How To: Configure TLS/SSL Encryption (4239267)

Configure TLS/SSL Encryption

CMN's Mail Connector supports the TLS encryption protocol (SSL 3.1). TLS support requires a valid server certificate, which must be installed on the CMN server, and selected in CMN's Mail Connector Management Console. A new screen has been added to the MC Management Console for this purpose. The Notes and Exchange servers must also be configured for TLS/SSL support.

To enable and configure TLS/SSL encryption with CMN's Mail Connector:

 
1.    Obtain and install a Domino server security certificate.

If you already have a valid certificate for some other security function (for example, for CMN's  Free/Busy Connector), you can use the same certificate to enable TLS in the Mail Connector (and skip ahead to step 2 below). Otherwise, you will need an SSL certificate on a keyring file. This keyring file is exactly the same as one used for other web security functions such as secure web access, and can be obtained the same way. You can obtain a certificate from a reputable Certification Authority (CA),

or you can generate your own self-signed certificate. Your Domino documentation describes both approaches. Here we simply summarize how to accomplish this with a self-signed certificate:

a. In Domino Administrator: Open the Server Certificate Administration database on your server (typically certsrv.nsf), or create one from the template if none exists.

b. Choose the option to Create Key Ring with Self-Certified Certificate, and enter the appropriate field values:

• Key Ring File Name: Choose selfcert.kyr in the Domino root data directory.

• Common Name: The fully qualified host name of your Domino server—for example, domino.company.com.

• Organization: Should match the corresponding entry in your domainregistration.

• State or Province: In the U.S. this is the two-letter postal abbreviationfor your state. Elsewhere, enter the name of the region, province, etc.

• Country: The two-character country code.

c. Click the Create Key Ring with Self-Certified Certificate button.

d. Under Server Configuration: Choose the Current Server Document, and select the Ports tab.

e. On the Ports tab: Select the Internet Ports tab, and enter the appropriate field values:

• SSL Settings: Set the SSL key file name to selfcert.kyr in the Domino root data directory.

• SSL Protocol Version: Negotiated

• Accept SSL site certificates: Yes

• Accept expired SSL certificates: No

f. Under Web: Enable HTTPS and ensure it is set to 443. (With HTTPS enabled, your browser will be able to retrieve the public key and install it into the cert store.)

g. Restart Domino.

h. Test the certificate: On the CMN client computer, point IE to https://domino.company.com (IE should render the page without errors).

Note: The certificate need to be imported to the CMN client computer. Mozilla Firefox browser can be used to access and view the certificate as Internet Explorer and Google Chrome both would not allow an exception to be added. Mozilla Firefox browser will also allowed the certificate to be exported locally. 

2. In CMN's Mail Connector Management Console, on the new TLS Settings screen:

a. Click the Enable TLS radio button.

b. In the Certificate Store drop-down list, select the location in your network where the certificate resides. If the certificate location does not appear in the list, you must copy the certificate to one of the listed locations, using the

Microsoft Certificates Management Console, into a LOCAL-SYSTEM account (not a personal account).

The table on the bottom half of the screen then shows a list of all certificates found in the designated Certificate Store, with the Issuer, the Effective and Expiration Dates, and the certificate Thumbprint.

c. In the table, select the certificate you want to install.

d. Remember to Save Configuration (on the File menu).

3. Configure the Domino Server to enable TLS encryption. (Remember that Domino does not support TLS-level encryption. An attempt to enable TLS on a Domino server will not generate an error, but Domino will negotiate the encryption level down to SSL3.) In Domino Administrator:

a. In the left-hand navigation tree, select Server|Configurations. Then select the server in the list (at the right), and click Edit Configuration.

b. In the Configuration Settings for the selected server, select the Router/SMTP tab, then the Advanced... tab, and then the Commands and Extensions tab.

c. Set the SSL negotiated over TCP/IP port field to either Enabled or Required. This is an important distinction:

• Required: Prevents Domino’s receipt of non-TLS messages. (The required setting disallows non-TLS encrypted messages, which CMN might otherwise transmit if a configuration issue prevents CMN from sending a TLS-encrypted message, in which case it would attempt to send the message as plain text.)

• Enabled: Permits TLS-encrypted messages but does not prevent non-TLS messages.

