S.Y. Paul Lai (Guest)
Posted: Thu Dec 02, 2004 9:21 pm
Post subject: Re: SSL/TLS SMTP
You shouldn't require the recipient's mailbox server to support TLS,
just like you shouldn't assume all web servers support HTTPS.
If you want to encrypt your outgoing mail, you need to obtain
the recipient's public key certificate and encrypt the
message with it.
You can, however, require your organization's Outlook / Outlook
Express POP/IMAP users to submit SMTP mail using TLS. You
can use the same certificate if the DNS FQDN of the SMTP VS is
the same as that of the OWA VS and POP3 VS.
To avoid an open relay at your SMTP servers, you should separate
the MX SMTP / smarthost SMTP VS from the client submission
SMTP VS. Disable ALL relay (even for authenticated users) at
the MX SMTP / smarthost SMTP VS. Allow relay at a separate
client submission SMTP VS, and require NT authentication with
128-bit TLS. DON'T add / register a DNS name for the client
submission VS. Ask the clients to connect using the IP address. Set up
an internal CA and issue a server certificate with the IP address as
common name to that VS. Ask the clients to trust the internal CA.
Note: OE6 and Outlook 2002 or earlier can only support Exchange
TLS at TCP port 25. You SHOULDN'T use TCP 465 or TCP
587 with them.
--
S.Y.Paul Lai
MC(DS)T
"Sage" <Sage@discussions.microsoft.com> wrote in message
news:0A492B15-27B1-4834-8E2A-5028DB212099@microsoft.com
Quote:
Hi.
I am trying to set up SSL. I am using the same certificate for OWA and POP3,
no problem. SMTP is a little harder. I do not want incoming SMTP to have
any restrictions but I want outgoing traffic encrypted. I plan to create 2
virtual servers, one for incoming with no restrictions and one for outgoing
with TLS required. Will this work? Also, can I use the same cert I used for
OWA and POP for SMTP?
Thanks.
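The split that Paul recommends above (one MX / smarthost VS that relays for nobody, one client-submission VS reachable by IP that relays only after authentication inside TLS) is easy to get subtly wrong in the Exchange GUI, so it is worth probing from the outside. The script below is an added example, not code from the original thread: it performs EHLO, optionally STARTTLS plus a second EHLO, and then an unauthenticated MAIL FROM / RCPT TO for a foreign domain, and turns the replies into findings. Host names, ports and the probe addresses are placeholders; the sample EHLO feature sets are constructed; reading "NT authentication with 128 bit TLS" as "AUTH must only be offered after STARTTLS" is my interpretation. Certificate verification is deliberately disabled in the probe because the submission VS in the post presents a certificate from an internal CA with an IP address as CN, which a default context would reject; if you keep a copy of that internal CA, load it with `ctx.load_verify_locations()` instead.

```python
"""Probe the MX/smarthost and client-submission SMTP virtual servers and check
that each enforces its policy: no relay at all on the MX VS, and STARTTLS,
then AUTH, then relay on the submission VS.

Added example (not from the original thread). Hosts, ports and probe
addresses are placeholders; the sample EHLO responses are constructed.
"""
import smtplib
import ssl

# Finding strings returned by the policy checks.
OPEN_RELAY = "relay to a foreign domain accepted without authentication (open relay)"
RELAY_INCONCLUSIVE = "relay attempt tempfailed (4xx); rerun the probe"
NO_STARTTLS = "submission VS does not advertise STARTTLS"
AUTH_BEFORE_TLS = "submission VS advertises AUTH on the cleartext channel"
NO_AUTH_AFTER_TLS = "submission VS advertises no AUTH inside TLS"


def _relay_findings(rcpt_code):
    """Map the reply code of an unauthenticated relay attempt to findings.

    2xx means a foreign recipient was accepted (open relay), 4xx is a
    temporary failure we cannot judge, 5xx (on Exchange typically
    550 5.7.1 'Unable to relay') is the refusal we want.
    """
    if 200 <= rcpt_code < 300:
        return [OPEN_RELAY]
    if 400 <= rcpt_code < 500:
        return [RELAY_INCONCLUSIVE]
    return []


def check_mx_policy(rcpt_code):
    """MX/smarthost VS: the only requirement is that relay is refused to everyone."""
    return _relay_findings(rcpt_code)


def check_submission_policy(plain_features, tls_features, rcpt_code):
    """Client-submission VS: STARTTLS offered, AUTH only after STARTTLS, and an
    unauthenticated relay attempt refused.

    plain_features / tls_features are smtplib-style EHLO dicts (lowercase
    keyword -> parameters) captured before and after STARTTLS; tls_features is
    None when no TLS handshake was attempted.
    """
    findings = []
    if "starttls" not in plain_features:
        findings.append(NO_STARTTLS)
    if "auth" in plain_features:
        findings.append(AUTH_BEFORE_TLS)
    if tls_features is not None and "auth" not in tls_features:
        findings.append(NO_AUTH_AFTER_TLS)
    findings.extend(_relay_findings(rcpt_code))
    return findings


def probe(host, port=25, sender="probe@example.com",
          foreign_rcpt="probe@example.net", try_starttls=False, timeout=10):
    """EHLO, optionally STARTTLS + EHLO again, then MAIL FROM / RCPT TO for a
    foreign recipient without authenticating. No DATA is ever sent.

    Returns (cleartext EHLO features, post-TLS EHLO features or None, reply
    code of the relay attempt). Verification is off because the post's
    submission VS uses an internal CA with an IP-address CN; this is a
    policy probe, not a trust check.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        plain = dict(smtp.esmtp_features)
        tls_features = None
        if try_starttls and smtp.has_extn("starttls"):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            smtp.ehlo()  # smtplib discards the old feature list; re-announce inside TLS
            tls_features = dict(smtp.esmtp_features)
        code, _ = smtp.mail(sender)
        if 200 <= code < 300:
            code, _ = smtp.rcpt(foreign_rcpt)  # the actual relay test
        return plain, tls_features, code


# Constructed sample EHLO feature sets, shaped like smtplib collects them.
SUBMISSION_PLAIN = {"size": "", "starttls": ""}
SUBMISSION_TLS = {"size": "", "auth": "NTLM LOGIN"}
MISCONFIGURED_PLAIN = {"size": "", "auth": "LOGIN"}


def demo_findings():
    """Run the checks on the samples: a correctly split pair, and a single VS
    that offers cleartext AUTH, no STARTTLS, and relays for anyone."""
    return {
        "mx_ok": check_mx_policy(550),
        "submission_ok": check_submission_policy(SUBMISSION_PLAIN, SUBMISSION_TLS, 550),
        "misconfigured": check_submission_policy(MISCONFIGURED_PLAIN, None, 250),
    }


if __name__ == "__main__":
    import sys
    mx_host, submission_ip = sys.argv[1], sys.argv[2]  # e.g. mail.example.com 192.0.2.25
    _, _, code = probe(mx_host, 25)
    print("MX VS:", check_mx_policy(code) or ["ok"])
    plain, tls, code = probe(submission_ip, 25, try_starttls=True)
    print("Submission VS:", check_submission_policy(plain, tls, code) or ["ok"])
```

Run it from outside the organization against the MX host and from a client subnet against the submission VS's IP; a clean result is `['ok']` for both. The relay attempt stops at RCPT TO, so nothing is queued even against a genuinely open relay, and a 4xx on RCPT is reported as inconclusive rather than as a pass.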