Category Archives: SSL

Exchange Microsoft Office365 SSL

Exchange: Replacing certificate for Microsoft 365 hybrid connector’s

When certificates needs to be renewed or changed on (on-premise) Exchange server’s, and you have Microsoft 365 hybrid setup though Hybrid Configuration Wizard, a Office 365 connecter is setup as send and receive:

Receive:
Default Frontend xxxx/EXCH01

Send:
Outbound to Office 365
xxxxx send connector

If you try to delete the old certificate, without setting the new cert for the connectors, you will get this in ECP:
“A special Rpc error occurs on server EXCH01: These certificates are tagged with following Send Connectors : Outbound to Office 365. Removing and replacing certificates from Send Connector would break the mail flow. If you still want to proceed then replace or remove these certificates from Send Connector and then try this command.”

So we need to move into Powershell and replace it, because it cannot be done through the ECP:

Get the thumprint for the new cert:

Get-ExchangeCertificate

So here it is, the top level cert, it’s a wildcard cert, thus the “*.” in the subject name, sorry for the maskings, this is from a non-lab environment

Copy the thumprint to notepad for next command.

Read the certificate subject and thumprint into a variable:

$cert = Get-ExchangeCertificate -Thumbprint <paste the thumbprint in here from previous command>

$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)" - Do not change anything here!

The replace the connectors:

Send Connector –

Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

Receive Connector –

Set-ReceiveConnector "EXCH01\Default Frontend EXCH01" -TlsCertificateName $tlscertificatename

Note: replace the word “EXCH01” with the name of your Exchangeserver like “MY-EXCH01\Default Frontend MY-EXCH01”

Run IISRESET

This is because the old and new certificate have the same “issuer” and “subject”, the set-sendconnector and set-receiveconenctor, cannot thereforem tell the difference, but solution is easy:

Just add another cert on the servers thumbprint to the first script, then run all commands throgh, after that, do the same again, but now with the real cert’s thumprint, and it works ?

Note that if you fail to replace your certificate before it expires (You forgot to), your mailflow between on-prem Excahnge and Exchange Online (365) will stop working and you will see this in the logs:

[Message=451 5.7.3 STARTTLS is required to send mail]

source links:

https://martinsblog.dk/exchange-replacing-certificate-for-microsoft-365-hybrid-connectors/
https://martinsblog.dk/exchange-an-error-occurred-while-using-ssl-configuration-for-endpoint-0-0-0-0444/
https://www.azure365pro.com/replacing-send-connector-certificate/

Exchange Microsoft SSL

Configure Wildcard SSL Certificate for POP/IMAP on Exchange 2010 (PowerShell)

It is assumed you have your SSL wildcard certificate already installed on an Exchange 2010 server.

We use Windows Server 2008 R2 Datacenter x64 in this example.

Open Exchange Management Shell as Administrator and get a list of SSL certificates that are available:

[PS]> Get-ExchangeCertificate

Thumbprint                    Services  Subject
----------                              --------  -------
1F70359DC0BE9CAD58F965A3C110  ...WS.    CN=*.example.com, OU=IT Dep, O=Example Comp...
0F7FF199B11E662621D80700D04F  ....S.    CN=ExampleDC

When you enable the wildcard *.example.com certificate for POP service, you normally get the following error:

PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services POP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

The same applies to IMAP:

[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services IMAP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

Set FQDN for POP service to fix the error:

[PS]> Set-POPSettings -X509CertificateName exchange2010.example.com

Do the same for IMAP service:

[PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com

Verify POP settings:

[PS]> Get-POPSettings

UnencryptedOrTLSBindings  SSLBindings            LoginType    X509CertificateName
------------------------  -----------            ---------    -------------------
{:::110, 0.0.0.0:110}     {:::995, 0.0.0.0:995}  SecureLogin  exchange2010.example...

Verify IMAP settings:

[PS]> Get-IMAPSettings

UnencryptedOrTLSBindings  SSLBindings            LoginType    X509CertificateName
------------------------  -----------            ---------    -------------------
{:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}  SecureLogin  exchange2010.example...

Restart POP and IMAP services:

[PS]> Restart-service MSExchangePOP3
[PS]> Restart-service MSExchangeIMAP4

Source link:

https://www.lisenet.com/2014/configure-wildcard-ssl-certificate-for-pop-imap-on-exchange-2010-server/

Exchange Microsoft SSL

Problems with mail flow after changing email certificate

Problems sending email from onpremises to Office 365 accounts in hybrid environment.

 

When configuring a hybrid deployment, you must use and configure certificates that you have purchased from a trusted third-party CA.

 To check if the issue is related to the certificate part, please manually remove the previously created hybrid connectors both in the on-premises Exchange server and Office 365, re-run the HCW (Hybrid Configuration Wizard) to re-create these connectors using the new certificate, then check if the messages can be delivered.

Security SSL

SSL Server Test

https://www.ssllabs.com/ssltest

Security SSL

ASP.NET application serve pages only over HTTPS?

To Serve all the pages over https add this to the Application_BeginRequest method in your Global.asax file.

 Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
   If Request.IsSecureConnection = False Then
     Dim ub As New UriBuilder(Request.Url)
     ub.Scheme = Uri.UriSchemeHttps
     ub.Port = 443
     Response.Redirect(ub.Uri.ToString, True)
   End If
 End Sub