Enable TLS On Exchange 2003 With Specific Customers

this thread has 15 replies and has been viewed 29432 times

  #1  
11th November 2008, 06:39
TokyoBrit (Tokyo, Japan)

I've had to do a lot of self-taught Exchange administration over the years, but I'm stumped with this last request.

We've been asked by a customer to enable TLS between us and them for secure email communications.

I read through MS KB articles 829721 and 823019, as well as posts on the Exchange Team Blog, searched these Forums, and trundled off down the many nooks and crannies that embedded links take me.

The end result being that I think I understand the basics but am having trouble getting my head around the implementation.

For starters, the customer doesn't use Exchange as their email system. Not sure what they have really, but they say it does support TLS, and considering their size, I would tend to believe they know what they are saying.

Second, we only have a single Exchange box. No Front-End/Back-End stuff. It's just a straightforward dual-homed server sitting behind our firewall.

So... Assuming these steps are a given:

1) Add a new public IP address.
2) Change the default SMTP VS to use just the old IP address.
3) Create a new SMTP VS to use the new IP address.
4) Buy a certificate from a reputable CA and install it on the new SMTP VS.
5) Set up the new SMTP VS properties for TLS.
6) Create a new SMTP Connector, using the new SMTP VS as the bridgehead.
7) Add the customer email domain to the new SMTP Connector.

This brings up several questions:

1) Do I need a separate public IP address for every customer who wants TLS?
2) What changes need to be made in our ISP DNS for A and MX records?
3) Do I really need to open port 465, or will TLS work through 25 as usual?
4) Are there other changes to ensure that secure emails get to our mailboxes?

Any help or direction would be appreciated. Thanks.
  #2  
11th November 2008, 18:02
v-2nas (Singapore)

Hare Krsna,

So my buddy, this is what you need to do to enable TLS between your server and theirs.

Let's first discuss the sending part.

Create an SMTP connector.
Name it (of course you need to do it)
Add a Bridgehead Server (this will be the SMTP virtual server WITHOUT a certificate)
Put a smarthost, i.e. the IP address of the remote domain
Address space: the remote email domain, set whatever cost you want
Now here is the trick
To send email securely you just need to do this

In the advanced properties of the SMTP connector
Outbound Security > Put a check in Use TLS Encryption.
That's it, done for sending TLS based email

Now to receive a secure email
Create two SMTP VS
each one will have a unique IP address and port 25
one of them will have a certificate installed from a Trusted CA
Now do this
Telnet Local_IP_address 25 (do it for both IP addresses)
ehlo

now check if you have the STARTTLS verb listed (ideally you would have the STARTTLS verb listed on both, but just in case it's different then let me know)

Assuming you are not using a second NIC, you will be able to receive TLS based email.

Let me know if it doesn't work.

With Regards
Navdeep

Reputation is Earned not Asked for.
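The manual check in post #2 (telnet to port 25, send EHLO, look for the STARTTLS verb) can be scripted so it is repeatable after every certificate change. The following is an added example, not code from the thread or from Exchange: it parses an EHLO reply into its extension keywords, and optionally makes the live connection with Python's smtplib and completes a verified STARTTLS handshake. The sample reply text, the host name mail.example.com and the address 192.0.2.10 are constructed; the extension list is modelled on what an Exchange 2003 SMTP virtual server with a certificate typically advertises.

```python
"""Check whether an SMTP server advertises STARTTLS (the EHLO test from post #2).
Added example, not code from the forum thread."""
import smtplib
import ssl
import sys

# Constructed sample EHLO reply from an Exchange 2003 SMTP virtual server that
# has a certificate installed. Host name and IP address are made up.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-TURN\r\n"
    "250-SIZE\r\n"
    "250-ETRN\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8bitmime\r\n"
    "250-BINARYMIME\r\n"
    "250-CHUNKING\r\n"
    "250-VRFY\r\n"
    "250-TLS\r\n"
    "250-STARTTLS\r\n"
    "250-X-EXPS GSSAPI NTLM LOGIN\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-X-LINK2STATE\r\n"
    "250-XEXCH50\r\n"
    "250 OK\r\n"
)


def parse_ehlo_reply(reply: str) -> dict:
    """Split a multi-line EHLO reply into its status code and the set of
    advertised extension keywords (upper-cased, parameters dropped).
    The first line is the greeting ("250-host Hello [ip]") and is skipped."""
    code = None
    extensions = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for idx, line in enumerate(lines):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        code = int(line[:3])
        if idx == 0:
            continue
        rest = line[4:].strip()
        if rest:
            extensions.add(rest.split()[0].upper())
    return {"code": code, "extensions": extensions}


def advertises_starttls(reply: str) -> bool:
    """True when the reply is a 250 and lists STARTTLS among its extensions."""
    parsed = parse_ehlo_reply(reply)
    return parsed["code"] == 250 and "STARTTLS" in parsed["extensions"]


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to host:port, send EHLO, report whether STARTTLS is offered and,
    if so, whether a chain- and host-name-verified TLS session can be set up.
    Network access is required; nothing here is exercised by the sample data."""
    result = {"starttls_offered": False, "tls_established": False, "error": None}
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls_offered"] = smtp.has_extn("starttls")
            if result["starttls_offered"]:
                smtp.starttls(context=ctx)
                smtp.ehlo()  # RFC 3207: re-issue EHLO after the handshake
                result["tls_established"] = True
                result["tls_version"] = smtp.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_starttls(sys.argv[1]))
    else:
        print("sample reply advertises STARTTLS:", advertises_starttls(SAMPLE_EHLO_REPLY))
```

Run it with your mail server's public host name as the argument to test the real listener; with no argument it only exercises the parser on the constructed reply. A `starttls_offered` of True with an `error` from the handshake is the useful case: the verb is there but the certificate does not chain to a trusted root or does not match the name the sender connects to, which is exactly the situation a self-signed or internal-CA certificate produces.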
  #3  
12th November 2008, 03:34
TokyoBrit (Tokyo, Japan)

Thanks for the reply Navdeep, but... I wonder.

The step about setting the smarthost to their email server doesn't make sense to me at the moment.

I've used the smart-host setting on numerous IIS SMTP servers to point to our real Exchange Server, so that our web apps can send emails to customers' employees.

But that requires that our Exchange Server allows relaying from the IIS servers. Wouldn't our customer have to set their email server in a similar manner?

Also, I still have 2 SMTP VS's, each with a unique public IP address. What do I do about setting the public DNS? Do I have to have 2 MX records, 1 for each IP address? Do I give them different priorities?

Last edited by TokyoBrit; 12th November 2008 at 03:38..
  #4  
12th November 2008, 16:15
v-2nas (Singapore)

The step about setting the smarthost to their email server doesn't make sense to me at the moment.
> It's simple to understand. Exchange server uses the DNS server to get the MX record. Now the MX record refers to a host A or glue record. Now as you know a host A record is nothing but a mapping to an IP address; let's say microsoft.com has an MX with preference 5, i.e. mail.microsoft.com, and 1.2.3.4 is the IP. Now when you specify a smart host on the SMTP Connector (NOT the Default SMTP Virtual Server), it bypasses doing the DNS lookup and makes a direct connection to the relevant domain, because we know where the email is supposed to go. So do you understand now?

I've used the smart-host setting on numerous IIS SMTP servers to point to our real Exchange Server, so that our web apps can send emails to customers' employees.

But that requires that our Exchange Server allows relaying from the IIS servers. Wouldn't our customer have to set their email server in a similar manner?
> That is relaying off the Exchange server where your web apps or similar apps don't have any authentication mechanism. So you specify the IP address of the server running the application in Exchange Default SMTP Virtual Server > Properties > Access > Relay. So you can relay email out off the Exchange server.

Also, I still have 2 SMTP VS's, each with a unique public IP address. What do I do about setting the public DNS? Do I have to have 2 MX records, 1 for each IP address? Do I give them different priorities?
> Even if you have a single NIC with two IPs it will work for you. No need to worry about creating two MX records because you are using a single NIC with two IPs.

You have that option if you want: you need two public IP addresses, two MX records, two NICs.

However in your case a single NIC with two IPs will do and you don't need to go through unnecessary things.
__________________
Thanks & Regards
v-2nas

MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
Sr. Wintel Eng. (Investment Bank)
Independent IT Consultant and Architect
Blog: http://www.exchadtech.blogspot.com

Show your appreciation for my help by giving reputation points
  #5  
12th November 2008, 19:41
Sembee (MVP; Newbury, UK)

I don't know why it is being suggested to have a second IP address or a second SMTP virtual server, as that is not required at all.
You also don't need to set a smart host unless the recipient needs you to use a separate server than those found in the MX record lookup.

What seems to have happened is that you have confused the client to server configuration requirements with the server to server configuration requirements.

For server to server, the simple fact that you have an SSL certificate on the SMTP virtual server will allow the use of TLS. The originating server just has to ask for it.

For outbound email, configure an SMTP connector and add the domains that need to use TLS to the list, then set the option to use TLS. As long as it is the same server as listed in the MX records then TLS will be used.

Keep it simple to begin with. However you do need to ask the other end if the server is the same as what is on their MX records.

The SSL certificate that you use needs to match your MX record host name as well, otherwise the TLS connection will not be made due to a certificate mismatch.

Simon.
__________________
--
Simon Butler
Exchange MVP

Blog: http://blog.sembee.co.uk/
More Exchange Content: http://exchange.sembee.info/
Exchange Resources List: http://exbpa.com/
In the UK? Hire me: http://www.sembee.co.uk/

Sembee is a registered trademark, used here with permission.
  #6  
13th November 2008, 03:22
TokyoBrit (Tokyo, Japan)

I said from the start I was stumped... Now I'm beginning to see why.

Since KISS is a good thing, I went to the Default SMTP VS and added a certificate from our own CA.

Now, I see

"Received from x.y.z (1.2.3.4) by my.company.mail over TLS secured channel with Microsoft SMTPSVC"

in the message headers of numerous emails. Not all, but some, like the mail host used by this site for reply notifications.

I also see the STARTTLS verb when I telnet to our mail server.

Now... Is it truly using TLS, or does it fail to use it because the originating email server doesn't trust our CA?

So... That leaves me with creating a new SMTP Connector, with the domain name of our customer, and checking the TLS Encryption on the Outbound Security dialog?
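Two of the points raised so far can be checked from data you already have rather than by asking the other side: post #6 quotes the "over TLS secured channel" marker that Exchange 2003's SMTP service writes into a Received: header when the session used TLS, and post #5 warns that the certificate name must match the MX host name or the TLS connection will not be made. The following is an added example, not code from the thread or from Exchange: it walks the Received: headers of a message and reports which hop carried the marker, and it matches a certificate's DNS names (as returned by Python's ssl.SSLSocket.getpeercert()) against an MX host name with single-label wildcard handling. The sample message and every host name and address in it are constructed; the Received: line layout is modelled on the one quoted in post #6.

```python
"""Inbound TLS evidence from Received: headers (post #6) and a certificate
name vs MX host name check (post #5). Added example, not code from the thread."""
import email
import re

# Constructed sample message: the newest hop (top Received: line) reached our
# server over TLS; the earlier hop inside the sender's organisation did not.
SAMPLE_MESSAGE = (
    "Received: from mail.customer.example (192.0.2.25) by my.company.mail over TLS\n"
    " secured channel with Microsoft SMTPSVC; Thu, 13 Nov 2008 03:10:12 +0900\n"
    "Received: from relay.customer.example (198.51.100.7) by mail.customer.example\n"
    " with Microsoft SMTPSVC; Thu, 13 Nov 2008 03:10:05 +0900\n"
    "From: someone@customer.example\n"
    "To: me@company.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Marker text as quoted in post #6 for Exchange 2003 / Microsoft SMTPSVC.
TLS_MARKER = re.compile(r"over TLS secured channel", re.IGNORECASE)
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\([^)]*\))?\s+by\s+(?P<by>\S+)", re.IGNORECASE
)


def received_hops(raw_message: str) -> list:
    """One dict per Received: header, newest hop first: sending host,
    receiving host, and whether the TLS marker is present on that hop."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # join folded continuation lines
        m = RECEIVED_RE.match(unfolded)
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "tls": bool(TLS_MARKER.search(unfolded)),
        })
    return hops


def final_hop_used_tls(raw_message: str) -> bool:
    """True when the hop that delivered the message to us (the top Received:
    line) carries the marker. Only that hop says anything about our server;
    earlier hops reflect whatever the sender's own infrastructure did."""
    hops = received_hops(raw_message)
    return bool(hops) and hops[0]["tls"]


def names_from_peercert(cert: dict) -> list:
    """Collect DNS names from a getpeercert()-style dict: subjectAltName DNS
    entries first, then the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def cert_covers_mx(mx_host: str, cert_names) -> bool:
    """Case-insensitive match of the MX host against the certificate names.
    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label: *.example.com covers mail.example.com but neither
    example.com nor a.b.example.com."""
    mx = mx_host.rstrip(".").lower()
    for name in cert_names:
        n = name.rstrip(".").lower()
        if n == mx:
            return True
        if n.startswith("*.") and "*" not in n[2:]:
            labels = mx.split(".")
            if len(labels) >= 3 and ".".join(labels[1:]) == n[2:]:
                return True
    return False


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(hop)
    print("delivered to us over TLS:", final_hop_used_tls(SAMPLE_MESSAGE))
    # Constructed getpeercert()-style dict for a certificate issued to my.company.mail
    cert = {"subject": ((("commonName", "my.company.mail"),),),
            "subjectAltName": (("DNS", "my.company.mail"),)}
    print("cert covers MX host:", cert_covers_mx("my.company.mail", names_from_peercert(cert)))
```

Reading the marker answers the question at the end of post #6 for a given message: if the top Received: line carries it, that session really did negotiate TLS, whatever the sender thought of our CA. The name check is the one to run before buying or installing a certificate: feed it the host name published in your MX record and the names from the certificate request, and a False result means remote servers that verify names will refuse the session even though STARTTLS is advertised.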
  #7  
13th November 2008, 12:57
Sembee (MVP; Newbury, UK)

Not all servers will use TLS. I would go as far as to say it will be a minority.

Furthermore Exchange 2003 cannot do opportunistic TLS. For inbound email, the sending server must ask; for outbound it must be told to using SMTP connectors.

Using your own CA for something public isn't really a good idea. You should use a commercial SSL certificate that is widely trusted. GoDaddy ( http://certificatesforexchange.com/ ) are cheap, another option would be RapidSSL ( http://www.rapidssl.com/ ) who are also a good price.

If TLS has been used then you will see the line in the headers as you have posted.
For outbound email you will have to ask the recipient. You need to know if the recipients of outbound email are using TLS on their regular servers or on specific servers and you have to put another address in.

Simon.

Last edited by Sembee; 17th April 2013 at 21:08.. Reason: URL Correction
  #8  
13th November 2008, 17:05
v-2nas (Singapore)

Here is how you need to understand this. It's pretty simple... of course after putting in 10 hrs... it appears simple now.

So to send out TLS or encrypted email you really really don't need a certificate.

Just an SMTP connector with TLS enabled with the address space as the remote domain.
That's it.

And to receive email over a secure channel or TLS or encryption

you need to have a certificate assigned to a, preferably new, SMTP virtual server. Theoretically a single SMTP virtual server will do; however I have seen it fail and we need to create an additional virtual server that has the certificate installed on it.

You are done. TLS is setup.
  #9  
14th November 2008, 03:19
TokyoBrit (Tokyo, Japan)

Thank you for all your comments. They have truly helped.

I had a meeting with the customer yesterday and the topic of TLS was raised.

Since I had something to show them that I wasn't a complete idiot, they've put me in touch with their Exchange and TLS teams. Tickets need to be raised on their side and actioned on.

So it looks like they use Exchange. That'll make things easier.

We've already received a quotation from Verisign, which is the only commercial CA we use, since neither GoDaddy nor RapidSSL offer support in Japanese, so we'll be installing a proper certificate shortly.

I only really have one area that I'm still not sure about, and that is if I add a second SMTP Virtual Server on a second public IP address. I guess I will address that when I get to it.
  #10  
14th November 2008, 17:17
v-2nas (Singapore)

Thanks for your comments.

Let me know when you need further help, and post on the forums too, also for the benefit of the masses in general.

Last edited by v-2nas; 15th November 2008 at 01:30.. Reason: For your pleasure too
Copyright 2005 Daniel Petri