SSAKUSEISHA (Japan) asked:
How to setup TLS for Exchange 2003 when currently using MessageLabs smarthost?

Our organization received a requirement to use TLS for several of its clients. However, we are currently using MessageLabs for outgoing SMTP, anti-virus, and anti-spam. MessageLabs's TLS service is too expensive so we are looking for alternatives.

The attached .JPG shows a brief view of our current mail infrastructure. The two servers, EXF01 and EXF02, are MS Exchange 2003 front-end servers that are supposed to be load balanced on IP 10.10.10.18. However, the Default SMTP virtual servers are configured for each server's respective IP address. Our firewall rule allows SMTP for all three IPs, x.x.x.16-18.

I need to be able to send and receive TLS email to several clients without disrupting the current email infrastructure which does not use TLS.

I have been scouring the Internet for a solution but I cannot seem to find a clear answer. I keep reading that another IP should be set on the server NIC and to add another SMTP virtual server and another SMTP connector. In this case, there is already an additional IP configured on the NIC - 10.10.10.18 - that is not being used but should be used for load balancing.

So, it looks like I need to do the following:

1. Purchase an SSL certificate for exfe.ourdomain.com and install it on the default SMTP Virtual Server. Since load balancing is / should be used, I will have to export the cert and import it on the second front-end.

2. Create another SMTP Connector - NOT another default SMTP Virtual Server - and configure as listed in the attached screenshots (Proposed.TLS.Connector.Setting.doc).

Is this correct? I should also mention that one of the clients wants to use Forced TLS (Exchange 2003 only supports Opportunistic), but since this connector will only be for the TLS clients, there should be no problem, correct? I would like specific steps for this configuration if possible.

I do not particularly like this configuration because the TLS communication will no longer have anti-virus/spam protection. It doesn't seem logical to install anti-virus/spam when we are already paying MessageLabs to provide the service for the bulk of our email. I am also considering adding an open-source SMTP server in our DMZ (ESVA) to solve this issue but that is out of scope for this question. :)
Attachments: Email.Diagram.jpg, Proposed.TLS.Connector.Setting.doc
ASKER CERTIFIED SOLUTION by bignewf (United States of America)

SSAKUSEISHA (asker) replied:
bignewf,

Thanks for your reply.

I have seen the URL that you provided already but thank you for including it.

In regards to incoming TLS connections, how should external DNS be configured? Since our MX records are pointing to MessageLabs, won't the senders' servers try to negotiate with the MessageLabs MTA, where the certificate is not installed? Perhaps I could create another MX record called tls<mydomain>, make it the MX=10, and bump the other MX records down in priority?
If you don't want your inbound mail to find your MessageLabs MX record, you would need a separate MX record for this separate TLS domain for inbound mail.
Thanks for the info.

It is easy to find information about configuring TLS all over this site and from other web sources however, our configuration is a bit different. Since this is a production environment and it is not absolutely clear how to configure TLS in our environment, we will try to setup a test lab and duplicate.

Thank you again for your help.

If we get a clear resolution, I will post additional comments.
Thank you again for your assistance!
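The two decisions this thread turns on, which connector a given recipient domain leaves through (forced TLS, opportunistic TLS, or the unencrypted smarthost) and which host a sender picks from a domain's MX records, can be checked without touching the production servers. The following is an added example written for this page, not Exchange code and not from the original poster or from bignewf: it models the outbound per-domain policy plus the STARTTLS check the sending side performs, and it models RFC 5321 MX selection for the two inbound-DNS options raised in the follow-up (a new preference-10 MX on the existing domain versus a separate subdomain with its own MX). All domains, hostnames (relay.smarthost.example, exfe.ourdomain.com, tls.ourdomain.com) and EHLO banners are constructed for the illustration.

```python
"""Added example: a model of the outbound connector/TLS policy and of inbound
MX selection discussed in this thread. Not Exchange code and not from the
original post; every domain, hostname and EHLO banner below is constructed."""
import re

# Outbound policy per recipient domain (constructed). "required" is the
# forced-TLS client, "opportunistic" encrypts only when the peer offers it,
# and any domain not listed goes unencrypted to the smarthost.
TLS_POLICY = {
    "clienta.example": "required",
    "clientb.example": "opportunistic",
}
SMARTHOST = "relay.smarthost.example"   # stands in for the MessageLabs relay


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def choose_connector(recipient):
    """Most specific address space wins; '*' (the smarthost) is the default."""
    policy = TLS_POLICY.get(domain_of(recipient), "none")
    if policy == "none":
        return {"connector": "smarthost", "next_hop": SMARTHOST, "tls": "none"}
    return {"connector": "tls", "next_hop": "mx:" + domain_of(recipient), "tls": policy}


def starttls_offered(ehlo_response):
    """True if the EHLO reply advertises STARTTLS (RFC 3207 keyword)."""
    for line in ehlo_response.splitlines():
        m = re.match(r"250[ -](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def plan_delivery(recipient, ehlo_response):
    """Decide what the sending MTA does once it has the peer's EHLO reply."""
    conn = choose_connector(recipient)
    offered = starttls_offered(ehlo_response)
    if conn["tls"] == "required" and not offered:
        # Forced TLS: never fall back to cleartext; queue the message and retry.
        return {"action": "defer", "encrypted": False, "via": conn["next_hop"]}
    encrypted = conn["tls"] != "none" and offered
    return {"action": "send", "encrypted": encrypted, "via": conn["next_hop"]}


def mx_order(records):
    """Order MX records the way a sending MTA does (RFC 5321 section 5.1):
    lowest preference value first. Real MTAs randomize ties; sorted() keeps
    them stable, which is enough for the illustration."""
    return [host for _pref, host in sorted(records, key=lambda r: r[0])]


def inbound_targets(recipient, zone):
    """Hosts a sender will try, in order, for the recipient's domain."""
    return mx_order(zone[domain_of(recipient)])


# Constructed DNS data. Option A is the asker's idea: a new MX at preference
# 10 alongside the existing smarthost MXs bumped to 20. Option B is a
# separate subdomain with its own MX, as the reply in the thread suggests.
ZONE_OPTION_A = {
    "ourdomain.com": [(20, "mx1.smarthost.example"), (20, "mx2.smarthost.example"),
                      (10, "exfe.ourdomain.com")],
}
ZONE_OPTION_B = {
    "ourdomain.com": [(10, "mx1.smarthost.example"), (10, "mx2.smarthost.example")],
    "tls.ourdomain.com": [(10, "exfe.ourdomain.com")],
}

if __name__ == "__main__":
    ehlo_no_tls = "250-mail.clienta.example Hello\r\n250 SIZE 10485760\r\n"
    print(plan_delivery("bob@clienta.example", ehlo_no_tls))
    print(inbound_targets("alice@ourdomain.com", ZONE_OPTION_A))
    print(inbound_targets("alice@ourdomain.com", ZONE_OPTION_B))
    print(inbound_targets("alice@tls.ourdomain.com", ZONE_OPTION_B))
```

With option A every sender tries exfe.ourdomain.com first for all of ourdomain.com, so the front-ends would receive the bulk mail the smarthost was meant to filter; with option B only mail addressed to the tls.ourdomain.com subdomain reaches the front-ends and ordinary mail keeps going to the smarthost MXs. On the outbound side, the forced-TLS case defers rather than sending in the clear when the peer's EHLO reply lacks STARTTLS.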