http://blogs.technet.com/msonline/archive/2008/10/23/how-to-verify-ms-online-tls-message-delivery.aspxTo secure e-mail message delivery between your on-premise and Online environments first, follow the steps on how to configure your on-premise messaging environment . Next, determine whether Transport Layer Security (TLS) was used during Message Delivery.en-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/msonline/archive/2008/10/23/how-to-verify-ms-online-tls-message-delivery.aspx#3147695Wed, 05 Nov 2008 08:19:45 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3147695joshmaher<p>This is great that TLS will be supported.</p> <p>I am curious though, why won't the MTLS features take effect if a customer has Exchange 2007 on-site? </p> <p>Also for those customer's who want to have private certificates, is there anything on the roadmap to allow private certs between the on-site email system and Exchange Online?</p> http://blogs.technet.com/msonline/archive/2008/10/23/how-to-verify-ms-online-tls-message-delivery.aspx#3158887Mon, 24 Nov 2008 23:50:27 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3158887Ryan J. Phillips<p>Hi Josh, EHS does not require a client (sending server) certificate, so we wouldn't do MTLS. &nbsp;EHS provides it's certificate, which is a commonly used certificate, which is trusted by ALL Windows machines. &nbsp;As a result, the sending server is able to successfully able to establish a TLS connection and deliver the message.</p> <p>When EHS attempts to deliver a message to an On-Premise Messaging server (Coexistence), it will attempt a TLS connection and if enabled on the receiving server AND is using a certificate that can be validated (Not expired, on a CRL and the Common Name matches), then EHS will deliver using TLS.</p> <p>So that end, private certificates cannot be used when receiving mail from an EHS endpoint over TLS.</p> <p>I hope this helps</p> <p>....Ryan</p>