Installing TLS Certificate

  • Installing TLS Certificate

    We made a certificate and it has an extension of .crt

    When I go to add it to the virtual server, Exchange prompts me for a .cer

    Are they interchangeable?

    Thank you,

    Marc
    Last edited by tnshurtm; 16th December 2006, 13:53.

  • #2
    Re: Installing TLS Certificate

    You created the wrong type of certificate. You should have created a certificate only - without a private key.

    Is this to Exchange email with external sources? If so you should use a commercial certificate that is trusted. A home grown self generated certificate will fail because of trust issues.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.

    • #3
      Re: Installing TLS Certificate

      So, I am guessing that changing the ext. will not work? I tried that and it installed fine, but I am not getting TLS...or so I am told:

      X-Server-Uuid: E03A4543-49B1-471B-BC52-81502E2AF30E
      Received: from EX03.mbaum.com (MAIL.MBAUM.COM [216.153.205.122]) by
      simsmtp01.cwdir.com (Tumbleweed MailGate) with ESMTP id A770A26C4439;
      Wed, 20 Dec 2006 05:29:41 -0800 (PST)


      I installed the cert through the wizard on my default virtual server and set up an outgoing SMTP connector for the one client that is requiring TLS.

      On the connector I checked TLS Encryption for Outbound Security.

      Help???
      Thank you,

      Marc

      • #4
        Re: Installing TLS Certificate

        If the client is asking for TLS for email delivery to them, then they are the ones who need to have the correct certificate. Your certificate is only used for delivery of messages for you.

        Do you have any other SMTP Connectors? If so, what is the cost of that connector? If it is 1 and the cost on the connector for TLS is also 1, then you need to review the costs. The cost for the connector with the unique domain needs to be 1, the other one needs to be 2.

        Simon.

        • #5
          Re: Installing TLS Certificate

          I changed the cost. I had not restarted the virtual server after installing the cert. Do you think that matters? Should I have to restart the whole server?

          Is there any website or some way to test to see if my server is attempting TLS?
          Thank you,

          Marc

          • #6
            Re: Installing TLS Certificate

            You do not have to restart anything. However, it can take a few minutes before Exchange updates itself with the new configuration and uses it.

            Simon.

            • #7
              Re: Installing TLS Certificate

              I figured as much. The person at the other end told me I should restart the virtual server. (They use Tumbleweed Mailgate).

              Is there any way to test my TLS handshake?

              I am assuming that the default install of the cert is "opportunistic"??

              Thank you very much for your help,

              Marc

              • #8
                Re: Installing TLS Certificate

                I have everything set up. Email goes out through my connector fine until I check the TLS required box. Then it hangs and I have seen the following messages:

                "The remote server did not respond to a connection attempt" and
                "The remote SMTP service does not support TLS."

                They say that they are receiving fine from many other domains using TLS.

                They mentioned checking any firewall, but I don't see any deny for TLS on my firewall.
                Thank you,

                Marc

                • #9
                  Re: Installing TLS Certificate

                  Ask them whether they are accepting TLS on port 25 or the other port - 465. Most people use port 25 now, but they could be on 465 still.

                  Simon.

                  • #10
                    Re: Installing TLS Certificate

                    They are using 25.
                    Thank you,

                    Marc

                    • #11
                      Re: Installing TLS Certificate

                      OK, to take out the possibility of my cert being crap, I went and bought one from Verisign.

                      I installed it, and I still have the problem that when I enable it on the connector I get a "The remote server did not respond to a connection attempt."

                      (See attachment)

                      They insist that since they are receiving TLS from other orgs, that it is our problem.

                      They actually said "Call Microsoft"

                      Please Help.....
                      Thank you,

                      Marc

                      • #12
                        Re: Installing TLS Certificate

                        Your certificate is only used for inbound email. Outbound email uses their certificate. Can you send email on TLS to them? If not, then something is interfering with the connection. Firewall would be the first place I would look at.

                        Simon.

                        • #13
                          Re: Installing TLS Certificate

                          Update:

                          They wanted to know what IP addr my server was trying to contact when sending to @countrywide.com. I maximized logging and found that it was attempting 12.41.194.167. They found this:

                          "Interesting, that relay should not be answering, can you try it to 12.164.229.24 and see what response you get."

                          Should I hard code this DNS entry and try this? Is the problem on their end? They still say I should call Microsoft. Should I? I don't think it is a Microsoft problem.

                          I can telnet from my Exchange server into theirs (simmail.cwdir.com). They asked to verify I saw starttls. How can I verify this? It didn't pop up when I telnet'd in.
                          Thank you,

                          Marc

                          • #14
                            Re: Installing TLS Certificate

                            The domain countrywide.com has two MX records.

                            simmail.cwdir.com 10
                            plamail.cwdir.com 20

                            simmail.cwdir.com resolves to 12.164.229.24
                            plamail.cwdir.com resolves to 12.41.194.167

                            For me, plamail.cwdir.com does not allow connections.
                            The other host does.

                            To test it, telnet to port 25 of simmail.cwdir.com

                            telnet simmail.cwdir.com 25
                            You will then get a banner

                            Type

                            ehlo mail.domain.com

                            where mail.domain.com is your server's external name.
                            You should then get back some results, one line of which is STARTTLS.

                            Now, not that I am being picky, but I don't like MX records in the DNS where there is no server responding. It causes problems like this. If they want alternative MX records for backup purposes there are other ways of doing it.

                            What has probably happened is that during your playing around, the DNS lookups have got cached and Exchange is trying to use the higher value MX records.

                            Drop in to a command prompt and type

                            ipconfig /flushdns

                            Then restart the Exchange Routing service. You may find that you have better luck.

                            Another option would be to change the SMTP Connector for this domain to use a smart host and enter their host "simmail.cwdir.com" as the smart host. That would mean all traffic for that domain goes to that host. Shouldn't be a problem unless they change something about their email configuration.
                            You shouldn't have to hard code settings like this, it rather defeats the object of DNS.

                            Simon.

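
The telnet check described in the post above can be scripted so the STARTTLS test is repeatable and also shows whether the remote certificate is trusted. This is an added example, not code from the thread or from Exchange; it uses only Python's standard library, and "mail.example.com" is a placeholder for your server's external name.

```python
import smtplib
import ssl


def parse_ehlo_reply(code, message):
    """Interpret the (code, message) pair smtplib returns from EHLO: a 250 reply
    has the greeting on line one and one ESMTP keyword per following line; any
    other code (e.g. the 502 "command not implemented" seen in this thread)
    means the host is not speaking ESMTP, so it cannot offer STARTTLS."""
    if code != 250:
        return {"esmtp": False, "starttls": False, "extensions": []}
    lines = message.decode("ascii", "replace").splitlines()
    extensions = [ln.split()[0].upper() for ln in lines[1:] if ln.strip()]
    return {"esmtp": True, "starttls": "STARTTLS" in extensions, "extensions": extensions}


def probe_starttls(host, port=25, helo_name="mail.example.com", timeout=10.0):
    """Connect to one MX host, send EHLO and, if STARTTLS is offered, finish the
    handshake against the system trust store, so a self-signed or mismatched
    certificate is reported as untrusted instead of passing silently.
    helo_name is a placeholder: pass your server's external name."""
    result = {"host": host, "connected": False, "starttls_offered": False,
              "tls_ok": False, "detail": ""}
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout)
        result["connected"] = True
        ehlo = parse_ehlo_reply(*smtp.ehlo())
        result["starttls_offered"] = ehlo["starttls"]
        if not ehlo["starttls"]:
            result["detail"] = "EHLO reply did not advertise STARTTLS"
            return result
        smtp.starttls(context=ssl.create_default_context())  # raises if verification fails
        result["tls_ok"] = True
        result["detail"] = "%s established, subject=%s" % (
            smtp.sock.version(), smtp.sock.getpeercert().get("subject"))
    except ssl.SSLCertVerificationError as exc:
        result["detail"] = "TLS negotiated but certificate not trusted: " + exc.verify_message
    except (OSError, smtplib.SMTPException) as exc:
        result["detail"] = "connection or protocol failure: %r" % (exc,)
    finally:
        if smtp is not None:
            smtp.close()
    return result


if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1]))  # e.g. python probe.py mx.example.net
```

A "connected" result with "starttls_offered" False matches the Exchange message "The remote SMTP service does not support TLS"; a connection failure on the first MX host points at DNS or firewall rather than at the certificate.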
                            • #15
                              Re: Installing TLS Certificate

                              I did the dnsflush, I pointed the connector to simmail and now I get this error:

                              (See attach)

                              And Exchange says "The remote SMTP Service does not support TLS."

                              I tried the telnet thing and get the 220 banner and type in ehlo ex03.mbaum.com
                              and get 502 Error Command not implemented. I also tried mail.mbaum.com
                              Thank you,

                              Marc
