Mutual Authenticated TLS encryption on Exchange 2007

Posted on 2015-02-12
Last Modified: 2015-02-13
I have worked with Exchange Server for a number of years but have very limited experience with implementing email encryption. I was recently assigned a project for a client regarding a request to set up Mutual Authenticated TLS encryption for a large number of companies that they do business with, and I have been researching the subject. I have a couple of questions that I was hoping you may be able to answer, or perhaps you could provide some additional resources that clarify the procedure for me.

The client is currently running SBS 2008 with Exchange Server 2007. A TLS Certificate has already been purchased and installed, and I have confirmed that it is working properly through testsender@CheckTLS.com. The list they provided has 190 companies that need to be configured for Mutual Auth TLS, and I am confused as to what steps I need to implement at this point.

I have been reviewing two TechNet articles:

https://technet.microsoft.com/en-us/library/bb123543(v=exchg.141).aspx - This article applies to Exchange Server 2010, but I believe the configuration would be similar for Exchange 2007, as this article keeps coming up when I select links from articles discussing Exchange 2007. Or am I mistaken?

https://technet.microsoft.com/en-us/library/ee428172(v=exchg.80).aspx - This article applies to Exchange Server 2007, but I am confused about the differences between the two articles, namely that the Exchange 2010 article appears to refer to using only cmdlet commands while the Exchange 2007 document refers to using the SMTP Connector wizard.

Besides trying to figure out which set of instructions I should be following, I have several additional questions:

Should my first step be to contact each of the 190 companies on the list to confirm that they are able to send/receive Mutual Auth TLS on their end before I begin setting up each domain?

Is there a way to add all the required domains at one time or do I need to add each one via a separate command?

Will the new connectors only enforce the Mutual Auth TLS for the domains I provide? I want to ensure email sent to other domains that cannot accept encrypted email is not affected when I add the connectors.

Any information you can provide on this subject would be greatly appreciated. Thank you.
Question by:LauriC
6 Comments

Expert Comment

by:David Johnson, CD, MVP
ID: 40606197
Set-TransportConfig -TLSSendDomainSecureList woodgrovebank.com,bankusa.com,example.com,test.com
https://technet.microsoft.com/en-us/library/bb123543%28v=exchg.80%29.aspx

Author Comment

by:LauriC
ID: 40606216
Thank you for that link. I did not find that specific article when I found the other two.

Any comments on the 3 questions that I have regarding the procedure?

Accepted Solution

by:David Johnson, CD, MVP (earned 500 total points)
ID: 40606231
Should my first step be to contact each of the 190 companies on the list to confirm that they are able to send/receive Mutual Auth TLS on their end before I begin setting up each domain?

Always test again; the article shows you the methods, and there is no need to contact the companies if the test works.
Is there a way to add all the required domains at one time or do I need to add each one via a separate command?
Given in the example.
Will the new connectors only enforce the Mutual Auth TLS for the domains I provide? I want to ensure email sent to other domains that cannot accept encrypted email is not affected when I add the connectors.
Yes
Author Comment

by:LauriC
ID: 40608434
I was able to successfully do a test setup on our own server, adding the Mutual Auth TLS to the connectors for the client company's domain, but I ran into an issue with it working on the send connector and rejecting their email on the receive connector. I did more research on the problem and found an article that referenced selecting Partners on the Permission Tab of the receive connector, and that seemed to resolve the issue. I didn't see anything regarding this in the original instructions and am not sure why it was needed. Do you have any feedback on what that permission setting actually means and why it appeared to be required in order to allow inbound email from them?

Expert Comment

by:David Johnson, CD, MVP
ID: 40608509
Did you run
Set-ReceiveConnector Internet -DomainSecureEnabled $true -AuthMechanism TLS

on all edge receive servers?

Author Comment

by:LauriC
ID: 40608616
It is an SBS Server, so there is only one server involved. There is only one Receive Connector, and I used the exact name of it when I issued the command (as opposed to Internet in your example above).

When I did the settings originally on both Send and Receive connectors, I was able to successfully send email, but when they replied back, they received a #550 5.7.1 Client does not have permissions to submit to this server ##

So I undid the settings on the receive connector by entering Set-TransportConfig -TLSReceiveDomainSecureList with no domains listed. Then I did a bit more research and found a reference to Partners on the Permissions Tab of the Receive Connector in regard to TLS and Enable Domain Security (Mutual Auth TLS). I put a checkmark on that in the Permissions Tab, redid the original settings on the receive connector again to include their domain, restarted the MSExchange Transport service, and everything seemed to start flowing again.

I now see a green circle with a white check mark on their inbound emails in my Outlook, which says "Exchange Domain Authenticated E-mail" when clicked on. I don't see that on my outbound email, though, and am not sure if I am supposed to.

Sorry to be asking so many questions on this subject. I am trying to understand exactly what is needed and how it works before I attempt to do it directly on their server with a number of domains.
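The following script is an added example, not code from the thread or from Microsoft, that pulls the whole procedure together for the 190-domain case: it merges a file of partner domains into the TLSSendDomainSecureList and TLSReceiveDomainSecureList (Set-TransportConfig replaces the lists, so adding one domain at a time without merging would drop the earlier ones), enables Domain Security on the connectors, and makes sure the Receive connector has both the TLS auth mechanism and the Partners permission group, which is what grants submit rights to a mutually authenticated partner session. The file path and both connector names are placeholders to replace with your own.

```powershell
# Added example, not from the thread or Microsoft: bulk-enable Domain Security
# (Mutual TLS) on Exchange 2007. Assumes the Exchange Management Shell and
# placeholder names: C:\partners.txt (one domain per line) and the two connectors.
$domainFile   = 'C:\partners.txt'      # placeholder path
$sendConnName = 'Internet Send'        # placeholder Send connector name
$recvConnName = 'Default SBSSERVER'    # placeholder Receive connector name

# Normalise input: trim, lower-case, drop blank lines and duplicates.
$newDomains = Get-Content $domainFile | ForEach-Object { $_.Trim().ToLower() } |
    Where-Object { $_ -ne '' } | Sort-Object -Unique

# Set-TransportConfig REPLACES each list, so merge with what is already there.
$tc   = Get-TransportConfig
$send = @($tc.TLSSendDomainSecureList    | ForEach-Object { "$_" }) + $newDomains
$recv = @($tc.TLSReceiveDomainSecureList | ForEach-Object { "$_" }) + $newDomains
Set-TransportConfig -TLSSendDomainSecureList    ($send | Sort-Object -Unique) `
                    -TLSReceiveDomainSecureList ($recv | Sort-Object -Unique)

# Outbound: Domain Security is enforced only for domains in the send list; mail
# to every other domain keeps using opportunistic TLS or plain SMTP as before.
# The Send connector must route by DNS; one that uses a smart host cannot have
# DomainSecureEnabled set.
Set-SendConnector -Identity $sendConnName -DomainSecureEnabled $true

# Inbound: keep the existing auth mechanisms and permission groups, but make sure
# Tls and Partners are present. Without Partners the mutually authenticated
# partner session has no submit permission and is refused with 550 5.7.1.
$rc   = Get-ReceiveConnector -Identity $recvConnName
$auth = @($rc.AuthMechanism.ToString().Split(',') | ForEach-Object { $_.Trim() })
$auth = @($auth | Where-Object { $_ -ne 'None' })     # 'None' cannot be combined
if ($auth -notcontains 'Tls') { $auth += 'Tls' }
$perm = @($rc.PermissionGroups.ToString().Split(',') | ForEach-Object { $_.Trim() })
$perm = @($perm | Where-Object { $_ -ne 'None' })
if ($perm -notcontains 'Partners') { $perm += 'Partners' }
Set-ReceiveConnector -Identity $recvConnName -DomainSecureEnabled $true `
    -AuthMechanism ([string]::Join(',', $auth)) -PermissionGroups ([string]::Join(',', $perm))

Restart-Service MSExchangeTransport

# Verify: every requested domain landed in both lists, then show connector state.
$tc      = Get-TransportConfig
$sendNow = @($tc.TLSSendDomainSecureList    | ForEach-Object { "$_" })
$recvNow = @($tc.TLSReceiveDomainSecureList | ForEach-Object { "$_" })
$missing = @($newDomains | Where-Object { $sendNow -notcontains $_ -or $recvNow -notcontains $_ })
if ($missing.Count -gt 0) { Write-Warning ("Not configured: " + [string]::Join(', ', $missing)) }
Get-SendConnector    $sendConnName | Format-List Name, DomainSecureEnabled, SmartHosts
Get-ReceiveConnector $recvConnName | Format-List Name, DomainSecureEnabled, AuthMechanism, PermissionGroups
```

Run it on the test server first and watch the Application log for MSExchangeTransport Domain Security events (the 550 5.7.1 seen in the thread is the symptom of the Partners group being absent on the Receive connector).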