As the Linux distribution I used Ubuntu 16.04.02 LTS.
As the certificate provider I used Let's Encrypt.
The external domain is: mail.external.eval
The internal Exchange server is: exchange.mhdom.eval
Installing NGINX and the required components
# apt install nginx nginx-extras
Installing the Let's Encrypt components, creating and integrating the certificate
# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt-get install certbot
Issuing the certificate
# service nginx stop
# certbot certonly --standalone -d [mail.external.eval]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mail.external.eval
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mail.external.eval/fullchain.pem. Your cert will
   expire on ####-##-##. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Editing the NGINX configuration
# vi /etc/nginx/conf.d/exchange.conf
server {
    listen 80;
    server_name mail.external.eval;
    # plain HTTP only redirects to HTTPS
    return 301 https://$host$request_uri;
}

server {
    tcp_nodelay on;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/mail.external.eval/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.external.eval/privkey.pem;
    ssl_session_timeout 5m;
    server_name mail.external.eval;

    # anything outside the published Exchange paths is sent to OWA
    location / {
        return 301 https://mail.external.eval/owa;
    }

    # proxy settings at server level, inherited by every location below
    proxy_http_version 1.1;
    proxy_read_timeout 360;
    proxy_pass_header Date;
    proxy_pass_header Server;
    proxy_pass_header Authorization;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_request_headers on;
    # headers-more directives (from nginx-extras): pass the client's
    # Authorization header through and send the Exchange realm on 401
    # so Basic authentication prompts work through the proxy
    more_set_input_headers 'Authorization: $http_authorization';
    proxy_set_header Accept-Encoding "";
    more_set_headers -s 401 'WWW-Authenticate: Basic realm="exchange.mhdom.eval"';
    proxy_buffering off;
    proxy_set_header Connection "Keep-Alive";

    # Exchange virtual directories published to the outside; all of them
    # go to the internal Exchange server named at the top of the post
    location ~* ^/owa {
        proxy_pass https://exchange.mhdom.eval;
    }
    location ~* ^/Microsoft-Server-ActiveSync {
        proxy_pass https://exchange.mhdom.eval;
    }
    location ~* ^/ecp {
        proxy_pass https://exchange.mhdom.eval;
    }
    location ~* ^/rpc {
        proxy_pass https://exchange.mhdom.eval;
    }
    location ~* ^/mapi {
        proxy_pass https://exchange.mhdom.eval;
    }
    location ~* ^/ews {
        proxy_pass https://exchange.mhdom.eval;
    }
    location ~* ^/autodiscover {
        proxy_pass https://exchange.mhdom.eval;
    }

    error_log /var/log/nginx/owa-ssl-error.log;
    access_log /var/log/nginx/owa-ssl-access.log;
}
# vi /etc/nginx/nginx.conf
...
http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # large limit so big mail attachments can be uploaded through the proxy
    client_max_body_size 2000M;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
....
Now start NGINX (service nginx start) or, better still, restart the whole server once (reboot).
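Once the proxy is running, the access log it writes (/var/log/nginx/owa-ssl-access.log) is the first place to look when logins from outside fail or accounts start getting locked. The following is an added example in Python, not code from the original post: it parses nginx's default "combined" log format (what the access_log directive above produces when no format is named) and counts HTTP 401 responses per client IP on the published Exchange paths, which is how a password-guessing run against OWA, EWS or ActiveSync shows up in the log. The log lines, the threshold of 5 failures and the path list are constructed for the example.

```python
"""Flag clients collecting failed logins on the Exchange reverse proxy.

Added example (not part of the original post). Parses nginx access-log
lines in the default "combined" format and counts 401 responses per client
on the Exchange paths the proxy publishes. The sample log lines, the
threshold and the path list are constructed/assumed for this example.
"""
import re
from collections import Counter, defaultdict

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status
# $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Paths published through the proxy (mirrors the location blocks in the config)
EXCHANGE_PATHS = (
    "/owa", "/Microsoft-Server-ActiveSync", "/ecp", "/rpc", "/mapi",
    "/ews", "/autodiscover",
)

# Constructed sample log, not a real capture
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2018:10:01:02 +0200] "POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1" 401 0 "-" "Apple-iPhone/1605.1"
203.0.113.7 - - [24/Jul/2018:10:01:04 +0200] "POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1" 401 0 "-" "Apple-iPhone/1605.1"
203.0.113.7 - - [24/Jul/2018:10:01:06 +0200] "POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1" 401 0 "-" "Apple-iPhone/1605.1"
203.0.113.7 - - [24/Jul/2018:10:01:08 +0200] "POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1" 401 0 "-" "Apple-iPhone/1605.1"
203.0.113.7 - - [24/Jul/2018:10:01:20 +0200] "POST /ews/exchange.asmx HTTP/1.1" 401 0 "-" "Microsoft Office/16.0"
203.0.113.7 - - [24/Jul/2018:10:01:22 +0200] "POST /EWS/Exchange.asmx HTTP/1.1" 401 0 "-" "Microsoft Office/16.0"
198.51.100.20 - - [24/Jul/2018:10:02:00 +0200] "GET /owa/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.20 - alice [24/Jul/2018:10:02:05 +0200] "GET /owa/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Jul/2018:10:03:00 +0200] "GET / HTTP/1.1" 301 178 "-" "curl/7.47.0"
this line is not in combined format
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_exchange_path(path):
    """True when the request path is one of the published Exchange directories."""
    lowered = path.lower()
    return any(lowered.startswith(p.lower()) for p in EXCHANGE_PATHS)


def failed_logins_by_client(lines, threshold=5):
    """Count 401s per client on Exchange paths; return clients at or over threshold.

    Each entry maps the client IP to its failure count and the distinct
    (lower-cased, query-stripped) paths it failed against.
    """
    counts = Counter()
    paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than abort the run
        if rec["status"] == "401" and is_exchange_path(rec["path"]):
            counts[rec["ip"]] += 1
            paths[rec["ip"]].add(rec["path"].split("?")[0].lower())
    return {
        ip: {"failures": n, "paths": sorted(paths[ip])}
        for ip, n in counts.items() if n >= threshold
    }


def analyze_sample():
    """Run the check over the constructed sample log with the default threshold."""
    return failed_logins_by_client(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in analyze_sample().items():
        print(f"{ip}: {info['failures']} failed logins on {', '.join(info['paths'])}")
```

On a real proxy, replace SAMPLE_LOG with the lines of /var/log/nginx/owa-ssl-access.log and tune the threshold to what a single misconfigured phone legitimately produces; one client failing across several Exchange paths in seconds, as 203.0.113.7 does in the sample, is the pattern worth alerting on.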
Update 24.07.2018
If logging in from outside is not possible, Basic authentication must be enabled in IIS on the Exchange server for "EWS" and "MAPI":