Secure Messaging Forum

Choosing email-address from a SAN list

Fri, 20 Nov 2009 18:38:51 Z

I have a MS CA certificate with 3 SAN email addresses for digital signing purposes.
Each time Outlook display "signed by" 1st email address in the SAN list.
Is there a way to specify which SAN email-address Outlook should choose or display as "signed by"?

secure shared mailbox emails

Wed, 25 Nov 2009 14:14:22 Z

Hello everybody

Short form of question - is it possible to have certificates and encrypted email for shared mailbox?

Long form of question.
In our company we use Exchange and outlook with deployed PKI. So everybody has pair of certificates and able to encrypt/decrypt emails.
Apart from this we use shared mailboxes. Some teams has their own shared and sometimes this team might receive encrypted email. As shared mailbox has no certificate this poor people have to ask sender to send the very same email again to personal account. Then is can be decrypted and processed. So, what we need is a ability to create certificate for shared mailbox and publish it in AD. How is it possible?

SSL Cert and Edge Server Question - Exchange 2007

Thu, 19 Nov 2009 22:58:49 Z

I have two questions that are closely related:

1. I issued the New-ExchangeCertificate cmdlet on the Exchange Management Shell in order to generate a key. I am to upload this key to Go Daddy's site in order to have them generate a third party cert for our Exchange environment. After I generated the key I realized that some revisions are necessary. I am to run the command again in order to get a reissued key. The command executes without an error and drops me back at the command prompt. Howerver, a text file is not generated. I would like to have some direction if possible on accomplishing this task. The template provided by Go Daddy is:

New-ExchangeCertificate -generaterequest -keysize 2048 -subjectname "c=Your Country, l=Your Locality/City, s=Your State, o=Your Corporation Name,cn=YourMainDomain.com" -domainname CAS01,CAS01.exchange.corp.contoso.com,exchange.contoso.com,
autodiscover.contoso.com -PrivateKeyExportable $true -path c:\certrequest.txt

Should the cn= my domain name, FQDN for the Exchange OWA (webmail.domainname.com) or the FQSN (exchangeserver.webmail.domainname.com). Further, is the -domainname a required entry?

2. I am using an Edge server in our DMZ for message routing. How should port forwarding be set properly. I am somewhat of a visual learner. If there is a diagram that I could see, that would help me quite a bit.

Thanks in advance for any help you will provide.

Jesse

SAN Certificate

Tue, 03 Nov 2009 11:31:08 Z

We are upgrading to Exchange 2007. We are planning to have Exchange 2007 Mailbox CCR. We would have a NLB for CAS/Hub. We are planning to go for public CA but are confused as to how many certificate should be go for. We would have Outlook AnyWhere, ActiveSync, Outlook Web Access configured. We are going to use ISA 2006 for publishing this services. I would be glad iy you could let me know the no. of certificate we should purchase.

Certificate Server digital signature

Wed, 18 Nov 2009 12:56:24 Z

Hi all,
Is there some certificate authority server which gets integrated with my LDAP server and authenticate the user using that LDAP server, and than taking the attribute for that user from the LDAP server generate an certificate i.e. digital signature *.p12. This not ends my demand, further more the server should also send the certificate (signature) via email to the user

Sharing Encrypted E-mail --sharing S/MIME Certificates?

Fri, 13 Nov 2009 21:52:57 Z

We are a 20 person firm using Microsoft Exchange 2003. One of our clients requires communication via encryption. I am the main person who communicates with this client. Presently, I have a personal S/MIME certificate that must be renewed annually. The problem is that when encrypted e-mails to me are uploaded to our document management system, no other employees of our firm can read the e-mail. I understand that I could forward the e-mail and send it unencrypted, but we would rather preserve the original sender and send date in our document management system.

Can my S/MIME certificate be exported and shared with other employees so that they can encrypt and decrypt e-mails?

Is there an easier way to handle this situation than using an external certificate? We want to avoid having to annually purchase external certificates which must be renewed annually. Can the messages be encrypted/decrypted at the Exchange Server level?

thank you.

