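Microsoft Exchange could not find a certificate that contains the domain name XXXX in the personal store on the local computer. Therefore, it is unable to offer STARTTLS SMTP for any connector with an FQDN parameter of XXXXX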

  • Question

  • Hello, at the moment the mail server can only send mail and cannot receive it. I see the following error in the log; please take a look:

     

    Microsoft Exchange 在本地计算机上的个人存储中找不到包含域名 able-industries.com.cn 的证书。因此,无法为 FQDN 参数为 able-industries.com.cn 的任何连接器提供 STARTTLS SMTP 谓词。验证连接器配置和已安装的证书,以确保每个连接器 FQDN 均存在包含域名的证书。

     

    Below are the results returned by the commands:

     

    [PS] C:\Documents and Settings\Administrator>Get-exchangecertificate |  fl *


    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                           em.Security.AccessControl.CryptoKeyAccessRule, System.Se
                           curity.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {able-industries, able-industries.able.com}
    CertificateRequest   :
    IisServices          : {IIS://able-industries/W3SVC/1}
    IsSelfSigned         : True
    KeyIdentifier        : 20FF9EC9777256077822A6F559BCB07E4031E9D3
    RootCAType           : None
    Services             : IMAP, POP, IIS, SMTP
    Status               : Valid
    PrivateKeyExportable : False
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                           ography.Oid, System.Security.Cryptography.Oid, System.Se
                           curity.Cryptography.Oid}
    FriendlyName         : Microsoft Exchange
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    NotAfter             : 2009-3-11 14:41:22
    NotBefore            : 2008-3-11 14:41:22
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 3, 41, 48, 130, 2, 17, 160, 3, 2, 1, 2, 2, 16,
                            52...}
    SerialNumber         : 34208A00D71F489E4B229789C9C28A4C
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 75705E156F45568F60E961E31A5334779554E027
    Version              : 3
    Handle               : 488159520
    Issuer               : CN=able-industries
    Subject              : CN=able-industries

     

    [PS] C:\Documents and Settings\Administrator>Get-receiveconnector | fl


    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuth
                                              RequireTLS
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {0.0.0.0:587}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    Fqdn                                    : able-industries.com.cn
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : 600
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 100
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 64KB
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 3
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 10MB
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeUsers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    Server                                  : ABLE-INDUSTRIES
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Client ABLE-INDUSTRIES
    DistinguishedName                       : CN=Client ABLE-INDUSTRIES,CN=SMTP Rec
                                              eive Connectors,CN=Protocols,CN=ABLE-
                                              INDUSTRIES,CN=Servers,CN=Exchange Adm
                                              inistrative Group (FYDIBOHF23SPDLT),C
                                              N=Administrative Groups,CN=First Orga
                                              nization,CN=Microsoft Exchange,CN=Ser
                                              vices,CN=Configuration,DC=able,DC=com
    Identity                                : ABLE-INDUSTRIES\Client ABLE-INDUSTRIE
                                              S
    Guid                                    : e2e54ca0-9bd4-4374-9913-dcb977c4b7ef
    ObjectCategory                          : able.com/Configuration/Schema/ms-Exch
                                              -Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 2008-4-11 20:08:28
    WhenCreated                             : 2008-3-11 14:41:54
    OriginatingServer                       : able-industries.able.com
    IsValid                                 : True

    AuthMechanism                           : Tls
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    Fqdn                                    : able-industries.com.cn
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : unlimited
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 100
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 64KB
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 3
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 10MB
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : AnonymousUsers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    Server                                  : ABLE-INDUSTRIES
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default ABLE-INDUSTRIES
    DistinguishedName                       : CN=Default ABLE-INDUSTRIES,CN=SMTP Re
                                              ceive Connectors,CN=Protocols,CN=ABLE
                                              -INDUSTRIES,CN=Servers,CN=Exchange Ad
                                              ministrative Group (FYDIBOHF23SPDLT),
                                              CN=Administrative Groups,CN=First Org
                                              anization,CN=Microsoft Exchange,CN=Se
                                              rvices,CN=Configuration,DC=able,DC=co
                                              m
    Identity                                : ABLE-INDUSTRIES\Default ABLE-INDUSTRI
                                              ES
    Guid                                    : 6058c83a-e011-4ab5-a315-02d61247e827
    ObjectCategory                          : able.com/Configuration/Schema/ms-Exch
                                              -Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 2008-12-2 16:52:39
    WhenCreated                             : 2008-12-2 16:36:52
    OriginatingServer                       : able-industries.able.com
    IsValid                                 : True

     

    [PS] C:\Documents and Settings\Administrator>Get-sendconnector | fl


    AddressSpaces                : {smtp:*;1}
    AuthenticationCredential     :
    Comment                      :
    ConnectedDomains             : {}
    ConnectionInactivityTimeOut  : 00:10:00
    DNSRoutingEnabled            : True
    DomainSecureEnabled          : False
    Enabled                      : True
    ForceHELO                    : False
    Fqdn                         :
    HomeMTA                      : Microsoft MTA
    HomeMtaServerId              : ABLE-INDUSTRIES
    Identity                     : to internet mail
    IgnoreSTARTTLS               : False
    IsScopedConnector            : False
    IsSmtpConnector              : True
    LinkedReceiveConnector       :
    MaxMessageSize               : 10MB
    Name                         : to internet mail
    Port                         : 25
    ProtocolLoggingLevel         : Verbose
    RequireTLS                   : False
    SmartHostAuthMechanism       : None
    SmartHosts                   : {}
    SmartHostsString             :
    SourceIPAddress              : 0.0.0.0
    SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
    SourceTransportServers       : {ABLE-INDUSTRIES}
    UseExternalDNSServersEnabled : True

    AddressSpaces                : {smtp:*.mozart.inet.co.th;1}
    AuthenticationCredential     :
    Comment                      :
    ConnectedDomains             : {}
    ConnectionInactivityTimeOut  : 00:10:00
    DNSRoutingEnabled            : False
    DomainSecureEnabled          : False
    Enabled                      : True
    ForceHELO                    : False
    Fqdn                         :
    HomeMTA                      : Microsoft MTA
    HomeMtaServerId              : ABLE-INDUSTRIES
    Identity                     : mozart.inet.co.th
    IgnoreSTARTTLS               : False
    IsScopedConnector            : False
    IsSmtpConnector              : True
    LinkedReceiveConnector       :
    MaxMessageSize               : 10MB
    Name                         : mozart.inet.co.th
    Port                         : 25
    ProtocolLoggingLevel         : None
    RequireTLS                   : False
    SmartHostAuthMechanism       : None
    SmartHosts                   : {[203.150.14.107]}
    SmartHostsString             : [203.150.14.107]
    SourceIPAddress              : 0.0.0.0
    SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
    SourceTransportServers       : {ABLE-INDUSTRIES}
    UseExternalDNSServersEnabled : False

     


    Please help me resolve this. Thank you!

    December 2, 2008, 11:26

Answer

  • Hello!

     

    Based on the information you provided:

     

    CertificateDomains   : {able-industries, able-industries.able.com}

    Fqdn                                    : able-industries.com.cn

     

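    I found that the FQDN your receive connectors currently use is not defined in your CertificateDomains. In this case, we need to create a new certificate that contains the FQDN the connectors are using (that is, able-industries.com.cn). You can use the New-ExchangeCertificate command to create this certificate.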

     

    New-ExchangeCertificate

    http://technet.microsoft.com/zh-cn/library/aa998327.aspx

     

    If you choose to use a third-party certificate, you can generate a certificate request by following the method in the document below.

     

    Creating a TLS Certificate or Certificate Request

    http://technet.microsoft.com/zh-cn/library/aa998840.aspx

     

    Please apply the new certificate to the IMAP, POP, IIS, and SMTP services, and then check the result.

     

    Related documentation:

     

    Exchange was unable to load the STARTTLS certificate from the local store because of a mismatch with what is configured on the connector FQDN

    http://technet.microsoft.com/zh-cn/library/bb217330.aspx

     

    Thank you!

     

    Elvis Wei


     

    December 6, 2008, 7:37
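
The comparison the answer makes by eye (connector `Fqdn` against `CertificateDomains`) can be scripted. The following is an added example, not part of the original thread: `Test-NameCovered` and `Find-UncoveredConnector` are hypothetical helper names, the sample objects are constructed from the values posted in the question, and the wildcard and expiry checks go beyond the case discussed here.

```powershell
# Added example: list receive-connector FQDNs that no SMTP-enabled certificate covers.
function Test-NameCovered([string]$Fqdn, [string[]]$CertDomains) {
    foreach ($d in $CertDomains) {
        if ($d -eq $Fqdn) { return $true }              # exact match (-eq is case-insensitive)
        if ($d.StartsWith('*.')) {
            # A wildcard name covers exactly one left-most label.
            $suffix = [regex]::Escape($d.Substring(1))
            if ($Fqdn -match "^[^.]+$suffix`$") { return $true }
        }
    }
    return $false
}

function Find-UncoveredConnector($Connectors, $Certificates, [datetime]$Now = (Get-Date)) {
    # Only a valid, unexpired certificate with a private key and the SMTP service can back STARTTLS.
    $usable = @($Certificates | Where-Object {
        "$($_.Status)" -eq 'Valid' -and $_.HasPrivateKey -and
        $_.NotAfter -gt $Now -and "$($_.Services)" -match 'SMTP'
    })
    foreach ($c in $Connectors) {
        $fqdn = "$($c.Fqdn)"
        if (-not $fqdn) { continue }                    # blank Fqdn: nothing to compare, skipped
        $hit = $false
        foreach ($cert in $usable) {
            $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
            if (Test-NameCovered $fqdn $names) { $hit = $true; break }
        }
        if (-not $hit) { New-Object PSObject -Property @{ Connector = $c.Name; Fqdn = $fqdn } }
    }
}

# Constructed sample objects that mirror the output posted in the question.
$certs = @(New-Object PSObject -Property @{
    CertificateDomains = @('able-industries', 'able-industries.able.com')
    Services = 'IMAP, POP, IIS, SMTP'; Status = 'Valid'; HasPrivateKey = $true
    NotAfter = [datetime]'2009-03-11 14:41:22' })
$conns = @(
    New-Object PSObject -Property @{ Name = 'Client ABLE-INDUSTRIES';  Fqdn = 'able-industries.com.cn' }
    New-Object PSObject -Property @{ Name = 'Default ABLE-INDUSTRIES'; Fqdn = 'able-industries.com.cn' }
)
Find-UncoveredConnector $conns $certs ([datetime]'2008-12-02') | Format-Table Connector, Fqdn

# On the server, in the Exchange Management Shell, feed it the live objects instead:
#   Find-UncoveredConnector (Get-ReceiveConnector) (Get-ExchangeCertificate)
```

With the sample data both receive connectors are reported, because `able-industries.com.cn` appears in neither certificate domain. After a certificate containing that name is installed and enabled for SMTP, the same call should return nothing.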