Hi,

A partner organization wants to secure the email flow with us using TLS.
They sent me the result of their testing:

The MTA cannot be validated if the CN subject of the certificate doesn't match 
the banner of the mail gateway or the rdns entry. To resolve this issue the 
banner of the mail gateway must be renamed to match the CN subject of the 
certificate or a new certificate must be installed. MessageLabs cannot 
configure an Enforced TLS connection if the MTA cannot be validated.

We have a 2 node DAG (Exchange 2010 Sp2 UR5) running behind a TMG 2010 server, 
all outbound/inbound emails are passing through Exchange Online Protection.

Where exactly should I rename the banner?

Some TechNet posts point to the FQDN used in the Exchange Send and Receive 
connectors (Property: Specify the FQDN this connector will provide in response 
to HELO or EHLO).
For now the values are serverhostname.corp.acme.local, so I guess I should 
change it on all send/receive connectors to the same one used in our SSL 
certificate, which is webmail.acme.com.

Confusion comes from the fact we use EOP so I am not sure if changing the FQDN 
on our Exchange hosts will change anything as all traffic is redirected to EOP 
servers for outbound/inbound spam inspection.

Thank you.
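The check the partner describes (certificate CN or SAN must cover the EHLO banner name or the rDNS name of the MTA) can be reproduced locally before asking them to retest. The following is an added example, not code from the original post; `probe_mta` is a hypothetical helper that runs the live check against a real MTA, while the pure functions can be exercised offline with the names from the post.

```python
import smtplib
import socket
import ssl
from typing import Iterable, Optional

def cert_names(cert: dict) -> set:
    """CN plus dNSName SANs from an ssl.SSLSocket.getpeercert() dict, lower-cased."""
    names = {v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names |= {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return names

def name_matches(host: str, names: Iterable[str]) -> bool:
    """Exact match, or single-label wildcard (*.acme.com covers mail.acme.com only)."""
    host = host.lower().rstrip(".")
    for n in names:
        n = n.lower().rstrip(".")
        if n == host or (n.startswith("*.") and host.partition(".")[2] == n[2:]):
            return True
    return False

def validate_identity(banner_host: str, rdns_host: Optional[str], names: Iterable[str]) -> dict:
    """The partner's rule: the certificate must cover the EHLO banner name or the rDNS name."""
    names = set(names)
    result = {"banner_ok": name_matches(banner_host, names),
              "rdns_ok": bool(rdns_host) and name_matches(rdns_host, names)}
    result["valid"] = result["banner_ok"] or result["rdns_ok"]
    return result

def probe_mta(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Hypothetical live check (needs network): read the 220 greeting, resolve rDNS of the
    peer IP, STARTTLS, then compare the names. The chain must be trusted by the local CA
    store; check_hostname is off because the name comparison is done here, not by ssl."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    smtp = smtplib.SMTP(timeout=timeout)  # connect separately so the greeting is kept
    try:
        _code, greeting = smtp.connect(host, port)  # e.g. b"mail.acme.com ESMTP ..."
        banner_host = greeting.decode(errors="replace").split()[0]
        ip = smtp.sock.getpeername()[0]
        try:
            rdns_host = socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            rdns_host = None
        smtp.ehlo()
        smtp.starttls(context=ctx)
        names = cert_names(smtp.sock.getpeercert())
    finally:
        smtp.close()
    return {"banner": banner_host, "rdns": rdns_host, "cert_names": sorted(names),
            **validate_identity(banner_host, rdns_host, names)}
```

With the values from the post, a banner of serverhostname.corp.acme.local against a certificate for webmail.acme.com fails the rule unless the rDNS name happens to match; after the connector FQDN is changed to webmail.acme.com the banner check passes.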