SBS2008-Exchange2007 setup TLS partner

Hi,

I have a single SBS2008 server with Exchange 2007 SP3. I have been asked to setup encrypted email with a client’s server using TLS. There is a Godaddy UCC certificate on the server which has been working ok for the last 3 years with no problems.  I have created a send connector ok and ticked to use 'Domain Security' (Mutual Auth TLS) & put their Domain in the address field. Is this all that's needed to send encrypted email from our server to the clients server? I am not an Administrator but have been put in charge of getting this done.

Thanks
Stev0WIT CONTRACTORAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Exchange_ImranCommented:
Hello,


 To use TLS to send e-mail messages to a third-party e-mail program

Yes, you need to enable Domain Security (Mutual Auth TLS)

You can verify your send connector settings by following the below article.

http://technet.microsoft.com/en-us/library/ee428172(v=exchg.80).aspx

Regards
Imran Shariff
0
Stev0WIT CONTRACTORAuthor Commented:
Hi Imran,

Thanks for the reply. I will follow through the TechNet article. However after doing a test on the server from 'MXtoolbox' is says 'Warning does not support TLS' so I think I might have bigger problems. Should I close this one and ask a question in a different area?

Thanks

Steve W
0
Exchange_ImranCommented:
Steve,

I would recommend you to perform TLS test in the below website

http://www.checktls.com/

This  will give you the complete result and this website is specifically for TLS and if TLS is not supported it will let you know where the test failed.

Regards
Imran Shariff
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

Stev0WIT CONTRACTORAuthor Commented:
Thanks Imran,

I will try that today.

Regards

Steve
0
Stev0WIT CONTRACTORAuthor Commented:
Hi Imran,

I ran the test. And got the reply below. No TLS. But I can't see any errors. Any ideas?



_Your email was sent, however it was NOT SENT SECURELY using TLS.

_____TRANSCRIPT BEGINS ON THE NEXT LINE___
<-- 220 ts3.checktls.com CheckTLS TestSender Wed, 25 Sep 2013 05:17:37 -0400
--> EHLO mail.mydomain.com
<-- 250-ts3.checktls.com Hello mail.mydomain.com [our IP address], pleased to meet you
<-- 250-ENHANCEDSTATUSCODES
<-- 250-8BITMIME
<-- 250-STARTTLS
<-- 250 HELP
--> MAIL FROM:<steve@mydomain.com >
<-- 250 Ok - mail from stevew@mydomain.com
--> RCPT TO:<test@TestSender.CheckTLS.com>
<-- 250 Ok - recipient test@TestSender.CheckTLS.com
--> DATA
<-- 354 Send data.  End with CRLF.CRLF
--> Received: from server.internaldomain.local
--> ([fe80::64bb:7d15:89e9:f804]) by  server.internal domain.local
--> ([fe80::64bb:7d15:89e9:f804%10]) with mapi; Wed,
-->  25 Sep 2013 10:13:01 +0100
--> From: Steve <steve@mydomain.com >
--> To: "test@TestSender.CheckTLS.com" <test@TestSender.CheckTLS.com>
--> Disposition-Notification-To: Steve <steve@mydomain.com >
--> Return-Receipt-To: <steve@mydomain.com>
--> Date: Wed, 25 Sep 2013 10:12:55 +0100
--> Subject: eekqqccnciu8v
--> Thread-Topic: eekqqccnciu8v
--> Thread-Index: Ac65z2TNHRcoH4XMSmqPyetihzYRLg==
--> Message-ID:
--> <CEB3ED92F17BDF4DB9B323C7E071BDD82BBB0D9E6C@SERVER.domain.loc
--> al>
--> Accept-Language: en-US, en-GB
--> Content-Language: en-US
--> X-MS-Has-Attach:
--> X-MS-TNEF-Correlator:
--> acceptlanguage: en-US, en-GB
--> Content-Type: multipart/alternative;
-->       boundary="_000_CEB3ED92F17BDF4DB9B323C7E071BDD82BBB0D9E6CSERVERdomain_"
--> MIME-Version: 1.0
-->
--> --_000_CEB3ED92F17BDF4DB9B323C7E071BDD82BBB0D9E6CSERVERdomain_
--> Content-Type: text/plain; charset="us-ascii"
--> Content-Transfer-Encoding: quoted-printable
-->
-->
-->
--> --_000_CEB3ED92F17BDF4DB9B323C7E071BDD82BBB0D9E6CsSERVERdomain_
--> Content-Type: text/html; charset="us-ascii"
--> Content-Transfer-Encoding: quoted-printable
-->
--> <html xmlns:v=3D"urn:schemas-microsoft-com:vml"
--> xmlns:o=3D"urn:schemas-micr= osoft-com:office:office"
--> xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
--> xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml"
--> xmlns=3D"http:= //www.w3.org/TR/REC-html40"><head><META
--> HTTP-EQUIV=3D"Content-Type" CONTENT= =3D"text/html;
--> charset=3Dus-ascii"><meta name=3DGenerator content=3D"Micros= oft
--> Word 14 (filtered medium)"><style><!--
--> /* Font Definitions */
--> @font-face
-->       {font-family:Calibri;
-->       panose-1:2 15 5 2 2 2 4 3 2 4;}
--> /* Style Definitions */
--> p.MsoNormal, li.MsoNormal, div.MsoNormal
-->       {margin:0cm;
-->       margin-bottom:.0001pt;
-->       font-size:11.0pt;
-->       font-family:"Calibri","sans-serif";
-->       mso-fareast-language:EN-US;}
--> a:link, span.MsoHyperlink
-->       {mso-style-priority:99;
-->       color:blue;
-->       text-decoration:underline;}
--> a:visited, span.MsoHyperlinkFollowed
-->       {mso-style-priority:99;
-->       color:purple;
-->       text-decoration:underline;}
--> span.EmailStyle17
-->       {mso-style-type:personal-compose;
-->       font-family:"Calibri","sans-serif";
-->       color:windowtext;}
--> ..MsoChpDefault
-->       {mso-style-type:export-only;
-->       font-family:"Calibri","sans-serif";
-->       mso-fareast-language:EN-US;}
--> @page WordSection1
-->       {size:612.0pt 792.0pt;
-->       margin:72.0pt 72.0pt 72.0pt 72.0pt;}
--> div.WordSection1
-->       {page:WordSection1;}
--> --></style><!--[if gte mso 9]><xml>
--> <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
--> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout
--> v:ext=3D"edit"> <o:idmap v:ext=3D"edit" data=3D"1" />
--> </o:shapelayout></xml><![endif]--></head><body lang=3DEN-GB
--> link=3Dblue vli= nk=3Dpurple><div class=3DWordSection1><p
--> class=3DMsoNormal><o:p>&nbsp;</o:p=
--> ></p></div></body></html>=
-->
--> --_000_CEB3ED92F17BDF4DB9B323C7E071BDD82BBB0D9E6CGOLDlendingst_--
--> .
<-- 250 Ok
--> QUIT
<-- 221 ts3.checktls.com closing connection
0
Exchange_ImranCommented:
Hello Steve,

