-
-
Notifications
You must be signed in to change notification settings - Fork 808
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ImportExchange script update Send Connector using Set-SendConnector #1754
Comments
It goes beyond my knowledge of Exchange but I think it would make sense for the script to update the certificate whereever it's required, not just the most common services. If you have an Exchange lab available, would you mind also testing this change while your at it? #1372
Generally it a lot safer to work with certificate thumbprints than with the subject, because multiple certificates can share the same subject. |
@WouterTinus thanks for your work on this great tool and taking the time to respond. Sorry I don't have an exchange lab, I've just been reviewing logs in a production environment. If I get one up and running for this I'll try to include looking at the other issue #1372 I will certainly look at adjusting my current setup to delete old certs as mentioned by @nsumner36 in #1372 as this may be worth trying before the powershell commands I've suggested as the SendConnector only references the cert by fqdn and Issuer so deleting expired certs may force it to use the new one and make this request redundant.
Whilst I agree in principle with your statement about using the thumbrint, we don't have the thumbprint of the old cert and the object returned by Get-SendConnector does not include the thumbprint of the old cert. According the the microsoft documentation for Set-SendConnector the method using -TLSCertificateName I listed above is the correct one to populate the Send-Connector for Exchange. Extract from the documentation I can also see the possibility that more than one connector may share the same certificate as they may be scoped to send to different destinations, but would want to project the same identity. |
Felt brave and FYI ran a manual with cleanup old certifcates in production which resulted in the following anonymised extract from the verbose output Updating Exchange services... I can confirm despite the error the old certificate was removed from the store. I'll try to verify that the Send Connector is actually using the new certificate, or still issues the old cert. |
@WouterTinus took me a little while to track down how to correctly validate which certificate was in use on the send connector as there is no direct link to the thumbprint in the send connector. _Yes. If the Subject and Issuer are the EXACT same, then you just need to confirm in the SMTP protocol logs that the inbound and outbound connections are using that new cert as you have seen. Make sure the chain is good on the new one and then remove the OLD cert via MMC and add the Certificate snap-in and delete it there from the personal store. I like to then restart the transport service after removing the old cert. After that verify via the protocol logs and queue monitoring that things are moving._ Thankfully I already had verbose logging on for the Send Connector. I searched through the logs under "...\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend" It appears that the Exchange Notes for Win-Acme should suggest setting .PARAMETER LeaveOldExchangeCerts to 0 where used on a Hybrid Exchange server as these send connectors are part of the Office 365 configuration
Based on this I think that this request can be closed, unless you wish to consider updating the documentation before doing so. Learnt a lot going through this - Thanks again for the great tool. |
I had a second Exchange server running with script parameters of 1, I updated the script, and Win-Acme to the latest version (well the slightly modified script version). I also ran a new renewal request (deleted the old auto-renewal) and set the parameter to 0. It was unable to delete the old certs from Exchange because of the Office 365 error. Script ./Scripts/ImportExchange.ps1 starting with parameters 'F5622135FB9615C3AEDCBF62090064335BE1DDA0' 'IIS,SMTP,IMAP' 0 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\EfxKDEt0lEyHI-RNI30RzA-40c1561e6e600e7b40a4e57f6e431002e3575eec-temp.pfx' 'ZUjt437iHXiAL4yYn1pLqPJMRYmZFQxDnIr6AwHKfHE=' '[Manual] mail.nbn.org.il @ 2021/2/7 9:25:29'
I had to go and delete the certs using MMC and then they were happily gone from Exchange as well. So I still suspect we need a slight modification to the script. I will see if I can figure out any solution in the script... |
win-acme could send the thumbprint for the previously issued certificate to the script if you include I'd be happy to update the example scripts and/or docs once someone gets to the bottom of this. Also free to do a PR, the website is in a repo here: https://github.com/win-acme/win-acme.github.io |
Note to self to include this in docs:
|
Released in 2.1.20 |
I've had issues on the last couple of scheduled renewals where outbound email flow stopped from our Hybrid Exchange 2016 server used mainly to manage our Office 365 setup, but also configured as an internal SMTP relay to allowed scoped unauthenticated sending from muli-function printers as described in the Microsoft Support article. We have to use this method due to enforced MFA authentication on Office 365.
First I have checked for Win-ACME updates as I had 2.1.8.847 installed, but didn't see anything in the release notes for newer version to indicate this issue. I have subsequently updated my win-acme to latest 2.1.14.996.
I've started troubleshooting and confirmed that the certificate is correctly generated and imported by the ImportExchange.ps1 script and bound to IIS, SMTP and IMAP as recommended in your manual. I could not see any other -services options for the command that would update the required information.
I finally came across this article https://www.pei.com/exchange-mailflow-send-connector/ which descibes exactly the issue that I'm seeing with the Send Connector configured to allow relaying emails from our internal infrastructure to mailboxes in Office 365 using the certificate for TLS.
Another article indicates that MSExchangeTransport service also needs to to be restarted and similar checks and changes are needed on the default receive connector.
Would it be possible (or even desirable) for win-acme to check the Exchange Send and Receive Connectors matching the FQDN of the certificate and update them, or should this be considered as a separate task for admins to create a scheduled task to update this?
I think the poweshell code in your script should be able to identify any send connectors using
$SendConnector = Get-SendConnector | where {$Certifcate.subject -like 'CN='+$_.fqdn}
if the returned value is not null then it can be updated using code adapted from the article I linked
$TLSCertificate = (‘<I>’+$Certificate.issuer+'<S>’+$Certificate.subject) Set-SendConnector -Identity $SendConnector.Identity -TLSCertificateName $TLSCertificate
I shall see if I can find time to do some modification of a copy of the ImportExchange script and further testing, as all looks to be possible with an amended or additional powershell script.
I'd welcome your thoughts.
The text was updated successfully, but these errors were encountered: