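Exchange 2016: after updating the certificate, mail cannot be sent to external addresses; receiving external mail works, and internal sending and receiving both work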

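  • Question

  • The problem is as in the title:

    We previously used a purchased public certificate; after it expired we switched to a certificate requested from AD. Nothing else was changed. Internal sending and receiving are both normal now, but mail to external mailboxes (neither the client nor the web works) is always delayed. Could any expert tell me what the problem might be?

    The certificate information is as follows: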

    [PS] C:\Windows\system32>Get-ExchangeCertificate | fl *


    PSComputerName       : exchange02.xxx.com
    RunspaceId           : 09286abd-e410-4516-847f-f1a530f6e227
    PSShowComputerName   : False
    EnhancedKeyUsageList : {服务器身份验证 (1.3.6.1.5.5.7.3.1)}
    DnsNameList          : {mail.xxx.com, exchange01.xxx.com, AutoDiscover.xxx.com, xxx.com}
    SendAsTrustedIssuer  : False
    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcces
                           sRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {mail.xxx.com, exchange01.xxx.com, AutoDiscover.xxx.com, xxx.com}
    CertificateRequest   :
    IisServices          : {IIS://Exchange02/W3SVC/1, IIS://Exchange02/W3SVC/2}
    IsSelfSigned         : False
    KeyIdentifier        : 678B14040D42926F53EBB6E9382EB694A9AF87CC
    RootCAType           : Enterprise
    Services             : IMAP, POP, IIS, SMTP
    Status               : Valid
    SubjectKeyIdentifier : 678B14040D42926F53EBB6E9382EB694A9AF87CC
    PrivateKeyExportable : True
    PublicKeySize        : 2048
    Identity             : Exchange02.xxx.com\EB9600EF57C459933AAD9B61B8ECCB7D961E2492
    ServicesStringForm   : IP.WS..
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptograph
                           y.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Crypt
                           ography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName         : mail
    IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter             : 2020/8/14 14:47:59
    NotBefore            : 2018/8/15 14:47:59
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 5, 204, 48, 130, 4, 180, 160, 3, 2, 1, 2, 2, 19, 90...}
    SerialNumber         : 5A000000115916CCC4FC52F010000000000011
    SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : EB9600EF57C459933AAD9B61B8ECCB7D961E2492
    Version              : 3
    Handle               : 133874282368
    Issuer               : CN=xxx-AD01-CA, DC=xxx, DC=com
    Subject              : CN=mail.xxx.com, OU=IT, O=杭州XX, L=hz, S=zj, C=CN

    PSComputerName       : exchange02.xxx.com
    RunspaceId           : 09286abd-e410-4516-847f-f1a530f6e227
    PSShowComputerName   : False
    EnhancedKeyUsageList : {服务器身份验证 (1.3.6.1.5.5.7.3.1)}
    DnsNameList          : {Federation}
    SendAsTrustedIssuer  : False
    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcces
                           sRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {Federation}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 0CEE8F86D8773616DC35E81249590E5272B5BC2A
    RootCAType           : None
    Services             : SMTP, Federation
    Status               : Valid
    SubjectKeyIdentifier : AF8A22483ADF4049B6AC311E5269FBD5
    PrivateKeyExportable : True
    PublicKeySize        : 2048
    Identity             : Exchange02.xxx.com\2F63354048EB8DD8963D61E957A402F4F58DCC83
    ServicesStringForm   : ....SF.
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptograph
                           y.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName         : Exchange Delegation Federation
    IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter             : 2022/6/5 15:38:10
    NotBefore            : 2017/6/5 15:38:10
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 3, 27, 48, 130, 2, 3, 160, 3, 2, 1, 2, 2, 16, 32...}
    SerialNumber         : 2072C6A232A952B7403FC392047CA086
    SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 2F63354048EB8DD8963D61E957A402F4F58DCC83
    Version              : 3
    Handle               : 133874281856
    Issuer               : CN=Federation
    Subject              : CN=Federation

    PSComputerName       : exchange02.xxx.com
    RunspaceId           : 09286abd-e410-4516-847f-f1a530f6e227
    PSShowComputerName   : False
    EnhancedKeyUsageList : {服务器身份验证 (1.3.6.1.5.5.7.3.1)}
    DnsNameList          : {Exchange02, Exchange02.xxx.com}
    SendAsTrustedIssuer  : False
    AccessRules          :
    CertificateDomains   : {Exchange02, Exchange02.xxx.com}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 8890ABEEBA39754E0DDDFD669EA9122F2311FDF0
    RootCAType           : Registry
    Services             : SMTP
    Status               : Valid
    SubjectKeyIdentifier :
    PrivateKeyExportable : False
    PublicKeySize        : 2048
    Identity             : Exchange02.xxx.com\2A2CE0C0E60FF3BC41CB801DC6E510E94F1B9D96
    ServicesStringForm   : ....S..
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptograph
                           y.Oid, System.Security.Cryptography.Oid}
    FriendlyName         : Microsoft Exchange
    IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter             : 2022/5/26 1:16:49
    NotBefore            : 2017/5/26 1:16:49
    HasPrivateKey        : True
    PrivateKey           :
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 3, 26, 48, 130, 2, 2, 160, 3, 2, 1, 2, 2, 16, 31...}
    SerialNumber         : 1F3AD1322DCEB9B94B42AAC09D694811
    SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 2A2CE0C0E60FF3BC41CB801DC6E510E94F1B9D96
    Version              : 3
    Handle               : 133874276224
    Issuer               : CN=Exchange02
    Subject              : CN=Exchange02

    PSComputerName       : exchange02.xxx.com
    RunspaceId           : 09286abd-e410-4516-847f-f1a530f6e227
    PSShowComputerName   : False
    EnhancedKeyUsageList : {服务器身份验证 (1.3.6.1.5.5.7.3.1)}
    DnsNameList          : {WMSvc-EXCHANGE02}
    SendAsTrustedIssuer  : False
    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcces
                           sRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKe
                           yAccessRule}
    CertificateDomains   : {WMSvc-EXCHANGE02}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 2F779B89AFCF0684AB7BA82F2A69B12FBA29A749
    RootCAType           : Registry
    Services             : None
    Status               : Valid
    SubjectKeyIdentifier :
    PrivateKeyExportable : True
    PublicKeySize        : 2048
    Identity             : Exchange02.xxx.com\FDAA42E39F8D780C05E4EA3DC07A80E047D72C77
    ServicesStringForm   : .......
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName         : WMSVC
    IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter             : 2027/5/23 10:53:07
    NotBefore            : 2017/5/25 10:53:07
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 2, 231, 48, 130, 1, 207, 160, 3, 2, 1, 2, 2, 16, 66...}
    SerialNumber         : 42857CA9105080A24F2CC02E2CBF006F
    SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : FDAA42E39F8D780C05E4EA3DC07A80E047D72C77
    Version              : 3
    Handle               : 133874282240
    Issuer               : CN=WMSvc-EXCHANGE02
    Subject              : CN=WMSvc-EXCHANGE02

    PSComputerName       : exchange02.xxx.com
    RunspaceId           : 09286abd-e410-4516-847f-f1a530f6e227
    PSShowComputerName   : False
    EnhancedKeyUsageList : {服务器身份验证 (1.3.6.1.5.5.7.3.1)}
    DnsNameList          : {Microsoft Exchange Server Auth Certificate}
    SendAsTrustedIssuer  : False
    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcces
                           sRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKe
                           yAccessRule}
    CertificateDomains   : {}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 58EA16CE3A0FEC6486FB6E89DFFC7CB215D29146
    RootCAType           : None
    Services             : SMTP
    Status               : Valid
    SubjectKeyIdentifier :
    PrivateKeyExportable : True
    PublicKeySize        : 2048
    Identity             : Exchange02.xxx.com\FE95CFAD4210AF78850F008494627D947DB71D08
    ServicesStringForm   : ....S..
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptograph
                           y.Oid}
    FriendlyName         : Microsoft Exchange Server Auth Certificate
    IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter             : 2022/4/29 7:55:35
    NotBefore            : 2017/5/25 7:55:35
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 3, 41, 48, 130, 2, 17, 160, 3, 2, 1, 2, 2, 16, 20...}
    SerialNumber         : 14AC5694071A33BA4488311A62F33CC2
    SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : FE95CFAD4210AF78850F008494627D947DB71D08
    Version              : 3
    Handle               : 133874280320
    Issuer               : CN=Microsoft Exchange Server Auth Certificate
    Subject              : CN=Microsoft Exchange Server Auth Certificate

    Delayed delivery:

    xxxxxxx@qq.com
    Remote Server returned '400 4.4.7 Message delayed'


    Original message headers:

    Received: from Exchange02.xxx.com (172.17.0.12) by
     Exchange02.xxx.com (172.17.0.12) with Microsoft SMTP Server (TLS) id
     15.1.225.42; Wed, 15 Aug 2018 23:57:16 +0800
    Received: from Exchange02.xxx.com ([fe80::d135:7741:681a:c5d]) by
     Exchange02.xxx.com ([fe80::d135:7741:681a:c5d%15]) with mapi id
     15.01.0225.041; Wed, 15 Aug 2018 23:57:16 +0800
    From: =?gb2312?B?zfXR7sHW?= <wangyanglin@xxx.com>
    To: "59280730@qq.com" <59280730@qq.com>
    Subject: =?gb2312?B?suLK1NPKvP4=?=
    Thread-Topic: =?gb2312?B?suLK1NPKvP4=?=
    Thread-Index: AQHUNLCjxAdHCtEqfkq1zAdxAiaf2w==
    Date: Wed, 15 Aug 2018 15:57:16 +0000
    Message-ID: <77886931913f44038f5d9b518a0e0c60@xxx.com>
    Accept-Language: zh-CN, en-US
    Content-Language: zh-CN
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    x-originating-ip: [172.17.3.60]
    Content-Type: multipart/alternative;
    boundary="_000_77886931913f44038f5d9b518a0e0c60lvwaninccom_"
    MIME-Version: 1.0


    August 16, 2018 3:51

All replies

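  • Hello,

    By "a certificate requested from AD", do you mean a certificate issued by your internal CA? First, a certificate issued by an internal CA is not automatically trusted by all clients; we can refer to the following article: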

    Digital certificates and encryption in Exchange 2016

    https://docs.microsoft.com/en-us/exchange/architecture/client-access/certificates

     

    The certificate isn't automatically trusted by client computers and mobile devices. The certificate needs to be manually added to the trusted root certificate store on all client computers and devices, but not all mobile devices allow changes to the trusted root certificate store.

     

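    Regarding the current issue: from outside, the mailbox can still be logged in to normally, whether through Outlook or OWA, is that right? Please use the Microsoft Remote Connectivity Analyzer to test whether Outlook connectivity and Outbound SMTP email are both working normally: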

    https://testconnectivity.microsoft.com/


    Regards,

    Gavin Gao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    • Proposed as answer by Gavin-Gao, September 14, 2018 2:13
    August 16, 2018 8:56
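
The trust point made in the reply above, as an added example that is not part of the thread or of Microsoft's tooling: a PowerShell function that lists certificates bound to Exchange services which outside parties will not trust automatically, because they are self-signed or carry one of the `RootCAType` values seen in the question's output. The function name `Get-UntrustedServiceCert`, the 30-day expiry threshold and the sample objects (placeholder thumbprints and domains) are assumptions made for illustration.

```powershell
# Added example: sample rows are constructed, thumbprints are placeholders.
function Get-UntrustedServiceCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Certificate,
        # RootCAType values from the question's output that do not chain to a public root
        [string[]]$InternalRootTypes = @('Enterprise', 'Registry', 'None'),
        [int]$ExpiryWarningDays = 30
    )
    process {
        # Services is a flags enum on live objects and a string in the samples
        $services = @("$($Certificate.Services)" -split '\s*,\s*' |
            Where-Object { $_ -and $_ -ne 'None' })
        if ($services.Count -eq 0) { return }   # bound to nothing, never presented

        $reasons = @()
        if ($Certificate.IsSelfSigned) { $reasons += 'self-signed' }
        if ($InternalRootTypes -contains "$($Certificate.RootCAType)") {
            $reasons += "RootCAType=$($Certificate.RootCAType)"
        }
        $daysLeft = [math]::Floor(([datetime]$Certificate.NotAfter - (Get-Date)).TotalDays)
        if ($daysLeft -lt $ExpiryWarningDays) { $reasons += "expires in $daysLeft days" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Thumbprint = $Certificate.Thumbprint
                Services   = $services -join ', '
                Domains    = $Certificate.CertificateDomains -join ', '
                Reasons    = $reasons -join '; '
            }
        }
    }
}

$sample = @(
    [pscustomobject]@{ Thumbprint = 'PLACEHOLDER-CA-ISSUED'; Services = 'IMAP, POP, IIS, SMTP'
        RootCAType = 'Enterprise'; IsSelfSigned = $false
        CertificateDomains = @('mail.example.test', 'autodiscover.example.test')
        NotAfter = (Get-Date).AddDays(700) }
    [pscustomobject]@{ Thumbprint = 'PLACEHOLDER-UNBOUND'; Services = 'None'
        RootCAType = 'Registry'; IsSelfSigned = $true
        CertificateDomains = @('WMSvc-HOST'); NotAfter = (Get-Date).AddDays(3000) }
)
$sample | Get-UntrustedServiceCert | Format-List
# On an Exchange server: Get-ExchangeCertificate | Get-UntrustedServiceCert
```

Only the first sample row is reported; the second is skipped because it is not bound to any service and is therefore never presented to a client.
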
  • Hello,

    Has the problem been resolved?

    If the suggestions above were useful, please mark them as the answer when you have time.

    Regards,

    Gavin Gao



    August 23, 2018 7:19