Tuesday, July 27, 2010

Exchange 2007 / 2010 mail encryption

TLS encryption is the default for Exchange 2007 / 2010. No configuration is required, not even a commercial certificate, because standard (opportunistic) TLS encrypts the session but doesn't authenticate the peer.

(Exchange 2007 / 2010 install a self-generated SSL certificate at installation that is suitable for encryption. Exchange 2003 and earlier require manual configuration.)

The only requirements for TLS:
a) if Exchange is sending the message, the recipient mail server must respond to the EHLO greeting with a list that includes the verb STARTTLS;
b) if Exchange is receiving the message, the sender must issue the STARTTLS request to negotiate a TLS session.

To determine whether the recipient mail server supports TLS:
find the mail server (MX record) for the target domain;
telnet to it on port 25 and issue an EHLO, then examine the returned list for STARTTLS.

Scenario: we want to determine whether email exchanged with hud.gov will be encrypted.

a. find the mail server(s) for hud.gov
nslookup
set type=mx
hud.gov
quit

session transcript looks like:
>nslookup
Default Server: ns1.ncgi.com
Address: 192.168.1.375

> set type=mx
> hud.gov
Server: ns1.ncgi.com
Address: 192.168.1.375

Non-authoritative answer:
hud.gov MX preference = 0, mail exchanger = hlanuep001.hud.gov
hud.gov MX preference = 0, mail exchanger = hlanuep002.hud.gov
hud.gov MX preference = 0, mail exchanger = horluep003.hud.gov

hud.gov nameserver = hudgate.hud.gov
hud.gov nameserver = hudgater.hud.gov
hlanuep001.hud.gov internet address = 170.97.200.33
hlanuep002.hud.gov internet address = 170.97.200.34
horluep003.hud.gov internet address = 170.97.202.58
hudgate.hud.gov internet address = 170.97.67.16
hudgater.hud.gov internet address = 170.97.167.16
> exit


b. from the mail server console, telnet and issue EHLO
session transcript:
>telnet hlanuep001.hud.gov 25

220 HLANUEP001.hud.gov ESMTP
EHLO ncgi.com
250-HLANUEP001.hud.gov
250-8BITMIME
250 SIZE 15728640
quit
221 HLANUEP001.hud.gov


Connection to host lost.

So we see that hud.gov doesn't support encryption (no STARTTLS in the response to EHLO).

Microsoft Corporation, however, does support encryption (returns STARTTLS in the EHLO response).
session transcript:
>telnet mail.messaging.microsoft.com 25

220 TX2EHSMHS014.bigfish.com Microsoft ESMTP MAIL Service ready at Wed, 28 Jul 2010 03:10:23 +0000
EHLO ncgi.com
250-TX2EHSMHS014.bigfish.com Hello [1.1.1.1]
250-SIZE 157286400
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
quit
221 2.0.0 Service closing transmission channel


Connection to host lost.

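The same check the two telnet sessions above perform by hand, as an added example that is not part of the original post: parse_ehlo() reads the 250- lines of an EHLO reply and supports_starttls() reports whether STARTTLS was advertised; probe_starttls() does the live EHLO against an MX host with Python's smtplib (assumed helper names; the two sample replies are constructed from the post's transcripts so the parsing runs offline).

```python
import smtplib


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line EHLO reply ('250-STARTTLS', '250 SIZE 15728640')
    into {EXTENSION: parameters}; the first '250-hostname' line is skipped."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    extensions = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            continue  # ignore anything that is not an EHLO 250 line
        keyword, _, params = line[4:].partition(" ")  # drop '250-' / '250 '
        if keyword:
            extensions[keyword.upper()] = params
    return extensions


def supports_starttls(reply: str) -> bool:
    """True when STARTTLS is among the advertised extensions."""
    return "STARTTLS" in parse_ehlo(reply)


def probe_starttls(mx_host: str, helo_name: str, timeout: float = 10.0) -> bool:
    """Live version of the post's telnet step: EHLO the MX on port 25 and report
    whether STARTTLS is advertised. Needs network access; run from the mail
    server, as the post advises, so the source IP is one the remote accepts."""
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        code, msg = smtp.ehlo(helo_name)
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg!r}")
        return smtp.has_extn("starttls")


# Constructed sample replies, copied from the two transcripts in the post.
HUD_REPLY = """250-HLANUEP001.hud.gov
250-8BITMIME
250 SIZE 15728640"""

MICROSOFT_REPLY = """250-TX2EHSMHS014.bigfish.com Hello [1.1.1.1]
250-SIZE 157286400
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING"""
```

A real probe would be `probe_starttls("hlanuep001.hud.gov", "ncgi.com")` after the nslookup step above; note that STARTTLS being advertised only means the peer offers encryption, not that the certificate it presents is trusted.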

Why always do this from the mail server console? Because workstations or other machines may be using public IPs that aren't approved. This is the response when trying to telnet to the Air Force Academy's mail server from a PC on a Qwest DSL connection:

>telnet usafamail.usafa.af.mil 25

220 xqpz-fwl-001.usafa.af.mil ESMTP Wed, 28 Jul 2010 02:55:10 GMT


Connection to host lost.

This indicates that the mail server dropped the connection because it originated from an address known to be in a problematic block. (The blacklist check at mxtoolbox.com is great for troubleshooting delivery failures due to blacklisting: http://mxtoolbox.com/blacklists.aspx)