
SBS2003 Exchange SMTP Connector and SSL w/ AT&T/SBC internet


mrce...@gmail.com

Aug 8, 2007, 7:50:39 PM
I posted a message a while back about this.

http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/b0c0f3ec2ee67a7e/a1b2bf472681e8da?lnk=st&q=mrceolla&rnum=18&hl=en#a1b2bf472681e8da

Susan Bradley later posted this about the issue:

http://msmvps.com/blogs/bradley/archive/2007/05/31/using-pop-connector-with-at-amp-t-yahoo.aspx

She addresses the fact that the POP3 connector will no longer work,
but doesn't mention anything about the SMTP connector...although I
think we all know that isn't going to work either.

Well, the August 31st deadline is quickly approaching. That's when
they told me they are shutting off the non-SSL servers.

Fortunately there are 3rd party, software-only solutions around the
POP3 issue (I purchased MAPILabs Native POP3 Connector), but what
about the SMTP issue?

I know I could use a paid service to forward all my mail through, but
I would be much more interested in a software only solution.

Does anyone have any suggestions or recommendations?

Or better yet, how about MS get w/ the times and upgrade these
connectors?

Thanks for any advice,
Mike

Terence Liu [MSFT]

Aug 8, 2007, 11:36:58 PM
Hello Mike,

Thank you for posting here.

According to your description, I understand that you want to enable SSL for
the SMTP connector. If I have misunderstood the problem, please don't
hesitate to let me know.

Based on my research, we can enable TLS for the SMTP connector to encrypt the
SMTP traffic.

The use of the Transport Layer Security (TLS) protocol over SMTP offers
certificate-based authentication and helps provide security-enhanced data
transfers by using symmetric encryption keys. In symmetric-key encryption
(also known as shared secret), the same key is used to encrypt and to
decrypt the message. TLS applies a Hash-based Message Authentication Code
(HMAC). HMAC uses a hash algorithm in combination with a shared secret key
to help make sure that the data has not been modified during transmission.
The shared secret key is appended to the data to be hashed. This helps
enhance the security of the hash because both parties must have the same
shared secret key to verify that the data is authentic.

Enable TLS on SMTP connector in SBS:

1. Install an X.509 server certificate on the server.

For more information about X.509 certificates, click the following article
number to view the article in the Microsoft Knowledge Base:
319574 How to use certificates with virtual servers in Exchange 2000 Server

http://support.microsoft.com/kb/319574/

2. Enable TLS on the SMTP connector with the smart host configured. To enable
TLS encryption, right-click the SMTP connector, and then click Properties.
Click the Advanced tab, click Outbound Security, and then click to select
the TLS Encryption check box.

3. Restart the SMTP service and the Routing Engine service.

See the following article for details:
How to help protect SMTP communication by using the Transport Layer
Security protocol in Exchange Server
http://support.microsoft.com/?id=829721

Additional info on TLS:
================
How to secure Simple Mail Transfer Protocol client message delivery in
Exchange 2000 Server
http://support.microsoft.com/?id=319267

823024 How to Use Certificates with Virtual Servers in Exchange Server 2003
http://support.microsoft.com/?id=823024

329061 Exchange Server cannot communicate with non-TLS domains
http://support.microsoft.com/?id=329061

I hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

mrce...@gmail.com

Aug 9, 2007, 4:36:59 PM
Thanks for your reply, but your suggestion has nothing to do with my
goal. I think you're referring to the wrong connector? I'm talking
of the connector that lets you forward all outbound mail through a
different SMTP server (usually your ISP).

TLS is not SSL last I checked, and I also need to specify a port
number of 995 for the server I'm trying to send through. I don't see
those options anywhere.

These options are all available in Outlook...just not in these
connectors.

Please re-read the posts I've linked to so you get a better
understanding of this problem.

Thanks,
Mike

Terence Liu [MSFT]

Aug 10, 2007, 5:08:51 AM
Hello Mike,

Thank you for your update.

I have read your original post, and I know your ISP requests that you encrypt
the SMTP traffic to it.

I want to explain that:

1. TLS encryption is used when an Exchange server communicates with another
Exchange server when transferring emails via the SMTP protocol. TLS should not
be related to communication between the Outlook client and the Exchange
server. SSL encryption is used when clients communicate with the Exchange
server when transferring emails via the SMTP protocol.

TLS is designed to help protect outgoing messages, but TLS does not help
protect traffic that travels from clients to the server. These clients
include Microsoft Outlook Web Access (OWA), POP3, and IMAP4 in particular.
To fix this problem, you can enable the use of Secure Sockets Layer (SSL)
with Outlook Web Access. You can also suggest that POP3 or IMAP4 users use
a client that supports the use of SSL with POP3 and IMAP4 (for example,
Microsoft Outlook Express).

2. TLS and SSL are both used for encrypting SMTP traffic: TLS for
server to server, SSL for client to server. Therefore, you will find the
SSL options available in Outlook, but you can only find TLS in the SMTP
connector.

3. The connector that lets you forward outbound mail to the ISP is an SMTP
connector. We can enable TLS but not SSL on the SMTP connector.

I hope the information gives you some help.

Best regards,

Terence Liu(MSFT)

Get Secure! - www.microsoft.com/security

mrce...@gmail.com

Aug 10, 2007, 10:38:50 AM
Thanks again, but that still doesn't help my problem. I know what TLS
and SSL are for. My ISP does not use TLS, therefore I can not use
TLS. My ISP expects clients to be using an email program like Outlook
with SSL to send outgoing mail. All of my outgoing mail is going
through the Exchange server. I can not use my Exchange Server as a
SMTP server because I am on a dynamic IP block and my email messages
will get rejected as SPAM. Therefore I need to forward all of my
outgoing mail through my ISP's SMTP server. Their SMTP server REQUIRES
SSL...not TLS. In fact, I know of zero ISPs that support TLS between
the end user and their servers.

So are you saying this just isn't possible? And that MS has no plans
to update these connectors to make them useful again?

Thanks,
Mike

Terence Liu [MSFT]

Aug 13, 2007, 7:14:16 AM
Hello Mike,

Thank you for your kind update.

Based on my further research, we indeed cannot enable SSL for the SMTP
connector; we can only enable TLS for it. This is by design.

Please contact your ISP to confirm that they can only enable SSL on their
mail server.

I understand that this limitation may inconvenience our users and we
apologize for the inconvenience you faced. In our efforts to continue to
improve our products, you are welcome to add your suggestions in
Partnerfeedback newsgroup to make Microsoft products easier and more
powerful to use. Thanks for your understanding.

Submitting suggestions for product enhancement:

Legitimate Wishes fit into the following guidelines:

Enhancement or feature addition to existing Microsoft products
Reproducible problem or bug with current version that needs resolution
Cannot find documentation of feature within the help files
Difficulty using the product
All beta products
Product packaging complaints
Added accessibility feature for a Microsoft product
These can be submitted here:

https://support.microsoft.com/common/survey.aspx?scid=sw;en;1214&showpage=1&WS=Wish&url=http%3a%2f%2fwww.microsoft.com%2fireland%2fcontact%2f

Thanks for your understanding.

Have a nice day!

Best regards,

Terence Liu(MSFT)

Get Secure! - www.microsoft.com/security
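
Added example, not part of any post in this thread: the connector's "TLS Encryption" option upgrades a plain SMTP session with the STARTTLS command, so it can only work if the relay advertises STARTTLS in its EHLO reply, whereas the "SSL" setting in mail clients normally means TLS from the first byte of the connection. The Python code below parses an EHLO reply and can probe a relay for either mode; the sample replies, the name probe.example and the default ports (25 for cleartext EHLO, 465 for implicit TLS) are assumptions, not values from the thread.

```python
import smtplib
import socket
import ssl

# Constructed EHLO replies for illustration, not captured from a real relay.
SAMPLE_STARTTLS = ("250-relay.example.net Hello\r\n250-SIZE 36700160\r\n"
                   "250-STARTTLS\r\n250 AUTH LOGIN PLAIN\r\n")
SAMPLE_NO_TLS = ("250-relay.example.net Hello\r\n250-SIZE 36700160\r\n"
                 "250 AUTH=LOGIN PLAIN\r\n")

def parse_ehlo(reply):
    """Map each ESMTP keyword in a multi-line 250 reply to its parameters."""
    ext = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if line[:3] != "250" or line[3:4] not in ("-", " ", ""):
            raise ValueError("not a 250 EHLO reply: %r" % line)
        words = line[4:].replace("=", " ").split()  # legacy "AUTH=LOGIN" form
        if i == 0 or not words:
            continue  # first line is the server greeting, not an extension
        ext.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return ext

def classify(ext, implicit_tls_ok=False):
    """Which transport a sender limited to STARTTLS can use with this relay."""
    if "STARTTLS" in ext:
        return "starttls"
    return "implicit-tls-only" if implicit_tls_ok else "cleartext-only"

def ehlo_probe(host, port=25, timeout=10):
    """Live check (needs network): EHLO over cleartext, return parsed keywords."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, msg = s.ehlo("probe.example")  # placeholder EHLO name
    if code != 250:
        raise ValueError("EHLO refused with code %d" % code)
    # smtplib strips the reply codes; put them back so parse_ehlo can be reused.
    text = msg.decode("ascii", "replace").splitlines()
    return parse_ehlo("".join("250-%s\r\n" % ln for ln in text))

def implicit_tls_probe(host, port=465, timeout=10):
    """Live check: does the port complete a TLS handshake before any SMTP?"""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:
        return False
```

Against a real relay, `classify(ehlo_probe(host), implicit_tls_probe(host))` returning "implicit-tls-only" is the situation described in this thread: the relay accepts encrypted submission, but not in the form a STARTTLS-only sender can negotiate.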
