Our organization received a requirement to use TLS for several of its clients. However, we are currently using MessageLabs for outgoing SMTP, anti-virus, and anti-spam. MessageLabs's TLS service is too expensive so we are looking for alternatives.
The attached .JPG shows a brief view of our current mail infrastructure. The two servers, EXF01 and EXF02, are MS Exchange 2003 front-end servers that are supposed to be load balanced on IP 10.10.10.18. However, the Default SMTP virtual servers are configured for each server's respective IP address. Our firewall rule allows SMTP for all three IPs, x.x.x.16-18.
I need to be able to send and receive TLS email to several clients without disrupting the current email infrastructure which does not use TLS.
I have been scouring the Internet for a solution but I cannot seem to find a clear answer. I keep reading that another IP should be set on the server NIC and to add another SMTP virtual server and another SMTP connector. In this case, there is already an additional IP configured on the NIC - 10.10.10.18 - that is not being used but should be used for load balancing.
So, it looks like I need to do the following:
1. Purchase an SSL certificate for exfe.ourdomain.com and install it on the default SMTP Virtual Server. Since load balancing is / should be used, I will have to export the cert and import it on the second front-end.
2. Create another SMTP Connector - NOT another default SMTP Virtual Server - and configure as listed in the attached screenshots (Proposed.TLS.Connector.Se
Is this correct? I should also mention that one of the clients wants to use Forced TLS (Exchange 2003 only supports Opportunistic), but since this connector will only be for the TLS clients, there should be no problem, correct? I would like specific steps for this configuration if possible.
I do not particularly like this configuration because the TLS communication will no longer have anti-virus/spam protection. It doesn't seem logical to install anti-virus/spam when we are already paying MessageLabs to provide the service for the bulk of our email. I am also considering adding an open-source SMTP server in our DMZ (ESVA) to solve this issue but that is out of scope for this question. :)
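The question turns on the difference between opportunistic and forced TLS: an opportunistic sender uses STARTTLS if the peer advertises it in its EHLO reply and falls back to plaintext otherwise, while a forced sender must refuse to deliver when STARTTLS is missing. The following script is an added example, not part of the original post or of any Exchange or MessageLabs tooling. It parses an EHLO reply into the advertised ESMTP keywords, applies either policy, and includes a live probe you can point at your own front-end (the hostname exfe.ourdomain.com is the one from the post; the sample EHLO replies and the 192.0.2.10 address are constructed) to confirm the connector actually advertises STARTTLS once the certificate is installed.

```python
"""Check whether an SMTP peer offers STARTTLS and apply an opportunistic or
forced TLS policy. Added illustrative code; the sample replies are constructed."""
import smtplib
import ssl

# Constructed EHLO replies as they would appear on the wire. The first 250 line
# carries the server's hostname, the remaining lines advertise ESMTP extensions.
SAMPLE_EHLO_WITH_TLS = (
    "250-exfe.ourdomain.com Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)
SAMPLE_EHLO_NO_TLS = (
    "250-exfe.ourdomain.com Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply: str) -> set:
    """Return the upper-cased ESMTP keywords advertised in a raw EHLO reply.

    Both '250-KEYWORD' continuation lines and the final '250 KEYWORD' line are
    handled; the first 250 line (hostname greeting) is skipped. Anything that is
    not a 250 line is ignored so a mixed or partial reply does not crash us."""
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    for line in lines[1:]:
        body = line[4:].strip()
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def tls_decision(extensions: set, mode: str) -> str:
    """Decide what a sender should do given the advertised extensions.

    mode 'forced':        deliver only over TLS, refuse if STARTTLS is absent.
    mode 'opportunistic': use TLS when offered, otherwise fall back to plaintext."""
    if mode not in ("forced", "opportunistic"):
        raise ValueError("mode must be 'forced' or 'opportunistic'")
    if "STARTTLS" in extensions:
        return "starttls"
    return "refuse" if mode == "forced" else "plaintext"


def probe_starttls(host: str, port: int = 25, mode: str = "forced", timeout: float = 10.0) -> str:
    """Live check against a real SMTP listener (not run by the offline demo).

    Connects, sends EHLO, and applies tls_decision. When TLS is chosen, the
    handshake verifies the server certificate against the system trust store
    and checks that it matches `host`, which is what a client doing forced TLS
    against exfe.ourdomain.com will expect."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            return "ehlo-failed"
        # smtplib already parsed the extensions; normalise to our keyword set.
        offered = {k.upper() for k in smtp.esmtp_features}
        decision = tls_decision(offered, mode)
        if decision == "starttls":
            ctx = ssl.create_default_context()  # verifies chain and hostname
            smtp.starttls(context=ctx)
            smtp.ehlo()  # re-EHLO after the handshake, as RFC 3207 requires
        return decision


if __name__ == "__main__":
    # Offline demonstration on the constructed replies only.
    for label, reply in (("with TLS", SAMPLE_EHLO_WITH_TLS), ("no TLS", SAMPLE_EHLO_NO_TLS)):
        ext = parse_ehlo(reply)
        print(f"{label:8s} forced={tls_decision(ext, 'forced'):9s} "
              f"opportunistic={tls_decision(ext, 'opportunistic')}")
```

The point the offline run makes is the one the client's "Forced TLS" requirement hinges on: the same EHLO reply that an opportunistic sender happily downgrades on is a hard failure for a forced sender, so the receiving connector must reliably advertise STARTTLS with a certificate the client trusts for exfe.ourdomain.com. Running `probe_starttls("exfe.ourdomain.com")` from outside the firewall after step 1 is a quick way to confirm that before the client tests it.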