Solved

Verify TLS Exchange communication

Posted on 2013-11-13
Last Modified: 2013-12-02
Hello,

I would like to know a foolproof way to verify if my Exchange Server 2007 is communicating with another domain over TLS.

If anyone in my LAN sends an email using my Exchange to xyz.com, how can I verify if the mail was sent over TLS?

Thank you.
Question by:netcmh
7 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39645492
You can look at the SMTP Send logs and search for the xyz.com domain.  If TLS is being used, you'll see the related communication in those logs.
LVL 21

Author Comment

by:netcmh
ID: 39645504
Can you give me a step by step? I'm not the mail admin. He's out and I'm tasked with the work.
LVL 21

Author Comment

by:netcmh
ID: 39645546
I dug around a bit. So, in the Exchange Management Console, I chose Message Tracking under Toolbox.

Then, I put in the recipient, the eventid as send and chose the start and end dates; and hit next.

I see a whole bunch of email logs and I'm going to go out on a limb and say that the recipientStat is the column I'm supposed to look at, as it has the 250 2.1.5 ok status. I think the 250 is the indicator that TLS is being used.

Please let me know if I'm way off base, and where else I can check to see if this domain is actually configured as a TLS communicator.
LVL 38

Accepted Solution

by:Hypercat (Deb) earned 2000 total points
ID: 39645562
First, you have to make sure that your Send connector is set to Verbose logging.  The easiest way to do this is to open the Exchange Management Console/Organization/Hub Transport and look at the properties of the Send Connector. On the General tab there is a drop-down to set the logging level. There are only two options, None and Verbose.  If it's already set to Verbose, then you're good.  If it was set to None, then you need to change it to Verbose, restart the Transport service, and do a test email to that domain to generate the log entries.

The SMTP Send protocol logs are by default located in the following folder:

C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend

However, your Exchange admin could have moved these folders, so you might have to search around to find them.  The logs can be opened in any basic text editor.  Once you have the log open, then search for the domain name until you find an email being sent to that domain.  The specific log entries you're looking for are similar to this:

2013-11-13T00:22:02.381Z,External SMTP Connector,08D09BAD42D08496,12,10.10.10.1:44551,64.12.139.193:25,<,250-STARTTLS,
2013-11-13T00:22:02.381Z,External SMTP Connector,08D09BAD42D08496,13,10.10.10.1:44551,64.12.139.193:25,<,250 DSN,
2013-11-13T00:22:02.381Z,External SMTP Connector,08D09BAD42D08496,14,10.10.10.1:44551,64.12.139.193:25,>,STARTTLS,
2013-11-13T00:22:02.412Z,External SMTP Connector,08D09BAD42D08496,15,10.10.10.1:44551,64.12.139.193:25,<,220 2.0.0 Ready to start TLS,
2013-11-13T00:22:02.412Z,External SMTP Connector,08D09BAD42D08496,16,10.10.10.1:44551,64.12.139.193:25,*,,Sending certificate
2013-11-13T00:22:02.412Z,External SMTP Connector,08D09BAD42D08496,17,10.10.10.1:44551,64.12.139.193:25,*,"CN=[your server FQDN], OU=Domain Control Validated",Certificate subject
2013-11-13T00:22:02.412Z,External SMTP Connector,08D09BAD42D08496,18,10.10.10.1:44551,64.12.139.193:25,*,"SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=""GoDaddy.com, Inc."", L=Scottsdale, S=Arizona, C=US",Certificate issuer name
2013-11-13T00:22:02.412Z,External SMTP Connector,08D09BAD42D08496,19,10.10.10.1:44551,64.12.139.193:25,*,2798C66B88BB77,Certificate serial number
2013-11-13T00:22:02.412Z,External SMTP Connector,08D09BAD42D08496,20,10.10.10.1:44551,64.12.139.193:25,*,5112EB98C90808FFA84C1D5EE79A2442A450615F,Certificate thumbprint
2013-11-13T00:22:02.412Z,External SMTP Connector,08D09BAD42D08496,21,10.10.10.1:44551,64.12.139.193:25,*,[list of valid server FQDNs for your certificate],Certificate alternate names
2013-11-13T00:22:02.506Z,External SMTP Connector,08D09BAD42D08496,22,10.10.10.1:44551,64.12.139.193:25,*,,Received certificate
2013-11-13T00:22:02.506Z,External SMTP Connector,08D09BAD42D08496,23,10.10.10.1:44551,64.12.139.193:25,*,2A2E9B5C7B49EB536F69D84BECB1724AFB003BEE,Certificate thumbprint
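As an added example (not from the thread or from Microsoft), here is a PowerShell 3.0+ function that reads a SmtpSend protocol log in the format shown above and reports, per SMTP session, whether the remote server offered STARTTLS, whether Exchange requested it, whether the remote accepted it with a 220 reply, and the thumbprint of the certificate the remote presented. The function name, the sample log lines and the addresses (RFC 5737 ranges) are constructed; the log only carries this detail when the Send connector's ProtocolLoggingLevel is Verbose, as the accepted answer explains.

```powershell
function Get-SmtpSendTlsSessions {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Standard Exchange protocol-log column order (the "#Fields:" header line of the file).
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'
    $rows = Get-Content -Path $Path | Where-Object { $_ -and -not $_.StartsWith('#') } |
            ConvertFrom-Csv -Header $fields
    foreach ($s in ($rows | Group-Object 'session-id')) {
        $ev = @($s.Group | Sort-Object { [int]$_.'sequence-number' })
        # Our STARTTLS command (">") and the remote's very next reply ("<") decide whether TLS began.
        $req   = $ev | Where-Object { $_.event -eq '>' -and $_.data -eq 'STARTTLS' } | Select-Object -First 1
        $reply = if ($req) { $ev | Where-Object { $_.event -eq '<' -and [int]$_.'sequence-number' -gt [int]$req.'sequence-number' } | Select-Object -First 1 }
        # The remote's certificate details are the "*" lines that follow the "Received certificate" marker;
        # the "Sending certificate" block earlier in the session describes our own certificate.
        $recv  = $ev | Where-Object { $_.context -eq 'Received certificate' } | Select-Object -First 1
        $thumb = if ($recv) { ($ev | Where-Object { [int]$_.'sequence-number' -gt [int]$recv.'sequence-number' -and $_.context -eq 'Certificate thumbprint' } | Select-Object -First 1).data }
        [pscustomobject]@{
            SessionId    = $s.Name
            RemoteHost   = ($ev[0].'remote-endpoint' -split ':')[0]
            TlsOffered   = [bool]($ev | Where-Object { $_.event -eq '<' -and $_.data -match '^250[- ]STARTTLS$' })
            TlsRequested = [bool]$req
            TlsStarted   = [bool]($reply -and $reply.data -like '220*')   # a 4xx/5xx reply here means the remote refused TLS
            RemoteCertThumbprint = $thumb
        }
    }
}

# Constructed sample log: one session that negotiated TLS, one where the remote never offered STARTTLS.
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-11-13T00:22:02.381Z,External SMTP Connector,08D09BAD42D08496,12,192.0.2.10:44551,198.51.100.25:25,<,250-STARTTLS,
2013-11-13T00:22:02.381Z,External SMTP Connector,08D09BAD42D08496,14,192.0.2.10:44551,198.51.100.25:25,>,STARTTLS,
2013-11-13T00:22:02.412Z,External SMTP Connector,08D09BAD42D08496,15,192.0.2.10:44551,198.51.100.25:25,<,220 2.0.0 Ready to start TLS,
2013-11-13T00:22:02.506Z,External SMTP Connector,08D09BAD42D08496,22,192.0.2.10:44551,198.51.100.25:25,*,,Received certificate
2013-11-13T00:22:02.506Z,External SMTP Connector,08D09BAD42D08496,23,192.0.2.10:44551,198.51.100.25:25,*,2A2E9B5C7B49EB536F69D84BECB1724AFB003BEE,Certificate thumbprint
2013-11-13T00:30:00.000Z,External SMTP Connector,08D09BAD42D08497,2,192.0.2.10:44560,203.0.113.7:25,<,250-SIZE 10240000,
2013-11-13T00:30:00.100Z,External SMTP Connector,08D09BAD42D08497,3,192.0.2.10:44560,203.0.113.7:25,>,MAIL FROM:<user@example.com>,
'@
$log = Join-Path $env:TEMP 'SmtpSend-sample.log'
Set-Content -Path $log -Value $sample
# On a live server, point -Path at the files under ...\ProtocolLog\SmtpSend and filter on TlsStarted -eq $false.
Get-SmtpSendTlsSessions -Path $log | Format-Table -AutoSize
```

The first session reports TlsOffered, TlsRequested and TlsStarted all true with the remote thumbprint; the second reports all three false, which is what a plaintext delivery to a domain without STARTTLS looks like in the log.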
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39645570
No, the 250 only indicates that the communication was successful.
LVL 21

Author Comment

by:netcmh
ID: 39645859
Thank you. Where else can I check to see if this domain is actually configured as a TLS communicator?
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39645903
By default, on the sending side Exchange 2007 will use what is termed "opportunistic TLS."  This means that if an external server requests that the communication be encrypted, the Exchange 2007 server will respond by sending the SSL certificate information and encrypting the communication.  You set the options for receiving email in the properties of your Receive Connector(s), on the Authentication tab, or by using the Exchange management shell. In both cases, you have the option to select to use TLS opportunistically (the default) or MutualAuth TLS, which requires TLS to be enabled on both ends and will reject email that is not encrypted.

Here's a link to some Technet info on TLS if you want more info:

http://technet.microsoft.com/en-us/library/ee428172(v=EXCHG.80).aspx