Securing attachments in Exchange

Tue, 10 Nov 2009 07:03:14 Z

Hello

We are currently running in Exchange 2003 SP2 and Exchange 2007 SP1 mixed mode. We have several Exchange 2003 Admin/routing groups. All clients are Outlook 2007.

I would like to look into a system where third parties can send us secure attachments (e.g. containing confidential data) but at the same time, I do not want this to affect other third parties sending us attachments, nor have to implement this across the board of our Exchange 2003/2007 org, only one country actually needs to have this.

Does anyone have any recommendations?

OWA Exchange 2007 over HTTPS question

Thu, 20 Sep 2007 21:15:28 Z

How can I set up my server so that the secure certificate is valid? Do i need to register something?

Outlook anywhere - machine certificates for auth

Fri, 16 Oct 2009 13:50:46 Z

We have a customer who are looking for a secure way of deploying Outlook anywhere.
To be able to connect to Outlook anywhere they will also use machine certificates for auth.

It this possible?

Morten

Two-factor authentication for Outlook Anywhere?

Wed, 15 Apr 2009 20:08:24 Z

Are there any two factor authentication options for Outlook anywhere when using Exchange 2003 and Outlook 2007? All users will have their domain username and pasword, but for external access we need a second authentication method.

We can issue certificates to computers or users. However, my Google searches didn't come up with any hits on how to make Outlook Anywhere work with certificates/smart cards.

I know IIS has a many-to-one certificate mapping feature, but it wasn't clear if that would work. For example, it wants you to input an account which the many-to-one mapping uses.

Our requirement is to only accept Outlook Anywhere connections from computers which have corporate issued user certificates. If ISA 2006 helps at all, we can throw that into the mix. But I'd prefer a solution that only relies on IIS configuration changes.

Clients will be Windows XP SP3 or Windows 7 beta.

Thanks!

Encrpyted emails

Tue, 03 Nov 2009 14:32:09 Z

I have a need to send encrypted emails and attachments. I currently use Exchange 2003 for my domain and I understand the use of public and private keys withing the domain. What I am trying to do is send an encrypted email to clients that currently do not have keys to open the emails. Is there a way to send them a key, without someone intercepting it, so they can then open the email? The client list may vary so I don't want to just send a key to everyone.
Thanks

Avoid fake email accounts

Wed, 14 Oct 2009 17:05:56 Z

Hello, I have configured MS Exchange 2007. I have just noticed that by doint telnet my.mail.server.com 25, anybody can connects to my mail server and send emails from fake accounts (say EMAIL GONE) to real accounts of my organization.

The question is, how can avoid this? does it have to do with Anonymous connection?

Thanks in advance,

John

Receiving Encrypted Email

Wed, 14 Oct 2009 06:16:17 Z

Hello,
I have a friend that runs a business and runs Exchange Server 2003. When his accountant sends him email it is unencrypted, which concerns him. What solution exists that will enable the business owner to receive encrypted emails from his accountant? As the accountant does not run exchange server, I am unsure as to how to approach this problem.

Thank You

Confused with SSL and Certificate Authority

Mon, 02 Nov 2009 02:37:12 Z

I am vague about how SSL and certificate authority works. Windows Server 2003 has a built in CA it looks like, but people are saying to buy a 3rd party CA.

Will the built in CA only work for internal users of the network?

I've been trying to get SSL to work for our OWA, but it seems like SSL will only work for our internal users and not our external users. I've enabled our sonicwall all WAN to specifically the ip address of the LAN exchange server. Could this be a certificate problem? When connected from outside, the website just displays:

Unable to connect

Firefox can't establish a connection to the server at email.domain.com


    *   The site could be temporarily unavailable or too busy. Try again in a few
          moments.

    *   If you are unable to load any pages, check your computer's network
          connection.

    *   If your computer or network is protected by a firewall or proxy, make sure
          that Firefox is permitted to access the Web.

Configuring SSL for OWA

Mon, 19 Oct 2009 21:58:38 Z

I am trying to configure SSL for OWA.

I am able to access my OWA within my network (intranet)
How ever when I am on another ISP I cannot access the secure website.

