Article ID: 829721 - View products that this article applies to.
This article contains information about how to enhance the security of Simple Mail Transfer Protocol (SMTP) communication in Microsoft Exchange Server 2003 and in Microsoft Exchange 2000 Server by using the Transport Layer Security (TLS) protocol.
The use of the Transport Layer Security (TLS) protocol over SMTP offers certificate-based authentication and helps provide security-enhanced data transfers by using symmetric encryption keys. In symmetric-key encryption (also known as shared secret), the same key is used to encrypt and to decrypt the message. TLS applies a Hash-based Message Authentication Code (HMAC). HMAC uses a hash algorithm in combination with a shared secret key to help make sure that the data has not been modified during transmission. The shared secret key is appended to the data to be hashed. This helps enhance the security of the hash because both parties must have the same shared secret key to verify that the data is authentic.
An X.509 server certificate is a digital form of identification that is typically issued by a certification authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer. You can help protect communication by increasing the encryption level of the key pair from 40 bits (the default) to 128 bits. The greater the number of bits, the more difficult the item is to decrypt. Because of export restrictions, the 128-bit key strength encryption feature is available only in the United States and Canada.
For more detailed information, visit the following Internet Engineering Task Force (IETF) Web sites and view the following Requests for Comments (RFC):
TLS is designed to help protect outgoing messages, but TLS does not help protect traffic that travels from clients to the server. These clients include Microsoft Outlook Web Access (OWA), POP3, and IMAP4 in particular. To fix this problem, you can enable the use of Secure Sockets Layer (SSL) with Outlook Web Access. You can also suggest that POP3 or IMAP4 users use a client that supports the use of SSL with POP3 and IMAP4 (for example, Microsoft Outlook Express).
How to Require Transport Layer Security Encryption for ClientsTo require TLS encryption for clients, follow these steps:
Enable Transport Layer Security Encryption for a Specific Remote Domain in an Exchange OrganizationTo enable TLS encryption for a specific remote domain in Exchange Server, follow these steps:
(http://support.microsoft.com/kb/329061/ )Exchange Server cannot communicate with non-TLS domains
Enable Transport Layer Security Encryption for All Outgoing SMTP Connections in Exchange ServerTo enable TLS encryption for all outgoing SMTP connections, follow these steps:
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/319278/ )Secure Internet Message Access Protocol client access in Exchange 2000
(http://support.microsoft.com/kb/282835/ )Encrypted e-mail messages go successfully to untrusted recipient but no warning or event appears
(http://support.microsoft.com/kb/823019/ )How to help secure SMTP client message delivery in Exchange 2003
Article ID: 829721 - Last Review: October 25, 2007 - Revision: 3.3