Solved

Mutual Authenticated TLS encryption on Exchange 2007

Posted on 2015-02-12
Medium Priority
207 Views
Last Modified: 2015-02-13
I have worked with Exchange Server for a number of years but have very limited experience with implementing email encryption. I was recently assigned a project for a client regarding a request to set up Mutual Authenticated TLS encryption for a large number of companies that they do business with, and I have been researching the subject. I have a couple of questions that I was hoping you may be able to answer or provide some additional resources that clarify the procedure for me.

The client is currently running SBS 2008 with Exchange Server 2007. A TLS Certificate has already been purchased and installed and I have confirmed that it is working properly through testsender@CheckTLS.com. The list they provided has 190 companies that need to be configured for Mutual Auth TLS and I am confused as to what steps I need to implement at this point.

I have been reviewing two technet articles:

https://technet.microsoft.com/en-us/library/bb123543(v=exchg.141).aspx  This article applies to Exchange Server 2010 but I believe the configuration would be similar for Exchange 2007 as this article keeps coming up when I select links from articles discussing Exchange 2007.  Or am I mistaken?

https://technet.microsoft.com/en-us/library/ee428172(v=exchg.80).aspx This article applies to Exchange Server 2007 but I am confused about the differences between the two articles - namely the Exchange 2010 article appears to refer to using only cmdlet commands and the Exchange 2007 document refers to using SMTP Connector wizard.

Besides trying to figure out which set of instructions I should be following, I have several additional questions:

Should my first step be to contact each of the 190 companies on the list to confirm that they are able to send/receive Mutual Auth TLS on their end before I begin setting up each domain?

Is there a way to add all the required domains at one time or do I need to add each one via a separate command?

Will the new connectors only enforce the Mutual Auth TLS for the domains I provide? I want to ensure email sent to other domains that cannot accept encrypted email is not affected when I add the connectors.

Any information you can provide on this subject would be greatly appreciated.  Thank you.
0
Comment
Question by:LauriC
6 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40606197
Set-TransportConfig -TLSSendDomainSecureList woodgrovebank.com,bankusa.com,example.com,test.com
https://technet.microsoft.com/en-us/library/bb123543%28v=exchg.80%29.aspx
0
 

Author Comment

by:LauriC
ID: 40606216
Thank you for that link.  I did not find that specific article when I found the other two.  

Any comments on the 3 questions that I have regarding the procedure?
0
 
LVL 83

Accepted Solution

by: David Johnson, CD, MVP (earned 2000 total points)
ID: 40606231
Should my first step be to contact each of the 190 companies on the list to confirm that they are able to send/receive Mutual Auth TLS on their end before I begin setting up each domain?

Always test again; the article shows you the methods, and there is no need to contact the companies if the test works.

Is there a way to add all the required domains at one time or do I need to add each one via a separate command?

Given in the example.

Will the new connectors only enforce the Mutual Auth TLS for the domains I provide? I want to ensure email sent to other domains that cannot accept encrypted email is not affected when I add the connectors.

Yes
0

Author Comment

by:LauriC
ID: 40608434
I was able to successfully do a test setup on our own server, adding the Mutual Auth TLS to the connectors for the client's company's domain, but I ran into an issue with it working on the send connector and rejecting their email on the receive connector. I did more research on the problem and found an article that referenced selecting Partners on the Permission Tab of the receive connector, and that seemed to resolve the issue. I didn't see anything regarding this in the original instructions and am not sure why it was needed. Do you have any feedback on what that permission setting actually means and why it appeared to be required in order to allow inbound email from them?
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40608509
Did you run

Set-ReceiveConnector Internet -DomainSecureEnabled $true -AuthMechanism TLS

on all edge receive servers?
0
 

Author Comment

by:LauriC
ID: 40608616
It is an SBS Server so there is only one server involved. There is only one Receive Connector and I used the exact name of it when I issued the command (as opposed to Internet in your example above).

When I did the settings originally on both Send and Receive connectors, I was able to successfully send email, but when they replied back, they received a #550 5.7.1 Client does not have permissions to submit to this server ##

So I undid the settings on the receive connector by entering Set-TransportConfig -TLSReceiveDomainSecureList with no domains listed. Then I did a bit more research and found reference to Partner on the Permission Tab on the Receive Connector in regard to TLS and Enable Domain Security (Mutual Auth TLS), so I put a checkmark on that in the Permissions Tab, redid the original settings on the receive connector again to include their domain, restarted the MSExchange Transport service and everything seemed to start flowing again.

I now see a green circle with a white check mark on their inbound emails in my Outlook which says Exchange Domain Authenticated E-mail when clicked on. I don't see that on my outbound email though and am not sure if I am supposed to.

Sorry to be asking so many questions on this subject. I am trying to understand exactly what is needed and how it works before I attempt to do it directly on their server with a number of domains.
0
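The accepted answer gives the one-liner for the send list, and the later comments establish the two pieces that were missing for inbound mail (Domain Security on the receive connector plus the Partners permission group). The following Exchange Management Shell script is an added example, not code from this thread, from Microsoft or from either participant. It pulls all three pieces together for a long partner list the way the 190-domain request calls for: it reads the domains from a list, merges them with whatever is already in TransportConfig so earlier partners are not overwritten, enables Domain Security on one send and one receive connector, adds Partners to the receive connector's permission groups without dropping the groups already there, and prints the resulting settings for verification. The connector names, the CSV content and the hypothetical helper functions are assumptions; only the cmdlets and parameters are real. The domain list is embedded as constructed sample data so the script can be read stand-alone; on a live server you would swap the here-string for Import-Csv of the client's list.

```powershell
# Added example: bulk Domain Security (Mutual Auth TLS) setup for Exchange 2007/2010.
# Assumptions: run in the Exchange Management Shell on the Hub/Edge server; the connector
# names below are placeholders for the real ones shown by Get-SendConnector / Get-ReceiveConnector.
$SendConnectorName    = 'Internet'        # placeholder
$ReceiveConnectorName = 'Default SBS01'   # placeholder

# Constructed sample partner list. In practice: Import-Csv 'C:\DomainSecure\partners.csv'
$partnerCsv = @"
Domain
woodgrovebank.com
bankusa.com
Example.COM
 bankusa.com
not a domain
"@

# Hypothetical helper: normalise, validate and de-duplicate the domain column.
function Get-PartnerDomains([string]$Csv) {
    $Csv | ConvertFrom-Csv |
        ForEach-Object { $_.Domain.Trim().ToLowerInvariant() } |
        Where-Object { $_ -match '^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$' } |
        Sort-Object -Unique
}

# Hypothetical helper: merge a flags-style or multivalued property with extra entries.
function Merge-Values([object]$Existing, [string[]]$Add) {
    $current = @()
    if ($Existing) { $current = @("$Existing" -split ',\s*' | Where-Object { $_ }) }
    @($current + $Add) | Sort-Object -Unique
}

$partners = Get-PartnerDomains $partnerCsv
if (-not $partners) { throw 'No valid partner domains found.' }
Write-Host "Configuring Domain Security for $($partners.Count) domain(s): $($partners -join ', ')"

# 1. Domain lists. Set-TransportConfig replaces the whole multivalued list, so merge first.
#    Only domains in these lists get mutual TLS enforced; all other mail flow is unchanged.
$tc = Get-TransportConfig
$sendList    = Merge-Values ($tc.TLSSendDomainSecureList    -join ',') $partners
$receiveList = Merge-Values ($tc.TLSReceiveDomainSecureList -join ',') $partners
Set-TransportConfig -TLSSendDomainSecureList $sendList -TLSReceiveDomainSecureList $receiveList

# 2. Send connector: Domain Security requires DNS (MX) routing rather than a smart host.
Set-SendConnector -Identity $SendConnectorName -DomainSecureEnabled $true -DNSRoutingEnabled $true

# 3. Receive connector: enable Domain Security, keep existing auth mechanisms and add TLS,
#    and add the Partners permission group that the thread found necessary for inbound mail.
$rc     = Get-ReceiveConnector -Identity $ReceiveConnectorName
$auth   = Merge-Values $rc.AuthMechanism   @('Tls')
$groups = Merge-Values $rc.PermissionGroups @('Partners')
Set-ReceiveConnector -Identity $ReceiveConnectorName -DomainSecureEnabled $true `
    -AuthMechanism ($auth -join ',') -PermissionGroups ($groups -join ',')

# 4. Restart transport so the new lists are picked up, then show what was written.
Restart-Service MSExchangeTransport
Get-TransportConfig | Select-Object TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector    -Identity $SendConnectorName    | Select-Object Name, DomainSecureEnabled, DNSRoutingEnabled, Fqdn
Get-ReceiveConnector -Identity $ReceiveConnectorName | Select-Object Name, DomainSecureEnabled, AuthMechanism, PermissionGroups
```

Run it once with -WhatIf appended to the three Set- cmdlets to see what would change before committing, and keep the pre-change output of Get-TransportConfig so the lists can be restored if a partner's MTA turns out not to present a usable certificate: a domain left in TLSReceiveDomainSecureList whose mail fails mutual authentication is rejected at the receive connector, which is the failure mode seen in the 550 5.7.1 reply above.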
