OpenTechTips

Set up Enforced TLS for on-prem Exchange 2019

April 27, 2020 - by Zsolt Agoston - last edited on January 18, 2021

This guide is for on-premises Exchange deployments. Enforced TLS for Office 365 tenants is covered in a separate guide.

Opportunistic

Exchange, like most modern email systems, can transfer messages encrypted so that they cannot be read by eavesdroppers in transit. At the same time it maintains compatibility with older systems: it still accepts and sends unencrypted traffic, while preferring encryption whenever the other side offers it.

This is what Exchange calls opportunistic TLS: if both our server and the remote server support STARTTLS, the message is transferred over an encrypted session. If the remote server is a legacy system that does not advertise STARTTLS, our server accommodates it and sends the message in clear text over plain SMTP. The weak point is that this decision is made on the fly, per connection: an attacker who can tamper with the traffic (for example by stripping the STARTTLS capability from the EHLO response) can push both sides down to clear text without either of them noticing, and even when TLS is negotiated opportunistically the remote certificate is not validated, so a self-signed or mismatched certificate is accepted.

So where GDPR, another regulation or a contract with a partner requires that mail to that partner is always encrypted in transit, opportunistic TLS is not enough: we need to enforce TLS, so that delivery fails (and is retried) rather than falling back to clear text.

Enforce Outbound TLS

Via PowerShell (from the Exchange Management Shell):

# Custom connector scoped to one address space; RequireTLS makes delivery fail and retry instead of falling back to clear text
New-SendConnector -Name "ForceTLS" -AddressSpaces "opentechtips.com" -Usage Custom -RequireTLS:$true -MaxMessageSize 200MB

Or through the Exchange admin center (EAC), under mail flow > send connectors:

In the EAC we have to choose the "Partner" connector type, as that is the one which enforces TLS. I personally prefer PowerShell, where forced TLS can be specified explicitly instead of being implied by the connector type.

If you use a smart host, set it as the next hop. Here we use MX routing, so the next hop is looked up from the recipient domain's MX record.

Add the address space (the partner domain) the connector applies to, add the mailbox servers that are allowed to use the connector, then click Finish.
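The whole outbound procedure as one script, added here as an example rather than code from the original post. It goes one step beyond the text: RequireTLS alone only guarantees an encrypted session, so the script also turns on certificate validation against the partner's domain and enables protocol logging for troubleshooting. The partner domain partner.example, the mailbox server name MAIL and the smart host name are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): a TLS-enforced send connector for
# one partner domain, with certificate validation and a verification step.
# Assumptions: the partner domain is partner.example, our mailbox server is
# called MAIL, and the partner's MX hosts present a certificate issued for
# partner.example. Adjust all three to your environment.
$partnerDomain = "partner.example"
$sourceServers = @("MAIL")
$connector     = "ForceTLS-$partnerDomain"

# 1. Create the connector. -Usage Custom lets every setting be stated explicitly
#    instead of relying on what the "Partner" type implies. DNS routing means the
#    next hop is the partner's MX record; RequireTLS makes Exchange fail the
#    delivery (and keep retrying from the queue) instead of falling back to
#    clear text when STARTTLS is missing or fails.
New-SendConnector -Name $connector `
    -Usage Custom `
    -AddressSpaces "SMTP:$partnerDomain;1" `
    -DNSRoutingEnabled $true `
    -SourceTransportServers $sourceServers `
    -RequireTLS $true `
    -MaxMessageSize 200MB
# Smart-host variant: replace "-DNSRoutingEnabled $true" with
#    -DNSRoutingEnabled $false -SmartHosts "smarthost.example"   (assumed host name)

# 2. RequireTLS on its own only guarantees that the session is encrypted; the
#    remote certificate is not checked, so a man-in-the-middle presenting any
#    certificate would still satisfy the connector. DomainValidation requires a
#    certificate that chains to a trusted CA and whose subject or SAN matches
#    TlsDomain.
Set-SendConnector $connector `
    -TlsAuthLevel DomainValidation `
    -TlsDomain $partnerDomain

# 3. Verbose protocol logging records the STARTTLS exchange and the reason for
#    any TLS failure in the SmtpSend protocol logs of each source server, which
#    is the first place to look when mail to the partner starts queuing.
Set-SendConnector $connector -ProtocolLoggingLevel Verbose

# 4. Verify the resulting configuration.
Get-SendConnector $connector |
    Format-List Name, Enabled, AddressSpaces, DNSRoutingEnabled,
                SourceTransportServers, RequireTLS, TlsAuthLevel, TlsDomain,
                ProtocolLoggingLevel
```

One caveat before choosing DomainValidation: the name checked is the one on the certificate the partner's MX hosts actually present, which for partners behind a hosted filtering service is often the service's name rather than the partner's domain. Set TlsDomain to that name, or fall back to CertificateValidation (chain and revocation checks only) if the name cannot be pinned. Test with a single message and watch the queue (Get-Queue) and the SmtpSend protocol log before relying on the connector.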

Enforce Received TLS

We can also require TLS on received email. A receive connector with RequireTLS set still advertises STARTTLS, but rejects any sending server that tries to issue MAIL FROM on a clear-text session (Exchange answers 530 5.7.0 Must issue a STARTTLS command first), so legacy senders that cannot negotiate TLS will no longer be able to deliver to us.

# Enforce on the Default Frontend connector of every Mailbox server.
# The connector name embeds the server name ("Default Frontend MAIL"), so a
# single identity cannot address all of them; filter on the name instead.
Get-ReceiveConnector | Where-Object { $_.Name -like "Default Frontend *" } | Set-ReceiveConnector -RequireTLS:$true

# Enforce only on the Mailbox server called MAIL
Set-ReceiveConnector "MAIL\Default Frontend MAIL" -RequireTLS:$true
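Requiring TLS on the Default Frontend connector also cuts off internal printers, scanners and applications that submit mail anonymously in clear text. The following script, added here as an example and not code from the original post, first gives those devices a narrowly scoped connector of their own, then enforces TLS on every Default Frontend connector and verifies the result. The server name MAIL and the two device addresses 10.0.10.25 and 10.0.10.26 are assumptions.

```powershell
# Added example (not from the original post): require TLS on the Default
# Frontend connector of every Mailbox server, after moving the internal devices
# that cannot do STARTTLS onto a narrowly scoped connector of their own.
# Assumptions: a mailbox server called MAIL, and two legacy devices at
# 10.0.10.25 and 10.0.10.26 that submit mail anonymously in clear text.
$legacyDevices = @("10.0.10.25", "10.0.10.26")

# 1. A connector only those devices can reach. Exchange hands a session to the
#    receive connector whose RemoteIPRanges matches the sender most specifically,
#    so this one wins over the Default Frontend connector for these two addresses
#    and nobody else. AuthMechanism Tls with RequireTLS $false keeps TLS
#    opportunistic here. AnonymousUsers allows submission to internal recipients
#    only; it does not make the server an open relay.
New-ReceiveConnector -Name "Legacy devices (opportunistic TLS)" `
    -Server "MAIL" `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $legacyDevices `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers `
    -RequireTLS $false

# 2. Enforce TLS on every Default Frontend connector in the organisation. The
#    connector name embeds its server name ("Default Frontend MAIL"), so a
#    single identity cannot address all of them; filter on the name instead.
Get-ReceiveConnector |
    Where-Object { $_.Name -like "Default Frontend *" } |
    Set-ReceiveConnector -RequireTLS $true

# 3. Verify: every Default Frontend connector should show RequireTLS True, and
#    only the legacy-device connector should show False.
Get-ReceiveConnector |
    Where-Object { $_.TransportRole -eq "FrontendTransport" } |
    Sort-Object Server, Name |
    Format-Table Server, Name, RequireTLS, AuthMechanism, RemoteIPRanges -AutoSize
```

If the requirement is only to enforce TLS with one partner rather than with the whole Internet, invert the pattern: leave the Default Frontend connector opportunistic and create a dedicated frontend connector with RequireTLS $true whose RemoteIPRanges lists the partner's sending addresses. Either way, check the SmtpReceive protocol logs after the change for 530 responses, which identify the senders that are now being rejected.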
