我在64位Windows Server 2008 R2 VM上交换了2010年版本。 我正在使用启用了IIS和SMTP服务的证书颁发机构的SSL多域证书。 我的目标是在域名checktls.com上设置放心/强制/强制/无所谓的TLS(不投机)。 设置任何发送/接收连接器之前,我做他们的TestReceiver( http://checktls.com/perl/TestReceiver.pl )与所有结果ok和绿色。
接下来,我们做他们的TestSender( http://checktls.com/perl/TestSender.pl ),电子邮件以“您的电子邮件已成功使用TLS安全发送”的自信文本回到“SUCCESSFUL”。
现在用于连接器。 作为交换,我创build了一个名为“CheckTLS”的新的发送连接器,其用途是“Partner”。 地址空间是“checktls.com”,选中“包含所有子域名”(Cost = 1)。 “启用域安全(相互validationTLS)”被选中。
我创build了一个名为“CheckTLS”的新接收连接器,其用途为“Partner”,端口25,远程IP地址为69.61.187.232(CheckTLS的IP地址)。 “传输层安全性(TLS)”和“启用域安全性(相互validationTLS)”是唯一在“validation”选项卡上选中的项目。 权限组有“合作伙伴”和“匿名”检查。
我发出的PowerShell命令…
set-transportconfig -TLSReceiveDomainSecureList checktls.com set-transportconfig -TLSSendDomainSecureList checktls.com 这里是一切都打破的地方
CheckTLS的TestReceivertesting有以下细节…
我的ReceiveSMTPlogin交换看起来像这样…
2014-09-17T18:57:43.290Z,MAIL\CheckTLS,08D1A0B838DEF207,0,10.10.30.9:25,69.61.187.232:56543,+,, 2014-09-17T18:57:43.290Z,MAIL\CheckTLS,08D1A0B838DEF207,1,10.10.30.9:25,69.61.187.232:56543,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions 2014-09-17T18:57:43.290Z,MAIL\CheckTLS,08D1A0B838DEF207,2,10.10.30.9:25,69.61.187.232:56543,>,"220 MAIL.EXAMPLE.COM Microsoft ESMTP MAIL Service ready at Wed, 17 Sep 2014 13:57:42 -0500", 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,3,10.10.30.9:25,69.61.187.232:56543,<,EHLO checktls.com, 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,4,10.10.30.9:25,69.61.187.232:56543,>,250-MAIL.EXAMPLE.COM Hello [69.61.187.232], 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,5,10.10.30.9:25,69.61.187.232:56543,>,250-SIZE 10485760, 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,6,10.10.30.9:25,69.61.187.232:56543,>,250-PIPELINING, 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,7,10.10.30.9:25,69.61.187.232:56543,>,250-DSN, 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,8,10.10.30.9:25,69.61.187.232:56543,>,250-ENHANCEDSTATUSCODES, 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,9,10.10.30.9:25,69.61.187.232:56543,>,250-STARTTLS, 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,10,10.10.30.9:25,69.61.187.232:56543,>,250-AUTH, 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,11,10.10.30.9:25,69.61.187.232:56543,>,250-8BITMIME, 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,12,10.10.30.9:25,69.61.187.232:56543,>,250-BINARYMIME, 2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,13,10.10.30.9:25,69.61.187.232:56543,>,250 CHUNKING, 2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,14,10.10.30.9:25,69.61.187.232:56543,<,STARTTLS, 2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,15,10.10.30.9:25,69.61.187.232:56543,>,220 2.0.0 SMTP server ready, 2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,16,10.10.30.9:25,69.61.187.232:56543,*,,Sending certificate 2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,17,10.10.30.9:25,69.61.187.232:56543,*,"CN=MAIL.EXAMPLE.COM, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",Certificate subject 2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,18,10.10.30.9:25,69.61.187.232:56543,*,"CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",Certificate