SMTP TLS is the mechanism by which two email servers, when communicating, can automatically negotiate an encrypted channel between them so that the emails transmitted are secured from eavesdroppers. However, how this works is not very clear, so in this post I will try to explain how to get it to work between two domains in a setup which is quite common. Even though this guide includes Google Apps and Exchange 2010 Hub Transport (no Edge), it could be useful for anyone who wants to enable TLS.

  1. Domain 1 is running on-premise Exchange 2010 (SP2+RU3) and they send/receive all e-mail through a 3rd party e-mail spam filtering service, which means that their MX-records are pointing to this 3rd party which removes/quarantines all spam/viruses. The Exchange 2010 Hub Transport Receive Connector is configured to receive tcp/25 only from the IP-ranges of this 3rd party, and their Exchange Send Connector is configured to route mail through a smart host which is the IP/hostname of the 3rd party service.
  2. Domain 2 is running Google Apps which means… well, Google take care of everything 🙂

Verify TLS for mail gateways

CheckTLS.com offers very useful tests to get this setup working. I also suggest you read this article to figure out if your receiving partner really supports TLS. You could start with checking the Google Apps domain name, which of course should already be fully enabled for TLS. Cert OK often fails, but that only means: “Cert failures do not affect TLS encryption, but may mean the site isn’t who they say they are.”

Running the same test for the 3rd party service may fail and if it does, you better ask them why they don’t support TLS.

When you have verified TLS is enabled at both ends, you really don’t have to do anything in this scenario since Exchange 2010 by default uses Opportunistic TLS, which means it attempts TLS for all remote connections and if that fails it falls back to normal non-TLS SMTP [Reference]. Also, Google Apps by default sends via TLS and if the recipient server does not support TLS, the message is sent using non-encrypted SMTP [Reference].

How to force TLS for specific domains in Exchange 2010

But what if your business requires you to encrypt all messages to this partner using TLS? Then you can configure a Send Connector to require TLS by setting Set-SendConnector’s parameter -RequireTLS to $true.

For example, maybe you created a custom Send Connector to send e-mails to *.domain2.com:

New-SendConnector -Name 'TLS' -Usage 'Custom' -AddressSpaces 'SMTP:*.domain2.com;1' -IsScopedConnector $false -DNSRoutingEnabled $false -SmartHosts 'mailfiltering.3rdpart.com' -SmartHostAuthMechanism 'BasicAuth' -UseExternalDNSServersEnabled $false -AuthenticationCredential (Get-Credential) -SourceTransportServers 'SRV1','SRV2'

Then you can require TLS for that connector:

Set-SendConnector 'TLS' -RequireTLS $true

I would suggest you monitor your send connector queue lengths because if Exchange fails to send using TLS for some reason, it will queue up e-mails. And since you’re required to use TLS, I’m sure these e-mails are important so you better know when e-mail flow to this partner stops working…

How to force TLS in Google Apps

In Google Apps, you can also force it if you’re running the Premium edition. More info here.

Verify that e-mail was sent with TLS encryption

Once you have sent your first e-mail, how do you verify that TLS was used to send it? Well, over at LuxSci there’s an excellent article on the topic, so I suggest you read that. In my case, the e-mail header on the receiving side included “TLS”:

Received: from smtp1.supplier.net (outgoingsmtp.domain.com. [82.54.112.220])
by mx.google.com with ESMTPS id sq3si46516565lab.41.2012.03.03.01.44.06
(version=TLSv1/SSLv3 cipher=OTHER);
Mon, 03 Jul 2012 01:32:05 -0700 (PDT)
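To check this systematically rather than by eye, the small Python script below (an added example, not part of the original post) parses every Received header of a message, reads the "with ESMTPS ... (version=... cipher=...)" clause that Google stamps on a STARTTLS hop, and reports any hop that arrived in cleartext. The sample message is constructed for the example: its first hop mirrors the header shown above, the second is a made-up internal hop.

```python
import email
import re

# Constructed sample message (not a real capture). Hop 1 follows the header shape
# shown in the post; hop 2 is a fictitious internal relay that used plain ESMTP.
RAW_MESSAGE = b"""Received: from smtp1.supplier.net (outgoingsmtp.domain.com. [82.54.112.220])
        by mx.google.com with ESMTPS id sq3si46516565lab.41.2012.03.03.01.44.06
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 03 Jul 2012 01:32:05 -0700 (PDT)
Received: from hub1.domain.local (10.0.0.5)
        by smtp1.supplier.net with ESMTP id 1234abcd;
        Mon, 03 Jul 2012 01:32:01 -0700 (PDT)
From: sender@domain.com
To: recipient@domain2.com
Subject: TLS test

hello
"""

# "from <host> ... by <host> with <protocol> ... (version=<ver> cipher=<cipher>)"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)"
    r"(?:.*?\(version=(?P<version>[^\s)]+)\s+cipher=(?P<cipher>[^\s)]+)\))?",
    re.IGNORECASE | re.DOTALL,
)

def parse_hops(raw):
    """Return one dict per Received header, newest hop first, with a tls flag."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold header continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        proto = m.group("proto").upper()
        hops.append({
            "from": m.group("from"), "by": m.group("by"), "proto": proto,
            "version": m.group("version"), "cipher": m.group("cipher"),
            # ESMTPS / ESMTPSA mean STARTTLS was negotiated; plain ESMTP/SMTP is cleartext
            "tls": proto in ("ESMTPS", "ESMTPSA") and m.group("version") is not None,
        })
    return hops

def cleartext_hops(raw):
    """Hops that should be investigated because no TLS was recorded for them."""
    return [h for h in parse_hops(raw) if not h["tls"]]
```

Only the hop into the receiving server is under your partner's control; earlier hops inside your own environment (like the second one here) show whether the message was already protected before it left.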

If you want to verify which Send Connector that was used to send an e-mail:

Get-MessageTrackingLog -ResultSize Unlimited -Start 2012-07-09 -End 2012-07-10 | where {$_.Sender -eq "sender@domain.com" -and $_.EventID -eq "SEND"} | fl Sender,{$_.Recipients},Timestamp,ConnectorId

Please comment if you have a specific TLS scenario that you want us to write an article about.

Thanks to my friends over at Online Partner for helping out. They’re a Google Apps Premier Reseller, so if you need a Google Apps partner to help your business, make sure to contact them (and make sure to mention Sysadmin Lab so they will buy me beer next time I see them :)).