We have had some requests to talk more about the process to implement TLS between two Exchange organizations. Here it is! The following walk-through should help you do this. Note that these instructions apply to Exchange Server 2000/2003. We will follow up with Exchange Server 2007 functionality at a later time.

1. Overview

If you require secure SMTP mail communication between two separate Exchange Organizations, you can use Transport Layer Security (TLS) to accomplish this requirement.

Note: Some of these steps are summarized and will refer to existing documentation where applicable. This document can be used for Exchange 2000 and/or Exchange 2003, or to configure Exchange 200x to support TLS with a third-party SMTP server.

To secure mail flow using TLS, you will need to add an additional IP address, an SMTP Virtual Server, and an SMTP Connector on each of the Bridgehead servers in each of the Exchange 200x Organizations between which you want secured mail flow. Certificates must also be installed on these new SMTP Virtual Servers. Ideally, make sure that no other connectors are configured between the two Exchange 200x Organizations, so that mail cannot flow between them unsecured.

Note: Each of the steps outlined below must be followed on each Bridgehead Server for which you require secured mail flow.

2. TLS enabling process

Configuring an Additional IP Address

It is common to configure additional IP addresses for a given physical interface card to allow for IP-based virtual servers such as Web Servers or SMTP Virtual Servers. For this implementation, add a second (or additional) IP address to each of the Exchange Servers that will serve as Secure SMTP Connector Bridgeheads in each of the Exchange Organizations between which you require secured mail flow.
To configure additional IP addresses for a given interface:

  1. Log on to the Exchange server computer by using an administrative-level account.
  2. Right-click My Network Places, and then click Properties.
  3. Right-click the interface that you want to configure, and then click Properties.
  4. The drivers and protocols supported on this interface are displayed. Click Internet Protocol (TCP/IP), and then click Properties.
  5. Click Advanced to open the Advanced Properties window.
  6. Click IP Settings.
  7. Click Add under IP addresses, and then type the additional IP address and subnet mask.
  8. Click OK to accept the advanced TCP/IP settings.
  9. Click OK to accept these TCP/IP settings.
  10. Click OK to accept the properties for the interface.

The new settings that you have configured are available immediately.

Configuring the Default SMTP Virtual Server

First we need to configure the Default SMTP Virtual Server to listen on the main IP address.

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
  3. Right-click the Default SMTP Virtual Server object, and then click Properties.
  4. On the General tab, for IP address, select the primary IP address from the drop-down list.

Creating and Configuring the Secure SMTP Virtual Server

Add a new SMTP Virtual Server, (suggested name "Secure SMTP VS") that will serve as the Secure SMTP Connector Bridgehead, and configure this Secure SMTP VS to listen on the secondary IP address added in the "Configuring an Additional IP Address" section of this document.

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
  3. Right-click SMTP, point to New, and then click SMTP Virtual Server.
  4. In the Name box, type the name of the virtual server (suggest Secure SMTP VS), and then click Next.
  5. Select the IP address that you want to use (suggest using the additional IP address that was added in the "Configuring an Additional IP Address" section of this document), and then click Finish.

Configuring the Secure SMTP VS to use a certificate

To configure the Secure SMTP VS to use a certificate, follow the steps below in conjunction with the appropriate "How to use Certificates with..." article listed under Additional Reading at the end of this document:

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
  3. Right-click the Secure SMTP VS, and then click Properties.
  4. Click the Access tab, and then click Certificate to set up new key certificates and to manage key certificates that are installed for the SMTP virtual server. See the appropriate article under Additional Reading for more details on using certificates with Virtual Servers in Exchange Server.

Set TLS encryption levels for the Secure SMTP Virtual Server

To configure the Secure SMTP VS to require inbound TLS encryption, follow these steps:

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
  3. Right-click the Secure SMTP VS, and then click Properties.
  4. Click the Access tab, and then click Authentication.
  5. Click to select the Requires TLS encryption check box.
  6. Click OK, then click OK again.

Note: Under the Access tab of the Secure SMTP VS properties, the Communication button exposes an additional level of security, "Require secure channel". This requires TLS for any and all SMTP communication to or from the Secure SMTP VS, even between SMTP Virtual Servers on the same Exchange server, and therefore requires that a certificate be installed on the Default SMTP VS as well as on any other SMTP Virtual Servers within the same Exchange 200x Organization.

Creating and Configuring the Secure SMTP Connector

Create a new SMTP Connector and configure it as follows:

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), then expand Routing Groups, and then expand the routing group that you want to use as the originator of the connection.
  3. Right-click Connectors, point to New, and then click SMTP Connector.
  4. In the Properties dialog box, click the General tab.
  5. In the Name box, type a descriptive name for the connector (suggested name Secure SMTP Connector).
  6. Also on the General tab, click Forward all mail through this connector to the following smart hosts, and then type the IP address of the remote Bridgehead Server through which you want to route the secure mail flow to the other Routing Group. Enclose the address in square brackets, for example [192.168.1.51].
  7. Also on the General tab, click Add, under the Local bridgeheads settings dialog box, and select the Secure SMTP VS that was created in the "Creating and Configuring the Secure SMTP Virtual Server" section of this document, and then click OK.
  8. Click the Address Space tab, and then click Add.
  9. Select SMTP, then click OK.
  10. Type the SMTP Address Space of the remote Exchange 200x Organization with which you require secure SMTP mail flow, and then click OK.
  11. Click the Advanced tab, click the Outbound Security button, and then select the TLS encryption check box.
  12. Click OK, then click OK again.

Note: The Outbound Security button on the Delivery tab of the Secure SMTP VS also has a TLS encryption check box; enabling this setting is not recommended. If it is enabled, it forces TLS encryption between the Secure SMTP VS and other Exchange/SMTP servers within the same Exchange Organization, and could cause mail flow from the remote Exchange Organization with which you require secure SMTP mail flow to get stuck in the queue.

To verify that the SMTP traffic is encrypted, start a Network Monitor capture on one of the Secure SMTP Bridgehead Servers, and then send an SMTP mail message from a client on one side of the secured mail flow environment. Once the mail is delivered, stop the capture and examine the packets that were sent. Note that all SMTP packets between the Secure SMTP Bridgehead Servers with a destination of port 25 (0019h) are encrypted.
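A second way to verify the configuration, added here as an example and not part of the original walkthrough: the probe below speaks plain SMTP to a virtual server, checks that STARTTLS is advertised in the EHLO response, and then checks that a plaintext MAIL FROM is refused, which is what the "Requires TLS encryption" setting on the Secure SMTP VS should enforce. The host name, the two canned transcripts and the function names are constructed for this example; the exact 5xx reply text a real server returns will differ.

```python
import io
import socket

def read_reply(rfile):
    """Read one complete SMTP reply (multi-line aware); return (code, [text lines])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text[4:])
        if text[3:4] != "-":  # "250-" continues the reply, "250 " ends it
            return int(text[:3]), lines

def probe_tls_enforcement(rfile, wfile, helo_name="probe.example.invalid"):
    """Speak plain SMTP over rfile/wfile (e.g. sock.makefile("rb") and ("wb"))
    and report whether the server insists on TLS before accepting MAIL FROM."""
    def send(line):
        wfile.write(line.encode("ascii") + b"\r\n")
        wfile.flush()
    if read_reply(rfile)[0] != 220:
        raise RuntimeError("unexpected banner")
    send(f"EHLO {helo_name}")
    advertises = any(e.upper().startswith("STARTTLS") for e in read_reply(rfile)[1])
    send("MAIL FROM:<>")  # plaintext envelope: a TLS-requiring server should refuse it
    mail_code = read_reply(rfile)[0]
    send("QUIT")
    return {"advertises_starttls": advertises,
            "plaintext_mail_accepted": 200 <= mail_code < 300,
            "enforces_tls": advertises and 500 <= mail_code < 600}

def probe_host(host, port=25, timeout=10):
    """Run the probe against a live virtual server (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_tls_enforcement(sock.makefile("rb"), sock.makefile("wb"))

# Constructed transcript (not a real capture) of a VS with "Requires TLS encryption" set.
REQUIRES_TLS = (b"220 bridgehead.contoso.example ESMTP ready\r\n"
                b"250-bridgehead.contoso.example Hello\r\n250-STARTTLS\r\n250 SIZE 10485760\r\n"
                b"530 STARTTLS required before MAIL FROM\r\n221 closing\r\n")
# Constructed transcript of a VS that offers STARTTLS but still accepts plaintext mail.
ACCEPTS_PLAINTEXT = (b"220 bridgehead.contoso.example ESMTP ready\r\n"
                     b"250-bridgehead.contoso.example Hello\r\n250-STARTTLS\r\n250 SIZE 10485760\r\n"
                     b"250 Sender OK\r\n221 closing\r\n")

def probe_transcript(transcript):
    """Offline run of the probe over a canned server transcript."""
    return probe_tls_enforcement(io.BytesIO(transcript), io.BytesIO())
```

Run probe_host() against the secondary IP address of each Secure SMTP VS; a result with "enforces_tls": False on a server that should require TLS means plaintext mail would still be accepted there.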

Additional Reading

KB 823024: How to Use Certificates with Virtual Servers in Exchange Server 2003

KB 319574: How to Use Certificates with Virtual Servers in Exchange 2000 Server

KB 829721: How to help protect SMTP communication by using the Transport Layer Security protocol in Exchange Server

KB 823019: How to help secure SMTP client message delivery in Exchange 2003

KB 822941: How to use SMTP connectors to connect routing groups in Exchange 2003

KB 314961: How to install and configure SMTP Connectors in Exchange 2000 Server

Hope this was helpful!!

- Clifton Hughes