Encryption Between Exchange Servers

Internal protection schemes depend on the type of connection and the protocols that flow across the connection.

September 30, 1997


Exchange advanced security is not designed to protect communications between servers and sites within an organization. Internal protection schemes depend on the type of connection and the protocols that flow across the connection. Within a site, all communication between Exchange servers is remote procedure call (RPC)-based; the same is true when sites connect using the Site Connector or Dynamic RAS Connector. RPCs are encrypted on the wire as they pass between servers, using either a 40-bit algorithm (international systems) or a 128-bit algorithm (North American systems). Note that 128-bit encryption is available only if you're running North American NT 4.0 Service Pack (SP) 2 or later or have installed the NT Encryption Pack.

Servers that connect with RPCs authenticate each other to ensure that a would-be intruder can't introduce a rogue server into an organization to steal data. Authentication uses standard Windows NT challenge/response handshakes exchanged between servers. If an Exchange server cannot be authenticated, any request to connect to another Exchange server is refused.

Because the Simple Mail Transfer Protocol (SMTP) and X.400 recommendations do not incorporate encryption technology, data isn't encrypted as it flows between servers. The ability to specify Mail Transfer Agent (MTA) passwords affords some level of protection to sites that connect with X.400 connectors, but SMTP servers don't expect to give a password before they can send messages to another system.

Given the increasing importance of Internet protocols to Exchange, Microsoft now provides extra security for sites connected with Internet Mail Server (IMS) through Extended Simple Mail Transport Protocol (ESMTP) in Exchange 5.0. ESMTP allows vendor-specific extensions, and Microsoft uses this feature to support 40-bit or 128-bit encryption, much like RPCs. Today, this extension works only between Exchange 5.0 (or later) servers; it doesn't encrypt connections between IMS and other SMTP servers, such as Digital's AltaVista Mail Server. Cross-vendor encryption for SMTP mail systems will be possible only when the industry agrees on a standard. Although the industry is working toward that standard, it is unlikely to be finalized in the next year.
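The EHLO capability negotiation that such ESMTP extensions rely on, as an added example that is not from the article or from Exchange: a sending side parses the peer's EHLO reply and fails closed, refusing to treat the link as encrypted, when the peer does not advertise the extension. The keyword name and the sample replies are constructed placeholders, since the article does not name Microsoft's extension.

```python
import re

# Placeholder: the article does not name Microsoft's vendor-specific ESMTP
# encryption extension, so this keyword is a constructed stand-in.
ENCRYPTION_EXT = "X-PLACEHOLDER-ENCRYPT"


def parse_ehlo_reply(reply: str) -> set:
    """Return the set of EHLO keywords a server advertised.

    An ESMTP EHLO reply is one or more '250-KEYWORD [params]' lines followed
    by a final '250 KEYWORD' line. The first line carries the server's domain
    greeting, not a keyword. Malformed replies raise ValueError so that a
    caller never mistakes garbage for an advertised capability.
    """
    lines = reply.strip().splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for i, line in enumerate(lines):
        m = re.match(r"^250([ -])(\S+)", line)
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        sep, word = m.groups()
        is_last = i == len(lines) - 1
        # '250-' marks continuation; '250 ' must appear on the last line only.
        if (sep == " ") != is_last:
            raise ValueError("continuation markers do not match line count")
        if i > 0:
            keywords.add(word.upper())
    return keywords


def may_send_encrypted(reply: str) -> bool:
    """True only if the peer explicitly advertises the encryption extension."""
    return ENCRYPTION_EXT in parse_ehlo_reply(reply)


# Constructed sample replies, not captured from real servers.
EXCHANGE_PEER = ("250-exch1.example.com Hello\r\n250-SIZE 10485760\r\n"
                 "250-X-PLACEHOLDER-ENCRYPT\r\n250 HELP\r\n")
FOREIGN_PEER = "250-mail.example.org Hello\r\n250-8BITMIME\r\n250 HELP\r\n"

if __name__ == "__main__":
    print("exchange peer encrypted:", may_send_encrypted(EXCHANGE_PEER))
    print("foreign peer encrypted:", may_send_encrypted(FOREIGN_PEER))
```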
