Kaiming
Network layout: 3 forests. work.com (Exchange server WIN20081, 191.121.0.200), canoe.com (Exchange server WIN20082, 191.121.111.200) and vanarts.com (Zeeman7, 191.121.0.14, which hosts the Certificate Authority).

DNS

new-SendConnector -Name 'To-canoe.com' -Usage 'Internet' -AddressSpaces 'SMTP:canoe.com;1' -DNSRoutingEnabled $true -SourceTransportServers 'WIN20081'
set-SendConnector 'To-canoe.com' -port 26
new-ReceiveConnector -Name 'From-canoe.com' -Usage 'Internet' -Bindings '191.121.0.200:26' -Fqdn 'win20081.work.com' -Server 'WIN20081'
Test-Mailflow -TargetEmailAddress ctom@canoe.com
Even though the mail was delivered to ctom@canoe.com, the Test-Mailflow cmdlet still reports a failure status.
DNS

new-SendConnector -Name 'To-work.com' -Usage 'Internet' -AddressSpaces 'SMTP:work.com;1' -DNSRoutingEnabled $true -SourceTransportServers 'WIN20082'
set-SendConnector 'To-work.com' -port 26
new-ReceiveConnector -Name 'From-Work.com' -Usage 'Internet' -Bindings '191.121.111.200:26' -Fqdn 'win20082.canoe.com' -Server 'WIN20082'
From WIN20082, test inbound delivery to work.com by hand (the EHLO argument is the sending host's own name; the DATA command is finished with a line containing only a period):
telnet win20081.work.com 26
ehlo win20082.canoe.com
mail from:<ctom@canoe.com>
rcpt to:<robin.williams@work.com>
data
subject:test mail

test body
.
quit
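The telnet session above only shows that the partner accepts a message. For Domain Secure the partner's Receive connector also has to advertise STARTTLS on the port the Send connector uses, and that is visible in the EHLO reply. The following function is an added example, not code from the original page: it performs the same exchange as the telnet test from PowerShell and parses the EHLO reply. It assumes PowerShell 2.0 or later; the host names and port are the ones used on this page, and the EHLO name is whatever host the probe runs on.

```powershell
# Added example (not from the original page): connect to an SMTP listener the way
# the telnet test does, read the EHLO reply and report whether STARTTLS is offered.
# Assumes PowerShell 2.0 or later (try/finally, New-Object -Property).
function Test-SmtpStartTls {
    param(
        [string]$Server,                            # e.g. win20081.work.com
        [int]$Port = 26,                            # the page binds both connectors to port 26
        [string]$HeloName = 'win20082.canoe.com'    # name announced in EHLO: the probing host
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"     # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # An SMTP reply may span several lines: "250-..." continues, "250 ..." ends it.
    function Read-SmtpReply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($line -eq $null) { break }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        return $lines
    }

    try {
        $banner = @(Read-SmtpReply)
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = @(Read-SmtpReply)
        $writer.WriteLine('QUIT')
        $null = Read-SmtpReply
    }
    finally {
        $client.Close()
    }

    # Keywords advertised after the 250 code, e.g. STARTTLS, X-ANONYMOUSTLS, AUTH ...
    $ext = @($ehlo | Where-Object { $_ -match '^250[ -]' } |
                     ForEach-Object { $_.Substring(4).Trim().ToUpper() })

    New-Object PSObject -Property @{
        Server       = "$($Server):$Port"
        Banner       = ($banner -join ' ')
        EhloAccepted = ($ehlo.Count -gt 0 -and $ehlo[0].StartsWith('250'))
        StartTls     = ($ext -contains 'STARTTLS')        # required for Domain Secure
        AnonymousTls = ($ext -contains 'X-ANONYMOUSTLS')  # Exchange-to-Exchange only
        Extensions   = $ext
    }
}

# Usage from WIN20082 against the work.com Receive connector on this page:
Test-SmtpStartTls -Server 'win20081.work.com' -Port 26 | Format-List
```

If StartTls comes back False, the partner connector has no usable certificate for TLS (the certificate section below fixes that) and Domain Secure cannot be negotiated no matter what the connector and TransportConfig settings say.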
The Zeeman7.vanarts.com computer has the Certificate Authority installed. Each Exchange server must trust this CA before it can validate the certificate the partner presents.
On the Win20081.work.com computer, open:
http://191.121.0.14/certsrv
Download a CA certificate, certificate chain, or CRL
Place all certificates in the following store: Trusted Root Certification Authorities. Check "Show physical stores" and select "Local Computer"

New-ExchangeCertificate -GenerateRequest -FriendlyName "Win20081 certificate" -Path c:\win20081cer.p7c -SubjectName "DC=com,DC=work,CN=win20081.work.com" -DomainName win20081.work.com,work.com,win20081
Open c:\win20081cer.p7c in Notepad.exe;
Select all content and copy it;
http://191.121.0.14/certsrv
Request a Certificate
Advanced Certificate Request.
Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renew request by using a base-64-encoded PKCS #7 file.

On Zeeman7.vanarts.com, open the Certification Authority console and issue the pending certificate request.
Then, on Win20081.work.com, open:
http://191.121.0.14/certsrv
View the status of a pending certificate request, and download and save the issued certificate as c:\certnew.p7b.
Import-ExchangeCertificate -Path c:\certnew.p7b | Enable-ExchangeCertificate -Services smtp
I got an error: private key missing, and this certificate cannot be used with Exchange 2007.
Analyzing the error message, I found the following:

When I request a certificate, the http://191.121.0.14/certsrv address is used. However, the certificate of Win20081.work.com has the CRL attribute, which uses the DNS name: http://zeeman7.vanarts.com.
The clients must reach the certificate authority by its DNS name zeeman7.vanarts.com.
So, I created a DNS secondary zone for vanarts.com on Win20081.work.com, and then:
Import-ExchangeCertificate -Path c:\certnew.p7b | Enable-ExchangeCertificate -Services smtp
If SSL is required on the certsrv virtual directory in IIS, Import-ExchangeCertificate cannot be run; you must turn SSL off. As shown, the CRL distribution point URL in the certificate uses http://, so the CRL must be reachable over plain HTTP.
On Win20082, create a secondary zone for vanarts.com as well, then request its certificate:
New-ExchangeCertificate -GenerateRequest -FriendlyName "Win20082 certificate" -Path c:\win20082certificate.p7c -SubjectName "DC=com,DC=canoe,CN=win20082.canoe.com" -DomainName win20082.canoe.com,canoe.com,win20082
http://zeeman7.vanarts.com/certsrv
Download the issued certificate and save it as certnew.p7b
Import-ExchangeCertificate -Path c:\certnew.p7b | Enable-ExchangeCertificate -Services smtp
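The two failures described above (an issued certificate with no matching private key, and a CRL distribution point whose host name the server cannot resolve) are both things that can be checked before and after the import. The function below is an added example, not code from the original page: it inspects every certificate enabled for SMTP on the local server for the conditions that Domain Secure validation depends on. It assumes the Exchange Management Shell and PowerShell 2.0 or later, and that Get-ExchangeCertificate returns X509Certificate2 objects (which it does); the FQDN defaults to the name used on this page.

```powershell
# Added example (not from the original page): check the SMTP certificates on this
# server for the conditions the import error and the partner's mutual-TLS
# validation depend on. Assumes Exchange Management Shell, PowerShell 2.0+.
function Test-DomainSecureCertificate {
    param([string]$Fqdn = 'win20081.work.com')   # name the partner connects to

    $smtpCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' })
    foreach ($cert in $smtpCerts) {
        $problems = @()

        # The page's import error: the issued certificate must match a request whose
        # private key is in this machine's store.
        if (-not $cert.HasPrivateKey)      { $problems += 'no private key on this server' }
        if ($cert.IsSelfSigned)            { $problems += 'self-signed; the partner cannot chain it to a CA it trusts' }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }

        # The connector FQDN must be among the certificate's names.
        $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
        if ($names -notcontains $Fqdn.ToLower()) { $problems += "does not cover $Fqdn (has: $names)" }

        # Chain plus online revocation check as this box sees it: fails if the CA is
        # not in Trusted Root Certification Authorities or the CRL cannot be fetched.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        if (-not $chain.Build($cert)) {
            $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems += "chain does not validate: $status"
        }

        # CRL Distribution Points (OID 2.5.29.31): the page's fix was making the CA's
        # DNS name resolvable, so verify every http:// CDP host resolves from here.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp) {
            $urls = @([regex]::Matches($cdp.Format($true), 'http://[^\s\)]+') |
                      ForEach-Object { $_.Value })
            foreach ($url in $urls) {
                $cdpHost = ([uri]$url).Host
                try   { $null = [System.Net.Dns]::GetHostEntry($cdpHost) }
                catch { $problems += "CRL host $cdpHost does not resolve ($url)" }
            }
        }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Names      = $names
            Ok         = ($problems.Count -eq 0)
            Problems   = $problems
        }
    }
}

# Usage on WIN20081 after Enable-ExchangeCertificate -Services smtp:
Test-DomainSecureCertificate -Fqdn 'win20081.work.com' | Format-List
```

Run it on both servers; the chain check is the same validation the partner performs when the mutual TLS session is set up, so a certificate that fails it locally will fail Domain Secure remotely.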
By default, DNS-routed mail flow is not Domain Secure: any TLS negotiated between the two servers is opportunistic, and the partner is not authenticated.
First, make sure you can send mail back and forth by DNS-routed delivery: users in work.com can send mail to users in canoe.com, and vice versa. The Default Receive connectors must accept anonymous connections for that:
Set-ReceiveConnector -id "Win20081\Default Win20081" -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Set-ReceiveConnector -id "Win20082\Default Win20082" -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Get-TransportConfig | fl tls*
TLSReceiveDomainSecureList : {}
TLSSendDomainSecureList : {}
Get-SendConnector to-canoe.com | fl name,add*,port,dnsR*,domain*
Name : To-Canoe.com
AddressSpaces : {smtp:canoe.com;1}
Port : 26
DNSRoutingEnabled : True
DomainSecureEnabled : False
Get-ReceiveConnector from-canoe.com | fl name,bind*,auth*,domain*,per*
Name : From-Canoe.com
Bindings : {191.121.0.200:26}
AuthMechanism : Tls
DomainSecureEnabled : False
PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Set-TransportConfig -TLSSendDomainSecureList canoe.com -TLSReceiveDomainSecureList canoe.com
Both lists name the partner domain: TLSSendDomainSecureList is the set of domains you send Domain Secure mail to, and TLSReceiveDomainSecureList is the set of sender domains you require mutual TLS from. Putting your own domain (work.com) in the receive list does nothing, and mail from canoe.com would then be accepted without Domain Secure.
Set-SendConnector to-canoe.com -DomainSecureEnabled:$true
Set-ReceiveConnector from-canoe.com -DomainSecureEnabled:$true
Get-TransportConfig | fl tls*
TLSReceiveDomainSecureList : {canoe.com}
TLSSendDomainSecureList : {canoe.com}
Get-TransportConfig | fl tls*
TLSReceiveDomainSecureList : {}
TLSSendDomainSecureList : {}
Get-SendConnector to-work.com | fl name,add*,port,dnsR*,domain*
Name : To-work.com
AddressSpaces : {smtp:work.com;1}
Port : 26
DNSRoutingEnabled : True
DomainSecureEnabled : False
Get-ReceiveConnector from-work.com | fl name,bind*,auth*,domain*,per*
Name : From-work.com
Bindings : {191.121.111.200:26}
AuthMechanism : Tls
DomainSecureEnabled : False
PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Set-TransportConfig -TLSSendDomainSecureList work.com -TLSReceiveDomainSecureList work.com
Again both lists name the partner domain, work.com, not the local domain canoe.com.
Set-SendConnector to-work.com -DomainSecureEnabled:$true
Set-ReceiveConnector from-work.com -DomainSecureEnabled:$true
Get-TransportConfig | fl tls*
TLSReceiveDomainSecureList : {work.com}
TLSSendDomainSecureList : {work.com}
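Domain Secure is configured in three places per forest (the organization-wide TLS domain lists, the Send connector and the Receive connector), and a mistake in any of them does not stop mail; it silently falls back to ordinary delivery, which is why the lists above deserve a check. The function below is an added example, not code from the original page: run once in each forest with the partner's domain, it reports every setting that would prevent mutual TLS from being enforced. It assumes the Exchange Management Shell and PowerShell 2.0 or later; the connector names in the usage lines are the ones from this page.

```powershell
# Added example (not from the original page): verify that the TransportConfig lists,
# the Send connector and the Receive connector in this forest all agree on Domain
# Secure with the given partner. Assumes Exchange Management Shell, PowerShell 2.0+.
function Test-DomainSecureConfig {
    param(
        [string]$PartnerDomain,      # e.g. canoe.com when run in the work.com forest
        [string]$SendConnector,      # e.g. To-canoe.com
        [string]$ReceiveConnector    # e.g. Win20081\From-canoe.com
    )
    $partner  = $PartnerDomain.ToLower()
    $problems = @()

    # 1. Organization-wide lists: both must name the PARTNER domain.
    $tc   = Get-TransportConfig
    $send = @($tc.TLSSendDomainSecureList    | ForEach-Object { $_.ToString().ToLower() })
    $recv = @($tc.TLSReceiveDomainSecureList | ForEach-Object { $_.ToString().ToLower() })
    if ($send -notcontains $partner) { $problems += "TLSSendDomainSecureList lacks $partner (has: $send)" }
    if ($recv -notcontains $partner) { $problems += "TLSReceiveDomainSecureList lacks $partner (has: $recv); your own domain there is ignored" }

    # 2. Send connector: Domain Secure needs DNS routing (no smart host) and STARTTLS.
    $sc = Get-SendConnector $SendConnector
    if (-not $sc.DomainSecureEnabled) { $problems += "$($SendConnector): DomainSecureEnabled is False" }
    if (-not $sc.DNSRoutingEnabled)   { $problems += "$($SendConnector): DNSRoutingEnabled is False (smart hosts break Domain Secure)" }
    if ($sc.IgnoreSTARTTLS)           { $problems += "$($SendConnector): IgnoreSTARTTLS is True" }
    $spaces = @($sc.AddressSpaces | ForEach-Object { $_.Address.ToLower() })
    if ($spaces -notcontains $partner) { $problems += "$($SendConnector): address spaces $spaces do not include $partner" }

    # 3. Receive connector: must offer TLS and have Domain Secure switched on.
    $rc = Get-ReceiveConnector $ReceiveConnector
    if (-not $rc.DomainSecureEnabled) { $problems += "$($ReceiveConnector): DomainSecureEnabled is False" }
    if ("$($rc.AuthMechanism)" -notmatch 'Tls') {
        $problems += "$($ReceiveConnector): AuthMechanism $($rc.AuthMechanism) does not include Tls"
    }

    New-Object PSObject -Property @{
        PartnerDomain = $partner
        Ok            = ($problems.Count -eq 0)
        Problems      = $problems
    }
}

# Usage in the work.com forest (WIN20081):
Test-DomainSecureConfig -PartnerDomain 'canoe.com' -SendConnector 'To-canoe.com' `
    -ReceiveConnector 'Win20081\From-canoe.com' | Format-List
# and in the canoe.com forest (WIN20082):
# Test-DomainSecureConfig -PartnerDomain 'work.com' -SendConnector 'To-work.com' `
#     -ReceiveConnector 'Win20082\From-work.com' | Format-List
```

A Received header that says "(TLS)" only proves that TLS was negotiated; this check is what tells you whether the connectors were in a state to insist on it.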
Test
Robin.Williams@work.com sends mail to cTom@canoe.com
Received: from win20081.work.com (191.121.0.200) by WIN20082.canoe.com
(191.121.111.200) with Microsoft SMTP Server (TLS) id 8.1.240.5; Fri, 19 Dec
2008 14:39:43 -0800
Received: from Win20081.work.com ([fe80::200:5efe:191.121.0.200]) by
Win20081.work.com ([fe80::200:5efe:191.121.0.200%11]) with mapi; Fri, 19 Dec
2008 14:39:45 -0800
From: Robin Williams <Robin.Williams@work.com>
To: "ctom@canoe.com" <ctom@canoe.com>
Date: Fri, 19 Dec 2008 14:39:29 -0800
Subject: 200
Thread-Topic: 200
Thread-Index: AcliKqfB5gL9NjL6Q6W4hPwOz72JaQ==
Message-ID: <91633E8A18704244AE9A16BC8F0844C41E5ADD4DAF@Win20081.work.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-cr-hashedpuzzle: AUTl AxKs BHQw BUkR ByV+ CBSA DO/m E5yF F2Kd GCLz GgW4
HTtA Hre/ Idm/ IpB2
JJjC;1;YwB0AG8AbQBAAGMAYQBuAG8AZQAuAGMAbwBtAA==;Sosha1_v1;7;{5BED2685-6072-4780-A7C5-C75A183279EB};cgBvAGIAaQBuAC4AdwBpAGwAbABpAGEAbQBzAEAAdwBvAHIAawAuAGMAbwBtAA==;Fri,
19 Dec 2008 22:39:29 GMT;MgAwADAA
x-cr-puzzleid: {5BED2685-6072-4780-A7C5-C75A183279EB}
acceptlanguage: en-US
Content-Type: multipart/alternative;
boundary="_000_91633E8A18704244AE9A16BC8F0844C41E5ADD4DAFWin20081workc_"
MIME-Version: 1.0
Return-Path: Robin.Williams@work.com
When -Usage 'Partner' is specified, DomainSecureEnabled is set to $true on the connector automatically.
Remove-SendConnector -id 'to-work.com'
Remove-ReceiveConnector -id 'From-work.com'
new-SendConnector -Name 'to-work.com' -Usage 'Partner' -AddressSpaces 'SMTP:work.com;1' -DNSRoutingEnabled $true -SourceTransportServers 'WIN20082'
set-SendConnector 'To-work.com' -port 26
new-ReceiveConnector -Name 'From-work.com' -Usage 'Partner' -Bindings '191.121.111.200:26' -RemoteIPRanges '191.121.0.200-191.121.0.200' -Server 'WIN20082'
Get-SendConnector to-work.com | fl name,dns*,port,dom*
Name : to-work.com
DNSRoutingEnabled : True
Port : 26
DomainSecureEnabled : True
Get-ReceiveConnector From-work.com | fl name,bind*,doma*
Name : From-work.com
Bindings : {191.121.111.200:26}
DomainSecureEnabled : True
Usage Partner sets DomainSecureEnabled on the connectors, but it does not touch the organization-wide TLS domain lists, so on the canoe.com side you must still run (naming the partner domain in both lists):
Set-TransportConfig -TLSSendDomainSecureList work.com -TLSReceiveDomainSecureList work.com
Remove-SendConnector -id 'to-canoe.com'
Remove-ReceiveConnector -id 'From-canoe.com'
new-SendConnector -Name 'to-canoe.com' -Usage 'Partner' -AddressSpaces 'SMTP:canoe.com;1' -DNSRoutingEnabled $true -SourceTransportServers 'WIN20081'
set-SendConnector 'To-canoe.com' -port 26
new-ReceiveConnector -Name 'From-canoe.com' -Usage 'Partner' -Bindings '191.121.0.200:26' -RemoteIPRanges '191.121.111.200-191.121.111.200' -Server 'WIN20081'
And on the work.com side, again naming the partner domain in both lists:
Set-TransportConfig -TLSSendDomainSecureList canoe.com -TLSReceiveDomainSecureList canoe.com
The -Usage types Internet, Internal and Partner are optional; when one is given, the connector is created with the default settings for that type (as shown above, Partner turns on DomainSecureEnabled).
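The Partner connector pair and the Set-TransportConfig call above are repeated once per forest with the local and partner roles swapped, which is exactly where the two lists get mixed up. One further caveat: Set-TransportConfig replaces the lists, so the one-liners above would drop any partner domain that was already configured. The function below is an added example, not code from the original page: it creates the Partner connector pair for one forest from the local/partner parameters and appends the partner domain to both lists instead of overwriting them. It assumes the Exchange Management Shell and PowerShell 2.0 or later; the server names and addresses in the usage lines are the ones on this page.

```powershell
# Added example (not from the original page): create the Partner Send/Receive
# connector pair for one forest and add the partner domain to the organization-wide
# TLS lists without overwriting existing entries. Assumes Exchange Management
# Shell, PowerShell 2.0+.
function Enable-DomainSecurePartner {
    param(
        [string]$LocalServer,     # transport server in this forest, e.g. WIN20081
        [string]$LocalIP,         # address the Receive connector binds to, e.g. 191.121.0.200
        [string]$PartnerDomain,   # e.g. canoe.com
        [string]$PartnerIP,       # only this address may use the Partner Receive connector
        [int]$Port = 26           # the page uses 26 on both sides
    )
    $sendName = "To-$PartnerDomain"
    $recvName = "From-$PartnerDomain"

    # Send side: -Usage Partner sets DomainSecureEnabled; DNS routing is mandatory
    # for Domain Secure (no smart hosts).
    New-SendConnector -Name $sendName -Usage Partner `
        -AddressSpaces "SMTP:$PartnerDomain;1" -DNSRoutingEnabled $true `
        -SourceTransportServers $LocalServer -Port $Port | Out-Null

    # Receive side: restrict the connector to the partner's address so only that
    # host gets the Partner (Domain Secure) settings on this port.
    New-ReceiveConnector -Name $recvName -Usage Partner -Server $LocalServer `
        -Bindings "$($LocalIP):$Port" `
        -RemoteIPRanges "$($PartnerIP)-$($PartnerIP)" | Out-Null

    # Organization-wide lists: append, do not overwrite; both name the PARTNER domain.
    $tc   = Get-TransportConfig
    $send = @($tc.TLSSendDomainSecureList    | ForEach-Object { $_.ToString() })
    $recv = @($tc.TLSReceiveDomainSecureList | ForEach-Object { $_.ToString() })
    if ($send -notcontains $PartnerDomain) { $send += $PartnerDomain }
    if ($recv -notcontains $PartnerDomain) { $recv += $PartnerDomain }
    Set-TransportConfig -TLSSendDomainSecureList $send -TLSReceiveDomainSecureList $recv

    # Show the result so the Partner defaults can be checked by eye.
    Get-SendConnector $sendName |
        Format-List Name,Port,DNSRoutingEnabled,DomainSecureEnabled
    Get-ReceiveConnector "$LocalServer\$recvName" |
        Format-List Name,Bindings,RemoteIPRanges,DomainSecureEnabled
    Get-TransportConfig | Format-List TLS*
}

# work.com forest, run on WIN20081:
Enable-DomainSecurePartner -LocalServer 'WIN20081' -LocalIP '191.121.0.200' `
    -PartnerDomain 'canoe.com' -PartnerIP '191.121.111.200'
# canoe.com forest, run on WIN20082:
# Enable-DomainSecurePartner -LocalServer 'WIN20082' -LocalIP '191.121.111.200' `
#     -PartnerDomain 'work.com' -PartnerIP '191.121.0.200'
```

Remove the earlier Internet-usage connectors first, as the page does, so that two connectors do not compete for the same binding; the function does not delete anything.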