issuer name 2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,19,10.10.30.9:25,69.61.187.232:56543,*,0011001001001001000100,Certificate serial number 2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,20,10.10.30.9:25,69.61.187.232:56543,*,000011100011100001110001100,Certificate thumbprint 2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,21,10.10.30.9:25,69.61.187.232:56543,*,MAIL.EXAMPLE.COM;AUTODISCOVER.EXAMPLE.COM;WEBMAIL.EXAMPLE.COM,Certificate alternate names 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,22,10.10.30.9:25,69.61.187.232:56543,<,EHLO checktls.com, 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,23,10.10.30.9:25,69.61.187.232:56543,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate' 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,24,10.10.30.9:25,69.61.187.232:56543,>,250-MAIL.EXAMPLE.COM Hello [69.61.187.232], 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,25,10.10.30.9:25,69.61.187.232:56543,>,250-SIZE 10485760, 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,26,10.10.30.9:25,69.61.187.232:56543,>,250-PIPELINING, 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,27,10.10.30.9:25,69.61.187.232:56543,>,250-DSN, 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,28,10.10.30.9:25,69.61.187.232:56543,>,250-ENHANCEDSTATUSCODES, 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,29,10.10.30.9:25,69.61.187.232:56543,>,250-AUTH, 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,30,10.10.30.9:25,69.61.187.232:56543,>,250-8BITMIME, 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,31,10.10.30.9:25,69.61.187.232:56543,>,250-BINARYMIME, 2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,32,10.10.30.9:25,69.61.187.232:56543,>,250 CHUNKING, 2014-09-17T18:57:43.945Z,MAIL\CheckTLS,08D1A0B838DEF207,33,10.10.30.9:25,69.61.187.232:56543,<,MAIL FROM:<[email protected]>, 2014-09-17T18:57:43.945Z,MAIL\CheckTLS,08D1A0B838DEF207,34,10.10.30.9:25,69.61.187.232:56543,*,Tarpit for '0.00:00:30', 2014-09-17T18:58:13.959Z,MAIL\CheckTLS,08D1A0B838DEF207,35,10.10.30.9:25,69.61.187.232:56543,>,530 5.7.1 Not authenticated, 2014-09-17T18:58:13.959Z,MAIL\CheckTLS,08D1A0B838DEF207,36,10.10.30.9:25,69.61.187.232:56543,<,QUIT, 2014-09-17T18:58:13.959Z,MAIL\CheckTLS,08D1A0B838DEF207,37,10.10.30.9:25,69.61.187.232:56543,>,221 2.0.0 Service closing transmission channel, 2014-09-17T18:58:13.959Z,MAIL\CheckTLS,08D1A0B838DEF207,38,10.10.30.9:25,69.61.187.232:56543,-,,Local
因为我现在无法从CheckTLS接收任何内容,所以我看不到CheckSendertesting的结果,但是我的交换服务器的SendSMTP日志显示如下…
2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,10,10.10.30.9:63267,69.61.187.246:25,<,220 Ready to start TLS, 2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,11,10.10.30.9:63267,69.61.187.246:25,*,,Sending certificate 2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,12,10.10.30.9:63267,69.61.187.246:25,*,"CN=mail.EXAMPLE.COM, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",Certificate subject 2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,13,10.10.30.9:63267,69.61.187.246:25,*,"CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",Certificate issuer name 