Setting up forced/mutual/required TLS with checktls.com: sending works, receiving returns 530 5.7.1 (Not authenticated)

I have Exchange 2010 installed on a 64-bit Windows Server 2008 R2 VM. I am using an SSL multi-domain certificate from a certificate authority, and it is enabled for the IIS and SMTP services. My goal is to set up assured/forced/enforced/whatever-you-want-to-call-it TLS (not opportunistic) with the domain checktls.com. Before setting up any Send/Receive connectors I ran their TestReceiver (http://checktls.com/perl/TestReceiver.pl) and every result was OK and green.

  • Connected to server
  • We can connect
  • We can use this server
  • TLS is an option on this server
  • STARTTLS command works on this server
  • Connection converted to SSL
  • (certificate data)
  • Cert VALIDATED: ok
  • Cert Hostname VERIFIED
  • TLS successfully started on this server
  • Sender OK
  • Recipient OK, email address verified
  • Quit

Next I ran their TestSender (http://checktls.com/perl/TestSender.pl); the email comes back as "Success" with the reassuring text "Your email was successfully sent using TLS security."

Now for the connectors. In Exchange I created a new Send Connector named "CheckTLS" with intended use "Partner". The address space is "checktls.com" with "Include all subdomains" checked (cost = 1). "Enable Domain Security (Mutual Auth TLS)" is checked.

I created a new Receive Connector named "CheckTLS" with intended use "Partner", port 25, and remote IP address 69.61.187.232 (CheckTLS's IP address). On the Authentication tab only "Transport Layer Security (TLS)" and "Enable Domain Security (Mutual Auth TLS)" are checked. Under permission groups, "Partners" and "Anonymous users" are checked.

I issued the PowerShell commands...

set-transportconfig -TLSReceiveDomainSecureList checktls.com

set-transportconfig -TLSSendDomainSecureList checktls.com

This is where everything falls apart...

CheckTLS's TestReceiver test shows the following details...

  • Connected to server
  • We can connect
  • We can use this server
  • TLS is an option on this server
  • STARTTLS command works on this server
  • Connection converted to SSL
  • (certificate data)
  • Cert VALIDATED: ok
  • Cert Hostname VERIFIED
  • TLS successfully started on this server
  • Read failed (reason: timeout)
  • Could not verify email address (reason: MAIL FROM rejected)
  • Note: this does not affect the CheckTLS Confidence Factor
  • Quit
  • 530 5.7.1 Not authenticated

My SMTPReceive log on the Exchange server looks like this...

2014-09-17T18:57:43.290Z,MAIL\CheckTLS,08D1A0B838DEF207,0,10.10.30.9:25,69.61.187.232:56543,+,,
2014-09-17T18:57:43.290Z,MAIL\CheckTLS,08D1A0B838DEF207,1,10.10.30.9:25,69.61.187.232:56543,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-09-17T18:57:43.290Z,MAIL\CheckTLS,08D1A0B838DEF207,2,10.10.30.9:25,69.61.187.232:56543,>,"220 MAIL.EXAMPLE.COM Microsoft ESMTP MAIL Service ready at Wed, 17 Sep 2014 13:57:42 -0500",
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,3,10.10.30.9:25,69.61.187.232:56543,<,EHLO checktls.com,
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,4,10.10.30.9:25,69.61.187.232:56543,>,250-MAIL.EXAMPLE.COM Hello [69.61.187.232],
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,5,10.10.30.9:25,69.61.187.232:56543,>,250-SIZE 10485760,
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,6,10.10.30.9:25,69.61.187.232:56543,>,250-PIPELINING,
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,7,10.10.30.9:25,69.61.187.232:56543,>,250-DSN,
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,8,10.10.30.9:25,69.61.187.232:56543,>,250-ENHANCEDSTATUSCODES,
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,9,10.10.30.9:25,69.61.187.232:56543,>,250-STARTTLS,
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,10,10.10.30.9:25,69.61.187.232:56543,>,250-AUTH,
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,11,10.10.30.9:25,69.61.187.232:56543,>,250-8BITMIME,
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,12,10.10.30.9:25,69.61.187.232:56543,>,250-BINARYMIME,
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,13,10.10.30.9:25,69.61.187.232:56543,>,250 CHUNKING,
2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,14,10.10.30.9:25,69.61.187.232:56543,<,STARTTLS,
2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,15,10.10.30.9:25,69.61.187.232:56543,>,220 2.0.0 SMTP server ready,
2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,16,10.10.30.9:25,69.61.187.232:56543,*,,Sending certificate
2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,17,10.10.30.9:25,69.61.187.232:56543,*,"CN=MAIL.EXAMPLE.COM, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",Certificate subject
2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,18,10.10.30.9:25,69.61.187.232:56543,*,"CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",Certificate issuer name
2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,19,10.10.30.9:25,69.61.187.232:56543,*,0011001001001001000100,Certificate serial number
2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,20,10.10.30.9:25,69.61.187.232:56543,*,000011100011100001110001100,Certificate thumbprint
2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,21,10.10.30.9:25,69.61.187.232:56543,*,MAIL.EXAMPLE.COM;AUTODISCOVER.EXAMPLE.COM;WEBMAIL.EXAMPLE.COM,Certificate alternate names
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,22,10.10.30.9:25,69.61.187.232:56543,<,EHLO checktls.com,
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,23,10.10.30.9:25,69.61.187.232:56543,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,24,10.10.30.9:25,69.61.187.232:56543,>,250-MAIL.EXAMPLE.COM Hello [69.61.187.232],
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,25,10.10.30.9:25,69.61.187.232:56543,>,250-SIZE 10485760,
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,26,10.10.30.9:25,69.61.187.232:56543,>,250-PIPELINING,
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,27,10.10.30.9:25,69.61.187.232:56543,>,250-DSN,
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,28,10.10.30.9:25,69.61.187.232:56543,>,250-ENHANCEDSTATUSCODES,
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,29,10.10.30.9:25,69.61.187.232:56543,>,250-AUTH,
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,30,10.10.30.9:25,69.61.187.232:56543,>,250-8BITMIME,
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,31,10.10.30.9:25,69.61.187.232:56543,>,250-BINARYMIME,
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,32,10.10.30.9:25,69.61.187.232:56543,>,250 CHUNKING,
2014-09-17T18:57:43.945Z,MAIL\CheckTLS,08D1A0B838DEF207,33,10.10.30.9:25,69.61.187.232:56543,<,MAIL FROM:<[email protected]>,
2014-09-17T18:57:43.945Z,MAIL\CheckTLS,08D1A0B838DEF207,34,10.10.30.9:25,69.61.187.232:56543,*,Tarpit for '0.00:00:30',
2014-09-17T18:58:13.959Z,MAIL\CheckTLS,08D1A0B838DEF207,35,10.10.30.9:25,69.61.187.232:56543,>,530 5.7.1 Not authenticated,
2014-09-17T18:58:13.959Z,MAIL\CheckTLS,08D1A0B838DEF207,36,10.10.30.9:25,69.61.187.232:56543,<,QUIT,
2014-09-17T18:58:13.959Z,MAIL\CheckTLS,08D1A0B838DEF207,37,10.10.30.9:25,69.61.187.232:56543,>,221 2.0.0 Service closing transmission channel,
2014-09-17T18:58:13.959Z,MAIL\CheckTLS,08D1A0B838DEF207,38,10.10.30.9:25,69.61.187.232:56543,-,,Local

Because I now can't receive anything from CheckTLS, I can't see the results of their CheckSender test, but my Exchange server's SMTPSend log shows the following...

2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,10,10.10.30.9:63267,69.61.187.246:25,<,220 Ready to start TLS,
2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,11,10.10.30.9:63267,69.61.187.246:25,*,,Sending certificate
2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,12,10.10.30.9:63267,69.61.187.246:25,*,"CN=mail.EXAMPLE.COM, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",Certificate subject
2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,13,10.10.30.9:63267,69.61.187.246:25,*,"CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",Certificate issuer name
2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,14,10.10.30.9:63267,69.61.187.246:25,*,1110010101010101010101001111,Certificate serial number
2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,15,10.10.30.9:63267,69.61.187.246:25,*,1100101001001010010101001010101010101,Certificate thumbprint
2014-09-17T19:13:00.085Z,CheckTLS,08D1A0B838DEF26D,16,10.10.30.9:63267,69.61.187.246:25,*,MAIL.EXAMPLE.COM;AUTODISCOVER.EXAMPLE.COM;WEBMAIL.EXAMPLE.COM,Certificate alternate names
2014-09-17T19:13:00.194Z,CheckTLS,08D1A0B838DEF26D,17,10.10.30.9:63267,69.61.187.246:25,*,,Received certificate
2014-09-17T19:13:00.194Z,CheckTLS,08D1A0B838DEF26D,18,10.10.30.9:63267,69.61.187.246:25,*,11010010010010101010010101001001001,Certificate thumbprint
2014-09-17T19:13:00.194Z,CheckTLS,08D1A0B838DEF26D,19,10.10.30.9:63267,69.61.187.246:25,>,EHLO MAIL.EXAMPLE.COM,
2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,20,10.10.30.9:63267,69.61.187.246:25,<,"250-ts3.checktls.com Hello mail.EXAMPLE.COM [1.2.3.4], pleased to meet you",
2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,21,10.10.30.9:63267,69.61.187.246:25,<,250-ENHANCEDSTATUSCODES,
2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,22,10.10.30.9:63267,69.61.187.246:25,<,250-8BITMIME,
2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,23,10.10.30.9:63267,69.61.187.246:25,<,250 HELP,
2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,24,10.10.30.9:63267,69.61.187.246:25,*,2238593,sending message
2014-09-17T19:13:00.241Z,CheckTLS,08D1A0B838DEF26D,25,10.10.30.9:63267,69.61.187.246:25,>,MAIL FROM:<[email protected]>,
2014-09-17T19:13:00.288Z,CheckTLS,08D1A0B838DEF26D,26,10.10.30.9:63267,69.61.187.246:25,<,250 Ok - mail from [email protected],
2014-09-17T19:13:00.288Z,CheckTLS,08D1A0B838DEF26D,27,10.10.30.9:63267,69.61.187.246:25,>,RCPT TO:<[email protected]>,
2014-09-17T19:13:00.350Z,CheckTLS,08D1A0B838DEF26D,28,10.10.30.9:63267,69.61.187.246:25,<,250 Ok - recipient [email protected],
2014-09-17T19:13:00.350Z,CheckTLS,08D1A0B838DEF26D,29,10.10.30.9:63267,69.61.187.246:25,>,DATA,
2014-09-17T19:13:00.397Z,CheckTLS,08D1A0B838DEF26D,30,10.10.30.9:63267,69.61.187.246:25,<,354 Send data.  End with CRLF.CRLF,
2014-09-17T19:13:00.537Z,CheckTLS,08D1A0B838DEF26D,31,10.10.30.9:63267,69.61.187.246:25,<,250 Ok,
2014-09-17T19:13:00.553Z,CheckTLS,08D1A0B838DEF26D,32,10.10.30.9:63267,69.61.187.246:25,>,QUIT,
2014-09-17T19:13:00.600Z,CheckTLS,08D1A0B838DEF26D,33,10.10.30.9:63267,69.61.187.246:25,<,221 ts3.checktls.com closing connection,
2014-09-17T19:13:00.600Z,CheckTLS,08D1A0B838DEF26D,34,10.10.30.9:63267,69.61.187.246:25,-,,Local

Event Viewer on the Exchange server shows Event ID 11017 (MSExchangeTransport) with the message "A message from the domain-secured domain 'CheckTLS.com' on connector 'CheckTLS' failed to authenticate because a Transport Layer Security (TLS) certificate was not supplied. Contact the administrator of CheckTLS.com to resolve the problem, or remove the domain from the domain-secured list."

I have a SonicWALL NSA 2400 firewall; I mention it because I have read about Cisco firewalls having some TLS problems when handling TLS traffic. I don't see anything in the SonicWALL logs suggesting that this is the problem.

Sorry for the information dump, but I have tried everything I can think of to set this up correctly. Any suggestions on what to try next would be greatly appreciated. Once I get it working with CheckTLS the plan is to set this up with actual business partners, but first I need to get everything right.

Thank you very much.
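As an added example that is not part of the original question, here is a PowerShell triage script for the SmtpReceive protocol log above. The telling line in the posted log is the one on the EHLO that follows STARTTLS: `TlsDomainCapabilities='None'; Status='NoRemoteCertificate'`. The TLS handshake completed (the server sent its own certificate), but the client never presented one, and a client certificate is what domain security needs to authenticate the sending domain; the 530 5.7.1 on MAIL FROM and Event ID 11017 follow from that. The 30-second tarpit logged just before the 530 is also the likely reason checktls.com reported "Read failed (reason: timeout)". The script groups a protocol log by session and reports that status per session. The log lines in it are constructed to mirror the question's format (addresses and the second session are made up), and the log path in the comment is the default Exchange 2010 install location.

```powershell
# Added example, not from the original post. Triage an Exchange 2010 receive protocol log
# (SmtpReceive, RECV*.LOG) for sessions that failed domain security (mutual TLS).
# The log below is constructed to mirror the question's format; replace it with
# Get-Content on a real log file to run this against your own server.

$sampleLog = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-09-17T18:57:43.290Z,MAIL\CheckTLS,08D1A0B838DEF207,0,10.10.30.9:25,69.61.187.232:56543,+,,
2014-09-17T18:57:43.337Z,MAIL\CheckTLS,08D1A0B838DEF207,3,10.10.30.9:25,69.61.187.232:56543,<,EHLO checktls.com,
2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,14,10.10.30.9:25,69.61.187.232:56543,<,STARTTLS,
2014-09-17T18:57:43.384Z,MAIL\CheckTLS,08D1A0B838DEF207,16,10.10.30.9:25,69.61.187.232:56543,*,,Sending certificate
2014-09-17T18:57:43.883Z,MAIL\CheckTLS,08D1A0B838DEF207,23,10.10.30.9:25,69.61.187.232:56543,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
2014-09-17T18:57:43.945Z,MAIL\CheckTLS,08D1A0B838DEF207,33,10.10.30.9:25,69.61.187.232:56543,<,MAIL FROM:<sender@partner.example>,
2014-09-17T18:57:43.945Z,MAIL\CheckTLS,08D1A0B838DEF207,34,10.10.30.9:25,69.61.187.232:56543,*,Tarpit for '0.00:00:30',
2014-09-17T18:58:13.959Z,MAIL\CheckTLS,08D1A0B838DEF207,35,10.10.30.9:25,69.61.187.232:56543,>,530 5.7.1 Not authenticated,
2014-09-17T18:58:13.959Z,MAIL\CheckTLS,08D1A0B838DEF207,38,10.10.30.9:25,69.61.187.232:56543,-,,Local
2014-09-17T19:02:10.100Z,MAIL\CheckTLS,08D1A0B838DEF2A1,0,10.10.30.9:25,198.51.100.7:40112,+,,
2014-09-17T19:02:10.150Z,MAIL\CheckTLS,08D1A0B838DEF2A1,3,10.10.30.9:25,198.51.100.7:40112,<,EHLO relay.partner.example,
2014-09-17T19:02:10.200Z,MAIL\CheckTLS,08D1A0B838DEF2A1,14,10.10.30.9:25,198.51.100.7:40112,<,MAIL FROM:<sender@partner.example>,
2014-09-17T19:02:10.200Z,MAIL\CheckTLS,08D1A0B838DEF2A1,15,10.10.30.9:25,198.51.100.7:40112,>,530 5.7.0 Must issue a STARTTLS command first,
2014-09-17T19:02:10.250Z,MAIL\CheckTLS,08D1A0B838DEF2A1,16,10.10.30.9:25,198.51.100.7:40112,-,,Local
'@

function Get-DomainSecureFailure {
    param([Parameter(Mandatory=$true)][string[]]$LogLines)

    # Column names from the #Fields: line of an Exchange 2010 protocol log.
    $header = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'
    $rows = $LogLines | Where-Object { $_ -and $_ -notmatch '^#' } | ConvertFrom-Csv -Header $header

    foreach ($session in ($rows | Group-Object -Property 'session-id')) {
        $r = $session.Group
        $startTls = @($r | Where-Object { $_.event -eq '<' -and $_.data -eq 'STARTTLS' }).Count -gt 0
        $rejected = @($r | Where-Object { $_.event -eq '>' -and $_.data -like '530 *' }).Count -gt 0

        # Exchange records the outcome of the domain-security check on the EHLO that follows
        # STARTTLS as "TlsDomainCapabilities='...'; Status='...'" in the context column.
        $statusRow = $r | Where-Object { $_.context -match "Status='([^']+)'" } | Select-Object -First 1
        $status = $null
        if ($statusRow) { $status = [regex]::Match($statusRow.context, "Status='([^']+)'").Groups[1].Value }

        if (-not $startTls) {
            $verdict = 'client never issued STARTTLS; a connector that requires TLS rejects MAIL FROM'
        } elseif ($status -eq 'NoRemoteCertificate') {
            $verdict = 'client completed TLS but presented no client certificate, so domain security (mutual TLS) cannot authenticate it'
        } elseif ($status) {
            $verdict = "TLS negotiated with Status='$status'; review the certificate lines of this session"
        } else {
            $verdict = 'STARTTLS seen but no domain-security status logged; the session may have been cut off'
        }

        New-Object PSObject -Property @{
            SessionId = $session.Name
            Remote    = ($r | Select-Object -First 1).'remote-endpoint'
            StartTls  = $startTls
            Status    = $status
            Rejected  = $rejected
            Verdict   = $verdict
        }
    }
}

# Run on the constructed sample. On a server (default install path assumed) use:
#   Get-DomainSecureFailure -LogLines (Get-Content 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive\RECV20140917-1.LOG')
Get-DomainSecureFailure -LogLines ($sampleLog -split "`r?`n") |
    Format-Table SessionId, Remote, StartTls, Status, Rejected, Verdict -AutoSize -Wrap
```

The first constructed session reproduces the question's failure and is reported as "completed TLS but presented no client certificate"; the second never sends STARTTLS and is reported as such. Distinguishing the two matters because the fix is different: the first can only be resolved by the partner presenting a certificate (or by dropping domain security for that domain), while the second is a plain "client does not do TLS" problem.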

Answer 1

I ran into the same problem and found the solution here (first answer): http://community.spiceworks.com/topic/266218-exchange-2010-forcedtls-email-stuck-during-routing-phase

It involves unchecking Mutual Auth TLS and setting it to encryption only; otherwise you will need a certificate from the partner domain. Hope this helps.
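To make the two postures concrete, here is an added Exchange Management Shell example (not from the original post or this answer) that puts the question's connector pair into either domain security, as the question configured it, or required TLS for encryption only, as this answer suggests, and then prints the effective settings. Connector and domain names default to the ones in the question; everything else uses standard Exchange 2010 cmdlets and parameters.

```powershell
# Added example, not from the original post or answer 1. Exchange 2010 Management Shell
# function that puts a partner's Send/Receive connector pair into one of the two postures
# discussed on this page and prints what is in effect afterwards.
# Connector and domain names default to the ones in the question.

function Set-PartnerTlsPosture {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [string]$Connector = 'CheckTLS',
        [string]$Domain    = 'checktls.com',
        [Parameter(Mandatory=$true)][ValidateSet('MutualTls','EncryptionOnly')]
        [string]$Mode
    )

    if ($Mode -eq 'MutualTls') {
        # Domain security: TLS is required AND each side must present a certificate the other
        # trusts, and the partner domain must be on both domain-secure lists. A client that
        # completes TLS without a certificate is refused at MAIL FROM (530 5.7.1, Event 11017).
        Set-SendConnector    -Identity $Connector -RequireTLS $true -DomainSecureEnabled $true
        Set-ReceiveConnector -Identity $Connector -RequireTLS $true -DomainSecureEnabled $true -AuthMechanism 'Tls'
        Set-TransportConfig  -TLSSendDomainSecureList    @{Add=$Domain} `
                             -TLSReceiveDomainSecureList @{Add=$Domain}
    } else {
        # Encryption only (answer 1): TLS is still mandatory in both directions, but no client
        # certificate is demanded and the partner is no longer authenticated by domain security.
        # The domain must also come off the lists, or Exchange keeps trying to authenticate it.
        Set-SendConnector    -Identity $Connector -RequireTLS $true -DomainSecureEnabled $false
        Set-ReceiveConnector -Identity $Connector -RequireTLS $true -DomainSecureEnabled $false -AuthMechanism 'Tls'
        Set-TransportConfig  -TLSSendDomainSecureList    @{Remove=$Domain} `
                             -TLSReceiveDomainSecureList @{Remove=$Domain}
    }

    # Show what is in effect so the console checkboxes and the shell agree.
    Get-SendConnector    -Identity $Connector | Format-List Name, AddressSpaces, RequireTLS, DomainSecureEnabled
    Get-ReceiveConnector -Identity $Connector | Format-List Name, RemoteIPRanges, RequireTLS, DomainSecureEnabled, AuthMechanism, PermissionGroups
    Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
}

# Preview the changes first (the Set-* cmdlets honour -WhatIf), then apply them.
Set-PartnerTlsPosture -Mode EncryptionOnly -WhatIf
Set-PartnerTlsPosture -Mode EncryptionOnly
```

The security trade-off of the EncryptionOnly posture should be stated plainly: the session is encrypted, but the receive connector will accept any client that completes STARTTLS, so the only thing still tying the connection to the partner is the RemoteIPRanges restriction on the connector. That is acceptable for testing against checktls.com; for a real business partner, decide whether IP filtering alone is the identity check you want before giving up mutual TLS.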

Answer 2

I had the same problem when setting up a Receive Connector for mutual TLS to test against checkTLS. I added checktls.com to the domain secure list, but it failed after the MAIL FROM part in the SMTP log (530 5.7.59 SMTP; Authentication failed during MAIL FROM).

The failure generated Event 11017 in the server log (A message from the domain-secured domain 'checktls.com' on connector 'Receive CheckTLS' failed to authenticate because a Transport Layer Security (TLS) certificate was not supplied. Contact the administrator of checktls.com to resolve the problem, or remove the domain from the domain-secured list).

Looking at the certificate, the hostname in the certificate appeared to be mail6.checktls.com. When I changed the entry in the domain secure list to mail6.checktls.com, the error went away.
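This answer turns on matching the domain-secure list entry against the name actually in the partner's certificate. The added PowerShell probe below (not from the original post or answers) performs EHLO/STARTTLS against a host, reports the certificate it presents with its subject and SAN names, checks the chain against the local trust store, and warns about any entry in TLSSendDomainSecureList that does not appear among those names. The target host is the one this answer found, mail6.checktls.com; the EHLO name is an assumption, and the "DNS Name=" text the script parses is the English Windows rendering of the SAN extension.

```powershell
# Added example, not from the original post or answers. Probes an SMTP server with
# EHLO/STARTTLS and reports the certificate it presents, so the entry in
# TLSSendDomainSecureList / TLSReceiveDomainSecureList can be compared with the names
# actually in the partner's certificate. The EHLO name is an assumption; mail6.checktls.com
# is the host answer 2 found in the certificate. Needs network access to the target.

function Get-SmtpStartTlsCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 25,
        [string]$EhloName = 'mail.example.com'   # assumed; use your own mail host's FQDN
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $net    = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($net)
    $writer = New-Object System.IO.StreamWriter($net)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Read one SMTP reply, following "250-" continuation lines; returns every line of it.
    function Read-SmtpReply {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        return ,$lines
    }

    try {
        $banner = Read-SmtpReply
        if ($banner[-1] -notmatch '^220') { throw "unexpected banner: $($banner[-1])" }

        $writer.WriteLine("EHLO $EhloName")
        $ehlo = Read-SmtpReply
        if (@($ehlo -match '^250[- ]STARTTLS').Count -eq 0) { throw 'server does not advertise STARTTLS' }

        $writer.WriteLine('STARTTLS')
        $go = Read-SmtpReply
        if ($go[-1] -notmatch '^220') { throw "STARTTLS refused: $($go[-1])" }

        # Accept any certificate during the handshake: the goal is to see it, not to trust it yet.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)

        $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                    ForEach-Object { $_.Format($false) }) -join ' '

        # Names the certificate claims: the subject CN plus every SAN dNSName.
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
        $names += [regex]::Matches($sanText, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }

        # Chain check against this machine's trust store, which is what Exchange relies on too.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)

        # Close the session politely, inside TLS.
        $tlsWriter = New-Object System.IO.StreamWriter($ssl)
        $tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
        $tlsWriter.WriteLine('QUIT')

        New-Object PSObject -Property @{
            Server           = $Server
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            Thumbprint       = $cert.Thumbprint
            CertificateNames = $names
            ChainTrusted     = $trusted
            # -like lets a wildcard name such as *.checktls.com match the probed host.
            NameMatchesHost  = (@($names | Where-Object { $Server -like $_ }).Count -gt 0)
        }
    } finally {
        $client.Close()
    }
}

# Probe the partner host, then compare with what Exchange has been told to trust.
$probe = Get-SmtpStartTlsCertificate -Server 'mail6.checktls.com'
$probe | Format-List
(Get-TransportConfig).TLSSendDomainSecureList |
    Where-Object { $probe.CertificateNames -notcontains $_ } |
    ForEach-Object { Write-Warning "Domain-secure entry '$_' is not a name in the certificate presented by $($probe.Server)" }
```

One caveat when reading the output: the probe shows the certificate the partner presents as a *server*, which is what your Send Connector sees. Whether the partner presents a certificate as a *client* when it connects to you, which is what the 530 5.7.1 / Event 11017 in both the question and this answer are about, is visible only in your own SmtpReceive log (the `Status='...'` line after STARTTLS); no outbound probe can tell you that.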
