Friday, August 20, 2010

Step 4 – Setup an Internet Connector with TLS Disabled


Both Exchange 2007 and Exchange 2010 use Transport Layer Security (TLS) by default to encrypt mail traffic with any other host that supports it, whether that host is internal or external to the organization. This is a good thing: SMTP is a clear-text protocol, and anyone who can observe the traffic at any point between sender and receiver can read the messages. The last thing any organization wants is a sensitive email being captured and published.
TLS, like SSL, relies on a certificate issued by a Certificate Authority, either an internal CA or a public one such as Verisign or Thawte, to identify the server and set up an encrypted session between any two mail hosts that support it. Unfortunately, an internal Certificate Authority does not help much when securing traffic across the Internet. It is not because it is any less secure; it is because it is not trusted by other organizations on the Internet, unless of course your internal Certificate Authority happens to be one of the major root authorities (not very likely).
One big mistake a lot of organizations make is assuming that because they are not worried about their email while it is in transit they can skip this step. Unfortunately, doing so can cause delivery problems with partners that enforce TLS on their mail systems. Exchange 2007 and 2010 both offer TLS with an internal, self-signed certificate by default. A partner mail system that requires a trusted certificate will reject the session when it is presented with a self-signed or otherwise untrusted one, because it cannot validate the identity of the sending server, and the message is not delivered. It is the mail-system equivalent of the certificate warning that appears on some websites, only since the Exchange transport service has no user interface, there is nobody to ask whether to proceed.
If your organization does not wish to secure its mail system with a certificate from a public CA, no problem; you simply need to disable TLS on the primary Internet Send Connector. This is done from the Exchange Management Shell using the Set-SendConnector cmdlet with the -IgnoreSTARTTLS:$true parameter, which tells the connector not to issue STARTTLS even when the remote host advertises it. This needs to be done on every Internet send connector. Keep in mind that mail leaving through such a connector crosses the Internet in clear text.
For organizations that do wish to secure their mail in transit, I will dedicate a full article to that topic. One thing you will want to do in the meantime is set up a second send connector with TLS disabled. Because Exchange routes outbound mail through the connector whose address space most specifically matches the recipient domain, you can simply add a partner's domain name to the address spaces of the TLS-disabled connector when that partner has misconfigured their TLS settings, and mail flow to them resumes while everything else still goes out over TLS. That gives you time to contact the partner and work through the TLS configuration issues, after which you remove the domain again.
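The two approaches above (turning STARTTLS off on the main Internet connector, and keeping a separate TLS-disabled connector scoped to problem domains) in Exchange Management Shell. This is an added example, not code from the original post; the server name EX01, the connector names and the partner domains are placeholders, and it assumes an existing "*" Internet send connector and a Hub Transport server called EX01.

```powershell
# Added example; not part of the original post. Placeholders: EX01, the connector
# names and the partner domains. Run in the Exchange Management Shell (2007/2010).

# --- Option A: the organization does not care about TLS at all -----------------
# Stop every Internet send connector from issuing STARTTLS. Mail through these
# connectors now crosses the Internet in clear text, so be sure that is intended.
Get-SendConnector | Where-Object { $_.AddressSpaces -like "*SMTP:*;*" } |
    Set-SendConnector -IgnoreSTARTTLS:$true

# --- Option B: keep TLS for everyone except partners whose TLS is broken --------
$hub     = "EX01"              # placeholder Hub Transport server
$name    = "Internet - TLS Disabled"
$partner = "partner.example"   # placeholder domain that rejects our self-signed cert

# Create the fallback connector once. It carries only the listed address spaces;
# Exchange picks the most specific matching address space, so mail for these
# domains leaves here while "*" traffic keeps using the TLS-enabled connector.
New-SendConnector -Name $name -Usage Internet `
    -AddressSpaces "SMTP:$partner;1" `
    -DNSRoutingEnabled $true `
    -SourceTransportServers $hub `
    -IgnoreSTARTTLS:$true

# Adding another misbehaving partner later: read the current list, append, set.
# AddressSpace.ToString() yields the "SMTP:domain;cost" form the cmdlet accepts.
$spaces = @((Get-SendConnector $name).AddressSpaces | ForEach-Object { $_.ToString() })
$spaces += "SMTP:other-partner.example;1"
Set-SendConnector $name -AddressSpaces $spaces

# When the partner has fixed their side, take the domain off the list again
# so their mail goes back to the TLS-enabled path.
$spaces = @((Get-SendConnector $name).AddressSpaces |
    ForEach-Object { $_.ToString() } |
    Where-Object { $_ -ne "SMTP:other-partner.example;1" })
Set-SendConnector $name -AddressSpaces $spaces

# Verify: the fallback connector should show IgnoreSTARTTLS True and only the
# problem domains; the "*" connector should still show IgnoreSTARTTLS False.
Get-SendConnector | Format-Table Name, AddressSpaces, IgnoreSTARTTLS, RequireTLS -AutoSize

# Verbose protocol logging on the fallback connector lets you confirm in the
# send protocol log that no STARTTLS is issued to those domains.
Set-SendConnector $name -ProtocolLoggingLevel Verbose
```

Keep the address-space list on the fallback connector as short as possible and review it periodically; every domain on it is mail you have chosen to send unencrypted.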
