How to set up TLS for Exchange 2003 when currently using MessageLabs smarthost?

Our organization received a requirement to use TLS for several of its clients. However, we are currently using MessageLabs for outgoing SMTP, anti-virus, and anti-spam. MessageLabs's TLS service is too expensive so we are looking for alternatives.

The attached .JPG shows a brief view of our current mail infrastructure. The two servers, EXF01 and EXF02 are MS Exchange 2003 front-end servers that are supposed to be load balanced on IP However, the Default SMTP virtual servers are configured for each server's respective IP address. Our firewall rule allows SMTP for all three IPs, x.x.x.16-18.

I need to be able to send and receive TLS email to several clients without disrupting the current email infrastructure which does not use TLS.

I have been scouring the Internet for a solution but I cannot seem to find a clear answer. I keep reading that another IP should be set on the server NIC and to add another SMTP virtual server and another SMTP connector. In this case, there is already an additional IP configured on the NIC - - that is not being used but should be used for load balancing.

So, it looks like I need to do the following:

1. Purchase an SSL certificate for and install it on the default SMTP Virtual Server. Since load balancing is / should be used, I will have to export the cert and import it on the second front-end.

2. Create another SMTP Connector - NOT another default SMTP Virtual Server - and configure as listed in the attached screenshots (Proposed.TLS.Connector.Setting.doc).

Is this correct? I should also mention that one of the clients wants to use Forced TLS (Exchange 2003 only supports Opportunistic), but since this connector will only be for the TLS clients, there should be no problem, correct? I would like specific steps for this configuration if possible.

I do not particularly like this configuration because the TLS communication will no longer have anti-virus/spam protection. It doesn't seem logical to install anti-virus/spam when we are already paying MessageLabs to provide the service for the bulk of our email. I am also considering adding an open-source SMTP server in our DMZ (ESVA) to solve this issue but that is out of scope for this question. :)

The easiest way to deploy TLS is to configure an outbound connector (configure a routing group connector and point the IP address to whatever SMTP server or gateway is going to initiate a TLS handshake and encryption with other Internet mail servers, i.e. the Internet-facing one). You do not deploy another SMTP virtual server.

This link gives you the screenshots to create the connector:

I have used this scenario when deploying SMTP spam and encryption appliances behind a firewall, and port 25 is open on the appliance, not on the Exchange servers themselves. TLS is configured on the Advanced tab of the connector, then clicking Outbound Security, then checking TLS at the bottom. A certificate needs to be configured, preferably a 3rd-party cert, before enabling TLS on the connector.

You can configure the open-source server in a DMZ (or an ISA reverse proxy scenario, which is more secure) and have the connector point to it.


SSAKUSEISHA (Author) commented:

Thanks for your reply.

I have seen the URL that you provided already but thank you for including it.

In regard to incoming TLS connections, how should external DNS be configured? Since our MX records are pointing to MessageLabs, won't the senders' servers try to negotiate with the MessageLabs MTA, where the certificate is not installed? Perhaps I could create another MX record called tls<mydomain> and make it the MX=10 and bump the other MX records down in priority?
If you don't want your inbound mail to find your MessageLabs MX record, you would need a separate MX record for this separate TLS domain for inbound mail.
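The two open points in this thread, whether a forced-TLS partner can be served by a connector on a product that only does opportunistic TLS, and which MX host a sender will actually hand its certificate check to, can both be verified from the outside once the connector and DNS are in place. The following probe is an added example, not code from the thread, from Microsoft or from MessageLabs. It uses only the Python standard library; MX records are passed in as (preference, host) tuples obtained separately (for example from `nslookup -type=mx <domain>`), and every host name, IP and EHLO reply below is constructed.

```python
"""Probe which MX host a sender will try first, whether it offers STARTTLS, and
what certificate it presents. Added example, not from the original thread.
Standard library only; host names and sample replies are constructed."""
import smtplib
import ssl


def order_mx(records):
    """Return MX host names in the order a sending MTA tries them: lowest
    preference value first, host name as the tie-breaker. Whatever host comes
    first here is the one that must hold the TLS certificate."""
    return [host for _, host in sorted(records, key=lambda r: (r[0], r[1].lower()))]


def parse_ehlo_extensions(reply_text):
    """Parse a raw multi-line EHLO reply ("250-" continuation lines, "250 " final
    line) into the set of advertised extension keywords, upper-cased. The first
    line is the server's identification, not an extension, and Exchange closes
    the list with a bare "250 OK", which is skipped as well."""
    lines = reply_text.splitlines()
    if not lines or not all(line.startswith("250") for line in lines):
        raise ValueError("not a successful EHLO reply")
    extensions = set()
    for line in lines[1:]:
        body = line[4:].strip()
        if body and body.upper() != "OK":
            extensions.add(body.split()[0].upper())
    return extensions


def classify_tls(extensions, mode):
    """Decide what a connector does with a peer that advertised `extensions`.
    mode="opportunistic": encrypt if STARTTLS is offered, otherwise deliver in
    clear (the only outbound behaviour Exchange 2003 offers, as the thread says).
    mode="forced": refuse delivery unless STARTTLS is offered."""
    if "STARTTLS" in extensions:
        return "tls"
    if mode == "forced":
        return "refuse"
    if mode == "opportunistic":
        return "cleartext"
    raise ValueError(f"unknown mode {mode!r}")


def probe_starttls(host, port=25, timeout=15, helo_name="probe.example.invalid"):
    """Connect to one MX host and report whether it offers STARTTLS and, if so,
    which TLS version and certificate subject it presents. The default SSL
    context enforces chain and host-name verification, so a host presenting a
    certificate issued to some other name (the worry about the MessageLabs MTA
    in the thread) fails here with ssl.SSLCertVerificationError."""
    info = {"host": host, "starttls": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(helo_name)
        if not smtp.has_extn("starttls"):
            return info
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo(helo_name)  # RFC 3207: EHLO again once the session is encrypted
        cert = smtp.sock.getpeercert()
        info.update(
            starttls=True,
            tls_version=smtp.sock.version(),
            subject=dict(item for rdn in cert["subject"] for item in rdn),
            not_after=cert.get("notAfter"),
        )
    return info


if __name__ == "__main__":
    # Constructed records: a TLS-capable MX preferred over the filtering service.
    records = [(20, "filter.example.net"), (10, "tls.example.com")]
    for mx_host in order_mx(records):
        try:
            print(probe_starttls(mx_host))
        except (OSError, smtplib.SMTPException) as exc:
            print(f"{mx_host}: {exc}")
```

Run it against your own domain's MX records once the connector and the new MX entry are live: the first host in `order_mx` is the one every sender will contact, so that is where `probe_starttls` must report `starttls=True` and a subject matching your domain; a `refuse` result from `classify_tls` in forced mode is the behaviour the forced-TLS client will see if their connector reaches a host that does not advertise STARTTLS.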
SSAKUSEISHA (Author) commented:
Thanks for the info.

It is easy to find information about configuring TLS all over this site and from other web sources; however, our configuration is a bit different. Since this is a production environment and it is not absolutely clear how to configure TLS in our environment, we will try to set up a test lab and duplicate it.

Thank you again for your help.

If we get a clear resolution, I will post additional comments.
SSAKUSEISHA (Author) commented:
Thank you again for your assistance!