By default, Exchange 2007 and higher will use TLS to send and receive email to another server if the other server supports it. This is known as opportunistic TLS. This is different to Exchange 2003, which only had the option of on or off.
However if you have an external recipient who has asked you to ensure that all email sent between your servers is using TLS, then you will need to adjust the configuration on both the Send and the Receive Connectors. This is known as Mutual TLS.
SSL Certificates
The use of TLS requires trusted SSL certificates. Therefore ensure that your trusted certificate is being used for SMTP traffic by running get-exchangecertificate and checking that "S" (for SMTP) is listed under Services. You should also ensure that the FQDN value on your Send Connector matches either the common name or one of the additional names on the certificate, and that the Receive Connector FQDN is one of the additional names on the certificate.
DO NOT CHANGE THE FQDN on the default connector as that will cause problems with inter-server traffic.
Send Connector Configuration
This guide shows you how to configure a connector you are already using. If you prefer to use a dedicated connector, then go through the new Connector wizard, choosing type "Partner". The default settings are fine, then modify them as per this guide, changing the name as appropriate.
If you are using a Send Connector with a smart host configured, then you will have to create a new Send Connector. The setting to require Mutual TLS only works with DNS routing (i.e. using MX records). As you can only use MX records for this kind of delivery, a single connector for all domains that require TLS can be used.
Step One - Configure the Domains to Use Mutual TLS
The first thing you have to do is configure the domains that will use mutual TLS. This has to be done twice, once for inbound email and again for outbound email. This is done using the following EMS commands:
For sending email:
For receiving email:
However each time you run this command, by default it will overwrite the list. Therefore you will either need to maintain a list of domains and add the complete list each time, or use these small scripts from Microsoft:
For the Send Connector:
For the Receive Connector:
Copy the command to notepad and save as a ps1 file. Modify it each time you want to add a domain.
Step Two - Configure the Send Connector to use the List
By default, the Send Connector will not use the list of domains. You need to enable it. To do this, run the following command in EMS:
This command modifies the Send Connector "Outbound Email".
You can also set this through EMC by enabling "Enable Domain Security (Mutual Auth TLS)" on the Network tab of the properties of the Send Connector.
Step Three - Configure the Receive Connector
You can set the Receive Connector to require that traffic from certain domains uses TLS. However the remote server will also need to be configured to use it.
You can also configure this with Exchange Management Console by selecting the option Enable Domain Security (Mutual Auth TLS) on the Authentication tab under Transport Layer Security (TLS) on the properties of the Receive Connector.
Completion
Once complete, restart the Microsoft Exchange Transport Service on all Exchange servers that either send or receive email to the internet.
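The whole procedure above (certificate check, domain lists, Send and Receive Connector, transport restart) as one Exchange Management Shell script. This is an added example, not the guide's own commands or the Microsoft script it mentions; it assumes the Send Connector is named "Outbound Email" as in the guide, and the partner domain and Receive Connector name are placeholders you must change.

```powershell
# Added example: runs the mutual TLS setup end to end from the Exchange Management Shell
# on Exchange 2007/2010. Domain and Receive Connector names below are placeholders.
param(
    [string[]]$Domains          = @('partner.example'),        # placeholder partner domain(s)
    [string]  $SendConnector    = 'Outbound Email',            # name used in the guide
    [string]  $ReceiveConnector = 'Default Internet Receive'   # placeholder; use Server\Name if ambiguous
)

# SSL certificate check: mutual TLS needs a trusted certificate enabled for SMTP ("S" in Services).
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }
if (-not $smtpCerts) { throw 'No certificate is enabled for SMTP; fix that before continuing.' }

# Step One: merge the new domains into both lists instead of overwriting them.
$config      = Get-TransportConfig
$sendList    = @($config.TLSSendDomainSecureList    | ForEach-Object { $_.ToString().ToLower() })
$receiveList = @($config.TLSReceiveDomainSecureList | ForEach-Object { $_.ToString().ToLower() })
foreach ($d in $Domains) {
    $d = $d.Trim().ToLower()
    if ($sendList    -notcontains $d) { $sendList    += $d }
    if ($receiveList -notcontains $d) { $receiveList += $d }
}
Set-TransportConfig -TLSSendDomainSecureList $sendList -TLSReceiveDomainSecureList $receiveList

# Step Two: domain security only works with DNS routing, so refuse a smart host connector.
$sc = Get-SendConnector -Identity $SendConnector
if (-not $sc.DNSRoutingEnabled) { throw "$SendConnector uses a smart host; create a DNS-routed connector." }
Set-SendConnector -Identity $SendConnector -DomainSecureEnabled $true

# Step Three: require domain security on the Receive Connector (TLS must be an allowed auth mechanism).
Set-ReceiveConnector -Identity $ReceiveConnector -DomainSecureEnabled $true

# Completion: restart transport on this server; repeat on every server that sends or receives internet email.
Restart-Service MSExchangeTransport

# Show the end state so the operator can confirm nothing was dropped from the lists.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector    -Identity $SendConnector    | Format-List Name, DomainSecureEnabled, DNSRoutingEnabled
Get-ReceiveConnector -Identity $ReceiveConnector | Format-List Name, DomainSecureEnabled, AuthMechanism
```

Save it as a ps1 file and run it with -Domains each time a new partner domain is added; re-running it with a domain already in the lists changes nothing.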
Smart Hosts for Outbound Email and Third Party Service for inbound Email
If you are using a smart host for outbound email then you will need to use a separate Send Connector. This is because mutual TLS requires direct server to server delivery. If you use a smart host for delivery then you can only be sure that TLS is being used for the initial connection and delivery to the smart host. You cannot guarantee that the onward connection from the smart host is made over TLS.
For inbound email, you will be in a similar situation. If your MX records point to a third party service, then you cannot be sure that they are accepting email over TLS.
In that case you will need to adjust the Receive Connector to allow email traffic from the company that wants to use TLS, and you will have to provide them with the IP address or host name of your Exchange server to use as an alternative to MX record lookup.
Last Page Update: 03/10/2011