Enable TLS On Exchange 2003 With Specific Customers


  • Enable TLS On Exchange 2003 With Specific Customers

    I've had to do a lot of self-taught Exchange administration over the years, but I'm stumped with this last request.

    We've been asked by a customer to enable TLS between us and them for secure email communications.

    I read through MS KB articles 829721 and 823019, as well as posts on the Exchange Team Blog, searched these Forums, and trundled off down the many nooks and crannies that embedded links take me.

    The end result being that I think I understand the basics but am having trouble getting my head around the implementation.

    For starters, the customer doesn't use Exchange as their email system. Not sure what they have really, but they say it does support TLS, and considering their size, I would tend to believe they know what they are saying.

    Second, we only have a single Exchange box. No Front-End/Back-End stuff. It's just a straightforward dual-homed server sitting behind our firewall.

    So... Assuming these steps are a given:

    1) Add a new public IP address.
    2) Change the default SMTP VS to use just the old IP address.
    3) Create a new SMTP VS to use the new IP address.
    4) Buy a certificate from a reputable CA and install it on the new SMTP VS.
    5) Setup the new SMTP VS properties for TLS.
    6) Create a new SMTP Connector, using the new SMTP VS as the bridgehead.
    7) Add the customer email domain to the new SMTP Connector.

    This brings up several questions:

    1) Do I need a separate public IP address for every customer who wants TLS?
    2) What changes need to be made in our ISP DNS for A and MX records?
    3) Do I really need to open port 465, or will TLS work through 25 as usual?
    4) Are there other changes to ensure that secure emails get to our mailboxes?

    Any help or direction would be appreciated. Thanks.

  • #2
    Re: Enable TLS On Exchange 2003 With Specific Customers

    Hare Krsna,

    So my buddy, this is what you need to do to enable TLS between your server and theirs.

    Lets first discuss sending part.

    Create an SMTP connector.
    Name it (of course you need to do it)
    Add a Bridgehead Server (This will be the SMTP virtual server WITHOUT a certificate)
    Put a smarthost, i.e. the IP address of the remote domain
    Address space: the remote email domain, set whatever cost you want
    Now here is the trick
    To send email securely you just need to do this

    In the advanced properties of the SMTP connector
    Outbound Security > Put a check in Use TLS Encryption.
    That's it, done for sending TLS based email

    Now to receive a secure email
    Create two SMTP VS
    each one will have a unique IP address and port 25
    one of them will have a certificate installed from a Trusted CA
    Now do this
    Telnet Local_IP_address 25 (do it for both IP addresses)
    ehlo

    now check if you have the STARTTLS verb listed (ideally you would have the STARTTLS verb listed on both, but just in case it's different then let me know)

    Assuming you are not using the second NIC, you will be able to receive TLS based email.

    Let me know if it doesn't work.

    With Regards
    Navdeep

    Reputation is Earned not Asked for.
    Thanks & Regards
    v-2nas

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect
    Blog: http://www.exchadtech.blogspot.com

    Show your appreciation for my help by giving reputation points

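    The telnet/EHLO check described in the reply above, as an added example that is not part of the original post: parse_ehlo_extensions() reads a captured EHLO reply (the sample below is constructed, with the extension list Exchange 2003 typically shows) and advertises_starttls() reports whether the STARTTLS verb is present; check_starttls() does the same exchange live against your own server with Python's smtplib. The function names are assumptions of this example.

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply."""
import smtplib
from typing import Dict

# Constructed EHLO reply, laid out the way a telnet session shows it.
# This one does NOT advertise STARTTLS (no certificate on the virtual server).
SAMPLE_EHLO_REPLY_NO_TLS = """250-mail.example.com Hello [192.0.2.10]
250-TURN
250-SIZE 10485760
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-AUTH GSSAPI NTLM LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK"""

# Same server after a certificate was bound: STARTTLS appears in the list.
SAMPLE_EHLO_REPLY_TLS = SAMPLE_EHLO_REPLY_NO_TLS.replace(
    "250-SIZE", "250-STARTTLS\n250-SIZE"
)


def parse_ehlo_extensions(reply: str) -> Dict[str, str]:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: parameters}.

    The first line is the server greeting and is skipped; each following
    '250-' or '250 ' line names one extension keyword, optionally followed
    by parameters (RFC 5321 section 4.1.1.1).  Exchange ends its reply with
    a bare '250 OK', which is reported as the keyword 'OK'.
    """
    extensions: Dict[str, str] = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue  # not part of the 250 reply (e.g. a stray 220 banner)
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.strip()
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True if the reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check: open a session to host:port, send EHLO, look for STARTTLS.

    Run this from inside your network against each virtual server's address,
    as the reply above suggests doing with telnet.  Nothing is sent after
    EHLO, so the check is read-only.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    for label, reply in (("no cert", SAMPLE_EHLO_REPLY_NO_TLS),
                         ("with cert", SAMPLE_EHLO_REPLY_TLS)):
        print(f"{label}: STARTTLS advertised = {advertises_starttls(reply)}")
```

    If a virtual server that has a certificate bound still does not list STARTTLS, the certificate binding is what to revisit; a sender cannot negotiate TLS with a server that never offers the verb.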


    • #3
      Re: Enable TLS On Exchange 2003 With Specific Customers

      Thanks for the reply Navdeep, but... I wonder.

      The step about setting the smarthost to their email server doesn't make sense to me at the moment.

      I've used the smart-host setting on numerous IIS SMTP servers to point to our real Exchange Server, so that our web apps can send emails to customers' employees.

      But that requires that our Exchange Server allows relaying from the IIS servers. Wouldn't our customer have to set their email server in a similar manner?

      Also, I still have 2 SMTP VS's, each with a unique public IP address. What do I do about setting the public DNS? Do I have to have 2 MX records, 1 for each IP address? Do I give them different priorities?
      Last edited by TokyoBrit; 12th November 2008, 01:38.



      • #4
        Re: Enable TLS On Exchange 2003 With Specific Customers

        The step about setting the smarthost to their email server doesn't make sense to me at the moment.
        > It's simple to understand. The Exchange server uses a DNS server to get the MX record. Now the MX record refers to a host A or glue record. Now as you know a host A record is nothing but a mapping to an IP address. Let's say microsoft.com has an MX with preference 5, i.e. mail.microsoft.com, and 1.2.3.4 is the IP. Now when you specify a smart host on the SMTP Connector, NOT the Default SMTP Virtual Server, it will bypass doing the DNS lookup and make a direct connection to the relevant domain, because we know where the email is supposed to go. So do you understand now?

        I've used the smart-host setting on numerous IIS SMTP servers to point to our real Exchange Server, so that our web apps can send emails to customers employees.

        But that requires that our Exchange Server allows relaying from the IIS servers. Wouldn't our customer have to set their email server in a similar manner?
        > That is relaying off the Exchange server where your web apps or similar apps don't have any authentication mechanism. So you specify the IP address of the server running the application in Exchange Default SMTP Virtual Server > Properties > Access > Relay. So you can relay out email off the Exchange server.


        Also, I still have 2 SMTP VS's, each with a unique public IP address. What do I do about setting the public DNS? Do I have to have 2 MX records, 1 for each IP address? Do I give them different priorities?
        > Even if you have a single NIC with two IPs it will work for you. No need to worry about creating two MX records because you are using a single NIC with two IPs.

        You have that option if you want:
        you need two public IP addresses, two MX records, two NICs.

        However, in your case a single NIC with two IPs will do and you don't need to go through unnecessary things.
        Thanks & Regards
        v-2nas

        MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
        Sr. Wintel Eng. (Investment Bank)
        Independent IT Consultant and Architect
        Blog: http://www.exchadtech.blogspot.com

        Show your appreciation for my help by giving reputation points



        • #5
          Re: Enable TLS On Exchange 2003 With Specific Customers

          I don't know why it is being suggested to have a second IP address or a second SMTP virtual server, as that is not required at all.
          You also don't need to set a smart host unless the recipient needs you to use a separate server from those found in the MX record lookup.

          What seems to have happened is that you have confused the client to server configuration requirements with the server to server configuration requirements.

          For server to server, the simple fact that you have an SSL certificate on the SMTP virtual server will allow the use of TLS. The originating server just has to ask for it.

          For outbound email, configure an SMTP connector and add the domains that need to use TLS to the list, then set the option to use TLS. As long as it is the same server as listed in the MX records then TLS will be used.

          Keep it simple to begin with. However you do need to ask the other end if the server is the same as what is on their MX records.

          The SSL certificate that you use needs to match your MX record host name as well, otherwise the TLS connection will not be made due to a certificate mismatch.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.

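          The certificate-name check from the reply above (the certificate on the SMTP virtual server must match the MX host name), as an added example that is not Simon's code: cert_names() collects the CN and DNS subject alternative names from a certificate in the dict form Python's ssl.getpeercert() returns, name_matches() applies an RFC 6125 style comparison including a single-label wildcard, and cert_covers_host() ties the two together. fetch_smtp_cert() performs the live EHLO/STARTTLS exchange to obtain that dict from your own server. The sample certificate dict is constructed, and all function names are assumptions of this example.

```python
"""Check that an SMTP server certificate covers the host name in our MX record."""
import smtplib
import ssl
from typing import Dict, List

# Constructed certificate in ssl.getpeercert() layout: CN plus DNS SANs.
SAMPLE_CERT: Dict = {
    "subject": ((("countryName", "JP"),),
                (("organizationName", "Example Co"),),
                (("commonName", "mail.example.com"),)),
    "subjectAltName": (("DNS", "mail.example.com"),
                       ("DNS", "*.corp.example.com")),
}


def cert_names(cert: Dict) -> List[str]:
    """Return the commonName and every DNS subjectAltName in the certificate."""
    names: List[str] = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a '*.' wildcard that covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".corp.example.com"
        head, sep, tail = hostname.partition(".")
        return sep == "." and head != "" and "." + tail == suffix
    return False


def cert_covers_host(cert: Dict, mx_host: str) -> bool:
    """True if any name in the certificate matches the MX host name."""
    return any(name_matches(name, mx_host) for name in cert_names(cert))


def fetch_smtp_cert(host: str, port: int = 25, timeout: float = 10.0) -> Dict:
    """Live: EHLO, STARTTLS, and return the peer certificate as a dict.

    Chain validation stays on (default context); only the host-name check is
    disabled so that we can report the mismatch ourselves.  A certificate from
    a CA the client does not trust therefore fails here with ssl.SSLError,
    which is the same failure a remote sender would hit.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    for mx in ("mail.example.com", "tls.example.com", "relay.corp.example.com"):
        print(f"{mx}: covered = {cert_covers_host(SAMPLE_CERT, mx)}")
```

          Run cert_covers_host(fetch_smtp_cert("your.mx.host"), "your.mx.host") against your own server after binding the certificate; a False result means remote senders configured to require TLS will refuse the session even though STARTTLS is advertised.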


          • #6
            Re: Enable TLS On Exchange 2003 With Specific Customers

            I said from the start I was stumped... Now I'm beginning to see why.

            Since KISS is a good thing, I went to the Default SMTP VS and added a certificate from our own CA.

            Now, I see

            "Received from x.y.z (1.2.3.4) by my.company.mail over TLS secured channel with Microsoft SMTPSVC"

            in the message headers of numerous emails. Not all, but some, like the mail host used by this site for reply notifications.

            I also see the STARTTLS verb when I telnet to our mail server.

            Now... Is it truly using TLS, or does it fail to use it because the originating email server doesn't trust our CA?

            So... That leaves me with creating a new SMTP Connector, with the domain name of our customer, and checking the TLS Encryption on the Outbound Security dialog?



            • #7
              Re: Enable TLS On Exchange 2003 With Specific Customers

              Not all servers will use TLS. I would go as far as to say it will be a minority.

              Furthermore Exchange 2003 cannot do opportunist TLS. For inbound email, the sending server must ask, for outbound it must be told to using SMTP connectors.

              Using your own CA for something public isn't really a good idea. You should use a commercial SSL certificate that is widely trusted. GoDaddy ( http://certificatesforexchange.com/ ) are cheap, another option would be RapidSSL ( http://www.rapidssl.com/ ) who are also a good price.

              If TLS has been used then you will see the line in the headers as you have posted.
              For outbound email you will have to ask the recipient. You need to know if the recipients of outbound email are using TLS on their regular servers or on specific servers and you have to put another address in.

              Simon.
              Last edited by Sembee; 17th April 2013, 19:08. Reason: URL Correction
              --
              Simon Butler
              Exchange MVP

              Blog: http://blog.sembee.co.uk/
              More Exchange Content: http://exchange.sembee.info/
              Exchange Resources List: http://exbpa.com/
              In the UK? Hire me: http://www.sembee.co.uk/

              Sembee is a registered trademark, used here with permission.

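              The header check from posts #6 and #7 above (the "over TLS secured channel" phrase in a Received header written by Microsoft SMTPSVC means TLS was used for that hop), as an added example that is not the posters' code: audit_tls() pulls every Received header out of a raw message and reports, per hop, the sending host, the receiving host and whether the TLS marker is present. The sample message is constructed from the header text quoted in the thread; the function names are assumptions of this example.

```python
"""Audit Received: headers for the Microsoft SMTPSVC TLS marker."""
from email import message_from_string
from typing import List, Tuple

# The phrase Exchange 2003 / IIS SMTPSVC writes when the inbound hop used TLS.
TLS_MARKER = "over TLS secured channel"

# Constructed message: the topmost Received is our own server's hop (TLS),
# the one below it was written by the sender's relay (no TLS marker).
SAMPLE_MESSAGE = """Received: from x.y.z ([1.2.3.4]) by my.company.mail over TLS secured channel
\twith Microsoft SMTPSVC; Wed, 12 Nov 2008 09:15:02 +0900
Received: from relay.example.net ([192.0.2.7]) by x.y.z with Microsoft SMTPSVC;
\tWed, 12 Nov 2008 09:14:58 +0900
From: sender@example.net
To: me@company.example
Subject: TLS check

body text
"""


def received_hops(raw_message: str) -> List[str]:
    """Return all Received headers, unfolded, most recent hop first."""
    msg = message_from_string(raw_message)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def hop_summary(hop: str) -> Tuple[str, str, bool]:
    """Return (from_host, by_host, used_tls) for one unfolded Received header."""
    from_host = by_host = ""
    tokens = hop.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "from" and not from_host:
            from_host = tokens[i + 1]
        elif tok == "by" and not by_host:
            by_host = tokens[i + 1]
    return from_host, by_host, TLS_MARKER in hop


def audit_tls(raw_message: str) -> List[Tuple[str, str, bool]]:
    """Summarise every hop in the message."""
    return [hop_summary(hop) for hop in received_hops(raw_message)]


def last_hop_used_tls(raw_message: str) -> bool:
    """True if the hop into our own server (the topmost Received) was TLS.

    Only the header our own server wrote is trustworthy: every earlier
    Received line was supplied by someone else's server and can say anything.
    """
    hops = audit_tls(raw_message)
    return bool(hops) and hops[0][2]


if __name__ == "__main__":
    for from_host, by_host, used_tls in audit_tls(SAMPLE_MESSAGE):
        print(f"{from_host:>20} -> {by_host:<20} TLS={used_tls}")
```

              Pointing audit_tls() at a folder of delivered messages gives a quick count of which sending domains actually negotiate TLS with your server, which answers the "is it truly using TLS" question from the data rather than from the sender's word.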


              • #8
                Re: Enable TLS On Exchange 2003 With Specific Customers

                Here is how you need to understand this. It's pretty simple... of course after putting 10hrs .. it appears simple now

                so to send out TLS or encrypted email you really really don't need certificate

                Just an smtp connector with TLS enabled with address space as remote domain.
                That's it.

                and to receive email over secure channel or tls or encryption

                you need to have a certificate assigned to a preferably new SMTP virtual server. Theoretically a single SMTP virtual server will do, however I have seen it fail and we need to create an additional virtual server that has the certificate installed on it.

                You are done. TLS is setup.
                Thanks & Regards
                v-2nas

                MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                Sr. Wintel Eng. (Investment Bank)
                Independent IT Consultant and Architect
                Blog: http://www.exchadtech.blogspot.com

                Show your appreciation for my help by giving reputation points



                • #9
                  Re: Enable TLS On Exchange 2003 With Specific Customers

                  Thank you for all your comments. They have truly helped.

                  I had a meeting with the customer yesterday and the topic of TLS was raised.

                  Since I had something to show them that I wasn't a complete idiot, they've put me in touch with their Exchange and TLS teams. Tickets need to be raised on their side and actioned on.

                  So it looks like they use Exchange. That'll make things easier.

                  We've already received a quotation from Verisign, which is the only commercial CA we use, since neither GoDaddy nor RapidSSL offer support in Japanese, so we'll be installing a proper certificate shortly.

                  I only really have one area that I'm still not sure about, and that is if I add a second SMTP Virtual Server on a second public IP address. I guess I will address that when I get to it.



                  • #10
                    Re: Enable TLS On Exchange 2003 With Specific Customers

                    Thanks for your comments.

                    Let me know when you need further help, and post on the forums too, also for the benefit of the masses in general.
                    Last edited by v-2nas; 14th November 2008, 23:30. Reason: For your pleasure too
                    Thanks & Regards
                    v-2nas

                    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                    Sr. Wintel Eng. (Investment Bank)
                    Independent IT Consultant and Architect
                    Blog: http://www.exchadtech.blogspot.com

                    Show your appreciation for my help by giving reputation points



                    • #11
                      Re: Enable TLS On Exchange 2003 With Specific Customers

                      It would be nice to keep queries on the forums so everyone can benefit from them.
                      cheers
                      Andy

                      Please read this before you post:


                      Quis custodiet ipsos custodes?



                      • #12
                        Re: Enable TLS On Exchange 2003 With Specific Customers

                        Originally posted by v-2nas:
                        Thanks for your comments.

                        PM me when you need further help and post on the forums too
                        I actively discourage the use of PM for technical enquiries. PM is for messages of a private nature; and on this forum, technical enquiries are to the benefit of all.


                        Tom
                        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                        Anything you say will be misquoted and used against you



                        • #13
                          Re: Enable TLS On Exchange 2003 With Specific Customers

                          Hello

                          This is by you

                          Tom
                          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                          Anything you say will be misquoted and used against you

                          and This is by Andy
                          It would be nice to keep queries on the forums so everyone can benefit from them.


                          So I appreciate Andy's feedback and I have fixed the loophole. I felt in his words that he wanted to be helpful rather than critical, and you are totally the opposite. Anyway, the consciousness is carried along with the words.

                          Thanks to Andy for bringing this to my attention.
                          Thanks & Regards
                          v-2nas

                          MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                          Sr. Wintel Eng. (Investment Bank)
                          Independent IT Consultant and Architect
                          Blog: http://www.exchadtech.blogspot.com

                          Show your appreciation for my help by giving reputation points



                          • #14
                            Re: Enable TLS On Exchange 2003 With Specific Customers

                            Originally posted by v-2nas:
                            you need to have a certificate assigned to a preferably new smtp virtual server. Theoretically a single smtp virtual server will do however i have seen it fails and we need to create additional virtual server that has certificate installed on it.
                            This is where I am having a problem.

                            If I create a new SMTP VS using a new IP address that has the certificate installed, how do I setup the MX and A records in DNS?

                            Let's take the normal setup:

                            mail.mydomain.com internet address = xxx.xxx.xxx.10
                            mydomain.com MX preference = 10, mail exchanger = mail.mydomain.com

                            Now, I've added the new certificate-installed / TLS-enabled SMTP VS:

                            mail.mydomain.com internet address = xxx.xxx.xxx.10
                            tls.mydomain.com internet address = xxx.xxx.xxx.20
                            mydomain.com MX preference = 10, mail exchanger = mail.mydomain.com
                            mydomain.com MX preference = 10, mail exchanger = tls.mydomain.com

                            As far as I understand it, this will cause remote email servers to connect to one or the other mail server when sending us email, which means that TLS may or may not be used.

                            Seems a bit hit-or-miss. So what am I missing?



                            • #15
                              Re: Enable TLS On Exchange 2003 With Specific Customers

                              I wouldn't set MX records for the TLS enabled server.
                              If you have specific senders who need to send you TLS secured traffic, then you need to tell them what host to use.
                              Exchange 2003 doesn't do opportunist TLS, it is either ON or OFF. If it is ON, then it is ON for all traffic - which will mean all non TLS traffic will be dropped.

                              Simon.
                              --
                              Simon Butler
                              Exchange MVP

                              Blog: http://blog.sembee.co.uk/
                              More Exchange Content: http://exchange.sembee.info/
                              Exchange Resources List: http://exbpa.com/
                              In the UK? Hire me: http://www.sembee.co.uk/

                              Sembee is a registered trademark, used here with permission.
