Solved

How to enable TLS on incoming emails in Exchange 2003

Posted on 2011-03-09
Last Modified: 2013-11-30
Hello all,
I have been reading dozens of posts and KB articles but I'm stuck.

My customer has been told they need to be able to receive secure emails via TLS.

Okay, I have ordered and received the SSL cert for mail.domain.com.

I understand in Exchange 2003 TLS is either on or off. They need to receive normal unsecure email and new secure email, so I think that means I need two SMTP Virtual Servers: one with TLS and one without.

I think I am supposed to add a second IP address to the NIC and use that IP address in a new TLS SMTP Virtual Server. Is that correct?

If each SMTP VS has a different IP, then how do I NAT the incoming emails (port 25) to the two different SMTP virtual servers?

Am I completely off the mark?
Thanks
0
Question by: CITS_User
13 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35084751
You are correct, you cannot set up opportunistic TLS with Exchange 2003.

There is a step by step here on how to do it: http://support.microsoft.com/kb/823019

You will need to add a second IP to the NIC of the Exchange server.
0
 

Author Comment

by:CITS_User
ID: 35084914
Thanks JBond2010, but I had already read that one.

damazter, I read KB823019 but it doesn't really help.

How does the incoming mail know which SMTP VS to use?
0
 
LVL 17

Expert Comment

by:fgrushevsky
ID: 35119872
Incoming mail would use your default (public MX record facing) virtual server; no need to change that.
The TLS will be negotiated by the sending server (other side). It will request a TLS connection (if configured to do so) and your server would oblige (assuming that you install the certificate).
You would use your other virtual server to send mail to specific domains (the one you need for TLS), and TLS would be mandatory on that VS.
0
 

Author Comment

by:CITS_User
ID: 35126956
The MX record is the WAN address, which then NATs port 25 to the LAN IP address of the default SMTP VS, which does not have TLS enabled: 192.168.0.250

The new SMTP VS, which has TLS enabled and the SSL cert applied, has a different LAN IP address: 192.168.0.249

Sending of encrypted mail is not required, just receiving from some domains.

How does the sender's encrypted mail get through to the new SMTP VS (.249)?

To be honest, I don't know if I have this configured correctly at all.

Any and all help is greatly appreciated.

Thanks
0
 
LVL 17

Expert Comment

by:fgrushevsky
ID: 35128564
Check your default SMTP VS, Access tab, Secure communication section. Do you have both Certificate and Communication greyed out, or are the options available?
0
 

Author Comment

by:CITS_User
ID: 35128891
On the default SMTP VS, Access tab, the Certificate button is available; the Communication button is greyed out.

Thanks
0
 
LVL 17

Expert Comment

by:fgrushevsky
ID: 35129331
Click on the Certificate button and run the wizard to get the certificate installed (or to verify that it is there).

Once it is done, telnet on port 25 to your MX record host (external). When your SMTP server responds with the greeting, type
ehlo <yourdomain>

Then your server will respond with the list of supported extended SMTP commands. If STARTTLS is there, then you are all set.
0
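The EHLO check described in the comment above, as an added example that is not part of the thread: it opens a plain socket to the MX host, waits for the 220 banner, sends EHLO and reports whether STARTTLS is advertised, which is what the telnet session shows by eye. The EHLO name probe.example.invalid and the sample reply used for offline testing are constructed, not taken from the thread.

```python
import socket

# Constructed EHLO reply in the shape an Exchange 2003 SMTP virtual server
# returns (Exchange closes its list with a bare "250 OK"); used for offline testing.
SAMPLE_EHLO_REPLY = (
    b"250-mail.domain.com Hello [203.0.113.10]\r\n"
    b"250-SIZE\r\n"
    b"250-PIPELINING\r\n"
    b"250-8bitmime\r\n"
    b"250-STARTTLS\r\n"
    b"250 OK\r\n"
)


def read_reply(sock) -> bytes:
    """Read one complete SMTP reply; a reply continues while the 4th byte of a line is '-'."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        last = buf.rstrip(b"\r\n").rsplit(b"\n", 1)[-1].rstrip(b"\r")
        if buf.endswith(b"\n") and len(last) >= 4 and last[3:4] == b" ":
            return buf


def parse_ehlo_extensions(reply: bytes) -> set:
    """Return the ESMTP keywords in a 250 EHLO reply (the first line is the greeting)."""
    keywords = set()
    for line in reply.decode("ascii", errors="replace").splitlines()[1:]:
        body = line[4:].split() if line.startswith("250") else []
        if body:
            keywords.add(body[0].upper())
    return keywords


def probe_starttls(host: str, port: int = 25, ehlo_name: str = "probe.example.invalid") -> bool:
    """Replicate the telnet check: connect, wait for 220, send EHLO, look for STARTTLS."""
    with socket.create_connection((host, port), timeout=15) as sock:
        if not read_reply(sock).startswith(b"220"):
            raise RuntimeError("no 220 greeting from server")
        sock.sendall(b"EHLO " + ehlo_name.encode("ascii") + b"\r\n")
        reply = read_reply(sock)
        sock.sendall(b"QUIT\r\n")
        return "STARTTLS" in parse_ehlo_extensions(reply)
```

Run probe_starttls("mail.domain.com") from outside the firewall, since the point of the check is what the NATed default virtual server offers to the world.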
 

Author Comment

by:CITS_User
ID: 35130662
Hi
TLS is selected and the cert is installed on the SECOND SMTP VS.

Am I reading your post correctly? I should install the cert on the DEFAULT SMTP VS that doesn't have TLS selected?

Thanks
0
 
LVL 17

Expert Comment

by:fgrushevsky
ID: 35130831
Yes, you will need to install the certificate on the default SMTP VS.
0
 

Author Comment

by:CITS_User
ID: 35244976
Thank you all for your input.  I'm still unclear if I've done it correctly or not.  
I'll keep looking.  
0
 
LVL 17

Accepted Solution

by: fgrushevsky (earned 500 total points)
ID: 35245052
You can ask the other side to send you an email, then examine the header of the received message to see if TLS was used.
0
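The header check from the accepted answer, as an added example that is not part of the thread: it walks the Received: lines of a message and flags each hop whose annotation indicates TLS. Whether a hop is annotated at all depends on the receiving MTA, so a hop without a marker can only be reported as unannotated, not as cleartext; the sample message, host names and the list of markers are constructed assumptions.

```python
import email
import re

# Constructed sample: the top (most recent) hop was relayed over TLS and says so;
# the lower hop was accepted by the Exchange 2003 virtual server with no annotation.
SAMPLE_MESSAGE = (
    "Received: from mail.domain.com (mail.domain.com [192.0.2.25])\r\n"
    "\tby relay.example.net (Postfix) with ESMTPS id ABC123\r\n"
    "\tfor <user@example.net>; Wed, 9 Mar 2011 10:15:00 +0000\r\n"
    "Received: from sender.example.org ([198.51.100.7]) by mail.domain.com\r\n"
    "\twith Microsoft SMTPSVC(6.0.3790.4675); Wed, 9 Mar 2011 10:14:58 +0000\r\n"
    "From: alice@example.org\r\n"
    "To: user@domain.com\r\n"
    "Subject: TLS test\r\n"
    "\r\n"
    "Test body.\r\n"
)

# Assumed list of annotations MTAs commonly write when a hop was protected by TLS:
# "with ESMTPS"/"ESMTPSA", "(TLS)", "version=TLS1_x", "TLSv1...", "cipher=...".
TLS_MARKERS = re.compile(
    r"\bwith\s+E?SMTPSA?\b|\(TLS\)|\bTLSv?\d|\bversion=TLS|\bcipher=", re.IGNORECASE
)


def received_hops(raw_message: str) -> list:
    """One dict per Received: header (most recent first): receiving host and TLS flag."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        by = re.search(r"\bby\s+([^\s;()]+)", flat)
        hops.append({
            "by": by.group(1) if by else None,
            "tls": bool(TLS_MARKERS.search(flat)),
        })
    return hops


def hop_annotated_tls(raw_message: str, receiving_host: str):
    """True/False for the hop received 'by' receiving_host; None if no such hop exists."""
    for hop in received_hops(raw_message):
        if hop["by"] and hop["by"].lower() == receiving_host.lower():
            return hop["tls"]
    return None
```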
 

Author Closing Comment

by:CITS_User
ID: 35245170
Thanks for the reply.  I'll check the header.
0
