We have had some requests to talk more about the process to implement TLS between two Exchange organizations. Here it is! The following walk-through should help you do this. Note that these instructions apply to Exchange Server 2000/2003; we will follow up with the Exchange Server 2007 equivalent at a later time.
If you require secure SMTP mail communication between two separate Exchange Organizations, you can use Transport Layer Security (TLS) to accomplish this requirement.
Note: Some of these steps are summarized and refer to existing documentation where applicable. The procedure applies to both Exchange 2000 and Exchange 2003, and the same configuration can be used to make Exchange 200x support TLS with a third-party SMTP server.
In order to secure mail flow using TLS, you will need to add an additional IP address, an SMTP Virtual Server, and an SMTP Connector on each of the Bridgehead servers in each of the Exchange 200x Organizations between which you wish to have secured mail flow. This will also require that certificates be installed on these new SMTP Virtual Servers. Ideally you should make sure that no other connectors are configured to the other Exchange 200x Organization, so that mail cannot fall back to an unsecured path between them.
Note: Each of the steps outlined below needs to be followed on every Bridgehead Server for which you require secured mail flow.
TLS enabling process
Configuring an Additional IP Address
It is common to configure additional IP addresses on a single physical network interface to allow for IP-based virtual servers such as Web Servers or SMTP Virtual Servers. For this implementation, add a second (or additional) IP address to each of the Exchange Servers that will serve as the Secure SMTP Connector Bridgeheads in each of the Exchange Organizations between which you require secured mail flow. To configure additional IP addresses for a given interface:
The new settings that you have configured are available immediately.
Configuring the Default SMTP Virtual Server
First we need to configure the Default SMTP Virtual Server to listen only on the main (primary) IP address, rather than on "All Unassigned". If it is left on "All Unassigned" it will also claim the new secondary address, and the Secure SMTP Virtual Server created in the next section will not be able to bind to it.
Creating and Configuring the Secure SMTP Virtual Server
Add a new SMTP Virtual Server (suggested name "Secure SMTP VS") that will serve as the Secure SMTP Connector Bridgehead, and configure this Secure SMTP VS to listen on the secondary IP address added in the "Configuring an Additional IP Address" section of this document.
Configuring the Secure SMTP VS to use a certificate
To configure the Secure SMTP VS to use a certificate, follow the steps below in conjunction with the appropriate "How to Use Certificates with Virtual Servers" article for your Exchange version, listed at the end of this document:
Set TLS encryption levels for the Secure SMTP Virtual Server
To configure the Secure SMTP VS to require inbound TLS Encryption follow these steps:
Note: Under the Access tab of the Secure SMTP VS properties, behind the Communication button, there is an additional level of security that can be enabled: "Require Secure channel". This requires TLS for any and all SMTP communication to or from the Secure SMTP VS, even between SMTP Virtual Servers on the same Exchange server. Enabling it would therefore require a certificate to be installed on the Default SMTP VS as well as on every other SMTP Virtual Server within the same Exchange 200x Organization.
Creating and Configuring the Secure SMTP Connector
Create a new SMTP Connector and configure it as follows:
Note: On the Delivery tab of the Secure SMTP VS, the Outbound Security button exposes a TLS encryption checkbox. It is not recommended to enable this setting. If it is enabled, it forces TLS encryption between the Secure SMTP VS and the other Exchange/SMTP servers within the same Exchange Organization, and can cause mail from the remote Exchange Organization (with which you require secure SMTP mail flow) to get stuck in the queue. Outbound TLS to the remote organization belongs on the SMTP Connector, not on the virtual server.
To verify that the SMTP traffic is encrypted, start a Network Monitor capture on one of the Secure SMTP Bridgehead Servers, send an SMTP mail message from a client on one side of the secured mail flow environment, stop the capture once the mail is delivered, and then examine the packets that were sent. Between the Secure SMTP Bridgehead Servers, the initial EHLO and STARTTLS exchange on port 25 (0019h) is still readable, which is expected; everything that follows the STARTTLS handshake, including MAIL FROM, RCPT TO and the message body, should appear as encrypted TLS records rather than readable SMTP.
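A quicker check than a packet capture is to speak SMTP to the Secure SMTP VS yourself and confirm three things: that EHLO advertises STARTTLS, that a clear-text MAIL FROM is refused (RFC 3207 specifies a 530 reply for a server that insists on TLS first), and that STARTTLS succeeds and presents the certificate you installed. The script below is an added example written for this post, not code from the original article or from Microsoft; the host name, addresses and EHLO transcripts in it are constructed for illustration, and `check_secure_smtp_vs` is a hypothetical helper name.

```python
"""Probe an SMTP virtual server for STARTTLS support and enforcement.

Added example (not part of the original post). The EHLO replies below are
constructed sample data, not captures from a real Exchange server.
"""
import smtplib
import ssl

# Constructed sample EHLO replies. The last line of a multi-line reply uses
# "250 " (space); intermediate lines use "250-" (hyphen).
EHLO_WITH_STARTTLS = (
    b"250-secure-smtp-vs.example.com Hello [192.0.2.10]\r\n"
    b"250-SIZE 10485760\r\n"
    b"250-STARTTLS\r\n"
    b"250 OK\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-default-smtp-vs.example.com Hello [192.0.2.10]\r\n"
    b"250-SIZE 10485760\r\n"
    b"250 OK\r\n"
)


def advertised_extensions(ehlo_reply):
    """Return the set of ESMTP keywords listed in a raw EHLO reply."""
    exts = set()
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:  # line 0 is the greeting, not an extension
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            exts.add(line[4:].strip().split(" ")[0].upper())
    return exts


def advertises_starttls(ehlo_reply):
    """True if the server offers the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in advertised_extensions(ehlo_reply)


def requires_tls_before_mail(reply_code):
    """RFC 3207: a server that requires TLS answers 530 to MAIL sent in clear."""
    return reply_code == 530


def check_secure_smtp_vs(host, port=25, cafile=None, timeout=15):
    """Live probe of a Secure SMTP VS; returns a dict of findings.

    cafile: PEM bundle for the CA that issued the virtual server's certificate
    (assumption: an enterprise CA not in the default trust store).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Windows Server 2003 Schannel tops out at TLS 1.0; a modern OpenSSL may
    # refuse that, so lower the floor where the build allows it.
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (AttributeError, ValueError):
        pass
    ctx.check_hostname = False  # we report the subject instead of matching it

    result = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        result["ehlo_code"] = code
        result["starttls_advertised"] = smtp.has_extn("starttls")
        # With "Require TLS encryption" set on the VS, this must be refused.
        code, _ = smtp.docmd("MAIL FROM:<probe@example.com>")
        result["plaintext_mail_refused"] = requires_tls_before_mail(code)
        code, _ = smtp.starttls(context=ctx)
        result["starttls_code"] = code
        result["tls_version"] = smtp.sock.version()
        result["peer_cert_subject"] = smtp.sock.getpeercert().get("subject")
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "secure-smtp-vs.example.com"
    for key, value in check_secure_smtp_vs(target).items():
        print(f"{key}: {value}")
```

Run it against the secondary IP address of the remote bridgehead; `starttls_advertised` and `plaintext_mail_refused` should both be True, and `peer_cert_subject` should name the certificate you installed on the Secure SMTP VS. Running the same probe against the Default SMTP VS on the primary address is a useful negative check: it should show that TLS is not advertised there, confirming the two virtual servers are bound to different addresses.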
823024 How to Use Certificates with Virtual Servers in Exchange Server 2003
319574 How to: Use Certificates with Virtual Servers in Exchange 2000 Server
829721 How to help protect SMTP communication by using the Transport Layer Security protocol in Exchange Server
823019 How to help secure SMTP client message delivery in Exchange 2003
822941 How to use SMTP connectors to connect routing groups in Exchange 2003
314961 How to install and to configure SMTP Connectors in Exchange 2000 Server
Hope this was helpful!!
- Clifton Hughes