I'm looking into security of our network and Exchange is one of the points I'm covering. We're running Exchange 2007 SP1. Am I correct in thinking that: Exchange < > external organisation: SMTP over the Internet is not encrypted by default, although we can set up TLS on both sides for this. Hub <> Hub (same org): Uses secure SMTP (via TLS) Exchange mailbox server <> Outlook: MAPI is not encrypted by default Which leads to the questions a) Can we encrypt the MAPI connection between Exchange and Outlook b) How secure is the Hub <> Hub security using TLS

Exchange < > external organisation: Exchange 2007 supports what is known as "opportunistic TLS" so if you install a public certificate on your Exchange server and your server talks directly with another Exchange server that also has a public certificate it will try to encrypt the session. There's no practical way to enforce encryption to Internet servers without cutting yourself off from most of the Internet. Hub <> Hub (same org): Uses secure SMTP (via TLS) -- Correct Exchange mailbox server <> Outlook: MAPI is not encrypted by default -- Actually I believe it is encrypted by default. As to your questions: a) You can force encryption. Elan Shudnow, just another IT guy but a smart one, explains it pretty well in his blog: http://www.shudnow.net/2008/02/10/client-to-server-secure-smtp-connectivity-in-exchange-server-2007/ b) How long is a piece of string? It's pretty secure, IMO. But, seriously, who's sniffing your internal network? Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Hi, The followling links would be help for you: White Paper: Domain Security in Exchange 2007 http://technet.microsoft.com/en-us/library/bb266978(EXCHG.80).aspx Top 5 Exchange Server 2007 Security Best Practices http://technet.microsoft.com/en-us/library/cc512685.aspx Exchange 2007 Security Guide http://technet.microsoft.com/en-us/library/bb691338(EXCHG.80).aspx Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks Gen Lin-MSFT