Exchange and SMTP over TLS

I am looking to setup SMTP over TLS for several clients who all are running Exchange. I am not looking to FORCE TLS at this time but would like:

Exchange to first attempt an SMTP over TLS connection FIRST. If this cannot be negotiated, then fail back to regular SMTP.

My initial searches did not return many good guides on this.

All clients are running either Exchange 2010 or 2013.
LVL 10
Schuyler DorseyAsked:
Who is Participating?
 
Simon Butler (Sembee)Connect With a Mentor ConsultantCommented:
The reason you found no guides was because there is nothing you need to do.

Since Exchange 2007, Exchange uses opportunist TLS by default - if TLS can be used then it will use it, only falling back to plain SMTP.

Simon.
0
 
Schuyler DorseyAuthor Commented:
So there is ZERO config required to do this? And thank you!
0
 
Michael OrtegaConnect With a Mentor Sales & Systems EngineerCommented:
Correcto. Exchange 2007 forward is set to use TLS opportunistically. The great thing about it is that if you are emailing people that are also using Exchange 2007 or newer all your messages are sent and received by default over a TLS connection.

If you do want to start forcing TLS you can create a 2nd send connector and only check TLS in the properties. Then scope the connector for which recipient domains you want to force TLS to.

MO
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
Schuyler DorseyAuthor Commented:
Also.. does Exchange use START TLS as oppose to SMTPS? If so, does it do this still over port 25? Just trying to make sure I have the correct inbound/outbound ports on the firewall available.

I see that 465 is used for the older SMTPS.
0
 
Michael OrtegaSales & Systems EngineerCommented:
Yes, over port 25 and uses STARTTLS.

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
Correction on my previous note above. I was mixing up my receive and send connector configurations. Your receive connector would need to be set to only allow TLS authentication and the senders IP(s) to be set in the network settings of the receive connector.

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
The receiving side would essentially need to do the same thing on their end and that would be how you enforce TLS on both sides.

We use 3rd party filters on our systems that do the enforcement for us, so that's where the mixup above came with the send connector. We simply scope our send connector to relay through the filter which then performs the enforcement of TLS.

MO
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.