Exchange 2007 SSL Problem with Domain Name

Hey everyone.  Here is my situation.  I have inherited supporting a network where they named the internal domain the name of aaa.com.  I have an exchange 2007 server on this internal domain that I am trying to install an SSL cert on.  The machine name is computer.aaa.com.  Here is the problem.  The brilliant minds that created this internal domain, named it a domain we do not own!  Therefore, I can't get a cert validated and approved on aaa.com.  We don't own it!!  

The external domain name is something totally different yyy.com.  We own that and I am able to get an SSL to secure those names.  The problem is I am getting this error in my event log constantly.

Microsoft Exchange could not find a certificate that contains the domain name mail.yyy.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of mail.yyy.com. If the connector's FQDN is not specified, the computer's FQDN (computername.aaa.com) is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

The problem is that my email is heading out the door with my internal computer domain name computername.aaa.com.  That fails every time on Reverse DNS checks.  

I can't get an SSL to match our internal domain name.  I really, really, really can't rename the internal domain, so I have to find a way to make this work.   Can anyone offer any suggestions that I can try?
kevingibbs1Asked:
Glen Knight Commented:
Change the FQDN on the Send Connector to the mail.external.domain name, make sure you have an A record that matches the name you use, and that the rDNS is also matching.

See here for more exact details: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2370-Exchange-DNS-Configuration.html

Of course to completely resolve your issue you need to rename your internal domain, which is not supported with Exchange 2007.

0
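The check Glen describes (Send Connector FQDN, matching A record, matching rDNS) can be scripted from the Exchange Management Shell. This is an added example, not code from the thread or from Microsoft; the connector name "Internet" and the public name mail.yyy.com are placeholders, and the DNS lookups use the .NET `System.Net.Dns` class because `Resolve-DnsName` does not exist on the Windows versions Exchange 2007 runs on.

```powershell
# Added example (not from the thread): align the Send Connector FQDN with public DNS.
# Assumptions: the Internet-facing Send Connector is named "Internet" and the
# public host name is mail.yyy.com (placeholder values taken from the thread).
$connectorName = "Internet"
$publicFqdn    = "mail.yyy.com"

# 1. Make outbound SMTP sessions announce the public name in HELO/EHLO
#    instead of the internal host name (computername.aaa.com).
Set-SendConnector -Identity $connectorName -Fqdn $publicFqdn
Get-SendConnector -Identity $connectorName | Format-List Name, Fqdn, SourceTransportServers

# 2. Forward lookup: the name must resolve to the address the server sends from.
$ips = [System.Net.Dns]::GetHostAddresses($publicFqdn) |
       Where-Object { $_.AddressFamily -eq 'InterNetwork' }
if (-not $ips) {
    Write-Warning "No A record found for $publicFqdn; receivers will fail the rDNS/DNS check."
    return
}

# 3. Reverse lookup: each address should map back to the same name (rDNS match).
foreach ($ip in $ips) {
    try {
        $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
    } catch {
        Write-Warning ("{0}: no PTR record (ask the ISP that owns the address block)" -f $ip)
        continue
    }
    if ($ptr -ieq $publicFqdn) {
        Write-Host ("{0} -> {1}: forward and reverse DNS match" -f $ip, $ptr)
    } else {
        Write-Warning ("{0} -> {1}: PTR does not match {2}" -f $ip, $ptr, $publicFqdn)
    }
}
```

Run it from the machine that actually sends mail, and if the server sits behind NAT compare the PTR result against the public address the recipient sees rather than the address the server's own adapter reports.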
 
sunnyc7 Commented:
Therefore, I can't get a cert validated and approved on aaa.com.  We don't own it!!  
>> you don't need to own the internal domain name.

As long as you own the external domain name - you can get the certificate generated in the name of

mail.yyy.com
computername.aaa.com
autodiscover.yyy.com

Can you copy-paste the full error with the Event ID?
0
 
kevingibbs1 Author Commented:
The event log entry is...
Log Name:      Application
Source:        MSExchangeTransport
Date:          3/4/2011 7:16:13 PM
Event ID:      12014
Task Category: TransportService
Computer:      computer.aaa.com
Description:
Microsoft Exchange could not find a certificate that contains the domain name mail.yyy.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of mail.yyy.com. If the connector's FQDN is not specified, the computer's FQDN (computername.aaa.com) is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

I have to be the authorized contact on the domain to be able to approve any certs on it right?  How can I authorize a cert on a domainname that I don't own?

I'll be straight with you man.  This is my first time ssl'ing an exchange server, so I may be missing some simple stuff here.  
0
sunnyc7 Commented:
Are you using TLS with any external domain (some companies / partners want you to submit emails in TLS only) ?
If not - then you can practically ignore that error.

But for consistency's sake:
a) Are you using a third-party SSL from GoDaddy etc. or a self-signed one?
b) You need to re-key the certificate and add computername.yyy.com.
Here is the GoDaddy help page for re-keying.
http://help.godaddy.com/article/4976

Let me know who is your certificate provider, you will have to check with them for re-keying.

After re-keying, you need to install the certificate.

This U-bTech tool will come in handy.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html

thanks
0
 
kevingibbs1 Author Commented:
Sunny, I already did a rekey with GoDaddy.  I added computername.yyy.com as an alternate SAN.  The cert got re-keyed just fine, but when I re-installed it, the new SAN I entered was nowhere to be found.  I called GoDaddy and asked what the deal is and they said that if we don't own the domain name, I can't use it in the cert.

I mean, am I crazy to say they have a point?  I mean, I can't exactly add mail.microsoft.com as a SAN on my cert, can I?  I'd have to own the domain to validate it, no??
0
 
sunnyc7 Commented:
No, the error is on GoDaddy's part.

Tell them computername.aaa.com is an internal domain name -- not AAA.com -- and you won't be getting free gas on the road with that certificate.

You can technically @ mail.microsoft.com (Why didn't I ever think of that for my test lab.....)

On a serious note, check if the cert is installed properly.

get-exchangecertificate | fl
Compare thumbprint of old and re-keyed.

You can use the U-bTech tool above to install the new one if you already re-keyed.
0
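Event 12014 is raised when a connector's FQDN is not present in any certificate's domain list, so the quickest way to see which connector is complaining is to compare every connector FQDN against `Get-ExchangeCertificate`. The script below is an added example, not code from the thread or from Microsoft; it assumes the re-keyed public certificate carries mail.yyy.com in its SAN list and uses a placeholder thumbprint for the final `Enable-ExchangeCertificate` step.

```powershell
# Added example (not from the thread): report which SMTP connector FQDNs have no
# matching certificate in the local personal store (the condition behind event 12014).
# Assumes the re-keyed certificate contains the public name mail.yyy.com.
$certs = Get-ExchangeCertificate

# Collect the FQDN each Send and Receive connector advertises; an empty FQDN
# falls back to the computer's own name, so substitute that for the comparison.
$localFqdn = [System.Net.Dns]::GetHostEntry("localhost").HostName.ToLower()
$fqdns = @()
$fqdns += Get-SendConnector    | ForEach-Object { "$($_.Fqdn)" }
$fqdns += Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)" }
$fqdns = $fqdns | ForEach-Object { if ($_) { $_.ToLower() } else { $localFqdn } } | Sort-Object -Unique

foreach ($name in $fqdns) {
    # CertificateDomains lists every CN/SAN name on the certificate.
    $match = $certs | Where-Object {
        ($_.CertificateDomains | ForEach-Object { "$_".ToLower() }) -contains $name
    }
    if ($match) {
        $first = $match | Select-Object -First 1
        Write-Host ("{0}: covered by thumbprint {1} (services: {2})" -f $name, $first.Thumbprint, $first.Services)
    } else {
        Write-Warning ("{0}: no certificate in the personal store contains this name; expect event 12014 for this connector" -f $name)
    }
}

# After confirming the re-keyed certificate covers the public name, bind it to
# SMTP so the transport service can use its private key (thumbprint is a placeholder).
# Enable-ExchangeCertificate -Thumbprint <re-keyed-cert-thumbprint> -Services SMTP
```

The comparison is an exact string match, so a wildcard certificate (*.yyy.com) will be reported as not covering mail.yyy.com even though Exchange accepts it; for the connector whose FQDN is the internal servername.aaa.com, no public CA will issue a matching name, and that warning is the one the thread agrees can be ignored unless TLS is actually required.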
 
kevingibbs1 Author Commented:
They specifically told me that I would need to rename my domain to aaa.local or something totally different...THAT WE OWNED.  Crazy.  I'm going to give that u-btech you provided a try and see what happens.  Sunny, thanks so much for your help.  I'll let you know what happens!
0
 
sunnyc7 Commented:
Sure.

Domain rename = should be the last option.
And I'd rather take it up with tech support, than go rename the domain. (Too many Dependencies, not sure what it will break etc..., post rename tasks ?)
0
 
kevingibbs1 Author Commented:
Couldn't agree more.  The idea of renaming the domain makes me want to puke!  I'm intrigued by this tool.  Hopefully it will help.  I'll post results later!

0
 
kevingibbs1 Author Commented:
I don't get it!  I recreate the CSR with this tool and I have all my domain names added to it (internal and external).  I drop the new CSR in the re-key tool with GoDaddy and it just keeps showing my current WRONG domains!  I can't for the life of me get it to display my "new" internally named domains!  Any ideas?
0
 
sunnyc7 Commented:
I think you need to check with GoDaddy Support.

PS: After changing, did you refresh the screen?  It may be displaying cached data.
Try logging out and using a new browser, and check if the changes are reflected.
0
 
kevingibbs1 Author Commented:
Yep, tried all that.  No luck.  Calling them now.
0
 
kevingibbs1 Author Commented:
OK, here is the latest.  Got a hold of GoDaddy and what I was told is that you can't add a SAN that has a domain on it that you don't own.  Plain and simple.  I tried to add computername.aaa.com.  A domain verification email gets sent to the owner of aaa.com.  It's not me, so I will never get it approved since I don't own the domain.

So, they said all I have to do is add a SAN with just the local computer name NOT including the domain portion.  I did that and the new cert re-generated just fine.  I imported it and all looks great.  

Only problem is, I am still getting my damn server name in the headers of emails I send out..still causing reverse DNS failures.  I just can't seem to get my FQDN of my actual public facing mail server (mail.blahblah.com) to show in the headers.  I've changed my FQDN in my Send Connector, but to no avail.  It just still keeps using my damn server name.  

Here is an event log entry.  Same as above only now it is focused on the internal mail server's name.

Log Name:      Application
Source:        MSExchangeTransport
Date:          3/4/2011 10:35:25 PM
Event ID:      12014
Task Category: TransportService
Description:
Microsoft Exchange could not find a certificate that contains the domain name servername.aaa.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SERVERNAME with a FQDN parameter of servername.aaa.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Any ideas???  Thanks for all your help!  BTW, I love the SSL Tool you shared!
0
 
kevingibbs1 Author Commented:
OK, I just ran this command to hide the headers from outgoing mail.  Not sure if that is going to cause me more problems or what, but I thought I would give it a try.  Thoughts?
http://exchangeshare.wordpress.com/2008/05/26/how-to-remove-header-from-outgoing-mails-in-exchange-2007/
0
 
sunnyc7 Commented:
I will think about this over the weekend and let you know.
I am still not in favor of domain rename.
0
 
Glen Knight Commented:
Sorry sunny, I don't agree this time ;)

Check out my guide here: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_3575-Choosing-the-correct-domain-name.html

If you have used an internal domain name of microsoft.com, for example, that is the domain name; computername.microsoft.com is the HOST name.

Therefore requesting a SAN entry of computername.microsoft.com will fail because it will request authorisation from the registered contact at Microsoft.com.

That said, the error you are seeing in the event log is related to TLS and, unless you are using TLS, it can safely be ignored.
0
 
sunnyc7 Commented:
Thanks for dropping in demazter :)

I agree @ TLS error
0
 
kevingibbs1 Author Commented:
Wow.  That guide nailed my problem to a T!  Thanks Dez!  That is precisely my problem as we do not own our internal domain name!  Ugh!!  So, I can't get an SSL to secure computername.aaa.com.  

So, this comes full circle to my problem.  My outgoing emails keep showing my internal exchange server name in the headers and not my actual mail."domain i own".com.  I have changed the FQDN in my send connector, but I continue to see my internal server name in the headers.  It is causing me to get errors like this below from some recipients.

sale-kykrw-2228747919@craigslist.org
mxi7p.craigslist.org #554 5.7.1 Client host rejected: rDNS/DNS_validation_failed._Please_setup_matching_DNS_and_rDNS_records

Original message headers:

Received: from internalserver.internaldomainname.com ([::1]) by internalserver.internaldomainname.com ([::1]) with mapi; Tue,
 22 Feb 2011 16:20:52 -0500
From: Matthew Doe <matthew@domain_we_own.com>
To: "sale-kykrw-2228747919@craigslist.org"
        <sale-kykrw-2228747919@craigslist.org>
Date: Tue, 22 Feb 2011 16:20:50 -0500

Now, I would assume you would tell me that I need to contact my ISP and make sure RDNS is setup.  I assure you, it is.  I can run any RDNS checker and it comes back clean.  I believe it is the bolded line above showing my internal server and ::1 as the IP that is killing me.  Any ideas how to fix?

Thank you both so much for your time and help!
0
 
kevingibbs1 Author Commented:
Dezmaster thanks!  As always your articles are spot on!  Here's the deal.   I had already changed my send connector's FQDN long ago.  It's been right for a while.  However, you mention I should also change my receive connector as well.  I checked it, and it is displaying my internal server name.  However, when I attempted to change it to the correct mail.domain.com name, I got this.....

The following error(s) occurred while saving changes:

set-receiveconnector
Failed
Error:
When the AuthMechanism parameter on a Receive connector is set to the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server "servername.internaldomainname.com", the NetBIOS name of the transport server "servername", or $null.
0
 
Glen Knight Commented:
>> I should also change my receive connector as well.  I checked it, and it is displaying my internal server name.  However, when I attempted to change it to the correct mail.domain.com name.  I got this.....

If you only have 1 Exchange server then on the Permissions tab uncheck Exchange servers and then you will be able to change this.

If you have more than 1 Exchange server then ignore this step.
0
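The same change can be made from the Exchange Management Shell, which makes the reason for the error visible: `Set-ReceiveConnector` rejects a foreign FQDN as long as the `ExchangeServer` authentication mechanism is still enabled, and the Permission Groups tab's "Exchange servers" box is the matching `ExchangeServers` permission group. This is an added example, not code from the thread or from Microsoft; the connector name "Default SERVERNAME" and mail.yyy.com are placeholders.

```powershell
# Added example (not from the thread): change the Default Receive Connector FQDN.
# Assumptions: connector name and public name are placeholders; there is only one
# Exchange server, because ExchangeServer authentication is what other Hub/Edge
# servers in the organisation use to talk to this connector.
$connector  = "Default SERVERNAME"
$publicFqdn = "mail.yyy.com"

$rc = Get-ReceiveConnector -Identity $connector
Write-Host ("Before: AuthMechanism={0}; PermissionGroups={1}; Fqdn={2}" -f `
    $rc.AuthMechanism, $rc.PermissionGroups, $rc.Fqdn)

# Keep every current mechanism except ExchangeServer (the "Exchange Server
# authentication" box on the Authentication tab). String methods are used so the
# snippet also runs in the PowerShell 1.0 shell that ships with Exchange 2007.
$auth = $rc.AuthMechanism.ToString().Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'ExchangeServer' }
if (-not $auth) { $auth = @('None') }

# Same for the "Exchange servers" box on the Permission Groups tab.
$perm = $rc.PermissionGroups.ToString().Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'ExchangeServers' }
if (-not $perm) { $perm = @('AnonymousUsers') }

# Both flags come off in the same call as the FQDN change, so the
# "AuthMechanism ... ExchangeServer" validation error in the thread no longer fires.
Set-ReceiveConnector -Identity $connector `
    -AuthMechanism ([string]::Join(',', [string[]]$auth)) `
    -PermissionGroups ([string]::Join(',', [string[]]$perm)) `
    -Fqdn $publicFqdn

Get-ReceiveConnector -Identity $connector | Format-List Name, AuthMechanism, PermissionGroups, Fqdn
```

The receive connector's FQDN is what the server puts in its SMTP banner and in the Received: header it stamps on inbound sessions, which is why it matters for the rDNS-style checks the thread describes. In an organisation with more than one Exchange server, the safer pattern is to leave the Default connector alone for internal traffic and give the Internet-facing listener its own receive connector with the public FQDN.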
 
kevingibbs1 Author Commented:
Dez, tried that and same error came up.  Unchecked, it, applied, OK.  Went back in and changed the FQDN, but same error came up.  Do I need to re-start a service or something?
0
 
Glen Knight Commented:
Under Authentication, Exchange Server is not checked?
0
 
Glen Knight Commented:
On the Authentication and Permission tabs (the last 2) there will be an Exchange Server option on both.  Make sure it's unchecked.
0
 
kevingibbs1 Author Commented:
Unchecked. Promise!
0
 
kevingibbs1 Author Commented:
Ahhh, didn't do it on BOTH tabs. I'll try that when I get back home. Thanks!!
0
 
kevingibbs1 Author Commented:
That did it.  You both got me to this solution in a couple different directions.  I thank you both sincerely and feel that it is only fair to split the points.  Sunny, you helped me with the SSL, and Dez, you got me squared away on some DNS and FQDN issues!  Thanks guys!!
0