LauriC
Mutual Authenticated TLS encryption on Exchange 2007

I have worked with Exchange Server for a number of years but have very limited experience with implementing email encryption.  I was recently assigned a project for a client regarding a request to setup Mutual Authenticated TLS encryption for a large number of companies that they do business with and I have been researching the subject.  I have a couple of questions that I was hoping you may be able to answer or provide some additional resources that clarify the procedure for me.

The client is currently running SBS 2008 with Exchange Server 2007.  A TLS Certificate has already been purchased and installed and I have confirmed that it is working properly through testsender@CheckTLS.com.  The list they provided has 190 companies that need to be configured for Mutual Auth TLS and I am confused as to what steps I need to implement at this point.

I have been reviewing two TechNet articles:

https://technet.microsoft.com/en-us/library/bb123543(v=exchg.141).aspx  This article applies to Exchange Server 2010 but I believe the configuration would be similar for Exchange 2007 as this article keeps coming up when I select links from articles discussing Exchange 2007.  Or am I mistaken?

https://technet.microsoft.com/en-us/library/ee428172(v=exchg.80).aspx This article applies to Exchange Server 2007 but I am confused about the differences between the two articles - namely the Exchange 2010 article appears to refer to using only cmdlet commands and the Exchange 2007 document refers to using SMTP Connector wizard.

Besides trying to figure out which set of instructions I should be following, I have several additional questions:

Should my first step be to contact each of the 190 companies on the list to confirm that they are able to send/receive Mutual Auth TLS on their end before I begin setting up each domain?

Is there a way to add all the required domains at one time or do I need to add each one via a separate command?

Will the new connectors only enforce the Mutual Auth TLS for the domains I provide?  I want to ensure email sent to other domains that cannot accept encrypted email is not affected when I add the connectors.

Any information you can provide on this subject would be greatly appreciated.  Thank you.
David Johnson, CD

Set-TransportConfig -TLSSendDomainSecureList woodgrovebank.com,bankusa.com,example.com,test.com
https://technet.microsoft.com/en-us/library/bb123543%28v=exchg.80%29.aspx
LauriC

ASKER

Thank you for that link.  I did not find that specific article when I found the other two.  

Any comments on the 3 questions that I have regarding the procedure?
ASKER CERTIFIED SOLUTION
David Johnson, CD
LauriC

ASKER

I was able to successfully do a test setup on our own server adding the Mutual Auth TLS to the connectors for the client's company's domain, but I ran into an issue with it working on the send connector and rejecting their email on the receive connector.  I did more research on the problem and found an article that referenced selecting Partners on the Permission Tab of the receive connector and that seemed to resolve the issue.  I didn't see anything regarding this in the original instructions and am not sure why it was needed.  Do you have any feedback on what that permission setting actually means and why it appeared to be required in order to allow inbound email from them?
Did you
Set-ReceiveConnector Internet -DomainSecureEnabled $true -AuthMechanism TLS

on all edge receive servers?
LauriC

ASKER

It is an SBS Server so there is only one server involved.  There is only one Receive Connector and I used the exact name of it when I issued the command (as opposed to Internet in your example above).  

When I did the settings originally on both Send and Receive connectors, I was able to successfully send email but when they replied back, they received a #550 5.7.1 Client does not have permissions to submit to this server ##

So I undid the settings on the receive connector by entering Set-TransportConfig -TLSReceiveDomainSecureList with no domains listed.  Then I did a bit more research and found a reference to Partners on the Permission Tab of the Receive Connector in regard to TLS and Enable Domain Security (Mutual Auth TLS), so I put a checkmark on that in the Permissions Tab, redid the original settings on the receive connector again to include their domain, restarted the MSExchange Transport service and everything seemed to start flowing again.  

I now see a green circle with a white check mark on their inbound emails in my Outlook which says "Exchange Domain Authenticated E-mail" when clicked on.  I don't see that on my outbound email though and am not sure if I am supposed to.

Sorry to be asking so many questions on this subject.  I am trying to understand exactly what is needed and how it works before I attempt to do it directly on their server with a number of domains.
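An added Exchange Management Shell example, not posted by anyone in this thread, that puts the pieces discussed above into one pass: bulk-loading the partner domains into the send/receive domain-secure lists (the "all at one time" question), enabling Domain Security on the send and receive connectors, and adding the Partners permission group and TLS auth mechanism without dropping what the connector already has. It assumes a hypothetical domain list file C:\temp\partner-domains.txt and placeholder connector names; substitute the names Get-SendConnector and Get-ReceiveConnector report.

```powershell
# Added example, not from the thread. Assumed paths and names (placeholders):
$domainFile        = 'C:\temp\partner-domains.txt'   # one domain per line
$receiveConnector  = 'Default SBS-SERVER'            # use the real connector name
$sendConnector     = 'Internet'                      # must be DNS-routed, no smart host

# Read, trim, lower-case, drop blanks/comments and duplicates.
$domains = Get-Content $domainFile |
    ForEach-Object { $_.Trim().ToLower() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique

# The two lists are multi-valued and Set-TransportConfig replaces them whole,
# so merge with whatever is already configured instead of overwriting it.
$cfg      = Get-TransportConfig
$sendList = @($cfg.TLSSendDomainSecureList)    + $domains | Sort-Object -Unique
$recvList = @($cfg.TLSReceiveDomainSecureList) + $domains | Sort-Object -Unique
Set-TransportConfig -TLSSendDomainSecureList $sendList -TLSReceiveDomainSecureList $recvList

# Domain Security is enforced only for domains in those lists; mail to any other
# domain keeps using opportunistic TLS or plain SMTP as before.
Set-SendConnector $sendConnector -DomainSecureEnabled $true -IgnoreSTARTTLS $false

# On the receive connector keep the existing auth mechanisms and permission groups,
# adding TLS and Partners if missing. A sender presenting a trusted certificate for
# a listed domain is authenticated as a partner; without that group the session has
# no submit right, which matches the 550 5.7.1 rejection seen above.
$rc    = Get-ReceiveConnector $receiveConnector
$auth  = @($rc.AuthMechanism.ToString().Split(',')    | ForEach-Object { $_.Trim() })
$perms = @($rc.PermissionGroups.ToString().Split(',') | ForEach-Object { $_.Trim() })
if ($auth  -notcontains 'Tls')      { $auth  += 'Tls' }
if ($perms -notcontains 'Partners') { $perms += 'Partners' }
Set-ReceiveConnector $receiveConnector -DomainSecureEnabled $true `
    -AuthMechanism ($auth -join ',') -PermissionGroups ($perms -join ',')

Restart-Service MSExchangeTransport

# Verify the end state before repeating this on the client's server.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector $sendConnector | Format-List DomainSecureEnabled, DNSRoutingEnabled, IgnoreSTARTTLS
Get-ReceiveConnector $receiveConnector | Format-List DomainSecureEnabled, AuthMechanism, PermissionGroups
```

Both sides must list each other's domain and trust each other's certificate chain, so a domain in your lists whose partner has not done the same will see its mail fail rather than fall back to opportunistic TLS.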