TLS encryption

GD · Joined: 06 Aug 2007 Posts: 3

I have a question about TLS encryption. The way I understand it, for TLS
encrpyption to work when sending to a particular domain, you need to:
install a certificate on the server, configure a connector to send to the
domain, check 'TLS encryption' in Outbound Security from the Advanced tab of
the connector. Someone was saying that you don't need to install the
certificate for the traffic to be encrypted. Instead, you would only need
to set up the connector and configure the connector to send to the domain,
check 'TLS encryption' in Outbound Security from the Advanced tab of the
connector. I don't know how that could be possible without installing the
certificate. Anybody have information about this? Thanks in advance.

Archived from group: microsoft>public>exchange2000>misc

Leif Pedersen [MVP] · Joined: 05 Aug 2007 Posts: 193

Hi,

Certificates are required.

See http://msexchangeteam.com/archive/2006/10/04/429090.aspx

Leif

"GD" wrote in message @microsoft.com...
>I have a question about TLS encryption. The way I understand it, for TLS
>encrpyption to work when sending to a particular domain, you need to:
>install a certificate on the server, configure a connector to send to the
>domain, check 'TLS encryption' in Outbound Security from the Advanced tab
>of the connector. Someone was saying that you don't need to install the
>certificate for the traffic to be encrypted. Instead, you would only need
>to set up the connector and configure the connector to send to the domain,
>check 'TLS encryption' in Outbound Security from the Advanced tab of the
>connector. I don't know how that could be possible without installing the
>certificate. Anybody have information about this? Thanks in advance.

GD · Joined: 06 Aug 2007 Posts: 3

Thanks. This is how I understand it also. I have heard otherwise from a
vendor based on what is called Opportunistic TLS Encryption. Can you
comment on this specific scenario:

1) Mail server A in domain A has a certificate installed and has TLS
enabled. 2) Mail server B in domain B has TLS selected in the Outbound
Security configuration of an SMTP connector configured for domain A's
address space. I assume, with this configuration, the traffic sent from
clients in domain B to domain A will NOT have encrypted email traffic since
Mail server B does not have a certificate installed . I have heard
otherwise by a vendor. I want to confirm that my assumption is correct.
Can you confirm this?

Also see this information about the TLS process:
http://technet2.microsoft.com/WindowsServer/en/library/c22a4d3d-6335-4b9b-b344-bbae041203b41033.mspx?mfr=true

"Leif Pedersen [MVP]" wrote in message
news:%23xGVh0%23gHHA.4936@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> Certificates are required.
>
> See http://msexchangeteam.com/archive/2006/10/04/429090.aspx
>
> Leif
>
> "GD" wrote in message
> @microsoft.com...
>>I have a question about TLS encryption. The way I understand it, for TLS
>>encrpyption to work when sending to a particular domain, you need to:
>>install a certificate on the server, configure a connector to send to the
>>domain, check 'TLS encryption' in Outbound Security from the Advanced tab
>>of the connector. Someone was saying that you don't need to install the
>>certificate for the traffic to be encrypted. Instead, you would only need
>>to set up the connector and configure the connector to send to the
>>domain, check 'TLS encryption' in Outbound Security from the Advanced tab
>>of the connector. I don't know how that could be possible without
>>installing the certificate. Anybody have information about this? Thanks
>>in advance.
>
>

GD · Joined: 06 Aug 2007 Posts: 3

I set this up in a test environment and I know the answer to this. The
traffic will, in fact, be encrypted.

Basically this means you only need a cert on the server the mail is being
sent to as long as the communication is one-way. I assume that the article
in here requires that certs be installed on both sides for two way
communication.

In a two way communication, I assume the recieving server's certificate is
the one that is always used to encrpyt the traffic.
Does this make sense or do you think I am wrong in my assumption? Thanks
for your help on this.

"GD" wrote in message @microsoft.com...
> Thanks. This is how I understand it also. I have heard otherwise from a
> vendor based on what is called Opportunistic TLS Encryption. Can you
> comment on this specific scenario:
>
> 1) Mail server A in domain A has a certificate installed and has TLS
> enabled. 2) Mail server B in domain B has TLS selected in the Outbound
> Security configuration of an SMTP connector configured for domain A's
> address space. I assume, with this configuration, the traffic sent from
> clients in domain B to domain A will NOT have encrypted email traffic
> since Mail server B does not have a certificate installed . I have heard
> otherwise by a vendor. I want to confirm that my assumption is correct.
> Can you confirm this?
>
> Also see this information about the TLS process:
> http://technet2.microsoft.com/WindowsServer/en/library/c22a4d3d-6335-4b9b-b344-bbae041203b41033.mspx?mfr=true
>
>
> "Leif Pedersen [MVP]" wrote in message
> news:%23xGVh0%23gHHA.4936@TK2MSFTNGP04.phx.gbl...
>> Hi,
>>
>> Certificates are required.
>>
>> See http://msexchangeteam.com/archive/2006/10/04/429090.aspx
>>
>> Leif
>>
>> "GD" wrote in message
>> @microsoft.com...
>>>I have a question about TLS encryption. The way I understand it, for TLS
>>>encrpyption to work when sending to a particular domain, you need to:
>>>install a certificate on the server, configure a connector to send to the
>>>domain, check 'TLS encryption' in Outbound Security from the Advanced tab
>>>of the connector. Someone was saying that you don't need to install the
>>>certificate for the traffic to be encrypted. Instead, you would only
>>>need to set up the connector and configure the connector to send to the
>>>domain, check 'TLS encryption' in Outbound Security from the Advanced tab
>>>of the connector. I don't know how that could be possible without
>>>installing the certificate. Anybody have information about this? Thanks
>>>in advance.
>>
>>
>

Encryption We are in process of evaluating PGP for encryption. Since we already have Exchange 2000 in place I was wondering how could it be configured so that we can enable encryption within organization and is it possible to configure it so that we can enable encry

Enabling Transport Layer Security encryption for outgoing SM Hello Everyone, How do I configure the SMTP connector using TLS for remote delivery to a domain that has an expired certificate. Reason being, my connector keeps rejecting the SSL handshake because the certificate has expired. Thank You Ramon-

Encryption Solution? Hi, Can someone recommend a few encryption solution providers? Thanks

SSL certificate req'd encryption strength... We are looking to purchase an SSL certificate to use for remote OWA access and for only ONE particular user to access his email remotely using IMAP. Our provider quoted me a 256 bit SSL cert. Will this be good enough? There will be very little traffic...

Exchange 2003 mailbox encryption Is there a 3rd party add-on to encrypt the contents of an existing Exchange 2003 mailbox and transparently encrypt any new items, as well as transparently decrypt with an Outlook add-on, using a pre-selected password to encrypt? Basically, having exactly