FYI: Secure-channel TLS from Exchange 2007 to Postfix
- In Exchange 2007 it is possible to configure selected destinations
  for "Domain Secured" email; this is approximately equivalent to the
  Postfix "secure" setting. There are a few pitfalls:
  - One must be careful to only enforce "Domain Security" *outbound*.
    The GUI management tools only support enforcing Domain Security
    in both directions; this is unwise and breaks mail forwarding,
    since mail delivered indirectly from the origin domain will not
    have the right client certs and will be refused (in many cases
    even the real sending domain won't have suitable client certs).
    To enable just the outbound direction one needs to use the
    PowerShell interface to manipulate Global Transport settings.
  - It is not as easy to configure custom certificate matching rules
    per destination. There is no "TLS policy table"; rather the
    peer certificate must exactly match the nexthop domain. Custom
    "connectors" can be used to make explicit nexthop choices as
The process is roughly as follows:
  - Create one or more outbound "Connectors" for which "Domain Security"
    is enabled (easy via GUI).
  - Associate selected domains with a connector as above (easy via GUI).
  - Define which domains require outbound "Domain Security", non-obvious
One of our Exchange admins has put together the attached PowerShell
script which you may find useful.
For Microsoft's instructions, see:
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
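The outbound-only "Domain Security" step described in the post, as an added PowerShell example for the Exchange Management Shell. This is not the script attached to the original message; it uses the Exchange 2007 cmdlets Set-SendConnector, Get-TransportConfig and Set-TransportConfig, and the connector name "Postfix Secure Connector" and the domain "example.com" are placeholders to be replaced with the real send connector and destination domain.

```powershell
# Added example, not the script from the original post.
# Run in the Exchange Management Shell on an Exchange 2007 Hub Transport server.

$connector = "Postfix Secure Connector"   # placeholder: the send connector routing mail to the peer
$domain    = "example.com"                # placeholder: destination domain that must use Domain Security

# Step 1: enable Domain Security on the outbound connector that carries
# mail for the destination (the connector itself is created via the GUI
# or New-SendConnector and has the domain in its address space).
Set-SendConnector -Identity $connector -DomainSecureEnabled $true

# Step 2: require Domain Security only in the *send* direction.
# Read the current send-side list first so existing entries are preserved,
# then append the new domain if it is not already present.
$cfg  = Get-TransportConfig
$send = @()
foreach ($d in $cfg.TLSSendDomainSecureList) { $send += $d.ToString() }
if ($send -notcontains $domain) { $send += $domain }
Set-TransportConfig -TLSSendDomainSecureList $send

# Step 3: verify. TLSReceiveDomainSecureList is deliberately left untouched
# and should stay empty: enforcing Domain Security inbound rejects mail
# that is forwarded indirectly from the origin domain without a matching
# client certificate, which is the pitfall the post warns about.
$cfg = Get-TransportConfig
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
if ($cfg.TLSReceiveDomainSecureList.Count -gt 0) {
    Write-Warning "TLSReceiveDomainSecureList is non-empty: inbound enforcement will reject forwarded mail."
}

# Show which connectors now have Domain Security enabled and what they route.
Get-SendConnector | Where-Object { $_.DomainSecureEnabled } |
    Format-Table Name, AddressSpaces, DomainSecureEnabled -AutoSize
```

The send list is rebuilt from the existing value rather than assigned wholesale so that domains already configured are not dropped; the receive list is only inspected, never set, which is the practical difference between this script and what the GUI does when it enables Domain Security in both directions.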