Solved

Help on TLS in Exchange 2007

Posted on 2012-09-12
Last Modified: 2012-09-28
We have an Exchange 2007 server and one of our customers has asked the following questions:

Can we enforce TLS for their domain?
Can we enforce Verisign-signed certificate for TLS?

This is looking at setting up secure email, but can anyone help explain technically what I need to do to satisfy this request, as I've never looked at TLS or certificates before.
Question by:DHPBilcare
10 Comments
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 38390593
Enforce TLS isn't an issue.

Enforce Verisign? How good is the customer? As a Verisign certificate is the most expensive type available. You will be looking at over $1000 per server for a two year certificate from Verisign (compare this to another provider where you can get the same certificate without the Verisign name for $60/year!). Is the customer worth that much to your company? It doesn't have to be Verisign to use TLS. All SSL certificates are identical, it just depends on the trust level.

This is the guide for Exchange 2007 to use TLS. Ignore the steps about using an Edge server if you don't have one.
http://technet.microsoft.com/en-us/library/bb123543(v=exchg.80).aspx

Do you already have a trusted SSL certificate in place? If so then you may get away with just making the changes to Exchange and passing the information to the customer. If they are also using Exchange or another major TLS email server then it would work.

Simon.
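An added example of what the steps Simon outlines look like in the Exchange 2007 Management Shell (this is not code from the thread or from the linked TechNet guide); the customer domain, public host name and server name are placeholders.

```powershell
# Added example (not from the thread or the linked guides). Exchange 2007
# Management Shell, run on the Hub Transport server. Placeholder values:
# customer domain customer.example, public host name mail.example.com
# (the same name used for OWA, as Simon suggests), server name HUB01.

# 1. Request a certificate for the public host name, send the .req file to
#    a public CA (Verisign or any other trusted issuer), then import the
#    issued certificate and bind it to SMTP (and IIS, so OWA uses it too).
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.example.com" `
    -DomainName mail.example.com `
    -PrivateKeyExportable $true `
    -Path C:\certreq\mail.example.com.req

Import-ExchangeCertificate -Path C:\certreq\mail.example.com.cer |
    Enable-ExchangeCertificate -Services "SMTP, IIS"

# 2. Outbound: a Send connector scoped to the customer's domain that looks
#    up their MX records itself (bypassing the smart host) and fails the
#    message instead of falling back to clear text when STARTTLS is missing.
New-SendConnector -Name "TLS to customer.example" `
    -Usage Custom `
    -AddressSpaces "SMTP:customer.example;1" `
    -DNSRoutingEnabled $true `
    -RequireTLS $true `
    -Fqdn mail.example.com `
    -SourceTransportServers HUB01

# 3. Inbound: the Internet-facing Receive connector must announce the same
#    name as the certificate subject so it presents the trusted certificate.
#    Its AuthMechanism must still include Tls (it does by default).
Set-ReceiveConnector "HUB01\Default HUB01" -Fqdn mail.example.com

# 4. Optional: Domain Security (mutual TLS) additionally requires the remote
#    side's certificate to chain to a CA this server trusts, which is the
#    closest Exchange 2007 gets to "enforcing a signed certificate".
Set-SendConnector "TLS to customer.example" -DomainSecureEnabled $true
Set-ReceiveConnector "HUB01\Default HUB01" -DomainSecureEnabled $true
Set-TransportConfig -TLSSendDomainSecureList customer.example `
    -TLSReceiveDomainSecureList customer.example

# 5. Check which certificate SMTP is using and how the connectors are set.
Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" } |
    Format-List Subject, CertificateDomains, Thumbprint, NotAfter
Get-SendConnector "TLS to customer.example" |
    Format-List RequireTLS, DNSRoutingEnabled, DomainSecureEnabled
Get-ReceiveConnector "HUB01\Default HUB01" | Format-List Fqdn, AuthMechanism
```

With RequireTLS set, mail for that one domain queues rather than being delivered in clear text if the customer's MX does not offer STARTTLS, so the queue for that connector is worth monitoring after the change.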
LVL 5

Expert Comment

by:joyofsharing
ID: 38390712
Dear DHPBilcare,

Hope this helps you.

http://technet.microsoft.com/en-us/library/ee428172%28v=exchg.80%29.aspx
joyofsharing

Author Comment

by:DHPBilcare
ID: 38390826
To add to our company:

1) We don't have a trusted SSL certificate in place.
2) We route email out via a Smart Host.

How will this impact using TLS with Exchange 2007?
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38392147
Why do you use the smart host?
You will need to bypass the smart host for email to that client. Whether that causes a problem will depend on the reason for using the smart host.
Same for inbound email - does that come direct or via another service?

Do you not offer remote access to your Exchange server then? No OWA, ActiveSync or Outlook Anywhere?

You will need to get a commercial signed certificate - this is how to do it, although the examples do not use Verisign.
http://exchange.sembee.info/2007/install/multiplenamessl.asp

Simon.

Author Comment

by:DHPBilcare
ID: 38392240
At present we use Star and Messagelabs as our ISP and they also provide us with a managed offsite firewall. All our outgoing email is routed through their SMTP servers as we don't use direct MX/DNS for outgoing email.

We do use OWA but don't have a trusted certificate in place.

I'm still learning TLS but I'm assuming that we will need direct DNS for this customer and a trusted public certificate to make TLS work for this client.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38392273
You are going to need a separate host name for TLS, as it is direct point to point communication. Message Labs could probably do TLS for you, as they are now owned by Symantec, who also own Verisign SSL certificates. However that may not be acceptable to your client.

What I would suggest is that you use the same host name as you do for OWA, then the same common name on the SSL certificate will work for both OWA and SMTP.

Simon.

Author Comment

by:DHPBilcare
ID: 38392320
Will I require a publicly trusted certificate to make this work?
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38392376
Yes.
That is why you need to buy a certificate - from Verisign or someone else.

Simon.

Author Comment

by:DHPBilcare
ID: 38393887
Another question I'm being asked is: can we read Verisign signed certificates for TLS?

I'm assuming we can't unless we have a certificate.
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 2000 total points
ID: 38394131
I presume that question is for sending email - if that is the case, then you can send email using TLS without a commercial certificate on your side, because it is always the receiving side that presents the SSL certificate.
Same as when you browse to secure sites. When you shop on Amazon and get the padlock, you are using their SSL certificate, they are not accepting one you have. Your SSL certificate would only be used for receiving inbound email.

Simon.