Hi
I have a requirement to secure the traffic from my company domain (CompanyA.co.uk) to another domain (CompanyB.com), and also (obviously) I do not want to disrupt the rest of my company email! I have got tremendously confused researching this today and yesterday.
Currently we have one Exchange 2007 Server which does all our company email. It has one send connector which is specified to send to any address using DNS, and the checkbox for 'Enable Mutual Auth TLS' is unticked. It also has two receive connectors, a server connector on port 25 and a client connector on port 587. Both receive connectors accept anonymous connections and neither has the checkbox ticked for TLS. It has been up and running for 5 years now and has worked well.
To secure traffic to one particular domain and leave the rest of my traffic alone, I think I need to create a new Send Connector and specify the address space as the domain I would like to send to. Is this correct?
Tech support at GoDaddy (certificate suppliers) have just told me that this is not possible: "When you apply a certificate to your mail server, it will encrypt all outgoing email. It doesn’t allow you to specify a domain you’re sending TO."
Sadly GoDaddy tech support does not support Exchange, so they cannot clarify that statement, so I'm just left wondering... (but I'm hoping they are wrong).
The next step (I think) is to purchase a Standard SSL certificate. This is my certificate request:
New-ExchangeCertificate -generaterequest -keysize 2048 -subjectname "c=uk, l=City, s=County, o=Company Ltd,cn=mail.company.co.uk" -domainname company.co.uk,company.local,autodiscover.company.co.uk,owa1.company.local,owa1 -PrivateKeyExportable $true -path c:\temp\certrequest.txt
I am wondering if all the extra Subject Alternative Names are necessary (e.g. autodiscover and owa1)? But this is probably a minor point.
Most of all I still can't see how it will work once I get my new certificate.
I have tried creating a new Send Connector and there is nothing in the properties where I can point the new connector at a particular certificate.
I want all mail addressed to CompanyB.com to get sent encrypted using the new certificate I'm about to buy. I want all other mail to just get sent out as it has been before. I know Exchange 2007 can do this.
If anyone can help with the points I'm stuck on I would be grateful.
Note: I have read a lot of articles on this, so please don't just send me lots of links - unless they really worked for you. I think a lot of the stuff online is written by Exchange experts for other Exchange experts. I'm just a sysadmin who dips into Exchange as and when needed, therefore I was hoping it would be possible to do this without learning every nuance of the entire Windows PKI infrastructure, especially for such a simple scenario.
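Added example (not part of the original post, and not code from the poster or from Microsoft documentation): the Exchange Management Shell steps that implement the "dedicated Send Connector for one domain" approach the question describes. It assumes a Hub Transport server named EXCH01, a connector name of CompanyB-TLS, and that the new certificate's subject or SAN contains mail.company.co.uk; the thumbprint is a placeholder to be read from Get-ExchangeCertificate. The key point it illustrates is that there is no per-connector certificate property: Exchange chooses the SMTP-enabled certificate whose name matches the connector's -Fqdn, so the certificate is selected indirectly through that FQDN, and TLS is enforced per connector with -RequireTLS.

```powershell
# Added example: route mail for one domain through its own Send Connector and
# require TLS there only. Server name, connector name and thumbprint below are
# placeholders/assumptions, not values from the original post.

# 1. Create the dedicated connector. Its only address space is CompanyB.com, so
#    Exchange routes mail for that domain here (the more specific address space
#    wins) while everything else keeps using the existing "*" connector.
New-SendConnector -Name "CompanyB-TLS" `
    -Usage Custom `
    -AddressSpaces "CompanyB.com" `
    -DNSRoutingEnabled $true `
    -Fqdn "mail.company.co.uk" `
    -SourceTransportServers "EXCH01"    # assumption: your Hub Transport server

# 2. Require TLS on this connector only. If CompanyB's server does not offer
#    STARTTLS, mail for them stays in the queue instead of going out in clear.
#    The existing catch-all connector is not touched, so other mail is unaffected.
Set-SendConnector -Identity "CompanyB-TLS" -RequireTLS $true

# 3. Enable the new certificate for the SMTP service. Exchange then presents the
#    SMTP-enabled certificate whose subject/SAN matches the connector's -Fqdn,
#    which is how the "point the connector at a certificate" part actually works.
Enable-ExchangeCertificate -Thumbprint "<thumbprint of the new certificate>" -Services SMTP

# 4. Verify: only the new connector should show RequireTLS = True.
Get-SendConnector | Format-Table Name, AddressSpaces, Fqdn, RequireTLS, DNSRoutingEnabled -AutoSize

# 5. Optional check while testing: verbose protocol logging on this connector
#    records the STARTTLS exchange in the send protocol log on the Hub server.
Set-SendConnector -Identity "CompanyB-TLS" -ProtocolLoggingLevel Verbose
```

The 'Enable Mutual Auth TLS' checkbox mentioned in the post is a different feature (Domain Security, which also needs TLSSendDomainSecureList in Set-TransportConfig and a certificate the other side trusts); for "encrypt everything to CompanyB.com" the plain -RequireTLS setting above is the simpler mechanism.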