Solved

Exchange 2007 SSL Problem with Domain Name

Posted on 2011-03-04
26
824 Views
Last Modified: 2012-05-11
Hey everyone.  Here is my situation.  I have inherited supporting a network where they named the internal domain the name of aaa.com.  I have an exchange 2007 server on this internal domain that I am trying to install an SSL cert on.  The machine name is computer.aaa.com.  Here is the problem.  The brilliant minds that created this internal domain, named it a domain we do not own!  Therefore, I can't get a cert validated and approved on aaa.com.  We don't own it!!  

The external domain name is something totally different yyy.com.  We own that and I am able to get an SSL to secure those names.  The problem is I am getting this error in my event log constantly.

Microsoft Exchange could not find a certificate that contains the domain name mail.yyy.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of mail.yyy.com. If the connector's FQDN is not specified, the computer's FQDN (computername.aaa.com) is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

The problem is that my email is heading out the door with my internal computer domain name computername.aaa.com.  That fails every time on Reverse DNS checks.  

I can't get an SSL to match our internal domain name.  I really, really, really can't rename the internal domain, so I have to find a way to make this work.   Can anyone offer any suggestions that I can try?
0
Comment
Question by:kevingibbs1
26 Comments
 
LVL 28

Expert Comment

by:sunnyc7
ID: 35041161
Therefore, I can't get a cert validated and approved on aaa.com.  We don't own it!!  
>> you don't need to own the internal domain name.

As long as you own the external domain name - you can get the certificate generated in the name of

mail.yyy.com
computername.aaa.com
autodiscover.yyy.com

Can you copy paste the full error with EventID
0
 

Author Comment

by:kevingibbs1
ID: 35041204
The event log entry is...
Log Name:      Application
Source:        MSExchangeTransport
Date:          3/4/2011 7:16:13 PM
Event ID:      12014
Task Category: TransportService
Computer:      computer.aaa.com
Description:
Microsoft Exchange could not find a certificate that contains the domain name mail.yyy.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of mail.yyy.com. If the connector's FQDN is not specified, the computer's FQDN (computername.aaa.com) is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

I have to be the authorized contact on the domain to be able to approve any certs on it right?  How can I authorize a cert on a domainname that I don't own?

I'll be straight with you man.  This is my first time ssl'ing an exchange server, so I may be missing some simple stuff here.  
0
 
LVL 28

Assisted Solution

by:sunnyc7
sunnyc7 earned 250 total points
ID: 35041219
Are you using TLS with any external domain (some companies / partners want you to submit emails in TLS only) ?
If not - then you can practically ignore that error.

But for consistency's sake:
a) Are you using a Third Party SSL from GoDaddy etc. or a self-signed.
b) You need to re-key the certificate. and add the computername.yyy.com
Here is the go daddy help page for re-keying.
http://help.godaddy.com/article/4976

Let me know who is your certificate provider, you will have to check with them for re-keying.

After re-keying, you need to install the certificate.

This U-bTech tool will come handy.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html
 

thanks
0
 

Author Comment

by:kevingibbs1
ID: 35041238
Sunny, I already did a rekey with GoDaddy.  I added the computername.yyy.com as an alternate SAN.  The cert got re-keyed just fine, but when I re-installed it, the new SAN I entered was nowhere to be found.  I called GoDaddy and asked what the deal is and they said that if we don't own the domain name, I can't use it in the cert.

I mean, am I crazy to say, they have a point.  I mean, I cant exactly add mail.microsoft.com as a SAN on my cert can I.  I'd have to own the domain to validate it, no??
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 35041255
No error is @ GoDaddy's part.

Tell them computername.aaa.com is an internal domain name -- not AAA.com and you won't be getting free gas on the road with that certificate.

You can technically @ mail.microsoft.com (Why didn't I ever think of that for my test lab.....)

On a serious note, check if the cert is installed properly.

get-exchangecertificate | fl
Compare thumbprint of old and re-keyed.

You can use the u-btech tool above to install the new one if you already re-key'd
0
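The re-key, import and thumbprint comparison sunnyc7 describes above, written out as an Exchange Management Shell script. This is an added example and not code from the thread; it assumes Exchange 2007 SP3 with PowerShell 2.0 on a single Hub Transport server, uses the names the thread settled on (mail.yyy.com, autodiscover.yyy.com and the bare host name, since GoDaddy refused servername.aaa.com), and the file paths and organisation name are placeholders. The last function performs the same lookup that produces event 12014: for each connector it asks whether an SMTP-enabled certificate in the local store carries the connector's FQDN.

```powershell
# Added example, not from the original thread. Assumes Exchange 2007 SP3 / PowerShell 2.0 on one
# Hub Transport server. Names come from the thread; paths and the O= value are placeholders.

$publicName  = 'mail.yyy.com'
$sanNames    = @('mail.yyy.com', 'autodiscover.yyy.com', $env:COMPUTERNAME)   # no servername.aaa.com
$requestFile = 'C:\certreq\mail_yyy_com.req'   # placeholder path
$signedFile  = 'C:\certreq\mail_yyy_com.cer'   # placeholder path, the file the CA returns

# 1. CSR containing only names the CA can validate (yyy.com) plus the bare host name.
New-ExchangeCertificate -GenerateRequest -Path $requestFile `
    -SubjectName "CN=$publicName, O=Example Org, C=US" `
    -DomainName $sanNames -PrivateKeyExportable $true -KeySize 2048

# 2. Import the signed certificate and bind it to SMTP (and IIS for OWA/Autodiscover).
#    Exchange 2007 takes -Path here; Exchange 2010 and later use -FileData instead.
$cert = Import-ExchangeCertificate -Path $signedFile
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP,IIS

# 3. The check behind event 12014: does an SMTP-enabled certificate carry each connector's FQDN
#    (or the server's own FQDN when the connector has none)? Exact-name match only; a wildcard
#    entry such as *.yyy.com is not expanded by this function.
function Test-ConnectorCertificate {
    $serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $smtpCerts  = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'SMTP' }
    $connectors = @(Get-SendConnector) + @(Get-ReceiveConnector)
    foreach ($c in $connectors) {
        $name = if ($c.Fqdn) { $c.Fqdn.ToString() } else { $serverFqdn }
        $hit  = $smtpCerts | Where-Object {
            ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $name
        } | Select-Object -First 1
        $row = "" | Select-Object Connector, Fqdn, Thumbprint
        $row.Connector  = $c.Identity.ToString()
        $row.Fqdn       = $name
        $row.Thumbprint = if ($hit) { $hit.Thumbprint } else { '(none: expect event 12014)' }
        $row
    }
}

# Compare the thumbprint in this table with the one from the old certificate to confirm the
# re-keyed certificate is the one the Transport service is actually using.
Test-ConnectorCertificate | Format-Table -AutoSize
```

A connector whose FQDN is still servername.aaa.com shows no thumbprint because no public CA will put that name in the certificate; that row is the one to fix on the connector side rather than the certificate side.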
 

Author Comment

by:kevingibbs1
ID: 35041277
They specifically told me that I would need to rename my domain to aaa.local or something totally different...THAT WE OWNED.  Crazy.  I'm going to give that u-btech you provided a try and see what happens.  Sunny, thanks so much for your help.  I'll let you know what happens!
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 35041283
Sure.

Domain rename = should be the last option.
And I'd rather take it up with tech support, than go rename the domain. (Too many Dependencies, not sure what it will break etc..., post rename tasks ?)
0
 

Author Comment

by:kevingibbs1
ID: 35041288
Couldn't agree more.  The idea of renaming the domain makes me want to puke!  I'm intrigued by this tool.  Hopefully it will help.  I'll post results later!

0
 

Author Comment

by:kevingibbs1
ID: 35041371
I don't get it!  I recreate the CSR with this tool and I have all my domain names added to it (internal and external).  I drop the new CSR in the re-key tool with GoDaddy and it just keeps showing my current WRONG domains!  I can't for the life of me get it to display my "new" internally named domains!  Any ideas
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 35041381
I think you need to check with GoDaddy Support.

PS: After changing did you refresh the screen. It maybe displaying cached data
Try logging out - new browser and check if the changes are reflected.
0
 

Author Comment

by:kevingibbs1
ID: 35041384
Yep, tried all that.  No luck.  Calling them now.
0
 

Author Comment

by:kevingibbs1
ID: 35041636
OK, here is the latest.  Got a hold of godaddy and what I was told is that you can't add a SAN that has a domain on it that you don't own.  Plain and simple.  I tried to add computername.aaa.com.  A domain verification email gets sent to the owner of aaa.com.  Its not me, so I will never get it approved since I don't own the domain.

So, they said all I have to do is add a SAN with just the local computer name NOT including the domain portion.  I did that and the new cert re-generated just fine.  I imported it and all looks great.  

Only problem is, I am still getting my damn server name in the headers of emails I send out..still causing reverse DNS failures.  I just can't seem to get my FQDN of my actual public facing mail server (mail.blahblah.com) to show in the headers.  I've changed my FQDN in my Send Connector, but to no avail.  It just still keeps using my damn server name.  

Here is an event log entry.  Same as above only now it is focused on the internal mail server's name.

Log Name:      Application
Source:        MSExchangeTransport
Date:          3/4/2011 10:35:25 PM
Event ID:      12014
Task Category: TransportService
Description:
Microsoft Exchange could not find a certificate that contains the domain name servername.aaa.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SERVERNAME with a FQDN parameter of servername.aaa.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Any ideas???  Thanks for all your help!  BTW, I love the SSL Tool you shared!
0
 

Author Comment

by:kevingibbs1
ID: 35041660
OK, I just ran this command to hide the headers from outgoing mail.  Not sure if that is going to cause me more problems or what, but I thought I would give it a try.  Thoughts?
http://exchangeshare.wordpress.com/2008/05/26/how-to-remove-header-from-outgoing-mails-in-exchange-2007/
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 35041685
I will think about this over the weekend and let you know.
I am still not in favor of domain rename.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35041930
Sorry sunny, i don't agree this time ;)

Check out my guide here: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_3575-Choosing-the-correct-domain-name.html

If you have used an internal domain name of microsoft.com for example that is the domain name, the computername.microsoft.com is the HOST name.

Therefore requesting a SAN entry of computername.microsoft.com will fail because it will request authorisation from the registered contact at Microsoft.com.

That said, the error you are seeing in the event log is related to TLS and unless you are using TLS can safely be ignored.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 35043289
Thanks for dropping in demazter :)

I agree @ TLS error
0
 

Author Comment

by:kevingibbs1
ID: 35043583
Wow.  That guide nailed my problem to a T!  Thanks Dez!  That is precisely my problem as we do not own our internal domain name!  Ugh!!  So, I can't get an SSL to secure computername.aaa.com.  

So, this comes full circle to my problem.  My outgoing emails keep showing my internal exchange server name  in the headers and not my actual mail."domain i own".com.  I have changed the FQDN in my send connector, but I continue to see my internal server name in the headers.  It is causing me to get errors like this below from some recipients.

sale-kykrw-2228747919@craigslist.org
mxi7p.craigslist.org #554 5.7.1 Client host rejected: rDNS/DNS_validation_failed._Please_setup_matching_DNS_and_rDNS_records

Original message headers:

Received: from internalserver.internaldomainname.com ([::1]) by internalserver.internaldomainname.com ([::1]) with mapi; Tue,
 22 Feb 2011 16:20:52 -0500
From: Matthew Doe <matthew@domain_we_own.com>
To: "sale-kykrw-2228747919@craigslist.org"
        <sale-kykrw-2228747919@craigslist.org>
Date: Tue, 22 Feb 2011 16:20:50 -0500

Now, I would assume you would tell me that I need to contact my ISP and make sure RDNS is setup.  I assure you, it is.  I can run any RDNS checker and comes back clean.  I believe it is the bolded line above showing my internal server and  ::1 as the IP that is killing me.  Any ideas how to fix.

Thanks you both so much for your time and help!
0
 
LVL 74

Accepted Solution

by:Glen Knight
Glen Knight earned 250 total points
ID: 35044077
Change the FQDN on the Send Connector to mail.external.domain name, make sure you have an A record that matches the name you use, and that the rDNS is also matching.

See here for more exact details: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2370-Exchange-DNS-Configuration.html

Of course to completely resolve your issue you need to rename your internal domain, which is not supported with Exchange 2007.

0
 

Author Comment

by:kevingibbs1
ID: 35044139
Dezmaster thanks!  As always your articles are spot on!  Here's the deal.   I had already changed my send connector's FQDN long ago.  It's been right for a while.  However, you mention I should also change my receive connector as well.  I checked it, and it is displaying my internal server name.  However, when I attempted to change it to the correct mail.domain.com name, I got this.....

The following error(s) occurred while saving changes:

set-receiveconnector
Failed
Error:
When the AuthMechanism parameter on a Receive connector is set to the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server "servername.internaldomainname.com", the NetBIOS name of the transport server "servername", or $null.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35044310
>> I should also change my receive connector as well.  I checked it, and it is displaying my internal server name.  However, when I attempted to change it to the correct mail.domain.com name.  I got this.....

If you only have 1 exchange server then on the permissions tab uncheck exchange servers and then you will be able to change this.

If you have more than 1 exchange server then ignore this step.
0
 

Author Comment

by:kevingibbs1
ID: 35044376
Dez, tried that and same error came up.  Unchecked, it, applied, OK.  Went back in and changed the FQDN, but same error came up.  Do I need to re-start a service or something?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35044490
Under authentication exchange server is not checked?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35044494
On the authentication and permission tabs (the last 2) there will be an exchange server option on both.  Make sure it's unchecked.
0
 

Author Comment

by:kevingibbs1
ID: 35044495
Unchecked. Promise!
0
 

Author Comment

by:kevingibbs1
ID: 35044497
Ahhh, didn't do it on BOTH tabs. I'll try that when I get back home. Thanks!!
0
 

Author Comment

by:kevingibbs1
ID: 35044895
That did it.  You both got me to this solution in a couple different directions.  I thank you both sincerely and feel that it is only fair to split the points.  Sunny, you helped me with the SSL, and Dez, you got me squared away on some DNS and FQDN issues!  Thanks guys!!
0
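The connector and DNS changes from Glen Knight's accepted solution and the follow-up about the ExchangeServer authentication mechanism, as one script. This is an added example and not code from the thread; it assumes Exchange 2007 SP3 with PowerShell 2.0, a single Hub Transport server (removing ExchangeServer from the receive connector is only safe when no other Exchange server needs to authenticate to it, which is the caveat Glen Knight gives), the "Default SERVERNAME" receive connector named in the event log above, and a placeholder public IP address. The DNS check at the end tests the forward and reverse agreement that the rejecting MTA looks for: the EHLO name the Send connector presents must resolve to the sending IP, and that IP's PTR must resolve back to the same name.

```powershell
# Added example, not from the original thread. Assumes Exchange 2007 SP3 / PowerShell 2.0 and a
# single Hub Transport server. The public IP is a placeholder from TEST-NET-3; use your own.

$publicName = 'mail.yyy.com'
$publicIp   = '203.0.113.25'   # placeholder: the address the server connects out from

# 1. Send connector: the name presented in EHLO, which the receiving MTA compares with the PTR.
Get-SendConnector | Set-SendConnector -Fqdn $publicName

# 2. Receive connector: Fqdn may only differ from the server's own FQDN once ExchangeServer is
#    gone from both AuthMechanism and PermissionGroups (the two tabs discussed in the thread).
$rcId = "$env:COMPUTERNAME\Default $env:COMPUTERNAME"
$rc   = Get-ReceiveConnector -Identity $rcId
$auth = @($rc.AuthMechanism.ToString()   -split ',\s*' | Where-Object { $_ -ne 'ExchangeServer'  })
$perm = @($rc.PermissionGroups.ToString() -split ',\s*' | Where-Object { $_ -ne 'ExchangeServers' })
if ($auth.Count -eq 0) { $auth = @('None') }
if ($perm.Count -eq 0) { $perm = @('None') }
Set-ReceiveConnector -Identity $rcId -AuthMechanism ($auth -join ',') -PermissionGroups ($perm -join ',')
Set-ReceiveConnector -Identity $rcId -Fqdn $publicName   # fails with the error quoted above if step 2 was skipped

# 3. A(publicName) must contain publicIp and PTR(publicIp) must be publicName. Run this from a host
#    that uses public resolvers: an internal split-brain zone can hide a broken public record.
function Test-MailDns {
    param([string]$Name, [string]$Ip)
    $forward = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString })
    $reverse = try {
        [System.Net.Dns]::GetHostEntry([System.Net.IPAddress]::Parse($Ip)).HostName
    } catch { '(no PTR)' }
    $ok = ($forward -contains $Ip) -and ($reverse -ieq $Name)
    "A   $Name -> $($forward -join ', ')"
    "PTR $Ip -> $reverse"
    if ($ok) { "OK: forward and reverse DNS agree for $Name" }
    else     { "FAIL: A/PTR do not agree; fix DNS with the ISP before relying on connector changes" }
}

Test-MailDns -Name $publicName -Ip $publicIp
```

The MAPI hop from ::1 in the quoted headers is the internal submission step and is not what the remote server validates; it checks the connecting IP against the EHLO name, which is why the Send connector FQDN and the A/PTR pair are the settings that matter for the craigslist rejection.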
