TLS Encryption


  • TLS Encryption

    Hi all,
    one more question for you guys in my quest to create the perfect Exchange installation (yeah, right...):

    I want to force TLS encryption on all incoming mail traffic to Exchange's virtual SMTP server.
    In order to do so, I configured the virtual SMTP server to use the same certificate I use to encrypt OWA (can I do that?). I also made sure that the server's FQDN (in the SMTP banner) is the one the certificate was issued for.
    The certificate is from a trusted CA (Comodo) and is intended for the following purposes: "ensures the identity of the remote computer" AND "proves your identity to a remote computer".

    When I send an email from an outside source (Gmail or my corporate mail system) I get the same result: "530 5.7.0 Must issue a STARTTLS command first".
    When I connect to the server by telnetting to port 25 I get kicked off right after issuing the STARTTLS command (try it yourself: mail.rozanskis.com).

    Some good advice would be appreciated...
    Last edited by ronroze; 9th August 2007, 12:27.

  • #2
    Re: TLS Encryption

    You cannot force all inbound email to use TLS if you want to receive 99% of the email destined for your server. Most of the internet does not use TLS.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



  • #3
    Re: TLS Encryption

    Is it because of compatibility issues?
    If I understand correctly (do I?), nothing needs to be configured on the sender side - it just needs to support the STARTTLS command, which is an RFC.



  • #4
    Re: TLS Encryption

    TLS isn't used by most sites for sending email to external hosts. It is used quite a bit for client-to-server email, but that is mainly to protect the username and password functionality. Email on the internet is not secure.

    On Exchange, if you want to use TLS for sending email you have to specifically enable it. Exchange 2007 has introduced opportunistic TLS, where it tries to use TLS but quickly falls back. Older versions cannot do that.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.

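The distinction Simon draws between a required and an opportunistic TLS policy, modelled as an added example that is not Exchange's code or anything posted in this thread: a scripted SMTP receive connector that answers a plaintext sender with the same "530 5.7.0" reply the original poster saw when the policy is required, but accepts the message when the policy is opportunistic. Hostnames and addresses are constructed placeholders.

```python
"""TLS policy of an SMTP receive connector, modelled offline (added example, not Exchange code).

'required' is what the original poster configured (plaintext senders get 530 5.7.0);
'opportunistic' uses TLS when the sender asks and accepts plaintext otherwise.
Client command lists below are constructed sample input; nothing touches the network.
"""

STARTTLS_REQUIRED_MSG = "530 5.7.0 Must issue a STARTTLS command first"


def smtp_session(policy, client_commands, hostname="mail.example.com"):
    """Return the server greeting followed by one reply per scripted client command."""
    if policy not in ("required", "opportunistic"):
        raise ValueError("policy must be 'required' or 'opportunistic'")
    replies = ["220 %s ESMTP ready" % hostname]
    tls_active = False
    greeted = False  # RFC 3207: the client must send EHLO again after STARTTLS
    for cmd in client_commands:
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "EHLO":
            greeted = True
            lines = ["250-%s" % hostname]
            if not tls_active:
                lines.append("250-STARTTLS")  # only advertised while still in plaintext
            lines.append("250 OK")
            replies.append("\r\n".join(lines))
        elif verb == "STARTTLS":
            if tls_active:
                replies.append("503 5.5.1 TLS already active")
            else:  # a real server negotiates TLS here; we only flip the state
                tls_active, greeted = True, False
                replies.append("220 2.0.0 Ready to start TLS")
        elif verb in ("MAIL", "RCPT", "DATA"):
            if not greeted:
                replies.append("503 5.5.1 Send EHLO first")
            elif policy == "required" and not tls_active:
                replies.append(STARTTLS_REQUIRED_MSG)  # what Gmail got from the OP's server
            else:
                replies.append("250 2.1.0 OK")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.2 Command not recognized")
    return replies


# Constructed sessions: most internet senders behave like PLAIN_SENDER (Simon's point).
PLAIN_SENDER = ["EHLO sender.example", "MAIL FROM:<a@sender.example>", "QUIT"]
TLS_SENDER = ["EHLO corp.example", "STARTTLS", "EHLO corp.example",
              "MAIL FROM:<a@corp.example>", "QUIT"]
```

`smtp_session("required", PLAIN_SENDER)[2]` is the 530 reply; the same call with `"opportunistic"` returns 250, and `TLS_SENDER` is accepted under both policies.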


  • #5
    Re: TLS Encryption

    Just added another connector to our corporate Exchange and configured it to use TLS when sending mail to the rozanskis.com domain - works beautifully.
    The "530 5.7.0 Must issue a STARTTLS command first" error seems to be the SMTP version of HTTP's own 403.4 error ("must be viewed over secure channel"), but while 403.4 can be automatically solved using a simple JavaScript which adds an "S" to "HTTP", there is no way to do so in SMTP.
    Oh well, can't have it all...

    Thanks, Sembee!
