Friday, 4 September 2015

SMTP TLS Certificate Requirements

When setting up TLS, the certificate that is used by the SMTP service needs to meet a few requirements. If you read RFC 3207, it states the below:

The decision of whether or not to believe the authenticity of the
   other party in a TLS negotiation is a local matter.  However, some
   general rules for the decisions are:

   -  A SMTP client would probably only want to authenticate an SMTP
      server whose server certificate has a domain name that is the
      domain name that the client thought it was connecting to.
   -  A publicly-referenced  SMTP server would probably want to accept
      any verifiable certificate from an SMTP client, and would possibly
      want to put distinguishing information about the certificate in
      the Received header of messages that were relayed or submitted
      from the client.


Microsoft best practices are below:
  • The fully qualified Internet domain name of the server   This may be different from the internal FQDN that is used between Edge Transport servers and Hub Transport servers and should match the A record that is published on the Internet (public) DNS server. This name should be entered as a CN in the SubjectName parameter of the New-ExchangeCertificate cmdlet.
  • All the accepted domain names of the organization   Use the IncludeAcceptedDomains parameter of the New-ExchangeCertificatecmdlet to populate the Subject Alternative Name for the resulting certificate.
  • The FQDN for the connector if it isn't covered by either of the previous items   Use the DomainName parameter of the New-ExchangeCertificate cmdlet to populate the Subject Alternative Name for the resulting certificate.
In order to ensure that we pass the checktls.com and testconnectivity.microsoft.com tests for TLS, we have used the below:
  • Use a certificate from a trusted public CA e.g. GoDaddy
  • Ensure that the certificate names include the MX records (if your MX records are mx1.contoso.com and mx2.contoso.com then ensure that each SMTP server has this name on the certificate that it is using)
  • Set the FQDN of the SMTP server to be the same as the MX record name.

No comments:

Post a Comment