TLS Support - Hosted Exchange

Posted on 2014-07-15
Last Modified: 2014-08-10
I have a client to whom we currently provide hosted Exchange mailboxes via the Messagestream service.

My client has frequent contact with financial organisations such as banks and brokers, and today we received a request from one of the banks: they would like to set up a scan-and-email service using TLS (Transport Layer Security), which enables secure email traffic between servers/domains, ensuring that documents cannot be intercepted in transit.

To set up an agreement with TLS, the bank needs to capture certain details from Messagestream (IP addresses, servers, certificate provider and details, etc.), and similar information would be provided by the bank.

I have spoken with Messagestream support, who advised that all email on their platform is automatically sent as TLS as standard on the first pass; if the recipient rejects the TLS, they downgrade to SSL and retry the delivery. The issue I have is that Messagestream have advised that no additional configuration of rules would be supported from their side; however, they have provided the IP addresses of their mail servers as well as the certificate names.

Because TLS is already set up on Messagestream's servers, is it possible for the secure transit of email traffic to work without the configuration details being supplied by the bank?

I am just after some extra info if possible and wanted to know if anybody else has ever run into this issue when using hosting providers.

Question by: Daniel Bertolone
    LVL 60

    Expert Comment

    Probably the best is to show independent validation of the TLS implemented, and that it is not flawed with recent vulnerabilities (such as 'Heartbleed') from use of a vulnerable OpenSSL version and package on the server, etc. You may want to poll the provider on verifying using the CheckTLS online services; there are some good use cases for validating secure TLS transfer.

    Health and security checks and scans can help if reports can be shared out as compliance with standards and best industry practice such as ISO 27001/2, SSAE 16 SOC 2, PCI DSS, NSS Labs, ICSA certified reports, etc. E.g. some shared by the Cloud Security Alliance guidance, for your info.
    LVL 63

    Expert Comment

    by: Simon Butler (Sembee)
    The most you are going to be able to do is pass the information over to the bank and ask them if it is enough.

    Almost certainly what they want, though, is mandatory TLS (TLS only; if it fails, the message fails), which your provider cannot do. At the moment they will be using opportunistic TLS (if you support TLS, so do we, but if you don't, we can use plain SMTP).
    If the bank wants mandatory TLS and the provider cannot do it, then you are faced with either changing provider or not being able to work with the bank in that way.

    If this was on prem, then I would have it configured in less than 10 minutes.

    LVL 60

    Expert Comment

    The proposition is that normally an email security gateway uses mandatory TLS as its default encryption method, whereas opportunistic TLS is used for other email security functions. Simply, if we summarise them in short, it is mainly to do with delivery 'resiliency':

    Opportunistic TLS - If the TLS "handshake" fails, the data transfer is made via plain text rather than encrypted text.
    Mandatory TLS - If the handshake fails during the connection attempt, the connection is terminated and no transfer occurs. The message is placed in a delayed-messages queue for a later delivery attempt.

    If delay is acceptable compared to security, meaning a higher SLA to ensure this, I doubt the provider can ensure that 100%; but if they have another backup such as an IPsec/PPTP VPN link between the two mail servers (or equivalent) in the email routing, and ensure that any packets going between them are fully encrypted, minimally it is just a saving grace, though we cannot fully control the client ...

    In the CheckTLS site shared, it provides two "Assure TLS" tests; though it may not be as comprehensive, an attempt to 'break' the so-called mandatory TLS is tried:

    Makes sure that the receiver will ONLY accept an email if it is sent securely. It makes sure the receiver will NOT accept an unprotected email.

    Note: this test is only useful for sites that have setup "Require TLS" to receive email from one or more domains. You should add "" in your list of "Require TLS" domains before running the test.

    Makes sure that the sender will ONLY send an email if can be sent securely.

    Note: this test is only useful for sites that have setup "Require TLS" to send mail to one or more domains. You should add "" to your list of "Require TLS" domains before running the test.
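    Both comments above draw the same line: opportunistic TLS falls back to cleartext when STARTTLS is not offered, mandatory TLS defers and retries. The Python below is an added example, not code from this thread, from Messagestream or from the bank. It parses two constructed EHLO replies (hypothetical hosts mx.bank.example and mx.legacy.example), returns the sender's decision under each policy, and includes a live probe helper built only on the standard library's smtplib; the probe needs network access and is not called in the file.

```python
"""Opportunistic vs mandatory TLS as a sending-side decision after EHLO.

Added example, not code from the original thread, Messagestream or the bank.
The EHLO replies below are constructed sample data (hypothetical hosts).
"""
import smtplib
import ssl

# Constructed 250 multi-line EHLO replies from two hypothetical receivers.
# Only the first advertises STARTTLS.
EHLO_WITH_STARTTLS = [
    "250-mx.bank.example at your service",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 8BITMIME",
]
EHLO_WITHOUT_STARTTLS = [
    "250-mx.legacy.example Hello",
    "250-SIZE 10485760",
    "250 8BITMIME",
]


def advertised_extensions(ehlo_lines):
    """Return the SMTP extension keywords from a 250 multi-line reply.

    The first line is the greeting; every later line is "250-EXT ..." or
    "250 EXT ..." (the space instead of the hyphen marks the last line).
    """
    exts = set()
    for line in ehlo_lines[1:]:
        body = line[4:].strip()
        if body:
            exts.add(body.split()[0].upper())
    return exts


def decide_delivery(ehlo_lines, policy):
    """What the sender does next for this recipient.

    "opportunistic": STARTTLS if offered, otherwise plain SMTP (what the
                     provider in the thread does).
    "mandatory":     STARTTLS if offered, otherwise "defer": queue and retry
                     later, never deliver in clear (what the bank wants).
    Returns "starttls", "plaintext" or "defer".
    """
    if "STARTTLS" in advertised_extensions(ehlo_lines):
        return "starttls"
    if policy == "opportunistic":
        return "plaintext"
    if policy == "mandatory":
        return "defer"
    raise ValueError("unknown policy: %r" % policy)


def probe_starttls(host, port=25, verify=False, timeout=10):
    """Live check of a real MX (needs network; not called in this file).

    Issues EHLO, upgrades with STARTTLS and returns (tls_version, der_cert),
    or None if STARTTLS is not advertised. verify=True validates the chain
    and hostname against `host`, which a mandatory-TLS agreement should
    require; verify=False mirrors opportunistic TLS, which encrypts but
    accepts any certificate.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)
        smtp.ehlo()  # the extension list must be re-read after the upgrade
        return smtp.sock.version(), smtp.sock.getpeercert(binary_form=True)


if __name__ == "__main__":
    for name, reply in (("mx.bank.example", EHLO_WITH_STARTTLS),
                        ("mx.legacy.example", EHLO_WITHOUT_STARTTLS)):
        for policy in ("opportunistic", "mandatory"):
            print(name, policy, "->", decide_delivery(reply, policy))
```

    The point of `verify` is the one the bank's request implies: an opportunistic sender that encrypts but never checks the certificate is still open to an active attacker presenting its own certificate, so a TLS agreement between two domains normally pins the expected certificate name, which is why the bank asks for certificate details in the first place.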

    Author Comment

    by: Daniel Bertolone
    Thanks for the tips guys. I am currently in discussion with Messagestream to see if they can meet my clients demands.

    If they come back to me and say that it cannot be done in their environment, is there no other way I could achieve a similar result via the use of an SSL certificate in Outlook?
    LVL 60

    Accepted Solution

    I was thinking of having some sort of logging enabled on the MS servers, or observing the Exchange send/receive connector log. It shows the TLS handshake, but it can be too noisy and hard to confirm.

    ...maybe you can just type STARTTLS in a Telnet session and you will get "220 2.0.0 Ready to start TLS", which can prove TLS is enabled. An example against GMail's SMTP server is below: issuing EHLO (instead of HELO), you will see that the SMTP server responds with the set of SMTP extensions that it supports. Hopefully the expected "TLS" will be listed and be slightly convincing.

    SERVER: at your service
    SERVER: 250-SIZE 35882577
    SERVER: 220 2.0.0 Ready to start TLS
    <negotiation begins here...>

    .... do note that we cannot use STARTTLS unless we have a secure connection with the server. Simple SMTP libraries and telnet do not support STARTTLS.

    ...another option is to check the logs, but if you want to check end-to-end delivery, send a message from one domain to another and then check the message header; it should show you if TLS was used at each hop. For checking the email header, e.g. Exchange 2007 with TLS enabled, some email headers can have:

     Received: from x.x.COM ( by ( with Microsoft SMTP Server (TLS) id; Thu, 24 Feb 2011 09:32:27 -0500

    You will notice the (TLS) marker in the header. Some info below on implementing secure SMTP messaging between Exchange 2007 servers.

    Probably worth seeing if MS can assist with the above if an online check is not palatable.
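    The accepted solution's end-to-end check is to read the Received headers and look for the TLS marker at every hop. The Python below is an added example, not code from the thread or from Messagestream: it parses a constructed message (RFC 5737 addresses, hypothetical hostnames such as mx.bank.example) whose three Received lines mimic the Exchange "(TLS)" marker, Postfix's "ESMTPS" and a plain internal hop, and reports which hops travelled in the clear. The marker patterns are the conventions of those MTAs as I know them, not anything the thread states.

```python
"""Per-hop TLS check from Received headers.

Added example, not code from the original thread or from Messagestream.
SAMPLE_MESSAGE is constructed: RFC 5737 addresses, hypothetical hostnames;
its Received lines mimic the Exchange "(TLS)" marker, Postfix "ESMTPS" and a
plain cleartext internal hop.
"""
import email
import email.policy
import re

SAMPLE_MESSAGE = (
    "Received: from mx.bank.example (203.0.113.10) by mail.client.example\n"
    " (198.51.100.5) with Microsoft SMTP Server (TLS) id 14.3.123.3;\n"
    " Thu, 24 Feb 2011 09:32:27 -0500\n"
    "Received: from relay.bank.example (203.0.113.20)\n"
    " by mx.bank.example (Postfix) with ESMTPS id 4F3A2B1C;\n"
    " Thu, 24 Feb 2011 09:32:25 -0500\n"
    "Received: from scanner.bank.example (192.0.2.7)\n"
    " by relay.bank.example with ESMTP id 9A8B7C6D;\n"
    " Thu, 24 Feb 2011 09:32:20 -0500\n"
    "From: scans@bank.example\n"
    "To: client@client.example\n"
    "Subject: statement\n"
    "\n"
    "body\n"
)

# Markers MTAs leave in Received when the hop used TLS:
#   Exchange              "with Microsoft SMTP Server (TLS)"
#   Postfix / Exim        "with ESMTPS" (ESMTPSA when also authenticated)
#   Gmail, newer Exchange "(version=TLS1_2 cipher=...)"
# Plain "ESMTP" / "SMTP" without the trailing S means the hop was cleartext.
TLS_MARKER = re.compile(r"\(TLS\)|\bE?SMTPSA?\b|\bversion=TLS", re.IGNORECASE)
FROM_RE = re.compile(r"\bfrom\s+([^\s(]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s(]+)", re.IGNORECASE)


def hop_report(raw_message):
    """Return one dict per hop, in delivery order (first hop first).

    Each receiving MTA prepends its own Received line, so header order is
    last hop first; the list is reversed to read as the message travelled.
    """
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = re.sub(r"\r?\n[ \t]+", " ", str(hdr))  # unfold, belt and braces
        from_m = FROM_RE.search(text)
        by_m = BY_RE.search(text)
        hops.append({
            "from": from_m.group(1) if from_m else "?",
            "by": by_m.group(1) if by_m else "?",
            "tls": bool(TLS_MARKER.search(text)),
        })
    hops.reverse()
    return hops


def cleartext_hops(raw_message):
    """Hops with no TLS marker, as "from -> by" strings."""
    return ["%s -> %s" % (h["from"], h["by"])
            for h in hop_report(raw_message) if not h["tls"]]


def all_hops_tls(raw_message):
    """True only if every recorded hop used TLS."""
    return not cleartext_hops(raw_message)


if __name__ == "__main__":
    for hop in hop_report(SAMPLE_MESSAGE):
        print("%-24s -> %-24s %s" % (hop["from"], hop["by"],
                                     "TLS" if hop["tls"] else "CLEARTEXT"))
    print("all hops TLS:", all_hops_tls(SAMPLE_MESSAGE))
```

    Two caveats a practitioner should keep in mind when using this as evidence for the bank: Received headers are written by the receiving side and say nothing about certificate validation, so a hop marked TLS may still have accepted any certificate; and an internal hop behind the bank's gateway (the scanner to relay hop in the sample) can legitimately be cleartext, so what matters is the hop that crosses between the two organisations.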
