Exchange 2007 - smtp; 554 Certificate rejected over TLS.
-
Wednesday, January 09, 2013 8:36 PM
I am experiencing a strange problem with TLS between our mail server and one of our supplier's mail servers when receiving email over TLS.
Our supplier has two different domains sitting on the same mail server, so that they can send out in either the English or French domain, depending on which region they are sending mail to.
When the individual uses the French spelling of the domain, we receive the email. When using the English spelling, this is where things start to get bad. First, the sender of the email will usually receive the following bounce-back message:
Original-Recipient: <my email address>
Action: failed
Diagnostic-Code: smtp; 554 Certificate rejected over TLS.
Remote-MTA: (our mail server IP)
This is what happens about 90% of the time, otherwise it gets delivered no problem over TLS.
Getting back to this bounce message; when looking at the internet headers (from their side), I can see that the bounce has come from our mail server's IP address, and not that of our secondary MX record (backup). I have updated our firewall settings to always allow emails from the domain, and have double checked that we are able to start TLS and receive emails over it on our Exchange side.
Since the French domain sits on the same server as the English domain, always working fine over TLS, while the English domain only sometimes gets emails through, I am a bit at a loss as to why it would block one, and not the other, as the IP is the same.
Any ideas as to what I can check or do next to try to fix this issue?
If you need any more information, or if my explanation is lacking, please ask! Thanks
All Replies
-
Thursday, January 10, 2013 2:50 AM
On Wed, 9 Jan 2013 20:36:10 +0000, Novak88 wrote:
> I am experiencing a strange problem with TLS between our mail server and one of our supplier's mail servers when receiving email over TLS.
> Our supplier has two different domains sitting on the same mail server, so that they can send out in either the English or French domain, depending on which region they are sending mail to. When the individual uses the French spelling of the domain, we receive the email. When using the English spelling, this is where things start to get bad.
> First, the sender of the email will usually receive the following bounce-back message: Original-Recipient: <my email address> Action: failed Diagnostic-Code: smtp; 554 Certificate rejected over TLS. Remote-MTA: (our mail server IP)
> This is what happens about 90% of the time, otherwise it gets delivered no problem over TLS.
> Getting back to this bounce message; when looking at the internet headers (from their side), I can see that the bounce has come from our mail server's IP address, and not that of our secondary MX record (backup). I have updated our firewall settings to always allow emails from the domain, and have double checked that we are able to start TLS and receive emails over it on our Exchange side.
> Since the French domain sits on the same server as the English domain, always working fine over TLS, while the English domain only sometimes gets emails through, I am a bit at a loss as to why it would block one, and not the other, as the IP is the same.
> Any ideas as to what I can check or do next to try to fix this issue? If you need any more information, or if my explanation is lacking, please ask!
It'd be pretty unusual for your server to send an NDR with that status code in it. 554 is a fatal error and your server would not have accepted the message.
Check your server's SMTP Receive protocol log and find that 554 and text. You shouldn't see anything more, except for a possible RSET and QUIT from the sender after that.
If you don't see the 554 in the receive protocol log see if you can find it in the Send protocol log.
You should see some information in the protocol log related to the certificate(s) in question, too.
---
Rich Matheisen
MCSE+I, Exchange MVP
-
Thursday, January 10, 2013 3:10 PM
Thanks for the pointer Rich!
I had to enable the logging; I'll get them to try to send a few more mails and see what comes up.
Keep you posted. -
Monday, January 21, 2013 8:29 PM
Alright, I've collected a few days worth of logs and checked them over.
I was notified that the other side was getting another rejection, specifically on Jan 10th/13 at 10:26:12.
I found this in the Receive logs:
2013-01-10T15:26:12.635Z,*servername*\Windows SBS Internet Receive *servername*,08CF9.....1,22,192.168.1.2:25,192.168.1.1:44893,-,,Local
I didn't see any of the other info there, just the "Local" entry as seen above.
I'm going to take a look at our firewall and see what's going on with 44893.
Any ideas? -
Monday, January 21, 2013 10:49 PM
On Mon, 21 Jan 2013 20:29:48 +0000, Novak88 wrote:
> Alright, I've collected a few days' worth of logs and checked them over. I was notified that the other side was getting another rejection, specifically on Jan 10th/13 at 10:26:12. I found this in the Receive logs:
> 2013-01-10T15:26:12.635Z,*servername*\Windows SBS Internet Receive *servername*,08CF9.....1,22,192.168.1.2:25,192.168.1.1:44893,-,,Local
> I didn't see any of the other info there, just the "Local" entry as seen above. I'm going to take a look at our firewall and see what's going on with 44893. Any ideas?
You should see your server send "...,>,250-STARTTLS,".
The other server should send "...,<,STARTTLS,".
You should see "...,*,,Sending certificate" soon after that.
Followed by "...,<,EHLO the-other-domain"
Then by "...,*,,TlsDomainCapabilities='...."
After that the normal SMTP conversation should ensue.
If the certificate exchange fails there should be something in the log.
If you see a 12014 event in the application log it should tell you if there was a problem finding a cert that matched the FQDN in the connector.
---
Rich Matheisen
MCSE+I, Exchange MVP
Marked as answer by Evan Liu (Moderator), Wednesday, January 30, 2013 9:57 AM
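As an added illustration, not code from the thread, from Microsoft or from either poster, the following Python checker walks Exchange 2007 receive-protocol log lines grouped by session and reports how far each session got through the STARTTLS milestones Rich lists in his second reply (250-STARTTLS, STARTTLS, Sending certificate, the second EHLO, TlsDomainCapabilities), and whether any 554 text appears in either direction, which is what his first reply says to look for. The field layout follows the log line the original poster pasted; the connector name, session ids, host names, the `TlsDomainCapabilities` value and all log lines are constructed sample data, and the session that stalls after "Sending certificate" with a `Local` disconnect is modelled on the poster's own line.

```python
import csv
import io
from collections import OrderedDict

# Field layout of an Exchange 2007 receive-protocol log line, as in the line the
# original poster pasted:
#   date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
# Event codes: "+" connect, "-" disconnect, ">" sent by our server, "<" received
# from the peer, "*" informational (its text sits in the context field).
FIELDS = ("timestamp", "connector", "session", "seq", "local", "remote",
          "event", "data", "context")

# Milestones of a healthy STARTTLS session in the order Rich Matheisen gives:
# (label, event code, field to match, prefix that field must start with).
MILESTONES = (
    ("server advertised STARTTLS", ">", "data", "250-STARTTLS"),
    ("client requested STARTTLS", "<", "data", "STARTTLS"),
    ("server sent its certificate", "*", "context", "Sending certificate"),
    ("client re-sent EHLO inside TLS", "<", "data", "EHLO"),
    ("TLS capabilities negotiated", "*", "context", "TlsDomainCapabilities="),
)

CONNECTOR = "SRV\\Windows SBS Internet Receive SRV"  # constructed connector name

# Constructed sessions as (event, data, context) tuples. SESS-A completes the
# handshake; SESS-B stops after "Sending certificate" and is dropped locally, the
# shape of the poster's "-,,Local" line; SESS-C carries the 554 text from the bounce.
_PRE_TLS = [
    ("+", "", ""),
    (">", "220 mail.example.test Microsoft ESMTP MAIL Service ready", ""),
    ("<", "EHLO mail.supplier.test", ""),
    (">", "250-STARTTLS", ""),
    (">", "250 OK", ""),
    ("<", "STARTTLS", ""),
    (">", "220 2.0.0 SMTP server ready", ""),
    ("*", "", "Sending certificate"),
]
SAMPLE_SESSIONS = OrderedDict([
    ("SESS-A", _PRE_TLS + [
        ("<", "EHLO mail.supplier.test", ""),
        ("*", "", "TlsDomainCapabilities='constructed-value'"),
        (">", "250 OK", ""),
        ("<", "MAIL FROM:<sender@supplier.test>", ""),
        (">", "250 2.1.0 Sender OK", ""),
        ("-", "", "Remote"),
    ]),
    ("SESS-B", _PRE_TLS + [("-", "", "Local")]),
    ("SESS-C", _PRE_TLS + [
        (">", "554 Certificate rejected over TLS.", ""),
        ("-", "", "Local"),
    ]),
])


def build_sample_log():
    """Render the constructed sessions as CSV text in the protocol-log layout."""
    buf = io.StringIO()
    buf.write("#Fields: " + ",".join(FIELDS) + "\n")
    writer = csv.writer(buf, lineterminator="\n")
    for port, (sid, events) in enumerate(SAMPLE_SESSIONS.items(), start=44890):
        for seq, (event, data, context) in enumerate(events):
            writer.writerow(["2013-01-10T15:26:12.000Z", CONNECTOR, sid, seq,
                             "192.168.1.2:25", f"192.168.1.1:{port}",
                             event, data, context])
    return buf.getvalue()


def parse_protocol_log(text):
    """Group log rows by session id, skipping '#' header lines and short rows."""
    sessions = OrderedDict()
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#") or len(row) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        sessions.setdefault(rec["session"], []).append(rec)
    return sessions


def check_session(records):
    """Report how far one session got through the STARTTLS milestones."""
    reached, rejections, disconnect = [], [], None
    for rec in records:
        if len(reached) < len(MILESTONES):
            label, event, field, prefix = MILESTONES[len(reached)]
            if rec["event"] == event and rec[field].startswith(prefix):
                reached.append(label)
        # A 554 in either direction is the text Rich says to search for.
        if rec["event"] in ("<", ">") and rec["data"].startswith("554"):
            rejections.append(rec["data"])
        if rec["event"] == "-":
            disconnect = rec["context"] or "unknown"
    pending = MILESTONES[len(reached)][0] if len(reached) < len(MILESTONES) else None
    return {"remote": records[0]["remote"], "reached": reached,
            "next_expected": pending, "rejections": rejections,
            "disconnect": disconnect}


def analyse_log(text):
    """Map each session id to its STARTTLS milestone report."""
    return OrderedDict((sid, check_session(recs))
                       for sid, recs in parse_protocol_log(text).items())


if __name__ == "__main__":
    for sid, report in analyse_log(build_sample_log()).items():
        status = ("complete" if report["next_expected"] is None
                  else f"stalled before '{report['next_expected']}'")
        print(f"{sid} {report['remote']}: {status}; disconnect={report['disconnect']}; "
              f"rejections={report['rejections']}")
```

Against a real log, replace `build_sample_log()` with the file contents of a RECV log from the receive connector's protocol-log directory; a session whose report stalls at "client re-sent EHLO inside TLS" with a `Local` disconnect is one where the certificate was sent but the TLS session was never completed, which is the point at which Rich suggests looking for a 12014 event in the application log.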

