Exchange 2003 TLS Wildcard Certificates

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Exchange 2003 TLS Wildcard Certificates

    Hello to all.

    Does anyone know if Exch 2K3 can support/use wildcard certificates (*.xyz.com)? A little background info:

    We have multiple MX and A records for our domain as we have multiple Internet links

    MX
    mail1.xyz.com 10
    mail2.xyz.com 15

    A
    mail1.xyz.com 10.0.0.1
    mail2.xyz.com 10.0.0.2

    (Examples only)

    I have managed (in our test environment) to configure TLS inbound and outbound but just using one MX record. I'm trialing a wildcard (commercial CA) cert *.xyz.com but the sending SMTP server fails to negotiate TLS, I'm thinking because of a certificate name mismatch.

    Can anyone offer me any advice?

    A secondary option:

    DNS round robin using just one MX record, multiple A records of the same name pointing to different IP addresses:

    MX
    mail1.xyz.com 10

    A
    mail1.xyz.com 10.0.0.1
    mail1.xyz.com 10.0.0.2

    (Examples only)

    Would prefer to use a wildcard certificate though.

    Many thanks

  • #2
    Re: Exchange 2003 TLS Wildcard Certificates

    Short answer - no.
    Different SMTP clients see the certificate as different things. Some will "know" that * is a wildcard, some will not. For maximum compatibility, you will need to use name specific certificates instead.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Exchange 2003 TLS Wildcard Certificates

      Thanks Simon.

      We have moved on slightly and now using a SAN/UCC certificate.

      Do you think this is more widely accepted, or do we still need specific common-name certs for each of our MX records even though they all point to the same SMTP server?

      Cheers,

      Andy



      • #4
        Re: Exchange 2003 TLS Wildcard Certificates

        If you want to use TLS on all of the domains that you host, then you need to change the MX record host name to the same one for all of them. When a remote server is connecting it will be looking for the certificate to be issued to the same host name that it is connecting to.

        While some servers will support the additional names, not all will; therefore, for maximum compatibility you should only use the common name on the certificate.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.
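As an added illustration of the name-matching behaviour Simon describes above (this is not code from the thread, from Exchange, or from any real SMTP client), here is a Python model of how a receiving server decides whether the certificate presented covers the MX host it connected to. The three client profiles ("modern" honours wildcards and SAN entries, "no_wildcard" honours SAN but not `*`, "cn_only" looks at the common name only) and the example certificates are constructed assumptions used to show why a wildcard cert fails with some peers while a SAN cert with every MX name, or one common name shared by all MX records, works more widely.

```python
import re

# Constructed inputs modelled on the thread's examples (placeholder domain, not real hosts).
MX_HOSTS = ["mail1.xyz.com", "mail2.xyz.com"]
WILDCARD_CERT = {"cn": "*.xyz.com", "sans": ["*.xyz.com"]}
SAN_CERT = {"cn": "mail1.xyz.com", "sans": ["mail1.xyz.com", "mail2.xyz.com"]}
SINGLE_CERT = {"cn": "mail1.xyz.com", "sans": []}

# A hostname label: letters, digits and hyphens only.
_LABEL = re.compile(r"^[a-z0-9-]+$")


def name_matches(pattern: str, host: str, allow_wildcard: bool) -> bool:
    """Match one certificate name against a host, RFC 6125 style: a wildcard
    is honoured only as the entire leftmost label, only for one label, and
    only when the client is willing to interpret '*' at all."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not allow_wildcard or not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Refuse '*.com'-style patterns and require the same label count.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and _LABEL.match(h_labels[0]) is not None


def cert_accepts_host(cert: dict, host: str, allow_wildcard: bool, check_san: bool) -> bool:
    """Assumed client behaviour: SAN-aware clients use the SAN list when present;
    legacy (check_san=False) clients compare the common name only."""
    names = list(cert["sans"]) if (check_san and cert["sans"]) else [cert["cn"]]
    return any(name_matches(n, host, allow_wildcard) for n in names)


# Modelled client profiles (assumptions, not measured behaviour of any product).
CLIENTS = {
    "modern": (True, True),        # wildcard ok, SAN ok
    "no_wildcard": (False, True),  # SAN ok, '*' treated literally
    "cn_only": (False, False),     # common name only, no wildcard
}


def coverage(cert: dict) -> dict:
    """Which MX hosts each modelled client would accept for this certificate."""
    return {name: [h for h in MX_HOSTS if cert_accepts_host(cert, h, w, s)]
            for name, (w, s) in CLIENTS.items()}
```

Running `coverage()` over the three certificates reproduces the thread's conclusion: the wildcard cert is accepted by the "modern" profile only, the SAN cert by everything except the common-name-only peer for mail2, and a single-name cert only for the host it names.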



        • #5
          Re: Exchange 2003 TLS Wildcard Certificates

          Thank you for the advice, most appreciated.

          Andy
