Exchange 2007 and TLS setup

I've been researching setting up TLS on Exchange 2007. I've read some posts in regards to the setup and it doesn't seem too complex. My understanding is Exchange 2007 is set for opportunistic TLS by default. However, we have one client that wants the TLS forced, rather than reverting to plain text (we're only receiving, not sending). My concern is if I do this on the current SMTP receive connector, this will implement across the board and bounce back any emails sent without TLS and obviously cause major issues. My question is: do I need to set up a new IP and SMTP receive connector exclusively for enforcing TLS? Thank you in advance for the help.

guiness74 asked:
Busbar (Solutions Architect) commented:
Enforcing TLS with partners (in your case) will require the partners' cooperation; if they don't set up TLS with you, you will have to leave the traffic unencrypted.
The new connector idea will work, but how you will force people to use TLS is the issue. I believe that the original request lacks technical background, as there is no way to enforce TLS over partners.
0
guiness74 (Author) commented:
Sorry, I should have specified. The client (sender) is requesting this of us, so they'll be sending via TLS; they just don't want it to resort to plain text if TLS should fail. As for enforcement, I thought this could be done on the receive connector. In this TechNet white paper under "Configuring Inbound Domain Security" and "Configuring a Receive Connector," it sounds like this can be done with the following commands:

1.  Set-TransportConfig -TLSReceiveDomainSecureList %senderdomain%
2.  Set-ReceiveConnector Inet -DomainSecureEnabled:$True -AuthMechanism TLS

Maybe I'm misunderstanding . . .
0
guiness74 (Author) commented:
0
guiness74 (Author) commented:
Looks like it comes down to enabling the domain security and then running the two commands I mentioned. And it looks like this can be applied to the current receive connector without breaking transmissions for those sending non-TLS:

"Other senders that aren't listed on the TLSReceiveDomainSecureList parameter in the Set-TransportConfig cmdlet will only use TLS if TLS is supported by the sending system."

http://technet.microsoft.com/en-us/library/bb123543.aspx

Thank you for your help.  It helped guide me in the right direction.

0
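An added example, not code from the thread or from the TechNet article, showing how those two steps can be applied in the Exchange 2007 Management Shell without overwriting partner domains that are already on the list, followed by a quick verification. The partner domain partner.example and the connector name Inet are placeholders.

```powershell
# Placeholders: replace with the sending partner's domain and your Internet-facing connector name.
$partnerDomain = "partner.example"
$connectorName = "Inet"

# Step 1: TLSReceiveDomainSecureList is a multivalued property and Set-TransportConfig
# replaces the whole list, so read the current list, append, and write it back.
$tc = Get-TransportConfig
$domains = @($tc.TLSReceiveDomainSecureList | ForEach-Object { $_.ToString() })
if ($domains -notcontains $partnerDomain) {
    $domains += $partnerDomain
    Set-TransportConfig -TLSReceiveDomainSecureList $domains
}

# Step 2: enable Domain Security on the existing receive connector. AuthMechanism is also
# replaced by this call, so list every mechanism the connector should keep, not just Tls
# (for example "Tls, Integrated" if internal servers authenticate through it).
Set-ReceiveConnector $connectorName -DomainSecureEnabled:$true -AuthMechanism Tls

# Domain Security needs a certificate enabled for the SMTP service on this server;
# confirm one exists before asking the partner to start sending.
Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" } |
    Format-List Thumbprint, Subject, NotAfter, Services

# Verify the result. Senders not on the list still get opportunistic TLS only.
Get-TransportConfig | Select-Object -ExpandProperty TLSReceiveDomainSecureList
Get-ReceiveConnector $connectorName |
    Format-List Name, Bindings, DomainSecureEnabled, AuthMechanism, RequireTLS
```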