The above test says that the email went in normal mode and NOT SENT SECURELY using TLS.

Run this command and verify whether the TLSSendDomainSecureList shows the domain which you have added in the connector,

Get-TransportConfig

also lemme the type of send connector you have created

Internet
Custom
Partner
Internal

If you are specifically sending Email through TLS connection for one single domain then i recommend you to configure partner connector, which will by default enable Mutual Auth TLS.

Description : Partner Send Connector are used to send email to partner domains. This connector will be configured to only allow connections to servers that authenticate with TLS certificates for SMTP domains that are included in the list of domain-secured domains. you can add domains to this list by using the TLSSend Domain Secure List Parameter in the Set-TransportConfig command

The other type of Send connectors can also send email through TLS however we have to manually enable the Mutual Auth TLS.


If the provided KB article is tough to understand then go through the below article to create a send connector to send emails through TLS

http://exchange.sembee.mobi/2010/hub/mutualtls.asp

Follow all the steps and make sure everything is fine then perform the test again in www.checktls.com

Regards
Imran Shariff
0
Stev0WIT CONTRACTORAuthor Commented:
Hi Imran,

its a partner send connector.

I followed the 'how to' you sent and have now added the partners domain to the TLSSendDomainSecurelist & TLSReceiveDomainSecureList .

I have run the command to enable them and restarted the Exchange transport service.

I used the www.checktls.com to test and got the same result as last time.

I have also tried to telnet to our server and when I use the 'STARTTLS' command it says:
'500 5.3.3 unrecognized command'
I tried someone else's server and got: '220.0.0 SMTP server ready' with the STARTTLS command.

Any ideas?

Thanks

for you help

Steve
0
Stev0WIT CONTRACTORAuthor Commented:
Hi Imran,

Just an additional bit of information. I setup a TLS connection with a friends server.
When I send the email to him he gets in his SmtpSend logs:

"Message to secure domain 'friendsserver.com' on send connector 'TLS Domains' failed because TLS was not offered.

So it looks like TLS isn't working for some reason.
0
Stev0WIT CONTRACTORAuthor Commented:
Worked on this for a few days on have come across a few articles which mention that this can happen if you have a Cisco ASA firewall with  ESMTP inspection enabled. Disabling the ESMTP policy resolved the problem.

I am awarding the points to Imran because the article on how to create a send connector to send emails through TLS helped to point me in the right direction.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Exchange_ImranCommented:
Hi Steve,

Good to hear that the issue is resolved.

Regards
Imran Shariff
0
Stev0WIT CONTRACTORAuthor Commented:
As mentioned above it was a firewall problem.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.