Forum Discussion

Collins_Kouam
Copper Contributor
Oct 30, 2023

All messages sent outside my organization are not encrypted

Hi community Experts, 


I have an exchange configuration as follows:
. 2 servers (a Mailbox & an Edge Transport) run under windows 2022
. Exchange server 2019 installed on the 2 servers.

I followed the Microsoft documentation and many other tutorials and videos when setting up these servers.

For internal communication between my 2 servers, their self-signed certificate is used. In addition, I installed a third-party certificate (on both servers) for external communications.
NB: I use the same third-party certificate on my 2 servers.

I think I've followed all the steps required to perform Edge-Subscriptions.

My problem is that when I send a message outside my organization, for example to my private Gmail account, the message arrives unencrypted and I can see attached to each message "a red padlock" with information saying that the message has not been encrypted by my organization.


When I check the log files under C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Edge\ProtocolLog\SmtpSend, I don't see any START TLS during the EHLO test. 


I don't know what to do in such a situation and I'm really hoping to get some advice from you.

Thank you
Collins_kouam. 


  • Collins_Kouam
    Copper Contributor
    Hello community experts,

    I'm happy to inform you that I've just solved my problem.
    The problem wasn't related to my exchange servers at all, but rather to my Firewall/Router.

    There was a rule in my Firewall/Router that prevented my edge transport server from using START TLS.
    I hope this may help others in their troubleshooting process.

    Thank you all for your answers.
    Collins_Kouam
  •
    Andres-Bohren
    Steel Contributor

    Hi Collins_Kouam

    You need to have a Public Certificate for example edge.domain.tld with a private Key installed on your Exchange Edge Server.

    Get-SendConnector -Identity YourInternetConnectorName | fl
    # Check the property TlsCertificateName

    # Create the variable on your Edge Server
    $Cert = Get-ExchangeCertificate -Thumbprint "ThumbPrintOfEdgeCertificate"
    $TlsCertificateName = "<i>$($Cert.Issuer)<s>$($Cert.Subject)"

    # You need to set this on the Exchange Server (not Edge); it is then transferred via EdgeSync
    Set-SendConnector -Identity "YourInternetConnectorName" -TlsCertificateName $TlsCertificateName

    Regards
    Andres

    •
      Collins_Kouam
      Copper Contributor
      Hello Andres Bohren,

      Sorry I'm only posting today, I had a few days off.

      1. I have a certificate of the form mail.example.com installed on my Mailbox Server and edge transport server with private key.

      2. The "TlsCertificateName" property is empty when I execute the command:
      Get-SendConnector -Identity YourInternetConnectorName | fl

      3. When I execute the following command from my Mailbox server (not edge)

      Set-SendConnector -Identity "ValueFrom $tlscertificatename" -TlsCertificateName $tlscertificatename

      I get a Warning:

      WARNING: The command completed successfully but no settings of 'MyInternetConnectorName' have been modified.

      When I telnet to remote mail servers on their port 25 from my edge transport server there is no START TLS, but from my mailbox server I can see the START TLS negotiation.
  •
    Dan_Snape
    Steel Contributor
    Encryption of the actual email message is not something that is done by default, and usually only done when absolutely required. If you are talking encryption of the communications between servers, Exchange by default will use TLS as long as it can be negotiated between the sending and receiving parties. You can force TLS for all communications or just for certain domains by changing or creating connectors and rejecting connections if TLS is not possible. You can confirm TLS is used for communication by looking at the header of the message as per the below:
    Received: from SY4AUS01FT012.eop-AUS01.prod.protection.outlook.com
    (2603:10c6:10:201:cafe::af) by SY5P282CA0086.outlook.office365.com
    (2603:10c6:10:201::7) with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.21 via Frontend
    Transport;
    •
      Collins_Kouam
      Copper Contributor

      Hello Dan_Snape,


      First of all, thank you for your reply.
      I was referring to the encryption of the communication between the servers, not the encryption of the e-mail message itself; sorry for the misunderstanding.
      As I said in my first message, when I check the log files under C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Edge\ProtocolLog\SmtpSend, I can clearly see that my edge transport server negotiates communication with the other servers without using START TLS; the communication is in the clear.

      I also mentioned that I was using the same third-party certificate on both my Mailbox and edge Transport server, could this be the cause of my problem?
      On my Mailbox I have associated the IIS IMAP & POP SMTP services with my third-party certificate and on the edge Transport Server only the SMTP service.

      When I telnet from a server outside my organization to my mail server on port 25, I get:

      Telnet mail.example.com

      EHLO mail.example.com
      250-mail.example.com Hello [XX.XX.XX.XX]
      250-SIZE 37748736
      250-DSN
      250-ENHANCEDSTATUSCODES
      250-STARTTLS
      250-X-ANONYMOUSTLS
      ...

      Below is the header of a message I sent to my private email:


      Received: from mailbox.example.com (192.168.43.1) by mail.example.com (192.168.43.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27; Mon, 30 Oct 2023 16:57:26 +0100
      Received: from mailbox.example.com (10.0.3.223) by mailbox.example.com (10.0.3.223) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27; Mon, 30 Oct 2023 16:57:26 +0100
      Received: from mailbox.example.com ([10.0.3.223]) by mailbox.example.com ([10.0.3.223]) with mapi id 15.02.1258.027; Mon, 30 Oct 2023 16:57:26 +0100


      Thank you again

      Collins_kouam
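The thread's troubleshooting boils down to two questions: does the peer advertise STARTTLS in its EHLO reply, and does each Received: hop in a delivered message show a TLS version? The script below is an added example (not posted by anyone in the thread) that answers both from constructed sample data modelled on the transcripts above, plus an optional live probe that needs network access to a host you operate; all hostnames and addresses in it are placeholders.

```python
import re
import smtplib
import ssl

# Constructed EHLO transcript, modelled on the telnet session in the thread.
SAMPLE_EHLO = """250-mail.example.com Hello [203.0.113.10]
250-SIZE 37748736
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250 CHUNKING
"""

# Constructed Received: headers: first hop over TLS, second hop in the clear.
SAMPLE_HEADERS = """Received: from mailbox.example.com (192.168.43.1) by mail.example.com
 (192.168.43.109) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27; Mon, 30 Oct 2023 16:57:26 +0100
Received: from mail.example.com (198.51.100.5) by mx.example.net
 with ESMTP id abc123; Mon, 30 Oct 2023 16:57:30 +0100
"""

def ehlo_extensions(transcript):
    """Return the ESMTP keywords (uppercased) advertised in a raw EHLO reply."""
    exts = set()
    for line in transcript.splitlines()[1:]:      # first line is the greeting
        m = re.match(r"250[- ](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts

def received_hops(headers):
    """Unfold Received: headers; return (receiving host, TLS version or None) per hop."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = []
    for hdr in re.findall(r"^Received:(.*)$", unfolded, flags=re.M):
        by = re.search(r"\bby\s+(\S+)", hdr)
        tls = re.search(r"version=(TLS[0-9_]+)", hdr)
        hops.append((by.group(1) if by else "?", tls.group(1) if tls else None))
    return hops

def probe_starttls(host, port=25, timeout=10):
    """Live check from this machine: is STARTTLS offered, and does the handshake succeed?"""
    result = {"advertised": False, "negotiated": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.com")             # placeholder HELO name
        result["advertised"] = smtp.has_extn("starttls")
        if result["advertised"]:
            smtp.starttls(context=ssl.create_default_context())
            result["negotiated"] = smtp.sock.version()   # e.g. 'TLSv1.2'
    return result

if __name__ == "__main__":
    print(sorted(ehlo_extensions(SAMPLE_EHLO)))
    for by, tls in received_hops(SAMPLE_HEADERS):
        print(f"{by}: {'TLS ' + tls if tls else 'NO TLS'}")
```

Running probe_starttls from the Edge server and again from the Mailbox server against the same remote MX reproduces the comparison made in the thread; if only the Edge path reports advertised=False, the STARTTLS keyword is being stripped somewhere between the Edge and the peer, which is what a firewall SMTP inspection rule does.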