2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,14,10.10.30.9:63267,69.61.187.246:25,*,1110010101010101010101001111,Certificate serial number 2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,15,10.10.30.9:63267,69.61.187.246:25,*,1100101001001010010101001010101010101,Certificate thumbprint 2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,16,10.10.30.9:63267,69.61.187.246:25,*,MAIL.EXAMPLE.COM;AUTODISCOVER.EXAMPLE.COM;WEBMAIL.EXAMPLE.COM,Certificate alternate names 2014-09-17T19:13:00.194Z,CheckTLS,08D1A0B838DEF26D,17,10.10.30.9:63267,69.61.187.246:25,*,,Received certificate 2014-09-17T19:13:00.194Z,CheckTLS,08D1A0B838DEF26D,18,10.10.30.9:63267,69.61.187.246:25,*,11010010010010101010010101001001001,Certificate thumbprint 2014-09-17T19:13:00.194Z,CheckTLS,08D1A0B838DEF26D,19,10.10.30.9:63267,69.61.187.246:25,>,EHLO MAIL.EXAMPLE.COM, 2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,20,10.10.30.9:63267,69.61.187.246:25,<,"250-ts3.checktls.com Hello mail.EXAMPLE.COM [1.2.3.4], pleased to meet you", 2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,21,10.10.30.9:63267,69.61.187.246:25,<,250-ENHANCEDSTATUSCODES, 2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,22,10.10.30.9:63267,69.61.187.246:25,<,250-8BITMIME, 2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,23,10.10.30.9:63267,69.61.187.246:25,<,250 HELP, 2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,24,10.10.30.9:63267,69.61.187.246:25,*,2238593,sending message 2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,25,10.10.30.9:63267,69.61.187.246:25,>,MAIL FROM:<[email protected]>, 2014-09-17T19:13:00.288Z,CheckTLS,08D1A0B838DEF26D,26,10.10.30.9:63267,69.61.187.246:25,<,250 Ok - mail from [email protected], 2014-09-17T19:13:00.288Z,CheckTLS,08D1A0B838DEF26D,27,10.10.30.9:63267,69.61.187.246:25,>,RCPT TO:<[email protected]>, 2014-09-17T19:13:00.350Z,CheckTLS,08D1A0B838DEF26D,28,10.10.30.9:63267,69.61.187.246:25,<,250 Ok - recipient [email protected], 2014-09-17T19:13:00.350Z,CheckTLS,08D1A0B838DEF26D,29,10.10.30.9:63267,69.61.187.246:25,>,DATA, 2014-09-17T19:13:00.397Z,CheckTLS,08D1A0B838DEF26D,30,10.10.30.9:63267,69.61.187.246:25,<,354 Send data. End with CRLF.CRLF, 2014-09-17T19:13:00.537Z,CheckTLS,08D1A0B838DEF26D,31,10.10.30.9:63267,69.61.187.246:25,<,250 Ok, 2014-09-17T19:13:00.553Z,CheckTLS,08D1A0B838DEF26D,32,10.10.30.9:63267,69.61.187.246:25,>,QUIT, 2014-09-17T19:13:00.600Z,CheckTLS,08D1A0B838DEF26D,33,10.10.30.9:63267,69.61.187.246:25,<,221 ts3.checktls.com closing connection, 2014-09-17T19:13:00.600Z,CheckTLS,08D1A0B838DEF26D,34,10.10.30.9:63267,69.61.187.246:25,-,,Local
作为交换的事件查看器显示事件ID 11017(MSExchangeTransport),并且由于未提供传输层安全性(TLS)证书,因此连接器“CheckTLS”上来自域安全域“CheckTLS.com”的消息未能通过身份validation。 CheckTLS.com的pipe理员来解决问题,或从域安全列表中删除域。
我有一个Sonicwall NSA 2400防火墙,因为我已经阅读了一些TLS思科防火墙与TLSstream量有关的问题。 在Sonicwall日志中没有看到任何内容,表明这是问题所在。
抱歉信息的轰炸,但我在我的智慧结束试图正确地得到这个设置。 任何build议,我可以去下一个将不胜感激。 一旦我用CheckTLS正常工作,计划就是和实际的业务合作伙伴build立起来,但是首先我需要把所有的鸭子连在一起。
非常感谢你。
我有这个相同的问题,并在这里find了解决办法(第一个答案): http : //community.spiceworks.com/topic/266218-exchange-2010-forcedtls-email-stuck-during-routing-phase
它涉及取消选中相互validationTLS并将其设置为仅用于encryption – 否则您需要来自合作伙伴域的证书。 希望这可以帮助。