Page 1 of 1

Smarthost with TLS

Posted: 06 Jun 2019 10:02
by MattS
We've (and more unfortunately I) just inherited an Exchange 2003!! server that worse still has spent it's life directly connected to the internet though, at least sat behind an old Sonicwall firewall. I've just spun up a new pfSense firewall to replace the firewall and am about to do the same with an efa (3.0.2.6) instance to handle incoming anti-spam and av duties until we can migrate it/replace it with something more current.

One of their complaints is that they've had to send emails to a couple of their important partners from a Gmail account as anything that gets sent from Exchange is rejected as it's not TLS encrypted. Seems a little harsh by the receiving organisations but out of their/my control. It's a long time since I've been anywhere near an Exchange 2003 server but from what I can remember, TLS was an all or nothing thing and it didn't support any kind of opportunistic encryption?

If I also configure efa up as a smarthost for outgoing email from the Exchange box and enable TLS on efa, will that automagically TLS encrypt outbound emails (where it can), even though the original message from Exchange is non-encrypted?

Thanks in advance for any advice.

Matt

Re: Smarthost with TLS

Posted: 06 Jun 2019 18:02
by henk
There are more members as fortunate as you :lol: they should be able to give advise on this one.

I use efa inbound only and, lucky me, no Exchange ;) and I sure like pfsense a lot. :clap:

but, "important partners from a Gmail account"? :shifty: :oops:

Re: Smarthost with TLS

Posted: 06 Jun 2019 20:19
by MattS
The more I look at what they've got/done, the more ill I feel. Their tech guy apparently left 7 years ago and one of the Directors has been doing the "IT stuff" since then. :roll:

Yup, I've only ever used efa for inbound mail too, so this is a step into the unknown though I can probably bodge it with Postfix alone if needed. Love pfSense. Replacement firewall up and running in 20 minutes. 10 minutes later they'd got their first remote access via vpn (though that was mostly for my benefit). I've retired to the hotel bar and trawling through the mess that their IT is, whilst partaking in liquid refreshments.

Yup, vanilla personal Gmail. Not even business Gmail. :doh:

For a company that only ever had a maximum of 15-20 employees, they've got a whole lot of email. 130Gb of mail/s%*t in Exchange public folders alone before any of the mailboxes are taken into account. That's going to be fun trying to migrate those to something else.... :(

Re: Smarthost with TLS

Posted: 06 Jun 2019 22:01
by henk
As "one of the Directors has been doing the "IT stuff" since then", they have "state of the art" hardware?

Everybody can buy a hammer and nails, but that doesn't make them a carpenter :snooty:
( translated from Dutch it looks silly..)


The good news, besides the hotel bar, they use Efa 8-)

When you search this forum with google: site:forum.efa-project.org exchange

among many posts, this one pops up: viewtopic.php?t=2527

When you ever want to migrate to a different mailserver, take a look at imapsync. https://imapsync.lamiral.info/
Works fine and fast.

Re: Smarthost with TLS

Posted: 16 Sep 2019 11:07
by kumarsan
It is helpful information. Thanks for sharing.

Re: Smarthost with TLS

Posted: 20 Sep 2019 06:59
by elfranko
I use Exchange 2010 and then send it to EFA and that box does all the DKIM and TLS - Works OK
Although I have 3 EFA Boxes. 2 to receive email, and one to send it out.
The reason I did it that way was as follows.
Mail was coming from Exchange to the outbound EFA and adding a disclaimer, and signing with DKIM. However the process runs in the wrong order. It signs and then adds the disclaimer. So it then has an incorrect DKIM.
So I send it to an outbound MX to add the disclaimer, forwards it on to another EFA which does the DKIM Magic which delivers it. We are set to use TLS By default, so it delivers pretty much all outbound emails to there destination hosts. We don't have TLS on the internal connections enabled.

Hope this helps

Frank