What could be the cause of this?
Please help,

Thank you

E-mail block Internet

Tue, 27 Oct 2009 05:02:45 Z

Hi

help, I have the following issue:

I want to block some users, not send mail outside and just do it internally.
On the other Part, I have send mail users that if they internally and externally.

Greetings

Thanks

Encryption Email Outlook 2007

Tue, 20 Oct 2009 16:28:50 Z

Hi!

I want to know if i am doing something wrong.

I'm creating a free certificate in
http://www.trustcenter.de/en/products/tc_internet_id.htm
Configuring the MIME certificate on Microsoft Outlook 2007, I try to send an
email encrypted no signed and the client can open the email even if i havend
sent the messager with the sign. Why is this happening? Am I missing
something?

I'm following theses steps:

http://www.globalsign.com/support/personal-certificate/per_outlook07.html

Best regards,

Futurist

Is it possible to off-load security to separate appliance (DataPower) and implement last-mile security to EWS?

Thu, 22 Oct 2009 19:38:06 Z

The scenario is as follows: company policy says all web services get secured via DataPower appliance (XML accelerator that can manage certificates, Basic auth, logging, auditing, XSLT, etc). Would like to use EWS with certain system mailboxes (not regular users) to process emails programmatically. My client program therefore would need to send SOAP message to DataPower, which then sends to EWS. Exchange server must reject direct EWS requests not coming from DataPower. Can this be done? Specific instructions would be most appreciated.

- dave

TLS

Mon, 19 Oct 2009 16:15:05 Z

Hi, I need to implement TLS for a specific client. We already SSL implemented on our Exchange 2007 Frond End Servers. Will there be any clash between these two certificates and how can I implement TLS if there is no problem implementing that.

Thanks in advance..

Navneet

Windows 2003 R2 Certificate Template

Tue, 06 Oct 2009 19:06:45 Z

Hi,
I want to make a certificate template that will give me the option Type of Certificate Needed and from there I can select Client or server certificate. I created a duplicate certificate but it doesn't show me that option. Is there an additional step I need to add this option to my current Template?
Thanks
Scott

Skier

Securing Activesynch mobile devices on Exchange Server 2007

Mon, 28 Sep 2009 08:18:43 Z

Hi All,

Here's my configuration, MS Exchange Server 2007 SP1 on my Windows Server 2003 box, I've deployed

CAS Client Access Server role
MBX Mailbox Role
HT Hub Transport Role

all into single box and have successfully enabled the OWA feature + UCC SSL Certificate, Activesynch going fine on both Windows Mobile PDA and iPhone too.

However, I begin to concerns regarding the security of the email that is downloaded into the mobile devices, is there any way to make it more secure ?

Any suggestion and comments will be greatly appreciated.

Thanks.

/* Windows Infrastructure Support Engineer */

Solution for encryption

Mon, 28 Sep 2009 19:19:12 Z

Hello,

we would like to encrypt all local/intern emails on our Echange Server 2007. At the moment i have only found S/Mime as solution. Is there another solution beside S/Mime?

Best Regards
Florian

Unable to delete e-mails from OWA, Access denied message appears

Mon, 28 Sep 2009 05:45:14 Z

I am unable to delete e-mails from my outlook web Access. I gives Access denied message when i try to delete the message.
i am using Exchange 2003 with windows 2003 and outlook 2003 client.
Can any body help me???

Outlook 2007 Sending reported error 0x800CCC80

Fri, 25 Sep 2009 10:53:13 Z

1. Outlook Express 6.0: setting require authentication for outgoing SMTP. IMSS (Trend micro) can accept and relay to another mail sever. working OK.

2. Outlook 2007: setting require authentication for outgoing SMTP. IMSS (Trend micro) can not accept.
Error message: Sending reported error 0x800CCC80 'None of the authentication methods supported by this client are supported by your server.'

Please help.

