TLS Support - Hosted Exchange

I have a client to whom we currently provide hosted Exchange mailboxes via the messagestream service.

My client has frequent contact with financial organisations such as banks and brokers, and today we received a request from one of the banks: they would like to set up a scan-and-email service using TLS (Transport Layer Security), which enables secure email traffic between servers/domains, ensuring that documents cannot be intercepted in transit.

To set up an agreement with TLS, the bank needs to capture certain details from messagestream (IP addresses, servers, certificate provider and details, etc.), and similar information would be provided by the bank.

I have spoken with messagestream support, who advised that all email on their platform is automatically sent as TLS as standard on the first pass; if the recipient rejects the TLS, they downgrade to SSL and retry the delivery. The issue I have is that messagestream have advised that no additional configuration of rules would be supported from their side; however, they have provided the IP addresses of their mail servers as well as the certificate names.

Because TLS is already set up on the messagestream servers, is it possible for the secure transit of email traffic to work without the configuration details being supplied by the bank?

I am just after some extra info if possible, and wanted to know if anybody else has ever run into this issue when using hosting providers.

Daniel Bertolone asked:

btan (Exec Consultant) commented:
Probably the best approach is to show independent validation that the TLS implemented is not flawed by recent vulnerabilities (such as 'Heartbleed') from use of a vulnerable OpenSSL version and package on the server, etc. You may want to poll the provider on verifying using the CheckTLS online services; there are some good use cases for validating secure TLS transfer.

Health and security checks and scans can help if reports can be shared showing compliance with standards and best industry practice such as ISO 27001/2, SSAE 16 SOC 2, PCI DSS, NSS Labs, ICSA certified reports, etc. E.g. some are shared in the Cloud Security Alliance guidance, for your info.
Simon Butler (Sembee) (Consultant) commented:
The most you are going to be able to do is pass the information over to the bank and ask them if it is enough.

Almost certainly what they want, though, is mandatory TLS (TLS only: if it fails, the message fails), which your provider cannot do. At the moment they will be using opportunistic TLS (if you support TLS, so do we, but if you don't, we can use plain SMTP).
If the bank wants mandatory TLS and the provider cannot do it, then you are faced with either changing provider or not being able to work with the bank in that way.

If this were on-prem, then I would have it configured in less than 10 minutes.

btan (Exec Consultant) commented:
The proposition is that normally an email security gateway uses mandatory TLS as its default encryption method, whereas opportunistic TLS is used for other email security functions. Simply put, if we summarise them in short, the difference is mainly to do with delivery 'resiliency':

Opportunistic TLS: If the TLS "handshake" fails, the data transfer is made via plain text, rather than encrypted text.
Mandatory TLS: If the handshake fails during the connection attempt, the connection is terminated and no transfer occurs. The message is placed in a delayed-messages queue for a later delivery attempt.

If delay is acceptable compared to security, meaning a higher SLA to ensure this, I doubt the provider can ensure that 100%; but if they have another backup such as an IPsec/PPTP VPN link between the two mail servers (or equivalent) in the email routing, and ensure that any packets going between them are fully encrypted, minimally it is just a saving grace, though we cannot fully control the client...

In the CheckTLS service shared above, it provides two "Assure TLS" tests; though they may not be as comprehensive, an attempt to 'break' the so-called mandatory TLS is tried:

Makes sure that the receiver will ONLY accept an email if it is sent securely. It makes sure the receiver will NOT accept an unprotected email.

Note: this test is only useful for sites that have setup "Require TLS" to receive email from one or more domains. You should add "" in your list of "Require TLS" domains before running the test.

Makes sure that the sender will ONLY send an email if it can be sent securely.

Note: this test is only useful for sites that have setup "Require TLS" to send mail to one or more domains. You should add "" to your list of "Require TLS" domains before running the test.
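The two delivery behaviours described above (opportunistic TLS falling back to clear text, mandatory TLS deferring the message), shown as a sending-side policy in Python. This is an added example and not code from the thread, from Messagestream or from CheckTLS; the SMTP dialogue is simulated from constructed reply lines so it runs offline, and the policy names, helper functions, hostnames and the `probe_starttls()` live check are this example's own assumptions.

```python
"""Opportunistic vs mandatory STARTTLS as a sending-side delivery policy.

Added example, not code from the original thread or from Messagestream.
The SMTP dialogue is simulated from constructed reply lines (no sockets), so
the policy logic runs offline; probe_starttls() at the bottom is the live
variant and is only useful against a real host. Names are assumptions.
"""
import smtplib
import ssl
from enum import Enum


class TlsPolicy(Enum):
    OPPORTUNISTIC = "opportunistic"  # encrypt if the peer offers it, else send in clear
    MANDATORY = "mandatory"          # no verified TLS -> no delivery (defer and retry)


class Outcome(Enum):
    SENT_TLS = "sent over TLS"
    SENT_PLAIN = "sent in clear text"
    DEFERRED = "deferred: TLS required but not available"


def parse_ehlo_reply(reply_lines):
    """Extract the extension keywords a server advertises in its EHLO reply.

    RFC 5321 EHLO replies are '250-<text>' continuation lines ending in a
    '250 <text>' line; the first line is the server's greeting, the rest are
    extensions such as STARTTLS or SIZE. Any non-250 code means EHLO failed.
    """
    for line in reply_lines:
        if not line.startswith("250"):
            raise ValueError(f"EHLO rejected: {line}")
    extensions = set()
    for line in reply_lines[1:]:            # skip the greeting line
        keyword = line[4:].strip().split(" ", 1)[0]
        if keyword:
            extensions.add(keyword.upper())
    return extensions


def simulate_delivery(server, policy):
    """Walk one delivery attempt against a scripted server and return the outcome.

    `server` is a constructed dict: 'ehlo' (list of reply lines), 'starttls'
    (the reply to the STARTTLS command) and 'handshake_ok' (whether the TLS
    handshake and certificate check would succeed; defaults to True).
    """
    extensions = parse_ehlo_reply(server["ehlo"])
    fallback = Outcome.DEFERRED if policy is TlsPolicy.MANDATORY else Outcome.SENT_PLAIN

    if "STARTTLS" not in extensions:
        return fallback                     # receiver never offered TLS at all
    if not server["starttls"].startswith("220"):
        # e.g. '454 4.7.0 TLS not available due to temporary reason' (RFC 3207):
        # an opportunistic client carries on in clear text, a mandatory one must not.
        return fallback
    if not server.get("handshake_ok", True):
        # Handshake or certificate validation failed after the 220. Falling back
        # to clear text here is what makes opportunistic TLS downgradable by an
        # on-path attacker; mandatory TLS defers instead.
        return fallback
    return Outcome.SENT_TLS


def probe_starttls(host, port=25, timeout=10):
    """Live check (needs network): does `host` offer STARTTLS and present a
    certificate that validates for its name? Returns the advertised extensions
    and the certificate subject; raises if TLS cannot be established."""
    ctx = ssl.create_default_context()       # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not advertise STARTTLS")
        features = set(smtp.esmtp_features)  # smtplib clears these after STARTTLS
        smtp.starttls(context=ctx)           # raises ssl.SSLError on a bad cert
        cert = smtp.sock.getpeercert()
        return {"extensions": features, "subject": cert.get("subject")}


# Constructed replies standing in for two receiving MTAs (placeholder hostnames).
TLS_CAPABLE_MX = {
    "ehlo": ["250-mx.example.net at your service",
             "250-SIZE 35882577",
             "250-STARTTLS",
             "250 8BITMIME"],
    "starttls": "220 2.0.0 Ready to start TLS",
    "handshake_ok": True,
}
PLAINTEXT_ONLY_MX = {
    "ehlo": ["250-legacy.example.org", "250 SIZE 10240000"],
    "starttls": "502 5.5.1 command not implemented",
}

if __name__ == "__main__":
    for mx_name, mx in (("tls-capable", TLS_CAPABLE_MX), ("plaintext-only", PLAINTEXT_ONLY_MX)):
        for pol in TlsPolicy:
            print(f"{mx_name:15} {pol.value:14} -> {simulate_delivery(mx, pol).value}")
```

The point the simulation makes is that with opportunistic TLS every failure path (no STARTTLS advertised, a 4xx/5xx reply to STARTTLS, a failed handshake) ends in clear-text delivery, so an on-path attacker only has to strip the STARTTLS capability from the EHLO reply to get plaintext; only the mandatory policy, combined with certificate validation as in `probe_starttls()`, fails closed.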
Daniel Bertolone (Author) commented:
Thanks for the tips guys. I am currently in discussion with Messagestream to see if they can meet my clients demands.

If they come back to me and say that it cannot be done in their environment, is there no other way I could achieve a similar result via the use of an SSL certificate in Outlook?
btan (Exec Consultant) commented:
I was thinking of having some sort of logging enabled on the MS servers, or observing the Exchange send/receive connector log. It shows the TLS handshake, but it can be too noisy and hard to confirm.

...maybe you can just type STARTTLS in a Telnet session and you will get the "220 2.0.0 Ready to start TLS" reply, which can prove TLS is enabled. In the example below against Gmail's SMTP server, issuing EHLO (instead of HELO), you will see that the SMTP server responds with the set of SMTP extensions that it supports. Hopefully the expected "TLS" will be listed and be slightly convincing.

SERVER: at your service
SERVER: 250-SIZE 35882577
SERVER: 220 2.0.0 Ready to start TLS
<negotiation begins here...>

.... Do note that we cannot use STARTTLS unless we have a secure connection with the server. A simple SMTP library and telnet do not support STARTTLS.

...another way is to check the logs, but if you want to check end-to-end delivery, send a message from one domain to another and then check the message header; it should show you if TLS was used at each hop. As an example of checking the email header, e.g. Exchange 2007 with TLS enabled, some email headers can have:

 "Received: from x.x.COM ( by ( with Microsoft SMTP Server (TLS) id; Thu, 24 Feb 2011  09:32:27 -0500.

You will notice the (TLS) marker in the header. Some info below on implementing secure SMTP messaging between Exchange 2007 servers.

Probably see if MS can assist with the above if the online check is not palatable.
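The header check suggested above, automated: walk a delivered message's Received: headers and report for each hop whether the receiving server recorded TLS. This is an added example, not code from the thread or from Exchange; the sample message is constructed to resemble what Exchange, Postfix and Gmail write into Received: lines, its hostnames and addresses are placeholders, and the list of TLS markers is this example's own, drawn from common MTA formats rather than an exhaustive one.

```python
"""Audit Received: headers for evidence of TLS on every hop of a delivery.

Added example, not code from the thread. The sample message below is
constructed (placeholder hostnames, documentation/private IP ranges) to look
like Exchange, Postfix and Gmail Received: lines. TLS_MARKERS is this
example's own list of common MTA markers, not an exhaustive one.
"""
import re
from email import message_from_string

# Markers MTAs put into a Received: line when the hop was encrypted:
#   'with ESMTPS'  - Postfix / Sendmail (ESMTPSA = authenticated submission over TLS)
#   '(TLS)'        - Exchange's 'with Microsoft SMTP Server (TLS)'
#   'version=TLS'  - Gmail / Postfix '(version=TLS1_2 cipher=...)'
TLS_MARKERS = re.compile(r"\bwith\s+ESMTPSA?\b|\(TLS\)|\bversion=TLS", re.IGNORECASE)

# 'from <sender-host> ... by <receiving-host> ...' per RFC 5321 section 4.4
HOP_RE = re.compile(r"^from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)


def audit_received_hops(raw_message):
    """Return one dict per hop, in delivery order: from, by, and whether the
    receiving MTA recorded TLS for that hop."""
    msg = message_from_string(raw_message)
    hops = []
    # Each MTA prepends its Received: line, so the first header is the last hop;
    # reverse to report in the order the message actually travelled.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        match = HOP_RE.search(text)
        hops.append({
            "from": match.group("from") if match else "?",
            "by": match.group("by") if match else "?",
            "tls": bool(TLS_MARKERS.search(text)),
        })
    return hops


def unencrypted_hops(raw_message):
    """List the hops ('from -> by') whose Received: line shows no TLS marker."""
    return [f"{h['from']} -> {h['by']}" for h in audit_received_hops(raw_message)
            if not h["tls"]]


def all_hops_encrypted(raw_message):
    hops = audit_received_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


# Constructed sample: scanner -> internal Exchange -> bank edge -> hosted MX.
# The first (internal) hop deliberately has no TLS marker.
SAMPLE_MESSAGE = """\
Received: from mail.bank.example (mail.bank.example [203.0.113.10])
 by mx1.hosting.example with ESMTPS id abc123
 (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);
 Thu, 24 Feb 2011 09:32:27 -0500
Received: from EXCH01.bank.example (10.0.0.5) by mail.bank.example (10.0.0.6)
 with Microsoft SMTP Server (TLS) id 14.1.270.1; Thu, 24 Feb 2011 09:32:26 -0500
Received: from scanner.bank.example (10.0.0.44) by EXCH01.bank.example (10.0.0.5)
 with Microsoft SMTP Server id 14.1.270.1; Thu, 24 Feb 2011 09:32:25 -0500
From: scanner@bank.example
To: client@example.com
Subject: Scanned document

(body omitted)
"""

if __name__ == "__main__":
    for hop in audit_received_hops(SAMPLE_MESSAGE):
        print(f"{hop['from']:22} -> {hop['by']:22} TLS={hop['tls']}")
    print("unencrypted hops:", unencrypted_hops(SAMPLE_MESSAGE))
```

Two caveats when reading the result. A Received: line is written by the receiving server of that hop, so a hop's marker is only as trustworthy as the server that wrote it, and any earlier hop can forge lines above its own; treat only the headers added by servers you control or trust as evidence. Second, the marker formats differ by MTA and version, so a hop with no recognised marker may still have used TLS; the sending and receiving logs for that hop settle the question.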
