I am trying to setup TLS between our domain and a customer's domain. We send our email through a smarthost (MessageLabs) and do not wish to setup separate firewall rules to go around the smarthost. The setup appears a bit confusing - for example what is the username and password we use to authenticate, or am I setting this up the wrong way? Is there a step by step guide to do this? Also, is the opportunistic TLS good enough and does the customer have to have Exchange 2007 for this to work as well? Thanks.

If you're sending mail through MessageLabs, then it has to communicate with both your Exchange server and your customer's server via TLS.Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Can you give a little more thorough explanation of how this works? Thanks.

You send your email to Message Labs over TLS, then Message Labs sends it to the recipient, also via TLS. You need to speak to Message Labs support to see if they are able to offer this kind of service. Of course from a security perspective this doesn't help one bit as you have no way of guaranteeing that the email is secure throughout, including through Message Labs system. The only way to do that would be to send email directly between the two sites, but you have said that you don't want to change your firewall. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources

Hi, How troubleshoot is going on? Gen Lin TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks Gen Lin-MSFT

I work for MessageLabs and you have two options: Opportunistic TLS - MessageLabs towers accept opportunistic TLS and will attempt to deliver to the third party via TLS but will fall back to SMTP in the event that a TLS session cannot be established so as Simon says you cannot guarantee the end to end encryption. Enforced TLS - This is a guaranteed service i.e. email will only be delivered between you and the third party via TLS. This needs to be ordered and configured by MessageLabs in conjunction with yourselves and the third party. Hope this helps, John