Force TLS for certain Domains in Exchange 2010 SP3

Hello,
Is there a way to force TLS for some domains and leave it as opportunistic for the rest of the email? We already use TLS, and just need to enforce its use for certain companies that require it.
JesusFreak42 asked:
Stuart (Technical Architect - Cloud) commented:
I was also looking for this. I managed to enforce this, but not by using a smart host. The traffic had to be routed via DNS. Here is the command I used:

New-SendConnector -Name 'TLS Enforced' -Usage 'Custom' -AddressSpaces 'SMTP:domain.com;1' -IsScopedConnector $false -DNSRoutingEnabled $true -DomainSecureEnabled $true -Identity 'TLS Enforced' -SmartHostAuthMechanism 'None' -UseExternalDNSServersEnabled $false -SourceTransportServers 'Exchsvr1','Exchsvr2','Exchsvr3'

You cannot enable DomainSecured if you're routing through a smarthost. I would love for someone to be able to prove this wrong, however!
JesusFreak42 (Author) commented:
Sorry for my ignorance, but what is a smarthost?
Amish Sanghrajka commented:
Hi,

When you say you want to force TLS for some domains, are these the domains you are receiving from or domains included in your network? What I mean to say is are you receiving emails from abc@ABC.com or is this regarding emails sent to abc@ABC.com?

Kind regards,
JesusFreak42 (Author) commented:
1) These are domains we are sending and receiving from.
2) They are outside our domain. There are basically 4 other companies that have been purchased by a company. We are one of those companies. So, therefore, we need to enable TLS between our company and the others, but we are all in separate environments.
Stuart (Technical Architect - Cloud) commented:
A smart host is basically a device that relays your emails; they often perform some sort of filtering service as well. This could be an internal appliance, e.g. IronPort, or a cloud-based service, e.g. MessageLabs.
Amish Sanghrajka commented:
Hi,

It appears that what you need is to set up mutual TLS. Unfortunately this is not a simple solution but luckily there is a step-by-step TechNet article. The downside is that this will have to be set up on each of the environments.

TechNet Link: https://technet.microsoft.com/en-us/library/bb123543.aspx 

Hopefully this can explain what needs to be done.

Kind regards,
Amish.
Stuart (Technical Architect - Cloud) commented:
This presumes you have an Edge Exchange Server...
JesusFreak42 (Author) commented:
We just have a single Exchange server. So I think your first suggestion should work.

As far as smarthosts go, MXLogic, for instance, would be considered a smarthost.
Stuart (Technical Architect - Cloud) commented:
Ok, so mail is not routed through this; in the config I posted it would rely on DNS to route externally. It would also only force TLS outbound.
Amish Sanghrajka commented:
Ah yes, sorry, my oversight there. I missed that in the pre-reqs. In that case Stuart's recommendation with regards to outbound TLS is correct.
Amish Sanghrajka commented:
If you want to enforce TLS on inbound mail you should be able to do so by creating a new receive connector, setting the authentication to TLS only and adding the IP addresses for the other companies into scoping. This assumes that the other companies all have static IP addresses.
JesusFreak42 (Author) commented:
Stuart,
So that would force TLS outbound, which is what I really need. Our incoming email is routed through MXLogic inbound, so we need to call them.
Stuart (Technical Architect - Cloud) commented:
Your smart host should be able to do it all for you, inbound & outbound, but some providers charge extra for this. I would ask; it would save you a headache!
JesusFreak42 (Author) commented:
Do I need to set UseExternalDNSServersEnabled $false to true?
JesusFreak42 (Author) commented:
Here's what I am getting:
[attached image: Capture.PNG]
JesusFreak42 (Author) commented:
Ok. Now what? Look at the picture below.
[attached image: Capture.PNG]
Stuart (Technical Architect - Cloud) commented:
Sorry, that needs to be set to true!
Stuart (Technical Architect - Cloud) commented:
It looks like I had a major brain malfunction! Set it to true and miss out the -Identity 'TLS Enforced'.

Let me know how you get on
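For readers who want the whole thing in one place, here is an added example (not from the thread or any of its participants) that puts together the outbound connector as Stuart finally corrected it, the inbound receive connector Amish described, the Domain Security transport lists the linked TechNet article configures, and a verification step. The partner domain "partner.example", the partner IP 203.0.113.10 and the single server name "Exchsvr1" are placeholders; run it in the Exchange Management Shell on Exchange 2010 SP3.

```powershell
# Added example: outbound + inbound enforced TLS for one partner domain.
# Placeholders: partner.example, 203.0.113.10, Exchsvr1 (adjust for your site).

# --- Outbound: DNS-routed send connector that requires mutual TLS ----------
# -Identity is dropped (New-SendConnector has no such parameter) and
# -UseExternalDNSServersEnabled is $true, as corrected later in the thread.
# DomainSecureEnabled requires DNS routing; it cannot be used with a smart host.
New-SendConnector -Name 'TLS Enforced' -Usage 'Custom' `
    -AddressSpaces 'SMTP:partner.example;1' `
    -IsScopedConnector $false `
    -DNSRoutingEnabled $true `
    -DomainSecureEnabled $true `
    -SmartHostAuthMechanism 'None' `
    -UseExternalDNSServersEnabled $true `
    -SourceTransportServers 'Exchsvr1'

# Domain Security also needs the partner domain on the transport-wide
# send/receive secure lists, otherwise mail is still sent opportunistically.
Set-TransportConfig -TLSSendDomainSecureList 'partner.example' `
                    -TLSReceiveDomainSecureList 'partner.example'

# --- Inbound: receive connector scoped to the partner's IPs, TLS required --
# Only meaningful when the partner delivers directly to you; if inbound mail
# is relayed by a smart host (MXLogic in the thread), it arrives from the
# smart host's addresses and that provider must enforce TLS instead.
New-ReceiveConnector -Name 'TLS Enforced Inbound' -Usage 'Custom' `
    -Server 'Exchsvr1' `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges '203.0.113.10' `
    -AuthMechanism 'Tls' `
    -RequireTLS $true `
    -DomainSecureEnabled $true `
    -PermissionGroups 'AnonymousUsers'

# --- Verify: confirm both connectors exist with the enforcing settings -----
Get-SendConnector 'TLS Enforced' |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, DomainSecureEnabled, UseExternalDNSServersEnabled
Get-ReceiveConnector 'Exchsvr1\TLS Enforced Inbound' |
    Format-List Name, RemoteIPRanges, AuthMechanism, RequireTLS, DomainSecureEnabled
Get-TransportConfig |
    Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
```

The send connector's address space cost of 1 makes it win over any existing catch-all ('*') connector for partner.example only, so every other domain keeps using opportunistic TLS.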

JesusFreak42 (Author) commented:
Thanks for all the help. This final bit took care of it. :)