Sunday, September 13, 2009

Disable TLS In Exchange 2007

For one reason or another you may at some point need to disable the TLS encryption that Exchange 2007 offers by default. Your first stop may be the Hub Transport server's Send Connector. Under the Network tab you will find the options for how mail is sent through this connector. Whether mail is routed using MX records or through gateways/smart hosts, the option to enable TLS is cleared, yet TLS is still enabled.

Note: If you use smart hosts you will need to click "Change" next to "Smart Host Authentication" to see the authentication method.


TLS encryption is offered by default in Exchange 2007. If the receiving host is capable of TLS it will accept this offer and the traffic between Exchange and the receiving host will be TLS encrypted. To stop offering TLS we need to open the Exchange Management Shell. First we need an overview of the relevant Send Connector parameters. To get the formatted list, type:

Get-SendConnector |fl



Focus on "Identity" and memorize the name of your Send Connector. You will need to enter it after typing the next command. Now check the "IgnoreSTARTTLS" parameter. When TLS is enabled it will be False.



To set it to True use the cmdlet below:

Set-SendConnector -IgnoreSTARTTLS: $true


After pressing Enter you will be prompted for the Send Connector's Identity (remember the Identity name you memorized and type it in). Now the "IgnoreSTARTTLS" parameter is set to True.

Note: Depending on your environment, this setting should be considered together with the "RequireTLS" parameter. I can imagine that if RequireTLS is set to True it will not work, as the receiving host will not answer with TLS and Exchange drops the connection because the "RequireTLS" condition was not met.


After "IgnoreSTARTTLS" is set to True, the Microsoft Exchange Transport service needs to be restarted:


Restart-service msexchangetransport


You can send a test mail now and check (for example in the logs of your smart host or gateway) whether you get a "Received CLR" (which means it has not been sent TLS encrypted; otherwise you will see something like "Received TLS").

To enable TLS again, just set the IgnoreSTARTTLS parameter back to False.
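The whole procedure above (check the connector, set IgnoreSTARTTLS, restart the transport service, verify, and later switch TLS back on) can be scripted so that the RequireTLS conflict from the note is caught before anything is changed and the result is verified from Exchange's own send protocol log instead of the smart host's. This is an added example and not code from the original post. It assumes the Exchange Management Shell on a Hub Transport server with PowerShell 2.0 or later, that "Internet Send Connector" is a placeholder Identity to be replaced with the name shown by Get-SendConnector | fl, that protocol logging has been switched on for the connector (ProtocolLoggingLevel Verbose), that the SmtpSend log lives under the default install path, and that the log uses the Exchange 2007 CSV field order named in the code.

```powershell
# Added example, not from the original post: switch STARTTLS off (or back on) for one
# Send Connector and verify the result from the Exchange Management Shell.
# Assumptions: PowerShell 2.0+; "Internet Send Connector" is a placeholder Identity;
# the protocol log path is the default install location; the log uses the
# Exchange 2007 SmtpSend CSV field order listed in Get-SmtpSendTlsSummary.

function Set-SendConnectorStartTls {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][bool]$Enabled   # $false = stop offering STARTTLS
    )

    $before = Get-SendConnector -Identity $Identity -ErrorAction Stop

    # RequireTLS demands encryption while IgnoreSTARTTLS never asks for it:
    # refuse that combination instead of producing a connector that cannot deliver.
    if (-not $Enabled -and $before.RequireTLS) {
        throw "'$Identity' has RequireTLS=True; clear RequireTLS or leave STARTTLS enabled."
    }

    Write-Host ("Before: IgnoreSTARTTLS={0}  RequireTLS={1}" -f $before.IgnoreSTARTTLS, $before.RequireTLS)

    # IgnoreSTARTTLS=$true is the setting the post describes; passing -Identity avoids the prompt.
    Set-SendConnector -Identity $Identity -IgnoreSTARTTLS (-not $Enabled)

    # The transport service reads connector settings at start-up, so restart it.
    Restart-Service MSExchangeTransport

    # Verify the change actually landed instead of trusting the cmdlet's silence.
    $after = Get-SendConnector -Identity $Identity
    if ($after.IgnoreSTARTTLS -ne (-not $Enabled)) {
        throw "IgnoreSTARTTLS is still $($after.IgnoreSTARTTLS) on '$Identity'."
    }
    Write-Host ("After:  IgnoreSTARTTLS={0}" -f $after.IgnoreSTARTTLS)
}

# Second check, in Exchange's own send protocol log: a session in which Exchange
# offered TLS contains a '>' event whose data is STARTTLS. Sessions logged before
# the restart are excluded with -Since so old sessions do not mask the change.
function Get-SmtpSendTlsSummary {
    param(
        [string]$LogPath = "$env:ProgramFiles\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend",
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    # Assumed Exchange 2007 protocol log field order; lines starting with '#' are headers.
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'

    $rows = Get-ChildItem -Path $LogPath -Filter *.log |
        Get-Content |
        Where-Object { $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header $fields |
        Where-Object { [datetime]$_.'date-time' -ge $Since }

    $rows | Group-Object 'session-id' | ForEach-Object {
        $first = $_.Group | Select-Object -First 1
        # @() guards the single-match case, where a bare object has no Count property.
        $sent = @($_.Group | Where-Object { $_.event -eq '>' -and $_.data -eq 'STARTTLS' }).Count -gt 0
        New-Object PSObject -Property @{
            Session   = $_.Name
            Connector = $first.'connector-id'
            Remote    = $first.'remote-endpoint'
            StartTls  = $sent   # expected $false once IgnoreSTARTTLS is True
        }
    }
}

# Usage (placeholder connector name):
# Set-SendConnector -Identity 'Internet Send Connector' -ProtocolLoggingLevel Verbose
# Set-SendConnectorStartTls -Identity 'Internet Send Connector' -Enabled $false
# ...send a test mail...
# Get-SmtpSendTlsSummary | Format-Table Session, Connector, Remote, StartTls -AutoSize
# Set-SendConnectorStartTls -Identity 'Internet Send Connector' -Enabled $true   # restore the default
```

The guard on RequireTLS turns the note's suspicion into a hard stop: rather than leaving a connector that insists on TLS but never requests it, the script refuses to change anything until RequireTLS is cleared. The log summary complements the smart-host check in the post: "Received CLR" on the far side should line up with StartTls=False on the Exchange side for the same session.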




Normally you do not want to disable TLS; I was in this situation because we had done some tests in our environment. I hope this helps if someone else needs it and saves some time of investigation.




1 comment:

WebBanshee said...

Thanx marry.
