05-31-2020 08:05 AM
Hi, I am new to ESA. I would like to understand more about the email flow over SMTP with TLS enabled. Exchange 2010 is currently using port 25. If I change from port 25 to 465 and enable TLS inbound and outbound, my questions are below.
1. For inbound TLS, where does the encryption start and end? Does the TLS encryption only happen between ESA and Exchange? Or anywhere else?
2. For inbound TLS to work, do I need a publicly trusted certificate, or can I just use a certificate signed by the company CA?
3. Does Exchange require the same certificate chain in order for TLS to work? Or do I only need to import the signed cert into ESA and enable it?
4. For outbound TLS, does the encryption only happen between Exchange and ESA for the dedicated domain? Or does it start from the internal sender all the way to the recipient?
5. In order for outbound TLS to work, does the sender require the same certificate chain as the ESA certificate? Or Exchange? Or is all I need to do to import the signed certificate into ESA, and the rest of the devices, i.e. Exchange and the sender, do not require any cert?
I would really appreciate it if anyone with experience with the TLS configuration could advise me, as I could not find the answers to the above questions.
06-03-2020 04:07 AM
Let me try giving you some answers:
1. For inbound TLS, where does the encryption start and end? Does the TLS encryption only happen between ESA and Exchange? Or anywhere else?
TLS encryption happens between two TLS-enabled devices. For this, both devices need to be equipped with an SSL certificate, at least self-signed, better from a trusted CA. You can define on the ESA what kind of certificates you trust (self-signed, public, which CA, etc.) and how to validate them.
2. For inbound TLS to work, do I need a publicly trusted certificate, or can I just use a certificate signed by the company CA?
Any SSL certificate will work, as mentioned in 1.
3. Does Exchange require the same certificate chain in order for TLS to work? Or do I only need to import the signed cert into ESA and enable it?
You can, but it is not required. Usually we tend to use our internal CA for internal SMTP-enabled devices and a public CA for public-facing devices like our boundary ESAs in the DMZ.
4. For outbound TLS, does the encryption only happen between Exchange and ESA for the dedicated domain? Or does it start from the internal sender all the way to the recipient?
This all depends on your mail policies and destination settings. Common practice is to use at least opportunistic TLS for outbound traffic, meaning we attempt TLS first and fall back to non-TLS. For identified, critical domains, you should create a dedicated destination entry per domain and specify your TLS requirements (like enforced and validated).
5. In order for outbound TLS to work, does the sender require the same certificate chain as the ESA certificate? Or Exchange? Or is all I need to do to import the signed certificate into ESA, and the rest of the devices, i.e. Exchange and the sender, do not require any cert?
If the destination uses a public-CA-issued cert, it is very likely that the ESA already has the trusted root for verification. Should this be the case, and only then, the trusted root of the other party can be imported. We only have one such case with 700 TLS destinations.
I hope that helps.
-Marc
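The decision Marc describes in his answers to 4 and 5 (attempt TLS, fall back or defer depending on the per-destination setting, and validate the peer chain against the roots the ESA trusts) can be checked from the outside before you tighten a destination entry. The following is an added example, not code from the thread or from Cisco: it probes a mail host's STARTTLS support with Python's standard `smtplib` and `ssl`, distinguishes "TLS works but the certificate is not trusted" (typical of an internal-CA cert whose root has not been imported) from "TLS does not work at all", and then maps the result onto a simplified set of destination modes. The mode names `none`, `preferred`, `required` and `required_verify` are this example's own labels for opportunistic and enforced TLS with and without validation, not ESA configuration keywords, and `FakeSMTP` is a constructed stand-in so the logic runs offline; pass `ca_file` with an exported internal-CA root to verify against your own CA instead of the system store.

```python
import smtplib
import ssl
from dataclasses import dataclass

# Simplified destination modes modelled on the opportunistic / enforced /
# validated distinction in the answer above (labels are this example's own).
MODES = ("none", "preferred", "required", "required_verify")


@dataclass
class ProbeResult:
    starttls_offered: bool   # peer advertised STARTTLS in its EHLO reply
    handshake_ok: bool       # a TLS session could be established at all
    cert_verified: bool      # peer chain and hostname validated against our trust store
    detail: str = ""         # error text from the failing step, if any


def probe_starttls(host, port=25, ca_file=None, timeout=10, smtp_factory=smtplib.SMTP):
    """EHLO, then STARTTLS with verification against ca_file (or the system
    store). If only verification fails, reconnect once without verification
    so an untrusted cert is told apart from a broken TLS setup."""
    verify_ctx = ssl.create_default_context(cafile=ca_file)
    noverify_ctx = ssl.create_default_context()
    noverify_ctx.check_hostname = False
    noverify_ctx.verify_mode = ssl.CERT_NONE

    def attempt(ctx):
        conn = None
        try:
            conn = smtp_factory(host, port, timeout=timeout)
            conn.ehlo()
            if not conn.has_extn("starttls"):
                return "no_starttls", ""
            conn.starttls(context=ctx)   # smtplib sends host as SNI / hostname check
            return "ok", ""
        except ssl.SSLCertVerificationError as exc:   # subclass of SSLError: catch first
            return "untrusted", str(exc)
        except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
            return "failed", str(exc)
        finally:
            if conn is not None:
                try:
                    conn.quit()
                except Exception:
                    pass

    status, detail = attempt(verify_ctx)
    if status == "no_starttls":
        return ProbeResult(False, False, False, detail)
    if status == "ok":
        return ProbeResult(True, True, True, detail)
    if status == "failed":
        return ProbeResult(True, False, False, detail)
    # Chain or hostname check failed: find out whether TLS works at all.
    status2, detail2 = attempt(noverify_ctx)
    return ProbeResult(True, status2 == "ok", False, detail or detail2)


def decide(mode, result):
    """Delivery outcome for a destination mode given the probe result."""
    if mode == "none":
        return "deliver_plain"
    if mode == "preferred":          # opportunistic: fall back to cleartext
        return "deliver_tls" if result.handshake_ok else "deliver_plain"
    if mode == "required":           # enforced, any certificate accepted
        return "deliver_tls" if result.handshake_ok else "defer"
    if mode == "required_verify":    # enforced and validated
        ok = result.handshake_ok and result.cert_verified
        return "deliver_tls" if ok else "defer"
    raise ValueError(f"unknown mode {mode!r}")


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP; simulates a peer, never touches the network."""
    def __init__(self, host, port=25, timeout=10, offers=True, trusted=True, broken=False):
        self.offers, self.trusted, self.broken = offers, trusted, broken

    def ehlo(self):
        return 250, b"example.invalid"

    def has_extn(self, name):
        return name.lower() == "starttls" and self.offers

    def starttls(self, context=None):
        if self.broken:
            raise ssl.SSLError("handshake failure")
        if context is not None and context.verify_mode != ssl.CERT_NONE and not self.trusted:
            raise ssl.SSLCertVerificationError("self-signed certificate")

    def quit(self):
        return 221, b"bye"


def fake_factory(offers=True, trusted=True, broken=False):
    """smtp_factory producing a FakeSMTP with the given simulated peer behaviour."""
    return lambda host, port, timeout: FakeSMTP(host, port, timeout, offers, trusted, broken)


if __name__ == "__main__":
    peers = {"public-CA peer": fake_factory(),
             "internal-CA peer, root not imported": fake_factory(trusted=False),
             "no STARTTLS": fake_factory(offers=False)}
    for name, factory in peers.items():
        r = probe_starttls("mx.example.invalid", smtp_factory=factory)
        print(name, {m: decide(m, r) for m in MODES})
```

Against a real host, call `probe_starttls("mail.example.com", ca_file="internal-root.pem")` with the default `smtp_factory`; a result of `handshake_ok=True, cert_verified=False` is exactly the internal-CA case from answer 5, where the fix is to import that root before switching the destination to the validated mode, since in that mode the probe's `defer` outcome is what the gateway would do to your mail.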