TLS Exchange Setup

Hello,

I was just asked to look into getting a TLS connection established between my company and another company for the purpose of encrypting the communication between our exchange servers.

I don't really know the protocol behind doing this, so I started doing some research. My company does not have a certificate issued to us by a third-party trusted CA, and I imagine that would be something I have to rectify -- what type of certificate exactly am I looking for? Entrust offers quite a range -- is Standard (1 domain) SSL sufficient?

We are running Exchange 2007.

Thanks
1 Solution
 
Simon Butler (Sembee), Consultant, commented:
You should have a commercial SSL certificate with Exchange 2007 unless you do not allow any remote access to Exchange (so no OWA, ActiveSync or Outlook Anywhere).

This guide goes through the certificate requirement:
http://exchange.sembee.info/2007/install/multiplenamessl.asp

That will be all that you need, as Exchange does opportunistic TLS.
If you want to restrict it so that email is ONLY received over TLS and rejected otherwise, then you have to configure both a Receive Connector and a Send Connector.

http://technet.microsoft.com/en-gb/library/ee428172(v=exchg.80).aspx

Simon.
jiyamoo (Author) commented:
I went to checktls.com and tried my Exchange server -- this is the result (changed domain name to WERK):

[000.135]             Connected to server
[000.201]       <--       220 sl.WERK.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Wed, 5 Sep 2012 14:57:03 -0500
[000.202]             We are allowed to connect
[000.202]       -->       EHLO checktls.com
[000.269]       <--       250-sl.WERK.com Hello [204.225.38.191]
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
[000.270]             We can use this server
[000.270]             TLS is not an option on this server
[000.270]       -->       MAIL FROM: <test@checktls.com>
[000.337]       <--       250 2.1.0 test@checktls.com....Sender OK
[000.337]             Sender is OK
[000.338]       -->       RCPT TO: <email3@WERK.com>
[000.404]       <--       250 2.1.5 email3@WERK.com
[000.405]             Recipient OK, E-mail address proofed
[000.405]       -->       QUIT
[000.471]       <--       221 2.0.0 sl.WERK.com Service closing transmission channel
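The EHLO reply above carries no 250-STARTTLS line, which is the capability checktls.com looks for before it reports "TLS is not an option on this server". The following script is an added example, not part of the original thread and not a checktls.com tool: it repeats that probe from PowerShell (System.Net.Sockets and SslStream, which exist on any Windows box), and if STARTTLS is offered it upgrades the session and reports the certificate the server presents, so you can confirm the name and issuer match what the partner will see. The host name sl.werk.example is an assumption; point it at your own MX.

```powershell
# Added example, not from the original thread. Reproduces what checktls.com does:
# connect, read the banner, send EHLO, check whether STARTTLS is offered, and if
# so upgrade the session and report the certificate the server presents.
# The host name at the bottom is an assumption; use your own MX host.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # A multi-line SMTP reply uses "250-..." for continuation and "250 ..." to finish.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 25,
        [string]$EhloName = 'probe.example'   # assumed name we announce in EHLO
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    $result = New-Object PSObject -Property @{
        Host = $HostName; Banner = $null; StartTls = $false
        Subject = $null; Issuer = $null; NotAfter = $null; Protocol = $null; Error = $null
    }
    try {
        $result.Banner = (Read-SmtpReply $reader)[0]
        $writer.WriteLine("EHLO $EhloName")
        $ehlo = Read-SmtpReply $reader
        # This is the line whose absence makes checktls say "TLS is not an option".
        $result.StartTls = [bool]($ehlo -match '^250[- ]STARTTLS')
        if ($result.StartTls) {
            $writer.WriteLine('STARTTLS')
            $reply = Read-SmtpReply $reader
            if ($reply[0] -notlike '220*') { throw "STARTTLS refused: $($reply[0])" }
            # Accept any certificate here so we can inspect it; a real MTA that
            # requires TLS should validate the chain and name instead.
            $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
            $ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.Subject  = $cert.Subject
            $result.Issuer   = $cert.Issuer
            $result.NotAfter = $cert.NotAfter
            $result.Protocol = $ssl.SslProtocol
            # Re-issue EHLO over the encrypted channel, then close politely.
            $tlsWriter = New-Object System.IO.StreamWriter($ssl)
            $tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
            $tlsReader = New-Object System.IO.StreamReader($ssl)
            $tlsWriter.WriteLine("EHLO $EhloName"); [void](Read-SmtpReply $tlsReader)
            $tlsWriter.WriteLine('QUIT')
        } else {
            $writer.WriteLine('QUIT')
        }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

Test-SmtpStartTls -HostName 'sl.werk.example' | Format-List Host, Banner, StartTls, Subject, Issuer, NotAfter, Protocol, Error
```

Run it against the public MX name, not the internal server name: what matters is whoever answers on port 25 from the outside, and if the banner is not Exchange's (as turned out to be the case in this thread) the certificate and STARTTLS support you see belong to that front-end device, not to Exchange.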
jiyamoo (Author) commented:
Wait, is Outlook 2007 required?  We are still running Outlook 2003.
jiyamoo (Author) commented:
Furthermore, I don't believe OWA or anything else of that nature was ever set up when the server was constructed (my predecessor did it). I just tested, and while the internal OWA works, the external address is actually the address of our spam filter.

Simon Butler (Sembee), Consultant, commented:
That isn't Exchange answering.
If you have a spam filter then you have two options.

1. TLS has to be done by the spam filter.
2. You will need a second static IP address, a second host name and an SSL certificate to match that new host name. Then any sites that want to send you email by TLS will need to know the second host name and port.

For outbound email, you will need a second Send Connector and have to bypass any smart host for the list of domains.

TLS has nothing to do with the client - it is server-to-server communication.

Simon.
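The two answers above describe one procedure: bind a commercial certificate to SMTP, add a Receive Connector on a second IP and host name that refuses mail not sent over TLS, and add a Send Connector for the partner's domain that requires TLS and bypasses the smart host. The Exchange Management Shell session below is an added example, not from the thread or from Microsoft's documentation, that carries those steps out with Exchange 2007 cmdlets. The server name HUB01, the partner domain partner.example and its address range 198.51.100.0/24, and the dedicated inbound binding 203.0.113.10 / tls.werk.example are all assumptions; the host name must appear on the certificate you enable.

```powershell
# Added example, not from the original thread or Microsoft's documentation.
# Exchange 2007 Management Shell. Assumed values: hub transport server HUB01,
# partner domain partner.example whose MX hosts sit in 198.51.100.0/24, and a
# second public IP 203.0.113.10 answering as tls.werk.example (a name that
# must be on the certificate).

$partnerDomain = 'partner.example'
$partnerRange  = '198.51.100.0/24'
$tlsHostName   = 'tls.werk.example'
$tlsBinding    = '203.0.113.10:25'
$hubServer     = 'HUB01'

# 1. Pick the unexpired certificate that carries the TLS host name and bind it
#    to the SMTP service. Exchange only advertises STARTTLS with a cert on SMTP.
$cert = Get-ExchangeCertificate |
    Where-Object { (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $tlsHostName) -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $tlsHostName; import one first (Import-ExchangeCertificate)." }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 2. Inbound: a dedicated Receive Connector on the second IP that only accepts
#    the partner's hosts and refuses any session that does not negotiate TLS.
#    The default connector is left alone so mail from non-TLS senders still flows.
New-ReceiveConnector -Name "TLS from $partnerDomain" -Server $hubServer `
    -Usage Custom -Bindings $tlsBinding -RemoteIPRanges $partnerRange `
    -Fqdn $tlsHostName -RequireTLS $true -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers

# 3. Outbound: a Send Connector scoped to the partner's address space. Exchange
#    routes on the most specific address space, so this connector beats the '*'
#    smart-host connector, and DNS routing sends direct to the partner's MX
#    instead of through the spam filter.
New-SendConnector -Name "TLS to $partnerDomain" -Usage Custom `
    -AddressSpaces "SMTP:$partnerDomain;1" -SourceTransportServers $hubServer `
    -DNSRoutingEnabled $true -RequireTLS $true -Fqdn $tlsHostName

# 4. Confirm what was created.
Get-ReceiveConnector "$hubServer\TLS from $partnerDomain" |
    Format-List Name, Bindings, RemoteIPRanges, Fqdn, RequireTLS, AuthMechanism
Get-SendConnector "TLS to $partnerDomain" |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, RequireTLS, Fqdn
```

RequireTLS on both connectors guarantees encryption but not who is on the other end. If the partner must also be authenticated, Exchange 2007 Domain Security adds that: set -DomainSecureEnabled $true on both connectors and list the domain with Set-TransportConfig -TLSSendDomainSecureList and -TLSReceiveDomainSecureList, which makes Exchange validate the partner's certificate chain and name as well. The same firewall and NAT rules that publish 203.0.113.10 have to be in place before the Receive Connector is reachable, and the partner needs the host name and port, as Simon notes.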
jiyamoo (Author) commented:
Quick, great response.

Thanks