email I sent from the outside, and also a snippet of all the communication between the servers. The Websense server (on the 10. network) is able to receive the email from outside with no issues; it is only when the communication between the Websense and Exchange 2003 servers occurs that the errors happen.

Is the issue with TLS?  Or is there something else going on here?

Wire-shark-packets-text.txt
message-analysis.txt
gshapiro asked:

Hilal1924 commented:
You can enable TLS for internal communication between Exchange Server and the WebSense Gateway. Actually, it is one of the best practices to use TLS for internal MTAs. You can use a self-signed certificate to enable TLS on the SMTP Virtual Server.
Protocol Inspection for TLS/SMTP is not such a good idea. By Default ESMTP is inspected by ASA. Disable protocol inspection on ASA and communication will be much faster.

Cheers,
Hilal
gshapiro (Author) commented:
I was really looking to validate that the issue I was having was related to TLS between the Exchange server and the Websense server.
Hilal1924 commented:
"You can enable TLS for internal communication between Exchange Server and WebSense Gateway. Actually it is one of the best practices to use TLS for internal MTA's. You can use a self signed certificate to enable TLS on SMTP Virtual Server. "
This is what I had suggested in my earlier comment. You can try this out and see if it works for you. I studied the Wireshark log and it does not have any mention of communication getting rejected. It follows the regular codes 220, 250. Only the DATA part is missing, like you pointed out, which could be because the communication channel was not encrypted and they failed to negotiate the data transfer. In this scenario a TLS tunnel would be a better option, since both will have a uniform method of communication and encryption.

Cheers,
Hilal
gshapiro (Author) commented:
I agree with you on the communication channel.  I have been studying the log from both sides sending and receiving emails, inbound and outbound of the organization and I do not see any TLS exchange.  I know the websense system has an option for opportunistic TLS and that is what is configured.  I am wondering if the ASA is preventing this traffic from being communicated or causing some other issue.

If you have any other ideas let me know.
Hilal1924 commented:
Run this command on the ASA and see if it makes any difference:

no inspect esmtp

Cheers,
Hilal
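The thread turns on what the capture actually shows between the Websense relay and Exchange, so here is an added example, not code from the thread or from either vendor: a small Python script that reads an SMTP transcript in a "C:"/"S:" form (roughly what you get by copying a Wireshark "Follow TCP Stream" view and tagging the two directions) and reports whether STARTTLS was advertised, whether the client asked for it, whether the server accepted it, and whether the session reached DATA. It also flags EHLO keywords that arrive as a run of X characters, which is how ASA/PIX ESMTP inspection shows up in a capture when it masks an extension it does not permit. The three transcripts, hostnames and addresses are constructed for illustration and are not the poster's attachments.

```python
"""Classify an SMTP session transcript by how (or whether) STARTTLS was negotiated.

Added example, not code from the thread.  Transcript lines are "C: <command>"
for the sending MTA (the Websense relay) and "S: <reply>" for the receiving MTA
(Exchange 2003).  The three transcripts below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# An EHLO keyword that arrives as a run of X characters was masked in transit
# (ASA/PIX ESMTP inspection overwrites extensions it does not permit this way).
MASK_RE = re.compile(r"X{4,}")

EXPLANATIONS = {
    "MASKED_BY_INSPECTION": "EHLO reply was rewritten between the two MTAs; look at the firewall's ESMTP inspection, not at the mail servers",
    "NO_STARTTLS_OFFERED": "receiving server did not offer STARTTLS (no certificate bound to its SMTP virtual server?); opportunistic TLS falls back to cleartext",
    "TLS_NEGOTIATED": "STARTTLS accepted; everything after the 220 is encrypted and will not be readable in the capture",
    "STARTTLS_REJECTED": "client asked for STARTTLS but the server refused it",
    "STARTTLS_NOT_USED": "STARTTLS was offered but the client never issued it; check the client's TLS setting",
}

# Constructed transcripts (placeholder hosts/addresses).
HEALTHY = """\
S: 220 mail.example.local Microsoft ESMTP MAIL Service ready
C: EHLO relay.example.local
S: 250-mail.example.local Hello [10.0.0.5]
S: 250-SIZE 10485760
S: 250-STARTTLS
S: 250-8BITMIME
S: 250 OK
C: STARTTLS
S: 220 2.0.0 SMTP server ready
"""

NO_CERT = """\
S: 220 mail.example.local Microsoft ESMTP MAIL Service ready
C: EHLO relay.example.local
S: 250-mail.example.local Hello [10.0.0.5]
S: 250-SIZE 10485760
S: 250-8BITMIME
S: 250 OK
C: MAIL FROM:<sender@example.com>
S: 250 2.1.0 Sender OK
C: RCPT TO:<user@example.local>
S: 250 2.1.5 Recipient OK
C: DATA
S: 354 Start mail input; end with <CRLF>.<CRLF>
"""

MASKED = """\
S: 220 mail.example.local Microsoft ESMTP MAIL Service ready
C: EHLO relay.example.local
S: 250-mail.example.local Hello [10.0.0.5]
S: 250-SIZE 10485760
S: 250-XXXXXXXX
S: 250-8BITMIME
S: 250 OK
C: MAIL FROM:<sender@example.com>
S: 250 2.1.0 Sender OK
C: RCPT TO:<user@example.local>
S: 250 2.1.5 Recipient OK
C: QUIT
S: 221 closing connection
"""


@dataclass
class SessionReport:
    ehlo_extensions: List[str] = field(default_factory=list)
    masked_extensions: int = 0
    starttls_advertised: bool = False
    starttls_attempted: bool = False
    starttls_accepted: bool = False
    data_reached: bool = False
    data_accepted: bool = False
    verdict: str = ""


def diagnose(transcript: str) -> SessionReport:
    r = SessionReport()
    in_ehlo_reply = False        # inside the multi-line 250 reply to EHLO
    greeting_pending = False     # first 250 line is the greeting, not an extension
    awaiting = ""                # client command whose reply we are waiting for
    for raw in transcript.splitlines():
        line = raw.strip()
        if len(line) < 3 or line[1:3] != ": ":
            continue             # not a tagged C:/S: line
        who, payload = line[0], line[3:]
        if who == "C":
            awaiting = payload.split(" ", 1)[0].upper()
            in_ehlo_reply = greeting_pending = (awaiting == "EHLO")
            if awaiting == "STARTTLS":
                r.starttls_attempted = True
            elif awaiting == "DATA":
                r.data_reached = True
            continue
        code = payload[:3]
        if in_ehlo_reply and code != "250":
            in_ehlo_reply = False            # EHLO refused (e.g. 500/502)
        if in_ehlo_reply:
            if greeting_pending:
                greeting_pending = False     # "250-host Hello [ip]"
            else:
                keyword = payload[4:].split(" ", 1)[0].upper()
                r.ehlo_extensions.append(keyword)
                if MASK_RE.fullmatch(keyword):
                    r.masked_extensions += 1
                elif keyword == "STARTTLS":
                    r.starttls_advertised = True
            if payload[3:4] == " ":          # "250 " (space) ends the reply
                in_ehlo_reply = False
        elif awaiting == "STARTTLS":
            r.starttls_accepted = (code == "220")
        elif awaiting == "DATA":
            r.data_accepted = (code == "354")
        awaiting = ""
    if r.masked_extensions:
        r.verdict = "MASKED_BY_INSPECTION"
    elif not r.starttls_advertised:
        r.verdict = "NO_STARTTLS_OFFERED"
    elif r.starttls_attempted and r.starttls_accepted:
        r.verdict = "TLS_NEGOTIATED"
    elif r.starttls_attempted:
        r.verdict = "STARTTLS_REJECTED"
    else:
        r.verdict = "STARTTLS_NOT_USED"
    return r


if __name__ == "__main__":
    for name, text in [("healthy", HEALTHY), ("no-cert", NO_CERT), ("masked", MASKED)]:
        rep = diagnose(text)
        print(f"{name:8s} {rep.verdict:22s} ehlo={rep.ehlo_extensions} data_accepted={rep.data_accepted}")
        print(f"         {EXPLANATIONS[rep.verdict]}")
```

If the verdict is MASKED_BY_INSPECTION the fix belongs on the firewall, not on either mail server: either drop `inspect esmtp` from the inspection_default class of global_policy, as suggested above, or keep inspection and attach an ESMTP inspection policy that permits TLS (`policy-map type inspect esmtp` with `allow-tls` under `parameters`). If it is NO_STARTTLS_OFFERED, the receiving SMTP virtual server has no certificate to offer, and an opportunistic-TLS sender simply continues in cleartext, so that by itself does not explain a session that never reaches DATA.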
