In Exchange 2007 it is possible to configure selected destinations for "Domain Secured" email, this is approximately equivalent to the Postfix "secure" setting. There are a few pitfalls:
- One must be careful to only enforce "Domain Security" *outbound*. The GUI management tools only support enforcing Domain Security in both directions; this is unwise and breaks mail forwarding, since mail delivered indirectly from the origin domain will not have the right client certs and will be refused (in many cases even the real sending domain won't have suitable client certs). To enable just the outbound direction one needs to use the "power shell" interface to manipulate Global Transport settings.

- It is not as easy to configure custom certificate matching rules per destination. There is no "TLS policy table"; rather the peer certificate must exactly match the nexthop domain. Custom "connectors" can be used to make explicit nexthop choices as necessary.

The process is roughly as follows:

- Create one or more outbound "Connectors" for which "Domain Security" is enabled (easy via GUI).
- Associate selected domains with a connector as above (easy via GUI).
- Define which domains require outbound "Domain Security": non-obvious power-shell scripting.

One of our Exchange admins has put together the attached power shell script which you may find useful.

For Microsoft's instructions, see:

http://technet.microsoft.com/en-us/library/bb266978.aspx#ConfigOutbound

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.
param(
    [Microsoft.Exchange.Data.SmtpDomain] $domain = $(throw "Need a domain name (i.e. example.com)"),
    [switch] $add,      # add specified domains
    [switch] $remove,   # remove specified domains
    [switch] $send,     # update TLSSendDomainSecureList
    [switch] $receive   # update TLSReceiveDomainSecureList
)

if ($add -and $remove) {
    write-error "Specify either -add or -remove, not both"
    exit
}

if (-not ($send -or $receive)) {
    write-error "Specify the domain secure list type (-send and/or -receive)"
    exit
}

# Update the Send Domain Secure list
if ($send) {
    # current list of domains
    $doms = @( (Get-TransportConfig).TLSSendDomainSecureList )

    # add $domain to the current list and make it unique
    if ($add) {
        $doms += $domain
        $doms = $doms | sort-object -unique
    }

    # remove the current domain by filtering it out in where-object {}
    if ($remove) {
        $doms = $doms | where-object { "$_" -ne $domain }
    }

    # if $doms is empty (i.e. last domain removed from the list), set
    # the domain secure list value to $null, otherwise @($doms)
    if ($doms.count -eq 0 -or -not $doms) {
        Set-TransportConfig -TLSSendDomainSecureList $null
    } else {
        Set-TransportConfig -TLSSendDomainSecureList @($doms)
    }
}

# Update the Receive Domain Secure list
if ($receive) {
    # current list of domains
    $doms = @( (Get-TransportConfig).TLSReceiveDomainSecureList )

    # add $domain to the current list and make it unique
    if ($add) {
        $doms += $domain
        $doms = $doms | sort-object -unique
    }

    # remove the current domain by filtering it out in where-object {}
    if ($remove) {
        $doms = $doms | where-object { "$_" -ne $domain }
    }

    # if $doms is empty (i.e. last domain removed from the list), set
    # the domain secure list value to $null, otherwise @($doms)
    if ($doms.count -eq 0 -or -not $doms) {
        Set-TransportConfig -TLSReceiveDomainSecureList $null
    } else {
        Set-TransportConfig -TLSReceiveDomainSecureList @($doms)
    }
}

# output our new view of the Send/Receive domain secure list
Get-TransportConfig | format-list TLS*Domain*
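As an added illustration (not part of Viktor's post or the attached script), the three steps above carried out entirely from the Exchange Management Shell, ending with a check that the domain was only added to the *send* list; the connector name "Partner-Secure" and the peer domain example.com are placeholders.

```powershell
# Added example, not from the post or the attached script. Placeholders:
# connector name "Partner-Secure", peer domain example.com.
$peer = "example.com"

# Step 1: an outbound Send connector with Domain Security enabled.
# Domain Security needs DNS (MX) routing on the connector, not a smart host.
New-SendConnector -Name "Partner-Secure" -Usage Custom `
    -AddressSpaces "SMTP:$peer;1" `
    -DNSRoutingEnabled $true `
    -DomainSecureEnabled $true

# Step 2 is the address space given above: mail for $peer now routes
# through this connector and nothing else.

# Step 3: require Domain Security for $peer in the outbound direction only.
# The receive list is left untouched, so mail forwarded indirectly from
# $peer (arriving without $peer's client cert) is still accepted.
$send = @( (Get-TransportConfig).TLSSendDomainSecureList ) + $peer |
    ForEach-Object { "$_" } | Sort-Object -Unique
Set-TransportConfig -TLSSendDomainSecureList @($send)

# Check: $peer must be on the send list and must NOT be on the receive list.
$cfg = Get-TransportConfig
$sendList = @($cfg.TLSSendDomainSecureList | ForEach-Object { "$_" })
$recvList = @($cfg.TLSReceiveDomainSecureList | ForEach-Object { "$_" })
if ($sendList -notcontains $peer) {
    Write-Error "$peer is missing from TLSSendDomainSecureList"
}
if ($recvList -contains $peer) {
    Write-Warning "$peer is also on TLSReceiveDomainSecureList; inbound enforcement will refuse forwarded mail"
}
Get-SendConnector "Partner-Secure" |
    Format-List Name, AddressSpaces, DomainSecureEnabled, DNSRoutingEnabled
```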