Solved

Mutual Authenticated TLS encryption on Exchange 2007

Posted on 2015-02-12
Last Modified: 2015-02-13
I have worked with Exchange Server for a number of years but have very limited experience with implementing email encryption. I was recently assigned a project for a client regarding a request to set up Mutual Authenticated TLS encryption for a large number of companies that they do business with, and I have been researching the subject. I have a couple of questions that I was hoping you may be able to answer, or provide some additional resources that clarify the procedure for me.

The client is currently running SBS 2008 with Exchange Server 2007. A TLS certificate has already been purchased and installed, and I have confirmed that it is working properly through testsender@CheckTLS.com. The list they provided has 190 companies that need to be configured for Mutual Auth TLS, and I am confused as to what steps I need to implement at this point.

I have been reviewing two technet articles:

https://technet.microsoft.com/en-us/library/bb123543(v=exchg.141).aspx  This article applies to Exchange Server 2010, but I believe the configuration would be similar for Exchange 2007, as this article keeps coming up when I select links from articles discussing Exchange 2007. Or am I mistaken?

https://technet.microsoft.com/en-us/library/ee428172(v=exchg.80).aspx  This article applies to Exchange Server 2007, but I am confused about the differences between the two articles; namely, the Exchange 2010 article appears to refer to using only cmdlet commands, and the Exchange 2007 document refers to using the SMTP Connector wizard.

Besides trying to figure out which set of instructions I should be following, I have several additional questions:

Should my first step be to contact each of the 190 companies on the list to confirm that they are able to send/receive Mutual Auth TLS on their end before I begin setting up each domain?

Is there a way to add all the required domains at one time or do I need to add each one via a separate command?

Will the new connectors only enforce the Mutual Auth TLS for the domains I provide? I want to ensure email sent to other domains that cannot accept encrypted email is not affected when I add the connectors.

Any information you can provide on this subject would be greatly appreciated.  Thank you.
Question by: LauriC

Expert Comment by: David Johnson, CD, MVP
ID: 40606197
Set-TransportConfig -TLSSendDomainSecureList woodgrovebank.com,bankusa.com,example.com,test.com
https://technet.microsoft.com/en-us/library/bb123543%28v=exchg.80%29.aspx

Author Comment by: LauriC
ID: 40606216
Thank you for that link. I did not find that specific article when I found the other two.

Any comments on the 3 questions that I have regarding the procedure?

Accepted Solution by: David Johnson, CD, MVP
ID: 40606231
Should my first step be to contact each of the 190 companies on the list to confirm that they are able to send/receive Mutual Auth TLS on their end before I begin setting up each domain?

Always test. Again, the article shows you the methods, and there is no need to contact the companies if the test works.

Is there a way to add all the required domains at one time, or do I need to add each one via a separate command?

Given in the example.

Will the new connectors only enforce the Mutual Auth TLS for the domains I provide? I want to ensure email sent to other domains that cannot accept encrypted email is not affected when I add the connectors.

Yes.
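The accepted solution and the earlier one-liner set the Domain Security (Mutual Auth TLS) domain list with a single Set-TransportConfig call. The script below is an added example, not code from the thread or from Microsoft, showing how a practitioner would load 190 partner domains from a file into that multi-valued property in one call, merge them with anything already configured, and enable Domain Security on the Send connector. The file path C:\MutualTLS\domains.txt and the Send connector name "Internet" are assumed placeholders. Run it in the Exchange Management Shell on the Exchange 2007 server.

```powershell
# Added example (not from the original thread or from Microsoft): bulk-load the
# Domain Security (Mutual Auth TLS) domain list on Exchange 2007 from a text file.
# Assumptions: $DomainFile and $SendConnName are placeholders for this example.

$DomainFile   = 'C:\MutualTLS\domains.txt'   # assumed path; one domain per line, '#' lines ignored
$SendConnName = 'Internet'                    # assumed Send connector name; check Get-SendConnector

# Normalise the file: trim, lower-case, drop blanks and comments, de-duplicate.
$domains = Get-Content $DomainFile |
    ForEach-Object { $_.Trim().ToLower() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique

# Refuse anything that is not a plausible DNS name; a bad entry never
# matches a real peer, so it would silently leave that partner unsecured.
$bad = $domains | Where-Object { $_ -notmatch '^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$' }
if ($bad) { throw "Invalid domain entries: $($bad -join ', ')" }

# Setting the parameter replaces the whole list, so merge with what is
# already configured rather than overwriting an existing partner.
$cfg  = Get-TransportConfig
$send = @($cfg.TLSSendDomainSecureList    | ForEach-Object { $_.ToString().ToLower() }) + $domains | Sort-Object -Unique
$recv = @($cfg.TLSReceiveDomainSecureList | ForEach-Object { $_.ToString().ToLower() }) + $domains | Sort-Object -Unique

# One call per direction; the parameters are multi-valued, no per-domain loop needed.
Set-TransportConfig -TLSSendDomainSecureList $send -TLSReceiveDomainSecureList $recv

# Domain Security on the Send connector requires DNS routing (no smart host)
# and STARTTLS must not be ignored; Set-SendConnector rejects other combinations.
Set-SendConnector $SendConnName -DomainSecureEnabled $true -DNSRoutingEnabled $true -IgnoreSTARTTLS $false

# Verify. Only domains in these lists are subject to mutual TLS; all other
# recipients keep using opportunistic TLS or plain SMTP as before.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector $SendConnName | Format-List DomainSecureEnabled, DNSRoutingEnabled, IgnoreSTARTTLS
```

The merge step matters because TLSSendDomainSecureList and TLSReceiveDomainSecureList are set as whole lists: re-running the script with a shorter file would otherwise drop partners that were added earlier. Domain Security also assumes the installed certificate is enabled for the SMTP service on this server (Get-ExchangeCertificate shows the Services column), which the original poster had already confirmed with the CheckTLS test.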

Author Comment by: LauriC
ID: 40608434
I was able to successfully do a test setup on our own server, adding the Mutual Auth TLS to the connectors for the client company's domain, but I ran into an issue with it working on the send connector and rejecting their email on the receive connector. I did more research on the problem and found an article that referenced selecting Partners on the Permissions tab of the receive connector, and that seemed to resolve the issue. I didn't see anything regarding this in the original instructions and am not sure why it was needed. Do you have any feedback on what that permission setting actually means and why it appeared to be required in order to allow inbound email from them?

Expert Comment by: David Johnson, CD, MVP
ID: 40608509
Did you run
Set-ReceiveConnector Internet -DomainSecureEnabled $true -AuthMechanism TLS

on all edge receive servers?

Author Comment by: LauriC
ID: 40608616
It is an SBS server, so there is only one server involved. There is only one Receive connector, and I used the exact name of it when I issued the command (as opposed to Internet in your example above).

When I did the settings originally on both Send and Receive connectors, I was able to successfully send email, but when they replied back, they received a "#550 5.7.1 Client does not have permissions to submit to this server ##".

So I undid the settings on the receive connector by entering Set-TransportConfig -TLSReceiveDomainSecureList with no domains listed. Then I did a bit more research and found a reference to Partners on the Permissions tab of the Receive connector in regard to TLS and Enable Domain Security (Mutual Auth TLS), so I put a checkmark on that in the Permissions tab, redid the original settings on the receive connector again to include their domain, and restarted MSExchange Transport, and everything seemed to start flowing again.

I now see a green circle with a white check mark on their inbound emails in my Outlook, which says "Exchange Domain Authenticated E-mail" when clicked on. I don't see that on my outbound email, though, and am not sure if I am supposed to.

Sorry to be asking so many questions on this subject.  I am trying to understand exactly what is needed and how it works before I attempt to do it directly on their server with a number of domains.
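The 5.7.1 "Client does not have permissions to submit" rejection and the Partners fix described in the last two comments come from how Domain Security authenticates the inbound session: a peer that passes the mutual TLS check is treated as the Exchange "Partner Servers" principal, and the Partners permission group is what grants that principal submit rights on the Receive connector. The following script is an added example, not code from the thread or from Microsoft, showing the receive-side configuration done from the shell in a way that adds Partners (and TLS) to the connector without wiping the groups and auth mechanisms it already has, then verifies the resulting permission entries. It assumes the single SBS Receive connector is the one bound to port 25 and that the partner domain is already in TLSReceiveDomainSecureList; the property names and the loose "*Partner*" match on the principal name are assumptions for this example.

```powershell
# Added example (not from the original thread or from Microsoft): enable
# Domain Security on the single Exchange 2007 Receive connector and add the
# Partners permission group without dropping existing settings.
# Assumption: the connector to change is the one bound to TCP port 25.

$rc = Get-ReceiveConnector |
    Where-Object { @($_.Bindings | ForEach-Object { $_.ToString() }) -match ':25$' } |
    Select-Object -First 1
if (-not $rc) { throw 'No Receive connector bound to port 25 was found' }

# PermissionGroups is a flags value; assigning just "Partners" would silently
# remove AnonymousUsers and reject ordinary Internet mail, so merge instead.
$groups = @($rc.PermissionGroups.ToString() -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' })
if ($groups -notcontains 'Partners') { $groups += 'Partners' }

# Same for AuthMechanism: Domain Security needs Tls in the set, but replacing
# the whole set with "Tls" (as in the bare TechNet one-liner) drops the rest.
$auth = @($rc.AuthMechanism.ToString() -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' })
if ($auth -notcontains 'Tls') { $auth += 'Tls' }

Set-ReceiveConnector $rc.Identity -DomainSecureEnabled $true `
    -AuthMechanism ($auth -join ',') -PermissionGroups ($groups -join ',')

# Verify: the Partners group should now appear as ACEs for the Partner Servers
# principal on the connector, including the submit right whose absence caused
# the 550 5.7.1. The principal name is matched loosely (assumed display name).
$partnerAces = Get-ADPermission -Identity $rc.Identity |
    Where-Object { $_.User -like '*Partner*' -and -not $_.Deny }
if (-not $partnerAces) { throw 'Partners permission group did not produce any ACEs on the connector' }
$partnerAces | Format-Table User, ExtendedRights -AutoSize

# Show the final state, then restart transport so the change takes effect.
Get-ReceiveConnector $rc.Identity | Format-List Identity, DomainSecureEnabled, AuthMechanism, PermissionGroups
Restart-Service MSExchangeTransport
```

The reason the GUI checkbox worked while the cmdlet-only instructions did not is that the Permissions tab writes the Partners group for you, whereas Set-ReceiveConnector -DomainSecureEnabled $true on its own changes nothing about who is allowed to submit. On the outbound side there is no such checkbox; the "Exchange Domain Authenticated E-mail" indicator is stamped by the receiving server, so it is normal to see it only on mail that arrived over a Domain Secured session, not on your own sent items.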