Exchange and SMTP over TLS

I am looking to setup SMTP over TLS for several clients who all are running Exchange. I am not looking to FORCE TLS at this time but would like:

Exchange to first attempt an SMTP over TLS connection FIRST. If this cannot be negotiated, then fail back to regular SMTP.

My initial searches did not return many good guides on this.

All clients are running either Exchange 2010 or 2013.
LVL 10
Schuyler DorseyAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simon Butler (Sembee)ConsultantCommented:
The reason you found no guides was because there is nothing you need to do.

Since Exchange 2007, Exchange uses opportunist TLS by default - if TLS can be used then it will use it, only falling back to plain SMTP.

Simon.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Schuyler DorseyAuthor Commented:
So there is ZERO config required to do this? And thank you!
0
Michael OrtegaSales & Systems EngineerCommented:
Correcto. Exchange 2007 forward is set to use TLS opportunistically. The great thing about it is that if you are emailing people that are also using Exchange 2007 or newer all your messages are sent and received by default over a TLS connection.

If you do want to start forcing TLS you can create a 2nd send connector and only check TLS in the properties. Then scope the connector for which recipient domains you want to force TLS to.

MO
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Schuyler DorseyAuthor Commented:
Also.. does Exchange use START TLS as oppose to SMTPS? If so, does it do this still over port 25? Just trying to make sure I have the correct inbound/outbound ports on the firewall available.

I see that 465 is used for the older SMTPS.
0
Michael OrtegaSales & Systems EngineerCommented:
Yes, over port 25 and uses STARTTLS.

MO
0
Michael OrtegaSales & Systems EngineerCommented:
Correction on my previous note above. I was mixing up my receive and send connector configurations. Your receive connector would need to be set to only allow TLS authentication and the senders IP(s) to be set in the network settings of the receive connector.

MO
0
Michael OrtegaSales & Systems EngineerCommented:
The receiving side would essentially need to do the same thing on their end and that would be how you enforce TLS on both sides.

We use 3rd party filters on our systems that do the enforcement for us, so that's where the mixup above came with the send connector. We simply scope our send connector to relay through the filter which then performs the enforcement of TLS.

MO
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.