Monday, July 13th, 2009
Filed under: Microsoft Exchange Server, Security, Windows Server

Updated: renazonse @ 10:42 am


Exchange 2007 SSL Certificate Installation

Unlike Exchange 2003, Exchange 2007 is configured with a self-signed certificate by default and is enabled for SSL upon installation. Exchange needs this certificate to work properly in most respects, and you’re better off replacing the self-generated cert with a cert from a trusted certificate authority. These certificates used to be extremely expensive, but these days you can get them dirt cheap in comparison from a CA like GoDaddy or DigiCert.

With the integration of the Exchange Management Shell, the cert request, installation and activation process is easily accomplished in only a few steps. I should also mention that Exchange 2007 introduces new requirements for the certificates used. Subject Alternative Name (SAN) certificates are multi-domain certificates that allow more than one FQDN. Exchange 2007 needs multiple domain names in a single cert: the names used by internal and external users, as well as the autodiscover domain name. Having a single cert for all these names streamlines and simplifies the process of installing the certificates.

    Generating the Certificate Request

  • Open the Exchange Management Shell
  • Type New-ExchangeCertificate -GenerateRequest -DomainName mail.company.com, autodiscover.company.com, servername, servername.company.local -FriendlyName mail.company.com -PrivateKeyExportable:$true -Path c:\certreq.txt
  • After you hit enter, the thumbprint of the cert will be generated and displayed.
  • Submit the generated certreq.txt when prompted by your chosen CA
  • Once you’ve acquired your certificate, save it to c:\mail.company.com.cer
  • Again from the Exchange Management Shell, type Import-ExchangeCertificate -Path c:\mail.company.com.cer | Enable-ExchangeCertificate -Services "POP, IMAP, IIS, SMTP"
  • After you hit enter, your new cert will be enabled for the services listed in the command. To verify the installation, use this command: Get-ExchangeCertificate | FL

This process can be done with a self-generated cert as long as that cert has been manually installed and trusted by the clients. To get more information on configuring a self-signed cert so your server doesn’t drive you crazy with password prompts, view this article.

If your users are getting random password prompts, it’s likely your certificate is configured incorrectly or is missing an FQDN that the clients need to successfully authenticate over SSL.
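A check for the missing-FQDN case described above, as an added example that is not part of the original post. The function names and the sample name lists are constructed for illustration; on a server the certificate's names would come from the CertificateDomains property shown by Get-ExchangeCertificate.

```powershell
# Added example: list the client-facing names a certificate does not cover.
# Test-NameMatch and Get-MissingCertName are hypothetical helper names.

function Test-NameMatch([string]$Pattern, [string]$Name) {
    $p = $Pattern.Trim().ToLower()
    $n = $Name.Trim().ToLower()
    if ($p -eq $n) { return $true }
    # A wildcard covers exactly one left-most label: *.company.com matches
    # mail.company.com, but not company.com or a.b.company.com.
    if ($p.StartsWith('*.')) {
        $dot = $n.IndexOf('.')
        if ($dot -gt 0) { return ($n.Substring($dot) -eq $p.Substring(1)) }
    }
    return $false
}

function Get-MissingCertName($CertDomains, $RequiredNames) {
    $missing = @()
    foreach ($name in $RequiredNames) {
        $covered = $false
        foreach ($domain in $CertDomains) {
            # "$domain" converts each certificate entry to its string form.
            if (Test-NameMatch "$domain" $name) { $covered = $true; break }
        }
        if (-not $covered) { $missing += $name }
    }
    return $missing
}

# Constructed sample: a certificate issued without the internal FQDN.
# On a server, replace the first line with (placeholder thumbprint):
#   $certDomains = (Get-ExchangeCertificate -Thumbprint '<thumbprint>').CertificateDomains
$certDomains = 'mail.company.com', 'autodiscover.company.com', 'servername'

# The names clients connect to, taken from the request command above.
$required = 'mail.company.com', 'autodiscover.company.com',
            'servername', 'servername.company.local'

$missing = @(Get-MissingCertName $certDomains $required)
if ($missing.Count -gt 0) {
    'Not covered by the certificate: ' + [string]::Join(', ', $missing)
} else {
    'All required names are covered.'
}
```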

Friday, June 12th, 2009
Filed under: DNS, Microsoft Exchange Server, Windows Server

Updated: renazonse @ 3:14 am


Sending Email from Exchange Using DNS instead of SmartHosts

A smarthost or your ISP’s outgoing SMTP server often lacks the capabilities required to host a quality mail server. Too often I’ve seen an ISP completely change the ports it uses, lock down access from your server, just plain suck at sending mail to certain domains, or even take forever to deliver the message to the recipient. If you experience any of these issues, you’ll probably be better off switching to the DNS/MX method of sending mail. Here’s the process:

    Exchange 2003

  • Exchange System Manager
  • Connectors
  • SMTP Connector
  • right click and go to Properties of your SMTP Connector
  • select “use DNS to route each address space on this connector”
  • select OK
  • restart the Simple Mail Transfer Protocol service (SMTP)

    Exchange 2007

  • Exchange Management Console
  • Organization Configuration
  • Hub Transport
  • Send Connectors
  • right click and go to Properties of your send connector
  • Network Tab
  • select “Use domain name system (DNS) “MX” records to route mail automatically”
  • select OK
  • restart the Exchange Transport service