Re: Disable StartTLS on EX2007 Send Connectors



On Fri, 31 Oct 2008 21:47:00 -0700, Joe
<Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

I would rather not do that. I would like it to match its public domain.
Surely there must be another way to do this.

I notice it only occurs when Exchange makes a connection to another server
that supports TLS.

Well, you could try Oliver's suggestion to remove the certificate from
SMTP services, but honestly, I don't know how that will impact your hub
transport services. Is this your only server?
Is this server accessible from the internet via OWA? I'm wondering also
why you are using the self-signed cert.




"Andy David {MVP}" wrote:

On Fri, 31 Oct 2008 15:47:01 -0700, Joe
<Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Yes, it is the Internet send connector.

And I do have the case in your link where my external FQDN does not match
the name of the self-signed cert. But why does this matter if an Internet
send connector does not starttls? The event I receive is specifically for this
internet send connector.

I don't want to change the cert name to match the external FQDN, then it
won't match the internal FQDN, then clients get popup messages.

You can, however, change the FQDN on the send connector to match
the cert. Would that work for you?



"Andy David {MVP}" wrote:

On Fri, 31 Oct 2008 13:16:02 -0700, Joe
<Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

You are correct, this is exactly what I am talking about.

I get the 12014 events, "Failed to find a cert that matches the domain"
every time it hits another server that offers TLS.

Nope, that's not happening because of that. I assume this is an
Internet send connector that is sending to external domains anonymously,
yes? The Certificate is not loaded in this case.


Now I understand I can fix this by assigning a cert that does match the
domain. There are tons of posts on how to do this.

It doesn't already? Ensure the built-in self cert that Exchange
created is assigned and valid.



But I don't want to do it that way. I don't want Exchange to even try to
start TLS.

It won't if this is an internet send connector.

So you're suggesting that if I unbind the self cert from the SMTP service,
this will stop happening? I can't think of anything that needs to have this
cert bound to SMTP, can you think of anything I will break by doing that?


Um, no. Don't do that. Look at this and see if it helps:
http://technet.microsoft.com/en-us/library/bb510128(EXCHG.80).aspx?ppud=4

If not, more info required as to the type of send connector this is.



Thanks.

"Oliver Moazzezi [MVP]" wrote:

I think he is talking about Opportunistic TLS, not 'require TLS' on the Send
Connector, which on delivery to * will try and do.

Exchange 2007 will try TLS when sending by default.

http://technet.microsoft.com/en-us/library/bb430753(EXCHG.80).aspx

Opportunistic TLS: In earlier versions of Exchange Server, you had to
configure TLS manually. In addition, you had to install a valid certificate,
suitable for TLS usage, on the server running Exchange Server. In Exchange
2007, Setup creates a self-signed certificate. By default, TLS is enabled.
This enables any sending system to encrypt the inbound Simple Mail Transfer
Protocol (SMTP) session to Microsoft Exchange. By default, Exchange 2007
also tries TLS for all remote connections.

Off the top of my head, I don't know of a way to stop it without removing
the certificate.

Oliver


An internet send connector will not use TLS unless you configure it to
do so.
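
An added example, not part of the original thread: a check, run in the Exchange Management Shell, that compares the FQDN each Send connector presents with the names on the certificates enabled for SMTP, which is the mismatch event 12014 reports. It assumes a connector with no FQDN set presents the server's own FQDN, and it compares names exactly (wildcard names are not evaluated).

```powershell
# Added example: run in the Exchange Management Shell on the Hub Transport server.
# Reports, per Send connector, whether a valid SMTP-enabled certificate carries
# the FQDN that the connector presents.

# Certificates currently enabled for the SMTP service
$smtpCerts = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'SMTP' })

# Show what is bound to SMTP, so the names and expiry dates can be read directly
$smtpCerts | Format-List Thumbprint, CertificateDomains, NotAfter, IsSelfSigned

# Assumption: a Send connector with no Fqdn set presents the server's own FQDN
$serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

foreach ($connector in Get-SendConnector) {
    $fqdn = "$($connector.Fqdn)"
    if ([string]::IsNullOrEmpty($fqdn)) { $fqdn = $serverFqdn }

    # Exact, case-insensitive comparison against every name on each certificate
    $matching = @($smtpCerts | Where-Object {
        @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn
    })
    # Of the matching certificates, keep those that have not expired
    $valid = @($matching | Where-Object { $_.NotAfter -gt (Get-Date) })

    if ($valid.Count -gt 0)        { $state = 'OK' }
    elseif ($matching.Count -gt 0) { $state = 'MATCHING CERT EXPIRED' }
    else                           { $state = 'NO MATCHING CERT' }

    '{0,-30} FQDN={1,-35} {2}' -f $connector.Name, $fqdn, $state
}

# To align a connector with a name already on the certificate, as suggested in
# the thread (both values are placeholders):
# Set-SendConnector -Identity '<connector name>' -Fqdn '<name on the certificate>'
```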




