
FYI: Secure-channel TLS from Exchange 2007 to Postfix

From: Victor Duchovni
Date: Dec 27, 2008
In Exchange 2007 it is possible to configure selected destinations
for "Domain Secured" email; this is approximately equivalent to the
Postfix "secure" setting. There are a few pitfalls:

- One must be careful to only enforce "Domain Security" *outbound*.
The GUI management tools only support enforcing Domain Security
in both directions; this is unwise and breaks mail forwarding,
since mail delivered indirectly from the origin domain will not
have the right client certs and will be refused (in many cases
even the real sending domain won't have suitable client certs).

To enable just the outbound direction one needs to use the
PowerShell interface to manipulate the Global Transport settings.

- It is not as easy to configure custom certificate matching rules
per destination. There is no "TLS policy table"; rather, the
peer certificate must exactly match the nexthop domain. Custom
"connectors" can be used to make explicit nexthop choices as
necessary.

The process is roughly as follows:

- Create one or more outbound "Connectors" for which "Domain Security"
is enabled (easy via GUI).

- Associate selected domains with a connector as above (easy via GUI).

- Define which domains require outbound "Domain Security" (non-obvious
PowerShell scripting).

One of our Exchange admins has put together the attached PowerShell
script which you may find useful.
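The attached script did not survive in the archive. What follows is an added example for the Exchange Management Shell (Exchange 2007), not Victor's script and not Microsoft's sample; it covers the third step of the procedure above and the first pitfall (enforcing Domain Security outbound only). The domain name and connector name are placeholders, and it assumes the Send Connector has already been created and associated with the domain via the GUI.

```powershell
# Added example (not the author's attached script): require "Domain Security"
# for one destination domain in the OUTBOUND direction only.
# Values marked PLACEHOLDER are assumptions; substitute your own.

$Domain        = "example.net"            # PLACEHOLDER: destination domain hosted on the Postfix side
$ConnectorName = "Secure to example.net"  # PLACEHOLDER: Send Connector created earlier in the GUI

# 1. The Send Connector must use DNS routing (no smart host) and must not
#    ignore STARTTLS; otherwise Domain Security cannot be enabled on it.
$sc = Get-SendConnector -Identity $ConnectorName
if (-not $sc.DNSRoutingEnabled -or $sc.IgnoreSTARTTLS) {
    throw "Connector '$ConnectorName' must use DNS routing with STARTTLS not ignored"
}
Set-SendConnector -Identity $ConnectorName -DomainSecureEnabled $true

# 2. Add the domain to the *send* list in the Global Transport settings.
#    Set-TransportConfig replaces the whole list, so read it first and
#    append rather than overwrite entries that are already there.
$tc   = Get-TransportConfig
$send = @($tc.TLSSendDomainSecureList | ForEach-Object { $_.ToString() })
if ($send -notcontains $Domain) {
    $send += $Domain
    Set-TransportConfig -TLSSendDomainSecureList $send
}

# 3. Make sure the domain is NOT in the *receive* list. That is the setting
#    the GUI turns on for both directions, and it is what rejects forwarded
#    mail whose last hop has no client certificate for the origin domain.
$recv = @((Get-TransportConfig).TLSReceiveDomainSecureList | ForEach-Object { $_.ToString() })
if ($recv -contains $Domain) {
    Set-TransportConfig -TLSReceiveDomainSecureList @($recv | Where-Object { $_ -ne $Domain })
}

# 4. Show the resulting state for review.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector -Identity $ConnectorName |
    Format-List Name, DomainSecureEnabled, DNSRoutingEnabled, IgnoreSTARTTLS
```

Because Exchange has no per-destination policy table, the check in step 4 only tells you that enforcement is switched on; the actual match is against the nexthop domain, so the certificate presented by the Postfix server for that domain must carry that name as its subject or subject alternative name, or outbound mail to it will queue rather than be delivered in the clear.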

For Microsoft's instructions, see:

http://technet.microsoft.com/en-us/library/bb266978.aspx#ConfigOutbound

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.