STARTTLS, the police, and Exchange 2010

Great investigative journalism (or whatever the correct term is): security researcher Per Thorsheim does an experiment to see which law-enforcement organizations appear to support TLS encryption for SMTP mail. If you’re wondering why this is relevant, recall that the recent “hack” [I hate using that term since it’s not really a hack as much as it was social engineering] of the FBI-Scotland Yard conference call happened after a member of Anonymous found a conference call invitation in stolen e-mail. That kind of data can have intrinsic value that might make it attractive to an attacker, and using STARTTLS is a conceptually simple way to protect it while in transit.

TLS support in Exchange 2010 has come a long way from the bad old days of Exchange 2003, where you may recall that enabling TLS would cause the SMTP virtual server to refuse to talk to any other SMTP server that wouldn’t accept TLS. Exchange 2007 added support for opportunistic TLS, and Exchange 2010 has it too. Microsoft’s documentation makes clear how to set it up, so I encourage you to stop reading this article and just go do it.
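The difference between the Exchange 2003 behaviour (refuse to talk to anyone who won’t do TLS) and opportunistic TLS comes down to one decision per outbound session: does the peer advertise STARTTLS in its EHLO reply, and if not, do you send in the clear or refuse? The following is an added example, not code from the original post or from Exchange; it parses constructed EHLO replies (RFC 3207 / RFC 5321 style) and applies either an opportunistic policy or a per-domain mandatory policy. The function and domain names, the sample replies and the `*.suffix` wildcard syntax for the mandatory list are all assumptions made for the illustration.

```python
"""Added example (not from the original post or from Exchange):
decide whether an outbound SMTP session should use STARTTLS.

Two policies are modelled:
  * opportunistic TLS: use STARTTLS if the peer advertises it, else send in clear
  * mandatory TLS for listed domains: refuse delivery if STARTTLS is not advertised
Input is the raw multi-line EHLO reply as an SMTP server would send it.
"""
import re

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_TLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-mail.example.com Hello client.example.org\r\n"
    "250-SIZE 5000000\r\n"
    "250 8BITMIME\r\n"
)
# A legacy server that does not understand EHLO at all.
EHLO_LEGACY = "500 Syntax error, command unrecognized\r\n"


def ehlo_extensions(reply):
    """Return the set of extension keywords (upper-cased) from a 250 EHLO reply.

    The first 250 line carries the server's greeting and is skipped; every
    following '250-' or '250 ' line starts with an extension keyword.
    A non-250 reply (EHLO rejected) yields an empty set.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        return set()
    keywords = set()
    for ln in lines[1:]:
        m = re.match(r"^250[ -](\S+)", ln)
        if m:
            keywords.add(m.group(1).upper())
    return keywords


def starttls_offered(reply):
    """True if the peer advertised STARTTLS in its EHLO reply."""
    return "STARTTLS" in ehlo_extensions(reply)


def domain_matches(domain, patterns):
    """Match a recipient domain against exact names or '*.suffix' wildcards.

    Assumed syntax for the example: '*.no' matches any name ending in '.no'.
    """
    d = domain.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("*."):
            if d.endswith(p[1:]):  # p[1:] is '.no' for '*.no'
                return True
        elif d == p:
            return True
    return False


def plan_delivery(domain, reply, require_tls_domains):
    """Return 'tls', 'clear' or 'refuse' for an outbound session.

    Opportunistic behaviour (Exchange 2007/2010 style) falls back to 'clear';
    a domain on the mandatory list gets 'refuse' instead, which is the
    Exchange 2003 behaviour applied selectively rather than to every peer.
    """
    if starttls_offered(reply):
        return "tls"
    if domain_matches(domain, require_tls_domains):
        return "refuse"
    return "clear"


if __name__ == "__main__":
    mandatory = ["partner.example.net", "*.no"]
    for dom, rep in [("partner.example.net", EHLO_WITH_TLS),
                     ("mail.example.no", EHLO_WITHOUT_TLS),
                     ("other.example.org", EHLO_LEGACY)]:
        print(dom, "->", plan_delivery(dom, rep, mandatory))
```

The `clear` branch is the price of opportunistic TLS: a peer that simply never says STARTTLS, or an on-path party that strips that line from the reply, gets plaintext delivery with no error logged. That is why a per-domain mandatory list for the correspondents that matter is worth configuring alongside the opportunistic default.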


Filed under UC&C

2 responses to “STARTTLS, the police, and Exchange 2010”

  1. Hi Paul, and thank you for linking to my blog article on STARTTLS. In fact I’ve done a much larger survey on RFC3207 deployment along with friend/colleague Jan Fredrik Leversund (@KluZz) on Twitter. We published a report on some 380K domains on the Internet, looking at not only deployment, but configuration issues etc. Sadly that report was only in Norwegian, but the results were depressing none the less. Work in progress to do it all over again at a much larger scale.

    Since you are an Exchange MVP, I’d like to make a request:
    Write a blog post showing how you can not only configure opportunistic e-mail encryption on Exchange (2010), but if possible also how to change the type and order of algorithms as well as key lengths to be preferred or forbidden from usage.

    Also info on configuring mandatory STARTTLS for certain domains, partial wildcards (if possible? *.no and *.net as an example?), and any ways of doing specific reporting on STARTTLS inbound/outbound connections?

    Whatever you can contribute; highly appreciated and thanks again!

    Best regards,
    Per Thorsheim

  2. Hello again Paul!

    Any news on your article about RFC3207 support & configuration for Exchange?
