Aamer- asked:

Secure mail with partners

We have an Exchange 2013 deployment. There is a requirement to have secure mail transfer to and from our sister company. We have a Cisco mail gateway appliance. I am aware that you can create send/receive connectors at both ends using certificates and can have secure mail delivery. But considering that there is a mail gateway in the middle, do we still make connectors on Exchange, or will the secure connection be at the mail gateway level? I am not sure what the setup is on the other side, but I have been asked to propose all options for secure mail delivery and I want to be informed about the components on my side when I talk or coordinate with the admins on the other side. Will the secure connection initiate and terminate on the Exchange servers or at the mail gateway? That is my question.

Tags: Exchange, Email Protocols, Outlook


8/22/2022 - Mon
Simon Butler (Sembee)

As you are using a gateway, that is what needs to be configured for the secure email.
Therefore your best option is to speak to Cisco.

The way I have done it with other products is to set up the appliance to accept all email from Exchange using mutual TLS, so everything is secure to the gateway, then configure each domain as required to use mutual TLS on the gateway appliance.

At the other end they do something similar, requiring mutual TLS with your appliance.

The other way round it is to bypass the gateway for those specific domains. Easily done for outbound traffic, inbound is a lot more involved and requires more cooperation from the other side.

Simon.
nashiooka

I assume you are using a Cisco IronPort Email Security Appliance (ESA). If so, take a look at the User Guide, which is downloadable from Cisco Support. I don't know what version you're on, but for 9-7 chapter 24 covers this really well. It explains how to install the certificate, with links to further reading on each step (page 24-2). On 24-11 there's information about destination controls you can use to force TLS for a given domain. Off the top of my head I'm not sure how to require TLS for the partner's traffic to you. At the moment I take that on faith based on their request to implement TLS.

Any connector modification you make in Exchange will affect the connection between Exchange and your ESA, but more than likely have no effect on the ultimate connection to your partner.
Aamer-

ASKER
Thanks for the prompt reply.

Do I need to create any connectors in Exchange with the address space of the destination domain, or is it enough to configure TLS on the gateway?
nashiooka

Is Exchange sending directly to the internet or using the Cisco appliance as a smart host?
Aamer-

ASKER
It is using the Cisco appliance as a smart host. The connection between Exchange and the mail server is already TLS.
Aamer-

ASKER
Sorry, the connection between the Exchange server and the Cisco appliance is already TLS.
Simon Butler (Sembee)

If Exchange and the appliance are already using TLS for all traffic, then you don't need to do anything in Exchange. Just continue to use the configuration you have. The mutual TLS will be done by the two devices that are public - so your appliance and the remote side.

Simon.
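The two designs Simon describes (keep the existing TLS leg between Exchange and the appliance and let the appliance do mutual TLS with the partner, or bypass the appliance for the partner domain with Exchange-to-Exchange mutual TLS) map onto a handful of Exchange Management Shell settings. The following is an added example for Exchange 2013, not code from this thread or from Cisco; every connector, server, host and domain name in it is an assumed placeholder.

```powershell
# Added example (Exchange 2013 Management Shell), not from the thread.
# Connector names, "MBX01", "esa.example.com" and "sister.example" are assumed placeholders.

# --- Option 1: keep the Exchange <-> appliance leg, let the appliance handle the partner ---

# Inspect the TLS-relevant settings on the Send connector that uses the appliance as smart host.
Get-SendConnector -Identity "Outbound via ESA" |
    Format-List Name, SmartHosts, DNSRoutingEnabled, RequireTLS, TlsAuthLevel, TlsDomain, IgnoreSTARTTLS

# Make that leg fail closed: no STARTTLS means no delivery, and the appliance must present a
# certificate whose name matches the FQDN Exchange expects (DomainValidation, not EncryptionOnly).
Set-SendConnector -Identity "Outbound via ESA" `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain "esa.example.com" `
    -IgnoreSTARTTLS $false

# Same for the inbound leg: the Receive connector the appliance delivers to.
Set-ReceiveConnector -Identity "MBX01\From ESA" -RequireTLS $true

# Verify from the SMTP send protocol log that sessions to the appliance really negotiated TLS.
# (Verbose logging must be on; this is the Transport service log folder, the Front End
# Transport service logs under TransportRoles\Logs\FrontEnd instead.)
Set-SendConnector -Identity "Outbound via ESA" -ProtocolLoggingLevel Verbose
$sendLogs = Join-Path $env:ExchangeInstallPath "TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\*.log"
Select-String -Path $sendLogs -Pattern "STARTTLS|Received certificate|Certificate subject" |
    Select-Object -Last 20

# --- Option 2: bypass the appliance for the partner domain (Exchange Domain Security) ---
# Mutual TLS directly between the two Exchange organisations. Needs DNS routing (no smart host),
# a publicly trusted certificate on both sides, and the matching configuration at the partner.
New-SendConnector -Name "Partner - sister.example" -Usage Partner `
    -AddressSpaces "sister.example" `
    -DNSRoutingEnabled $true `
    -DomainSecureEnabled $true `
    -SourceTransportServers "MBX01"

# List the partner domain for Domain Security in both directions.
Set-TransportConfig -TLSSendDomainSecureList "sister.example" `
                    -TLSReceiveDomainSecureList "sister.example"

# The Receive connector that accepts the partner's mail must already have Tls in its
# AuthMechanism list (the default frontend connector does); then enable Domain Security on it.
Set-ReceiveConnector -Identity "MBX01\Default Frontend MBX01" -DomainSecureEnabled $true
```

Option 1 changes nothing about how mail reaches the partner, which is Simon's point: the partner-facing mutual TLS lives on the appliance, so the Exchange side only needs to be confirmed and pinned. Option 2 is the more involved route he mentions for inbound, since the partner has to route the address space around their own gateway as well.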
Aamer-

ASKER
As an additional end-to-end security measure, is it recommended to enable S/MIME by issuing certificates to users? The TLS will encrypt the channel and the S/MIME will encrypt the email itself. Can they both coexist? You really saved me from hours of research, thanks a lot.
Aamer-

ASKER
No matter what appliance is being used on the other side, as long as the appliance on the other side is enabled for TLS, that should be OK, right?
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

Aamer-

ASKER
Thanks a lot