Best Regards,
JaiDDJai

RPC over HTTPS

Mon, 31 Aug 2009 19:43:56 Z

RPC over HTTPS is not working. My setup is a s follows: ISA ver 2006 in DMZ, one Exchange 2003 back end server and one Exchange 2003 front end server, both version 6.5 (build 7638.2 Service Pack 2. I believe RPC over HTTPS works internally since when I run outlook.exe /rpcdiag, it shows https protocol rather than TCP at least for most of the items displayed there. Also, OWA and active sync for Mobile phones work fine externally. I think there is something missing/misconfigured on the ISA server but I'm not sure what.
Thank you.

Exchange 2007 Outlook Anywhere problem Optionen

Thu, 24 Sep 2009 18:03:35 Z

Hy folks,
our Outlook Anywhere suddenly stopped working last night.
If I start Outlook I get the credentials dialog as normal, but
everytime I enter (the correct) credentials it just pops up again and
Outlook doesn't connect. OWA works fine though.

Here is our configuration:
Windows EBS (Essential Business Server) 2008, Exchange 2007 SP2 on
Windows Server 2008, published via TMG MBE (which is, as far as I
know, basically a ISA 2006 with some enhanced features), single AD
domain.
We work with an self signed cert (we already ordered one from EnTrust
but this will take a few days), which worked fine for us until
yesterday (I don't think we have cert issues though).

What catches my eye:
If I got that right, I am supposed to see a blank page if I open the
URL "https://owa.mydomain.com/rpc" from a browser, right? Internally
(from our LAN) this works fine, I get a blank page. From the www I
have to enter my credentials and than I get an IE error page saying:

Technical Information (for support personnel)
Error Code 64: Host not available
Background: The connection to the Web server was lost.

I tried a lot and my eyes are already wet from all the reading in the
newsgroups, maybe one of you can help out.

Thanks in advance,
Michael

How to request certificates from CA?

Tue, 22 Sep 2009 22:18:05 Z

Hi,

I have a client/server application in which one server (A) supports multiple clients. We need to implement certificate-based authentication. I have installed a CA on another server (B). How do I request/install a certificate for the server and clients? Do I have to send the request from the machine and account where I am going to install them? In other words, how can I request a server/client certificate on behalf of another machine?

Thanks!

Event 12014 MSExchangeTransport errors

Tue, 25 Aug 2009 21:44:01 Z

Hello,

We are seeing tons of these events in the Application Log of our Edge Server. When I run get-Exchangecertificate | fl, the status says "invalid." In conjunction with these events, we also see Warnings for Event ID: 12015 MSExchangeTransport (Transport certificate expired). Please assist. Thank you.

Exchange 2007 encryption - outlook anywhere users

Fri, 18 Sep 2009 13:41:04 Z

Hi Frank,

maybe you could provide some input on this. I have been able to set up the CA on one of our DC's. i can request certificates fine and send encrypted emails from the desktops on our LAN. the problem i am having is with the laptops. all the laptops are set to use RPC over HTTPS regardless if they are in the office or are mobile. these users cannot send encrypted emails they get a error stating "Microsoft Office Outlook had problems encrypting this message because the following recipients had missing or invalid certificates, or conflicting or unsupported encryption capabilities". To me this would suggest a problem with the receiving PC...but the only time this message appears is when sending from a laptop set up to use RPC over HTTPS.

Here is how i have things set up right now:

- exchange server internal FQDN: exchange.internal.local
- all desktops are configured to connect to exchange VIA it's internal FQDN.

- outlook anywhere URL: https://exchange.external.com
- all laptops are configured to have outlook connect to https://exchange.external.com but have the exchange server name as exchange.internal.local.

- CA server is on the same domain it's FQDN is: CA1.internal.local
- CA server is not accessible externally
- CA server's common name for issuing certificates is CA1

I think i know what the problem is but i'd like to hear what you think.
Thanks
Colin

4 hours 3 minutes agoFrank.Wang

Vote As Helpful

Hi Colin,

I'm afraid I don't very understand this one:
all laptops are configured to have outlook connect to https://exchange.external.com but have the exchange server name as exchange.internal.local.

Could you test the Outlook Anywhere in your company's domain? Just choose the "on fast networks,connect using http first.." in "exchange proxy settings" in Outlook.

