I've seen several articles and posts on this topic, but I'm having a hard time getting a definitive answer.
I've recently transitioned from an Exchange 2007 SP1 server (set up by my predecessor) to a new server running Exchange SP3. Previously we were using a self-signed certificate, and had the FQDN for HELO/EHLO responses set to the actual machine name. Everything was working, but our users had to remember the server name to connect from outside. I've got an MX record set up on our domain for mail.<domain> to route the mail correctly; however, my self-signed cert says <machine_name>.<domain>.
Can I generate a self-signed cert with mail.<domain> instead of the default <machine_name>.<domain>?
If not, do I have to purchase a Public Cert to get that name correctly?
Posts: 6812
Joined: 9.Jun.2004
From: Philadelphia PA
Status: offline
If your users are accessing from the outside you should get a "proper", i.e. trusted, certificate. Any of the providers (GoDaddy etc.) will offer you a pretty inexpensive solution so that you can have the server name, internal FQDN, external FQDN, autodiscover, autodiscover.FQDN, mail.domain.com, etc. etc. that will meet every need in one cert. Don't bother with the free one, it's pointless. Spend the 50 dollars or so on a decent trusted one with all the names that you'll need as you implement the cooler features.
The main concern is being misidentified as spam. I'm thinking that if the cert identifies the server by machine name instead of "mail", some spam services might reject our mail as spam.
Our outside users are just using webmail, or connecting with mobile devices. I really don't think we'd benefit from having a public certificate, other than not having to explain to our users that they need to click Continue anyway when their browser gives them the untrusted certificate error.
I got this error in Event Viewer: Microsoft Exchange could not find a certificate that contains the domain name mail.saf.sc.gov in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector To Internet with a FQDN parameter of mail.saf.sc.gov. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
Your main concern is invalid. Spam is calculated in a lot of ways, and the reverse DNS thing is a tiny, largely insignificant part and is actually a source of more stupid false positives. Only a few people rely on it. I regard it as a ridiculous thing in 2011. Back in '98 maybe it was different, but we're not in '98 any more.
Really, spend the money, get the certificate. As you go through life you're going to see nice features in 2007/2010 that you want to implement. Your users are going to talk to their buddies who have devices that automatically configure themselves. They're using home PCs which configure up automatically. You will get pressure to do such a thing. If you spend a tiny amount of money now and get yourself prepared you will save yourself time and effort later.
It's one of those few JFDI type no-brainers that come up in life.
I work for a State Agency with a tight budget. In the private world, we'd pay the $50 and never look back, but in this environment, I'd have to justify the expense.
Since webmail works easily enough without the public cert, I think I'd have a hard time justifying a $50/yr expense.
I found this article on renewing the self-signed cert:
If you're so tight on cash then fine, follow that. You can replace it easily enough. Implement your own internal CA and create a multi-name certificate yourself if you want. You'll be OK so long as you never use a machine that isn't domain-joined or well managed (i.e. mobile devices where you manually load up the certificate).
Personally I'd find it pretty easy to justify 50 or 100 per year, because I'd work out my hourly rate and I'd work out how many hours per month I would spend taking calls, helping users understand what they need to do, etc. etc. It's not just me either. If one user spends 15 minutes with you, that's 15 minutes they're not being productive. If they have to wait an extra 5 seconds while they click OK or change a URL, then that adds up.
Believe me, most people find that the ROI on a certificate is measured in minutes, not hours, days or weeks.
Ideally it's the middle one, so that you can have webmail.domain and autodiscover etc. etc. as I said up top, but you need to take that decision on your own. We're not able to make that decision for you.
We're currently running Exchange 2007 SP3. It's possible we may upgrade to Exchange 2010 in the future. Would the certs copy over, or can we get them updated if we change servers?
I wouldn't want to buy 3 years worth if that would commit us to using this Exchange 2007 SP3 server for 3 years.
I discovered this morning that not having a certificate with the mail.<domain> FQDN is preventing a TLS connection with one of my partner organizations.
I'm working on getting the public cert purchased, but it may take a while. Can someone help me with the steps to create a self-signed cert for mail.<domain>?
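The steps asked for above, as an added example that is not part of the original thread. It addresses the event quoted earlier ("could not find a certificate that contains the domain name mail.saf.sc.gov ... for the connector To Internet"): the self-signed certificate must carry the connector FQDN in its domain list, be enabled for SMTP, and every connector that announces a name must announce one the certificate covers. It assumes the Exchange 2007 SP1+ Management Shell run on the Hub/CAS server itself; the host names come from the thread, the autodiscover name and the backup path are assumptions.

```powershell
# Added example, not code from the thread. Exchange 2007 SP1+ Management Shell, run on the server.
$server = $env:COMPUTERNAME                         # NetBIOS name of this server, e.g. EXCHANGE
$domain = "saf.sc.gov"                              # domain from the thread
$alias  = "mail.$domain"                            # public MX / connector FQDN
$names  = @($alias, "$server.$domain", $server, "autodiscover.$domain")   # autodiscover is assumed

# 1. Issue a self-signed certificate covering every name a client or peer may use.
#    -SubjectName fixes the CN; all -DomainName entries go into the Subject Alternative Name.
$cert = New-ExchangeCertificate -DomainName $names -SubjectName "CN=$alias" `
        -FriendlyName "Exchange $server $(Get-Date -Format yyyy-MM-dd)" -PrivateKeyExportable $true

# 2. Bind it to SMTP (and IIS, so OWA/ActiveSync present the same cert). Transport selects the
#    SMTP certificate by matching connector FQDNs against CertificateDomains, not by SNI.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP,IIS

# 3. Verify: the cert carrying $alias should now list SMTP and IIS in Services.
Get-ExchangeCertificate | Where-Object { $_.CertificateDomains -contains $alias } |
    Format-List Thumbprint, Services, NotAfter, CertificateDomains

# 4. Align connector HELO/EHLO names with the certificate. "To Internet" is the send connector
#    named in the event. Receive connectors that use Exchange Server authentication must keep
#    the real server FQDN, so only the others are changed.
Set-SendConnector -Identity "To Internet" -Fqdn $alias
Get-ReceiveConnector -Server $server |
    Where-Object { "$($_.AuthMechanism)" -notmatch 'ExchangeServer' } |
    Set-ReceiveConnector -Fqdn $alias

# 5. Back up the key pair: nobody can re-issue a self-signed certificate for you.
$pw = Read-Host -AsSecureString "Password for PFX export"
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pw -Path "C:\backup\$alias.pfx"
```

Restart is not required; the Transport service picks up the newly enabled certificate on its next connection, and the event from the original post should stop. What this does not change is trust: a partner doing only opportunistic TLS will now negotiate, but a partner validating the chain, or a browser or phone on the outside, will still flag the certificate until it is either replaced by a CA-issued one or installed manually on each device.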
I was able to get the issue with my TLS Partner resolved by replacing the HELO/EHLO response on my connectors with the machine name rather than the mail alias.
I'm running into some other issues with Certificates. I found this site:
When I run it for mail.saf.sc.gov, it returns the cert, but complains that the cert says "mail" while the machine name is "exchange". I have a DNS record set up for exchange.saf.sc.gov, but it doesn't return a certificate at all. I think the 'mail' record was set at a higher priority, so I've made a request to put the 'exchange' record at a higher priority.
Any other ideas on why my exchange.saf.sc.gov FQDN isn't returning the Cert that I get with the alias FQDN, mail.saf.sc.gov?
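A way to see for yourself which certificate each name returns, as an added example rather than anything from the thread or the testing site mentioned above. It opens TCP/25, issues EHLO and STARTTLS, and captures the certificate the server presents, then lists every DNS name in it and whether the connector FQDN is among them. Because SMTP has no SNI, the certificate Exchange sends is chosen by the receive connector's FQDN (the same selection rule the earlier event describes), not by the name the client connected to; what changes between mail.saf.sc.gov and exchange.saf.sc.gov is only whether the validator reports a name mismatch. Assumes Windows PowerShell 2.0 or later and a reachable port 25; the EHLO name "probe.example.invalid" is an assumption, the host names are from the thread.

```powershell
# Added example, not from the thread: STARTTLS probe that reports the certificate a server presents.
$SmtpHost = "exchange.saf.sc.gov"     # name you connect to (swap for mail.saf.sc.gov to compare)
$Expected = "mail.saf.sc.gov"         # name the certificate must cover (the connector FQDN)

$tcp    = New-Object System.Net.Sockets.TcpClient($SmtpHost, 25)
$net    = $tcp.GetStream()
$reader = New-Object System.IO.StreamReader($net)
$writer = New-Object System.IO.StreamWriter($net)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true

function Read-SmtpReply {
    # Multi-line replies continue with "250-" and end with "250 " (space after the code).
    $lines = @()
    do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
    return ,$lines
}

$null = Read-SmtpReply                                   # 220 banner
$writer.WriteLine("EHLO probe.example.invalid")          # our own HELO name (assumed value)
if (-not (Read-SmtpReply | Where-Object { $_ -match 'STARTTLS' })) {
    $tcp.Close(); throw "$SmtpHost does not advertise STARTTLS"
}
$writer.WriteLine("STARTTLS")
$r = Read-SmtpReply
if ($r[-1] -notmatch '^220') { $tcp.Close(); throw "STARTTLS refused: $($r[-1])" }

# Accept whatever is presented (we are inspecting, not trusting) and keep a copy of it.
$global:ProbeCert = $null; $global:ProbeErrors = $null
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $global:ProbeCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    $global:ProbeErrors = $sslPolicyErrors     # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors ...
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($net, $false, $validate)
$ssl.AuthenticateAsClient($SmtpHost)                     # name checked for mismatch = $SmtpHost
$ssl.Close(); $tcp.Close()

# Collect the DNS names: subjectAltName entries (OID 2.5.29.17) plus the subject CN.
$c = $global:ProbeCert
$names = @()
$san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}
$names += $c.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

"Connected to      : $SmtpHost"
"Subject           : $($c.Subject)"
"Issuer            : $($c.Issuer)   (self-signed: $($c.Subject -eq $c.Issuer))"
"Valid until       : $($c.NotAfter)"
"Names in cert     : $($names -join ', ')"
"Covers $Expected : $($names -contains $Expected)"
"Policy errors     : $global:ProbeErrors"
```

Run it once per host name: if both names resolve to the same server, "Names in cert" will be identical for both, and only "Policy errors" will differ (RemoteCertificateNameMismatch when the name you connected to is not in the list). A host that shows no STARTTLS in its EHLO reply, or answers STARTTLS with anything other than 220, is the case the earlier event describes: Transport found no certificate matching the connector FQDN, so it does not offer TLS at all.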