Even if your server uses Internet Site documents, you must go to the Basics tab and temporarily set Load Internet Configurations From Server\Internet Sites Documents to Disabled. You do not need to save the server document in this state, but disabling Internet Site Documents exposes a form on the Ports/Internet Ports tab.

d. Select the Ports/Internet Ports tab.

Each type of Internet Site has individual settings for SSL on an Internet Site document, but outbound mail routing via SMTP does not. This is where you specify what keyring to use for outbound SMTP TLS. Enter the name of your new keyring file there, then go back to the Basics tab and re-enable Internet Sites if needed. When you go back to the Ports/Internet Ports tab, you will see that the SSL settings portion of the form has been hidden.

e. Set Mail (SMTP Inbound) and Mail (SMTP Outbound) as follows:

SMTP Inbound:

• TCP/IP port number: 25

• TCP/IP port status: Enabled

• Enforce server access settings: No

• SSL port number: 465

• SSL port status: Enabled

SMTP Outbound:

• TCP/IP port number: 25

• TCP/IP port status: Negotiated SSL

• Enforce server access settings: N/A

• SSL port number: 465

• SSL port status: Disabled

If you are not using Internet Site documents: Click Save and Close, and restart the Domino server. This step 3 procedure is now complete (skip substeps f and g, and resume at step 4).

If you are using Internet Site documents, continue with step f below.

f. Open the inbound SMTP Site document and configure the Security tab as follows.

TCP Authentication:

• Anonymous: Yes

• Name & password: No

SSL Authentication:

• Anonymous: Yes

• Name & password: No

SSL Options:

• Key ring file name: keyfile.kyr

• Protocol version: Negotiated

• Accept SSL site certificates: No

• Accept expired SSL certificates: Yes

• Check for CRLs: No

• Trust expired CRLs: Yes

• Allow CRL search to fail: Yes

Make sure that the Key ring file name value is correct. If you plan to use authentication, enable the Name & Password options. Otherwise, leave them disabled.

g. Click Save and Close, and restart the Domino server.

4. Configure the Exchange server to require TLS encryption for the receive connector. You can do this either by PowerShell commands or by settings in the Exchange Management Console:

• To enable TLS encryption for the Exchange receive connector by PowerShell:

Get-receiveconnector | set-receiveconnector -requiretls $true

—OR—

• To enable TLS encryption for the Exchange receive connector in the Exchange Management Console:

In Server Configuration | Hub Transport | Properties | Authentication: Mark the checkbox for Transport Layer Security (TLS), and also the checkbox for either Externally Secured (for the default receive connector) or Integrated Windows Authentication (for a client receive connector).

After either method: Restart the Exchange Transport Service.

(To disable TLS encryption for the receive connector by PowerShell, enter the same command substituting $false for $true. To disable it in the Exchange Management Console, unmark the same checkboxes.)

5. Configure the Exchange server to require TLS encryption for the send connector. You can enable/disable TLS encryption for the send connector by PowerShell commands only:

To enable: Get-sendconnector | set-sendconnector -requiretls $true

To disable: Get-sendconnector | set-sendconnector -requiretls $false

And then restart the Exchange Transport Service.

6. Verify that STARTTLS is enabled on the Exchange server (and enable it if necessary):

a. From the CMN client computer, telnet to the Exchange server on port 25, and send ‘EHLO’. If the Exchange reply includes 250-STARTTLS, then STARTTLS is already enabled (skip ahead to step 7).

b. If STARTTLS is not already enabled, enable it with this PowerShell command:

Enable-ExchangeCertificate -thumprint -services:SMTP

And then restart the Exchange server.

7. Check the CMN log to verify that TLS is enabled and working properly. In the detailed log entries you should see an entry like this:

Secured connection from CMN to Destination Exchange server: Cipher Algorithm: Rc4 - Cipher Strength: 128 - Is Authenticated: True – Is Encrypted: True - Is Mutually Authenticated: False - Key Exchange Algorithm: RsaKeyX - Key Exchange Strength: 2048 - Protocol: Tls

For the customer running Domino 9.0.1 FP3 or higher, add the following parameters below from the notes.ini on the servers which will handle the connection from Coexistence Manager for Notes (CMN):