By the way , could you ask a new question about Outlook Anywhere in Forus? Just copy last post to the new one.
It can be seen more continuing. Other people also can search forum more efficiently. Thanks.

Digital ID's in exchange 2007

Tue, 15 Sep 2009 20:52:57 Z

Hi all,

I have been asked to give our users the ability to digitally sign/encrypt messages when sending to other users in our exchange organization. Every thing im seeing on the net suggests you need to use a 3rd party solution. We already have an SSL cert installed on the exchange server. Is there a way i can use this certificate to create digital ID's???

thanks
Colin

Outlook 2003 RPC over HTTPS

Wed, 16 Sep 2009 17:34:32 Z

Hi All,

For the past 9 months i have been running RPC over HTTPS on exchange 2007 without any problems (after getting it to work initially which was a severe pain in the...). I have users connecting with both outlook 03 and 07. Just this morning, the outlook 03 users cannot connect to the exchange server VIA RPC over HTTPS. the outlook 07 users are still working fine.

Anyone have any ideas as to why?
Here is a piece of the IIS logs that show on of our users using outlook 03 trying to connect.

2009-09-16 17:13:40 W3SVC1 10.10.3.3 RPC_IN_DATA /rpc/rpcproxy.dll fqdn.server.local:6002 443 domain.local\adminuser 70.49.27.43 MSRPC 200 0 64
2009-09-16 17:13:40 W3SVC1 10.10.3.3 RPC_OUT_DATA /rpc/rpcproxy.dll fqdn.server.local:6002 443 domain.local\adminuser 70.49.27.43 MSRPC 200 0 64
2009-09-16 17:13:40 W3SVC1 10.10.3.3 RPC_IN_DATA /rpc/rpcproxy.dll fqdn.server.local:6004 443 domain.local\adminuser 70.49.27.43 MSRPC 200 0 0
2009-09-16 17:13:40 W3SVC1 10.10.3.3 RPC_OUT_DATA /rpc/rpcproxy.dll fqdn.server.local:6004 443 domain.local\adminuser 70.49.27.43 MSRPC 200 0 0
2009-09-16 17:13:40 W3SVC1 10.10.3.3 RPC_IN_DATA /rpc/rpcproxy.dll fqdn.server.local:593 443 domain.local\adminuser 70.49.27.43 MSRPC 200 0 0
2009-09-16 17:13:40 W3SVC1 10.10.3.3 RPC_OUT_DATA /rpc/rpcproxy.dll fqdn.server.local:593 443 domain.local\adminuser 70.49.27.43 MSRPC 200 0 0
2009-09-16 17:13:41 W3SVC1 10.10.3.3 RPC_IN_DATA /rpc/rpcproxy.dll fqdn.server.local:6002 443 domain.local\adminuser 70.49.27.43 MSRPC 200 0 64
2009-09-16 17:13:41 W3SVC1 10.10.3.3 RPC_OUT_DATA /rpc/rpcproxy.dll fqdn.server.local:6002 443 domain.local\adminuser 70.49.27.43 MSRPC 200 0 0
2009-09-16 17:13:41 W3SVC1 10.10.3.3 RPC_IN_DATA /rpc/rpcproxy.dll fqdn.server.local:6002 443

Ideas??

Thanks
Colin

UPDATE: turns out the 2007 clients are having the same issue now.

Excange 2007 Event ID 12014 Error after instlling 2nd Hub Transport server.

Thu, 10 Sep 2009 10:58:37 Z

I installed a second Exchanger Server in our orginization with the Hub, Client Access and Mailbox roles. Since I installed the second sever, I have been getting the following error :-

Event ID 12014

"Microsoft Exchange couldn't find a certificate that contains the domain name "mail.domainname.com"*

         in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP
         verb for any connector with a FQDN parameter of mail.domainname.com.
         Verify the connector configuration and the installed certificates to make sure that there is
         a certificate with a domain name for every connector FQDN."

