How Exchange Online uses TLS to secure email connections

Learn how Exchange Online and Microsoft 365 use Transport Layer Security (TLS) and Forward Secrecy (FS) to secure email communications. Also provides information about the certificate issued by Microsoft for Exchange Online.

TLS basics for Microsoft 365 and Exchange Online

Transport Layer Security (TLS), and SSL that came before TLS, are cryptographic protocols that secure communication over a network by using security certificates to encrypt a connection between computers. TLS supersedes Secure Sockets Layer (SSL) and is often referred to as SSL 3.1. For Exchange Online, we use TLS to encrypt the connections between our Exchange servers and the connections between our Exchange servers and other servers such as your on-premises Exchange servers or your recipients' mail servers. Once the connection is encrypted, all data sent through that connection is sent through the encrypted channel. However, if you forward a message that was sent through a TLS-encrypted connection, that message isn't necessarily encrypted. This is because, in simple terms, TLS doesn't encrypt the message, just the connection: protection covers each hop between two servers, not the message as it travels onward.

If you want to encrypt the message itself, you need to use an encryption technology that encrypts the message contents, for example, something like Office Message Encryption. See Email encryption in Office 365 and Office 365 Message Encryption (OME) for information on message encryption options in Office 365.

We recommend using TLS in situations where you want to set up a secure channel of correspondence between Microsoft and your on-premises organization or another organization, such as a partner. Exchange Online always attempts to use TLS first to secure your email, but it cannot always do this if the other party does not offer TLS security. Keep reading to find out how you can secure all mail to your on-premises servers or important partners by using connectors.

How Exchange Online uses TLS between Exchange Online customers

Exchange Online servers always encrypt connections to other Exchange Online servers in our datacenters with TLS 1.2. When you send mail to a recipient that is within your organization, that email is automatically sent over a connection that is encrypted using TLS. Also, all email that you send to other customers is sent over connections that are encrypted using TLS and are secured using Forward Secrecy.

How Microsoft 365 uses TLS between Microsoft 365 and external, trusted partners

By default, Exchange Online always uses opportunistic TLS. This means Exchange Online always tries to encrypt connections with the most secure version of TLS first, then works its way down the list of TLS ciphers until it finds one on which both parties can agree. Unless you have configured Exchange Online to ensure that messages to that recipient are only sent through secure connections, the message is sent unencrypted by default if the recipient organization doesn't support TLS encryption. Opportunistic TLS is sufficient for most businesses. However, for businesses that have compliance requirements, such as medical, banking, or government organizations, you can configure Exchange Online to require, or force, TLS. For instructions, see Configure mail flow using connectors in Office 365.

If you decide to configure TLS between your organization and a trusted partner organization, Exchange Online can use forced TLS to create trusted channels of communication. Forced TLS requires your partner organization to authenticate to Exchange Online with a security certificate in order to send mail to you. Your partner will need to manage their own certificates in order to do this. In Exchange Online, we use connectors to protect messages that you send from unauthorized access before they arrive at the recipient's email provider. For information on using connectors to configure mail flow, see Configure mail flow using connectors in Office 365.

TLS and hybrid Exchange Server deployments

If you are managing a hybrid Exchange deployment, your on-premises Exchange server needs to authenticate to Microsoft 365 using a security certificate in order to send mail to recipients whose mailboxes are only in Office 365. As a result, you need to manage your own security certificates for your on-premises Exchange servers. You must also securely store and maintain these server certificates. For more information about managing certificates in hybrid deployments, see Certificate requirements for hybrid deployments.

How to set up forced TLS for Exchange Online in Office 365

For Exchange Online customers, in order for forced TLS to secure all of your sent and received email, you need to set up more than one connector that requires TLS. You'll need one connector for email sent to your user mailboxes and another connector for email sent from your user mailboxes. Create these connectors in the Exchange admin center in Office 365. For instructions, see Configure mail flow using connectors in Office 365.
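The same pair of connectors, created from Exchange Online PowerShell instead of the admin center, as an added example that is not code from this article. The partner domain partner.example, the partner's certificate name mail.partner.example and the connector names are assumed placeholders.

```powershell
# Added example (not from the original article): create one inbound and one
# outbound connector that require TLS with a partner organization.
# Assumed placeholders: partner.example and mail.partner.example.
Connect-ExchangeOnline   # requires the ExchangeOnlineManagement module

$partnerDomain   = 'partner.example'
$partnerCertName = 'mail.partner.example'

# Inbound: mail from the partner must arrive over TLS and the sending server
# must present a certificate matching the expected name (forced TLS inbound).
New-InboundConnector -Name 'Inbound from partner.example' `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName $partnerCertName `
    -RestrictDomainsToCertificate $true

# Outbound: mail to the partner is delivered only over TLS to a server whose
# certificate is valid for the partner domain. If TLS cannot be negotiated the
# message is not delivered, instead of falling back to an unencrypted session
# as opportunistic TLS would.
New-OutboundConnector -Name 'Outbound to partner.example' `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerCertName

# Confirm the TLS requirements took effect on both connectors.
Get-InboundConnector  | Select-Object Name, RequireTls, TlsSenderCertificateName
Get-OutboundConnector | Select-Object Name, TlsSettings, TlsDomain
```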

TLS certificate information for Exchange Online

The certificate information used by Exchange Online is described in the following table. If your business partner is setting up forced TLS on their email server, you will need to provide this information to them. Be aware that for security reasons, our certificates do change from time to time. We have rolled out an update to our certificate within our datacenters. The new certificate is valid from September 3, 2018.

Current certificate information valid from September 3, 2018

Attribute: Value
Certificate authority root issuer: GlobalSign Root CA – R1
Certificate name: mail.protection.outlook.com
Organization: Microsoft Corporation
Organization unit: (blank)
Certificate key strength: 2048

Deprecated certificate information valid until September 3, 2018

To help ensure a smooth transition, we will continue to provide the old certificate information for your reference for some time; however, you should use the current certificate information from now on.


Attribute: Value
Certificate authority root issuer: Baltimore CyberTrust Root
Certificate name: mail.protection.outlook.com
Organization: Microsoft Corporation
Organization unit: Microsoft Corporation
Certificate key strength: 2048

Prepare for the new Exchange Online certificate

The new certificate is issued by a different certificate authority (CA) from the previous certificate used by Exchange Online. As a result, you may need to perform some actions in order to use the new certificate.

The new certificate requires connecting to the endpoints of the new CA as part of validating the certificate. Failure to do so can result in mail flow being negatively affected. If you protect your mail servers with firewalls that only let the mail servers connect with certain destinations, you need to check whether your server is able to validate the new certificate. To confirm that your server can use the new certificate, complete these steps:

  1. Connect to your local Exchange Server using Windows PowerShell and then run the following command:
    certutil -URL https://crl.globalsign.com/gsorganizationvalsha2g3.crl
  2. On the window that appears, choose Retrieve.
  3. When the utility completes its check it returns a status. If the status displays OK, your mail server can successfully validate the new certificate. If not, you need to determine what is causing the connections to fail. Most likely, you need to update the settings of a firewall. The full list of endpoints that need to be accessed includes:
    • ocsp.globalsign.com
    • crl.globalsign.com
    • secure.globalsign.com

Normally, you receive updates to your root certificates automatically through Windows Update. However, some deployments have additional security in place that prevents these updates from occurring automatically. In these locked-down deployments where Windows Update can't automatically update root certificates, you need to ensure that the correct root CA certificate is installed by completing these steps:

  1. Connect to your local Exchange Server using Windows PowerShell and then run the following command:
    certmgr.msc
  2. Under Trusted Root Certification Authority/Certificates, confirm that the new certificate is listed.
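An added PowerShell check, not from the article, that scripts the two verifications above (egress to the GlobalSign endpoints, download of the CRL from the certutil step, and presence of the GlobalSign root in the machine store) so they can be run on every on-premises server rather than clicked through by hand. It assumes CRL and OCSP are served over TCP port 80, that Test-NetConnection is available (Windows Server 2012 or later), and that the root certificate's subject contains CN=GlobalSign Root CA.

```powershell
# Added example (not from the original article): automate the firewall and
# root-store checks needed before the GlobalSign-issued certificate can be
# validated by an on-premises mail server.
function Test-ExoCertificateChainPrerequisites {
    $endpoints = 'ocsp.globalsign.com', 'crl.globalsign.com', 'secure.globalsign.com'

    # Egress check: CRL and OCSP are fetched over HTTP, so TCP 80 must be open
    # (assumption: port 80 is the path your proxy/firewall must allow).
    $results = @(foreach ($hostName in $endpoints) {
        $tcp = Test-NetConnection -ComputerName $hostName -Port 80 -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP 80 to $hostName"; Passed = [bool]$tcp.TcpTestSucceeded }
    })

    # Fetch the same CRL the certutil step retrieves; a 200 with a body means
    # revocation checking can reach the CA through the current firewall rules.
    $crlOk = $false
    try {
        $resp = Invoke-WebRequest -Uri 'https://crl.globalsign.com/gsorganizationvalsha2g3.crl' `
                                  -UseBasicParsing -TimeoutSec 15
        $crlOk = ($resp.StatusCode -eq 200 -and $resp.RawContentLength -gt 0)
    } catch { $crlOk = $false }
    $results += [pscustomobject]@{ Check = 'Download GlobalSign CRL'; Passed = $crlOk }

    # Root-store check for locked-down hosts where Windows Update cannot refresh
    # roots (assumption: subject contains "CN=GlobalSign Root CA").
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*CN=GlobalSign Root CA*' }
    $results += [pscustomobject]@{ Check = 'GlobalSign Root CA in LocalMachine\Root'; Passed = [bool]$root }

    return $results
}

# Any row with Passed = False points at a firewall rule or root store to fix
# before mail flow with Exchange Online depends on the new certificate.
Test-ExoCertificateChainPrerequisites | Format-Table -AutoSize
```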

Get more information about TLS and Microsoft 365

For a list of supported cipher suites, see Technical reference details about encryption.

Set up connectors for secure mail flow with a partner organization

Connectors with enhanced email security

Encryption in Microsoft 365