On every Exchange server you need SSL certificates for authentication, validation and encryption purposes. For SMTP you can use the self-signed certificate. Exchange 2010 uses opportunistic TLS, so the self-signed certificate will do in this scenario. If you need to configure domain security (mutual TLS) on Exchange, you need a proper 3rd party SSL certificate for this.
SMTP communication between Office 365 and Exchange in a hybrid scenario is an example of mutual TLS or domain security. A proper 3rd party SSL certificate is needed on your Exchange server.
I was always under the impression that mutual TLS can only use the Common Name of the certificate, which in my scenario is CN=webmail.inframan.nl. After a previous blogpost there was an interesting discussion (see the comments of this particular blogpost) about this, so now it’s time to do some testing.
Originally I had a Digicert SSL certificate with Common Name CN=webmail.inframan.nl, and a Subject Alternative Name entry autodiscover.webmail.com. During the HCW I entered webmail.inframan.nl and selected the proper certificate.
It was time to renew my SSL certificate, so I added an additional SAN entry o365mail.inframan.nl.
Continue reading Exchange 2010 hybrid, SMTP, SSL Certificates and Subject Alternative Names
When configuring an Exchange 2010 hybrid environment a Receive Connector is created on the Exchange 2010 server. This Receive Connector is configured with the FQDN entered in the Hybrid Configuration Wizard (see previous blog post on Exchange 2010 Hybrid) and the source IP addresses of the Microsoft Exchange Online servers. If one of these servers access the Exchange 2010 environment, they end up on the Office 365 Receive Connector (based on the IP address) and the correct SSL certificate is returned. This way mutual TLS is established between Exchange 2010 on-premises and Exchange Online.
It sometimes happens that the wrong certificate is used for SMTP communication between Exchange on-premises and Exchange Online, thus resulting in SMTP mail flow failure between the two.
You can check this in the Exchange Admin Center (EAC) in Exchange Online. Logon to the EAC in Exchange Online, select Mail Flow and click the Connectors tab. You’ll see two connectors. One connector for mail from Exchange 2010 to Exchange Online, and one connector for mail from Exchange Online to Exchange 2010.
Continue reading Exchange 2010 Hybrid cannot establish Mutual TLS wrong certificate is used
During an upgrade of an Exchange 2013 SP1 multi-role server to Exchange 2013 CU8 the upgrade crashed, apparantly on a strange Receive Connector configuration since the following error message was raised:
The values that you specified for the Bindings and RemoteIPRanges parameters conflict with the settings on Receive connector ” SERVER1\Relay Connector SERVER1″. Receive connectors assigned to different Transport roles on a single server must listen on unique local IP address & port bindings.
Continue reading Upgrade to CU8 Fails on Receive Connector misconfiguration