* the value vairy - mail.hijinxx.com or exchange.hijinxx.com

I ran " get-reciveconnector | FL name, FQDN, ObjectClass " and got this:-

Name : Default EXCHANGE

Fqdn : exchange.hijinxx.com

ObjectClass : {top, msExchSmtpReceiveConnector}

Name : Client EXCHANGE

Fqdn : exchange.iconasset.com

ObjectClass : {top, msExchSmtpReceiveConnector}

Name : Default EXCH1

Fqdn : exch1.iconasset.com

ObjectClass : {top, msExchSmtpReceiveConnector}

Name : Client EXCH1

Fqdn : exch1.iconasset.com

ObjectClass : {top, msExchSmtpReceiveConnector}

I Ran " get-sendconnector | FL name, FQDN, ObjectClass" and got this :-

Name : Internet Send connector for Hinixx

Fqdn : mail.hijinxx.com

ObjectClass : {top, msExchConnector, mailGateway, msExchRoutingSMTPConnector}

I Ran " get-exchangecertificate | FL *" and got this :-

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst

em.Security.AccessControl.CryptoKeyAccessRule}

CertificateDomains : {www.hijinxx.com, autodiscover.hijinxx.com, mail.hijinxx

.com, owa.hijinxx.com}

CertificateRequest :

IisServices : {IIS://exchange/W3SVC/1}

IsSelfSigned : False

KeyIdentifier : 4AE17E5BE79F354050F5C8DBC2225FB8380FB2D6

RootCAType : ThirdParty

Services : IIS

Status : Valid

PrivateKeyExportable : True

Archived : False

Extensions : {System.Security.Cryptography.Oid, System.Security.Crypt

ography.Oid, System.Security.Cryptography.Oid, System.Se

curity.Cryptography.Oid, System.Security.Cryptography.Oi

d, System.Security.Cryptography.Oid}

FriendlyName : www.hijinxx.com

IssuerName : System.Security.Cryptography.X509Certificates.X500Distin

guishedName

NotAfter : 27/11/2009 15:36:49

NotBefore : 26/11/2008 15:36:49

HasPrivateKey : True

PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider

PublicKey : System.Security.Cryptography.X509Certificates.PublicKey

RawData : {48, 130, 3, 147, 48, 130, 2, 252, 160, 3, 2, 1, 2, 2, 3

, 10...}

SerialNumber : 0A3ADF

SubjectName : System.Security.Cryptography.X509Certificates.X500Distin

guishedName

SignatureAlgorithm : System.Security.Cryptography.Oid

Thumbprint : 033E215D88EDA9FF09708D298ED4800DE5A5EBC2

Version : 3

Handle : 487307936

Issuer : OU=Equifax Secure Certificate Authority, O=Equifax, C=US

Subject : CN=www.hijinxx.com, OU=Domain Control Validated - QuickS

SL Premium(R), OU=See www.geotrust.com/resources/cps (c)

08, OU=GT35933476, O=www.hijinxx.com, C=CH

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst

em.Security.AccessControl.CryptoKeyAccessRule, System.Se

curity.AccessControl.CryptoKeyAccessRule}

CertificateDomains : {exchange, exchange.iconasset.com}

CertificateRequest :

IisServices : {}

IsSelfSigned : True

KeyIdentifier : 09136A25E4BF5B347363D4EDB6CE5DC95D768594

RootCAType : None

Services : IMAP, POP, SMTP

Status : Valid

PrivateKeyExportable : False

Archived : False

Extensions : {System.Security.Cryptography.Oid, System.Security.Crypt

ography.Oid, System.Security.Cryptography.Oid, System.Se

curity.Cryptography.Oid}

FriendlyName : Microsoft Exchange

IssuerName : System.Security.Cryptography.X509Certificates.X500Distin

guishedName

NotAfter : 24/11/2009 18:34:48

NotBefore : 24/11/2008 18:34:48

HasPrivateKey : True

PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider

PublicKey : System.Security.Cryptography.X509Certificates.PublicKey

RawData : {48, 130, 3, 18, 48, 130, 1, 250, 160, 3, 2, 1, 2, 2, 16

, 145...}

SerialNumber : 910F43E1C1849EB94EB39EE383F39E9F

SubjectName : System.Security.Cryptography.X509Certificates.X500Distin

guishedName

SignatureAlgorithm : System.Security.Cryptography.Oid

Thumbprint : FC5E40C751DC96565E6D2DDBD2016DA8AFADEA73

Version : 3

Handle : 487308080

Issuer : CN=exchange

Subject : CN=exchange

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst

em.Security.AccessControl.CryptoKeyAccessRule, System.Se

curity.AccessControl.CryptoKeyAccessRule}

CertificateDomains : {exchange, exchange.iconasset.com}

CertificateRequest :

