本文檔介紹在升級到15.0版後通過SEG修復Exchange 2013(或更舊)連線問題的步驟。
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
將SEG升級到版本15.0後,未在2013年以前的Exchange伺服器之間建立連線。如果從CLI檢查tophosts,可以看到該域被標籤為down(*):
mail.example.com > tophosts
Sort results by:
1. Active Recipients
2. Connections Out
3. Delivered Recipients
4. Hard Bounced Recipients
5. Soft Bounced Events
[1]> 1
Status as of: Sun Sep 03 11:44:11 2023 -03
Hosts marked with '*' were down as of the last delivery attempt.
Active Conn. Deliv. Soft Hard
# Recipient Host Recip. Out Recip. Bounced Bounced
1* example.com 118 0 0 0 507
2* alt.example.com 94 0 226 0 64
3* prod.example.com 89 0 0 0 546
在郵件日誌中,您可以看到由於出現「網路錯誤」原因導致域連線失敗。
Thu Aug 29 08:16:21 2023 Info: Connection Error: DCID 4664840 domain: example.com IP: 192.0.2.10 port: 25 details: [Errno 0] Error interface: 192.0.2.20 reason: network error
在資料包捕獲中,可以看到Exchange伺服器在TLS協商後立即關閉與FIN資料包的連線。
確認Exchange Server的版本是2013或更舊版本,然後可以使用此密碼字串作為解決方法,以允許SEG連線到那些較舊版本的伺服器。這允許郵件在可以將exchange升級到當前支援的版本之前傳遞。
ECDH+aRSA:ECDH+ECDSA:DHE+DSS+AES:AES128:AES256:!SRP:!AESGCM+DH+aRSA:!AESGCM+RSA:!aNULL:!eNULL:!DES:!3DES:!IDEA:!RC2:-IDEA:-aNULL:-EXPORT:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-CCM:!DHE-RSA-AES256-CCM:!ECDHE-ECDSA-CAMELLIA128-SHA256:!ECDHE-RSA-CAMELLIA128-SHA256:!ECDHE-ECDSA-CAMELLIA256-SHA384:!ECDHE-RSA-CAMELLIA256-SHA384:!ECDHE-ECDSA-AES128-CCM:!ECDHE-ECDSA-AES256-CCM
您可以通過命令列介面(CLI)或Web圖形使用者介面(GUI)輸入此資訊。
在CLI中:
mail.example.com> sslconfig
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
- OTHER_CLIENT_TLSV10 - Edit TLS v1.0 for other client services.
- PEER_CERT_FQDN - Validate peer certificate FQDN compliance for Alert Over TLS, Outbound SMTP, updater and LDAP.
- PEER_CERT_X509 - Validate peer certificate X509 compliance for Alert Over TLS, Outbound SMTP, updater and LDAP.
[]> outbound
Enter the outbound SMTP ssl method you want to use.
1. TLS v1.1
2. TLS v1.2
3. TLS v1.0
[2]>
Enter the outbound SMTP ssl cipher you want to use.
[!aNULL:!eNULL]> ECDH+aRSA:ECDH+ECDSA:DHE+DSS+AES:AES128:AES256:!SRP:!AESGCM+DH+aRSA:!AESGCM+RSA:!aNULL:!eNULL:!DES:!3DES:!IDEA:!RC2:-IDEA:-aNULL:-EXPORT:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-CCM:!DHE-RSA-AES256-CCM:!ECDHE-ECDSA-CAMELLIA128-SHA256:!ECDHE-RSA-CAMELLIA128-SHA256:!ECDHE-ECDSA-CAMELLIA256-SHA384:!ECDHE-RSA-CAMELLIA256-SHA384:!ECDHE-ECDSA-AES128-CCM:!ECDHE-ECDSA-AES256-CCM
.....
Hit enter until you are back to the default command line.
mail.example.com> commit
在GUI中:
步驟1.在System Administration索引標籤上選擇。
步驟2.選擇SSL Configuration。
步驟3.選擇Edit Settings按鈕。
步驟4.更改出站SMTP SSL密碼以使用本文章中提供的字串。
步驟5. 提交並提交變更。
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
2.0 |
01-Jul-2026
|
重新認證 |
1.0 |
08-Sep-2023
|
初始版本 |