Transport Layer Security takes you toward 100 percent security for your email
Because the SMTP standard sends email without using encryption or authentication, every message you send is exposed to view. Client-side solutions such as Secure MIME (S/MIME) or pretty good privacy (PGP) can solve this problem, but they require your users' involvement. A better place to focus your security efforts is on securing SMTP traffic. If you can secure SMTP, you'll go a long way toward providing 100 percent security for mail traffic that originates or terminates at one of your servers.
Microsoft Exchange Server offers several tools for securing email traffic. One way to secure SMTP is to require the use of Secure Sockets Layer (SSL) for SMTP connections. However, that approach raises a problem. By default, all SMTP servers use port 25. But if you use SSL on port 25, non-SSL servers won't be able to connect through that port. And if you use a nonstandard port number, other servers won't be able to find your servers.
You can work around this problem. The STARTTLS verb (part of the Extended SMTP—ESMTP—command set) lets an SMTP client and server negotiate the use of Transport Layer Security (TLS) for an SMTP connection. Each end of the connection can choose to authenticate the other, or the TLS connection can be used purely for privacy. Either way, this approach offers three important advantages.
- It doesn't interfere with other servers and clients. Clients that support STARTTLS can use it; those that don't can continue to use unencrypted SMTP.
- It's opportunistic. When you enable the use of TLS with SMTP, your server automatically requests TLS when communicating with other servers, and it accepts TLS connections when requested. Assuming the other server completes the negotiation process, mail flow is automatically protected. (You'll generally need to tell your users to enable SSL/TLS in their Internet mail clients, though.)
- TLS-encrypting the SMTP stream also protects message headers, giving you an additional degree of protection against traffic analysis, which can tell network intruders who you're communicating with, and how often.
You must remember one important caveat, however: TLS doesn't protect messages from end to end. In other words, it doesn't protect messages that are in storage or traveling from client to server (unless the client also supports TLS). TLS protects the message only as it passes between two servers that both support TLS.
Requesting an SSL Certificate
Before you can begin to use TLS with SMTP, you must obtain and install a certificate for your SMTP server. If you've already set up your own certificate authority (CA), you'll find that requesting an SSL certificate is quite simple; if not, you'll need to save the certificate request to a file and deliver it to your preferred CA. (For a detailed explanation of how to set up and use the Microsoft CA or how to use an external CA for your public key infrastructure—PKI—see the Certificate Services topic in Windows Server Help.) I assume that you have access to a CA of some sort and want to request and install an SSL certificate for use with Microsoft Outlook Web Access (OWA), IMAP, POP, or SMTP.
The basic mechanics of certificate issuance are the same for all these protocols, although I deal with only SMTP here. You initiate the certificate request process from Exchange System Manager (ESM). In ESM's treeview pane, navigate to your server, then to Protocols. Select SMTP, then right-click the virtual server and select Properties. On the Access tab, you'll see the Certificate button, which is enabled whenever you run ESM on an Exchange server. Because the private key associated with the certificate is generated on the local machine, generating a certificate from your administrative workstation doesn't make sense.
You can use Internet Services Manager (ISM) 5.0 to request a certificate for use with OWA. However, using ESM to request POP and IMAP certificates is easier because you can request them from the virtual server Properties dialog box, so that's what we do here. To request a certificate, simply click Certificate.
Getting a Certificate
When you click Certificate on a server that doesn't have a certificate for the specified protocol, ESM launches the IIS Certificate Wizard. The wizard will look familiar if you've ever used Microsoft IIS to request an SSL certificate. To request a certificate for Exchange to use, you must have administrative privileges on the Exchange server and the account you use must have permission to request the certificate from the CA.
After clearing the welcome screen, you need to specify what you want to do. If you're requesting a certificate for a virtual server that doesn't currently have one, your choices are to attach an existing certificate to the virtual server, import a backed-up certificate, or request a new certificate. If you're modifying an existing certificate, the wizard asks you to choose between renewing the certificate, removing it from the virtual server, and requesting a new one. Let's assume that you want to request a new certificate. After you click Create a new certificate, the process works as follows:
- The Delayed Or Immediate Request page lets you choose to use a remote procedure call (RPC) to send the request directly to an online CA or to save the request in Public-Key Cryptography Standards (PKCS) #10 format—the standard format used to request certificates. If you're using your own internal CA and the CA is online, select Send the request immediately to an online certification authority and click Next. If you're using an external CA or if your internal CA is offline, select Prepare the request now, but send it later, then click Next to generate a PKCS #10 file that you can send to the CA later.
