Monday, July 13th, 2009
Filed under: Microsoft Exchange Server, Security, Windows Server — 

Updated: renazonse @ 10:42 am


Exchange 2007 SSL Certificate Installation

Unlike Exchange 2003, Exchange 2007 is configured by default with a self-signed certificate and is enabled for SSL upon installation. This certificate is required for Exchange to work properly in most respects, and you’re better off replacing the self-generated cert with a cert from a trusted certificate authority. These certificates used to be extremely expensive; these days you can get them dirt cheap in comparison from a CA like GoDaddy or DigiCert.

With the integration of the Exchange Management Shell, the cert request, installation and activation process is easily accomplished in only a few steps. I should also mention that with the introduction of Exchange 2007 there are new requirements for the certificates used. Subject Alternative Name (SAN) certificates are multi-domain certificates that cover more than one FQDN. Exchange 2007 needs multiple domain names in a single cert: the names used by internal and external users, as well as the autodiscover domain name. Having a single cert for all these names streamlines and simplifies the process of installing the certificates.

    Generating the Certificate Request

  • Open the Exchange Management Shell
  • Type New-ExchangeCertificate -GenerateRequest -DomainName mail.company.com, autodiscover.company.com, servername, servername.company.local -Friendlyname mail.company.com -PrivateKeyExportable:$true -Path c:\certreq.txt
  • After you hit enter the thumbprint of the cert will be generated and displayed.
  • Use the generated certreq.txt when prompted at your chosen CA
  • Once you’ve acquired your certificate save it to c:\mail.company.com.cer
  • Again from the Exchange Management Shell type Import-ExchangeCertificate -Path c:\mail.company.com.cer | Enable-ExchangeCertificate -Services "POP, IMAP, IIS, SMTP"
  • After you hit enter your new cert will be enabled for the services listed in the command. To verify the successful installation use this command Get-ExchangeCertificate | FL

This process can be done with a self-generated cert as long as that cert has been manually installed and trusted by the clients. To get more information on configuring a self-signed cert so your server doesn’t drive you crazy with password prompts view this article.

If your users are getting random password prompts it’s likely your certificate is configured incorrectly or is missing an FQDN that the clients need in order to authenticate successfully over SSL.
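The request, import and enable steps listed above, followed by the name check that the password-prompt paragraph calls for, as one Exchange 2007 Management Shell script. This is an added example, not a script from the original post; the host names, file paths and connector-independent property names (CertificateDomains, Services, IsSelfSigned, NotAfter from Get-ExchangeCertificate) are those of the Exchange 2007 cmdlets, and every name and path is a placeholder to replace with your own.

```powershell
# Added example (not from the original post): the certificate request, import,
# enable and verification steps as one Exchange 2007 Management Shell script.
# Host names and paths are placeholders; replace them with your environment's values.

$Names       = @('mail.company.com', 'autodiscover.company.com', 'servername', 'servername.company.local')
$RequestPath = 'C:\certreq.txt'
$CertPath    = 'C:\mail.company.com.cer'

# Step 1: generate the request. The cmdlet displays the thumbprint of the pending request.
New-ExchangeCertificate -GenerateRequest -DomainName $Names -FriendlyName 'mail.company.com' `
    -PrivateKeyExportable:$true -Path $RequestPath

# Step 2 happens at the CA: submit the contents of $RequestPath and save the issued
# certificate as $CertPath before running the rest of the script.
if (-not (Test-Path $CertPath)) {
    throw "Issued certificate not found at $CertPath; submit $RequestPath to your CA first."
}

# Step 3: import the issued certificate and enable it for the client-facing services.
$Cert = Import-ExchangeCertificate -Path $CertPath
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services 'POP, IMAP, IIS, SMTP'

# Step 4: verify. The certificate bound to IIS (OWA, Outlook Anywhere, Autodiscover, EWS)
# must list every name clients connect to, or Outlook keeps prompting for credentials.
$IisCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' }
foreach ($c in $IisCerts) {
    $domains = @($c.CertificateDomains | ForEach-Object { "$_" })   # SmtpDomain objects to strings
    Write-Host ("Thumbprint {0}  SelfSigned={1}  Expires={2}" -f $c.Thumbprint, $c.IsSelfSigned, $c.NotAfter)
    foreach ($n in $Names) {
        if ($domains -contains $n) { Write-Host    "  OK       $n" }
        else                       { Write-Warning "  MISSING  $n  (clients using this name will get prompts)" }
    }
    if ($c.IsSelfSigned) {
        Write-Warning "  Certificate is self-signed; every client must trust it manually."
    }
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "  Certificate expires within 30 days; start the renewal request now."
    }
}
```

Run the first block, stop at the CA step, then run the script again once the issued .cer is in place; the final loop is also useful on its own any time a user reports unexplained password prompts, since a MISSING line points straight at the name the cert lacks.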

Saturday, June 6th, 2009
Filed under: Anti-Virus, Microsoft Exchange Server, Security, Spam — 

Updated: renazonse @ 9:58 am


Securing Your Exchange Server

There are several methods of locking down your Microsoft Exchange Server to prevent viruses, bots, spammers, etc… from using your server to send their mail. If you’re already in a situation where your outbound queue is locked in a state of retry with thousands of messages waiting to be sent that you didn’t send, then it’s obvious that your setup isn’t locked down sufficiently. If you’re stuck, or want to prevent ever getting stuck, here’s the process of elimination and prevention that’s nearly eliminated 99.9% of viruses and 100% secured my Exchange servers from the outside.

Blacklisted?

First things first. If you’re blacklisted your server isn’t going to be able to send much mail even if it’s been cleaned and completely secured. If you’re blacklisted you need to find which lists your mail server’s IP is on. MX Toolbox has always worked for me. Follow the links on the blacklists you’re on and get an idea of what you need to do to get off the lists. If your server is still hosed then you just need to note where you’re listed and what you need to do to get off the lists. Then, get your server cleaned up and functional before requesting to be removed from the lists. If you get removed from the lists and your server isn’t clean you’ll get re-blacklisted, and it’s going to be harder to get off the next time.

If you can, a filtering service is key

If email has become mission critical for your company and you don’t have the luxury of wasting time tracking down the culprit before you get your server functional, I recommend immediately signing up for a hosted spam and virus filtering service. This will be a nearly instant fix that will allow your server to start working while you find the cause of the problem (don’t drag your feet on finding the solution, since this is not the primary resolution). Companies like AppRiver and Google’s Postini provide a phenomenal level of protection by filtering all your mail at the domain level before it ever reaches your server. This allows you to block all incoming mail traffic on SMTP port 25 with the exception of the filtering servers that relay the email to your server once it’s filtered. Other pluses to services like these are eliminating as much as 85% of the overall email that comes to your domain and fills up your information store, and a major reduction in the viruses that reach the server. I know some larger companies or corporations with extreme security concerns cannot implement services like this due to regulatory issues, but if you can it’s a big help.

Once your spam filtering service is set up, if you don’t have a firewall capable of allowing only the traffic from the specific IPs of your filtering service’s servers, you can do basically the same thing from within the Exchange Management Console.
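The same restriction done from the Exchange Management Shell instead of the console: limit the Internet-facing Receive connector’s remote IP ranges to the filtering service’s relay hosts, then confirm that no connector still accepts anonymous mail from every address. This is an added example and not part of the original post; the connector name and the 203.0.113.x addresses are placeholders (that block is a documentation range), and the cmdlets and properties used (Get-ReceiveConnector, Set-ReceiveConnector, RemoteIPRanges, PermissionGroups, Bindings) are the Exchange 2007 Hub Transport ones.

```powershell
# Added example (not from the original post): restrict the Internet-facing Receive
# connector so only the filtering service's relay hosts may connect on port 25.
# Connector name and IP addresses are placeholders; 203.0.113.0/24 is a documentation range.

$ConnectorName = 'SERVERNAME\Default SERVERNAME'    # placeholder: your Internet-facing connector
$FilterHosts   = @('203.0.113.10', '203.0.113.11')  # placeholder: published IPs of the filtering service

# Before: record what the connector accepts today.
Get-ReceiveConnector -Identity $ConnectorName |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups

# Replace the default 0.0.0.0-255.255.255.255 range with the filtering hosts only.
Set-ReceiveConnector -Identity $ConnectorName -RemoteIPRanges $FilterHosts

# After: report every connector, and flag any that still takes anonymous connections
# from any address, which is the configuration that lets outsiders use the server.
Get-ReceiveConnector | ForEach-Object {
    $ranges = @($_.RemoteIPRanges | ForEach-Object { "$_" })     # IPRange objects to strings
    $anon   = "$($_.PermissionGroups)" -match 'AnonymousUsers'
    $anyIp  = $ranges -contains '0.0.0.0-255.255.255.255'
    if ($anon -and $anyIp) {
        Write-Warning ("Connector '{0}' accepts anonymous mail from any IP address." -f $_.Name)
    } else {
        Write-Host ("Connector '{0}': RemoteIPRanges={1}" -f $_.Name, ($ranges -join ', '))
    }
}
```

One caveat before running the Set-ReceiveConnector line: the Default connector on a Hub Transport server also carries authenticated mail from the other Exchange servers in the organization and from any internal devices that relay through it, so include those hosts in the range list (or give them their own connector) so that restricting Internet traffic does not break internal mail flow.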