Wednesday, October 01, 2008

Setup secure TLS communication

Setup secure (TLS) communication with an external company (Exchange 2003 server)

Task list:
Collect information about the external company.
Acquire a public certificate for the Exchange server (we can use the same one we use for OWA access, but it must be issued by a public CA).
Setup the firewall to permit SMTP access to the Exchange server.
Setup a dedicated SMTP virtual server for communication with the external company.
Setup an SMTP connector to the external company.
Test the communication.

Collect information about the external company

We need to collect the following information for the task:
The company's SMTP domains (all information and IP addresses here and below are bogus, for example only): nobody.com
Inbound IP addresses: mail1.nobody.com – 148.168.1.2; mail2.nobody.com – 148.168.2.2

Setup firewall to permit SMTP access to the Exchange server

It is a straightforward thing; for example, on a PIX:
Create the NAT mapping:
static (inside,outside) 146.82.131.230 192.168.1.5 netmask 255.255.255.255 0 0
Create the firewall rules:
access-list outside_access_in permit tcp host 148.168.1.2 host 134.82.131.230 eq smtp
access-list outside_access_in permit tcp host 148.168.2.2 host 134.82.131.230 eq smtp

Where 134.82.131.230 is the public address of your SMTP server (we will create it in Exchange System Manager), and 192.168.1.5 is its LAN address.

Setup a dedicated SMTP virtual server for communication with the external company

We need to create just a standard SMTP virtual server here, on a dedicated IP address (different from the default SMTP virtual server).

Here you need to install your public certificate; use the "Certificate" tab.

Here you enter your Exchange server's public name (exactly as it appears in your public certificate).

Setup an SMTP connector to the external company

If we did not have connectors before, we will need to create two connectors: the first pointing to the default SMTP virtual server and the second to the virtual server (NOBODY) which we created during this project.

The address space for the MAIN connector should be "*" and its cost should be higher than for NOBODY:

This connector will route all mail except for the nobody.com domain.

The second connector will look like this:

And the address space (in my case it was 5 different domain names):

Here is how to require TLS for sending e-mail to this external domain:

Test the communication

To test the communication we need to make sure an e-mail message has a TLS reference in its header, for example:

"Received: from source ([148.168.1.2]) (using TLSv1) by" for mail from the NOBODY company (inbound), and, for outbound mail:

Received: from mail.mydomai.com ([146.82.131.230])
by gromsgia01i.nobody.com (8.13.8/8.13.8) with ESMTP id m3FG0WVe026377
(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT)
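As an added example (not from the original post), here is a small Python check that pulls the TLS markers out of Received: headers like the two quoted above, so the test can be scripted instead of read by eye; the sample headers are constructed from the post's bogus addresses, and the Exchange "(using TLSv1)" and sendmail "(version=... verify=...)" formats are the two it recognises.

```python
import re
from email import message_from_string

# Two TLS markers found in Received: headers: Exchange 2003 writes
# "(using TLSv1)", sendmail writes "(version=... cipher=... bits=... verify=...)".
TLS_RE = re.compile(
    r"\(using (?P<proto>TLSv\d(?:\.\d)?)\)"
    r"|\(version=(?P<version>[\w/.]+) cipher=(?P<cipher>[\w-]+)"
    r" bits=(?P<bits>\d+) verify=(?P<verify>\w+)\)"
)

# Constructed sample headers, modelled on the two Received: lines quoted above;
# addresses and host names are the post's bogus examples, not real hosts.
INBOUND = (
    "Received: from source ([148.168.1.2]) (using TLSv1) by mail.mydomai.com\n"
    "\twith ESMTP; Wed, 1 Oct 2008 10:00:00 +0300\n\nbody\n"
)
OUTBOUND = (
    "Received: from mail.mydomai.com ([146.82.131.230])\n"
    "\tby gromsgia01i.nobody.com (8.13.8/8.13.8) with ESMTP id m3FG0WVe026377\n"
    "\t(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT)\n\nbody\n"
)
PLAIN = "Received: from other.example ([192.0.2.10]) by mail.mydomai.com with ESMTP\n\nbody\n"


def tls_hops(raw_message):
    """One dict per Received: header: hop text, TLS used, version, cipher, cert verified."""
    hops = []
    for received in message_from_string(raw_message).get_all("Received", []):
        text = " ".join(received.split())  # unfold the header onto one line
        info = {"hop": text, "tls": False, "version": None, "cipher": None, "verified": None}
        m = TLS_RE.search(text)
        if m:
            info["tls"] = True
            info["version"] = m.group("proto") or m.group("version")
            info["cipher"] = m.group("cipher")
            if m.group("verify") is not None:
                # Only verify=OK means the peer certificate was checked; NOT/NO/FAIL
                # mean the session was encrypted but the peer was not authenticated.
                info["verified"] = m.group("verify") == "OK"
        hops.append(info)
    return hops


def partner_hop_secured(raw_message, partner_ips):
    """True only if the hop received directly from a partner inbound address used TLS."""
    for hop in tls_hops(raw_message):
        if any("[%s]" % ip in hop["hop"] for ip in partner_ips):
            return hop["tls"]
    return False
```

Note that the second quoted header shows verify=NOT, so the session was encrypted but the partner's certificate was not validated; the check reports that separately from whether TLS was negotiated at all.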
