Category Archives: SBS 2008

Sinergija 2010 q&a 2 – sbs 2008 / sbs 7 – tips and tricks

Here are answers to the questions that we were discussing in my session @ Sinergija 2010

Wsus and port question:

Console crash reasons?

Migration? Check this out:

Backup solutions for SBS 2008 – we had a presentation on Slovenian Small Business Specialists Community SI try this one…


SBS 2008 / Exchange 2007 and TLS…

Everyone who has ever installed SBS 2008 has encountered the wizard that creates the certificate and remote workplace – by default called (yes, you can choose other prefixes, but let's say that I like remote because it is easy to remember for my users…).
The SBS wizard generates a certificate for this hostname and uses it for all services (Outlook Web Access, ActiveSync and also the SMTP receive and send connectors…).
The problem arises when you want to rename your SMTP receive and send connectors to match the records in DNS. It is a best practice to have the same SMTP greeting as the records in DNS, so for example if you have a domain and you have a host record A called and MX record pointed to it is correct and I suggest you follow this rule to have the SMTP greeting or FQDN for SMTP connectors match

You can rename your connectors however you want by using the Exchange Management Console, but you will lose TLS for SMTP traffic, because the certificate does not match the FQDN or SMTP greeting that the connector advertises. You will also get an error in the Event log saying:

Microsoft Exchange could not find a certificate that contains the domain name in the personal store on the local computer…
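
A quick way to see this mismatch from the shell, added here as an example (not part of the original post): it lists every receive and send connector whose FQDN is not covered by a certificate enabled for SMTP. Test-NameCovered is a hypothetical helper name; the script assumes the Fqdn and CertificateDomains properties returned by the Exchange cmdlets.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Names covered by certificates that are enabled for the SMTP service.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'SMTP' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

function Test-NameCovered([string]$Fqdn, [string[]]$Names) {
    $Fqdn = $Fqdn.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $Fqdn) { return $true }
        # A wildcard such as *.example.com covers exactly one extra label.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($Fqdn.EndsWith($suffix)) {
                $label = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Compare the FQDN each connector advertises with the certificate names.
$connectors = @(Get-ReceiveConnector) + @(Get-SendConnector)
foreach ($c in $connectors) {
    $fqdn = "$($c.Fqdn)"
    if (-not $fqdn) {
        "{0,-8} {1}: no FQDN set on the connector" -f 'SKIP', $c.Identity
    } elseif (Test-NameCovered $fqdn $certNames) {
        "{0,-8} {1}: {2}" -f 'OK', $c.Identity, $fqdn
    } else {
        "{0,-8} {1}: {2} is not on any SMTP-enabled certificate" -f 'MISMATCH', $c.Identity, $fqdn
    }
}
```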

 Ok, what can we do now?

Well, start the Exchange Management Shell – that is PowerShell with modules for Exchange 2007 management – you can find it in the Start menu… First of all, we want to see the current Exchange certificates that are enabled for Exchange services by using the cmdlet:

[PS] C:\Windows\System32>Get-ExchangeCertificate

and you will receive something like this:

Thumbprint                                Services   Subject
----------                                --------   -------
42F146B12BEF918A6A8FC730F5AA87AC4ACB1CEB  IP..S
817F1311CB72FB70F962EC0FAD2D8FA857F114A4  ....S
4BAAC7906689AFF0129767CF492AAE058B5DF494  ....S      CN=Sites
8F1D9C5FEB6EF0C39F25175AFBDEA54FE9668EF9  .....      CN=xxxxxx-xxxxxxxx-CA
8E4F33523325500F38ECF41FCDFBBE684AFC6145  .....      CN=WMSvc-WIN-K7KGUV5MQ40

Now we should create a new certificate that we will use for the SMTP connectors by using the cmdlet:

New-ExchangeCertificate -domainname -PrivateKeyExportable:1

Warning! When you are asked if you want to overwrite certificates, choose No!

Overwrite existing default SMTP certificate,
'45EEEB44DF4BFE2EB1B7A7592EA1DF5BF93F44B4' (expires 14.1.2012 22:37:04), with
certificate '59D62E7850EE4093AFF1EC73E2623D52058C2B35' (expires 27.1.2015
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"): N

so we get output:

Thumbprint                                Services   Subject
----------                                --------   -------
59D62E7850EE4093AFF1EC73E2623D52058C2B35  .....

Great! If we want to be sure that everything is working correctly and that the Exchange SMTP service is using our new certificate, we can use the cmdlet:

[PS] C:\Windows\System32>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
59D62E7850EE4093AFF1EC73E2623D52058C2B35  ....S
42F146B12BEF918A6A8FC730F5AA87AC4ACB1CEB  IP..S
817F1311CB72FB70F962EC0FAD2D8FA857F114A4  ....S
4BAAC7906689AFF0129767CF492AAE058B5DF494  ....S      CN=Sites
8F1D9C5FEB6EF0C39F25175AFBDEA54FE9668EF9  .....      CN=xxxxxxxxxxx-xxxxxxxxxxxx01-CA
8E4F33523325500F38ECF41FCDFBBE684AFC6145  .....      CN=WMSvc-WIN-K7KGUV5MQ40

[PS] C:\Windows\System32>

We can now see that the SMTP connectors can use all of the certificates marked with S, including the new one (S defines the SMTP service).
Ok… How can you test that TLS works?
You can try it by using the telnet client to connect to your server:
telnet 25
Exchange should respond something like:
220 Microsoft ESMTP MAIL Service ready at Wed, 27 Jan 2010 17:12:09 +0100
then you can write:
220 Microsoft ESMTP MAIL Service ready at Wed, 27 Jan 2010 17:13:07 +0100
250 Hello []
after that enter command:


server should respond:

220 2.0.0 SMTP server ready
Server ready? Super! 🙂
If you missed something, you will receive an error from the server saying:
500 5.3.3 Unrecognized command
If you get that? Read this tutorial again 🙂
PS. You do not need to restart anything when you apply these commands… No need to restart Exchange services…
Special thanks to Saso Erdeljanov for some hints about this issue…
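
The telnet test above can be scripted; the following is an added example, not part of the original post. It sends EHLO and STARTTLS, completes the TLS handshake and reports the certificate the server presented. Read-SmtpReply and Test-SmtpStartTls are hypothetical names, and mail.example.com is a placeholder.

```powershell
# Added example, not from the original post. Needs PowerShell 2.0 or later.
function Read-SmtpReply($reader) {
    # Multi-line replies use "250-" on every line but the last ("250 ").
    $lines = @()
    do {
        $line = $reader.ReadLine()
        if ($line -eq $null) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Test-SmtpStartTls([string]$Server, [int]$Port = 25) {
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        "Banner: " + (Read-SmtpReply $reader)[-1]
        $writer.WriteLine('EHLO tls-check.invalid')   # constructed client name
        $ehlo = Read-SmtpReply $reader
        if (-not ($ehlo | Where-Object { $_ -match '^250[- ]STARTTLS\s*$' })) {
            'FAIL: STARTTLS is not advertised in the EHLO reply'; return
        }
        $writer.WriteLine('STARTTLS')
        $reply = (Read-SmtpReply $reader)[-1]
        if ($reply -notmatch '^220') { "FAIL: $reply"; return }
        # Accept the certificate so it can be inspected, but record what
        # Windows thinks of it (name mismatch, untrusted chain, ...).
        $script:tlsErrors = $null
        $check = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $cert, $chain, $errors)
            $script:tlsErrors = $errors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $check)
        $ssl.AuthenticateAsClient($Server)
        $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "Protocol:      $($ssl.SslProtocol)"
        "Subject:       $($x509.Subject)"
        "Thumbprint:    $($x509.Thumbprint)"
        "Expires:       $($x509.NotAfter)"
        "Policy errors: $script:tlsErrors"
    } finally {
        $client.Close()
    }
}
# Usage (placeholder host name): Test-SmtpStartTls 'mail.example.com'
```

Compare the reported thumbprint with the Get-ExchangeCertificate output; a policy error of RemoteCertificateNameMismatch means the certificate does not cover the name you connected to.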

Exchange 2007 / 2010 – remove headers

If you are using Windows Server 2008 SBS, Exchange 2007 or Exchange 2010, your e-mail also carries mail headers that (I think) you would not like to “share” with the external world:

Received: from ( by
 ( with Microsoft SMTP Server (TLS) id; Wed, 19 May
 2010 13:08:47 +0200
Received: from SRVEXCH01.domain.local ([]) by SRVEXCH01.domain.local
 ([]) with mapi; Wed, 19 May 2010 13:08:02 +0200
From: xxxxx xxxxx xxxxx@xxxxx
To: =?iso-8859-2?Q?xxxxx_xxxxx=E6_=28xxxxx=xxxxx=2Exxxxx=29?=
Return-Receipt-To: xxxxx@xxxxx
Date: Wed, 19 May 2010 13:08:00 +0200
Subject: xxxxx
Thread-Topic: xxxxx
Thread-Index: Acr3Q4r6dSBNnU37R9ypBLYy8PMzcA==
Message-ID: <13204AAD07BCDD4EB69C3367FF1783A9124C065BB2@SRVEXCH01.domain.local>
Accept-Language: sl-SI
Content-Language: en-US
acceptlanguage: sl-SI
Content-Type: multipart/alternative;
MIME-Version: 1.0
Return-Path: xxxxx@xxxxx
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (xxxxx.xxxxx.xxxxx: domain of xxxxx@xxxxx
 designates as permitted sender) receiver=xxxxx.xxxxx.local;;;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.8917.498;SV:3.3.8919.449;SID:SenderIDStatus Pass;

If you want to remove this stuff, we need to create a Hub Transport rule:
Open the Microsoft Exchange console
Navigate to:
Microsoft Exchange > Organization Configuration > Hub Transport > Transport Rules

Right-click and select New Transport Rule, name it “Remove headers” and click Next,

choose From users inside or outside the organization and select Inside, click Next, choose Remove header and as the message header just write: Received twice click Next…


You are done… Headers will not be sent any more to users outside the organization…
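
To check what still leaks after the rule is in place, here is an added example (not part of the original post) that scans the raw headers of a message received outside the organization for internal host names, private IP addresses and X-MS-Exchange-Organization headers. Find-HeaderLeak is a hypothetical name and the header sample is constructed.

```powershell
# Added example, not from the original post. Needs PowerShell 2.0 or later.
# $raw is a constructed sample; replace it with the headers of a message that
# was received at a mailbox outside your organization.
$raw = @'
Received: from mail.example.com (192.0.2.10) by mx.example.net with ESMTP;
 Wed, 19 May 2010 13:08:47 +0200
Received: from SRVEXCH01.domain.local ([10.0.0.5]) by SRVEXCH01.domain.local
 ([10.0.0.5]) with mapi; Wed, 19 May 2010 13:08:02 +0200
From: user@example.com
Message-ID: <0123456789ABCDEF@SRVEXCH01.domain.local>
X-MS-Exchange-Organization-SCL: 1
'@

function Find-HeaderLeak([string]$HeaderText) {
    # Unfold first: a line starting with a space or tab continues the previous header.
    $unfolded = $HeaderText -replace '\r?\n[ \t]+', ' '
    $checks = @(
        @{ Why = 'internal host name'; Rx = '\b[\w-]+(\.[\w-]+)*\.(local|lan|internal)\b' },
        @{ Why = 'private IP address'; Rx = '\b(10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)\b' },
        @{ Why = 'Exchange organization header'; Rx = '^X-MS-Exchange-Organization-' }
    )
    foreach ($line in ($unfolded -split '\r?\n')) {
        if (-not $line.Trim()) { continue }
        $name = ($line -split ':', 2)[0]
        foreach ($c in $checks) {
            # Report the header name, the reason and the text that matched.
            if ($line -match $c.Rx) {
                "{0,-12} {1}: {2}" -f $name, $c.Why, $Matches[0]
            }
        }
    }
}

Find-HeaderLeak $raw
```

A rule that removes only the Received header leaves the Message-ID untouched, which in the sample above still carries the internal server name.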

Luka (under influence of wonderful NT Konferenca 2010)