OK. Easy. Remove the Ms-Exch-Send-Headers-Routing allow permission for "NT AUTHORITY\Anonymous Logon" from the send connector.
Done. :-)

Regards,

Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 14, 2008 1:23 PM
To: MS-Exchange Admin Issues
Subject: Re: Exchange 2007 and SSL certs for internal and external use

With the fact that application headers like with Exchange will advertise the internal FQDN, it should be retracted. Because without understanding the requirements of the SMTP specification, many Exchange administrators unknowingly set themselves up to fail by not having a valid response in their HELO.

I fear this issue will only increase as anti-spam practices become more specific.

On Tue, May 13, 2008 at 9:01 PM, Michael B. Smith <[EMAIL PROTECTED]> wrote:
> I wouldn't say that it was "retracted", but it is not considered best
> practice anymore; no more than empty forest roots; or the presumption that a
> domain is a security boundary.
>
> <http://technet2.microsoft.com/windowsserver/en/library/4bb9f469-df87-4830-96a8-b28ec71bafa91033.mspx?mfr=true>
>
> The original guidance is still available at a number of 3rd party sites, but
> not on any Microsoft site, as far as I can find.
>
> However, there are plenty of MSFT whitepapers and KB articles that use
> .local as a forest root suffix. I'll raise it on the next Supportability
> call with the PG. I don't know if it'll make the cut at this point in the
> cycle though.
>
> In regards to the SBS recommendations, I know just who to talk to.
>
> Regards,
>
> Michael B. Smith
> MCSE/Exchange MVP
> http://TheEssentialExchange.com
>
> -----Original Message-----
> From: Kevin Miller [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 13, 2008 5:08 PM
> To: MS-Exchange Admin Issues
> Subject: RE: Exchange 2007 and SSL certs for internal and external use
>
> I don't think that it was ever officially Subscribed, or retracted. Michael B., can
> you bring this up in the MVP forums and see if we can have Nino make a blog
> post, or get someone to make one?
>
> ~Kevinm WLKMMAS
> powered by 3Sharp, Always WLKMMAS What is your Zombie Plan?
>
> -----Original Message-----
> From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 13, 2008 1:03 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Exchange 2007 and SSL certs for internal and external use
>
> Not very well though, since it has lingered for years - even to this
> day. Was there an "official" retraction?
>
> I see .local in my spam filters HELO log all the time. I reject the
> sessions.
>
> On Tue, May 13, 2008 at 3:18 PM, Kevin Miller <[EMAIL PROTECTED]> wrote:
>> Somewhere, but we retracted that after a short period of time...
>>
>> ~Kevinm WLKMMAS
>> powered by 3Sharp, Always WLKMMAS What is your Zombie Plan?
>>
>> From: Barsodi.John [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, May 13, 2008 11:35 AM
>> To: MS-Exchange Admin Issues
>> Subject: RE: Exchange 2007 and SSL certs for internal and external use
>>
>> Wasn't it in early MS guidance for 2000 or perhaps it was 2003, that you use
>> .local? The concept of split DNS was relatively new, if I remember
>> correctly.
>>
>> From: Michael B. Smith [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, May 13, 2008 11:26 AM
>> To: MS-Exchange Admin Issues
>> Subject: RE: Exchange 2007 and SSL certs for internal and external use
>>
>> Interestingly, I just installed SBS 2003 R2 for a new customer yesterday,
>> and the SBS installation wizard actually suggested .local! I was surprised.
>>
>> Regards,
>>
>> Michael B. Smith
>> MCSE/Exchange MVP
>> http://TheEssentialExchange.com
>>
>> From: Don Ely [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, May 13, 2008 11:47 AM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Exchange 2007 and SSL certs for internal and external use
>>
>> Why ".local"?
>>
>> On Tue, May 13, 2008 at 8:43 AM, Oliver Marshall
>> <[EMAIL PROTECTED]> wrote:
>>
>> We looked at a wildcard cert but that won't work as our internal domain is a
>> .local and externally we are a .com.
>>
>> The users' connection settings are pre-filled by Outlook 2007. Is this
>> editable in AD so that we are able to change the server FQDN they connect
>> to?
>>
>> From: Sam Cayze [mailto:[EMAIL PROTECTED]
>> Sent: 13 May 2008 16:19
>> To: MS-Exchange Admin Issues
>> Subject: RE: Exchange 2007 and SSL certs for internal and external use
>>
>> Another way might be a 'wildcard certificate'. One that handles
>> *.domain.com, www.domain.com, domain.com, mail.domain.com, etc. A little
>> more spendy though...
>>
>> ________________________________
>>
>> From: Don Ely [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, May 13, 2008 10:07 AM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Exchange 2007 and SSL certs for internal and external use
>>
>> Split DNS
>>
>> On Tue, May 13, 2008 at 7:41 AM, Oliver Marshall
>> <[EMAIL PROTECTED]> wrote:
>>
>> Hi chaps,
>>
>> I have an Exchange 2007 server here on which we have setup an SSL
>> certificate (in the name of mail.mydomain.com). This works great for users
>> outside using Outlook 2007's Outlook Anywhere feature. However, internal
>> users get a warning stating that the SSL cert name doesn't match the server.
>> It's not the biggest issue, but it's...untidy.
>>
>> What's the best way to handle this? Obviously I can only attach one SSL cert
>> to the Default site in IIS on the Exchange box and the internal domain
>> (mydomain.local) is sufficiently different from the external one
>> (mydomain.com) that we can't get an SSL cert to cover both.
>>
>> Is there a way to create a new IIS site that still points at the same
>> exchange folder structure as the current Default Site but that is set to
>> accept a different hostname? That way I could have one site for the internal
>> users hitting blue-server.mydomain.local and one for the external users
>> hitting mail.mydomain.com and attach a correct cert to both.
>>
>> Can this be done?
>>
>> Olly
>
> --
> ME2
>
> ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
> ~ http://www.sunbeltsoftware.com/Ninja ~

--
ME2
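
The thread's concern is internal names such as blue-server.mydomain.local showing up in Received headers and HELO strings. The following is an added example, not part of the original thread, that lists what a test message received outside the organization still exposes and applies the same test to a HELO name. The suffix list, the sample headers, the IP addresses, mx.example.net and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Assumed suffix list; ".local" is the suffix discussed in the thread.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9][A-Za-z0-9.-]*)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: headers of a test message as seen by an outside recipient.
SAMPLE = """\
Received: from mail.mydomain.com (mail.mydomain.com [203.0.113.10])
    by mx.example.net with ESMTP; Wed, 14 May 2008 13:30:02 -0400
Received: from blue-server.mydomain.local ([10.0.0.5])
    by blue-server.mydomain.local ([10.0.0.5]) with mapi;
    Wed, 14 May 2008 13:30:00 -0400
Subject: header leak test

body
"""


def is_internal(token):
    """True for RFC 1918/loopback addresses, single-label names, internal suffixes."""
    token = token.strip("[]").rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return "." not in token or token.endswith(INTERNAL_SUFFIXES)
    return addr.is_loopback or any(addr in net for net in RFC1918)


def find_leaks(raw_message):
    """Return the internal names and addresses named in Received headers."""
    leaks = set()
    for value in message_from_string(raw_message).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        tokens = HOST_RE.findall(value) + IP_RE.findall(value)
        leaks.update(t.lower() for t in tokens if is_internal(t))
    return sorted(leaks)


def helo_acceptable(helo_name):
    """Mirrors the thread's rejection of HELO names such as *.local."""
    return not is_internal(helo_name)


if __name__ == "__main__":
    print(find_leaks(SAMPLE))
    print(helo_acceptable("blue-server.mydomain.local"))
```

Run it against the raw source of a message delivered to an external mailbox before and after changing the send connector; an empty list from `find_leaks` means no internal hop is visible to the recipient.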