Unlike Exchange 2003, Exchange 2007 is automatically configured with a self-signed certificate and is enabled for SSL upon installation. This certificate is required for most of Exchange's functionality to work properly, and you're better off replacing the self-generated cert with one from a trusted certificate authority. These certificates used to be extremely expensive; these days you can get them dirt cheap in comparison from a CA like GoDaddy or DigiCert.
With the integration of the Exchange Management Shell, the cert request, installation and activation process is accomplished in only a few steps. I should also mention that with the introduction of Exchange 2007 there are new requirements for the certificates used. Subject Alternative Name (SAN) certificates are multi-domain certificates that cover more than one FQDN. Exchange 2007 needs multiple domain names in a single cert: the names used by internal and external users as well as the autodiscover domain name. Having a single cert for all these names streamlines and simplifies installing the certificates.
Generating the Certificate Request
- Open the Exchange Management Shell
- Type New-ExchangeCertificate -GenerateRequest -DomainName mail.company.com, autodiscover.company.com, servername, servername.company.local -Friendlyname mail.company.com -PrivateKeyExportable:$true -Path c:\certreq.txt
- After you hit Enter, the request is written to c:\certreq.txt and the thumbprint of the cert is displayed.
- Use the generated certreq.txt when prompted at your chosen CA
- Once you’ve acquired your certificate save it to c:\mail.company.com.cer
- Again from the Exchange Management Shell, type Import-ExchangeCertificate -Path c:\mail.company.com.cer | Enable-ExchangeCertificate -Services "POP, IMAP, IIS, SMTP"
- After you hit Enter, your new cert will be enabled for the services listed in the command. To verify the installation, run Get-ExchangeCertificate | FL
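The steps above as one Exchange Management Shell script, plus the check a practitioner wants afterwards: that the certificate now bound to IIS really covers every name clients connect with. This is an added example, not code from the original post; the names, file paths and friendly name are the placeholders from the steps above, Test-ExchangeCertificateNames is a hypothetical helper written here, and it assumes PowerShell 2.0 or later for New-Object -Property.

```powershell
# Added example (not from the original post). Names, paths and the friendly name
# are placeholders copied from the steps above; replace them with your own.
$names = @("mail.company.com", "autodiscover.company.com", "servername", "servername.company.local")

# Step 1: generate the request. The CSR is written to -Path; submit that file to your CA.
New-ExchangeCertificate -GenerateRequest -DomainName $names -FriendlyName "mail.company.com" `
    -PrivateKeyExportable:$true -Path "c:\certreq.txt"

# Step 2 (after the CA returns the signed cert): import it and enable it for the services.
Import-ExchangeCertificate -Path "c:\mail.company.com.cer" |
    Enable-ExchangeCertificate -Services "POP, IMAP, IIS, SMTP"

# Step 3: verify that the certificate enabled for IIS (OWA, Outlook Anywhere, Autodiscover)
# covers every name clients use. A missing name is the usual cause of the random
# password prompts described further down.
function Test-ExchangeCertificateNames {
    param([string[]]$RequiredNames)

    $iisCert = Get-ExchangeCertificate |
        Where-Object { $_.Services.ToString() -match "IIS" } |
        Select-Object -First 1
    if (-not $iisCert) {
        return New-Object PSObject -Property @{ Ok = $false; Reason = "No certificate is enabled for IIS" }
    }

    # CertificateDomains holds the SAN entries; compare case-insensitively.
    $covered = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = @($RequiredNames | Where-Object { $covered -notcontains $_.ToLower() })

    New-Object PSObject -Property @{
        Thumbprint = $iisCert.Thumbprint
        Subject    = $iisCert.Subject
        SelfSigned = $iisCert.IsSelfSigned
        Expires    = $iisCert.NotAfter
        Missing    = $missing
        Ok         = ($missing.Count -eq 0 -and -not $iisCert.IsSelfSigned)
    }
}

Test-ExchangeCertificateNames -RequiredNames $names | Format-List
```

If Ok comes back $false, the Missing list tells you which FQDN to add to the next request; SelfSigned = $true after the import means the Enable step bound the wrong thumbprint, which Get-ExchangeCertificate | FL will confirm.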
This process can also be done with a self-generated cert as long as that cert has been manually installed and trusted by the clients. For more information on configuring a self-signed cert so your server doesn't drive you crazy with password prompts, view this article.
If your users are getting random password prompts, it's likely your certificate is configured incorrectly or is missing a FQDN that the clients need to authenticate successfully over SSL.
Sending email through a smarthost or your ISP's outgoing SMTP server often lacks the capabilities needed to run a quality mail server. Too often I've seen an ISP completely change the ports it uses, lock down access from your server, just plain suck at sending mail to certain domains, or take forever to deliver the message to the recipient. If you experience any of these issues you'll probably be better off switching to the DNS/MX method of sending mail. Here's the process:
Exchange 2003
- Exchange System Manager
- Connectors
- SMTP Connector
- right click and go to Properties of your SMTP Connector
- select “use DNS to route each address space on this connector”
- select OK
- restart the Simple Mail Transfer Protocol service (SMTP)
Exchange 2007
- Exchange Management Console
- Organization Configuration
- Hub Transport
- Send Connectors
- right click and go to Properties of your send connector
- Network Tab
- select “Use domain name system (DNS) “MX” records to route mail automatically”
- select OK
- restart the Exchange Transport service
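The Exchange 2007 steps above done from the Exchange Management Shell instead of the console, with a resolution check first so you don't cut over to DNS routing on a server that can't resolve MX records. This is an added example, not from the original post; the connector name and probe domain are placeholders, and Test-MxResolution is a hypothetical helper that just runs nslookup.

```powershell
# Added example (not from the original post). The connector name and probe domain are
# placeholders; pick a connector from the first command's output.
$connectorName = "Internet Send Connector"
$probeDomain   = "example.org"   # any external domain you know receives mail

# How does each send connector route today? DNSRoutingEnabled = $false means a smart host.
Get-SendConnector | Format-Table Name, DNSRoutingEnabled, SmartHosts, AddressSpaces -AutoSize

# The Hub Transport server itself must resolve MX records before you cut over; if this
# fails, fix DNS first or outbound mail will sit in the queue.
function Test-MxResolution {
    param([string]$Domain)
    $output = (& nslookup -type=MX $Domain 2>&1) | Out-String
    return ($output -match "mail exchanger")
}

if (-not (Test-MxResolution -Domain $probeDomain)) {
    Write-Warning "This server cannot resolve MX records for $probeDomain; do not switch routing yet."
    return
}

# Turn on DNS routing and clear the smart host list in the same call: a connector with
# smart hosts must have DNS routing off, so the two have to change together.
Set-SendConnector -Identity $connectorName -DNSRoutingEnabled $true -SmartHosts $null

# Confirm, then restart transport so the new routing takes effect (the GUI's final step).
Get-SendConnector -Identity $connectorName | Format-List Name, DNSRoutingEnabled, SmartHosts
Restart-Service MSExchangeTransport
```

After the restart, watch Get-Queue for a few minutes: if messages start retrying with DNS errors, the server's DNS servers are the problem, not the connector.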
Disabling SMB Signing
In the cross-platform world, one of the most common issues that arises is file sharing between a Mac running 10.4 and Windows Server 2003/2008. Domain controllers are configured by default to "Digitally Sign Communications" always. When this is the case, a Mac running Tiger (10.4.x) or earlier will not be able to authenticate to the Windows server. You'll receive an error along the lines of "server could not be found", even though it's clearly there since it just asked you to authenticate. It's actually an easy fix on both 2003 and 2008. To disable SMB signing, do the following.
- Under the file server's security policy (or domain controller security policy if your file servers are domain controllers)
- expand Windows Settings
- Security Settings
- Local Policies
- Security Options and find
- Microsoft network client: Digitally sign communications (always) set to disabled
- Microsoft network server: Digitally sign communications (always) set to disabled
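An audit script for the two policy settings above. The "(always)" settings are stored as the RequireSecuritySignature value under the LanmanServer and LanmanWorkstation service keys, so you can confirm what a server currently enforces before and after the policy change. This is an added example, not from the original post; Get-SmbSigningState and Disable-SmbSigningRequirement are hypothetical helpers written here, and the script assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Audits the registry values that the two
# "Digitally sign communications (always)" policy settings write, and optionally clears them.
$signingSettings = @(
    @{ Policy = "Microsoft network server: Digitally sign communications (always)"
       Path   = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" },
    @{ Policy = "Microsoft network client: Digitally sign communications (always)"
       Path   = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" }
)

function Get-SmbSigningState {
    foreach ($s in $signingSettings) {
        $values = Get-ItemProperty -Path $s.Path -ErrorAction SilentlyContinue
        $required = 0
        if ($values -and $values.PSObject.Properties["RequireSecuritySignature"]) {
            $required = [int]$values.RequireSecuritySignature
        }
        New-Object PSObject -Property @{
            Policy         = $s.Policy
            RequireSigning = ($required -eq 1)   # 1 = "(always)" enabled, which Tiger cannot do
        }
    }
}

# Writes the same value the policy setting "Disabled" writes (0). If a GPO still sets it
# to 1, the next policy refresh puts it back, which is why the steps above change the
# policy rather than the registry.
function Disable-SmbSigningRequirement {
    foreach ($s in $signingSettings) {
        Set-ItemProperty -Path $s.Path -Name RequireSecuritySignature -Value 0 -Type DWord
    }
    Get-SmbSigningState
}

Get-SmbSigningState | Format-Table Policy, RequireSigning -AutoSize
```

Signing is what stops an SMB session from being altered in transit, and the server-side "(always)" setting on a domain controller is the one that protects every domain client, so where the layout allows it, relax the requirement only on the member file server that serves the Tiger clients and leave the domain controller policy as it is.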
Connectivity Using AFP
In Windows 2003 it's easy enough to install Apple File Sharing from Add/Remove Programs and create Macintosh file shares in addition to your Windows shares. After you have AppleTalk installed, when you go to create a share within Computer Management you'll be given the option to create Apple shares as well as Windows shares. Once you've created your Mac share, you may find that when you go to mount it you receive the same error as you did when trying to mount the share over SMB. There's an easy fix for this as well.
AFP/Windows Authentication
- right click on My Computer and go to “Manage”
- right click on Shared Folders
- Configure File Server for Macintosh
- under Security “Enable Authentication”
- select “Apple Clear Text or Microsoft”
- click OK
AFP/Windows Read-Only
You'll discover that once you're able to authenticate successfully to the server and have your share mounted, it's actually read-only. To resolve this:
- right click on My Computer and go to “Manage”
- expand Shared Folders
- select Shares
- in the list of shares find your Mac share
- right click on your mac share and go to properties
- under SFM Volume Security uncheck “This volume is read-only”
- click OK
Now that you’ve adjusted these settings you’ll be able to share files using AFP and SMB from a Windows file server to a Mac.
There are several methods of locking down your Microsoft Exchange Server to prevent viruses, bots, spammers, etc. from using your server to send their mail. If you're already in a situation where your outbound queue is stuck in retry with thousands of messages waiting to be sent that you didn't send, then it's obvious your setup isn't locked down sufficiently. If you're stuck, or want to prevent ever getting stuck, here's the process of elimination and prevention that's nearly eliminated 99.9% of viruses and 100% secured my Exchange servers from the outside.
Blacklisted?
First things first. If you're blacklisted, your server isn't going to be able to send much mail even if it's been cleaned and completely secured. If you're blacklisted you need to find which lists your mail server's IP is on. MX Toolbox has always worked for me. Follow the links to the blacklists you're on and get an idea of what you need to do to get off the lists. If your server is still hosed, just note where you're listed and what you need to do to get off the lists. Then get your server cleaned up and functional before requesting removal. If you get removed from the lists and your server isn't clean, you'll get re-blacklisted, and it's going to be harder to get off the next time.
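The lookup MX Toolbox performs, done directly from PowerShell so you can re-check your listing status from the server while you clean it up. A DNSBL is queried as the IP's octets reversed under the list's zone; an A record back means listed, and no record means clean. This is an added example, not from the original post; Test-DnsBlacklist is a hypothetical helper written here, the IP is a constructed placeholder, and it assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Checks an IP against two public DNS-based
# blacklists; MX Toolbox runs the same kind of lookup across many more lists.
# The IP below is a constructed placeholder: use the public address your mail leaves from,
# not the server's LAN address.
function Test-DnsBlacklist {
    param(
        [string]$IPAddress,
        [string[]]$Zones = @("zen.spamhaus.org", "bl.spamcop.net")
    )
    # DNSBLs are queried as <reversed octets>.<zone>, e.g. 10.113.0.203.zen.spamhaus.org
    $octets = $IPAddress.Split(".")
    [array]::Reverse($octets)
    $reversed = $octets -join "."

    foreach ($zone in $Zones) {
        $query = "$reversed.$zone"
        try {
            # An answer means "listed"; the 127.0.0.x value encodes the reason on most lists.
            $answer = [System.Net.Dns]::GetHostAddresses($query) | ForEach-Object { $_.IPAddressToString }
            New-Object PSObject -Property @{ Zone = $zone; Listed = $true; Code = ($answer -join ",") }
        } catch {
            # NXDOMAIN (no record) is the normal "not listed" result and surfaces as an exception.
            New-Object PSObject -Property @{ Zone = $zone; Listed = $false; Code = "" }
        }
    }
}

Test-DnsBlacklist -IPAddress "203.0.113.10" | Format-Table Zone, Listed, Code -AutoSize
```

Read the Code column before acting on it: Spamhaus answers 127.255.255.x when the query itself was refused (for example because it came through a public resolver), which is an error, not a listing; the 127.0.0.x codes point you to the specific list and its removal procedure.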
If you can, a filtering service is key
If email has become mission critical for your company and you don't have the luxury of spending time tracking down the culprit before you get your server functional, I recommend immediately signing up for a hosted spam and virus filtering service. This is a nearly instant fix that will allow your server to start working while you find the cause of the problem (don't drag your feet on finding the cause, since this is not the primary resolution). Companies like AppRiver and Google's Postini provide a phenomenal level of protection by filtering all your mail at the domain level before it ever reaches your server. This allows you to block all incoming mail traffic on SMTP port 25 except from the filtering servers, which relay the email to your server once it's filtered. Other pluses to services like these are eliminating as much as 85% of the overall email that comes to your domain and fills up your information store, and a major reduction in the viruses that reach the server. I know some larger companies or corporations with extreme security concerns cannot implement services like this due to regulatory issues, but if you can, it's a big help.
Once your spam filtering service is set up, if you don't have a firewall capable of allowing only the traffic from the specific IPs of your filtering service's servers, you can do basically the same thing from within the Exchange Management Console.
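The Exchange-side equivalent of that firewall rule, done from the Exchange Management Shell, together with the two checks that belong with it: whether any receive connector lets anonymous senders relay to arbitrary domains (the usual reason a queue fills with mail you never sent), and what is actually sitting in the queues. This is an added example, not from the original post; the server name and IP ranges are constructed placeholders, and Get-AnonymousRelayConnectors is a hypothetical helper written here.

```powershell
# Added example (not from the original post). Server name and IP ranges are constructed
# placeholders; substitute your filtering service's delivery addresses and your LAN.
$server        = "EXCH01"
$filterHosts   = @("192.0.2.10", "192.0.2.11")   # the filtering service's relays
$internalRange = "10.0.0.0/8"                      # other Exchange servers, copiers, apps that submit mail

# 1. Open-relay audit. Anonymous senders granted ms-Exch-SMTP-Accept-Any-Recipient on a
#    receive connector can send to any domain through this server.
function Get-AnonymousRelayConnectors {
    param([string]$Server)
    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        $relayAce = Get-ADPermission -Identity $rc.Identity |
            Where-Object {
                $_.User.ToString() -like "*ANONYMOUS*" -and
                -not $_.Deny -and
                (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains "ms-Exch-SMTP-Accept-Any-Recipient")
            }
        if ($relayAce) {
            New-Object PSObject -Property @{
                Connector        = $rc.Name
                RemoteIPRanges   = $rc.RemoteIPRanges
                PermissionGroups = $rc.PermissionGroups
            }
        }
    }
}

Get-AnonymousRelayConnectors -Server $server | Format-List

# 2. Narrow who may talk to port 25 on the Internet-facing connector to the filter hosts
#    plus the LAN. Anything else is refused at connect time, before any mail is accepted.
Set-ReceiveConnector -Identity "$server\Default $server" -RemoteIPRanges ($filterHosts + $internalRange)

# 3. See what is actually stuck. Large retrying queues to domains you never mail are the
#    symptom this section opens with.
Get-Queue -Server $server | Where-Object { $_.MessageCount -gt 100 } |
    Format-Table Identity, Status, MessageCount, NextHopDomain -AutoSize
```

The Default connector also carries traffic from other Hub Transport servers and from internal devices that submit mail, so keep the LAN range in the list (or give those devices their own connector) rather than restricting it to the filter hosts alone; if step 1 reports a connector, remove the anonymous relay right or restrict that connector's RemoteIPRanges to the one device that needs it.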