Certificate Questions for Exchange 2010

Our current Exchange 2003 organization is managing 3 companies' email domains, A.com, B.com and C.com. All of their MX records are pointed to the same IP address and handled by a 3rd-party Anti-Virus & Anti-SPAM engine (Smart Host), then forwarded to our Exchange 2003 mailbox server (server name - EXCH01).

Currently, all users from these 3 companies are sharing the same network infrastructure; they all log on to the same AD forest called “internal.A.com”. All users are using Outlook (2003 to 2013) on the Windows platform to access their company emails.

All users from these 3 companies are using the external host name “webmail.A.com” for ActiveSync & webmail access with our front-end Exchange 2003 server (server name – EXCH02). On this server, we purchased and installed a single-name SSL certificate.

We have just installed an Exchange 2010 server with the CA, HT and MB roles (server name – EXCH2010) on the network, and we are going to purchase a SAN SSL certificate for the Exchange 2010 server.

From a cost-effectiveness & privacy point of view, the management team prefers to buy a distinct public domain name, for example “myemailaccess.com”, and use the external host name “mail.myemailaccess.com” to provide OWA, ActiveSync, Outlook Anywhere, Exchange Web Services, and TLS SMTP service access for all 3 companies.

According to the requirements above, I have listed the host names we might need to put on the Exchange 2010 SSL certificate request:

Outlook Web App is on the Intranet: “exch2010.internal.A.com”

Outlook Web App is on the Internet: “mail.myemailaccess.com”

Exchange Active Sync is enabled: “mail.myemailaccess.com”

Exchange Web Service is enabled: “mail.myemailaccess.com”

Outlook Anywhere is enabled: “mail.myemailaccess.com”

Autodiscover used on the Internet: “autodiscover.A.com”, “autodiscover.B.com” and “autodiscover.C.com”

Use Mutual TLS to help secure Internet Mail: “mail.myemailaccess.com”

Use Legacy Domain: “Legacy.A.com”, “Legacy.B.com” and “Legacy.C.com”

So here are my questions:

1. Are these host name settings correct for our companies’ scenario?

2. Must Exchange 2010 use an SSL certificate for secure SMTP communications (is the secured SMTP service compulsory)?

3. For the newly purchased domain “myemailaccess.com”, do we need to specify the MX record and set up the “Postmaster@myemailaccess.com” mailbox to ease the process of issuing the certificate with a commercial CA?

Thanks a lot!
LITTLE RealEstate asked:

You will find here a list of required certificates, but this depends on the services you wish to use:

Here is another one (three parts):

This could also be interesting :)
Simon Butler (Sembee), Consultant, commented:
Rather than some links, how about a real answer?
The SSL providers will no longer provide SSL certificates for internal names.
Therefore you cannot include the server name.

The solution for that problem is to configure Exchange to use the external host name everywhere, including internally via a split DNS system.
I have instructions on how to do that here: http://semb.ee/hostnames

Next - For secure SMTP traffic flow, you need to have an SSL certificate (the same one you have there) which matches the host name the clients are connecting to. As you are using a third party host, all that matters is the link between those two, so just configure the third party host to send email to the common name on the SSL certificate.

The legacy domain setting is a host name for the Exchange 2003 server. It has nothing to do with the email domains that are being used.
The usual technique is to create a new host name for that (legacy.example.com) and include that in the SSL certificate. Then, once the SSL request is complete, export and import it into the old server. Furthermore, the usual method is to include the existing OWA host name in the SSL certificate and point that in DNS at the new server. Then let Exchange sort out what needs to be redirected and what can be proxied.

That means you will have three host names in the certificate so far:


The next point is Autodiscover.
Autodiscover is not an optional setting and if you are using Outlook Anywhere you need to cover it.
There are two main options for Autodiscover that are trivial to implement:

Host names.
For each domain you will have
Autodiscover.example.com as an A record pointing to Exchange, and it will also need to be included in the SSL certificate.

SRV records
Each domain would have an SRV record for Autodiscover. http://semb.ee/srv
When using SRV records you must ensure that Autodiscover.example.com does not resolve.

As for your last part about postmaster@ - that all depends on the SSL provider. The one I usually use (GoDaddy or a GoDaddy reseller) uses the WHOIS information rather than any present email address.
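As an added illustration (not code from Simon's post or from the asker's environment), the Exchange Management Shell snippet below builds the SAN list described in the answer above for the three email domains, generates the Exchange 2010 certificate request, and checks the DNS rule for the two Autodiscover options. The host names, the organization name in the subject and the file paths are assumptions.

```powershell
# Added example: build the SAN list from the thread and generate the Exchange 2010
# certificate request. Run in the Exchange Management Shell on the 2010 server.
# All host names, domains and paths below are assumptions for illustration.
$externalHost  = "mail.myemailaccess.com"      # common name, used internally too (split DNS)
$legacyHost    = "legacy.myemailaccess.com"    # host name that will point at the Exchange 2003 server
$emailDomains  = @("A.com", "B.com", "C.com")  # accepted domains of the three companies
$useSrvRecords = $false                        # $true = SRV option, no autodiscover.<domain> names needed

# The internal server name (exch2010.internal.A.com) is deliberately left out:
# public CAs no longer issue certificates for internal names.
$sanNames = @($externalHost, $legacyHost)
if (-not $useSrvRecords) {
    $sanNames += $emailDomains | ForEach-Object { "autodiscover.$_" }
}
$sanNames = $sanNames | Select-Object -Unique

# Exchange 2010 returns the request as text; write it out to submit to the commercial CA.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$externalHost, O=Example Org, C=AU" `
    -DomainName $sanNames -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path "C:\certs\exchange2010.req" -Value $request

# After the CA returns the certificate, import it and bind it to IIS (OWA, EAS, EWS,
# Outlook Anywhere) and SMTP, e.g.:
# Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\certs\exchange2010.cer" -Encoding Byte -ReadCount 0)) | Enable-ExchangeCertificate -Services IIS,SMTP

# DNS sanity check: with the host-name option autodiscover.<domain> needs an A record;
# with the SRV option it must NOT resolve and _autodiscover._tcp.<domain> must point at
# the external host name.
function Test-AutodiscoverDns {
    param([string[]]$Domains, [string]$Target, [bool]$Srv)
    foreach ($d in $Domains) {
        $resolves = $true
        try { [void][System.Net.Dns]::GetHostAddresses("autodiscover.$d") } catch { $resolves = $false }
        if ($Srv) {
            if ($resolves) { Write-Warning "autodiscover.$d resolves; with SRV records it must not" }
            $srvOut = nslookup -type=SRV "_autodiscover._tcp.$d" 2>$null
            if (-not ($srvOut -match [regex]::Escape($Target))) {
                Write-Warning "no SRV record for $d pointing at $Target"
            }
        } elseif (-not $resolves) {
            Write-Warning "autodiscover.$d has no A record but is on the certificate"
        }
    }
}
Test-AutodiscoverDns -Domains $emailDomains -Target $externalHost -Srv $useSrvRecords
```

The exported certificate (Export-ExchangeCertificate with the private key) is then imported on the Exchange 2003 server so that the legacy host name is covered there as well.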


LITTLE RealEstate (Author) commented:
Hi Simon,

Thanks a lot for your answer and sorry for the late reply; there is quite a lot of information on your web site that needs to be read and understood.

Sorry to be a pain, but we just want to double-check with you here (just to be safe) that we are purchasing the correct certificate:

1. We need to purchase a SAN certificate and use "mail.myemailaccess.com" as the common name on the certificate for all the certificate requirements we need except the Legacy & Autodiscover functions. This SAN certificate will be imported to the only Exchange 2010 server.

2. We need to add a host name to the SAN certificate from step 1 as "legacy.myemailaccess.com"; this SAN certificate will be imported to our front-end Exchange 2003 server to support the legacy server redirect function.

3. We need to add 3 host names to the SAN certificate from step 1 as “autodiscover.A.com”, “autodiscover.B.com” and “autodiscover.C.com” and import it to the only Exchange 2010 server to support the Autodiscover function.

4. As the "mail.myemailaccess.com" name will be used internally and externally, we need to set up the "split" DNS properly.

For the SMTP SSL certificate, we have a 3rd-party SMTP gateway (anti-spam & anti-virus solution) to manage the incoming and outgoing SMTP traffic for the 3 email domains; it has already enabled incoming/outgoing Transport Layer Security at the opportunistic TLS level with its own certificate. Our existing Exchange 2003 mailbox server does not use TLS communication with this SMTP gateway. In this case, should we just use the Exchange 2010 self-signed certificate to communicate with this SMTP gateway, or is it better to use the commercial CA certificate as well?

And also a side question: your web site also mentioned that a single SSL certificate for Exchange 2010 is possible. Under our company scenario (2 Exchange 2003 servers, 1 Exchange 2010 server, a 3rd-party Smart Host, 3 email domains), would we be better off buying a few single-name SSL certificates instead of a SAN certificate? After all, the single-name SSL certificate is quite cheap (around $10 per year).

Thanks for your help again.
Simon Butler (Sembee), Consultant, commented:
If you wanted to go down the single SSL certificate route, then you would need to have two - one for the live host name and then one for the legacy host name.
It would also depend on all domains that you are using supporting SRV records.
If you can match that, then you could go down the route of using regular SSL certificates.

For SMTP flow, as you are using an appliance, the internal SSL certificate doesn't really matter. As long as the appliance can use it, then it shouldn't be a concern. For most of your senders, the critical bit is the communication between them and your point of entry - which will be your appliance.

LITTLE RealEstate (Author) commented:
Sembee's answers are worth more than 200 points; he is a true expert on Exchange matters. Thanks