Some questions about the SMTP protocol logging

    Question

  • The following is client 192.168.1.1 sending a message to server 10.0.0.1, and I have some questions about it.

    1. Why did the client say EHLO twice to the server? (sequence numbers 3 and 29)

    2. Does "*Sending certificate" mean server 10.0.0.1 sends a certificate to client 192.168.1.1?

    ProtocolLog\SmtpSend
    0,,10.0.0.1:25,*,,attempting to connect
    1,192.168.1.1:51037,10.0.0.1:25,+,,
    2,192.168.1.1:51037,10.0.0.1:25,<,"220 WIN-QCLMUOT66QB.ytdaily.local Microsoft ESMTP MAIL Service ready at Mon, 20 Jan 2014 19:04:31 -0800",
    3,192.168.1.1:51037,10.0.0.1:25,>,EHLO WIN-QCLMUOT66QH.book.local,
    4,192.168.1.1:51037,10.0.0.1:25,<,250-WIN-QCLMUOT66QB.ytdaily.local Hello [192.168.1.1],
    5,192.168.1.1:51037,10.0.0.1:25,<,250-SIZE,
    6,192.168.1.1:51037,10.0.0.1:25,<,250-PIPELINING,
    7,192.168.1.1:51037,10.0.0.1:25,<,250-DSN,
    8,192.168.1.1:51037,10.0.0.1:25,<,250-ENHANCEDSTATUSCODES,
    9,192.168.1.1:51037,10.0.0.1:25,<,250-STARTTLS,
    10,192.168.1.1:51037,10.0.0.1:25,<,250-X-ANONYMOUSTLS,
    11,192.168.1.1:51037,10.0.0.1:25,<,250-AUTH NTLM,
    12,192.168.1.1:51037,10.0.0.1:25,<,250-X-EXPS GSSAPI NTLM,
    13,192.168.1.1:51037,10.0.0.1:25,<,250-8BITMIME,
    14,192.168.1.1:51037,10.0.0.1:25,<,250-BINARYMIME,
    15,192.168.1.1:51037,10.0.0.1:25,<,250-CHUNKING,
    16,192.168.1.1:51037,10.0.0.1:25,<,250-XEXCH50,
    17,192.168.1.1:51037,10.0.0.1:25,<,250-XRDST,
    18,192.168.1.1:51037,10.0.0.1:25,<,250 XSHADOW,
    19,192.168.1.1:51037,10.0.0.1:25,>,STARTTLS,
    20,192.168.1.1:51037,10.0.0.1:25,<,220 2.0.0 SMTP server ready,
    21,192.168.1.1:51037,10.0.0.1:25,*,,Sending certificate
    22,192.168.1.1:51037,10.0.0.1:25,*,"CN=book.local, OU=erer, O=er, L=ere, S=erer, C=DZ",Certificate subject
    23,192.168.1.1:51037,10.0.0.1:25,*,"CN=book-WIN-QCLMUOT66QH-CA, DC=book, DC=local",Certificate issuer name
    24,192.168.1.1:51037,10.0.0.1:25,*,610CE823000000000002,Certificate serial number
    25,192.168.1.1:51037,10.0.0.1:25,*,2DEE512F1E85677564AF71F2C9F0DA28671194BC,Certificate thumbprint
    26,192.168.1.1:51037,10.0.0.1:25,*,book.local;win-qclmuot66qh.book.local;mail.book.com;autodiscover.book.local;autodiscover.mail.book.com,Certificate alternate names
    27,192.168.1.1:51037,10.0.0.1:25,*,,Received certificate
    28,192.168.1.1:51037,10.0.0.1:25,*,ADA7892693004F6C59EC66277BD31BC1E6E433DF,Certificate thumbprint
    29,192.168.1.1:51037,10.0.0.1:25,>,EHLO WIN-QCLMUOT66QH.book.local,
    30,192.168.1.1:51037,10.0.0.1:25,<,250-WIN-QCLMUOT66QB.ytdaily.local Hello [192.168.1.1],
    31,192.168.1.1:51037,10.0.0.1:25,<,250-SIZE,
    32,192.168.1.1:51037,10.0.0.1:25,<,250-PIPELINING,
    33,192.168.1.1:51037,10.0.0.1:25,<,250-DSN,
    34,192.168.1.1:51037,10.0.0.1:25,<,250-ENHANCEDSTATUSCODES,
    35,192.168.1.1:51037,10.0.0.1:25,<,250-AUTH NTLM LOGIN,
    36,192.168.1.1:51037,10.0.0.1:25,<,250-X-EXPS GSSAPI NTLM,
    37,192.168.1.1:51037,10.0.0.1:25,<,250-8BITMIME,
    38,192.168.1.1:51037,10.0.0.1:25,<,250-BINARYMIME,
    39,192.168.1.1:51037,10.0.0.1:25,<,250-CHUNKING,
    40,192.168.1.1:51037,10.0.0.1:25,<,250-XEXCH50,
    41,192.168.1.1:51037,10.0.0.1:25,<,250-XRDST,
    42,192.168.1.1:51037,10.0.0.1:25,<,250 XSHADOW,
    43,192.168.1.1:51037,10.0.0.1:25,*,74,sending message
    44,192.168.1.1:51037,10.0.0.1:25,>,MAIL FROM:<abc@mail.book.com> SIZE=3642,
    45,192.168.1.1:51037,10.0.0.1:25,>,RCPT TO:<xyz@ytdaily.com>,
    46,192.168.1.1:51037,10.0.0.1:25,<,250 2.1.0 Sender OK,
    47,192.168.1.1:51037,10.0.0.1:25,<,250 2.1.5 Recipient OK,
    48,192.168.1.1:51037,10.0.0.1:25,>,BDAT 2531 LAST,
    49,192.168.1.1:51037,10.0.0.1:25,<,250 2.6.0 <0A03FB595EC4BF469DA0F91801775696DA2E95@WIN-QCLMUOT66QH.book.local> [InternalId=19] Queued mail for delivery,
    50,192.168.1.1:51037,10.0.0.1:25,>,QUIT,
    51,192.168.1.1:51037,10.0.0.1:25,<,221 2.0.0 Service closing transmission channel,
    52,192.168.1.1:51037,10.0.0.1:25,-,,Local



    Please click the Mark as Answer button if a post solves your problem!



    Wednesday, January 22, 2014 5:24 AM
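
An added example, not part of the original post or of Exchange: a small parser that splits the SmtpSend session above at STARTTLS, records each EHLO, and diffs the capabilities advertised before and after TLS. RFC 3207 has the client discard the extension list learned in cleartext and send EHLO again once the TLS handshake completes, which is the pattern at sequence numbers 3 and 29. The function name `summarize`, the result keys, and the six-column layout (as quoted in the post) are assumptions of this example.

```python
import csv
import io

# Constructed sample: a subset of the six-column SmtpSend lines quoted in the question.
SAMPLE_LOG = """\
3,192.168.1.1:51037,10.0.0.1:25,>,EHLO WIN-QCLMUOT66QH.book.local,
4,192.168.1.1:51037,10.0.0.1:25,<,250-WIN-QCLMUOT66QB.ytdaily.local Hello [192.168.1.1],
9,192.168.1.1:51037,10.0.0.1:25,<,250-STARTTLS,
11,192.168.1.1:51037,10.0.0.1:25,<,250-AUTH NTLM,
18,192.168.1.1:51037,10.0.0.1:25,<,250 XSHADOW,
19,192.168.1.1:51037,10.0.0.1:25,>,STARTTLS,
21,192.168.1.1:51037,10.0.0.1:25,*,,Sending certificate
25,192.168.1.1:51037,10.0.0.1:25,*,2DEE512F1E85677564AF71F2C9F0DA28671194BC,Certificate thumbprint
27,192.168.1.1:51037,10.0.0.1:25,*,,Received certificate
28,192.168.1.1:51037,10.0.0.1:25,*,ADA7892693004F6C59EC66277BD31BC1E6E433DF,Certificate thumbprint
29,192.168.1.1:51037,10.0.0.1:25,>,EHLO WIN-QCLMUOT66QH.book.local,
30,192.168.1.1:51037,10.0.0.1:25,<,250-WIN-QCLMUOT66QB.ytdaily.local Hello [192.168.1.1],
35,192.168.1.1:51037,10.0.0.1:25,<,250-AUTH NTLM LOGIN,
42,192.168.1.1:51037,10.0.0.1:25,<,250 XSHADOW,
"""

def summarize(log_text):
    """Compare EHLO capabilities before and after STARTTLS and collect certificate events."""
    caps = {"before_tls": set(), "after_tls": set()}
    certs, ehlo_seqs = {}, []
    phase, cert_event, ehlo_line = "before_tls", None, None
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue                      # not a six-column record
        seq, _local, _remote, event, data, context = row
        if event == ">":                  # command sent by the side writing the log
            verb = data.split(" ", 1)[0].upper()
            ehlo_line = 0 if verb == "EHLO" else None
            if verb == "EHLO":
                ehlo_seqs.append(int(seq))
            elif verb == "STARTTLS":
                phase = "after_tls"       # later EHLO replies belong to the TLS session
        elif event == "<" and ehlo_line is not None and data.startswith("250"):
            if ehlo_line > 0 and data[4:].strip():   # reply line 0 is the greeting
                kw, *params = data[4:].split()
                caps[phase].update({f"{kw} {p}" for p in params} or {kw})
            ehlo_line = None if data[3:4] == " " else ehlo_line + 1
        elif event == "*" and context.endswith("certificate"):
            cert_event = context          # "Sending certificate" / "Received certificate"
        elif event == "*" and context == "Certificate thumbprint" and cert_event:
            certs[cert_event] = data      # thumbprint belongs to the preceding event
    return {"ehlo_seqs": ehlo_seqs, "certs": certs,
            "tls_only": sorted(caps["after_tls"] - caps["before_tls"]),
            "cleartext_only": sorted(caps["before_tls"] - caps["after_tls"])}
```

On this sample the diff shows `AUTH LOGIN` offered only inside TLS and `STARTTLS` offered only before it, which is a quick way to confirm that a session was actually upgraded before mail was sent.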

All replies

  • Hi,

    Here are my answers you can refer to:
    1. The first EHLO is to create a control plane connection. It sends its certificate to the server to authenticate itself. The second EHLO is used to transfer real data based on the control tunnel:
    http://blogs.msdn.com/b/akashb/archive/2011/02/26/exchange-2007-transport-error-when-sending-emails-using-tls-0x80040213.aspx
    2. It means the certificate information, which has been mentioned in the SMTP log, is sent for authentication.
    Thanks,

     


    Angela Shi
    TechNet Community Support

    Thursday, January 23, 2014 6:44 AM
  • Thank you Angela,

    1. "Control plane connection": what is that? The Transport Layer Security connection?

    2. Do "sending message" and "Received certificate" mean the client sends a certificate to the server and the client also receives a certificate from the server?

    So does it mean the server needs to authenticate the client, and the client also needs to authenticate the server?





    Thursday, January 23, 2014 9:14 AM