Solved

Enabling TLS for a company that uses an Exchange 2010 hybrid environment with O365 and a spam gateway [Symantec BrightMail 10.0.2] to route inbound/outbound email

Posted on 2015-01-03
569 Views
Last Modified: 2015-01-05
Hi Experts,

I opened another thread with the same question, but it seems like nobody is able to provide full feedback on all the steps required, on the Exchange server and on the Symantec spam gateway, to enable TLS for a single domain.

http://www.experts-exchange.com/Networking/Protocols/Email/Q_25118415.html

As per the link above, I have an almost identical infrastructure. All inbound/outbound email goes to the Symantec BrightMail spam gateway [through a send connector], and we also have another send connector to Office 365.

Should I create send connectors in the exchange server to use TLS for a single domain?

Should I setup a new domain in the spam gateway to force TLS for a single company?

Can someone please indicate all steps required from both exchange and Symantec BrightMail 10.0.2?

I am a little confused here with the Symantec appliance and O365. I do not want to enable TLS for the entire organization, only for emails sent to a specific partner.

Please see the links below, and let me know your thoughts.

http://www.symantec.com/business/support/index?page=content&id=TECH96523
http://www.symantec.com/connect/forums/ok-guys-how-do-you-enforce-tls-brightmail
http://www.symantec.com/business/support/index?page=content&id=HOWTO58876
http://www.symantec.com/connect/forums/tls-encrypted-smtp-connection
http://www.symantec.com/business/support/index?page=content&id=TECH91365
0
Question by:Jerry Seinfield
9 Comments
 
LVL 41

Expert Comment

by:Vasil Michev (MVP)
ID: 40529534
If all inbound/outbound mail is hitting the spam appliance first, and you want to enforce TLS only for a specific domain, you should do it at the appliance level. Nothing should be needed on the O365 side.

For the sake of completeness, you can enforce TLS in O365 using these two methods:

 - use an inbound/outbound connector: http://technet.microsoft.com/en-us/library/dn751021(v=exchg.150).aspx
 - use a simple transport rule with the "recipient domain is" condition and the "require TLS" action

The first method is generally more secure, as you can require the other side to have a valid publicly trusted certificate with the said domain added as SAN/CN, but it's a bit more difficult to configure. The second method is easier to configure and gives you a lot of flexibility when combined with other actions/exceptions/conditions, but it will work against any certificate (even self-signed).
0
 

Author Comment

by:Jerry Seinfield
ID: 40529721
Vasil, are you saying that I need to perform a transport rule on the Symantec BrightMail spam gateway appliance?

Did you read all the Symantec links posted above?

If everything has to be done on the spam gateway, can you please write down all steps?
0
 

Author Comment

by:Jerry Seinfield
ID: 40529805
Anyone?
0
 
LVL 41

Expert Comment

by:Vasil Michev (MVP)
ID: 40529966
Sorry, I'm not an expert on BrightMail, but the first article you linked seems to contain the instructions you need.
0
 

Author Comment

by:Jerry Seinfield
ID: 40530308
Thanks Vasil,

With that being said, everything should be done on the Symantec appliance and the instructions would be below?


TLS for delivery to specific domains:
You may enable TLS for delivery of mail on a per-domain basis.
1. Select the Protocols tab.
2. Select Domains under the SMTP sidebar on the left-hand side of the page.
3. Either select the Add button to add a new domain, or select a domain and click the Edit button to change an existing domain.
4. Select the Delivery tab.
5. In the TLS Encryption box, check the box for Optional delivery encryption.
6. Select either Attempt TLS encryption or one of the two Require TLS options. Note: If either of the Require TLS encryption options is chosen and the remote mail system does not support TLS, messages to that system will bounce.
7. Select Save to commit the changes.

What about the certificates? Should I use a public CA? Can you please elaborate on this? Where should the certificate be generated? Would it be generated on the Symantec appliance, or by an external or internal PKI CA?

Does anybody from the antivirus team have any thoughts?
0
 
LVL 41

Expert Comment

by:Vasil Michev (MVP)
ID: 40530374
Self-signed will do, but the most secure way is to use a valid publicly trusted certificate with the domain name added as SAN/CN.
0
 

Author Comment

by:Jerry Seinfield
ID: 40530650
Vasil, so basically you are saying that the public certificate should be an SSL SAN certificate with the domain names of both companies?

Should we exchange the cert across companies?
If so, I guess the cert should be imported onto the Symantec Appliance Gateway?
0
 

Author Comment

by:Jerry Seinfield
ID: 40530752
Can someone else from the AV team provide their thoughts?
0
 
LVL 41

Accepted Solution

by:Vasil Michev (MVP) earned 500 total points
ID: 40531050
Um, no. It's preferable to have a publicly trusted one, but self-signed will do as well. If using a publicly trusted one, you can restrict the TLS configuration to check specifically for that domain name being present in the SAN/CN.
0
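The two Office 365 methods described in the first expert comment (a partner connector pair versus a transport rule), together with the SAN/CN name check from the accepted solution, look like this in Exchange Online PowerShell. This is an added example, not code from the thread or from Microsoft's documentation; it assumes an Exchange Online remote PowerShell session is already open and uses "partner.example" as a placeholder for the partner's domain. As the answer notes, these settings only matter for mail that actually leaves or enters through Exchange Online; mail routed through the BrightMail appliance is governed by the per-domain TLS setting on the appliance.

```powershell
# Added example (not from the thread): enforce TLS towards a single partner
# domain in Exchange Online, showing both methods from the answer above.
# Assumes an Exchange Online PowerShell session is already established.

$PartnerDomain = "partner.example"   # placeholder, replace with the real partner domain

# --- Method 1: partner connectors (stricter: validates the partner's certificate) ---

# Outbound: deliver to the partner only over TLS, and only if the certificate
# presented by the partner's MX host is publicly trusted AND carries the partner
# domain in its subject/SAN (TlsSettings DomainValidation + TlsDomain does this check).
New-OutboundConnector -Name "Require TLS to $PartnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $PartnerDomain `
    -Enabled $true

# Inbound: mail claiming to come from the partner must arrive over TLS and the
# sending host must present a certificate whose name matches the partner domain.
New-InboundConnector -Name "Require TLS from $PartnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $PartnerDomain `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $PartnerDomain `
    -Enabled $true

# --- Method 2: transport rule (simpler: any certificate, including self-signed, is accepted) ---

New-TransportRule -Name "Require TLS for mail to $PartnerDomain" `
    -RecipientDomainIs $PartnerDomain `
    -RouteMessageOutboundRequireTls $true `
    -Comments "Mail to this partner must be sent over TLS; it is deferred/bounced if TLS cannot be negotiated"

# --- Review what is now in place for the partner domain ---
Get-OutboundConnector |
    Where-Object { $_.RecipientDomains -contains $PartnerDomain } |
    Format-List Name, TlsSettings, TlsDomain, RecipientDomains, Enabled

Get-TransportRule |
    Where-Object { $_.RecipientDomainIs -contains $PartnerDomain } |
    Format-List Name, RouteMessageOutboundRequireTls, State
```

Pick one of the two methods rather than running both: the connector pair is the one that actually ties the TLS requirement to a certificate name (the SAN/CN check the accepted answer refers to), while the transport rule only insists that some TLS session was negotiated. The RouteMessageOutboundRequireTls action belongs to Exchange Online; on the on-premises Exchange 2010 side the equivalent control is the RequireTLS setting on the send connector that points at the appliance, and the per-domain enforcement itself is the BrightMail Delivery tab setting quoted earlier in the thread.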
