Microsoft Exchange and Blackberry Server Specialists

Mutual TLS

On This Page

  • Introduction
  • SSL Certificates
  • Send Connector Configuration
  • Receive Connector Configuration
  • Activation of Settings
  • Was TLS Used for Email Transfer?
  • Smart Hosts for Outbound Email and Third Party Service for Inbound Email
  • References


By default, Exchange 2007 and higher will use TLS to send and receive email to another server by default, if the other server supports it. This is known as opportunist TLS. This is different to Exchange 2003, which only had the option of on or off.

However if you have an external recipient who has asked you to ensure that all email sent between your servers is using TLS, then you will need to adjust the configuration on both the Send and the Receive Connectors. This is known as Mutual TLS.

SSL Certificates

The use of TLS requires trusted SSL certificates. Therefore ensure that your trusted certificate is being used for SMTP traffic by running get-exchangecertificate and ensuring that "S" (for SMTP) is listed. You should also ensure that the FQDN value on your SEND Connector matches either the common name or one of the additional names on the certificate, and the Receive Connector FQDN is one of the additional names on the certificate.

DO NOT CHANGE THE FQDN on the default connector as that will cause problems with inter-server traffic.

Send Connector Configuration

This guide shows you how to configure a connector you are already using. If you prefer to use a dedicated connector, then go through the new Connector wizard, choosing type "Partner". The default settings are fine, then modify them as per this guide, changing the name as appropriate.

If you are using a Send connector with a smart host configured, then you will have to create a new Send Connector. The setting to require Mutual TLS only works with DNS routing (ie using MX records). As you can only use MX records for this kind of delivery, a single connector for all domains that require TLS can be used.

Step One - Configure the Domains to Use Mutual TLS.

The first thing you have to do is configure the domains that will be used for mutual DNS. This has to be done twice, once for inbound email and again for sending email. This is done using the following EMS commands:

For sending email:

For receiving email:

However each time you run this command, by default it will overwrite the list. Therefore you will either need to maintain a list of domains and add the complete list each time, or use these small scripts from Microsoft:

For the Send Connector:

For the Receive Connector:

Copy the command to notepad and save as a ps1 file. Modify it each time you want to add a domain.

Step Two - Configure the Send Connector to use the List

By default, the Send Connector will not use the list of domains. You need to enable it. To do this, run the following command in EMS:

This command modifies the Send Connector "Outbound Email".

You can also configure this with Exchange Management Console by selecting the option Enable Domain Security (Mutual Auth TLS) on the Authentication tab under Transport Layer Security (TLS) on the properties of the Send Connector.

Configure the Receive Connector

You can set the Receive Connector to require that the traffic from certain domains is using TLS. However the remote server will also need to be configured to use it.

You can also set this through EMC by enabling "Enable Domain Security (Mutual Auth TLS)" on the network tab of the properties of the Receive Connector.

Activation of Settings

Once complete, restart the Microsoft Exchange Transport Service on all Exchange servers that either send or receive email to the internet to activate the new settings.

Was TLS Used for Email Transfer?

How can you tell if the email was transfered over TLS? If you look at the headers of a message that you have received, you will find a line like this:

Received: from (123.456.78.90) by ( with Microsoft SMTP Server (TLS) id; Wed, 1 Jun 2011 12:22:16 +0100

The TLS in the header indicates that the message transfer was over TLS. It is line where the connection is made from the remote server to your server that is important.

Smart Hosts for Outbound Email and Third Party Service for Inbound Email

If you are using a smart host for outbound email then you will need to use a separate Send Connector. This is because TLS requires direct server to server delivery. If you use a smart host for delivery then you can only be sure that TLS is being used for the initial connection and delivery to the smart host. You will be unable to control that the ongoing connection is being made via TLS.

For inbound email, you will be of a similar situation. If your MX records point to a third party service, then you cannot be sure that they are accepting email over TLS.
In that case you will need to adjust the Receive Connector to allow email traffic from the company that wants to use TLS, and you will have to provide them with the IP address or host name of your Exchange server to use as an alternative to MX record lookup.


Exchange 2007: Mutual TLS:
Exchange 2010: Mutual TLS: