Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!
Learn how Concerto can help you.
Solved
Exchange 2007/2010 - TLS
Posted on 2013-01-08
Hi Experts,
I've never really attempted to configure TLS on any of our customer Exchange servers before.
I've read this:
http://technet.microsoft.com/en-us/library/aa998840(v=exchg.141).aspx
But I'm a bit confused on what certificates are required.
We have multiple hub transport servers, sending and receiving emails to/from the Internet.
Are we able to enable TLS if there is a smart host in the way?
If we are sending from multiple hub transport servers, do we need a cert for each of these? or can these be covered by a single cert?
Any help is appreciated!
I've never really attempted to configure TLS on any of our customer Exchange servers before.
I've read this:
http://technet.microsoft.com/en-us/library/aa998840(v=exchg.141).aspx
But I'm a bit confused on what certificates are required.
We have multiple hub transport servers, sending and receiving emails to/from the Internet.
Are we able to enable TLS if there is a smart host in the way?
If we are sending from multiple hub transport servers, do we need a cert for each of these? or can these be covered by a single cert?
Any help is appreciated!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2
4 Comments
Hi,
In Exchange 2007/2010 each server have its own self-signed certificate by default.
Exchanger servers inside the organisation ALWAYS use TLS between them.
Enabling TLS for external servers is probably a bit useless because I really doubt many external servers use it.
If you plan to enable TLS anyway on send connectors you should NEVER REQUIRE TLS ! You can enable it but do not require it !
Exchange servers inside the Exchange organization must authenticate each other and then use TLS certificate in that manner, added to the need of encryption.
As far as I know, using TLS with external servers is just for encryption and this will not be used for authentication. That means that you should not be forced to use publicly trusted certificates and you should be able to use your own self-signed and free certificates...
TLS with external servers is negociated and should stay negociated. It should never be required. So if servers are not able to use TLS they will use unencrypted SMTP.
The real question is why the hell to do want to encrypt dialogs with external servers ? This is not a security enforcement because you can not be sure that the message will still be encrypted on the next hop !
If you plan to encrypt messages so that they won't be read during the transfer to the destination you should encrypt the message body with S/MIME or any sort of PGP software. This is the only way to protect the mail content.
Have a good day.
In Exchange 2007/2010 each server have its own self-signed certificate by default.
Exchanger servers inside the organisation ALWAYS use TLS between them.
Enabling TLS for external servers is probably a bit useless because I really doubt many external servers use it.
If you plan to enable TLS anyway on send connectors you should NEVER REQUIRE TLS ! You can enable it but do not require it !
Exchange servers inside the Exchange organization must authenticate each other and then use TLS certificate in that manner, added to the need of encryption.
As far as I know, using TLS with external servers is just for encryption and this will not be used for authentication. That means that you should not be forced to use publicly trusted certificates and you should be able to use your own self-signed and free certificates...
TLS with external servers is negociated and should stay negociated. It should never be required. So if servers are not able to use TLS they will use unencrypted SMTP.
The real question is why the hell to do want to encrypt dialogs with external servers ? This is not a security enforcement because you can not be sure that the message will still be encrypted on the next hop !
If you plan to encrypt messages so that they won't be read during the transfer to the destination you should encrypt the message body with S/MIME or any sort of PGP software. This is the only way to protect the mail content.
Have a good day.
Active today
we use TLS and enforce it for quite a few customers. We use Microsoft FOPE as service to do email filtering.
We enforce TLS between our edge servers and Microsoft so that are emails between use and the cloud are secure.
Between Microsoft specific customers we enforce TLS and if its fails then the email does not send. For other mail it can send eiher with or without i.e. opportunistic negotiation.
Depending ho how you have set up your certificates you can install the same cert on all hub/edge servers and make sure the FQDN connector matches the name in the cert.
If you have different FQDN's then you would need to include them all on one cert or have different certs attached the SMTP service
We enforce TLS between our edge servers and Microsoft so that are emails between use and the cloud are secure.
Between Microsoft specific customers we enforce TLS and if its fails then the email does not send. For other mail it can send eiher with or without i.e. opportunistic negotiation.
Depending ho how you have set up your certificates you can install the same cert on all hub/edge servers and make sure the FQDN connector matches the name in the cert.
If you have different FQDN's then you would need to include them all on one cert or have different certs attached the SMTP service
Active 5 days ago
Thanks for the quick reply!
I was thinking of creating an additional send connector, locked down for that particular domain that would like to use encryption.
On a totally different note, Digital Signatures *could* be used to encrypt data between 2 particular users between 2 different Exchange Organizations right?
Thanks again!
I was thinking of creating an additional send connector, locked down for that particular domain that would like to use encryption.
On a totally different note, Digital Signatures *could* be used to encrypt data between 2 particular users between 2 different Exchange Organizations right?
Thanks again!
Active today
yes a scoped send connector would be the way to enforce TLS to a specific Domain
as far as i am aware digital signatures (within Exchange) can be used to sign emails but not encrypt them, this is using the Exchange Rights Management to do this which is a load of extra infrastructure an licensing. If you want to do user to user encryption then PGP is a good choice.
there is a PGP universal server which does gateway encryption which means it sits next to the exchange server and does the encryption there and removes the need to end user setup with software and encryption keys
as far as i am aware digital signatures (within Exchange) can be used to sign emails but not encrypt them, this is using the Exchange Rights Management to do this which is a load of extra infrastructure an licensing. If you want to do user to user encryption then PGP is a good choice.
there is a PGP universal server which does gateway encryption which means it sits next to the exchange server and does the encryption there and removes the need to end user setup with software and encryption keys
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
The core idea of this article is to make you acquainted with the best way in which you can export Exchange mailbox to PST format.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online.
The email signature template has been downloaded from:
www.mail-signatures…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month7 days, 19 hours left to enroll
715 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.