TLS connector

    Question

  • I have a standard Exchange 2013 installation on a Windows Server 2012R2 that is on a VM. I have installed CU20. I have installed a connector to enable a TLS connector for secure email from a partner. The connector is ignored. I have applied a Go Daddy certificate to the connector with PowerShell. This connector is ignored and I get a reply from checkTLS.com that the "Default Frontend exchange" is replying. How do I force the new public cert enabled connector to reply? It seems to be ignored completely even though it is more restrictive.
    9 June 2018 18:21

All replies

  • I have a standard Exchange 2013 installation on a Windows Server 2012R2 that is on a VM. I have installed CU20. I have installed a connector to enable a TLS connector for secure email from a partner. The connector is ignored. I have applied a Go Daddy certificate to the connector with PowerShell. This connector is ignored and I get a reply from checkTLS.com that the "Default Frontend exchange" is replying. How do I force the new public cert enabled connector to reply? It seems to be ignored completely even though it is more restrictive.

    More restrictive how? If the connector is for a partner, how do you configure that? If it's by IP of the partner, how would it possibly work testing from a 3rd party site like CheckTLS?

    Did you follow

    https://technet.microsoft.com/en-us/library/jj673037(v=exchg.150).aspx

    9 June 2018 19:26
  • You shouldn't have to create a connector to "enable TLS" since opportunistic TLS is employed by the default send connector by default.

    Please post the configuration details of the send connector so that we don't have to guess as to what you've done.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    9 June 2018 21:35
    Moderator
  • Thanks for the prompt response, I did follow the instructions in the link. The restriction I presume is more restrictive because of few IP addresses and the few domain names. I added the IP address for the CheckTLS to the partner IP address on the receive connection and the domain names to the send connector.
    9 June 2018 23:17
  • The partner send connector

    Get-SendConnector -identity "xxxx TLS" | FL

    AddressSpaces                : {SMTP:xxx.co.uk;1, SMTP:xxxxxtls.com;1, SMTP:xxxx.com.hk;1, SMTP:xxxx.com;1}
    AuthenticationCredential     :
    CloudServicesMailEnabled     : False
    Comment                      :
    ConnectedDomains             : {}
    ConnectionInactivityTimeOut  : 00:10:00
    DNSRoutingEnabled            : True
    DomainSecureEnabled          : True
    Enabled                      : True
    ErrorPolicies                : Default
    ForceHELO                    : True
    Fqdn                         : autodiscover.xx-xxxxxxx.co.uk
    FrontendProxyEnabled         : False
    HomeMTA                      : Microsoft MTA
    HomeMtaServerId              : xxxxxxxx2013
    Identity                     : xxxx TLS
    IgnoreSTARTTLS               : False
    IsScopedConnector            : False
    IsSmtpConnector              : True
    MaxMessageSize               : 35 MB (36,700,160 bytes)
    Name                         : xxxx TLS
    Port                         : 25
    ProtocolLoggingLevel         : Verbose
    RequireOorg                  : False
    RequireTLS                   : True
    SmartHostAuthMechanism       : None
    SmartHosts                   : {}
    SmartHostsString             :
    SmtpMaxMessagesPerConnection : 20
    SourceIPAddress              : 0.0.0.0
    SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
    SourceTransportServers       : {xxxxxxxx2013}
    TlsAuthLevel                 :
    TlsCertificateName           : <I>CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US<S>CN=mail.xx-yyyyyyyyy.co.uk, OU=Domain Control Validated
    TlsDomain                    :
    UseExternalDNSServersEnabled : False

    9 June 2018 23:21
  • Is autodiscover.xx-xxxxxxx.co.uk in the certificate?  Does that Internet host name point to the server's Internet IP address?  The destination addresses of the messages match the names in the AddressSpaces property, correct?

    Have you looked at the SMTP protocol log to verify which connector is being chosen for the messages in question?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    10 June 2018 6:48
    Moderator
  • The autodiscover.xx-xxxxxxx.co.uk is in the certificate. The Internet hostname does point to the certificate; they are successfully using RWW & OWA. I am not sure that I understand your meaning "The destination addresses of the messages match the names in the AddressSpaces property, correct?".

    I will take a look at the SMTP log.

    12 June 2018 13:38
  • The SMTP log just confirms that the default (non-TLS) receive connector is getting reached by checkTLS and therefore the wrong certificate and domain name (.local) are approached by checkTLS.

    I created in a test lab an identical scenario with a single exception: there is only one NIC on the Exchange VM. This connected perfectly to checkTLS.

    The question remains what can I do to force the use of the TLS connector by these two domains: the partner and checkTLS.

    12 June 2018 18:37
  • The SMTP log just confirms that the default (non-TLS) receive connector is getting reached by checkTLS and therefore the wrong certificate and domain name (.local) are approached by checkTLS.

    I created in a test lab an identical scenario with a single exception: there is only one NIC on the Exchange VM. This connected perfectly to checkTLS.

    The question remains what can I do to force the use of the TLS connector by these two domains: the partner and checkTLS.


    By remote IP on the TLS receive connector. The remote IP represents the sending servers' IPs/IP range.
    12 June 2018 18:54
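The last reply rests on the rule Exchange uses to pick a receive connector: among connectors listening on the port the session arrives on, the one whose RemoteIPRanges entry most specifically (the smallest range) contains the sending server's IP wins, so a catch-all Default Frontend connector loses only to a connector that explicitly lists the sender. The following is an added, simplified stand-alone model of that rule, not Exchange code or anything from this thread; the connector names, ranges and the tester IP are constructed.

```python
"""Simplified model of Exchange 2013 receive-connector selection:
the connector whose RemoteIPRanges entry is the smallest range
containing the sender's IP handles the session.  Connector names
and addresses are constructed for this example; the local binding
(IP:port) is assumed to match for every connector shown."""
import ipaddress

# Constructed connector set: the default catch-all plus a partner TLS
# connector scoped only to the partner's range (198.51.100.0/24).
CONNECTORS = {
    "Default Frontend EX2013": [
        "0.0.0.0-255.255.255.255",
        "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
    ],
    "Partner TLS": ["198.51.100.0/24"],
}


def parse_range(spec):
    """Accept CIDR, a single IP, or the 'start-end' form Exchange displays."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return start, end
    net = ipaddress.ip_network(spec, strict=False)  # single IP becomes /32 or /128
    return net[0], net[-1]


def select_connector(connectors, remote_ip):
    """Return the connector name that would answer a session from remote_ip."""
    ip = ipaddress.ip_address(remote_ip)
    best = None  # (name, range size): smallest containing range wins
    for name, ranges in connectors.items():
        for spec in ranges:
            start, end = parse_range(spec)
            if start.version != ip.version or not (start <= ip <= end):
                continue
            size = int(end) - int(start) + 1
            if best is None or size < best[1]:
                best = (name, size)
    return best[0] if best else None


def add_sender_to_partner(connectors, sender_ip):
    """Copy of the config with one sender (e.g. a test service) added to the
    partner connector's RemoteIPRanges, mirroring the advice in the thread."""
    updated = {name: list(ranges) for name, ranges in connectors.items()}
    updated["Partner TLS"].append(sender_ip)
    return updated
```

A session from an IP outside the partner range lands on the default connector until that IP is added to the partner connector; the model ignores the Bindings property, so on a multi-NIC server also confirm the TLS connector is bound to the address the session actually arrives on.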