date: Sat, 19 Jul 2008 22:33:08 -0400,    group: microsoft.public.exchange.admin        back       


Re: How should I select these options?   
On Sat, 19 Jul 2008 15:45:00 -0700, John wrote:

>Sorry about my confusion.  I did install the certificates on the frontend 
>server's default and second secured SMTP server, otherwise they cannot send 
>emails to us.  xyz.com can send emails to me but I still cannot send emails 
>to them.  I got an NDR immediately after I clicked Send in Outlook, from my 
>system administrator, 

Okay, then what do you see when you do this?

telnet <their-smtp-server> 25
EHLO

>> > The following recipient(s) cannot be reached:
>> >
>> >      Partner email address on 7/18/2008 6:38 PM
>> >            The recipient could not be processed because it would violate
>> > the security policy in force
>> >            <my exchangebackendserver.local #5.7.0 smtp;530 5.7.0 Must issue a
>> > STARTTLS command first>

And in your front-end server's SMTP protocol log you see what? Do you
see a connection from the IP address of your 2nd (TLS) SMTP VS to
their SMTP gateway server? What commands were sent and what responses
were received?

>Then later, I installed the certificates on the backend server's default 
>SMTP server, but still with no luck.  I cannot send emails to them.  
>
>> How many SMTP servers they have is of no concern to you. You only have
>> to know that when you send to their domain that you use TLS (and that
>> it goes to the 2nd VS for delivery). Get rid of those smart hosts in
>> your SMTP Connector (and never put them into the SMTP VS).
>
>> >should I put each of their MX record IP in the smart hosts for the secured 
>> >SMTP connector?
>> 
>> Nope. Just their domain name.
>
>You mean on the General tab of the second secure SMTP connector? What should I 
>choose: a) Forward all mail through this connector to the following smart 
>hosts, or b) Use DNS to route to each address space on this connector?

You should select "Use DNS . . ." On the "Address Space" tab you
should have "xyz.com".

What, exactly, are your requirements? Do you care if xyz.com sends you
email using TLS? I wouldn't. Leave the responsibility with them to use
TLS. All you have to do is make sure you offer the STARTTLS keyword.

If you don't care, then you really don't need two SMTP Virtual
Servers. You can secure the connection between your server and their
server when /you/ send them mail simply by checking the "TLS
encryption" box on the "Advanced Security..." button on the "Advanced"
tab of the SMTP Connector.

The link below is overly complicated for what I think you really need.
You don't have to use smart hosts to deliver mail to xyz.com. And I
don't think you have to be worried if the sender can't control their
own security needs by /not/ sending mail to you if your server doesn't
offer STARTTLS.
---
Rich Matheisen
MCSE+I, Exchange MVP
date: Sat, 19 Jul 2008 22:33:08 -0400   author:   Rich Matheisen [MVP]
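A scripted form of the "telnet ... 25 / EHLO" check suggested in the reply above, as an added example that is not from this thread or from Exchange: it parses an EHLO reply and reports whether the STARTTLS keyword is offered, which is the capability the 530 5.7.0 NDR complains about. The sample replies and the hostnames are constructed.

```python
import re
import smtplib

# Constructed EHLO replies (not captured from the poster's servers).
# The first line of a 250 reply is the greeting; each following line
# advertises one SMTP extension keyword, optionally with parameters.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.invalid Hello [203.0.113.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN\r\n"
    "250 HELP\r\n"
)
SAMPLE_EHLO_REPLY_NO_TLS = (
    "250-mail.example.invalid Hello [203.0.113.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(reply: str) -> dict:
    """Map each advertised extension keyword (upper-cased) to its parameters."""
    extensions = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the greeting line
        match = re.match(r"250[ -](\S+)(?:\s+(.*))?$", line)
        if not match:
            continue  # not a 250 line; ignore rather than guess
        keyword, params = match.group(1).upper(), match.group(2) or ""
        extensions[keyword] = params.strip()
    return extensions


def offers_starttls(reply: str) -> bool:
    """True when the server's EHLO reply advertises STARTTLS."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_remote_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live version of the manual telnet/EHLO check: connect, send EHLO,
    report whether STARTTLS is offered, then close without sending mail.
    Not run by the offline tests; the probe hostname is a placeholder."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.invalid")
        return smtp.has_extn("starttls")
```

Run check_remote_starttls() against your own front-end server to confirm it advertises STARTTLS before asking the partner to retry.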

Re: How should I select these options?   
On Sun, 20 Jul 2008 14:46:00 -0700, John wrote:
>Basically, I am trying to do is that I want our users to send secured emails 
>to xyz.com.  Also, we should be able to receive the secured emails from 
>xyz.com.
>
>What do you recommend on my settings to make this work?

Install a certificate on the default SMTP virtual server. Create an
SMTP Connector and put xyz.com into its address space. Check the "TLS
encryption" box on the "Advanced Security..." button on the "Advanced"
tab of the SMTP Connector. Select the "Use DNS . . ." method of delivery.
Select the default SMTP Virtual Server as the local bridgehead server.

Your FE server will offer STARTTLS and you'll be able to send mail
over a TLS connection to xyz.com and they'll be able to send mail over
a TLS connection to you.
---
Rich Matheisen
MCSE+I, Exchange MVP
date: Sun, 20 Jul 2008 20:38:24 -0400   author:   Rich Matheisen [MVP]

Re: How should I select these options?   
On Mon, 21 Jul 2008 07:26:02 -0700, John wrote:

>Great, thanks. Unfortunately, xyz.com has enforced "require 128 encryption", 
>and if I do not choose "require channel and 128 bit encryption" on the SMTP 
>virtual server, they cannot send emails to us but we can send emails to 
>them.  If I have them checked, they can send emails to us.  With the enforced 
>"require channel and 128 bit encryption" requirement, what should I change in 
>the configs you mentioned?

So, what domain (or IP address) will you tell them to use when they
send you email? It isn't going to be the IP address of the default
SMTP Virtual Server you use to receive email from just anyone! So
you're back to using that 2nd SMTP Virtual Server to receive email
from them. You can just change your SMTP Connector to use the 2nd SMTP
Virtual Server, and check the boxes to require encryption and 128-bit
encryption.
---
Rich Matheisen
MCSE+I, Exchange MVP
date: Mon, 21 Jul 2008 22:13:16 -0400   author:   Rich Matheisen [MVP]
