How to verify TLS configuration on Exchange Server 2010 Edge Transport

  • Wednesday, June 20, 2012 17:37

    Dear Fellows,

    How can we verify TLS configuration being done on Edge Transport Server for the Domains configured?

    We have attempted to configure TLS for one of our clients as part of a migration from Exchange 2003 to Exchange 2010. Previously, TLS was configured for a list of domains on an SMTP gateway. Now we have replaced that SMTP gateway with an Edge Transport Server.

    That Exchange 2010 organization is authorized for multiple domains, but they want to configure TLS authentication for one of the domains only (let's say mail.xyz.com). We have requested and configured a public certificate (with the subject name of the mail.xyz.com domain only) and enabled it for SMTP.

    We have configured the same list of domains for both inbound and outbound domain security (TLSReceiveDomainSecureList and TLSSendDomainSecureList), and have created a send connector with mutual TLS enabled, as well as on the default receive connector.

    Any help/suggestion would be appreciated.

    Thanks.


    Junaid Ahmed

All replies

  • Wednesday, June 20, 2012 20:06

    Look in the message header on received mail. You should see different information between a normal mail and a mail received from one of the domains you require TLS from.


    Lasse Pettersson http://anewmessagehasarrived.blogspot.com

  • Wednesday, June 20, 2012 20:40

    Dear Lasse,

    Thank you for the response. But what should the troubleshooting steps be if we are not able to receive any mail from any of the domains configured as TLS-secured domains?

    Even the protocol log is not showing any failure or success.

    Telnet to the server shows the following response. It doesn't contain 250-STARTTLS:

    220 mail.domain.com OK
    ehlo mail.domain.com
    250-mail.domain.com Hello [172.xx.xx.xx]
    250-SIZE 20971520
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-X-ANONYMOUSTLS
    250-AUTH
    250-X-EXPS NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250-XEXCH50
    250 XSHADOW

    Thanks.


    Junaid Ahmed


  • Wednesday, June 20, 2012 20:53

    It is the sending server that should submit a STARTTLS command, but this will only happen if your server advertises that it can handle TLS, which the response you posted here doesn't do, probably because of some certificate mismatch. This should be showing in the application event log.

    Turning up diagnostic logging for MSExchangeTransport should also give you some more clues as to why stuff is failing.


    Lasse Pettersson http://anewmessagehasarrived.blogspot.com

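The two checks discussed above, whether the server advertises STARTTLS at all and whether the certificate it then presents actually validates, as an added Python example (not code from the thread or from Exchange): parse_ehlo reads a pasted EHLO reply such as the one posted earlier, and check_smtp_tls does the live handshake with chain and hostname validation. The sample reply is a constructed copy of the posted transcript; host names passed to check_smtp_tls are the caller's assumption.

```python
import smtplib
import ssl

# Constructed copy of the EHLO reply pasted in the thread: no STARTTLS line.
# X-ANONYMOUSTLS is Exchange's internal hub-to-hub extension, not STARTTLS.
SAMPLE_EHLO = b"""250-mail.domain.com Hello [172.xx.xx.xx]
250-SIZE 20971520
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH
250-X-EXPS NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XSHADOW"""

def parse_ehlo(raw):
    """Extension keywords in an EHLO reply; the first 250 line is the server name."""
    exts = set()
    for line in raw.decode(errors="replace").splitlines()[1:]:
        if line.startswith("250") and len(line) > 4:
            exts.add(line[4:].split()[0].upper())
    return exts

def starttls_advertised(raw):
    return "STARTTLS" in parse_ehlo(raw)

def check_smtp_tls(host, port=25):
    """Live check (assumed helper): EHLO, then STARTTLS with chain and hostname
    validation, i.e. the checks a CertificateValidation peer applies to us."""
    result = {"starttls": False, "cert_ok": None, "subject": None, "error": None}
    smtp = smtplib.SMTP(host, port, timeout=15)
    try:
        smtp.ehlo()
        result["starttls"] = smtp.has_extn("starttls")
        if result["starttls"]:
            ctx = ssl.create_default_context()  # verifies chain and host name
            smtp.starttls(context=ctx)
            result["cert_ok"] = True
            result["subject"] = smtp.sock.getpeercert().get("subject")
    except ssl.SSLError as exc:  # untrusted chain or name mismatch
        result["cert_ok"] = False
        result["error"] = str(exc)
    finally:
        smtp.close()
    return result
```

A reply with no STARTTLS keyword means the receive connector is not offering TLS (typically the certificate assigned to it is missing or mismatched), while starttls=True with cert_ok=False points at the mismatch Lasse describes.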
  • Monday, June 25, 2012 03:19

    Hi Junaid,

    There is a good article for you about how to configure domain security for Exchange 2010:
    Exchange 2010 Domain Security
    Per your information, I would not suggest that you configure MTLS on the default receive connector; please create a new one for the specific needs.
    If you still have confused points, please feel free to let us know.

    Regards!

    Gavin

    TechNet Community Support

  • Wednesday, June 27, 2012 13:25

    Dear Lasse,

    Thank you for the idea. Yes, the issue highlighted above was a certificate mismatch issue, and it was also giving alerts in Event Viewer.

    But unfortunately, and sorry to tell, during all this troubleshooting we discovered that the partner requires and offers encryption only (no certificate authentication was required). This all happened due to miscommunications and misconceptions along the project :)

    So configuring TLSAuth from "CertificateValidation" to "EncryptionOnly" on the send connector resolved the issue.

    Turning on protocol-level logging on the connectors helped a lot as well.

    Thank you.


    Junaid Ahmed
