Configuring a Certificate on Exchange Receive Connector

Today's article is about configuring Exchange receive connectors with specific certificates.

Out of the box, Exchange uses self-signed certificates to provide TLS-secured mail flow. This will definitely be an issue if you expose the SMTP protocol to client computers, since they won't trust the certificate.

In this article we are going to configure a certificate that was issued by a third-party certificate authority on the Client Frontend receive connector.

We'll start with getting the thumbprint of the certificate using the Get-ExchangeCertificate cmdlet:

[PS] C:\> Get-ExchangeCertificate

Thumbprint                               Subject
----------                               -------
241B864DC82C664FECBA18B8D54987AAFB65B4C2 CN=*.lab.com, ...
D4D210886B34E690191A1F008C78FDD0E7325DD4 CN=Exchange2013A
960171662EB261162F9C8CBE12E0B75D6F06ABB0 CN=Microsoft Exchange Server Auth Certificate
2690324B827A9F2B75D59104F81CAAA57CDD627B CN=WMSvc-Exchange2013A

[PS] C:\>

The first certificate is the one that should be bound to the receive connector, so we'll save it in a variable:

[PS] C:\> $cert = Get-ExchangeCertificate -Thumbprint "241B864DC82C664FECBA18B8D54987AAFB65B4C2"

In order to configure the certificate on the receive connector, we have to create a special string that contains the issuer and the subject of the certificate:

[PS] C:\> $cert | fl Thumbprint,Issuer,Subject

Thumbprint : 241B864DC82C664FECBA18B8D54987AAFB65B4C2
Issuer     : CN=GeoTrust SSL CA - G3, O=GeoTrust Inc., C=US
Subject    : CN=*.lab.com, OU=IT Services...

[PS] C:\> $tls = "<i>$($cert.Issuer)<s>$($cert.Subject)"
[PS] C:\>

Now that we've got the string, let's configure the receive connector:

[PS] C:\> Set-ReceiveConnector "Exchange2013A\Client Frontend Exchange2013A" -TlsCertificateName $tls

[PS] C:\>

To verify that you've configured the right certificate, all you have to do is use the "Get-SMTPCertificate" cmdlet of the CPolydorou.Exchange module.

[PS] C:\> Get-SMTPCertificate -Server Exchange2013A -Port 587 | fl *

Subject        : CN=*.lab.com, OU=IT Services...
Issuer         : CN=GeoTrust SSL CA - G3, O=GeoTrust Inc., C=US
ExpirationDate : 10/8/2018 2:59:59 AM
EffectiveDate  : 10/8/2015 3:00:00 AM
Hash           : 241B864DC82C664FECBA18B8D54987AAFB65B4C2
PublicKey      : 3082010A0282010100C59337B0081723CA71F4A0F...
Format         : X509
KeyAlgorithm   : 1.2.840.113549.1.1.1
SerialNumber   : 46D2E3EB1E047FCB27F827C66F642188
Type           : System.Security.Cryptography.X509Certificates.X509Certificate2
Server         : Exchange2013A
Port           : 587

[PS] C:\>

The thumbprint of the certificate from the first command should match the value of the Hash attribute above. If it does, you're all set!
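The whole procedure above as one script, plus a verification step that does not depend on a third-party module: it speaks SMTP STARTTLS to the connector with .NET's SslStream and compares the thumbprint the server actually presents. This is an added example, not code from the original post; the server name, port, thumbprint and connector name are the article's values and are assumptions you would replace with your own.

```powershell
# Added example (not from the original post). Assumed values taken from the article.
$Server        = "Exchange2013A"
$Port          = 587
$Thumbprint    = "241B864DC82C664FECBA18B8D54987AAFB65B4C2"
$ConnectorName = "Exchange2013A\Client Frontend Exchange2013A"

# 1. Bind the certificate. TlsCertificateName is "<i>Issuer<s>Subject"; build it from
#    the certificate object itself so the issuer/subject strings match exactly.
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
$tls  = "<i>$($cert.Issuer)<s>$($cert.Subject)"
Set-ReceiveConnector $ConnectorName -TlsCertificateName $tls

# 2. Fetch the certificate the connector really presents after STARTTLS.
function Get-StartTlsCertificate {
    param([string]$ComputerName, [int]$TcpPort)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $TcpPort)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $null = $reader.ReadLine()                          # 220 greeting banner
    $writer.WriteLine("EHLO verify.local")
    do { $line = $reader.ReadLine() } while ($line -match '^250-')   # skip "250-" continuation lines
    if ($line -notmatch '^250 ') { throw "EHLO rejected: $line" }
    $writer.WriteLine("STARTTLS")
    $line = $reader.ReadLine()
    if ($line -notmatch '^220') { throw "STARTTLS not accepted: $line" }
    # Accept any chain here on purpose: we only want to see which certificate is presented,
    # even if it is still the untrusted self-signed one. Real clients must not do this.
    $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $cb)
    $ssl.AuthenticateAsClient($ComputerName)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $client.Close()
    return $presented
}

$presented = Get-StartTlsCertificate -ComputerName $Server -TcpPort $Port
if ($presented.Thumbprint -eq $Thumbprint) {
    "OK: ${Server}:$Port presents $($presented.Subject) ($($presented.Thumbprint))"
} else {
    "MISMATCH: expected $Thumbprint, got $($presented.Thumbprint) ($($presented.Subject))"
}
```

Run it from the Exchange Management Shell so the Exchange cmdlets are available; the STARTTLS check part works from any Windows host that can reach the connector.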
