Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-13
The selection of an inbound STARTTLS certificate occurs in the following scenarios:
- Simple Mail Transfer Protocol (SMTP) hosts request Transport
Layer Security (TLS) with Edge Transport servers. The host that
requests TLS with the Edge Transport server may be any other SMTP
host. This also describes the Domain Security scenario. For more
information about Domain Security, see Planning for Domain
- SMTP clients, such as
Microsoft Outlook Express, request TLS with Hub
- Internet-facing Hub Transport servers request TLS with an Edge
When an SMTP session is established, the receiving server initiates a certificate selection process to determine which certificate to use in the TLS negotiation. The sending server also performs a certificate selection process. For more information about that process, see Selection of Outbound Anonymous TLS Certificates.
This topic describes the certificate selection process for inbound STARTTLS. All the steps described in this topic are performed on the receiving server. The following figure shows the steps of this process.
- When the SMTP session is established, Microsoft Exchange
calls a process to load the certificates.
- In the load certificate function, the Receive connector to
which the session is connected is checked to see whether the
AuthMechanism property is set to a value of
TLS. You can set the AuthMechanism property on the Receive connector by using the Set-ReceiveConnector cmdlet. You can also set the AuthMechanism property to TLS by selecting Transport Security Layer (TLS) on the Authentication tab of a given Receive connector.
If TLS is not enabled as an authentication mechanism, the server does not advertise X-STARTTLS as an option to the sending server and no certificate is loaded. If TLS is enabled as an authentication mechanism, the certificate selection process continues to the next step.
- The certificate selection process retrieves the fully qualified
domain name (FQDN) value from the Receive connector configuration.
If the FQDN value on the Receive connector is
null, the server’s physical FQDN is retrieved.
- The certificate selection process searches the local computer
certificate store for certificates that match the FQDN. If a
certificate is not found, the server does not advertise X-STARTTLS,
no certificate is loaded, and Event ID 12014 is logged in
the Application log.
- The certificate selection process searches for all certificates
in the certificate store that have a matching FQDN. From this list,
the certificate selection process identifies a list of eligible
certificates. Eligible certificates must meet the following
- The certificate is an X.509 version 3 or a later version
- The certificate has an associated private key.
- The Subject or Subject Alternate Name fields contain the FQDN
that was retrieved in step 3.
- The certificate is enabled for Secure Sockets Layer (SSL)/TLS
use. Specifically, the SMTP service has been enabled for this
certificate by using the Enable-ExchangeCertificate
- The certificate is an X.509 version 3 or a later version certificate.
- If no eligible certificates are found after these checks, the
server does not advertise X-STARTTLS, no certificate is loaded, and
Event ID 12014 is logged in the Application log.
- From the eligible certificates, the best certificate is
selected based on the following sequence:
- Sort eligible certificates by most recent Valid from
date. Valid from is a Version 1 field on the
- The first valid public key infrastructure (PKI) certificate
that is found in this list is used.
- If no valid PKI certificates are found, the first self-signed
certificate is used.
- Sort eligible certificates by most recent Valid from date. Valid from is a Version 1 field on the certificate.
- The certificate is checked to see whether it has expired. The
Valid to field in the certificate properties is compared to
the current date and time. If the certificate has not expired,
STARTTLS is advertised. If the certificate has expired,
Event ID 12016 is logged in the Application log, but
STARTTLS is still advertised.
For More Information
For more information about how certificates are selected for other TLS scenarios, see the following topics: