Kevin,

I may be incorrect, but I believe I read somewhere that internal SMTP is 
encrypted with TLS using internal certs even on machines that have public certs 
installed.  We also have a somewhat similar setup to the one you speak about 
and I was confused when we started getting eventlog errors that internal SMTP 
traffic was now unencrypted because a certificate had expired and I knew the 
public cert had another 2 months.  It turned out I needed to renew that 
internal cert as well; for some reason internal traffic wasn't using the public 
cert.


If you find more detail on this (I know you have James Bondish connections at 
MS) I would love to hear the official word.


-Troy

-----Original Message-----
From: KevinM [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 03, 2008 8:41 AM
To: MS-Exchange Admin Issues
Subject: Which Cert do I Use

Basic Question = When you have 2 SSL certs on a server, and both of them are 
enabled for SMTP. How does Exchange determine which to use?

 

A bit more detailed Question -- I have a SAN cert assigned to SMTP on my EDGE 
server and my HUB server [1]. I also have the default self-signed certificate 
installed on both servers. When I add the SAN cert to the server and I add it 
to the SMTP service I'm presented with the option to replace the default; yes 
or no. Either answer I give results in both certificates being assigned to the 
SMTP service. Edge sync will break if the default Cert is the SAN cert. Edge 
sync will work if the SAN cert is not the default. Outlook SMTP over SSL will 
not ask to verify the cert if both certs are enabled, regardless of which cert 
is the default. 

My question is -- How does the server / client know which cert to use... and 
what does Default Cert mean to Exchange?

 

 

[1] This is not supported 
http://technet.microsoft.com/en-us/library/cc671171.aspx But works if you pick 
the default cert the right way


 