IisServices : {}

IsSelfSigned : True

KeyIdentifier : CBC442EACDF41C78558F3D348E2F39B209C0FC99

RootCAType : None

Services : IMAP, POP, SMTP

Status : Valid

PrivateKeyExportable : False

Archived : False

Extensions : {System.Security.Cryptography.Oid, System.Security.Crypt

ography.Oid, System.Security.Cryptography.Oid, System.Se

curity.Cryptography.Oid}

FriendlyName : Microsoft Exchange

IssuerName : System.Security.Cryptography.X509Certificates.X500Distin

guishedName

NotAfter : 01/10/2009 20:49:13

NotBefore : 01/10/2008 20:49:13

HasPrivateKey : True

PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider

PublicKey : System.Security.Cryptography.X509Certificates.PublicKey

RawData : {48, 130, 3, 18, 48, 130, 1, 250, 160, 3, 2, 1, 2, 2, 16

, 16...}

SerialNumber : 1028BCB0B51E0FBF49C48802C3D88552

SubjectName : System.Security.Cryptography.X509Certificates.X500Distin

guishedName

SignatureAlgorithm : System.Security.Cryptography.Oid

Thumbprint : 022336C8CAD4ACB923B7BE9DC6769CBE3F6A6539

Version : 3

Handle : 475214208

Issuer : CN=exchange

Subject : CN=exchange

What could the problem be? is it comunication between the Hub transport servers, as OWA and Outlook Anywhere work fine?

Implementing TLS to decrypt messages on Exchange Server 2007

Wed, 09 Sep 2009 14:44:40 Z

Hi,

One of the banks that we deal with sends us emails that are encrypted with TLS. When we recieve the email, the actual email (the subject, body, etc.) comes as an attachment (.html). The subject matter is the same for every email which makes it difficult to identify a particular email. When you open the attachment in a browser, it automatically decrypts and you can see the contents of the mail.
The solution that I am looking at is that allows us to see the contents of the email directly in outlook rather than as an attachment. The Technical staff at the Bank told me to implement TLS on my exchange server to resolve it. When I tried to buy a certificate from Thawte they said that it will not help and instead I should use a certificate for the client computer only. That did not help either.
I would really appreciate any help.
Thanks in advance.

Regards, Anshul

Exchagne Certificate problem

Mon, 07 Sep 2009 18:12:32 Z

Dear All,

I have a exchange server which is using internal CA for certificate. Could anyone help me that how can I import the same certificate if certificate problem is there.

thanks
arun

10104 errors on edge server.

Wed, 09 Sep 2009 00:40:44 Z

Hi Everyone,

After re-newing a smpt edge certificate i am getting the folowing errors. This is the process I did on both hub and edge servers.

On EDGE101

New-ExchangeCertificate

Generate new EdgeSubscription on EDGE101

New-EdgeSubscription -filename "C:\Edge101_Sep2009.xml" -CreateInternetSendConnector $true -site "Default-First-Site-Name"

Copy File c:\edge101_sep2009.xml to HUB103

On HUB103

remove the edge subscription from HUB101

remove-edgesubscription -identity edge101.cosmac.com

Create Connector for EDGE101

New-EdgeSubscription -filename "C:\Edge101_Sep2009.xml" -CreateInternetSendConnector $true -site "Default-First-Site-Name"

Start-EdgeSynchronization

To Test Edge

Test-EdgeSynchronization -VerifyRecipient sysadmin@cosmac.com

Event Type: Error
Event Source: MSExchange EdgeSync
Event Category: Synchronization
Event ID: 10104
Date:  9/8/2009
Time:  8:29:08 PM
User:  N/A
Computer: HUB103
Description:
Microsoft Exchange couldn't match certificate when contacting EDGE101.ihostexchange.net. The connection was stopped.

Event Type: Error
Event Source: MSExchange EdgeSync
Event Category: Topology
Event ID: 1024
Date:  9/8/2009
Time:  8:34:09 PM
User:  N/A
Computer: HUB103
Description:
The connection to the ADAM instance of the Edge Transport server failed with exception "The LDAP server is unavailable.". This could be caused by a failure to resolve the Edge Transport server name EDGE101.ihostexchange.net in DNS, a failure when trying to connect to port 50636 on Edge Transport server EDGE101.ihostexchange.net, network connectivity issues, an invalid certificate, or an expired subscription. Verify the configurations of your network and server.

Exchange 2007 Certificate

Tue, 08 Sep 2009 01:54:56 Z

Dear all,

I have exchange server 2007 having internal windows server 2003 CA. Somebody replace my exchange certificate by selfsigned certificate so that we have a problem of accessing mail from outside and PDA also. I have checked with CA then there is my certificate with name of mail.example.com with expiry date 2013.

Can anyone suggest that how can i again restore that certificate?

Exchange 2007 TLS - Can the sending server initiate a STARTTLS? (Must issue a STARTTLS command first)

Fri, 04 Sep 2009 16:45:45 Z

Exchange 2007 TLS - Can the sending server initiate a STARTTLS?
We are trying to setup TLS between 2 organizations server to server. We have Exchange 2007 and the receiving party is using a TLS gateway that expects a STARTTLS sent to it.
From what I can see, my Exchange 2007 send connector is expecting to be offered a 250-STARTTLS from the receiving end.
Is there a way to force my send connector to issue a STARTTLS command first?

No Anonymous Access or Accounts in SSL OWA - Exchange 2003

Thu, 03 Sep 2009 10:53:01 Z

Due to policies, "Anonymous Access" is not an option on the IIS webserver. The Anonymous Accounts IUSR_servername and IWAM_servername must have real passwords defined.

Can i just reset the password for these accounts from AD, and place those same passwords into IIS>ExchWeb (or is this wrong setting for OWA), and assume it will not break Exchange and OWA functionality (and anything else it might hinder)?

I will find out soon, but checking if someone has the answer before I spend the time repeating a known process

Many thanks!

How to disable Exchange 2007 SMTP X-ANONYMOUSTLS encryption?

Wed, 23 Jan 2008 10:53:03 Z

Hi Experts,
We are trying to disable Exchange 2007 TLS encryption for the SMTP traffic between Exchanger 2007 servers.

Based on the step 3 of following document:
If the msExchServerInternalTLSCert attribute cannot be read or if the value is null, Microsoft Exchange does not advertise X-ANONYMOUSTLS and no certificate is loaded.

http://technet.microsoft.com/en-us/library/bb430790.aspx

Don't know if we can disable Exchange 2007 SMTP TLS encryption by changing the msExchServerInternalTLSCert attribute to null on Exchange 2007 servers.
Also, don't know the side effects of chaning the msExchServerInternalTLSCert attribute to null on Exchange 2007 servers.

Appreciate your help!

Thanks!

CT
chuntaihu@yahoo.com

Disable TLS

Mon, 31 Mar 2008 17:20:03 Z

Hi Everyone,

I would like to disable TLS, as I would like to disable the encryption between Hub Transport server for some reason.

1. What is the best approach if I have three Hub Transport servers?

Mailbox Server A using Hub Transport Server A

Mailbox Server B using Hub Transport Server B

Mailbox Server C using Hub Transport Server C

2. Do have have to disable both "Send Connector" and "Receive Connector" on all Hub Transport servers?

3. What about Mailbox Servers, do I have to disable it on all Mailbox servers as well?

4. Is there any security concern?

5. Actually the reason I am doing it is because there is a appliance, "riverbed" to save traffic between servers, however, hub transport encrypted all traffic between servers using TLS. As the result, the appliance cannot decrypt it to save traffic, is there a way to use it with TLS enabled?

6. If not, is there another way to use it more securely?

Thanks