In Exchange 2007 it is possible to configure selected destinations
for "Domain Secured" email, this is approximately equivalent to the
Postfix "secure" setting. There are a few pitfalls:

    - One must be careful to only enforce "Domain Security" *outbound*.
      The GUI management tools only support enforcing Domain Security
      in both directions; this is unwise and breaks mail forwarding,
      since mail delivered indirectly from the origin domain will not
      have the right client certs and will be refused (in many cases
      even the real sending domain won't have suitable client certs).

      To enable just the outbound direction one needs to use the
      "power shell" interface to manipulate the Global Transport settings.

    - It is not as easy to configure custom certificate matching rules
      per destination. There is no "TLS policy table", rather the
      peer certificate must exactly match the nexthop domain. Custom
      "connectors" can be used to make explicit nexthop choices as
      necessary.

The process is roughly as follows:

    - Create one or more outbound "Connectors" for which "Domain Security"
      is enabled (easy via GUI).

    - Associate selected domains with a connector as above (easy via GUI).

    - Define which domains require outbound "Domain Security" (non-obvious
      power-shell scripting).

One of our Exchange admins has put together the attached power shell
script which you may find useful.

For Microsoft's instructions, see:

http://technet.microsoft.com/en-us/library/bb266978.aspx#ConfigOutbound

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
# Add or remove one domain from the Exchange 2007 TLS Send and/or Receive
# "Domain Secure" lists in the Global Transport configuration.
param(
        [Microsoft.Exchange.Data.SmtpDomain] $domain = $(throw "Need a domain name (i.e. example.com)"),

        [switch] $add,          # add specified domains
        [switch] $remove,       # remove specified domains
        [switch] $send,         # update TLSSendDomainSecureList
        [switch] $receive       # update TLSReceiveDomainSecureList
)

if ($add -and $remove) {
        write-error "Specify either -add or -remove, not both"
        exit
}

if (-not ($send -or $receive)) {
        write-error "Specify the domain secure list type (-send and/or -receive)"
        exit
}

# Update the Send Domain Secure list
if ($send) {
        # current list of domains
        $doms = @( (Get-TransportConfig).TLSSendDomainSecureList )

        # add $domain to the current list and make it unique
        if ($add) {
                $doms += $domain
                $doms = $doms | sort-object -unique
        }

        # remove the current domain by filtering it out in where-object {}
        if ($remove) {
                $doms = $doms | where-object { "$_" -ne $domain }
        }

        # if $doms is empty (i.e. last domain removed from the list), set
        # the domain secure list value to $null, otherwise @($doms)
        if ($doms.count -eq 0 -or -not $doms) {
                Set-TransportConfig -TLSSendDomainSecureList $null
        } else {
                Set-TransportConfig -TLSSendDomainSecureList @($doms)
        }
}

# Update the Receive Domain Secure list
if ($receive) {
        # current list of domains
        $doms = @( (Get-TransportConfig).TLSReceiveDomainSecureList )

        # add $domain to the current list and make it unique
        if ($add) {
                $doms += $domain
                $doms = $doms | sort-object -unique
        }

        # remove the current domain by filtering it out in where-object {}
        if ($remove) {
                $doms = $doms | where-object { "$_" -ne $domain }
        }

        # if $doms is empty (i.e. last domain removed from the list), set
        # the domain secure list value to $null, otherwise @($doms)
        if ($doms.count -eq 0 -or -not $doms) {
                Set-TransportConfig -TLSReceiveDomainSecureList $null
        } else {
                Set-TransportConfig -TLSReceiveDomainSecureList @($doms)
        }
}

# output our new view of the Send/Receive domain secure list
Get-TransportConfig | format-list TLS*Domain*
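The following check script is an addition, not part of Viktor's post or the attached script: for one domain it verifies the outbound-only state described above (present in TLSSendDomainSecureList, absent from TLSReceiveDomainSecureList, and routed by at least one Send Connector with DomainSecureEnabled). It assumes the Get-TransportConfig and Get-SendConnector cmdlets of the Exchange Management Shell; the wildcard handling of connector address spaces uses PowerShell -like semantics and is an approximation of Exchange's own matching.

```powershell
# Check that outbound-only Domain Security is in place for one domain.
param(
        [string] $domain = $(throw "Need a domain name (e.g. example.com)")
)

$cfg = Get-TransportConfig

# Outbound-only means: listed in the Send list, NOT listed in the Receive list.
$inSend    = @($cfg.TLSSendDomainSecureList    | where-object { "$_" -eq $domain }).count -gt 0
$inReceive = @($cfg.TLSReceiveDomainSecureList | where-object { "$_" -eq $domain }).count -gt 0

# Send Connectors with Domain Security enabled whose address space covers the
# domain. AddressSpace.Address is the bare domain part ("example.com",
# "*.example.com" or "*"); -like treats it as a wildcard pattern, which is an
# approximation of Exchange's address-space matching (assumption).
$connectors = @(Get-SendConnector | where-object { $_.DomainSecureEnabled } | where-object {
        $_.AddressSpaces | where-object { $domain -like $_.Address }
})

"Domain:                     $domain"
"In TLSSendDomainSecureList: $inSend"
"In TLSReceiveDomainSecureList: $inReceive"
"Domain Secured connectors:  " + (($connectors | foreach-object { $_.Name }) -join ", ")

if ($inSend -and -not $inReceive -and $connectors.count -gt 0) {
        "OK: $domain is enforced outbound only via a Domain Secured Send Connector."
} else {
        if (-not $inSend) {
                write-warning "$domain is not in TLSSendDomainSecureList; outbound Domain Security is not enforced."
        }
        if ($inReceive) {
                write-warning "$domain is in TLSReceiveDomainSecureList; inbound enforcement breaks forwarded mail."
        }
        if ($connectors.count -eq 0) {
                write-warning "No Send Connector with DomainSecureEnabled covers $domain; the list entry alone is not enough."
        }
}
```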
