Solved

How to enable TLS on incoming emails in Exchange 2003

Posted on 2011-03-09
13
460 Views
Last Modified: 2013-11-30
Hello all,
I have been reading dozens of posts and KB articles but i'm stuck.  

My customer has been told they need to be able to receive secure emails via TLS.  

Okay, I have ordered and received the ssl cert for mail.domain.com.  

I understand in Exchange 2003 TLS is either on or off.  They need to receive normal unsecured email and new secure email so I think that means I need two SMTP Virtual servers.  One with TLS and one without.  

I think I am supposed to add a second IP address to the NIC and use that IP address in a new TLS SMTP Virtual server - Is that correct?

If each SMTP VS has a different IP then how do I NAT the incoming emails (port 25) to the two different SMTP VS?

Am I completely off the mark???
Thanks
0
Question by:CITS_User
13 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35084751
You are correct, you cannot setup opportunistic TLS with Exchange 2003.

There is a step by step here on how to do it: http://support.microsoft.com/kb/823019

You will need to add a second IP to the NIC of the exchange server
0
 

Author Comment

by:CITS_User
ID: 35084914
Thanks JBond2010 but I had already read that one.  

damazter, I read KB823019 but it doesn't really help.  

How does the incoming mail know which SMTP VS to use?
0
 
LVL 17

Expert Comment

by:fgrushevsky
ID: 35119872
Incoming mail would go to your default (public MX record facing) virtual server. No need to change that.
The TLS will be negotiated by the sending server (other side). It will request a TLS connection (if configured to do so) and your server would oblige (assuming that you install the certificate).
You would use your other virtual server to send mail to specific domains (the ones you need TLS for), and TLS would be mandatory on that VS.
0
 

Author Comment

by:CITS_User
ID: 35126956
The MX record is the WAN address, which then NATs port 25 to the LAN IP address of the default SMTP VS, which does not have TLS enabled: 192.168.0.250

The new SMTP VS, which has TLS enabled and the SSL cert applied, has a different LAN IP address: 192.168.0.249

Sending of encrypted mail is not required just receiving from some domains.  

How does the senders encrypted mail get through to the new smtp vs (.249)?

To be honest, I don't know if I have this configured correctly at all.  

Any and all help is greatly appreciated.  

Thanks
0
 
LVL 17

Expert Comment

by:fgrushevsky
ID: 35128564
Check your default SMTP VS, Access tab, Secure Communication section. Do you have both the Certificate and Communication buttons greyed out, or are the options available?
0
 

Author Comment

by:CITS_User
ID: 35128891
On the default SMTP VS, access tab, the Certificate button is available, the communication button is greyed out.  

Thanks
0
 
LVL 17

Expert Comment

by:fgrushevsky
ID: 35129331
Click on the Certificate button and run the wizard to get the certificate installed (or to verify that it is there).

Once it is done, telnet on port 25 to your MX record host (external). When your SMTP server responds with the greeting, type
ehlo <yourdomain>

Then your server will respond with the list of supported extended SMTP commands. If STARTTLS is there, then you are all set.
0
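The EHLO check described above, as an added example that is not part of the thread: it parses a constructed EHLO reply for the STARTTLS keyword and, for a live probe against the public MX, negotiates TLS so the presented certificate is verified the way a sending server would verify it (the helo name and mail.domain.com are placeholders).

```python
import smtplib
import ssl

# Constructed EHLO reply in the shape a server advertising STARTTLS returns
# (not captured from a real host); used only to exercise the parser.
SAMPLE_EHLO_REPLY = (
    b"250-mail.example.com Hello [203.0.113.10]\r\n"
    b"250-SIZE\r\n"
    b"250-PIPELINING\r\n"
    b"250-AUTH GSSAPI NTLM LOGIN\r\n"
    b"250-STARTTLS\r\n"
    b"250 OK\r\n"
)


def parse_ehlo_extensions(reply: bytes) -> set:
    """Return the ESMTP keywords from a multi-line 250 EHLO reply.
    The first line is the greeting and carries no keyword, so it is skipped;
    keywords are upper-cased because ESMTP keywords are case-insensitive."""
    keywords = set()
    lines = reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the "250-" or "250 " prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def advertises_starttls(reply: bytes) -> bool:
    return "STARTTLS" in parse_ehlo_extensions(reply)


def probe_starttls(host: str, port: int = 25, helo: str = "yourdomain.example") -> dict:
    """Live check: EHLO the MX host, look for STARTTLS, then negotiate TLS and
    return the certificate subject the server presented. helo is a placeholder."""
    result = {"starttls_offered": False, "cert_subject": None}
    with smtplib.SMTP(host, port, timeout=15) as server:
        server.ehlo(helo)
        result["starttls_offered"] = server.has_extn("starttls")
        if result["starttls_offered"]:
            # The default context verifies chain and hostname, so a self-signed
            # or mismatched certificate fails here, just as it would for a
            # verifying sender.
            server.starttls(context=ssl.create_default_context())
            result["cert_subject"] = server.sock.getpeercert().get("subject")
    return result


if __name__ == "__main__":
    print(probe_starttls("mail.domain.com"))
```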
 

Author Comment

by:CITS_User
ID: 35130662
Hi
TLS is selected and the cert is installed on the SECOND smtp vs.  

Am I reading your post correctly: I should install the cert on the DEFAULT SMTP VS that doesn't have TLS selected?

Thanks
0
 
LVL 17

Expert Comment

by:fgrushevsky
ID: 35130831
Yes, you will need to install the certificate on the default SMTP VS.
0
 

Author Comment

by:CITS_User
ID: 35244976
Thank you all for your input.  I'm still unclear if I've done it correctly or not.  
I'll keep looking.  
0
 
LVL 17

Accepted Solution

by:
fgrushevsky earned 500 total points
ID: 35245052
You can ask the other side to send you an email, then examine the header of the received message to see if TLS was used.
0
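An added example (not from the thread) of the header inspection the accepted answer suggests: it walks the Received headers of a constructed message, newest hop first, and reports which hops carry a TLS marker. The markers are the ones common MTAs write (for example "with ESMTPS" or "version=TLS"); the exact wording is chosen by the receiving server, so compare against a header your own server produced.

```python
import email

# Constructed message (not a real capture); mail.domain.com is the receiving
# host from the question, the other hosts and ids are made up.
SAMPLE_MESSAGE = b"""Received: from mail.example.org (mail.example.org [203.0.113.5])
\tby mail.domain.com with ESMTPS id ABC123
\t(version=TLSv1 cipher=AES128-SHA); Wed, 9 Mar 2011 10:00:00 +0000
Received: from client.example.org ([192.0.2.7])
\tby mail.example.org with ESMTP id XYZ789; Wed, 9 Mar 2011 09:59:58 +0000
From: sender@example.org
To: user@domain.com
Subject: TLS test

body
"""

# Substrings that MTAs commonly put in a Received line when the hop used TLS.
TLS_MARKERS = ("with ESMTPS", "using TLS", "version=TLS", "(TLS)")


def tls_per_hop(raw: bytes) -> list:
    """Return (by_host, tls_seen) for each Received header, last hop first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())  # unfold continuation lines
        parts = text.split()
        by_host = parts[parts.index("by") + 1] if "by" in parts else None
        tls_seen = any(m.lower() in text.lower() for m in TLS_MARKERS)
        hops.append((by_host, tls_seen))
    return hops


def final_hop_used_tls(raw: bytes) -> bool:
    """True if the most recent hop (delivery into your server) shows TLS."""
    hops = tls_per_hop(raw)
    return bool(hops) and hops[0][1]


if __name__ == "__main__":
    for by_host, tls_seen in tls_per_hop(SAMPLE_MESSAGE):
        print(f"{by_host}: {'TLS' if tls_seen else 'no TLS marker'}")
```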
 

Author Closing Comment

by:CITS_User
ID: 35245170
Thanks for the reply.  I'll check the header.
0