PKI is about mutual trust. If the remote server trusts your CA, then it'll accept the certificate your server presents as part of the STARTTLS command. Likewise, your server needs to trust whatever CA issued the certificate that the remote server presents to your server if it initiates the TLS connection. As Brian says - you can use self-signed certificates if you want - they just need to be trusted at the other end.
Cheers
Ken

From: Marty Nelson [mailto:[email protected]]
Sent: Thursday, 6 August 2009 12:42 AM
To: NT System Admin Issues
Subject: RE: Encrypt E-mail between two different domains...for free?

Can I be the issuing CA, or does it need to be a public one i.e. VeriSign?

-Marty

From: Ken Schaefer [mailto:[email protected]]
Sent: Wednesday, August 05, 2009 9:40 AM
To: NT System Admin Issues
Subject: RE: Encrypt E-mail between two different domains...for free?

If the remote server supports TLS, and (with everything PKI) both servers trust the same issuing CA(s), then you have the ability to encrypt transmission.

Cheers
Ken

From: Marty Nelson [mailto:[email protected]]
Sent: Thursday, 6 August 2009 12:10 AM
To: NT System Admin Issues
Subject: Encrypt E-mail between two different domains...for free?

I've been tasked to see if it's feasible, and from what I've read, Exchange 2007 (which we have) will support it natively with other 07 servers, which from what I understand they do not have. From what I've also read, as long as their server supports TLS it's do-able. Any suggestions would be so helpful you can't even imagine!

-Marty
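The point Ken makes above (a private CA is fine, the certificate just has to be trusted at the other end) can be shown with nothing more than the openssl command line. The script below is an added example, not part of the thread and not Exchange's own tooling: it creates a private CA, issues a certificate for a made-up server name, and checks that certificate against the private CA (trusted) and against an unrelated CA standing in for the remote side's default trust store (untrusted). It assumes the openssl CLI is installed on a Unix-like host; the names mail.example.com, "Example Private CA" and "Some Other CA" are invented. The last function shows the same check against a live MX, which is what you would actually run against the partner's server.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Demonstrates that a
# certificate from a private CA verifies only where that CA is trusted.
# Assumes the openssl CLI; all names and paths below are made up.
set -e

WORK="${TMPDIR:-/tmp}/starttls-trust-demo"
mkdir -p "$WORK"

# 1. Our own issuing CA (the "can I be the issuing CA" case).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Key and CSR for the mail server's FQDN, signed by our private CA.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.com" \
    -keyout "$WORK/mail.key" -out "$WORK/mail.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/mail.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/mail.pem" 2>/dev/null

# 3. An unrelated CA, standing in for a remote server that was never
#    given our CA certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Some Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# check_trust TRUST_STORE_PEM SERVER_CERT_PEM -> prints "trusted" or "untrusted".
# This is a chain check only; matching the name in the certificate to the
# server you connected to is a separate step.
check_trust() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# check_remote MX_HOSTNAME TRUST_STORE_PEM -> the "Verify return code" line.
# Not run here (needs network): opens port 25, issues STARTTLS, and verifies
# the certificate the remote server presents against the CA file we trust.
check_remote() {
    printf 'QUIT\r\n' | openssl s_client -starttls smtp \
        -connect "$1:25" -CAfile "$2" 2>/dev/null \
        | grep 'Verify return code'
}

# Same certificate, two trust stores: the outcome depends only on the verifier.
check_trust "$WORK/ca.pem"    "$WORK/mail.pem"
check_trust "$WORK/other.pem" "$WORK/mail.pem"
```

Read the two results together: mail.pem is the same file in both calls, so whether the remote side accepts it comes down to whether ca.pem is in its trust store. That is the whole of the exchange described above: give the partner your CA certificate (or use a CA they already trust) and take theirs, and the STARTTLS handshake in each direction verifies. A "Verify return code: 0 (ok)" from check_remote means the chain is trusted; anything else on a connector that requires TLS means mail to that domain will not flow.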
