Solved

How to enable TLS on incoming emails in Exchange 2003

Posted on 2011-03-09
Last Modified: 2013-11-30
Hello all,
I have been reading dozens of posts and KB articles but I'm stuck.

My customer has been told they need to be able to receive secure emails via TLS.

Okay, I have ordered and received the SSL cert for mail.domain.com.

I understand in Exchange 2003 TLS is either on or off. They need to receive normal unsecure email and new secure email, so I think that means I need two SMTP Virtual Servers: one with TLS and one without.

I think I am supposed to add a second IP address to the NIC and use that IP address in a new TLS SMTP Virtual Server - is that correct?

If each SMTP VS has a different IP, then how do I NAT the incoming emails (port 25) to the two different SMTP virtual servers?

Am I completely off the mark???
Thanks
13 Comments
 
LVL 74

Expert Comment

by:Glen Knight
You are correct, you cannot set up opportunistic TLS with Exchange 2003.

There is a step by step here on how to do it: http://support.microsoft.com/kb/823019

You will need to add a second IP to the NIC of the exchange server

Author Comment

by:CITS_User
Thanks JBond2010, but I had already read that one.

damazter, I read KB823019 but it doesn't really help.

How does the incoming mail know which SMTP VS to use?
LVL 17

Expert Comment

by:fgrushevsky
Incoming mail would use your default (public MX record facing) virtual server; no need to change that.
The TLS will be negotiated by the sending server (other side). It will request a TLS connection (if configured to do so) and your server would oblige (assuming that you install the certificate).
You would use your other virtual server to send mail to specific domains (the ones you need TLS for), and TLS would be mandatory on that VS.

Author Comment

by:CITS_User
The MX record is the WAN address, which then NATs port 25 to the LAN IP address of the default SMTP VS, which does not have TLS enabled: 192.168.0.250.

The new SMTP VS, which has TLS enabled and the SSL cert applied, has a different LAN IP address: 192.168.0.249.

Sending of encrypted mail is not required, just receiving from some domains.

How does the sender's encrypted mail get through to the new SMTP VS (.249)?

To be honest, I don't know if I have this configured correctly at all.

Any and all help is greatly appreciated.  

Thanks
LVL 17

Expert Comment

by:fgrushevsky
Check your default SMTP VS, Access tab, Secure Communication section. Do you have both the Certificate and Communication buttons greyed out, or are the options available?

Author Comment

by:CITS_User
On the default SMTP VS, Access tab, the Certificate button is available; the Communication button is greyed out.

Thanks
LVL 17

Expert Comment

by:fgrushevsky
Click on the Certificate button and run the wizard to get the certificate installed (or to verify that it is there).

Once it is done, telnet on port 25 to your MX record host (external). When your SMTP server responds with the greeting, type
ehlo <yourdomain>

Then your server will respond with the list of supported extended SMTP commands. If STARTTLS is there, then you are all set.
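The same STARTTLS check done from a script rather than by hand, as an added example that is not part of the thread: it parses a constructed EHLO reply (modelled on an Exchange 2003 virtual server; host name and address are placeholders) for the STARTTLS keyword and, with network access, performs the EHLO/STARTTLS exchange a strict sending MTA would, verifying the certificate chain and that it matches the MX host name. The probe's EHLO name is an assumption.

```python
import smtplib
import ssl

# Constructed sample EHLO reply, modelled on an Exchange 2003 SMTP virtual
# server with a certificate installed (host name and address are placeholders).
SAMPLE_EHLO_WITH_TLS = (
    "250-mail.domain.com Hello [203.0.113.10]\r\n"
    "250-SIZE\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8bitmime\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250-X-EXPS GSSAPI NTLM LOGIN\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-XEXCH50\r\n"
    "250 OK\r\n"
)
SAMPLE_EHLO_NO_TLS = SAMPLE_EHLO_WITH_TLS.replace("250-STARTTLS\r\n", "")

def ehlo_extensions(reply: str) -> set:
    """Return the extension keywords from a raw multi-line EHLO reply (as seen in telnet)."""
    exts = set()
    for line in reply.splitlines()[1:]:  # line 1 is the greeting, not an extension
        if line.startswith("250"):
            fields = line[4:].split()  # strip "250-" / "250 " then take the keyword
            if fields:
                exts.add(fields[0].upper())
    return exts

def advertises_starttls(reply: str) -> bool:
    return "STARTTLS" in ehlo_extensions(reply)

def check_mx_starttls(host: str, port: int = 25, ehlo_name: str = "probe.example") -> dict:
    """Live check (needs network): EHLO, then STARTTLS with chain and hostname
    verification, which is what a strict sending MTA does against the cert."""
    report = {"starttls": False, "tls_ok": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.ehlo(ehlo_name)
            report["starttls"] = smtp.has_extn("starttls")
            if report["starttls"]:
                ctx = ssl.create_default_context()  # verifies chain and hostname
                smtp.starttls(context=ctx)
                report["tls_ok"] = True  # handshake and certificate check succeeded
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        report["error"] = str(exc)
    return report
```

Run `check_mx_starttls("mail.domain.com")` against the external MX name so the NAT path to the default virtual server is exercised, not the LAN address.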

Author Comment

by:CITS_User
Hi
TLS is selected and the cert is installed on the SECOND SMTP VS.

Am I reading your post correctly - I should install the cert on the DEFAULT SMTP VS that doesn't have TLS selected?

Thanks
LVL 17

Expert Comment

by:fgrushevsky
Yes, you will need to install the certificate on the default SMTP VS.

Author Comment

by:CITS_User
Thank you all for your input.  I'm still unclear if I've done it correctly or not.  
I'll keep looking.  
LVL 17

Accepted Solution

by:fgrushevsky (earned 500 total points)
You can ask the other side to send you an email, then examine the header of the received message to see if TLS was used.

Author Closing Comment

by:CITS_User
Thanks for the reply.  I'll check the header.