
I am hoping to get a couple ideas regarding an issue we have come across.

Exchange 2007 server was set up and has a FQDN of servername.domain.local which is obviously a local domain name.

The server needs to be configured for TLS with the appropriate public facing FQDN.

I have generated a new self signed certificate for the public domain using the Exchange Management Console.

The problem is, if you change the FQDN from the local to the public on the receive connector, 250 STARTTLS is disabled. If you change it back to the local, TLS is enabled, but the SMTP banner no longer matches the public facing domain name.

I don't want to pick one out of the two; I would like both. How can I configure the FQDN on the receive connector to be the public facing domain name and still have TLS active?

Thank you for any assistance in this.

Sabyre

2 Answers

You need to create a second receive connector.

The reason the setting changes is because the server's real name has to be on the FQDN of the receive connector when Exchange Authentication is enabled. It isn't recommended to change the configuration of the Default Receive connector, other than enabling anonymous authentication.

However, if you are going to use a self signed certificate, you may as well issue it for the server's real name. It is still going to fail any certificate tests.

The FQDN on the Receive Connector makes no difference to TLS inbound in my experience. What the remote server is looking for is the certificate to match the host that it is connecting to.

If your MX record is mail.example.com then the SSL certificate would need to be mail.example.com. My receive connectors are all the server's real name, and I receive TLS emails all day.

Sembee

I was able to resolve this by simply re-issuing the certificate as advised here: http://www.msexchange.org/articles-tutorials/exchange-server-2007/management-administration/managing... Figure: 10.

New-ExchangeCertificate -FriendlyName "DSI Exchange Cert" -SubjectName "cn=mail.itdsi.com" -DomainName mail.itdsi.com,MAGBAL,MAGBAL.dsi.local,autodiscover.itdsi.com -PrivateKeyExportable:$True | Enable-ExchangeCertificate -Services POP,IMAP,IIS,SMTP

Use: Get-ExchangeCertificate | fl to list current certs. Remove any unnecessary ones.

TLS is employed when a proper certificate is found for the FQDN listed in the receive connector.

Sabyre
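Putting the two answers together (a second receive connector that advertises the public name, and a check that an SMTP-enabled certificate actually covers that name), as an added Exchange Management Shell example that is not from either poster. The server name MAGBAL comes from the thread; mail.example.com and 192.0.2.10 are placeholders, and the connector name is my own.

```powershell
# Added example, not code from the thread. Assumes an Exchange 2007 Management
# Shell session on the Hub Transport server MAGBAL (name from the thread).
$Server     = "MAGBAL"
$PublicFqdn = "mail.example.com"   # placeholder: the name your MX record points at
$PublicIp   = "192.0.2.10"         # constructed placeholder: the IP that name resolves to

# 1. Leave the Default receive connector alone. Its FQDN must stay the server's
#    real name because it offers Exchange Server authentication (answer 1).
# 2. Add a second connector for Internet mail that advertises the public name.
#    Its binding and RemoteIPRanges must not collide with the Default connector,
#    hence the binding to the public IP only rather than 0.0.0.0.
New-ReceiveConnector -Name "Internet ($PublicFqdn)" -Server $Server -Usage Internet `
    -Bindings "$($PublicIp):25" -RemoteIPRanges "0.0.0.0-255.255.255.255" -Fqdn $PublicFqdn

# TLS as the only auth mechanism (no ExchangeServer auth, which is what ties the
# FQDN to the host name) and anonymous senders, as a public MX needs.
Set-ReceiveConnector "$Server\Internet ($PublicFqdn)" -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 3. 250-STARTTLS is only advertised when a certificate enabled for the SMTP
#    service lists the FQDN the connector announces (answer 2). Verify that
#    instead of assuming it. Returns the matching certificate(s), or nothing.
function Get-SmtpCertificateForFqdn {
    param([string]$Fqdn)
    Get-ExchangeCertificate | Where-Object {
        ("$($_.Services)" -match "SMTP") -and
        (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $Fqdn)
    }
}

$cert = Get-SmtpCertificateForFqdn $PublicFqdn
if ($cert) {
    $cert | Select-Object Thumbprint, Subject, NotAfter, IsSelfSigned
} else {
    Write-Warning "No SMTP-enabled certificate lists $PublicFqdn; STARTTLS will not be offered on that connector."
}
```

A self-signed certificate will still fail validation at the sending side, as answer 1 notes; this check only tells you whether STARTTLS will be advertised at all.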