MS Exchange Transport Error

    Question

  • Hi Sirs,

    I have a problem regarding Exchange Server 2007; kindly review and check my problem.

    Microsoft Exchange couldn't find a certificate that contains the domain name mail.maritimeclinic.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Outgoing email with a FQDN parameter of mail.maritimeclinic.net. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    I already read some of the answers here but I'm still having this problem.

    Thanks in advance!

    Warm Regards,


    Sean Rivera

    Monday, August 05, 2013 10:37 AM

Answers

  • Hi there.

    First you have to make sure that your certificate is valid for Exchange. Follow these steps.

    1. On your CAS server, Run > MMC > File > Add/Remove Snap-in > Certificates, click Add, choose Computer account, then Next, Next and Next.
    2. In the Certificates MMC, expand "Certificates (Local Computer)" and then expand Personal. Then go to the Certificates folder. In this folder you will see the certificates that are installed on this CAS.
    3. Look for the certificate that you installed for the Exchange service. If you see a red cross, it means this certificate is invalid for Exchange.

    4. If it's not invalid, double-click on that certificate and go to "Certificate path". If your root certificate has a red cross, that means your CAS server doesn't have the root certificate installed yet.
    (Actually it will be deployed automatically from the root CA if you have one.)

    If your CAS server doesn't have the root certificate, just install it on this CAS server.
    (Remember that installing a root certificate manually is not the normal case for a member server in AD. You have to fix it.)


    Tuesday, August 06, 2013 9:44 AM

All replies

  • Here is my get cert

    [PS] C:\Documents and Settings\Administrator.MCIS>Get-ExchangeCertificate |FL


    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mcismail, mcismail.mcis.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=mcismail
    NotAfter           : 8/5/2014 4:43:41 PM
    NotBefore          : 8/5/2013 4:43:41 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : EDD362225018A7954A3A61583E878CAD
    Services           : SMTP
    Status             : Valid
    Subject            : CN=mcismail
    Thumbprint         : ED9927F58A1301C74676CEF4C43087BCFA4FD61C

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mcis-mail, mcis-mail.mcis.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=mcis-mail
    NotAfter           : 4/26/2014 3:26:58 PM
    NotBefore          : 4/26/2013 3:26:58 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : B0740C0BB72161894C25B261ABC5AAB3
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=mcis-mail
    Thumbprint         : 2C0F01DEF4B679B46E8D733C3B04399B4DE26F50

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mcis-mail, mcis-mail.mcis.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=mcis-mail
    NotAfter           : 4/26/2014 2:17:36 PM
    NotBefore          : 4/26/2013 2:17:36 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : AC22FFDBBD9EA7964AF1DD0FD9B473F5
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=mcis-mail
    Thumbprint         : E0C62BCBD770FA14ACE1F8C4B9D4DD3D7677C6AE

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mcis-mail, mcis-mail.mcis.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=mcis-mail
    NotAfter           : 4/25/2014 4:50:59 PM
    NotBefore          : 4/25/2013 4:50:59 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 3C3AAE3E9D9337A64F851DD7EAD47B1C
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=mcis-mail
    Thumbprint         : 0439A380353852C6816FB61B76B6AD2A930C9316

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mcismail, mcismail.mcis.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=mcismail
    NotAfter           : 12/27/2013 8:38:22 AM
    NotBefore          : 12/27/2012 8:38:22 AM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : D001198DED84D19F4BDA9CF3742D7AFB
    Services           : SMTP
    Status             : Valid
    Subject            : CN=mcismail
    Thumbprint         : F7FB5A442CB5F10F34FEC38C90B2901E78064EB0

    Monday, August 05, 2013 10:46 AM
  • Hi Sir,

    I think your resolution will only fix Exchange 2013, not 2007.

    My Exchange Server is 2007, and I have these 5 thumbprints: 3 are for the correct common name, which is mcis-mail (with dash), and 2 are for the incorrect common name, which is mcismail (without dash).

    The SMTP service is running through the 5 common names and thumbprints.

    The problem is the FQDN of the domain name.

    Thanks for the answer and to the others who are willing to help!!

    God bless.

    Wednesday, August 07, 2013 3:47 AM
  • And where can I find the Client Access Server?

    My domain and mailbox are on different physical servers.

    Thank you.

    Wednesday, August 07, 2013 3:51 AM
  • Hi Sir

    All of my certificates are not trusted. What will I do now?

    Wednesday, August 07, 2013 4:08 AM
  • Hi Sean,

    • To find where the CAS role is installed, we can run Get-ClientAccessServer.

     For more information: http://technet.microsoft.com/en-us/library/bb124785(v=EXCHG.80).aspx

    • To make the mcismail’s thumbprint valid, we can run the following command:

      Export-ExchangeCertificate -Thumbprint F7FB5A442CB5F10F34FEC38C90B2901E78064EB0

      Export-ExchangeCertificate -Thumbprint ED9927F58A1301C74676CEF4C43087BCFA4FD61C

    • From your description, the domain name isn’t in a certificate. And we can validate it by the following steps.

    1. Generate a certificate request by running the command:

     New-ExchangeCertificate -DomainName mail.maritimeclinic.net -SubjectName "c=country, l=YourLocalityOrCity, s=YourStateOrProvince, o=YourCompanyInc, cn=YourFirstDomain.com" -KeySize 2048 -GenerateRequest:$True -PrivateKeyExportable:$True -Path c:\request.txt

    2. Import it: Import-ExchangeCertificate -Path <full path to cert file>

    3. Determine the thumbprint of a certificate:

    Get-ExchangeCertificate -DomainName mail.maritimeclinic.net

    4. Enable it: Enable-ExchangeCertificate -Services IIS, POP, IMAP, SMTP -Thumbprint <certificate-thumbprint>

    • About the untrusted certificate in the console root, you can try Supawat’s suggestion.

     Here is a similar thread that has been resolved.

     http://social.technet.microsoft.com/Forums/windowsserver/en-US/d68e7667-d66c-4f30-9bb8-b31ef01d42bf/certificate-error-untrusted-certificate

      And you are also welcome to write a post on our development forum to confirm it.

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=windowsserver

    If you have any issues, please feel free to let me know.

    Best regards

    Monday, August 12, 2013 7:55 AM
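
The check that the event text in the question describes (a certificate whose domain names include the connector FQDN and that is enabled for SMTP), applied to certificates shaped like the ones listed in this thread; this is an added example, not code posted by anyone in the thread. Assumptions: Test-StartTlsCertificate and its parameters are hypothetical names, the name comparison is an exact match, and the commented live call treats "Outgoing email" as a Send connector.

```powershell
# Added example. Test-StartTlsCertificate is a hypothetical helper, not an Exchange cmdlet.
function Test-StartTlsCertificate {
    param(
        [string]$ConnectorFqdn,          # FQDN configured on the connector
        [object[]]$Certificate,          # objects shaped like Get-ExchangeCertificate output
        [datetime]$AsOf = (Get-Date)     # point in time to check the validity period against
    )
    foreach ($cert in $Certificate) {
        # Exact, case-insensitive comparison against every name on the certificate (assumption)
        $names     = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $nameMatch = $names -contains $ConnectorFqdn
        $smtp      = "$($cert.Services)" -match '\bSMTP\b'
        $inDate    = ($cert.NotBefore -le $AsOf) -and ($cert.NotAfter -ge $AsOf)

        # Collect every reason this certificate cannot serve STARTTLS for the FQDN
        $reasons = @()
        if (-not $nameMatch)          { $reasons += 'FQDN not in CertificateDomains' }
        if (-not $smtp)               { $reasons += 'SMTP service not enabled' }
        if (-not $cert.HasPrivateKey) { $reasons += 'no private key' }
        if (-not $inDate)             { $reasons += 'outside validity period' }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Names      = $names -join ', '
            Usable     = ($reasons.Count -eq 0)
            Reasons    = $reasons -join '; '
        } | Select-Object Thumbprint, Names, Usable, Reasons
    }
}

# Constructed sample: two of the five certificates from the output posted in this thread.
$sample = @(
    New-Object PSObject -Property @{
        Thumbprint = 'ED9927F58A1301C74676CEF4C43087BCFA4FD61C'
        CertificateDomains = 'mcismail', 'mcismail.mcis.local'
        Services = 'SMTP'; HasPrivateKey = $true
        NotBefore = [datetime]'8/5/2013 4:43:41 PM'; NotAfter = [datetime]'8/5/2014 4:43:41 PM'
    }
    New-Object PSObject -Property @{
        Thumbprint = '0439A380353852C6816FB61B76B6AD2A930C9316'
        CertificateDomains = 'mcis-mail', 'mcis-mail.mcis.local'
        Services = 'IMAP, POP, IIS, SMTP'; HasPrivateKey = $true
        NotBefore = [datetime]'4/25/2013 4:50:59 PM'; NotAfter = [datetime]'4/25/2014 4:50:59 PM'
    }
)
Test-StartTlsCertificate -ConnectorFqdn 'mail.maritimeclinic.net' -Certificate $sample -AsOf '2013-08-07' | Format-List
# Live (Exchange Management Shell), assuming a Send connector named as in the event text:
# Test-StartTlsCertificate (Get-SendConnector 'Outgoing email').Fqdn (Get-ExchangeCertificate)
```

Both sample certificates are reported as not usable for the same reason: SMTP is enabled on them, but neither lists mail.maritimeclinic.net among its names.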