How to use TLS certificate on MS Exchange 2007?

[R.Madhvan]

Well I am having SAN Certificate by using owa.mycompany.com and autodiscover.mycompany.com.I have installed Certificate on Exchange 2007 CAS Server and ISA Servers. I was looking to enable TLS Communication for SMTP Traffic. I have added mail.mycompnay.com to SAN Name and certificate as well. in case I am using wildcard Certificate and I assign SMTP Service to certificate then will it get enabled? mx record name should be same as that of Common Name or it should be included as SAN Name on your certificate in this particular manner TLS should work. This certificate should be public Certificate. I am having Edge Server on DMZ and TLS should receiver emails which are coming from out side.

[Gania]

As far as I know Exchange 2007 supposed to create self-signed TLS certificate which can be used for security purposed between Hub servers and organization. You will not require to generate TLS by using internal CA. if you do the same the security would simply turned on for hus servers. The combination of TLS and Kerberos would allow you to get authenticated and encrypted channel. This particular thing is considered as Exchange server authentication mechanism.

You will not be able to make use of DomainSecure(Mutual TLS) until and unless both partners are using Exchange 2007. When you are trying to send an email outside Exchange would simply try to match remote domain against of domain name for the certificate which has been located at remote side. It would get occur after TLS negotiation . additionally certificate supposed to chained to trusted root. As you are going to receiving an email partner of yours should client certificate which should have subject name which should be matching with the sender domain. In this particular situation chain validation should be applicable. MTLS can be used for authenticate as well as encrypt your channel.

Let me know whether the thing which I have mentioned over here was useful to you or not.

[Abhiroopa]

It is no needed to import certificate for source server to target server if you are looking to configure TLS. You should be owner of certificate so that you can configure Exchange server. if you are using Exchange 2007 then you will need to generate certificate and enable the same for SMTP. After that you have to setup domain which would sent secured email by making use of set-TransportConfig command. Lastly you will need to configure Send Connector and Receive connector.

Code:

Set-TransportConfig -TLSSendDomainSecureList Contoso.com, set-TransportConfig -TLSReceiveDomainSecureList Contoso.com
Set-SendConnector Internet -DomainSecureEnabled:$True, Set-ReceiveConnector Inbound -DomainSecureEnabled:$True -AuthMechanism TLS

You must enforce authethcation mechanism as TLS does not supposed to implement it on inbound connection. you can implement TLS for Contoso.com because of below mentioned results.

Contoso.com supposed to mentioned into Set-TransportConfig cmdlet on TLSReceiveDomainSecureList parameter.

On Receive Connector DomainSecureEnabled parameter should be set to True.
Rest of the sender which are not listed on TLSReceiveDomainSecureList parameter in Set-TransportConfig cmdlet are going to use TLS if it has been supported on sending system.

[Bontu]

As far as cryptographic terms are concerned certificate and related private key are generated by making use of New-ExchangeCertificate cmdlet and it is well known as TLS keys. New-ExchangeCertificate cmdlet allows you to mentioned metadata regarding certificate. By means of that you will be able to make use of same certificate for different kind of services. Before you request for a certificate or you are going to create certificate for exchange then you should make use of TLS. I let you know that metadata is used for certificates for SSL and TLS services. This particular metadata terms is referred as fields into resulting certificate. In order to view computer certificates you should simply use Get-ExchangeCertificate cmdlet into Exchange Management Shell. Also you should use Certificate Manager snap-in from Microsoft Management Console

[GALIENA]

Following are then basic steps to generate and use TLS certificate over here.

• First of all you should generate or request to get a certificate
• Import certificate on EDGE server or Hub transport server
• After that you have to enable certificate for SMTP service.
• After that you have to mentioned desire domain which you wanted to send domain secured email
  
• Finally you have to configure send connector.