How Exchange Online uses TLS to secure email connections

Learn how Exchange Online and Microsoft 365 use Transport Layer Security (TLS) and Forward Secrecy (FS) to secure email communications. Also provides information about the certificate issued by Microsoft for Exchange Online.

TLS basics for Microsoft 365 and Exchange Online

Transport Layer Security (TLS), and SSL that came before TLS, are cryptographic protocols that secure communication over a network by using security certificates to encrypt a connection between computers. TLS supersedes Secure Sockets Layer (SSL) and is often referred to as SSL 3.1. For Exchange Online, we use TLS to encrypt the connections between our Exchange servers and the connections between our Exchange servers and other servers such as your on-premises Exchange servers or your recipients' mail servers. Once the connection is encrypted, all data sent through that connection is sent through the encrypted channel. However, if you forward a message that was sent through a TLS-encrypted connection, that message isn't necessarily encrypted. This is because, in simple terms, TLS doesn't encrypt the message, just the connection.

If you want to encrypt the message, you need to use an encryption technology that encrypts the message contents, for example, something like Office Message Encryption. See Email encryption in Office 365 and Office 365 Message Encryption (OME) for information on message encryption options in Office 365.

We recommend using TLS in situations where you want to set up a secure channel of correspondence between Microsoft and your on-premises organization or another organization, such as a partner. Exchange Online always attempts to use TLS first to secure your email but cannot always do this if the other party does not offer TLS security. Keep reading to find out how you can secure all mail to your on-premises servers or important partners by using connectors.

To provide the best-in-class encryption to our customers, Microsoft has deprecated Transport Layer Security (TLS) versions 1.0 and 1.1 in Office 365 and Office 365 GCC. However, you can continue to use an unencrypted SMTP connection without any TLS. We don't recommend email transmission without any encryption.

How Exchange Online uses TLS between Exchange Online customers

Exchange Online servers always encrypt connections to other Exchange Online servers in our datacenters with TLS 1.2. When you send mail to a recipient that is within your organization, that email is automatically sent over a connection that is encrypted using TLS. Also, all email that you send to other customers is sent over connections that are encrypted using TLS and are secured using Forward Secrecy.

How Microsoft 365 uses TLS between Microsoft 365 and external, trusted partners

By default, Exchange Online always uses opportunistic TLS. This means Exchange Online always tries to encrypt connections with the most secure version of TLS first, then works its way down the list of TLS ciphers until it finds one on which both parties can agree. Unless you have configured Exchange Online to ensure that messages to that recipient are only sent through secure connections, by default the message will be sent unencrypted if the recipient organization doesn't support TLS encryption. Opportunistic TLS is sufficient for most businesses. However, for businesses that have compliance requirements, such as medical, banking, or government organizations, you can configure Exchange Online to require, or force, TLS. For instructions, see Configure mail flow using connectors in Office 365.

If you decide to configure TLS between your organization and a trusted partner organization, Exchange Online can use forced TLS to create trusted channels of communication. Forced TLS requires your partner organization to authenticate to Exchange Online with a security certificate in order to send mail to you. Your partner will need to manage their own certificates in order to do this. In Exchange Online, we use connectors to protect messages that you send from unauthorized access before they arrive at the recipient's email provider. For information on using connectors to configure mail flow, see Configure mail flow using connectors in Office 365.

TLS and hybrid Exchange Server deployments

If you are managing a hybrid Exchange deployment, your on-premises Exchange server needs to authenticate to Microsoft 365 using a security certificate in order to send mail to recipients whose mailboxes are only in Office 365. As a result, you need to manage your own security certificates for your on-premises Exchange servers. You must also securely store and maintain these server certificates. For more information about managing certificates in hybrid deployments, see Certificate requirements for hybrid deployments.

How to set up forced TLS for Exchange Online in Office 365

For Exchange Online customers, in order for forced TLS to work to secure all of your sent and received email, you need to set up more than one connector that requires TLS. You'll need one connector for email sent to your user mailboxes and another connector for email sent from your user mailboxes. Create these connectors in the Exchange admin center in Office 365. For instructions, see Configure mail flow using connectors in Office 365.

TLS certificate information for Exchange Online

The certificate information used by Exchange Online is described in the following table. If your business partner is setting up forced TLS on their email server, you will need to provide this information to them. Be aware that for security reasons, our certificates do change from time to time. We have rolled out an update to our certificate within our datacenters. The new certificate is valid from September 3, 2018.

Current certificate information valid from September 3, 2018

    Attribute                          Value
    Certificate authority root issuer  GlobalSign Root CA – R1
    Certificate name                   mail.protection.outlook.com
    Organization                       Microsoft Corporation
    Organization unit                  (blank)
    Certificate key strength           2048
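As an added example that is not part of this Microsoft page, the following Windows PowerShell function compares a certificate you have exported from an SMTP TLS session with Exchange Online against the attributes in the table above. The .cer path is a placeholder, and the wildcard used for the root CA's common name is an assumption.

```powershell
function Test-ExoCertificate {
    param(
        [Parameter(Mandatory)][string]$CerPath,           # exported .cer (DER or Base64); placeholder path below
        [string]$ExpectedCN      = 'mail.protection.outlook.com',
        [string]$ExpectedOrg     = 'Microsoft Corporation',
        [string]$ExpectedRootCN  = 'GlobalSign Root CA*', # wildcard (assumption) for the R1 root's CN
        [int]   $ExpectedKeyBits = 2048,
        [switch]$CheckRevocation                          # Online mode fetches CRL/OCSP from the GlobalSign endpoints
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object -TypeName "$x509.X509Certificate2" -ArgumentList $CerPath
    $findings = New-Object System.Collections.Generic.List[string]

    # Certificate name and organization, as listed in the table
    $cn = $cert.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedCN) { $findings.Add("Subject CN is '$cn', expected '$ExpectedCN'") }
    if ($cert.Subject -notmatch [regex]::Escape("O=$ExpectedOrg")) {
        $findings.Add("Subject '$($cert.Subject)' does not contain O=$ExpectedOrg")
    }

    # Key strength: the table lists a 2048-bit key
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa -or $rsa.KeySize -ne $ExpectedKeyBits) { $findings.Add("Key is not RSA $ExpectedKeyBits-bit") }

    # Build the chain to the root; a failure here is what breaks mail flow behind a restrictive firewall
    $chain = New-Object -TypeName "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object { $findings.Add("Chain: $($_.StatusInformation.Trim())") }
    }
    $rootCN = '<no chain built>'
    if ($chain.ChainElements.Count -gt 0) {
        $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootCN = $root.GetNameInfo('SimpleName', $false)
    }
    if ($rootCN -notlike $ExpectedRootCN) { $findings.Add("Root is '$rootCN', expected to match '$ExpectedRootCN'") }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        RootCN     = $rootCN
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Placeholder path: point it at the certificate you exported from the SMTP TLS session
Test-ExoCertificate -CerPath 'C:\temp\exo-partner.cer' -CheckRevocation | Format-List
```

Run it with -CheckRevocation only from a host that is allowed to reach the CA endpoints; without the switch the chain is built from the local store alone.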

Deprecated certificate information valid until September 3, 2018

To help ensure a smooth transition, we will continue to provide the old certificate information for your reference for some time; however, you should use the current certificate information from now on.

    Attribute                          Value
    Certificate authority root issuer  Baltimore CyberTrust Root
    Certificate name                   mail.protection.outlook.com
    Organization                       Microsoft Corporation
    Organization unit                  Microsoft Corporation
    Certificate key strength           2048

Prepare for the new Exchange Online certificate

The new certificate is issued by a different certificate authority (CA) from the previous certificate used by Exchange Online. As a result, you may need to perform some actions in order to use the new certificate.

The new certificate requires connecting to the endpoints of the new CA as part of validating the certificate. Failure to do so can result in mail flow being negatively affected. If you protect your mail servers with firewalls that only let the mail servers connect with certain destinations, you need to check whether your server is able to validate the new certificate. To confirm that your server can use the new certificate, complete these steps:

  1. Connect to your local Exchange Server using Windows PowerShell and then run the following command:
    certutil -URL https://crl.globalsign.com/gsorganizationvalsha2g3.crl

  2. On the window that appears, choose Retrieve.

  3. When the utility completes its check, it returns a status. If the status displays OK, then your mail server can successfully validate the new certificate. If not, you need to determine what is causing the connections to fail. Most likely, you need to update the settings of a firewall. The full list of endpoints that need to be accessed includes:

    • ocsp.globalsign.com
    • crl.globalsign.com
    • secure.globalsign.com

Normally, you receive updates to your root certificates automatically through Windows Update. However, some deployments have additional security in place that prevents these updates from occurring automatically. In these locked-down deployments where Windows Update can't automatically update root certificates, you need to ensure that the correct root CA certificate is installed by completing these steps:

  1. Connect to your local Exchange Server using Windows PowerShell and then run the following command:
    certmgr.msc

  2. Under Trusted Root Certification Authority/Certificates, confirm that the new certificate is listed.
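The firewall check from the first procedure and the root-store check from the second, combined into one Windows PowerShell function as an added example that is not from this Microsoft page. The endpoints and CRL URL are the ones listed above; probing both TCP ports 80 and 443, reading the LocalMachine\Root store, and the wildcard for the root's subject are assumptions.

```powershell
function Test-ExoCertPrerequisites {
    param(
        # Endpoints and CRL URL are the ones the page lists; checking both 80 and 443 is an assumption
        [string[]]$Endpoints = @('ocsp.globalsign.com', 'crl.globalsign.com', 'secure.globalsign.com'),
        [int[]]   $Ports     = @(80, 443),
        [string]  $CrlUrl    = 'https://crl.globalsign.com/gsorganizationvalsha2g3.crl',
        [string]  $RootSubjectPattern = 'CN=GlobalSign Root CA*'   # wildcard on the R1 root's subject (assumption)
    )
    $results = @()

    # 1. Can this server reach the CA endpoints through the firewall?
    foreach ($h in $Endpoints) {
        foreach ($p in $Ports) {
            $t = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            $results += [pscustomobject]@{ Check = "tcp $h`:$p"; Passed = $t.TcpTestSucceeded; Detail = "$($t.RemoteAddress)" }
        }
    }

    # 2. Does the CRL named in step 1 actually download (the same fetch certutil -URL performs)?
    try {
        $r = Invoke-WebRequest -Uri $CrlUrl -UseBasicParsing -TimeoutSec 15
        $results += [pscustomobject]@{ Check = "GET $CrlUrl"; Passed = ($r.StatusCode -eq 200); Detail = "$($r.Content.Length) bytes" }
    } catch {
        $results += [pscustomobject]@{ Check = "GET $CrlUrl"; Passed = $false; Detail = $_.Exception.Message }
    }

    # 3. Is the new root CA in the machine's Trusted Root store (what the certmgr step confirms by eye)?
    $root = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like $RootSubjectPattern })
    $results += [pscustomobject]@{
        Check  = "root '$RootSubjectPattern' in Cert:\LocalMachine\Root"
        Passed = ($root.Count -gt 0)
        Detail = ($root | ForEach-Object { $_.Thumbprint }) -join ', '
    }
    $results
}

$report = Test-ExoCertPrerequisites
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more checks failed; validation of the new certificate can fail on this server'
}
```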

Get more information about TLS and Microsoft 365

For a list of supported cipher suites, see Technical reference details about encryption.

Set up connectors for secure mail flow with a partner organization

Connectors with enhanced email security

Encryption in Microsoft 365