Re: secure SMTP between backend Exchange servers



At this point we are just going to go to 2010.
--
BGM


"Ed Crowley [MVP]" wrote:

The problem with Exchange 2003 is that TLS isn't opportunistic, in that if
you enable TLS on an SMTP virtual server, it will require TLS for every
connection to it, effectively shutting off traffic from any hosts that don't
talk TLS, which means most of the Internet if your Exchange server faces the
Internet. You can enable TLS on a per-connector basis, but that will help
you only if your two back-end servers are in different routing groups since
servers in the same routing group don't communicate through a connector.

Seriously, the easiest way for you to get what you want is to transition
your organization to Exchange 2007, which supports opportunistic TLS and
enables it by default so servers communicate with each other through
encrypted protocols automatically.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

"BGM" <BGM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:173CFC52-37DD-4F8A-9BE6-481708B7254D@xxxxxxxxxxxxxxxx

I'm being asked to look into securing SMTP traffic between our Exchange 2003
backend servers. I'm a little familiar with IPSec and TLS. Can someone point
me to a good resource of information on how to implement such a solution?
Does anybody actually do this, as I'm concerned about overhead and
manageability if we were to deploy such a solution...

--
BGM
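
The difference between required and opportunistic TLS described in Ed Crowley's reply is visible in how a server answers MAIL FROM on a session that never issued STARTTLS. The following is an added example, not part of the original thread: it classifies plaintext SMTP transcripts using the RFC 3207 reply code 530. The host names, the transcripts and the classify function are constructed for illustration and are not Exchange output.

```python
import re

# Constructed sample sessions (assumption: not captured from a real Exchange server).
# "C:" lines are the client, "S:" lines the server; reply codes follow RFC 5321 / RFC 3207.
REQUIRED = """\
S: 220 be1.example.test ESMTP
C: EHLO be2.example.test
S: 250-be1.example.test Hello
S: 250-SIZE 10485760
S: 250 STARTTLS
C: MAIL FROM:<a@example.test>
S: 530 5.7.0 Must issue a STARTTLS command first
"""
OPPORTUNISTIC = REQUIRED.replace(
    "S: 530 5.7.0 Must issue a STARTTLS command first", "S: 250 2.1.0 Sender OK")
NO_TLS = OPPORTUNISTIC.replace("S: 250 STARTTLS\n", "S: 250 8BITMIME\n")

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # code, continuation marker, text


def classify(transcript):
    """Return 'required', 'opportunistic', 'none' or 'unknown' for one plaintext session."""
    advertised = False   # STARTTLS keyword seen in the EHLO reply
    last_cmd = None      # verb of the most recent client command
    mail_code = None     # server's reply code to a plaintext MAIL FROM
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            words = text.split(None, 1)
            last_cmd = words[0].upper() if words else None
            continue
        m = REPLY.match(text)
        if not m:
            continue
        code, _, rest = m.groups()
        if last_cmd == "EHLO" and code == "250":
            # Each EHLO reply line starts with one extension keyword.
            advertised = advertised or rest.upper().split()[:1] == ["STARTTLS"]
        elif last_cmd == "MAIL" and mail_code is None:
            mail_code = code
    if not advertised:
        return "none"            # sender has no way to encrypt
    if mail_code == "530":
        return "required"        # non-TLS senders are refused
    if mail_code and mail_code.startswith("2"):
        return "opportunistic"   # TLS offered, plaintext still accepted
    return "unknown"             # session ended before a plaintext MAIL FROM
```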