Computerworld - In my last column, I explained my experiences setting up Transport Layer Security and how complicated it could get. Unfortunately, I've since discovered that it gets a lot worse.
TLS is a wonderful protocol that can be used to encrypt e-mail between two companies very easily. Most modern e-mail gateway software comes with TLS support built in, but there's a lot involved in setting it up, as I discussed last time . This week, we've been making things more complex by adding antivirus services to the mix.
A strategic decision was made that it would be better to make sure viruses never reach our infrastructure, and Gloucester, England-based MessageLabs Ltd. was chosen as the service provider. Normally, I'm cynical about the abilities of vendors' technical staffs. But after working with MessageLabs, for the first time in years I can say I'm impressed with a vendor.
Ten Minutes to Trouble
I was invited to the initial meeting with MessageLabs as an afterthought. My colleagues thought I didn't need to get involved, but they invited me to be polite. After all, I was dealing with secure e-mail, so they figured I might as well be along at the start to agree that I didn't need to be involved. The meeting would take only 10 minutes, I was told.
Unfortunately, I did need to be involved. I was concerned about one throwaway comment at the end of the MessageLabs people's presentation. They were asked, "How do we ensure that all our e-mail goes through your service?" They answered, "We just change your MX record to point to our servers instead."
Mail exchange, or MX, records are the routing part of the mail service: They tell the world which servers should handle e-mail for a particular domain. By changing our MX record to point to its servers, MessageLabs ensures that all of our mail goes through its servers, where it can be scanned for viruses.
That's a simple and quick solution. But by changing our MX records, MessageLabs is suddenly rerouting all our TLS connections as well, and we've got about 30 of them.
Technically, this shouldn't present a problem. Their servers can do TLS, ours can do TLS, all our clients' servers can do TLS, and so it should just be a matter of making sure it's working on every server. But so far, about 95% of the project time is being spent dealing with the little TLS problems caused by the migration. The antivirus people aren't happy that their project seems to
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