- The wizard prompts you for a name and a key length for your certificate, as Figure 1 shows. Although Windows 2000 supports 512-bit keys, they are too short to be secure; always choose a key length of at least 1024 bits. Click Next.
- The wizard asks you to identify your organization and organizational unit (OU). These attributes are encoded into the issued certificate, so getting them right is important—the information you enter here is permanent. You have to type the information, so be sure you spell everything correctly. When you're satisfied with your entries, click Next.
- The wizard next asks for your site's common name (CN). The CN should be your server's Fully Qualified Domain Name (FQDN) as it will appear on the Internet. For example, if your SMTP server is exch-smtp-sea-1.fabrikam.corp and it has the external DNS name mail1.fabrikam.com, you'd enter mail1.fabrikam.com on this wizard page. If your machine's CN changes, you'll need to get a new certificate. Be sure to enter the correct DNS name—if you get it wrong (e.g., if the actual FQDN and the one in the certificate don't match), client applications such as Microsoft Internet Explorer (IE) will complain that the certificate is bad.
- The Geographical Information page asks you to pick the country (or region), the state (or province), and the city that you want in the certificate attributes. These entries aren't checked for validity, so be sure that what you enter here is what you want your certificate to say.
Up to this point, the procedure is the same whether you request a certificate from an online or offline CA. After you provide your geographic information, an online request prompts you to select the CA you want to use from a list of CAs visible to the requestor. (If the CA you want to use isn't listed, you can't submit a certificate to it.) Select a CA, then click Next. You'll see a summary screen of the parameters you've requested for your certificate; clicking Next again sends the request. When the request is successful, the certificate is installed automatically and you can begin configuring TLS.
Using a Third-Party CA
If you selected Prepare the request now, but send it later to submit a certificate to a CA outside your network or to a standalone CA that isn't integrated with Active Directory (AD), your submission process will be a bit different. After you provide geographic information, the wizard lets you choose where to save the request file. The request file is a plaintext, base-64encoded PKCS #10 request. After saving the file, you need to submit it to your CA, typically through a Web-based interface. The details of the interface depend on the CA; for example, the interfaces for Thawte, VeriSign, and Comodo's InstantSSL look and behave somewhat differently from one another. Most vendors' Web sites prominently feature a set of instructions for submitting a request.
Microsoft's CA can also accept PKCS #10 requests through its Web interface. Let's walk through the process of using this CA to request and install a certificate.
- On your Exchange server, open IE and navigate to http://yourCA/certsrv, where yourCA is your CA's NetBIOS or DNS name. You should see the CA Welcome page. Select Request a certificate and click Next.
- The Choose Request Type page, which Figure 2 shows, asks you to select a request type. Because you want a certificate for a virtual server and you already have a saved request, select Advanced request and click Next. (The User certificate request list is for those who are requesting an end-user certificate.)
- The Advanced Certificate Requests page gives you three choices: submit a new request by using the CA's forms interface, submit a precreated PKCS #10 request, or request a certificate for a smart-card user. Because you want to use your existing certificate request, select Submit a certificate request using a base64 encoded pkcs #10 file or a renewal request using a base64 encoded pkcs #7 file, then click Next.
- The Submit A Saved Request page, which Figure 3, page 83, shows, is where you submit your request for processing. Use Notepad to open the PKCS #10 file on the machine on which your browser is running. Copy the file's contents and paste them into the Saved Request text box. (If you've configured the certificate server as a trusted site, you can use the Browse link to find and upload the request file.) Click Submit, and the system sends the request to the CA for processing.
You're not finished yet. As the Submission Confirmation page tells you, you need to return to the CA to check the status of the request and retrieve the issued certificate. (Depending on whether you're using an enterprise or standalone CA, the CA might automatically issue the certificate or require administrator intervention. For information about the difference between enterprise and standalone CAs, see the Certificate Services documentation in Windows Server Help.) To do so, return to the CA Welcome page at http://servername/certsrv, where servername is the name of your server. Select Check on a pending certificate, then click Next. The CA lists all known pending requests. Select yours, then click Next.
