Setup TLS for Exchange 2003 for outbound email without using TLS for internal domains via SMTP Connector

I need to configure TLS to Postiti for email bound for the Internet.  I have three (3) exchange 2003 standard servers.  Two are database servers and one is a front-end server.  Only one (1) database server is the bridgehead server.  Currently all email goes out unencrypted, is routed through Postini for filtering and content inspection, and delivered.

Outbound email is being send via two SMPT connectors, SharePoint Connector and SMTP Out connector.  One (1) is for email transmission to a server running SharePoint with plain old SMTP services.  This connector looks at the address space sps.<mydomain>.local.  The other connector's address space is "*" and sends all other email to a Postini server via a SmartHost.

Can anyone give me some guidance to help me figure out how/where to setup TLS so that it's only used for outbound email to the Internet and not used for any internal MAPI clients or internal email to sps.<mydomain>.local.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Find out what the postini dns name is and setup the connector with mail going to * to do TLS with Postini.  Any mail going to the sharepoint connector will not be in TLS.
blanchard81Author Commented:
Thanks for the response.

Having not previously setup TLS, I'm a bit confused on where I should be setting it up if I'm using SMTP Connectors rather than (or in addition to? ) the Default SMTP Virtual Server to send out mail.  I also realized that I need to allow for inbound TLS from Postini as well.

All documentation I read seems to indicate that I need to install an x.509 cert on the Default SMTP Virtual Server ( in order to encrypt outbound email.  Assuming that's done, should I eliminate the SMTP Out connector all together and let the Default SMTP Virtual Server handle the outbound traffic (except the traffic that would go out on the internal SharePoint connector)?  Would the SharePoint Connector still trump the Virtual Server and allow for uncrypted email, or would I have to leave the two connectors?

Install the certificate on the Default SMTP Virtual Server on your Exchange Front-End server.  No TLS settings need to be made on the virtual server.  If you already have a cert there for webmail, the same certificate can be used.

Create a connector or use the existing connector to send email to postini.  Put the Front-end server as the Local Bridge Head server.  On the Advanced tab of the connector select Outboud Security and select TLS Encryption.

If the certificate has been installed on the front end server it will automatically do TLS with any incoming source that is TLS compatible.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.