Exchange 2013: Domain security & Outbound proxy internal send connector

Hi!

I just tried to configure domain security in Exchange 2013 in a test environment: two messaging organizations, each running a dedicated client access role and a mailbox server role. 

Domain security seems to be configured correctly - recipients running Outlook get that additional icon which says that the email 'was received securely'. In that scenario the mailbox server is sending the mail directly to the recipient domain. So no proxying via the local client access server takes place.

When I try to use the domain local CAS as proxy (Set-SendConnector -FrontendProxyEnabled $true) the mail stays in the mail queue. The LastError on the queue states: '... 451 4.7.3 The admin has temporarily disallowed this secure domain...'. The protocol log of the send connector states: 'Message to secure domain 'dom1.test' on send connector 'Outbound Proxy Internal Send Connector' failed because DomainSecureEnabled was set to false.'

I have no clue where that internal send connector could be configured. Or where the 'Outbound Proxy Internal Send Connector' can be seen.

Or is domain security just supported without using the frontend proxy?

Many thanks in advance!

Greetings,

Nils

May 1st, 2013 6:34pm

Hi Nils,

Did you configure DomainSecureEnabled to true on that connector?

Please refer to the following article.

Using Domain Security: Configuring Mutual TLS:

http://technet.microsoft.com/en-us/library/bb123543(v=exchg.141).aspx

May 2nd, 2013 6:25am

Hi Wendy,

thanks for your help. On the custom send connector I already set DomainSecureEnabled to $true. There is no other send connector in the whole organization.

I think that the 'Outbound proxy internal send connector' is a hidden connector to route mails through the frontend proxy. I have no clue where to configure that one...

Greetings,

Nils

May 2nd, 2013 3:24pm

Hi

Please run `Get-SendConnector | fl *DomainSecureEnabled*` and post the result.

Just to confirm whether there is another connector and what the DomainSecureEnabled value is.

May 3rd, 2013 10:20am

Hi,

there is just one send connector in my test environment and the command delivers 'DomainSecureEnabled : True'.

Greetings!

May 3rd, 2013 10:26am

Hi,

Please check the TLSReceiveDomainSecureList setting.

Similar issue for your reference.

http://forums.msexchange.org/m_1800460080/mpage_1/key_/tm.htm#1800529228

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

May 8th, 2013 12:26pm

Hi,

the TLSReceiveDomainSecureList is configured correctly, because domain security works perfectly as long as the mail does not get routed via CAS. If FrontendProxyEnabled on the send connector is set to $true (it is an Exchange 2013 environment), domain security does not work anymore.

Greetings,

Nils

May 10th, 2013 11:36am

Is the certificate on the front end CAS server enabled for the SMTP service? This certificate is the one that will be passed to the other org, not the certificates on the Mailbox servers. This cert will also have to be trusted by the other org.
February 3rd, 2015 8:02pm
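
The settings the replies in this thread ask about, gathered into one check, as an added example that is not part of any post above. The function name `Test-DomainSecureSend` and the sample objects are constructed for illustration; the property names are those returned by `Get-SendConnector`, `Get-TransportConfig` and `Get-ExchangeCertificate`.

```powershell
function Test-DomainSecureSend {
    param(
        [Parameter(Mandatory)] $SendConnector,          # object from Get-SendConnector
        [Parameter(Mandatory)] $TransportConfig,        # object from Get-TransportConfig
        [Parameter(Mandatory)] [object[]] $Certificate, # objects from Get-ExchangeCertificate (front end server)
        [Parameter(Mandatory)] [string] $RecipientDomain
    )
    # Certificates that are enabled for the SMTP service and have not expired.
    $smtpCerts = @($Certificate | Where-Object {
        "$($_.Services)" -match 'SMTP' -and $_.NotAfter -gt (Get-Date)
    })
    # Normalise the domain list to strings so -contains also works on deserialized objects.
    $sendList = @($TransportConfig.TLSSendDomainSecureList | ForEach-Object { "$_" })

    [pscustomobject]@{
        Connector            = $SendConnector.Name
        DomainSecureEnabled  = [bool]$SendConnector.DomainSecureEnabled
        FrontendProxyEnabled = [bool]$SendConnector.FrontendProxyEnabled
        DomainInSendList     = $sendList -contains $RecipientDomain
        SmtpCertThumbprints  = $smtpCerts.Thumbprint
    }
}

# Constructed sample objects (not real output) so the function can be tried
# outside the Exchange Management Shell.
$connector = [pscustomobject]@{
    Name = 'To dom1.test'; DomainSecureEnabled = $true; FrontendProxyEnabled = $true
}
$config = [pscustomobject]@{ TLSSendDomainSecureList = @('dom1.test') }
$certs = @(
    [pscustomobject]@{ Thumbprint = 'PLACEHOLDER-THUMBPRINT-1'; Services = 'IIS, SMTP'
                       NotAfter = (Get-Date).AddYears(1) },
    [pscustomobject]@{ Thumbprint = 'PLACEHOLDER-THUMBPRINT-2'; Services = 'IIS'
                       NotAfter = (Get-Date).AddYears(1) }
)
Test-DomainSecureSend -SendConnector $connector -TransportConfig $config `
    -Certificate $certs -RecipientDomain 'dom1.test'

# Live use in the Exchange Management Shell (names in <> are placeholders):
# Test-DomainSecureSend -SendConnector (Get-SendConnector '<connector>') `
#     -TransportConfig (Get-TransportConfig) `
#     -Certificate (Get-ExchangeCertificate -Server '<front end server>') `
#     -RecipientDomain 'dom1.test'
```

The output only reports the configured values side by side; it does not inspect the 'Outbound Proxy Internal Send Connector' named in the protocol log.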

This topic is archived. No further replies will be accepted.
