How to Enable Opportunistic TLS on an Exchange 2010 Edge Transport Server

Microsoft has an excellent guide available for configuring Mutual TLS with a trusted partner. However, the same cannot be said for enabling Opportunistic TLS. That’s probably because Opportunistic TLS is normally enabled automatically as part of a routine configuration of an Edge Transport server. However, that may not have happened in your case, and if so, the instructions here will get it enabled for you.

To get an idea if you are currently offering Opportunistic TLS on a mail server, you can use the tools at or do the following:

  1. Run “telnet ServerNameToTest 25” from a command line
  2. Type in “EHLO LOCALHOST”

If “250-STARTTLS” is listed in the response, Opportunistic TLS is offered.
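As an added example (not code from the original post), the following Python script automates the telnet check above and also covers the certificate name requirement from step 1: it parses an EHLO reply for the STARTTLS keyword, and its live check_starttls() performs the STARTTLS handshake and reports whether the certificate's DNS names cover the host senders connect to. The sample EHLO reply, the host names and the hypothetical edge.example.com are constructed.

```python
"""Check that an SMTP server advertises STARTTLS and that its certificate covers
the name senders connect to. Added example, not code from the original post."""
import smtplib
import ssl

# Constructed EHLO reply in the shape a telnet session shows: the first 250- line
# is the server greeting, the remaining lines are the advertised extensions.
SAMPLE_EHLO = ("250-edge.example.com Hello [192.0.2.10]\r\n250-SIZE 10485760\r\n"
               "250-PIPELINING\r\n250-STARTTLS\r\n250-AUTH NTLM\r\n250 CHUNKING")

def parse_ehlo_extensions(ehlo_response: str) -> set:
    """Return the ESMTP keywords advertised in a raw EHLO reply."""
    lines = [ln for ln in ehlo_response.splitlines() if ln.startswith("250")]
    keywords = set()
    for line in lines[1:]:           # skip the greeting line
        body = line[4:].strip()      # drop "250-" or "250 "
        if body:
            keywords.add(body.split()[0].upper())
    return keywords

def name_matches(expected_fqdn: str, cert_dns_names: list) -> bool:
    """True if the FQDN senders connect to (normally the MX host) is covered by
    the certificate's DNS names: exact match or a single-label wildcard."""
    expected = expected_fqdn.lower().rstrip(".")
    for name in cert_dns_names:
        name = name.lower().rstrip(".")
        if name == expected:
            return True
        if (name.startswith("*.") and expected.endswith(name[1:])
                and expected.count(".") == name.count(".")):
            return True
    return False

def check_starttls(host: str, port: int = 25, timeout: float = 10) -> dict:
    """Live check (needs network): EHLO, STARTTLS with a verifying context, then
    report TLS version and certificate names. A self-signed certificate makes
    starttls() raise ssl.SSLCertVerificationError, which is itself a finding."""
    report = {"starttls": False, "tls_version": None, "cert_names": [], "name_ok": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):     # same test as looking for 250-STARTTLS
            return report
        report["starttls"] = True
        smtp.starttls(context=ssl.create_default_context())
        report["tls_version"] = smtp.sock.version()
        sans = smtp.sock.getpeercert().get("subjectAltName", ())
        report["cert_names"] = [v for k, v in sans if k == "DNS"]
        report["name_ok"] = name_matches(host, report["cert_names"])
    return report
```

Run check_starttls("mx.yourdomain.example") against your own Edge Transport server once it is reachable; "name_ok" being False tells you the certificate from step 1 does not cover the name in your MX record.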

If not, then there are four things that must be done:

  1. Request a signed SSL certificate containing the appropriate Subject Name or Subject Alternative Names
  2. Import the certificate into Exchange
  3. Assign the certificate for use with SMTP
  4. Enable TLS on the Receive Connector

First, you will need to create a certificate request for use with your Exchange server. If you’re unfamiliar with how to do this and you are using Windows Server 2008, you can follow my instructions here:

How to Create a Certificate Request in Windows Server 2008 R2 for Use with Threat Management Gateway 2010

Once you’ve created the certificate request, you can either have it signed by your internal certificate authority, if you have one, or have it signed by a trusted third-party Certificate Authority such as GeoTrust (my preference). Personally, I’m in favor of using a third-party CA for any Internet-facing service, though strictly speaking this is not required for TLS.

While you can create the certificate signing request (CSR) through the Certificates snap-in, you CANNOT use it to import the signed certificate returned by the certificate authority. To do that, you’ll need to use the Import-ExchangeCertificate cmdlet, which should end up looking something like this:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificate.crt -Encoding byte -ReadCount 0)) -PrivateKeyExportable $true -Password:(Get-Credential).password | Enable-ExchangeCertificate -Services SMTP

The “-Services SMTP” parameter on the end allows Exchange to use this certificate with SMTP, and more specifically with TLS. Now that the first three steps are done, you just have to enable TLS on the Receive connector. To do that, run the following from the Exchange Management Shell:

Set-ReceiveConnector "ReceiveConnectorName" -DomainSecureEnabled $true -AuthMechanism TLS

Note that while we are enabling Domain Security here, it wouldn’t actually be used unless you were setting up mutual TLS with a specific domain. Enabling it now saves you a step later on. Also note that -AuthMechanism replaces the connector’s existing list of authentication mechanisms rather than adding to it, so check the current value with Get-ReceiveConnector first and include any mechanisms you still need alongside TLS.

That’s it. At this point you can use to check your configuration. If your MX records don’t yet point at your Edge Transport server, you can go to “Tests – Custom/Private” to test a specific IP.

Would you like to know more? Here are some excellent resources to get a better understanding of TLS in Exchange 2010.

Securing Transport Servers

Understanding TLS Certificates

Using Domain Security: Configuring Mutual TLS

Selection of Inbound STARTTLS Certificates


About Rebecca Harness

Rebecca Harness is a Business Information Security Officer (BISO) for a publicly-traded, global information solutions company. As BISO, she champions security initiatives and recommends strategies to mitigate risk, facilitating innovation and new product development. She’s also responsible for representing the business unit’s security program in client-facing engagements, conferences, and industry forums. Prior to her current role, she was an influential cybersecurity leader for one of the world’s largest transportation providers, known for transforming information security efforts into well-orchestrated programs. There, she developed an innovative methodology for delivering key information security priorities as a service model, leading to quicker adoption enterprise-wide while significantly reducing operational costs. She also led and modernized their global, multi-brand PCI Assessment and other compliance initiatives. In the early 2000s, Rebecca developed one of St. Louis’ leading Managed Services Providers from a startup in a spare bedroom into a mature consulting company with 30+ employees and 150+ clients in the Greater St. Louis Area. Rebecca holds many certifications, including: ISACA Certified Information Systems Auditor (CISA); ISC2 Certified Information Systems Security Professional (CISSP); and GIAC Security Leadership Certified (GSLC). She’s also a proud alumna of Hastings College and a longtime member of the Society of American Magicians.

One Response to “How to Enable Opportunistic TLS on an Exchange 2010 Edge Transport Server”

  1. This is a good document but I have a question. When you say:

    “1.Request a signed SSL certificate containing the appropriate Subject Name or Subject Alternative Names”

    The subject (or Subject Alternative Names) name has to match the FQDN of the receive connector, is that correct, or does the machine name have to be in the Subject Alternative Names of the certificate?
