Configure Exchange Server with Public TLS
A business that wants to encrypt all of its outbound email traffic must set up public TLS on its Internet-facing connectors. This is a straightforward procedure if your company routes mail through a central server, such as an Edge or Hub Transport server, but the same four-step approach applies to any public-facing servers, whether they form a single Send and Receive pair, sit at different sites with their own public connectors, or both.
Step 1 – Check the fully qualified domain name (FQDN). To avoid errors caused by certificate name mismatches, double-check that the name you put in the certificate request is the connector’s FQDN; the two must match. You can find the connector’s FQDN in the connector’s properties. For the rest of this article we assume that mail.example.com is the connector’s FQDN.
Step 2 – Create a certificate request. Generating a certificate request file is the first step in obtaining a certificate. Complete this step on the server where the certificate will be installed: a certificate can be exported and moved to another server later, but that adds complexity you should avoid unless you really need it. Launch Exchange PowerShell and run the New-ExchangeCertificate command to generate the request file. The general form is:
New-ExchangeCertificate -GenerateRequest:$True -FriendlyName TLSCert -KeySize 1024 -Path path -PrivateKeyExportable:$true -SubjectName "Subject", where the CN in Subject is the FQDN of your connector, TLSCert is the friendly name for your certificate request, path is the filename for the request file, and Subject is the distinguished name for your certificate.
The whole command for our example domain looks like this (replace mail.example.com with your own connector’s FQDN):
New-ExchangeCertificate -GenerateRequest:$True -FriendlyName ExampleTLSCert -KeySize 1024 -Path c:\example.req -PrivateKeyExportable:$true -SubjectName "c=us, o=Example Corp, CN=mail.example.com"
You can then send the request file to your preferred Certificate Authority (CA) to obtain the finished certificate. Pay attention to the subject you use in the request: if the organization in the certificate’s “o=” field does not own the domain in the “cn=” field, most CAs will reject the request. Note that some CAs only want the text contents of the request file pasted into a form, while others insist on receiving the file itself. Whichever CA you use, follow its submission instructions to the letter.
Step 3 – Install the certificate. After a few days, your CA will send you the finished certificate file. All that is needed now is the Import-ExchangeCertificate command. First, copy the certificate file somewhere convenient, such as the root of the C: drive. Then import it with Import-ExchangeCertificate -Path "path to certificate".
The command reports back the certificate’s thumbprint. Make a note of it; you will need it in the next step.
Step 4 – Enable the certificate. The next step is to tell Exchange to use the newly installed certificate on the local machine. The Enable-ExchangeCertificate command does this: in Exchange PowerShell, run Enable-ExchangeCertificate -Thumbprint "thumbprint" -Services SMTP.
Note that steps 3 and 4 can be combined into a single command line to save typing. The combined command looks like this: Import-ExchangeCertificate -Path "path to certificate" | Enable-ExchangeCertificate -Services SMTP
With TLS set up on your Exchange system, the next step is to create three different Send Connectors on each server that will be used to send messages out to the Internet.
The first should be set to “TLS Required” for your most trusted partners, ensuring that all mail between your business and its closest partners and customers is transmitted encrypted. Make sure your business partners’ domain names are included in this connector’s routing rules (its address spaces). The Set-SendConnector command in Exchange PowerShell with the -RequireTLS:$true option accomplishes this.
The second send connector should be set to never use TLS. When you deal with a company whose certificate has expired or whose TLS setup is otherwise broken, you can simply add its domain to this connector’s routing rules. The -IgnoreSTARTTLS:$true parameter on the Set-SendConnector command in Exchange PowerShell accomplishes this.
The third send connector, which uses opportunistic TLS, handles all remaining mail domains and so becomes the de facto default send connector. Opportunistic TLS is the easiest to set up because it is Exchange’s default behavior.
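As an added example (not from the original article), the following Exchange Management Shell script creates the three Send Connectors just described, reuses the connector FQDN from Step 1, and lists each connector’s TLS setting afterwards. The server name, connector names and partner domains are constructed placeholders.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell on the
# Internet-facing transport server after Step 4 has bound the certificate to the SMTP service.
# Server name, connector names and partner domains are constructed placeholders.
$SourceServer   = 'EXCH-EDGE01'                                 # the server that sends to the Internet
$ConnectorFqdn  = 'mail.example.com'                            # must match the certificate's CN (Step 1)
$PartnerDomains = @('partner-one.example.net', 'partner-two.example.org')  # trusted partners: TLS required
$NoTlsDomains   = @('legacy-vendor.example.com')                # broken or expired TLS: ignore STARTTLS

# Pre-flight check: a non-expired certificate must already be enabled for SMTP, otherwise
# the "TLS Required" connector cannot negotiate TLS and mail to those partners just queues.
$smtpCert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' -and $_.NotAfter -gt (Get-Date) }
if (-not $smtpCert) { throw 'No valid certificate is enabled for SMTP on this server.' }

# Address spaces take the form 'SMTP:domain;cost'. Exchange picks the most specific match,
# so partner and no-TLS domains never fall through to the catch-all connector.
$partnerSpaces = $PartnerDomains | ForEach-Object { "SMTP:$_;1" }
$noTlsSpaces   = $NoTlsDomains   | ForEach-Object { "SMTP:$_;1" }

# 1. TLS required: delivery fails rather than falling back to cleartext.
New-SendConnector -Name 'Internet - TLS Required' -Usage Internet -Fqdn $ConnectorFqdn `
    -AddressSpaces $partnerSpaces -SourceTransportServers $SourceServer `
    -DNSRoutingEnabled $true -RequireTLS:$true

# 2. No TLS: Exchange ignores the remote server's STARTTLS offer, so mail travels in the clear.
New-SendConnector -Name 'Internet - No TLS' -Usage Internet -Fqdn $ConnectorFqdn `
    -AddressSpaces $noTlsSpaces -SourceTransportServers $SourceServer `
    -DNSRoutingEnabled $true -IgnoreSTARTTLS:$true

# 3. Opportunistic TLS (the default) for everyone else, via the wildcard address space.
New-SendConnector -Name 'Internet - Opportunistic TLS' -Usage Internet -Fqdn $ConnectorFqdn `
    -AddressSpaces 'SMTP:*;10' -SourceTransportServers $SourceServer `
    -DNSRoutingEnabled $true

# Verify the resulting TLS posture of the three connectors in one table.
Get-SendConnector | Where-Object { $_.Name -like 'Internet - *' } |
    Format-Table Name, AddressSpaces, RequireTLS, IgnoreSTARTTLS, Fqdn -AutoSize
```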