How to Enable Opportunistic TLS on an Exchange 2010 Edge Transport Server

Microsoft has an excellent guide available for configuring Mutual TLS with a trusted partner. However, the same cannot be said for enabling Opportunistic TLS. That’s probably because Opportunistic TLS is generally enabled automatically as part of a routine configuration of an Edge Transport server. However, that may not have happened in your case, and if so, the instructions here will get it enabled for you.

To get an idea if you are currently offering Opportunistic TLS on a mail server, you can use the tools at http://www.checktls.com or do the following:

  1. Run “telnet ServerNameToTest 25” from a command line
  2. Type in “EHLO LOCALHOST”

If “250-STARTTLS” is listed in the response, Opportunistic TLS is offered.
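As an added example (not part of the original post), the following PowerShell function automates the manual telnet check: it sends EHLO, reports whether 250-STARTTLS is advertised and, when it is, completes the STARTTLS handshake and shows the subject, SAN list and expiry of the certificate the server actually presents, which is also how you confirm after the change that the name requested in step 1 below is the right one. It assumes a server reachable on port 25; mail.example.com is a placeholder.

```powershell
# Added example, not from the original post: connects to an SMTP server, sends EHLO,
# checks for 250-STARTTLS and, if offered, completes STARTTLS and reports the certificate
# the server actually presents. The server name at the bottom is a placeholder.
function Test-OpportunisticTls {
    param([Parameter(Mandatory = $true)][string]$Server, [int]$Port = 25, [string]$HeloName = 'LOCALHOST')
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    # Read one SMTP reply: continuation lines look like "250-", the final line like "250 ".
    function Read-Reply {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -ne $null -and $line -match '^\d{3}-')
        $lines
    }
    $null = @(Read-Reply)                                   # 220 banner
    $writer.WriteLine("EHLO $HeloName")
    $ehlo = @(Read-Reply)
    $result = @{ Server = $Server; OffersStartTls = [bool]($ehlo -match '^250[- ]STARTTLS') }
    if ($result.OffersStartTls) {
        $writer.WriteLine('STARTTLS')
        if (@(Read-Reply)[-1] -match '^220') {
            # Accept any certificate so it can be inspected; diagnostic use only,
            # a real mail client must validate the chain instead of this callback.
            $trustAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
            $tls = New-Object System.Net.Security.SslStream($stream, $false, $trustAll)
            $tls.AuthenticateAsClient($Server)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
            $result.Protocol = $tls.SslProtocol
            $result.Subject  = $cert.Subject
            $result.SanNames = if ($san) { $san.Format($false) } else { '(none)' }
            $result.NotAfter = $cert.NotAfter
            # Step 1 of the post: the name you connect to should appear in the CN or the SAN list.
            $result.NameMatches = ($cert.Subject -like "*CN=$Server*") -or ($result.SanNames -like "*$Server*")
            $tlsWriter = New-Object System.IO.StreamWriter($tls); $tlsWriter.NewLine = "`r`n"
            $tlsWriter.WriteLine('QUIT'); $tlsWriter.Flush()
        }
    } else { $writer.WriteLine('QUIT') }
    $client.Close()
    New-Object PSObject -Property $result
}

Test-OpportunisticTls -Server 'mail.example.com' | Format-List
```

It runs from any Windows machine that can reach the server on port 25 and does not need the Exchange Management Shell.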

If not, then there are four things that must be done:

  1. Request a signed SSL certificate containing the appropriate Subject Name or Subject Alternative Names
  2. Import the certificate into Exchange
  3. Assign the certificate for use with SMTP
  4. Enable TLS on the Receive Connector

First, you will need to create a certificate request for use with your Exchange server. If you’re unfamiliar with how to do this and you are using Windows Server 2008, you can follow my instructions here:

How to Create a Certificate Request in Windows Server 2008 R2 for Use with Threat Management Gateway 2010

Once you’ve created the certificate request, you can either have it signed by your own internal certificate authority, if you have one, or get it signed by a trusted third-party Certificate Authority such as GeoTrust (my preference). Personally, I’m in favor of using a third-party CA for any Internet-facing service; strictly speaking, though, this is not required for TLS.

While you can create the certificate signing request (CSR) through the Certificates snap-in, you CANNOT use it to import the signed certificate returned by the CA into Exchange. To do that, you’ll need to use the Import-ExchangeCertificate cmdlet, which should end up looking something like this:


Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificate.crt -Encoding byte -ReadCount 0)) -PrivateKeyExportable $true -Password:(Get-Credential).password | Enable-ExchangeCertificate -Services SMTP

The “-Services SMTP” parameter on the end allows Exchange to use this certificate for SMTP, and more specifically for TLS. Now that the first three steps are done, you just have to enable TLS on the Receive connector. To do that, run the following from the Exchange Management Shell:


Set-ReceiveConnector "ReceiveConnectorName" -DomainSecureEnabled $true -AuthMechanism TLS

Note that while we are enabling Domain Security here, it won’t actually be used unless you set up mutual TLS with a specific domain; enabling it now saves you a step later on. Also be aware that -AuthMechanism takes a comma-separated list and replaces whatever the connector had before, so if the connector also relies on other mechanisms (for example Tls,Integrated,BasicAuth), include them all in that one value.

That’s it; at this point you can use http://www.checktls.com to check your configuration. If your MX records don’t yet point at your Edge Transport server, go to “Tests – Custom/Private” to test a specific IP.

Would you like to know more? Here are some excellent resources to get a better understanding of TLS in Exchange 2010.

Securing Transport Servers

Understanding TLS Certificates

Using Domain Security: Configuring Mutual TLS

Selection of Inbound STARTTLS Certificates

Import-ExchangeCertificate


One Response to “How to Enable Opportunistic TLS on an Exchange 2010 Edge Transport Server”

  1. This is a good document but I have a question. When you say:

    “1.Request a signed SSL certificate containing the appropriate Subject Name or Subject Alternative Names”

    The subject (or Subject Alternative Names) name has to match the FQDN of the receive connector, is that correct, or does the machine name have to be in the Subject Alternative Names of the certificate?
