Clarify outbound TLS setup on Exchange 2003?


tom12010

We have an SSL certificate installed in our Exchange 2003 server for TLS for our domain name.

Receiving TLS email works fine.

We set up a 'TLS Connector' SMTP connector and fed into it all the mail server IPs with which we want TLS.

One of the sites is not receiving any TLS email from us.

My questions:

1. Do I need a separate SMTP connector for each domain for which we want outbound TLS? (Properties, General tab) And in this tab only the IPs for that specific domain? Or can I put all the domain IPs here?

2. Within the SMTP connector, should I enter only the mail server IPs and the domains of that domain and not our own domain? (Properties, Address Space) Or can I enter all the domain names here?

What else can/should I do to make outbound TLS work properly?

Inbound TLS appears to work... I need to get outbound TLS working properly and would appreciate more understanding of how the SMTP connectors must be set up.

Our Default SMTP Connector has no TLS encryption set up on it.

Our 'TLS Connector' has only TLS encryption checked in Advanced, Outbound Security.

Thank you, Tom
 

Peter Durkee

You don't need a separate connector for each domain; you just need to list each domain under address space for your one TLS connector. Also make sure the cost for those listed domains is lower than the cost of your default connector.

-Peter

"tom12010" <tlyczko@gmail.com> wrote in message
news:57cbbc55-3f15-489d-91c3-96ce62fc2790@c3g2000yqd.googlegroups.com...
 

Rich Matheisen [MVP]

On Wed, 25 Nov 2009 12:58:29 -0800 (PST), tom12010 <tlyczko@gmail.com> wrote:

> We have an SSL certificate installed in our Exchange 2003 server for
> TLS for our domain name.
> Receiving TLS email works fine.

Are they receiving the email in non-TLS sessions from your server? Or is the email just remaining on your server for some reason?

> We set up a 'TLS Connector' SMTP connector and fed into it all the
> mail server IPs with which we want TLS.
> One of the sites is not receiving any TLS email from us.
> My questions:
> 1. Do I need a separate SMTP connector for each domain for which we
> want outbound TLS?? (Properties, General tab) and in this tab only the
> IPs for that specific domain?? Or can I put all the domain IPs here??

No need for multiple SMTP Connectors. You can add all the domains to the Address Space tab on just one of them.

> 2. Within the SMTP connector I should enter only the mail server IPs
> and the domains of that domain and not our own domain?? (Properties,
> Address Space) Or can I enter all the domain names here??

Where? On the "Address Space" tab? Just the domain names. The connector should be using DNS to locate the target MX for the domain.

> What else can/should I do to make outbound TLS work properly??

It's working properly. You may have it misconfigured, or you may have misunderstood how it works, though.

> Inbound TLS appears to work...I need to get outbound TLS working
> properly and would appreciate more understanding of how the SMTP
> connectors must be set up.
> Our Default SMTP Connector has no TLS encryption set up on it.
> Our 'TLS Connector' has only TLS encryption checked in Advanced,
> Outbound Security.

You'll need the "Anonymous access" selected, too. And the domains to which you send those messages will have to accept anonymous connections.

-
Rich Matheisen

 

Peter Durkee

I always use DNS for routing.

-Peter

"tom12010" <tlyczko@gmail.com> wrote in message
news:a11801b9-791f-45f7-8dcb-69cee5b610da@z41g2000yqz.googlegroups.com...
> I found these KB articles:

> http://support.microsoft.com/kb/829721
> http://support.microsoft.com/kb/329061

> They don't help me verify that outbound TLS works or not...how do I do
> this??

> Also in the General tab for the TLS connector, should I use the DNS to
> route everything or should I list the other companies email server IPs
> in the smart hosts?? Everything I have read says the latter.

> Thank you, Tom
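Tom's question about how to verify that outbound TLS works can be answered from the sending side by doing what the connector does: connect to the partner's MX on port 25 without authenticating (Rich's "anonymous access" point), send EHLO, and see whether STARTTLS is offered and whether the handshake completes. The script below is an added example, not code from the thread or from Exchange. The MX host name, the HELO name and the sample EHLO replies are constructed; look up the real MX for a partner domain with `nslookup -type=MX partner-domain` and pass that host on the command line.

```python
"""Check from the sending side whether a recipient's MX offers STARTTLS.

Added example (not from the thread or from Exchange). Usage:
    python probe_starttls.py mx.partner.example
"""
import smtplib
import socket
import ssl
import sys

# Constructed EHLO replies in the form smtplib returns them: the "250-" prefixes
# are already stripped and the lines are joined with "\n". Used for offline checks.
SAMPLE_EHLO_WITH_TLS = b"mail.partner.example Hello [192.0.2.10]\nSIZE 10485760\nSTARTTLS\nAUTH LOGIN\nOK"
SAMPLE_EHLO_NO_TLS = b"mail.partner.example Hello [192.0.2.10]\nSIZE 10485760\nAUTH LOGIN\nOK"


def ehlo_extensions(ehlo_message: bytes) -> dict:
    """Parse an EHLO reply into {EXTENSION: parameters}; the first line is the greeting."""
    extensions = {}
    for line in ehlo_message.decode("ascii", "replace").splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            extensions[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return extensions


def supports_starttls(ehlo_message: bytes) -> bool:
    """True when the server advertised the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in ehlo_extensions(ehlo_message)


def probe_starttls(host: str, port: int = 25, helo_name: str = "mail.example.net",
                   verify_cert: bool = True, timeout: float = 15.0) -> dict:
    """Connect anonymously (no AUTH, as a connector does), EHLO, and attempt STARTTLS.

    Returns a dict describing what happened so the caller can tell apart
    "STARTTLS never offered", "handshake/certificate failed" and "TLS works".
    """
    result = {"host": host, "starttls_offered": False, "tls_established": False,
              "tls_version": None, "peer_subject": None, "error": None}
    context = ssl.create_default_context()
    if not verify_cert:
        # Diagnostic only: lets the handshake complete against a self-signed or
        # mismatched certificate so the rest of the session can still be observed.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    try:
        with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout) as smtp:
            code, message = smtp.ehlo()
            if code != 250:
                result["error"] = "EHLO rejected: %d %s" % (code, message.decode("ascii", "replace"))
                return result
            result["starttls_offered"] = supports_starttls(message)
            if not result["starttls_offered"]:
                return result
            smtp.starttls(context=context)        # raises on a failed handshake or cert check
            result["tls_established"] = True
            result["tls_version"] = smtp.sock.version()
            cert = smtp.sock.getpeercert()        # empty dict when verify_mode is CERT_NONE
            if cert:
                result["peer_subject"] = dict(pair[0] for pair in cert.get("subject", ()))
            smtp.ehlo()                           # RFC 3207: re-issue EHLO after the handshake
    except (smtplib.SMTPException, ssl.SSLError, socket.error) as exc:
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.partner.example"
    for key, value in probe_starttls(target).items():
        print("%-17s %s" % (key, value))
```

If `starttls_offered` is False the remote side never advertises STARTTLS to an anonymous sender and no connector setting on your side will help; if it is True but `tls_established` is False with a certificate error, re-run with `verify_cert=False` to confirm that the only problem is the certificate the partner presents.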
 

tom12010

Thank you everyone for answering!!

1. Cost: Is a lower cost a negative number (less than 1) or another number (greater than 1)? Or do I give MY SMTP server a number greater than 1?

I just now read elsewhere that I could set the * wildcard SMTP connector in the Default SMTP connector to be 99. I could set the cost of domains in the "TLS Connector" to be less than 99 and things would work properly?

2. I was under the impression that I had to put all the other companies' mail server domain IPs into the line where it says smart hosts... I should get rid of this list of IP addresses and *instead* check the "Use DNS" thing and put all the domains for which we want TLS into the Address Space, correct?

From what you say, Rich, it appears I should tick the "Use DNS..." line on the General tab and put all the email domains into the domains list and not use the smart hosts thing... correct?

Really appreciate people responding to me on a holiday evening...

Thank you, Tom
 

Rich Matheisen [MVP]

On Wed, 25 Nov 2009 14:07:47 -0800 (PST), tom12010 <tlyczko@gmail.com> wrote:

> Thank you everyone for answering!!
> 1. Cost: Is a lower cost a negative number (less than 1) or another
> number (greater than 1)?? Or do I give MY smtp server a number greater
> than 1??

Cost is always a positive number. The greater the number, the greater the cost. But cost is hardly ever effective in determining message routing.

> I just now read elsewhere that I could set the * wildcard SMTP
> connector in the Default SMTP connector to be 99. I could set the cost
> of domains in the "TLS Connector" to be less than 99 and things would
> work properly??

If you have a specific domain in a connector's address space then cost isn't considered at all (unless you have two connectors that have the same domain in their address spaces and both connectors use local bridgehead servers on machines other than the one from which the message was sent).

> 2. I was under the impression that I had to put all the other
> companies' mail server domain IPs into the line where it says smart
> hosts...

Oh, good Lord, no!

> I should get rid of this list of IP addresses and *instead*
> check the "Use DNS" thing and put all the domains for which we want
> TLS into the Address Space, correct??

That's correct.

> From what you say, Rich, it appears I should tick the "Use DNS..."
> line on the General tab and put all the email domains into the domains
> list and not use the smart hosts thing...correct??

You betcha.
-
Rich Matheisen
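Rich's answer on cost can be stated as a rule: an address space that names the recipient's domain wins over the `*` wildcard no matter what either cost is, and cost only decides between connectors whose address spaces match equally well. The model below is an added example, not Exchange code, written to make that rule concrete. It is a simplification: it ignores bridgehead location and connector scope (the one situation Rich names where cost does matter), it assumes a bare domain entry matches only that domain and `*.suffix` is needed for subdomains, and the connector names and partner domains are constructed.

```python
"""Simplified model of how an Exchange 2003 SMTP connector is chosen for a recipient domain.

Added example, not Exchange code. Assumed matching rules: an exact domain name
matches only that domain, "*.suffix" matches subdomains, "*" matches everything.
The most specific match wins; cost only breaks ties between equally specific matches.
"""
from dataclasses import dataclass


@dataclass
class Connector:
    name: str
    address_spaces: dict          # address space -> cost (always a positive number)
    tls_required: bool = False    # "TLS encryption" under Advanced > Outbound Security


def match_specificity(space: str, domain: str) -> int:
    """Return -1 for no match, 0 for the '*' wildcard, otherwise the number of
    labels the address space pins down (more labels = more specific)."""
    space, domain = space.lower().rstrip("."), domain.lower().rstrip(".")
    if space == "*":
        return 0
    if space.startswith("*."):
        suffix = space[1:]                        # "*.example.com" -> ".example.com"
        return suffix.count(".") if domain.endswith(suffix) else -1
    return len(space.split(".")) if domain == space else -1


def choose_connector(connectors, recipient_domain):
    """Pick the connector whose address space matches most specifically; among
    equally specific matches the lowest cost wins. Returns None if nothing matches."""
    best_key, best = None, None
    for connector in connectors:
        for space, cost in connector.address_spaces.items():
            specificity = match_specificity(space, recipient_domain)
            if specificity < 0:
                continue
            key = (specificity, -cost)            # higher tuple is better
            if best_key is None or key > best_key:
                best_key, best = key, connector
    return best


# Constructed configuration mirroring the thread: a catch-all default connector with
# the wildcard at cost 99, and one TLS connector listing only the partner domains.
# partner-b deliberately has a cost above 99 to show that cost does not matter here.
CONNECTORS = [
    Connector("Default SMTP Connector", {"*": 99}),
    Connector("TLS Connector", {"partner-a.example": 1, "partner-b.example": 150},
              tls_required=True),
]


def route(domain: str, connectors=CONNECTORS):
    """Return (connector name, TLS required) for a recipient domain."""
    chosen = choose_connector(connectors, domain)
    return (chosen.name, chosen.tls_required) if chosen else (None, False)


if __name__ == "__main__":
    for d in ("partner-a.example", "partner-b.example", "mail.partner-a.example", "other.example"):
        name, tls = route(d)
        print("%-26s -> %-24s TLS required: %s" % (d, name, tls))
```

The `mail.partner-a.example` case is the one to watch in practice: with only the bare domain listed, mail to a subdomain falls through to the default connector and goes out without TLS, so list every domain (or a `*.` entry) the partner actually uses in the address space.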

 

tom12010

On Nov 25, 9:36 pm, "Rich Matheisen [MVP]" <richn...@rmcons.com.NOSPAM.COM> wrote:
> On Wed, 25 Nov 2009 14:07:47 -0800 (PST), tom12010 <tlyc...@gmail.com
> wrote:

Hi Rich,

Thank you for answering!! -- especially the night before Turkey Day!!

Tomorrow I will work on fixing our TLS connector and test it out with someone.

I'll update this thread too.

Thanks for being so helpful, Tom
 

tom12010

Update to this thread:

I fixed our TLS connector as Rich suggested above and it worked correctly with the one company with whom we work that 'enforces' TLS email, so it should work with our other companies as well. If not, then it will be individual troubleshooting with whomever has issues etc. Our TLS connector now only contains domains with whom we want outbound TLS, and inbound TLS had worked properly before I began this investigation.

Thank you, Tom
 