You are correct, all internal server-to-server traffic is encrypted via SSL by default. Not that you cannot break this, but it is there by default.

I am looking, and asking around. I just got an answer back from some PSS contacts already; they said "I will ask around but I know if anyone here knows that one, you might try the product group."

What is odd to me with this is that when I test SMTP over SSL via Outlook it works without error no matter what cert is the default. But when I remove the SAN cert and only have the self-signed cert installed, Outlook tossed up an error that the cert is not trusted. Add to that, I see nowhere in the command line where it says which cert is the default. I might look at the ADSI object and see if the order that they are listed there changes.

I love crazy questions that make you scratch your head.

-----Original Message-----
From: Troy Meyer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 03, 2008 8:49 AM
To: MS-Exchange Admin Issues
Subject: RE: Which Cert do I Use

Kevin,

I may be incorrect, but I believe I read somewhere that internal SMTP is encrypted with TLS using internal certs even on machines that have public certs installed. We also have a somewhat similar setup to the one you speak about, and I was confused when we started getting event log errors that internal SMTP traffic was now unencrypted because a certificate had expired, and I knew the public cert had another 2 months. It turned out I needed to renew that internal cert as well; for some reason internal traffic wasn't using the public cert.

If you find more detail on this (I know you have James Bond-ish connections at MS) I would love to hear the official word.

-Troy

-----Original Message-----
From: KevinM [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 03, 2008 8:41 AM
To: MS-Exchange Admin Issues
Subject: Which Cert do I Use

Basic question: when you have two SSL certs on a server and both of them are enabled for SMTP, how does Exchange determine which to use?

A bit more detailed question: I have a SAN cert assigned to SMTP on my Edge server and my Hub server [1]. I also have the default self-signed certificate installed on both servers. When I add the SAN cert to the server and I add it to the SMTP service, I'm presented with the option to replace the default: yes or no. Either answer I give results in both certificates being assigned to the SMTP service.

Edge sync will break if the default cert is the SAN cert. Edge sync will work if the SAN cert is not the default. Outlook SMTP over SSL will not ask to verify the cert if both certs are enabled, regardless of which cert is the default.

My question is: how does the server / client know which cert to use, and what does "default cert" mean to Exchange?

[1] This is not supported (http://technet.microsoft.com/en-us/library/cc671171.aspx) but works if you pick the default cert the right way.
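Two checks that answer the thread's question empirically, as an added example (not code from any of the posters): the first lists every certificate enabled for SMTP against the FQDNs the connectors advertise, flagging names that more than one enabled certificate carries (the ambiguous situation described above) without assuming any selection rule of Exchange's own; the second does a real EHLO/STARTTLS handshake and returns the certificate the server actually presented, so its thumbprint can be compared with Get-ExchangeCertificate. It assumes the Exchange Management Shell on a Hub or Edge server (Get-ExchangeCertificate, Get-ReceiveConnector, Get-SendConnector), PowerShell 2.0 or later, and that $SmtpHost is a placeholder for the server to probe.

```powershell
function Get-SmtpCertificateCoverage {
    # Certificates whose Services include SMTP, i.e. the ones eligible for STARTTLS.
    $smtpCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'SMTP' })
    # Every FQDN a connector advertises; these are the names a peer expects to see in the cert.
    $fqdns = @(Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)" }) +
             @(Get-SendConnector    | ForEach-Object { "$($_.Fqdn)" }) |
             Where-Object { $_ } | Sort-Object -Unique
    foreach ($fqdn in $fqdns) {
        # -like treats a "*.domain" entry as a wildcard and a plain name as an exact match.
        $covering = @($smtpCerts | Where-Object {
            @($_.CertificateDomains | Where-Object { $fqdn -like $_ }).Count -gt 0 })
        New-Object PSObject -Property @{
            Fqdn        = $fqdn
            Candidates  = $covering.Count   # 0 = no enabled cert covers this name; >1 = ambiguous
            Thumbprints = ($covering | ForEach-Object {
                "$($_.Thumbprint) self-signed=$($_.IsSelfSigned) expires=$($_.NotAfter)" }) -join '; '
        }
    }
}

function Get-PresentedSmtpCertificate {
    # Performs the EHLO/STARTTLS exchange and returns the certificate the server actually sent.
    param([Parameter(Mandatory=$true)][string]$SmtpHost, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient($SmtpHost, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    # Multi-line replies use "NNN-" on every line but the last ("NNN ").
    $readReply = { do { $line = $reader.ReadLine() } while ($line -and $line[3] -eq '-'); $line }
    & $readReply | Out-Null                            # 220 greeting
    $writer.WriteLine('EHLO probe.example.invalid')    # placeholder client name
    & $readReply | Out-Null                            # 250 capability list
    $writer.WriteLine('STARTTLS')
    if (-not (& $readReply).StartsWith('220')) { throw "STARTTLS refused by $SmtpHost" }
    # Accept whatever certificate is offered: the goal is to see it, not to trust it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
    $ssl.AuthenticateAsClient($SmtpHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $ssl.RemoteCertificate
    $client.Close()
    # Match Thumbprint against Get-ExchangeCertificate to learn which enabled cert was chosen.
    $cert | Select-Object Subject, Issuer, Thumbprint, NotAfter
}

Get-SmtpCertificateCoverage | Format-Table -AutoSize
Get-PresentedSmtpCertificate -SmtpHost $SmtpHost
```

Run the probe once against the Hub and once against the Edge server, before and after changing which certificate is the default, to see whether the presented thumbprint changes with that setting or with the connector FQDN.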