Opportunistic TLS
Posted on March 21st, 2009
We had to upgrade our mail gateway/anti-spam software on Sunday because one of our vendors requires us to use encryption when exchanging emails with them. The easiest solution is to use opportunistic TLS, where the server will always try to connect to the other server using the TLS protocol. If the other server supports TLS, then traffic is encrypted. If not, then the email is sent using just regular SMTP without encryption.
This is actually the first time I’ve even heard of opportunistic TLS; I’m used to seeing S/MIME and PGP when reading about email encryption. What I like about this is that encryption/decryption is done on the server side, so the users don’t have to do anything different when sending emails and we don’t have to issue a certificate to each user and manage the keys.
If you’re using Exchange Server 2007, opportunistic TLS is already enabled by default. You can check this by entering Get-SendConnector "Send Connector Name" | Format-List in the Exchange Management Shell. Look for the IgnoreStartTLS parameter; if it’s set to False, then opportunistic TLS is enabled.
To check whether a server supports TLS, telnet to the server on port 25 and check whether it lists STARTTLS in its reply to the EHLO command, for example:
telnet mail.global.frontbridge.com 25
Here’s an example of the header of an email that was delivered with TLS enabled (I modified the IP addresses and names for privacy reasons):
Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
-0400
Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
TLSv1/SSLv3,128bits,AES128-SHA) id 06456c96000057da for <jdoe@microsoft.com>;
Mon, 16 Mar 2009 18:05:16 -0500
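Because opportunistic TLS falls back to plain SMTP without any error, the Received headers are where you confirm that a particular message was actually encrypted on each hop. The following Python is an added example, not part of the original post: it flags hops that carry no TLS indication, using the header above plus one constructed plaintext hop. The function names and the marker patterns are assumptions, since each mail server words its Received line differently.

```python
import re
from email import message_from_string

# First two hops: the header shown in the post (folding whitespace restored).
# Third hop: constructed for this example to show an unencrypted delivery.
SAMPLE = """\
Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
 with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
 -0400
Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
 ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
 TLSv1/SSLv3,128bits,AES128-SHA) id 06456c96000057da for <jdoe@microsoft.com>;
 Mon, 16 Mar 2009 18:05:16 -0500
Received: from legacy.example.net ([192.0.2.10]) by mail.global.frontbridge.com
 with SMTP id constructed01; Mon, 16 Mar 2009 18:05:14 -0500
Subject: constructed test message

body
"""

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 "with" keywords
# Assumed heuristic: vendor comments such as "(TLS)" or "TLS: TLSv1/SSLv3,..."
TLS_MARKER = re.compile(r"\b(?:TLS|SSL)(?:v[\d.]+)?\b")
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(.+?)\s+(?:\(|id\b|for\b|;)")

def audit_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        m = HOP.search(flat)
        sender, receiver, proto = m.groups() if m else ("?", "?", "?")
        tls = proto.upper() in TLS_PROTOCOLS or bool(TLS_MARKER.search(flat))
        hops.append({"from": sender, "by": receiver, "with": proto, "tls": tls})
    return hops

def plaintext_hops(raw_message):
    """Hops with no TLS indication: candidates for a fallback to plain SMTP."""
    return [h for h in audit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print("TLS  " if hop["tls"] else "PLAIN", hop["from"], "->", hop["by"])
```

Only the Received lines stamped by servers you control can be trusted; earlier lines are supplied by the sending side and can be forged.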
Exchange 2007 SP1: Message rejected as spam by Content Filtering
Posted on March 11th, 2008
Error Message:
550 5.7.1 Message rejected as spam by Content Filtering.
One of our users reported that after we applied Service Pack 1 and Update Rollup 1 to Exchange Server 2007, some of the emails that he has scheduled to send daily were getting rejected with the message above.
I guess the integrated anti-spam in Exchange got updated as well.
You can configure Content Filtering in Exchange to bypass specific users or domains.
Open the Exchange Management Shell:
# To check the Content Filter configuration, type in:
Get-ContentFilterConfig
# To set the Bypassed Senders (example):
Set-ContentFilterConfig -BypassedSenders donotspamme@calazan.com, jdoe@abc.com
# To set the Bypassed Sender Domains (example):
Set-ContentFilterConfig -BypassedSenderDomains calazan.com, *.xyz.com
Important Note: BypassedSenders and BypassedSenderDomains are multivalued properties. When you use the Set-ContentFilterConfig cmdlet, it will overwrite the values of those properties. If you just need to add more senders or domains, please follow the example below.
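# To add Bypassed Senders:
$x = Get-ContentFilterConfig
$x.BypassedSenders += "jsmith@google.com", "bhope@yahoo.com"
# Write the modified list back; changing $x alone does not update the configuration
Set-ContentFilterConfig -BypassedSenders $x.BypassedSenders
# To remove Bypassed Senders (can only be done one at a time):
$x = Get-ContentFilterConfig
$x.BypassedSenders -= "jsmith@google.com"
Set-ContentFilterConfig -BypassedSenders $x.BypassedSenders
# To empty the list:
Set-ContentFilterConfig -BypassedSenders $null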
Exchange Management Tools SP1: Service Remote Registry failed to reach status “Stopped”
Posted on March 10th, 2008
Error Message:
Service Remote Registry failed to reach status “Stopped”
I got this error while upgrading the Exchange Management Tools on my Windows XP computer at work to Service Pack 1. I checked the services and the Remote Registry service is stuck at “Stopping” status.
To fix this, simply set the Remote Registry service’s startup type to Manual, reboot your computer, and try installing the Exchange Server 2007 SP1 Management Tools again; it should now install successfully. The Remote Registry service will automatically start and the startup type will go back to Automatic after the installation.