Exchange Server Forums

TLS Pros & Cons

TLS Pros & Cons - 14.Nov.2007 10:37:54 PM
sharma.satyajeet (Posts: 60, Joined: 12.Dec.2006)
Hi Everybody,

In what scenario do we need to use TLS on Exchange 2003? What are its pros and cons?

Post #: 1
RE: TLS Pros & Cons - 15.Nov.2007 1:47:46 AM
rishishah (Posts: 576, Joined: 14.Nov.2006, From: Surrey, UK)
TLS is encryption for the e-mail transmission while it is going across to another mail server. The other mail server could be across the internet or across your WAN.

Use TLS, for example, if you are going to allow your remote users to relay mail via your mail server across the internet, as this will encrypt the username and password too for the SMTP connection (if you implement this).

If you send sensitive e-mails to your partners on a regular basis, use TLS to send e-mail to them, as this ensures the e-mail transmission from your SMTP server to their SMTP server is encrypted.

Finally, use TLS to further protect your ActiveSync, OWA or RPC/HTTPS as opposed to using the weaker SSL.

Pros: the transmission is encrypted and hence a bit more secure; also you get a sort of confirmation, especially between partners, that the e-mail did come from the partner's server.

Cons: slight load due to the encryption (but very slight); if you use an internal CA to get the certificates from, you need to give your public root cert to your partner so that they can trust your certs, and vice versa.

_____________________________

Rishi Shah, MCP

If a piece of advice works, report this to the forum so that others are more confident about it.

Want a quicker answer? Then describe your issue in as much detail as possible and exactly what steps you have already taken.

(in reply to sharma.satyajeet)
Post #: 2
RE: TLS Pros & Cons - 16.Nov.2007 10:03:11 PM
sharma.satyajeet (Posts: 60, Joined: 12.Dec.2006)
Dear Rishi,

1) If we want to enable TLS for only specific domains, is it necessary to enable TLS on my default SMTP virtual server, or will it be OK if I just enable TLS on the SMTP connector for those remote domains?

2) Suppose we are using an internal CA for issuing certificates; what do we need to do at the other end, i.e. the remote domains?

(in reply to rishishah)
Post #: 3
RE: TLS Pros & Cons - 17.Nov.2007 5:08:46 AM
rishishah (Posts: 576, Joined: 14.Nov.2006, From: Surrey, UK)
Have a look at this site... http://msexchangeteam.com/archive/2006/10/04/429090.aspx (I think the msexchangeteam site is down for the weekend)

Also, if you use your own CA, you need to send across the public root CA cert to them too, so that they can install and trust the cert on their SMTP server.

(in reply to sharma.satyajeet)
Post #: 4
RE: TLS Pros & Cons - 3.Dec.2007 1:04:55 PM
sharma.satyajeet (Posts: 60, Joined: 12.Dec.2006)
Dear All,

I enabled TLS on my server and created a new TLS connector for specific remote domains. But my messages are getting stuck in queues, and when I click on those queues it gives me the information that the remote server does not support TLS. I confirmed with the administrator of the remote domain, who said that TLS is enabled on his server, so where is the problem?

Kindly help me to troubleshoot this. I want to set up TLS for some specific domains.

(in reply to rishishah)
Post #: 5
RE: TLS Pros & Cons - 3.Dec.2007 1:13:43 PM
rishishah (Posts: 576, Joined: 14.Nov.2006, From: Surrey, UK)
Do you trust each other's root CAs, and are the certs valid (FQDN resolution, date and trust)?

(in reply to sharma.satyajeet)
Post #: 6
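The checks Rishi lists (does the remote server actually offer TLS, and does its certificate chain to a CA you trust, match the host name and sit inside its validity dates) can be scripted. This is an added example written for this page, not code from the thread or from Exchange; the host and CA file names are placeholders, and a failed TCP connection propagates as an exception so that it is not mistaken for "remote server does not support TLS".

```python
"""Added example (not from the thread): probe a partner's SMTP server as the
troubleshooting here calls for: is STARTTLS offered (the "remote server does
not support TLS" queue message), and does its certificate chain to a CA you
trust, match the host name and sit inside its validity dates? Placeholders only."""
import smtplib
import ssl


def parse_ehlo_extensions(ehlo_reply: bytes) -> dict:
    """EHLO reply body as smtplib returns it (greeting first) -> {KEYWORD: params}."""
    feats = {}
    for line in ehlo_reply.decode("ascii", "replace").splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            feats[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return feats


def check_starttls(host: str, port: int = 25, cafile: str = None) -> dict:
    """cafile: PEM bundle with the partner's root CA when they use an internal
    CA; None uses the system trust store (enough for a commercial cert)."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname + dates
    result = {"starttls_offered": False, "tls_ok": False, "error": None}
    smtp = smtplib.SMTP(host, port, timeout=15)  # connect errors propagate
    try:
        _code, reply = smtp.ehlo()
        result["starttls_offered"] = "STARTTLS" in parse_ehlo_extensions(reply)
        if not result["starttls_offered"]:
            return result  # a TLS-only connector would leave mail queued here
        smtp.starttls(context=ctx)  # raises if the chain is not trusted
        cert = smtp.sock.getpeercert()
        result["tls_ok"] = True
        result["subject"] = dict(x[0] for x in cert["subject"])
        result["not_after"] = cert["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "certificate not trusted: " + exc.verify_message
    except (ssl.SSLError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    finally:
        smtp.close()
    return result


# Constructed EHLO replies in the shape smtplib returns them (status codes stripped).
SAMPLE_EHLO_TLS = b"mx.partner.example Hello [192.0.2.10]\nSIZE 10485760\nSTARTTLS\nAUTH LOGIN PLAIN\nOK"
SAMPLE_EHLO_NO_TLS = b"mx.partner.example Hello [192.0.2.10]\nSIZE 10485760\nAUTH LOGIN PLAIN\nOK"

if __name__ == "__main__":  # placeholder host and CA file
    print(check_starttls("mx.partner.example", cafile="partner-root-ca.pem"))
```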
RE: TLS Pros & Cons - 3.Dec.2007 2:17:29 PM
sharma.satyajeet (Posts: 60, Joined: 12.Dec.2006)
How do we trust each other's root CA? The domain administrator of the other domain says that there is no need to trust each other's CA. Is he right or wrong?
If he is wrong, then what should I show him as proof that he is wrong? Kindly show me the process of how to trust each other's root CA.

(in reply to rishishah)
Post #: 7
RE: TLS Pros & Cons - 4.Dec.2007 12:52:46 AM
rishishah (Posts: 576, Joined: 14.Nov.2006, From: Surrey, UK)
If you use your own CAs on both sides then you definitely need to trust each other's CA. And it is the public keys you trust, which is okay.

If he is worried for any reason, ask him to create a SubCA, issue the certs through there and then trust the SubCA.

This link is not specifically for SMTP, http://support.microsoft.com/kb/332077, but it also says the same thing: if you use your own CAs then you need to trust them. This is the first check any system using SSL certs makes (do I trust the cert?).

(in reply to sharma.satyajeet)
Post #: 8
RE: TLS Pros & Cons - 6.Dec.2007 1:34:05 PM
sharma.satyajeet (Posts: 60, Joined: 12.Dec.2006)
Hi Rishi,

First of all I would like to thank you for all the help you provided me with the implementation of TLS in my organization. Secondly, I am happy to tell you that the mail flow through TLS has started with the remote domains.
The problem I asked you about, that the mails were getting stuck in the queue through the TLS connector, was not a certificate issue but an issue with the firewall (Symantec Gateway Security FW). The firewall was blocking our requests through TLS.
I was able to find this out by telnet. I started a telnet session with the remote domain but I got an error stating that the security policy disallowed it. But I was able to establish a telnet session from a PC with a dial-up connection. So I concluded that something, i.e. the FW, was blocking requests through TLS.
I called up my FW guy and he then created a packet filter rule to allow encrypted traffic. In this way my problem was resolved. But one question still comes to my mind: we did not trust each other's certificates and still the mail flows.
When should we trust each other's certificates in TLS?

(in reply to rishishah)
Post #: 9
RE: TLS Pros & Cons - 6.Dec.2007 3:48:40 PM
rishishah (Posts: 576, Joined: 14.Nov.2006, From: Surrey, UK)
What were the certificates you used: from your own CAs or commercial certs?

(in reply to sharma.satyajeet)
Post #: 10
RE: TLS Pros & Cons - 7.Dec.2007 8:48:09 PM
sharma.satyajeet (Posts: 60, Joined: 12.Dec.2006)
Hi Rishi,

We were using our own internal CA and they were using some external CA.

(in reply to rishishah)
Post #: 11
RE: TLS Pros & Cons - 11.Dec.2007 9:37:38 AM
sharma.satyajeet (Posts: 60, Joined: 12.Dec.2006)
Hi Rishi,

We have already created one TLS virtual server and one TLS connector for one domain. Now, if we have to create one more TLS connector for some other domains, and they require a different level of encryption, how can we go about it?

Also, how will we know that the message has been encrypted?

(in reply to sharma.satyajeet)
Post #: 12
RE: TLS Pros & Cons - 17.Jan.2008 11:53:07 AM
cestmoi (Posts: 159, Joined: 14.May2007)
I can answer your last question: how to double-check that the e-mail sessions are encrypted.

You'll probably need to install a sniffer to sniff your Exchange traffic. If you've never used a sniffer before, research first. A free one can be had, called Wireshark I believe (formerly known as Ethereal). Unless someone has a better method of confirming (which I'm sure there are and that I'm not aware of).

(in reply to sharma.satyajeet)
Post #: 13
RE: TLS Pros & Cons - 18.Jan.2008 8:43:34 AM
Sembee (Posts: 3583, Joined: 17.Jan.2008, From: Somewhere near London, UK)
If you look in the headers of a message as it was received it will show whether TLS was used. No need to use a packet sniffer.

Simon.

_____________________________

Simon Butler,
Exchange MVP
Blog: http://www.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.amset.co.uk/

(in reply to cestmoi)
Post #: 14
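Simon's header check, as an added example that is not from the thread: it walks the Received: headers of a delivered message and flags the hops that carry TLS evidence. It assumes the RFC 3848 ESMTPS/ESMTPSA keywords plus the free-text annotations that Postfix, Sendmail and later Exchange versions write; confirm the exact text your own receiving server records, since formats differ. The sample message is constructed.

```python
"""Added example (not from the thread): read the Received: headers of a
delivered message and report, hop by hop, whether the receiving MTA recorded
TLS. Patterns cover RFC 3848 "with ESMTPS/ESMTPSA" and the parenthesised
notes Postfix, Sendmail and newer Exchange write; adjust for your own MTA."""
import email
import re

TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA"}           # RFC 3848: session ran under TLS
TLS_COMMENT_RE = re.compile(r"(using|version=)\s*TLS|\(TLS\)", re.I)


def hop_used_tls(received: str) -> bool:
    """True if one Received: value carries evidence that TLS protected the hop."""
    value = re.sub(r"\s+", " ", received)             # unfold continuation lines
    keywords = {k.upper() for k in re.findall(r"\bwith\s+([A-Za-z0-9]+)", value)}
    return bool(keywords & TLS_WITH_KEYWORDS) or bool(TLS_COMMENT_RE.search(value))


def report_hops(raw_message: bytes) -> list:
    """Return [(receiving host, tls_used), ...], newest hop first (header order)."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", received)
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append((by.group(1) if by else "?", hop_used_tls(value)))
    return hops


# Constructed message: partner -> us over TLS (Postfix-style annotation),
# preceded by an internal hop on the partner side with no TLS evidence.
SAMPLE_MESSAGE = b"""Received: from mx.partner.example (mx.partner.example [192.0.2.10])
\tby mail.ourcorp.example (Postfix) with ESMTPS id 1A2B3C
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
\tThu, 6 Dec 2007 13:34:05 +0000
Received: from workstation.partner.example ([192.0.2.55])
\tby mx.partner.example with Microsoft SMTPSVC(6.0.3790.3959);
\tThu, 6 Dec 2007 13:34:01 +0000
From: alice@partner.example
To: bob@ourcorp.example
Subject: TLS test

body
"""

if __name__ == "__main__":
    for host, tls in report_hops(SAMPLE_MESSAGE):
        print(f"{host}: {'TLS' if tls else 'no TLS evidence'}")
```

Feed it the raw source of a message received from the partner (File > Properties in Outlook, or the .eml file); the hop written by your own server is the one that tells you whether the partner-to-you leg was encrypted.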