What you see then depends on whether the CA has issued your certificate. If it hasn't, the CA Web page tells you that the request is still pending. In that case, you'll need to approve the request (or have it approved). For an explanation of how to use the Microsoft Management Console (MMC) Certificate Services snap-in to approve a request, see the sidebar "Approving Pending Requests." If the CA has issued the certificate, you'll see a page like the one that Figure 4 shows. This page is a little confusing because it offers no clearly labeled "Download my new certificate" link. Click Download CA certificate and save the resulting file on your Exchange server. ESM expects the certificate to be stored in the Distinguished Encoding Rules (DER)encoded format, so be sure to choose that format when you save the certificate.
After you save the certificate, you're ready to associate it with your virtual server. Return to ESM, find the virtual server to which you want to attach the certificate, and open the server's Properties dialog box. On the Access tab, click Certificate to start the IIS Certificate Wizard. This time, the wizard states that a certificate request is pending; select Process the pending request and install the certificate. On the next page, specify the path to the certificate file you just downloaded, and click Next. ESM decodes the certificate and shows you a summary screen so that you can verify that you're installing the right certificate. When you're satisfied, click Next once more, then click Finish to install your certificate. To verify that the certificate is installed, check the status of the Access tab's Communications button—this button is available only when a valid certificate is installed for the virtual server.
With a certificate in place, you can start using it to protect your SMTP traffic. You have three choices: You can force the use of TLS for all outbound mail; you can use TLS for mail to selected domains; or you can force other servers that contact you to use TLS. These options are independent of one another, so you can use them individually or together.
To turn on TLS for all outbound mail on a selected SMTP virtual server, go to the Delivery tab on the SMTP virtual server's Properties page. Click the Outbound Security button to display the Outbound Security dialog box, which Figure 5 shows. Select the TLS encryption check box and click OK. However, be aware that this option effectively restricts Exchange to communicating only with hosts that support TLS. This restriction has the unwelcome side effect of making email messages sent to other hosts sit in delivery queues forever, or until the retry interval expires and the messages are returned with a nondelivery report (NDR).
A better approach is to use SMTP connectors to tailor the use of TLS to specific domains. You're almost certainly better off restricting your outbound TLS use to domains that you know support TLS. (To find out whether a domain supports TLS, telnet to port 25 on the domain's mail server and run the SMTP EHLO command from a command prompt. If the response lists STARTTLS, the domain supports TLS.) The easiest way to tailor the use of TLS is to create SMTP connectors for domains that support TLS, which you do from within ESM's Routing Groups container. When you create the connector (or modify the properties of an existing container), the two crucial steps are to ensure that you've specified the correct domains in the Address Space tab and to ensure that you've turned on TLS on the Advanced tab (click the Advanced tab, click Outbound Security, and select the TLS encryption check box).
Turning on inbound TLS is almost as easy. Go to the Access tab on the virtual server's Properties page, then click Communication in the Secure Communication command group. In the Security dialog box, which Figure 6 shows, you can turn on TLS at its default 40-bit strength or specify the full (and highly recommended) 128-bit version. Be aware that selecting the Require secure channel check box does exactly that: Servers that don't support TLS, or can't successfully negotiate a set of TLS parameters with your server won't be able to deliver mail to you. Be careful about selecting Require secure channel; if the volume of inbound mail subsequently drops, you might need to consider whether improved privacy is worth losing messages.
After you turn on outbound TLS, keep an eye on your server queues. Some systems (primarily those running variants of UNIX Sendmail) will reject TLS connections from systems that use self-signed certificates, whereas others will accept STARTTLS, then won't complete the security negotiation for some other reason. If your server can't successfully negotiate a TLS connection and if it or the other system requires TLS, mail won't flow to that system.
If you see mail backing up to a particular destination system after you turn on TLS, you'll need to find out whether TLS failure is the cause. If it is, you'll need to determine why TLS is failing. Check the SMTP logs and the System and Application event logs for clues. If that doesn't help, contact the remote system's administrator.
If you still can't resolve the problem, you might be able to work around it. Although the Exchange SMTP engine doesn't support domain-specific TLS settings, you can create another SMTP virtual server that doesn't use TLS, then pair it with an SMTP connector. Set the connector's properties to include the domains that you're having trouble communicating with. Because Exchange always prefers a more specific route to a less specific one, mail bound for the specified destinations will be sent over that connector, and your mail will flow again.