• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4775
  • Last Modified:

Exchange 2010 - TLS E-mail Transmission

I'm trying to configure TLS in my Exchange 2007/2010 environment and having some issues.

We have a send connector (Default) just sends mail out to (*) to the internet based on MX records. However we would like for the following to happen.

We would like to be able to FORCE TLS on specific domains.

To my knowledge we would have to create an additional send connector for those specific domains and force it to only send that mail encrypted and all other domains can go through the default (current) send connector.

I followed this article from Microsoft.

Set-TransportConfig -TLSSendDomainSecureList domain.com
Set-SendConnector "Secured Send Connector" -DomainSecureEnabled:$True

I've also used http://www.checktls.com/TestSender and I get my reply as 'successful'. Not sure what this means.

However, I just need to make sure if I send an e-mail someone@somewhere.com that it WILL be sent SECURELY or it will FAIL.

I just feel like Microsoft kicked the bucket on this. Considering if I ever need to add a domain to the list, I'd have to do it via command list and also include domains that already exist in that list that has no command to show.

Any guidance would be greatly appreciated.

Thanks in advance!

2 Solutions
J PCommented:
you can set/force the connector to only send TLS messages, this is done by:

Set-SendConnector "name_of_send_connector" -RequireTLS:$true

to answer the other aprt of your question
"include domains that already exist in that list":
Get-TransportConfig | format-list TLS*Domain*

another command you may find useful is, to wipe the domains list, starting fresh:
Set-TransportConfig -TLSSendDomainSecureList $null

hope this help
The CheckTLS.com test you ran verifies that you CAN send TLS email.  It doesn't verify that you HAVE TO use TLS to send.  Most email systems "fall back" to insecure mode if they cannot get TLS to work.

CheckTLS.com has a test that does exactly what you want: verifies that your site HAS TO use TLS when sending to certain other domains.

Add the domain "AssureTLS.CheckTLS.com" to your SendDomainSecureList (the list of domains that you want to ONLY use TLS, i.e. "TLS or die"), then browse to www.checktls.com, pull down the Tests menu and choose TLS Only Sender.  Follow the instructions to send an email to Test@AssureTLS.CheckTLS.com.

In about 30 minutes (one queue retry), you'll know if you are correctly requiring TLS or not.

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Tackle projects and never again get stuck behind a technical roadblock.
Join Now