  • TLS connection to Partner company

    Hi,

    I'm wondering if somebody could give me a few pointers on setting up a TLS connection to our partner company for secure email.

    We're using Exchange 2007 and our partner company are on Exchange 2003. They have provided me with an IP address and name of the server we are to point to.

    Do I need to create a new send connector setting the address space to *.partnercomp.com and then specify their email server as the smarthost? Is this then basically saying that everything for our partner company will be directed to their server?

    Do I need to create a new receive connector or will the receive connector we already have set up be sufficient? It currently accepts mail from any server, as the remote IP addresses are set to 0.0.0.0-255.255.255.255.

    Could anybody help me with this?

    SM

  • #2

    An IP address isn't going to work. They will not have an SSL certificate for the IP address, so the TLS connection will not be established. You need to know what name is on the SSL certificate.
    Otherwise you have it correct - another Send Connector with the relevant information in it.

    As for receive, as long as you have an SSL certificate that is trusted and matches your MX record, you don't need to do anything. Exchange 2007 supports opportunistic TLS, so it will use TLS where it is available. However, on their end they will need to set up an SMTP Connector using a smart host and your public MX record name so that they can enable the option to use TLS, as Exchange 2003 doesn't do opportunistic TLS; it has to be told.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3

      Thanks for your reply, Sembee!

      On the send connector, do I need to change the smart host authentication to Basic authentication over TLS? Is this how I specify to use TLS when sending?

      I've just checked our receive connector and on the general tab, the FQDN specified is mail.mycompany.com. Is this the name that is required on our SSL certificate?

      Thanks

      Matt.



      • #4

        Hi,

        I've just realised that as long as TLS is selected on the authentication tab of the receive connector, this then enables opportunistic TLS. Is that correct?



        • #5

          Do you not have a commercial SSL certificate already for your Exchange 2007 server?

          I recommend the following URLs on the certificates:

          owa.domain.net (or whatever you are using for OWA)
          autodiscover.domain.net
          servername
          servername.domain.local

          Now, with my setups, I use the same host name for OWA as I do for the MX records. That could be owa.domain.net or mail.domain.net - doesn't really matter.
          If you want to use TLS then to ensure maximum compatibility you really need to use the same name for everything so that the common name in the certificate is the same as your MX records etc.

          Authentication has nothing to do with the use of TLS. TLS is a transport mechanism only.

          Simon.



          • #6

            Originally posted by Sembee:
                I recommend the following URLs on the certificates:

                owa.domain.net (or whatever you are using for OWA)
                autodiscover.domain.net
                servername
                servername.domain.local

            Keep in mind that if you're using a split brain DNS, where you have an internal forward lookup zone that matches your external domain name, you don't need to publish
            servername
            servername.domain.local
            in your SAN certificate.
            Pat Richard
            Exchange MVP
            contributing author "Microsoft Exchange Server 2007: The Complete Reference"



            • #7

              Thanks again for the reply!

              This is where I'm at now:

              When Exchange was first installed, our budget only allowed us to purchase a normal certificate and not a SAN. Therefore we just entered the OWA URL. When I checked the cert, it was only enabled for Web, so I had to re-enable it for SMTP and Web. This now means we have one URL for OWA and for our partner company's TLS connection.

              The receive connector is now working fine.

              As for the send connector, I've created a new Partner send connector which only allows us to send mail via the DNS MX records. Therefore, on my DNS server, I've created a new forward lookup zone called partnercomp.com and added in an MX record using the details given to me by the partner company.

              Everything seems to be working fine!

              If you think this is wrong, please let me know. This is the first time I've done this, so I am on a huge learning curve!!

              Matt


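As an added example (not code from the thread or from Sembee), here is how the setup described in post #7, plus the smart-host alternative from post #10, looks in the Exchange 2007 Management Shell; 'partnercomp.com', 'mail.mycompany.com', 'MYSERVER' and 'smtp.partnercomp.com' are placeholder names.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell.
# Placeholders (assumptions): 'partnercomp.com', 'mail.mycompany.com', 'MYSERVER'
# and 'smtp.partnercomp.com' stand in for the real names.
$PartnerDomain = 'partnercomp.com'
$OurSmtpFqdn   = 'mail.mycompany.com'   # FQDN on the Receive connector and MX record
$HubServer     = 'MYSERVER'

# 1. Inbound (opportunistic TLS): the Receive connector must advertise STARTTLS
#    (the Tls auth mechanism) and a trusted, SMTP-enabled certificate must carry
#    the FQDN the connector presents, or the partner's TLS attempt will fail.
$rc = Get-ReceiveConnector | Where-Object { $_.Fqdn -eq $OurSmtpFqdn }
if (-not $rc) { throw "No Receive connector presents FQDN $OurSmtpFqdn" }
if ($rc.AuthMechanism -notmatch 'Tls') {
    Write-Warning "Receive connector '$($rc.Name)' does not advertise TLS (STARTTLS)"
}
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }
$match = @($smtpCerts | Where-Object {
    (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $OurSmtpFqdn) -or
    ($_.Subject -match [regex]::Escape("CN=$OurSmtpFqdn"))
})
if ($match.Count -gt 0) {
    "OK: certificate $($match[0].Thumbprint) is SMTP-enabled and covers $OurSmtpFqdn"
} else {
    Write-Warning "No SMTP-enabled certificate covers $OurSmtpFqdn; inbound TLS will not negotiate"
    # Fix as in post #7: Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP,IIS
}

# 2. Outbound, variant A (post #7): a Partner send connector routed by DNS MX lookup.
#    The partner domain must resolve to an MX; the thread does this with a local
#    forward lookup zone on the internal DNS server.
$cn = "Partner - $PartnerDomain"
if (-not (Get-SendConnector | Where-Object { $_.Name -eq $cn })) {
    New-SendConnector -Name $cn -Usage Partner -AddressSpaces "SMTP:$PartnerDomain;1" `
        -DNSRoutingEnabled $true -SourceTransportServers $HubServer | Out-Null
}
nslookup -type=MX $PartnerDomain   # confirm the MX record the connector will use

# 3. Outbound, variant B (post #10): the partner runs a dedicated Exchange 2003 SMTP
#    virtual server with TLS switched on, so deliver to it as a smart host rather than
#    to the MX. Domain Security (what Usage Partner turns on) requires DNS routing,
#    so this variant uses a Custom connector with TLS required instead.
# New-SendConnector -Name "Partner smarthost - $PartnerDomain" -Usage Custom `
#     -AddressSpaces "SMTP:$PartnerDomain;1" -DNSRoutingEnabled $false `
#     -SmartHosts 'smtp.partnercomp.com' -SmartHostAuthMechanism None `
#     -RequireTLS $true -SourceTransportServers $HubServer
```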

              • #8

                Originally posted by 58sniper:
                    Keep in mind that if you're using a split brain DNS, where you have an internal forward lookup zone that matches your external domain name, you don't need to publish
                    servername
                    servername.domain.local
                    in your SAN certificate.

                I disagree.
                Even if I am using a split DNS system I still put the server's real name in the certificate.
                If you are using Unified Messaging you MUST have the server's real name in the certificate, otherwise UM will not accept it.

                Simon.



                • #9

                  If you set up the partner send connector but don't add the domain to the -TLSSendDomainSecureList, will the mail still be sent but without using TLS?

                  I know for Exchange 2007 systems the mail will still get there because of opportunistic TLS (please correct me if I'm wrong), but am I right in thinking Exchange 2003 won't accept the mail if TLS has been enabled on the connector?

                  Matt



                  • #10

                    Exchange 2003 is TLS either ON or OFF.
                    If you turn it on then anyone not using TLS will not get the email.
                    If you turn it off then you cannot use TLS at all.

                    Therefore if you want TLS both ways then the recipient will need both an SMTP connector for sending you email and a separate SMTP virtual server for TLS inbound.
                    If they are using a separate SMTP VS then you will need to use a smart host on your Send Connector for them to force the email to go to the SMTP VS with TLS enabled.

                    Simon.



                    • #11

                      The TLS connection is working like a charm, so I'd like to thank you for your responses to the thread.

                      There is one thing I'm still not sure about. The following line is in the headers of an email received from the partner company:

                      Received: from webmail.mycompany.com ([87.85.188.84]) by partnercomp.local over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);

                      Now, I'm sure this means TLS is working fine, but I haven't had to specify the partner domain in TLSSendDomainSecureList and TLSReceiveDomainSecurelist in the set-transportconfig cmdlet.

                      Is this because the send connector I set up is a Partner send connector?

                      Matt



                      • #12

                        From memory, yes.
                        I think Exchange tries to use TLS first and then falls back if it fails. TLS support is much better in Exchange 2007, so this behaviour is along the lines that I would expect - but I haven't looked at it for a while so it is from memory. A partner type connector is expected to be a trusted connection.

                        Simon.



                        • #13

                          That's what I thought regarding the partner connection.

                          So under what circumstances would you need to specify domains in the TLSSendDomainSecureList and TLSReceiveDomainSecurelist?



                          • #14

                            I can only guess if there is a problem with the TLS communication, something like that. Rather like forcing it to make the connection in that type. It isn't a setting I have had to use in the past.

                            Simon.


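As an added example, not from the thread: the circumstance asked about in #13 is Domain Security (mutual TLS). The TLSSendDomainSecureList and TLSReceiveDomainSecureList entries are what make TLS mandatory and certificate-validated, with no cleartext fallback, for the listed domains only; this script enables it for one partner domain, with 'partnercomp.com' and 'mail.mycompany.com' as placeholder names.

```powershell
# Added example, not from the thread. Exchange 2007 Management Shell.
# Domain Security: listed domains get mandatory, mutually authenticated TLS in both
# directions and mail to/from them fails rather than falling back to cleartext.
# All other domains keep the opportunistic TLS behaviour discussed in post #12.
# Placeholders (assumptions): 'partnercomp.com', 'mail.mycompany.com'.
$PartnerDomain = 'partnercomp.com'
$OurSmtpFqdn   = 'mail.mycompany.com'

# 1. Add the partner to both lists, keeping whatever is already configured.
$tc   = Get-TransportConfig
$send = @($tc.TLSSendDomainSecureList    | ForEach-Object { "$_" })
$recv = @($tc.TLSReceiveDomainSecureList | ForEach-Object { "$_" })
if ($send -notcontains $PartnerDomain) { $send += $PartnerDomain }
if ($recv -notcontains $PartnerDomain) { $recv += $PartnerDomain }
Set-TransportConfig -TLSSendDomainSecureList $send -TLSReceiveDomainSecureList $recv

# 2. The partner Send connector must route by DNS (smart hosts are not supported
#    with Domain Security) and have Domain Security switched on.
$sc = @(Get-SendConnector | Where-Object {
    "$($_.AddressSpaces)" -match [regex]::Escape($PartnerDomain) })
if ($sc.Count -eq 0) { throw "No Send connector has an address space for $PartnerDomain" }
$sc | Set-SendConnector -DNSRoutingEnabled $true -DomainSecureEnabled $true

# 3. The internet-facing Receive connector must advertise TLS and have Domain
#    Security on; it will then require a trusted certificate from the partner server.
$rc = Get-ReceiveConnector | Where-Object { $_.Fqdn -eq $OurSmtpFqdn }
if (-not $rc) { throw "No Receive connector presents FQDN $OurSmtpFqdn" }
if ($rc.AuthMechanism -notmatch 'Tls') {
    $rc | Set-ReceiveConnector -AuthMechanism "$($rc.AuthMechanism), Tls"
}
$rc | Set-ReceiveConnector -DomainSecureEnabled $true

# 4. Read the result back. A partner message stuck in the queue after this usually
#    means the remote certificate chain is not trusted by this server (see post #2).
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
$sc | Format-List Name, DNSRoutingEnabled, DomainSecureEnabled, RequireTLS
$rc | Format-List Name, Fqdn, AuthMechanism, DomainSecureEnabled
Get-Queue | Where-Object { $_.NextHopDomain -eq $PartnerDomain } |
    Format-List Identity, Status, MessageCount, LastError
```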

                            • #15

                              Thanks again for your help and advice with this, Simon.

                              Matt
