Re: TLS/SSL in Outlook 2003 and Exchange 2003
- From: "Tobbe" <tobbe(at)_nospam_utbyte.se>
- Date: Thu, 7 Sep 2006 22:22:20 +0200
Thanks for the reply Ed.
The thing that I can't understand is why it is considered a bad idea to
require TLS on my default virtual SMTP server, running on port 25 and ALSO
allowing anonymous access. Agreed that if anonymous access were disabled,
message flow from the internet would stop, or am I missing something here?
The secondary virtual server will only be created to satisfy the port 465
requirement.
I should perhaps mention that this configuration will be done on two FEs
that are load-balanced using Windows' own NLB. Both outgoing and incoming
mails will be routed through the front ends, if that makes any difference.
Again - thanks for taking the time to reply.
"Ed Crowley [MVP]" <curspice@xxxxxxxxxxxxxx> wrote in message
news:uAWUM8q0GHA.1292@xxxxxxxxxxxxxxxxxxxxxxx
I believe that you can do that if you create an SMTP virtual server that is
used only for this purpose and to which you don't direct any other SMTP
traffic. With one public IP, you're going to have to change the SMTP port
to avoid a conflict with your regular inbound SMTP, but your firewall could
route that traffic to the special SMTP virtual server.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"Tobbe" <tobbe(at)_nospam_utbyte.se> wrote in message
news:uVrPMUl0GHA.3476@xxxxxxxxxxxxxxxxxxxxxxx
Hi all.
I'm trying to figure out what my options are when it comes to encrypting
the SMTP traffic from a client to the server (i.e. users that need to
relay). More specifically I want to make sure that the authentication part
is encrypted, while the message itself might be transferred unprotected.
Encryption of messages will be handled at the client side using individual
certificates.
In my setup I have the requirement to accept encrypted SMTP connections on
25 and 465. Naturally I also have the requirement to accept normal
anonymous mail from the internet. The clients that will be used are of a
broad range of both Outlook 2003 and other Linux and Mac-based clients.
However, initially my focus has been to figure out my options when it comes
to the Outlook 2003 client.
At the moment I only have one public IP so what I've done is that I've
created two virtual SMTP servers that listen on different ports, installed
a certificate and disabled the integrated authentication and checked the
"require TLS when basic authentication" is used. I've also left anonymous
access allowed to be able to receive incoming mails from the internet.
Relaying is allowed if the users authenticate.
When configuring an Outlook 2003 client, I've set that my outgoing server
requires authentication and set it to use SPA (what exactly is SPA anyway?
TLS, SSL or something different?). If I try to relay a mail from my client
with this setup it fails with the error message that I'm not allowed to
relay mails. However, if I also set the checkbox on the client side that
states that the server requires a secure connection it works fine.
From what I've read that means that the entire conversation, both
authentication and message flow, is encrypted between the client and the
relaying mail server. My goal is to only encrypt the authentication, which
I thought would be satisfied by my initial setup where I only had checked
the Authenticate using SPA checkbox.
My main concern is about the non-Windows clients and their implementation
of TLS/SSL. If I'm forced to choose "The server requires an encrypted
connection" to get it to work on an Outlook 2003 client I fear that I will
be seeing more issues on the Mac and Linux part of the company.
I'm thankful for any input that might help.
/Tobbe
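Added example, not part of the original posts: a small Python check of the goal discussed in this thread, that password authentication is only offered once the SMTP session is encrypted. The EHLO replies, host name and function names are constructed for illustration and are not output from the posters' servers.

```python
import re

# Mechanisms that put a reusable password on the wire (base64 is not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: set(params)}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:  # first line is the greeting
        m = re.match(r"250[- ](\S.*)$", line.strip())
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        # Some servers also advertise the legacy form "AUTH=LOGIN".
        text = re.sub(r"^AUTH=", "AUTH ", m.group(1), flags=re.I)
        words = text.upper().split()
        caps.setdefault(words[0], set()).update(words[1:])
    return caps

def audit_listener(pre_tls, post_tls=None):
    """Findings for one listener: EHLO reply before STARTTLS, optionally after."""
    findings = []
    pre = parse_ehlo(pre_tls)
    exposed = sorted(CLEARTEXT_MECHS & pre.get("AUTH", set()))
    if exposed:
        findings.append("password AUTH offered before TLS: " + ",".join(exposed))
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    elif post_tls is not None:
        if not CLEARTEXT_MECHS & parse_ehlo(post_tls).get("AUTH", set()):
            findings.append("no password AUTH offered inside TLS")
    return findings

# Constructed EHLO replies (not captured from any real server).
WEAK = """250-mail.example.test Hello [192.0.2.10]
250-SIZE 10240000
250-STARTTLS
250-AUTH LOGIN
250-AUTH=LOGIN
250 OK"""
TLS_FIRST_PRE = """250-mail.example.test Hello [192.0.2.10]
250-STARTTLS
250 OK"""
TLS_FIRST_POST = """250-mail.example.test Hello [192.0.2.10]
250-AUTH LOGIN
250 OK"""

if __name__ == "__main__":
    print(audit_listener(WEAK))
    print(audit_listener(TLS_FIRST_PRE, TLS_FIRST_POST))
```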