
TLS advice 2


PaulGillespie (Technical User, Jul 2, 2002, GB)
Hi,

I have to set up TLS for secure comms between my company and a client. Having read lots of how-tos and guides, I still have a couple of questions.

Setup:
SBS2003 192.168.0.2; we connect through a simple firewall device on the network. No proxies or anything like that.

I have set the server NIC to also listen on 192.168.0.3, as per the instructions I have.
A new virtual server and SMTP connector have been set up, and I think they are OK; again, I have followed instructions.

We receive normal emails on port 25 to the Exchange server. Do I have to configure the new TLS virtual server to listen on another port, say 26? If it is to listen on port 25, then how do I configure my firewall? To pass 25 on to both listening IP addresses?

This is the part I'm stuck on, the firewall and port setup side. We only have a single public IP. Do I need another?

Thanks

Paul
 
The official guides for TLS are confusing and very unclear. It's very easy to end up 2/3rds of the way down the road to implementing a TLS solution that's inappropriate for your environment.

You usually configure your existing SMTP virtual server to accept TLS sessions that are made to it, so that's what happens to inbound port 25 TLS traffic.

You set up the other SMTP Virtual server for OUTBOUND traffic to the client. Because it's outbound, you don't need to worry about passing port 25 to it. It makes a connection to the destination server's default SMTP port, which is also configured to negotiate TLS if an inbound session like the one you are initiating requests to use TLS.

So to recap, the extra SMTP virtual server and IP are just for outbound connections. Don't worry about any firewall changes, unless your firewall is locked down to only allow outbound port 25 traffic from your original server IP.

The reason you are setting up an extra connector and virtual SMTP server is just so that you can handle outbound traffic to your client separately from other outbound traffic. Inbound differentiation is automatically handled by your default SMTP virtual server.

ShackDaddy
Shackelford Consulting
 
Hi ShackDaddy, thanks for the reply.

I agree, there does not seem to be one definitive guide; it's all a bit vague!

So I reconfigure my default SMTP virtual server to accept TLS, and I create a new SMTP connector just for outgoing TLS traffic specific to my client/business partner.

So do I still need to configure my server's NIC to listen on another IP address, i.e. 192.168.0.2 and 192.168.0.3?

And do I still need to create another virtual server configured for TLS listening on 192.168.0.3? I thought virtual servers were for inbound connections? If I have the default virtual server, why do I need a second one which appears to be doing nothing?

Sorry if these questions sound silly, I'm just learning! :)

Thanks again for your help.

Paul
 
OK, I've been playing and I think I see why you create a new virtual server: just for manageability really; it makes sense to keep it all separate.

Just tried to set up a test, but my other Exchange server won't allow me to create a new virtual server, heigh-ho. I'll restart the server tonight and see what happens.

Cheers

Paul
 
Well, after a couple of problems, I have now got it all working.

If anyone is going down this route and needs advice feel free to ask.

Cheers

Paul
 
PaulGillespie, I'm wondering if you could lay out the details of how you ended up configuring this as I have to do exactly the same thing. I have exactly the same concerns that you mentioned.

If I don't create a second SMTP virtual server and I just check all 4 boxes in the authentication tab, will that suffice to allow domains that want to connect to us with TLS to connect, without blocking others from connecting?

In the end, did you end up creating a second SMTP virtual server listening on a second IP address? If so, did you have to modify any firewall rules to point the TLS-required connection attempts to that specific SMTP virtual server, or does Exchange know how to manage the connection attempts and automatically point them to the right SMTP virtual server?

Thanks!!
 
If you enable the certificate for TLS on the existing VS, then you can receive TLS mail without a problem. You'll notice that if you telnet to the server over port 25, the TLS noun is presented in the EHLO response. You only need to create another VS to SEND TLS mail.

If you check the "Requires TLS encryption" box on your default VS, inbound email will stop from all sources except those using TLS.


Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
Thanks so much 58sniper. I actually ended up doing exactly that this afternoon (install the certificate on the default virtual host), and also verified by telnetting. However, I have a few more specific questions that I'm hoping you or someone can help with.

First, if you check the "requires TLS encryption" box, but you leave the other options checked too, won't you be accepting all types of connections? It's very misleading the way the GUI displays it because it seems contradictory. I actually tried checking the "requires TLS encryption" without restarting the SMTP service or SMTP virtual host and I was still able to receive external email. I was able to add the certificate and verify that TLS was available without having to restart the SMTP service, so it seemed at least somewhat plausible that restarting the service wouldn't be necessary after checking the "requires TLS" checkbox in order for the change to take effect. However, from what you're saying it sounds like the reason I was able to still receive external email was probably because the service does, in fact, need to be restarted for that setting to take effect. Either that or I unknowingly was receiving mail from a server that supported TLS, which I think is unlikely but certainly possible.

The next question I have is with regards to sending encrypted mail to a specific remote domain that has TLS enabled. From what I've read it sounds like I need to create a new SMTP connector and in the "address space" field add the remote domain(s) that are accepting TLS mail, and then check the box in the advanced properties to require TLS, correct? For the bridgehead server can I just use my default SMTP virtual server? Or do I need to configure a second SMTP virtual server specifically for that?

Last question, if I were to configure 2 SMTP Virtual hosts as is suggested on many web posts, and each host is listening on a different IP (the server NIC is bound to 2 IPs), and then on one virtual host I check the "requires TLS" field, but on the other virtual host I don't check that box, what will the outcome be? It sounds like in that configuration I'd have to somehow tell my firewall to forward mail from the domains that I'm receiving TLS mail to the IP address of the virtual host that has the checkbox for "requires TLS" checked off. That just doesn't feel right to me that I would have to do that. So... as many web posts suggest to do this, they don't talk about any firewall mods etc. It's not clear then how the correct TLS traffic gets to the correct virtual host and the non-TLS traffic gets to the non-TLS virtual host.

Any thoughts, suggestions, or answers are very much appreciated.

Thanks.
 
diggyz said:
First, if you check the "requires TLS encryption" box, but you leave the other options checked too, won't you be accepting all types of connections?
No - if you REQUIRE TLS, then you'll not accept non-TLS mail.

diggyz said:
From what I've read it sounds like I need to create a new SMTP connector and in the "address space" field add the remote domain(s) that are accepting TLS mail, and then check the box in the advanced properties to require TLS, correct?
That sounds correct.

diggyz said:
Last question, if I were to configure 2 SMTP Virtual hosts as is suggested on many web posts, and each host is listening on a different IP (the server NIC is bound to 2 IPs), and then on one virtual host I check the "requires TLS" field, but on the other virtual host I don't check that box, what will the outcome be?
That depends on the address space.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
Wow. Thanks for the quick responses. Regarding the last answer. You said " That depends on the address space." I thought you configure the address space on the smtp connector not on the smtp virtual host. Am I missing something? Thanks again so much for the help. It is very appreciated.
 
You're right, that's on the connector, not the virtual SMTP server.

Here's how I have it set up:

I create a new connector for the remote address space that I want outbound TLS to. I configure the address space for that remote domain, and on the Advanced tab, under Outbound Security, I check the TLS checkbox.

Then on the default SMTP virtual server, I go into the Access tab, under Authentication, and I check the Require TLS box. That only applies to inbound connections that would otherwise use Basic Authentication, and I also have Anonymous authentication enabled, so it doesn't block inbound traffic from regular SMTP connections.

With those two settings, I am able to allow inbound TLS connections and normal SMTP connections, and I'm also able to send all outbound traffic to the remote domain using a connector especially built for TLS.

That's all I do, and I've set it up to work multiple times. If you look at emails either to or from the server from a TLS partner, you can tell by the headers that the mail used TLS.

ShackDaddy
Shackelford Consulting
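ShackDaddy's closing remark, that the headers of mail exchanged with a TLS partner show whether the hop used TLS, is worth automating. The following is an added example, not code from this thread or from Exchange: it walks the Received: headers of a message and reports, per hop, whether the receiving MTA recorded TLS. It relies on two conventions: the RFC 3848 protocol names ESMTPS/ESMTPSA in the "with" clause, and the free-text annotations (such as "version=TLS1_2" or "using TLSv1.2") that some MTAs add in a comment. Whether a given server writes either is an assumption you must confirm against your own headers; an MTA that records nothing about TLS will show as "no evidence", which is not the same as plaintext. The sample message is constructed, and the host names in it are hypothetical.

```python
"""
Per-hop TLS evidence from the Received: headers of an RFC 5322 message.
Added example; the sample message below is constructed, not a capture.
"""
import email
from email import policy
import re

# RFC 3848 / RFC 6531 'with' protocol names: trailing S = session was under
# TLS, trailing A = client also authenticated.
TLS_WITH_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
# Free-text annotations some MTAs put in a comment, e.g. "(version=TLS1_2 ...)"
# or "(using TLSv1.2 with cipher ...)".  Assumed formats; check your own MTA.
TLS_COMMENT = re.compile(r"\b(?:version=|using\s+)?TLS\s*v?\d", re.IGNORECASE)

# Constructed sample: the partner's server delivered over TLS into
# mail.ourcompany.example; the hop before that, inside the partner's
# network, was plain SMTP.  "verify=NO" records that the receiving side
# encrypted but did not validate the sender's certificate.
SAMPLE_MESSAGE = """\
Received: from mail.partner.example (mail.partner.example [192.0.2.10])
\tby mail.ourcompany.example with ESMTPS id 3k7Q2b0Z9n
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
\tTue, 6 Feb 2007 10:15:02 +0000
Received: from [10.1.1.5] (helo=workstation)
\tby mail.partner.example with ESMTP id abc123;
\tTue, 6 Feb 2007 10:14:58 +0000
From: someone@partner.example
To: someone@ourcompany.example
Subject: TLS test

body
"""


def strip_comments(text: str) -> str:
    """Remove (possibly nested) parenthesised comments from a header value."""
    while True:
        stripped = re.sub(r"\([^()]*\)", "", text)
        if stripped == text:
            return text
        text = stripped


def received_hops(raw_message: str) -> list:
    """Return one dict per Received: header, most recent hop first."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())          # unfold continuation lines
        clauses = strip_comments(text)           # "with cipher ..." in comments
        from_m = re.search(r"\bfrom\s+(\S+)", clauses)
        by_m = re.search(r"\bby\s+(\S+)", clauses)
        with_m = re.search(r"\bwith\s+([A-Za-z0-9-]+)", clauses)
        protocol = with_m.group(1).upper() if with_m else ""
        hops.append({
            "from": from_m.group(1) if from_m else "",
            "by": by_m.group(1) if by_m else "",
            "with": protocol,
            "tls": protocol in TLS_WITH_PROTOCOLS or bool(TLS_COMMENT.search(text)),
        })
    return hops


def hop_into(hops: list, our_host: str) -> dict:
    """The only Received: line you can trust is the one your own server wrote;
    every line below it arrived inside the message and can be forged."""
    for hop in hops:
        if hop["by"].lower() == our_host.lower():
            return hop
    raise LookupError(f"no Received header written by {our_host}")


if __name__ == "__main__":
    hops = received_hops(SAMPLE_MESSAGE)
    for hop in hops:
        print(f"{hop['from']:>28} -> {hop['by']:<28} {hop['with']:<8} "
              f"{'TLS' if hop['tls'] else 'no TLS evidence'}")
    print("hop into our server:", hop_into(hops, "mail.ourcompany.example"))
```

Run it over a saved message (for example `received_hops(open("msg.eml").read())`) and look only at the hop returned by `hop_into` for your own server; the earlier hops tell you what the partner's internal relays did, on the partner's word alone.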
 
ShackDaddy, thanks!!! That is exactly what I was looking for. Great answer!! Thanks again.
 
Pat, I have a question for you here: my solution doesn't include trading certificates with the remote Exchange server. Is this really proper TLS without adding that component, or do the servers encrypt anyway on a default level?

ShackDaddy
Shackelford Consulting
 
Shack, I know you directed this to Pat, but I can tell you definitively that the servers must have certificates to do encryption. That's how they do the secure key exchange-- without the certs they could not negotiate the encryption protocol and symmetric key.
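Two points in this thread lend themselves to a scripted check: Pat's tip that you can telnet to port 25 and look for the TLS keyword in the EHLO reply, and diggyz's point just above that the server must hold a certificate for the key exchange to happen at all. The following is an added example, not code from this thread or from Exchange: `parse_ehlo()` reads a captured EHLO reply offline, `check_starttls()` connects to a live server, completes STARTTLS and reports the protocol, cipher and certificate fingerprint actually presented, and `plaintext_refused()` tests whether a server turns away MAIL FROM before STARTTLS with the 530 reply RFC 3207 prescribes, which is the behaviour you want from a virtual server that requires a secure channel. The sample replies are constructed in the shape of an IIS SMTPSVC reply, not captures from a real host, and the client name `tls-check.example` and default target host are hypothetical. The probe deliberately does not validate the certificate; it reports the fingerprint so you can compare it with what the partner says they installed.

```python
"""
STARTTLS probe for an SMTP server.  Added example, not Exchange's own code.
parse_ehlo() is offline; check_starttls() and plaintext_refused() go on the wire.
"""
import hashlib
import smtplib
import ssl
import sys

CLIENT_NAME = "tls-check.example"   # hypothetical EHLO name for the probe

# Constructed sample replies modelled on the shape of an IIS SMTPSVC EHLO
# response; the second one is what you expect once a certificate is bound.
EHLO_PLAIN = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-TURN\r\n"
    "250-SIZE\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-8bitmime\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-AUTH=LOGIN\r\n"
    "250 OK\r\n"
)
EHLO_TLS = EHLO_PLAIN.replace("250-SIZE\r\n", "250-SIZE\r\n250-STARTTLS\r\n250-TLS\r\n")


def parse_ehlo(reply: str) -> dict:
    """Return {EXTENSION_KEYWORD: parameters} from a raw multi-line EHLO reply.

    RFC 5321: each line is '250' then '-' (more follows) or ' ' (last line);
    the first line is the greeting and carries no extension.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    extensions = {}
    for index, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        if index == 0:
            continue                                  # greeting line
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params.strip()
        if line[3] == " ":
            break                                     # final line
    return extensions


def offers_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo(reply)


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """EHLO, STARTTLS if offered, then report what the server presented.
    Certificate validation is off on purpose: this inspects, it does not trust."""
    result = {"host": host, "starttls": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(CLIENT_NAME)
        if not smtp.has_extn("starttls"):
            return result
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        smtp.starttls(context=context)
        smtp.ehlo(CLIENT_NAME)            # RFC 3207: EHLO again after STARTTLS
        der = smtp.sock.getpeercert(binary_form=True)
        result.update(
            starttls=True,
            protocol=smtp.sock.version(),
            cipher=smtp.sock.cipher()[0],
            cert_sha256=hashlib.sha256(der).hexdigest() if der else None,
            auth_after_tls=smtp.esmtp_features.get("auth", ""),
        )
    return result


def plaintext_refused(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """True if MAIL FROM before STARTTLS gets RFC 3207's
    '530 Must issue a STARTTLS command first'."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(CLIENT_NAME)
        code, _ = smtp.docmd("MAIL FROM:<>")
        smtp.docmd("RSET")
        return code == 530


if __name__ == "__main__":
    print("sample replies offer STARTTLS:", offers_starttls(EHLO_TLS), offers_starttls(EHLO_PLAIN))
    if len(sys.argv) > 1:                 # e.g. python probe.py mail.example.com
        print(check_starttls(sys.argv[1]))
        print("plaintext MAIL FROM refused:", plaintext_refused(sys.argv[1]))
```

Run it against the server's IP from outside the firewall as well as from inside: the inside run tells you the virtual server is configured, the outside run tells you the firewall passes port 25 to it, which was the original question in this thread.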
 
Well, I just made sure, and the servers I've set up were already configured to use a cert, so that's where the encryption came in.

I'll also point out that there's a setting on the Default SMTP Virtual Server Access tab called "Require Secure Channel," which, if selected, will require all communication on that virtual server to be conducted via TLS, so that's why sometimes a unique VS is created to handle inbound traffic from TLS partners. But I like setting it up the way I described to keep the complexity on the firewall side of things down. Some networks don't have the ability to populate another public IP and get it set up as an alternate mailserver.

ShackDaddy
Shackelford Consulting
 
By the way, a great resource for learning about cryptography is on Episode number 34 is what you're looking for with regards to how public key cryptography works, but I'd listen to all the cryptography podcasts chronologically in order to get the full understanding.
 
Seems like all your questions have been answered, but if not, let me know and I'll do what I can to help.
 
ShackDaddy - you don't have to "trade" certs - that should happen automatically when the two negotiate. They should both publish the TLS command.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
That's what seemed to be happening, and I wanted to make sure that there wasn't something additional that one can do to formalize the encryption. Seemed a little too easy sometimes.

ShackDaddy
Shackelford Consulting
 