
The higher-ups have recently asked about this, as I'm sure there are compliance issues that need to be addressed. I was under the assumption that Exchange uses opportunistic TLS or StartTLS to try to encrypt all outbound emails and falls back to unencrypted transport.

Is this the case with newer versions of Exchange? How reliable is this, and how often is StartTLS employed by other mail servers?

If this method for encrypting mail traffic cannot be used reliably, what are some other alternatives on the server side of things?

jmreicha
  • Would this be a requirement for *all* outbound mail, or only messages to a few specific domains? – 1.618 Dec 13 '12 at 20:17
  • I would like to know for both scenarios, just for my own curiosity, but the requirement at this point would only be for a number of specific domains. – jmreicha Dec 13 '12 at 20:27

2 Answers


Assuming you already have a cert installed:

  1. Create an additional Send Connector.
  2. Specify the domains that require TLS in the Address Space section of the Send Connector.
  3. Check the "Enable Domain Security (Mutual Auth TLS)" checkbox in the Network section of the new Send Connector.

That checkbox ensures that TLS must be supported on the remote end, or sending will fail.

1.618
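The same three steps done from the Exchange Management Shell, as an added example that is not part of the answer above. It assumes Exchange 2010-era cmdlets; the connector name and the partner domains are placeholders. Two points worth knowing when scripting this: `-RequireTLS` is the connector flag that makes delivery fail (messages stay queued) when the remote server does not offer STARTTLS, and Domain Security (`-DomainSecureEnabled`, the checkbox in step 3) additionally needs the domain on the transport-wide secure list and DNS routing on the connector, with the partner configuring the mirror image on their side.

```powershell
# Added example, not code from the original answer. Exchange Management Shell,
# Exchange 2010-era cmdlets. Connector name and domains are placeholders.

$connectorName  = 'TLS Required - Partners'
$partnerDomains = @('partner.example', 'otherpartner.example')

# Steps 1 and 2: a dedicated send connector whose address space is only the
# domains that must be encrypted. Step 3: Domain Security (mutual TLS).
# RequireTLS alone rejects cleartext delivery; DomainSecureEnabled also
# demands a certificate the partner trusts and only works with DNS routing
# (no smart hosts on this connector).
New-SendConnector -Name $connectorName `
    -Usage Custom `
    -AddressSpaces $partnerDomains `
    -DNSRoutingEnabled $true `
    -RequireTLS $true `
    -DomainSecureEnabled $true

# Domain Security is only applied to domains listed here; @{Add=...} appends
# instead of replacing whatever is already on the list.
Set-TransportConfig -TLSSendDomainSecureList @{Add = $partnerDomains}

# Verify the resulting configuration.
Get-SendConnector -Identity $connectorName |
    Format-List Name, AddressSpaces, RequireTLS, DomainSecureEnabled, DNSRoutingEnabled
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList

# Mail that cannot satisfy these constraints stays in the queue rather than
# being sent in the clear; this is where a misconfigured partner shows up.
Get-Queue | Where-Object { $partnerDomains -contains $_.NextHopDomain } |
    Format-List Identity, Status, MessageCount, LastError
```

Because the general Internet send connector still handles every other domain with opportunistic TLS, the only mail affected by the new connector is mail to the listed address spaces, which matches the "specific domains" requirement in the question.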

If you provided a certificate and assigned it to the SMTP role on your hub transport or edge transport servers, Exchange will try to opportunistically encrypt incoming and outgoing SMTP connections.

longneck
  • This will work as long as the other mail server has this on as well, correct? I am wondering how often this is the case? – jmreicha Dec 13 '12 at 20:58
  • Correct. This is becoming more common since the major products (like Exchange) are coming with TLS enabled by default. – longneck Dec 13 '12 at 21:02
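How often the other side actually accepts STARTTLS is something your own send protocol logs can answer. The following is an added example, not code from the answerer: it turns on verbose protocol logging for a send connector and summarizes which outbound SMTP sessions negotiated TLS. The connector name and log path are placeholders, the sample log lines are constructed, and the CSV field list is the one Exchange writes in its protocol log header.

```powershell
# Added example, not code from the original answer. Exchange Management Shell.
# Connector name, log path and the sample log lines below are constructed.

# 1. Make the send connector log each SMTP verb and reply (default is None).
#    Set-SendConnector -Identity 'Internet' -ProtocolLoggingLevel Verbose
# 2. Logs land in the server's SendProtocolLogPath, e.g.
#    $logLines = Get-Content 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend\*.log'

function Get-StartTlsSummary {
    param([string[]]$LogLines)

    # Field order from the "#Fields:" header Exchange writes in every log file.
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'
    $rows = $LogLines | Where-Object { $_ -and $_ -notmatch '^#' } |
            ConvertFrom-Csv -Header $fields

    $result = @{ Sessions = 0; Encrypted = 0; Cleartext = @() }
    foreach ($group in ($rows | Group-Object -Property 'session-id')) {
        $result.Sessions++
        $ordered = @($group.Group | Sort-Object { [int]$_.'sequence-number' })
        $negotiated = $false
        # TLS is up once we sent STARTTLS (event ">") and the remote replied 220.
        for ($i = 0; $i -lt $ordered.Count - 1; $i++) {
            if ($ordered[$i].event -eq '>' -and $ordered[$i].data -eq 'STARTTLS' -and
                $ordered[$i + 1].event -eq '<' -and $ordered[$i + 1].data -like '220*') {
                $negotiated = $true
                break
            }
        }
        if ($negotiated) { $result.Encrypted++ }
        else { $result.Cleartext += $ordered[0].'remote-endpoint' }
    }
    return New-Object PSObject -Property $result
}

# Constructed sample: session A negotiates STARTTLS, session B talks to a
# server that never advertises it and continues in the clear.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-12-13T20:30:01.000Z,EX1\Internet,SESSION-A,0,10.0.0.5:50123,203.0.113.25:25,+,,
2012-12-13T20:30:01.050Z,EX1\Internet,SESSION-A,1,10.0.0.5:50123,203.0.113.25:25,<,220 mx.partner.example ESMTP,
2012-12-13T20:30:01.060Z,EX1\Internet,SESSION-A,2,10.0.0.5:50123,203.0.113.25:25,>,EHLO mail.corp.example,
2012-12-13T20:30:01.100Z,EX1\Internet,SESSION-A,3,10.0.0.5:50123,203.0.113.25:25,<,250-STARTTLS,
2012-12-13T20:30:01.110Z,EX1\Internet,SESSION-A,4,10.0.0.5:50123,203.0.113.25:25,>,STARTTLS,
2012-12-13T20:30:01.150Z,EX1\Internet,SESSION-A,5,10.0.0.5:50123,203.0.113.25:25,<,220 2.0.0 SMTP server ready,
2012-12-13T20:30:01.200Z,EX1\Internet,SESSION-A,6,10.0.0.5:50123,203.0.113.25:25,*,,Sending certificate
2012-12-13T20:31:10.000Z,EX1\Internet,SESSION-B,0,10.0.0.5:50124,198.51.100.7:25,+,,
2012-12-13T20:31:10.050Z,EX1\Internet,SESSION-B,1,10.0.0.5:50124,198.51.100.7:25,<,220 legacy.example ESMTP,
2012-12-13T20:31:10.060Z,EX1\Internet,SESSION-B,2,10.0.0.5:50124,198.51.100.7:25,>,EHLO mail.corp.example,
2012-12-13T20:31:10.100Z,EX1\Internet,SESSION-B,3,10.0.0.5:50124,198.51.100.7:25,<,250 OK,
2012-12-13T20:31:10.110Z,EX1\Internet,SESSION-B,4,10.0.0.5:50124,198.51.100.7:25,>,MAIL FROM:<user@corp.example>,
'@

$summary = Get-StartTlsSummary -LogLines ($sampleLog -split "`r?`n")
'{0} of {1} outbound sessions negotiated STARTTLS' -f $summary.Encrypted, $summary.Sessions
if ($summary.Cleartext) {
    'Sent in the clear to: ' + ($summary.Cleartext -join ', ')
}
```

Running the same function over a day of real `SmtpSend` logs gives the ratio the question asks about for the domains you actually mail, and the cleartext list is the starting point for deciding which of them need the required-TLS connector from the other answer.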