TLS Certificate in Edge Server for Hybrid Mail flow

TLS Certificate plays important role in the mail flow between On promises and Exchange online in Hybrid Setup. If the certificate is not renewed or not updated properly in the On promises Inbound/Outbound servers which are configured in the EOP, You will end of with Mail delivery issues.

On-premises Mail routing will be done by using EDGE Servers which are placed in the DMZ Location for the inbound and outbound mail routing. At Exchange Online Protection(EOP), We need to have connectors created and placed for the mail routing. Please refer the article which talks about the mailflow and SMTP Mail Routing in the EOP.

Here will show you how to import the new certificate in the Exchange Store and how to enable the certificate for the Exchange certificate for the SMTP Service. SMTP Port 25 used for the Mail routing between On-Promsies and EOP.

EOP Always will understand the public certificate which issued by the third party certificates provider like Symantec, Commodo, Geo trust. Hence we need to buy the public certificate for the TLS Mail Routing in the Hybrid Setup. ideally it will costs around $250 Dollars for three years. I always suggest to go for minimum three years for the any public certificate purchase.

Okay, Let’s begin.

Import the certificate in the MMC–Certificates–Computer Store-Personal

Once certificate has been imported with private Keys.Run Get-ExchangeCertificate|select Thumbprint ,Services to check the certificates and the certificates are enabled for the enabled for the SMTP Services.

Run the below command to enable the new certificate to for the SMTP Services,

Enable-ExchangeCertificate -Thumbprint 571C45E942D3ACEFAD6884978972971EDC54F0CA -Services SMTP

After you enabled the new certificate thumbprint to the SMTP Service, You can go ahead and remove the old certificate from the MMC Store. Recommended to export the certificate with private key and store it on safe place before deleting the certificate.

Now you have done the changes, You need to restart the Exchange transport service (MSExchangeTransport) using Services.msc or PowerShell commadlet, Here i am using Powershell to restart the service and use the Test-Servicehealth commandlet check the status of the service

Run the Get-Queue to check whether the mails are getting processed form/to the server.

In the above picture, Queue status Active shows that mails are getting processed without any issues. Hence the new certificate it is working fine for the mail process.

How to test whether it is working:

On-Promises:

Run Get-MessageTrackingLog along with MessageId to track the massage is reaching the destination properly for the inbound/Outbound mail flow.

Exchange online Protection (EOP):

Run the Get-MessageTrace along with the message MessageId to track the message whether it is delivered to the destination for both Inbound/Outbound and run Get-MessageTrace  -FromIP “Onprem EDGE Server IP” to check all the mails are reaching to EOP without any issues and run  Get-MessageTrace  -ToIP “Onprem EDGE Server IP” to check all the mails are reaching to On-Promise Inbound Servers.

#exchangeOnline #ExchangeonlineProtection

Author

Leave a comment

Your email address will not be published. Required fields are marked *