
Exchange 2007 - Securing SMTP with SSL

One of the projects I'm working on at the moment has a customer with a large POP3 user base. They had recently migrated from another POP3 server to Exchange 2007. The previous system wasn't secured at all, so we moved the users without the security initially, with a plan to add SSL security at a later date. We are now at the stage where we wanted to test securing the email traffic with SSL. Adding SSL for POP and IMAP went fine: we pushed this through an ISA server back to the CAS server and were able to run secure and non-secure in parallel while we did our testing.

I couldn't, however, get SMTP working. For these users we have set it up so that they connect to the edge server. Exchange 2007 creates a default authenticated SMTP listener on port 587. We were already using port 25 for normal internal email. All our clients were configured so that they had to authenticate with the SMTP server, and they were configured to use port 25 for SMTP. During the migration we moved the DNS names of the old SMTP server to Exchange 2007, so there was no re-configuration required from the users. We then set up a firewall rule that mapped port 25 to port 587 on the edge server. This also gets around the bug where Outlook Express doesn't like to use any port other than 25 for secure email.

I loaded an external certificate onto the edge server and assigned it to the SMTP service. Now, the SMTP service is a weird one. I'm not going to include screenshots as I don't want to give the customer away, so I will try to describe it as best I can. When you run the Get-ExchangeCertificate command, the SMTP service is always bound to the default generated certificate as well as whatever other certificate you assign it to, which is different from the other services like POP or IMAP, where they seem quite happy to jump certificates. You can't remove the SMTP service from the default certificate by specifying none as the service, and you can't remove the default certificate.

The problem I was getting was that the server always seemed to use the internal certificate when external clients connected. Users were getting a certificate chain error, and if you enabled logging on the receive connector it showed that it was indeed using the internal certificate. I tried and tried, but I couldn't find a way to assign the external certificate to this connector. I ended up placing a call with Microsoft, and after 4 days they found a solution. The solution was remarkably simple but not obvious.

The receive connector has a setting where you can specify the FQDN of the Exchange server that it sends to clients in response to an EHLO or HELO command. The certificate that Exchange will use for TLS is tied to this FQDN. I had not bothered to change this, and it was therefore using the internal certificate. As soon as I changed this to the external certificate name, everything started to work. I didn't need to stop any services; it just kicked in straight away. Checking the receive logs for that listener, I could see that the external certificate was now being used.
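The fix described above, written out in the Exchange Management Shell as an added example (this is not from the original post). The connector name "Client EDGE01" and the external name mail.example.com are placeholders to replace with your own; the cmdlets Get-ExchangeCertificate, Get-ReceiveConnector and Set-ReceiveConnector are the standard Exchange 2007 ones.

```powershell
# Placeholders: the client-facing receive connector on the edge server and
# the subject name carried by the external (public CA) certificate.
$connectorName = "Client EDGE01"
$externalFqdn  = "mail.example.com"

# 1. Which certificates are enabled for SMTP, and which names do they carry?
#    Expect both the self-signed default and the external cert to list SMTP;
#    as noted above, the default one cannot be unbound from SMTP.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match "SMTP" } |
    Format-Table Thumbprint, CertificateDomains, NotAfter -AutoSize

# 2. Show the FQDN the connector currently advertises in its EHLO/HELO banner.
#    If this is still the internal name, STARTTLS presents the internal cert
#    and external clients get the chain error described in the post.
$connector = Get-ReceiveConnector $connectorName
"Current connector FQDN: " + $connector.Fqdn

# 3. Make sure an SMTP-enabled certificate actually covers the name we are about
#    to set; otherwise clients just trade a chain error for a name-mismatch error.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "SMTP" -and $_.CertificateDomains -contains $externalFqdn }
if (-not $cert) {
    throw "No SMTP-enabled certificate lists $externalFqdn; run Enable-ExchangeCertificate -Services SMTP on it first."
}

# 4. Point the connector at the external name. No service restart is needed;
#    the next client connection negotiates TLS with the matching certificate.
Set-ReceiveConnector $connectorName -Fqdn $externalFqdn

# 5. Verify from outside the domain with any TLS client, for example:
#      openssl s_client -connect mail.example.com:25 -starttls smtp
#    and confirm the subject and issuer printed belong to the external certificate,
#    then re-check the receive connector's protocol log as the post describes.
```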
