Forum Discussion
Collins_Kouam
Oct 30, 2023, Copper Contributor
All messages sent outside my organization are not encrypted
Hi community Experts,
I have an exchange configuration as follows:
. 2 servers (a Mailbox & an Edge Transport) run under Windows 2022
. Exchange Server 2019 installed on the 2 servers.
I followed the Microsoft documentation and many other tutorials and videos when setting up these servers.
For internal communication between my 2 servers, their self-signed certificate is used. In addition, I installed a third-party certificate (on both servers) for external communications.
NB: I use the same third-party certificate on my 2 servers.
I think I've followed all the steps required to perform Edge-Subscriptions.
My problem is that when I send a message outside my organization, for example to my private Gmail account, the message arrives unencrypted and I can see attached to each message "a red padlock" with information saying that the message has not been encrypted by my organization.
When I check the log files under C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Edge\ProtocolLog\SmtpSend, I don't see any STARTTLS during the EHLO test.
I don't know what to do in such a situation and I'm really hoping to get some advice from you.
Thank you
Collins_kouam.
- Hello community experts,
I'm happy to inform you that I've just solved my problem.
The problem wasn't related to my exchange servers at all, but rather to my Firewall/Router.
There was a rule in my Firewall/Router that prevented my edge transport server from using STARTTLS.
I hope this may help others in their troubleshooting process.
Thank you all for your answers.
Collins_Kouam
- Andres-Bohren, Steel Contributor
You need to have a Public Certificate, for example edge.domain.tld, with a private key installed on your Exchange Edge Server.
Get-SendConnector -Identity YourInternetConnectorName | fl
# Check the property TlsCertificateName
# Create the variable on your Edge Server
$Cert = Get-ExchangeCertificate -Thumbprint "ThumbPrintOfEdgeCertificate"
$tlscertificatename = "<i>$($Cert.Issuer)<s>$($Cert.Subject)"
# You need to set this on the Exchange Server (not the Edge); it will then be transferred via EdgeSync
Set-SendConnector -Identity "YourInternetConnectorName" -TlsCertificateName $tlscertificatename
Regards
Andres
- Collins_Kouam, Copper Contributor
Hello Andres Bohren,
Sorry I'm only posting today, I had a few days off.
1. I have a certificate of the form mail.example.com installed on my Mailbox Server and edge transport server with private key.
2. the "TlsCertificateName" property is empty when I execute the command:
Get-SendConnector -Identity YourInternetConnectorName | fl
3. When I execute the following command from my Mailbox server (not edge)
Set-SendConnector -Identity "MyInternetConnectorName" -TlsCertificateName $tlscertificatename
I get a Warning:
WARNING: The command completed successfully but no settings of 'MyInternetConnectorName' have been modified.
When I telnet to remote mail servers on their port 25 from my edge transport server there is no STARTTLS, but from my mailbox server I can see the STARTTLS negotiation.
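An added example, not code from the thread, for the SmtpSend protocol-log check described in this reply and in the original post: the function reads an Edge SmtpSend log and reports, per SMTP session, whether the remote server advertised STARTTLS and whether the Edge actually sent it. The column layout is the standard Exchange protocol-log CSV header; the session IDs, endpoints and log lines are constructed.

```powershell
# Added example (not from the thread): per-session STARTTLS report for an
# Exchange Edge SmtpSend protocol log. Sample log lines below are constructed.
function Get-SmtpSendTlsReport {
    param([string[]]$LogLines)

    $fields = @()
    $rows = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {                      # header row names the CSV columns
            $fields = ($line -replace '^#Fields:\s*', '') -split ','
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }   # other metadata / blank lines
        $line | ConvertFrom-Csv -Header $fields
    }

    foreach ($session in ($rows | Group-Object 'session-id')) {
        $s = $session.Group
        # event '<' = received from the remote server, '>' = sent by our server
        $advertised = [bool]($s | Where-Object { $_.event -eq '<' -and $_.data -match '^250[- ]STARTTLS' })
        $sent       = [bool]($s | Where-Object { $_.event -eq '>' -and $_.data -eq 'STARTTLS' })
        if ($sent)           { $status = 'STARTTLS sent' }
        elseif ($advertised) { $status = 'advertised but not sent: check connector / TlsCertificateName' }
        else                 { $status = 'never advertised: compare with a session from another host on the path' }
        [pscustomobject]@{
            SessionId  = $session.Name
            Remote     = $s[0].'remote-endpoint'
            Advertised = $advertised
            Sent       = $sent
            Status     = $status
        }
    }
}

# Constructed sample: session 0A1 negotiates STARTTLS; in session 0B2 the
# keyword never appears in the EHLO response (some firewall SMTP inspection
# features rewrite or drop it), so the Edge continues in clear text.
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2023-10-30T15:57:26.100Z,EdgeSync - Internet,0A1,0,192.168.43.109:50123,203.0.113.25:25,+,,
2023-10-30T15:57:26.120Z,EdgeSync - Internet,0A1,1,192.168.43.109:50123,203.0.113.25:25,<,220 mx.example.net ESMTP,
2023-10-30T15:57:26.130Z,EdgeSync - Internet,0A1,2,192.168.43.109:50123,203.0.113.25:25,>,EHLO mail.example.com,
2023-10-30T15:57:26.140Z,EdgeSync - Internet,0A1,3,192.168.43.109:50123,203.0.113.25:25,<,250-STARTTLS,
2023-10-30T15:57:26.150Z,EdgeSync - Internet,0A1,4,192.168.43.109:50123,203.0.113.25:25,>,STARTTLS,
2023-10-30T15:58:01.100Z,EdgeSync - Internet,0B2,0,192.168.43.109:50124,198.51.100.7:25,+,,
2023-10-30T15:58:01.130Z,EdgeSync - Internet,0B2,1,192.168.43.109:50124,198.51.100.7:25,>,EHLO mail.example.com,
2023-10-30T15:58:01.140Z,EdgeSync - Internet,0B2,2,192.168.43.109:50124,198.51.100.7:25,<,250-SIZE 52428800,
2023-10-30T15:58:01.150Z,EdgeSync - Internet,0B2,3,192.168.43.109:50124,198.51.100.7:25,>,MAIL FROM:<user@example.com>,
'@ -split "`r?`n"

Get-SmtpSendTlsReport -LogLines $sample | Format-Table -AutoSize
# Real log: Get-SmtpSendTlsReport -LogLines (Get-Content '<path to SmtpSend log file>')
```

Running it against a real SmtpSend log from the Edge and from the Mailbox server side by side shows whether the difference is in the connector configuration (advertised but not sent) or in the path between the Edge and the Internet (never advertised), which is how this thread was eventually resolved.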
- Dan_Snape, Steel Contributor
Encryption of the actual email message is not something that is done by default, and usually only done when absolutely required. If you are talking encryption of the communications between servers, Exchange by default will use TLS as long as it can be negotiated between the sending and receiving parties. You can force TLS for all communications or just for certain domains by changing or creating connectors and rejecting connections if TLS is not possible. You can confirm TLS is used for communication by looking at the header of the message as per the below:
Received: from SY4AUS01FT012.eop-AUS01.prod.protection.outlook.com
(2603:10c6:10:201:cafe::af) by SY5P282CA0086.outlook.office365.com
(2603:10c6:10:201::7) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.21 via Frontend
Transport;
- Collins_Kouam, Copper Contributor
Hello Dan_Snape,
First of all, thank you for your reply.
I was referring to the encryption of the communication between the servers, not the encryption of the e-mail message itself; sorry for the misunderstanding.
As I said in my first message, when I check the log files under C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Edge\ProtocolLog\SmtpSend, I can clearly see that my edge transport server negotiates communication with the other servers without using STARTTLS; the communication is in clear text.
I also mentioned that I was using the same third-party certificate on both my Mailbox and Edge Transport server; could this be the cause of my problem?
On my Mailbox server I have associated the IIS, IMAP, POP and SMTP services with my third-party certificate, and on the Edge Transport server only the SMTP service.
When I telnet from a server outside my organization to my mail server on port 25, I get:
Telnet mail.example.com
EHLO mail.example.com
250-mail.example.com Hello [XX.XX.XX.XX]
250-SIZE 37748736
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
...
Below is the header of a message I sent to my private email:
Received: from mailbox.example.com (192.168.43.1) by mail.example.com (192.168.43.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27; Mon, 30 Oct 2023 16:57:26 +0100
Received: from mailbox.example.com (10.0.3.223) by mailbox.example.com (10.0.3.223) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27; Mon, 30 Oct 2023 16:57:26 +0100
Received: from mailbox.example.com ([10.0.3.223]) by mailbox.example.com ([10.0.3.223]) with mapi id 15.02.1258.027; Mon, 30 Oct 2023 16:57:26 +0100
Thank you again
Collins_kouam
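An added example, not code from the thread, for the header check Dan_Snape suggested: the function unfolds a message's Received: headers and reports, per hop, whether that leg carried the version= and cipher= attributes that mark a TLS-protected SMTP session. The sample uses the three headers posted above plus one constructed external hop without TLS attributes; the hostnames and id in that extra hop are made up.

```powershell
# Added example (not from the thread): per-hop TLS report from Received: headers.
function Get-ReceivedTlsHops {
    param([string]$RawHeaders)

    # Unfold RFC 5322 continuation lines: a line starting with whitespace
    # continues the previous header field.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $received = @($unfolded -split "`r?`n" | Where-Object { $_ -like 'Received:*' })
    # Received: headers are prepended as the message travels, so reverse them
    # to list hops in delivery order.
    [array]::Reverse($received)

    $hop = 0
    foreach ($h in $received) {
        $hop++
        $from    = if ($h -match 'Received:\s+from\s+(\S+)')     { $Matches[1] } else { '?' }
        $by      = if ($h -match '\sby\s+(\S+)')                 { $Matches[1] } else { '?' }
        $via     = if ($h -match '\swith\s+(.+?)\s+(?:\(|id\s)') { $Matches[1] } else { '?' }
        $version = if ($h -match 'version=([^,)\s]+)')           { $Matches[1] } else { '' }
        $cipher  = if ($h -match 'cipher=([^,)\s]+)')            { $Matches[1] } else { '' }
        [pscustomobject]@{
            Hop     = $hop
            From    = $from
            By      = $by
            Via     = $via
            Tls     = [bool]$version     # no version= attribute means no TLS on this leg
            Version = $version
            Cipher  = $cipher
        }
    }
}

# Sample: first line is a constructed receiving-side hop with no TLS attributes;
# the remaining three are the headers posted in the thread (one deliberately folded).
$sample = @'
Received: from mail.example.com (203.0.113.10) by mx.example.net with ESMTP id 4SZ1x; Mon, 30 Oct 2023 16:57:30 +0100
Received: from mailbox.example.com (192.168.43.1) by mail.example.com (192.168.43.109) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27; Mon, 30 Oct 2023 16:57:26 +0100
Received: from mailbox.example.com (10.0.3.223) by mailbox.example.com (10.0.3.223) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27; Mon, 30 Oct 2023 16:57:26 +0100
Received: from mailbox.example.com ([10.0.3.223]) by mailbox.example.com ([10.0.3.223]) with mapi id 15.02.1258.027; Mon, 30 Oct 2023 16:57:26 +0100
'@

# The 'mapi' hop is the client submission rather than an SMTP leg, so Tls = False
# there is expected; a False on the Edge-to-Internet leg is the one to investigate.
Get-ReceivedTlsHops -RawHeaders $sample | Format-Table -AutoSize
```

Note that the headers visible to the sender only cover hops up to the last server in the sender's own organization; the Edge-to-Internet leg appears in the copy the recipient receives, which is why the Gmail-side view and the Edge SmtpSend log are the places to check it.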