How to enable TLS on incoming emails in Exchange 2003

Posted on 2011-03-09
Last Modified: 2013-11-30
Hello all,
I have been reading dozens of posts and KB articles but i'm stuck.  

My customer has been told they need to be able to receive secure emails via TLS.  

Okay, I have ordered and received the ssl cert for mail.domain.com.  

I understand in Exchange 2003 TLS is either on or off.  They need to receive normal unsecured email and new secure email, so I think that means I need two SMTP Virtual Servers.  One with TLS and one without.  

I think I am supposed to add a second IP address to the NIC and use that IP address in a new TLS SMTP Virtual Server - is that correct?

If each SMTP VS has a different IP then how do I NAT the incoming emails (port 25) to the two different SMTP VSs?

Am I completely off the mark???
Thanks
Question by:CITS_User
Expert Comment

by:Glen Knight
ID: 35084751
You are correct, you cannot set up opportunistic TLS with Exchange 2003.

There is a step by step here on how to do it: http://support.microsoft.com/kb/823019

You will need to add a second IP to the NIC of the exchange server
Author Comment

by:CITS_User
ID: 35084914
Thanks JBond2010, but I had already read that one.  

damazter, I read KB823019 but it doesn't really help.  

How does the incoming mail know which SMTP VS to use?
Expert Comment

by:fgrushevsky
ID: 35119872
Incoming mail would use your default (public MX record facing) virtual server. No need to change that.
The TLS will be negotiated by the sending server (other side). It will request a TLS connection (if configured to do so) and your server would oblige (assuming that you install the certificate).
You would use your other virtual server to send mail to specific domains (the ones you need TLS for), and TLS would be mandatory on that VS.
Author Comment

by:CITS_User
ID: 35126956
The MX record is the WAN address, which then NATs port 25 to the LAN IP address of the default SMTP VS, which does not have TLS enabled.  192.168.0.250

The new SMTP VS, which has TLS enabled and the SSL cert applied, has a different LAN IP address.  192.168.0.249

Sending of encrypted mail is not required, just receiving from some domains.  

How does the sender's encrypted mail get through to the new SMTP VS (.249)?

To be honest, I dont know if I have this configured correctly at all.  

Any and all help is greatly appreciated.  

Thanks
Expert Comment

by:fgrushevsky
ID: 35128564
Check your default SMTP VS, Access tab, Secure Communication section. Are both the Certificate and Communication buttons greyed out, or are the options available?

Author Comment

by:CITS_User
ID: 35128891
On the default SMTP VS, Access tab, the Certificate button is available, the Communication button is greyed out.  

Thanks
Expert Comment

by:fgrushevsky
ID: 35129331
Click on the Certificate button and run the wizard to get the certificate installed (or to verify that it is there).

Once it is done, telnet to port 25 on your MX record host (external). When your SMTP server responds with the greeting, type
ehlo <yourdomain>

Then your server will respond with the list of supported extended SMTP commands. If STARTTLS is there, then you are all set.
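The EHLO check described in the comment above, as an added example that is not part of the original thread: parse_ehlo() works offline on a captured 250 multi-line reply and reports whether STARTTLS is among the advertised keywords, and probe_starttls() performs the same steps as the telnet walk-through against a live host (connect, EHLO, STARTTLS, re-EHLO) and reports the negotiated TLS version and cipher. The sample replies, the host name mail.domain.com and the probe's HELO name are constructed for illustration, not captures from the server in the thread.

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply."""
import smtplib
import ssl

# Constructed sample EHLO replies in RFC 5321 multi-line 250 format
# (illustrative only, not captured from the server discussed in the thread).
EHLO_WITH_STARTTLS = (
    "250-mail.domain.com Hello [203.0.113.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 OK\r\n"
)

EHLO_WITHOUT_STARTTLS = (
    "250-mail.domain.com Hello [203.0.113.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250 OK\r\n"
)


def parse_ehlo(reply: str) -> set:
    """Return the EHLO keywords (upper-cased) from a 250 multi-line reply.

    The first line is the greeting ("250-host Hello ...") and is skipped; each
    following line is "250-KEYWORD [params]" or, for the last one, "250 KEYWORD".
    """
    keywords = set()
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    for line in lines[1:]:
        if not line.startswith("250"):
            # Anything other than 250 means EHLO was refused or the capture is garbled.
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def starttls_offered(reply: str) -> bool:
    """True when the server advertises STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


def probe_starttls(host: str, helo_name: str = "probe.example.net",
                   port: int = 25, timeout: float = 15.0) -> dict:
    """Live check (assumed host/helo_name): connect, EHLO, STARTTLS, re-EHLO.

    Run this from outside the NAT against the MX host, because that is the path
    sending servers take. The default context verifies the certificate chain and
    the host name; a self-signed or mismatched certificate raises
    ssl.SSLCertVerificationError, which is itself a useful finding because some
    senders configured for mandatory TLS will refuse to deliver in that case.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo(helo_name)
        offered = smtp.has_extn("starttls")
        result = {"ehlo_code": code, "starttls_offered": offered, "tls": None}
        if offered:
            smtp.starttls(context=ctx)
            smtp.ehlo(helo_name)   # RFC 3207: the capability list must be re-read after the handshake
            result["tls"] = {"version": smtp.sock.version(),
                             "cipher": smtp.sock.cipher()}
        return result


if __name__ == "__main__":
    print("STARTTLS offered:", starttls_offered(EHLO_WITH_STARTTLS))
    # Live probe, e.g.: print(probe_starttls("mail.domain.com"))
```

Note that the reply to inspect is the one from the external MX address, since that is the virtual server the NAT rule delivers port 25 to; a STARTTLS keyword seen only on the second (internal) IP tells you nothing about what remote senders will be offered.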

Author Comment

by:CITS_User
ID: 35130662
Hi
TLS is selected and the cert is installed on the SECOND smtp vs.  

Am I reading your post correctly - I should install the cert on the DEFAULT SMTP VS that doesn't have TLS selected?

Thanks
Expert Comment

by:fgrushevsky
ID: 35130831
Yes, you will need to install the certificate on the default SMTP VS.

Author Comment

by:CITS_User
ID: 35244976
Thank you all for your input.  I'm still unclear if I've done it correctly or not.  
I'll keep looking.  
Accepted Solution

by:fgrushevsky (earned 1000 total points)
ID: 35245052
You can ask the other side to send you an email, then examine the headers of the received message to see if TLS was used.
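The header check in the accepted solution, as an added example that is not part of the original thread: each MTA hop prepends its own Received: line, so the topmost one is the record written by your own server of the inbound session, and that is the only hop whose TLS status answers the customer's question. The markers searched for are the ones commonly written by Postfix ("(using TLSv1.2 with cipher ...)") and sendmail ("with ESMTPS"); what the Exchange 2003 SMTP service itself writes on a TLS session is not shown on this page, so treat the marker list as an assumption to be extended once you have one real header from your server. The two sample messages are constructed, not real captures.

```python
"""Inspect the Received: headers of a delivered message for evidence of TLS."""
import email
import re
from typing import List, Optional, Tuple

# Constructed sample messages (not real captures). Only the headers matter.
# In MSG_TLS the hop into our server (topmost line) used TLS; the sender's
# internal hop did not. MSG_PLAIN is the reverse: the sender's internal hop
# used TLS but the hop into our server was plain, which must not count.
MSG_TLS = (
    "Received: from mail.sender.example ([198.51.100.7])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    "\tby mail.domain.com with ESMTPS id 0001; Wed, 9 Mar 2011 10:00:00 +0000\n"
    "Received: from workstation.sender.example ([10.1.2.3])\n"
    "\tby mail.sender.example with ESMTP id 0002; Wed, 9 Mar 2011 09:59:58 +0000\n"
    "From: alice@sender.example\n"
    "To: bob@domain.com\n"
    "Subject: TLS test\n"
    "\n"
    "test body\n"
)

MSG_PLAIN = (
    "Received: from mail.sender.example ([198.51.100.7])\n"
    "\tby mail.domain.com with ESMTP id 0003; Wed, 9 Mar 2011 10:05:00 +0000\n"
    "Received: from workstation.sender.example ([10.1.2.3])\n"
    "\tby mail.sender.example with ESMTPS id 0004; Wed, 9 Mar 2011 10:04:58 +0000\n"
    "From: alice@sender.example\n"
    "To: bob@domain.com\n"
    "Subject: plain test\n"
    "\n"
    "test body\n"
)

# Markers assumed from common MTAs; extend after seeing a real header from your server.
TLS_MARKERS = [
    re.compile(r"\(?using\s+(TLS|SSL)v?[\d.]*\b[^)]*\)?", re.I),  # Postfix-style clause
    re.compile(r"\bwith\s+(ESMTPSA?|UTF8SMTPS)\b", re.I),        # sendmail-style protocol tag
    re.compile(r"\b(TLS|SSL)v?[\d.]+\b", re.I),                  # bare protocol version mention
]


def received_headers(raw: str) -> List[str]:
    """All Received: header values, topmost (most recent hop) first."""
    msg = email.message_from_string(raw)
    return list(msg.get_all("Received", []))


def tls_evidence(received: str) -> Optional[str]:
    """Return the matching TLS marker text from one Received: line, or None."""
    folded = " ".join(received.split())   # unfold continuation lines
    for pattern in TLS_MARKERS:
        match = pattern.search(folded)
        if match:
            return match.group(0)
    return None


def inbound_hop_used_tls(raw: str) -> Tuple[bool, Optional[str]]:
    """Check only the topmost hop, i.e. the session into our own server."""
    hops = received_headers(raw)
    if not hops:
        return (False, None)
    evidence = tls_evidence(hops[0])
    return (evidence is not None, evidence)


if __name__ == "__main__":
    for label, raw in (("MSG_TLS", MSG_TLS), ("MSG_PLAIN", MSG_PLAIN)):
        used, evidence = inbound_hop_used_tls(raw)
        print(f"{label}: inbound hop used TLS = {used}; evidence = {evidence!r}")
```

Ask the sending domain for a test message and run the raw source (File > Properties in Outlook, or the .eml file) through this; a hit on the topmost line confirms the negotiation the EHLO check only predicts.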

Author Closing Comment

by:CITS_User
ID: 35245170
Thanks for the reply.  I'll check the header.