Can't connect to SMTP "Receive Connectors" after SSL implementation (Exchange 2007, Windows 2008)

    Question

  • Hello,

     My Exchange 2007 is hosted on a Windows 2008 server; the majority of employees are in the field and check email via the internet. I recently upgraded to a UCC SSL certificate, which is implemented and works fine on WWW/IMAP(993)/OWA (can send emails through OWA). However, the old unsecured SMTP(25) service no longer lets users log in and the connection always times out. Same with the once-working VPN SMTP(587).

    I would like to be standards-conformant, and I assume I would want to make a new receive connector for SMTP(465) for SSL, yet I would still like the unsecured SMTP(25) to also work for older-model smartphones or email clients.

    It appears the certificate changed, but somehow not on the receive connector? I have pasted config logs below if anyone needs them. There is an old cert on there; I'm not sure what it does, but I don't want to delete it since I don't know what it is.

     

    [PS] C:\Windows\system32>Get-ExchangeCertificate |fl


    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {domain.com, www.domain.com, mail.domain.com,
                         smtp.domain.com, autodiscover.domain.com, hostname.domain.local}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
                         thority, OU=http://certificates.godaddy.com/repository, O=
                         "GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter           : 9/23/2013 6:51:33 PM
    NotBefore          : 9/25/2011 4:41:20 PM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 0460AF747AC16E
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=domain.com, OU=Domain Control Validated, O=domain.com
    Thumbprint         : 0151CCEFC3E38BC2679652CC69BEBD0F6D74EDA4

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-HostName}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-HostName
    NotAfter           : 3/6/2020 5:05:53 PM
    NotBefore          : 3/9/2010 5:05:53 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 5E11398B27F528B45DA515B1ABA026D2
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-HostName
    Thumbprint         : 59CC35760107895F91B3543ECA1F366B4F7D8E0B

    ####

    [Working]

    [PS] C:\Windows\system32>Get-ImapSettings |fl


    ProtocolName                      : IMAP4
    Name                              : 1
    MaxCommandSize                    : 10240
    ShowHiddenFoldersEnabled          : False
    UnencryptedOrTLSBindings          : {:::143, 0.0.0.0:143}
    SSLBindings                       : {:::993, 0.0.0.0:993}
    X509CertificateName               : Domain.com
    Banner                            : The Microsoft Exchange IMAP4 service is rea
                                        dy.
    LoginType                         : PlainTextLogin
    AuthenticatedConnectionTimeout    : 00:30:00
    PreAuthenticatedConnectionTimeout : 00:01:00
    MaxConnections                    : 2000
    MaxConnectionFromSingleIP         : 2000
    MaxConnectionsPerUser             : 16
    MessageRetrievalMimeFormat        : BestBodyFormat
    ProxyTargetPort                   : 143
    CalendarItemRetrievalOption       : iCalendar
    OwaServerUrl                      :
    EnableExactRFC822Size             : False
    AdminDisplayName                  :
    ExchangeVersion                   : 0.1 (8.0.535.0)
    DistinguishedName                 : CN=1,CN=IMAP4,CN=Protocols,CN=HostName
                                        ,CN=Servers,CN=Exchange Administrative Gro
                                        up (FYDIBOHF23SPDLT),CN=Administrative Grou
                                        ps,CN=Company Name,CN=Microsoft Exc
                                        hange,CN=Services,CN=Configuration,DC=domain,DC=local
    Identity                          : HostName\1
    Guid                              : 045e2069-c2bd-49e1-a2dd-f4489fe54e2c
    ObjectCategory                    : Domain.local/Configuration/Schema/ms-Ex
                                        ch-Protocol-Cfg-IMAP-Server
    ObjectClass                       : {top, protocolCfg, protocolCfgIMAP, protoco
                                        lCfgIMAPServer}
    WhenChanged                       : 9/27/2011 7:03:30 PM
    WhenCreated                       : 3/9/2010 7:04:13 PM
    OriginatingServer                 : HostName.domain.local
    IsValid                           : True

     

    ####

    [PS] C:\Windows\system32>Get-ReceiveConnector -server HostName |fl


    AuthMechanism                           : Integrated, BasicAuth, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {*.*.*.4:26, *.*.*.4:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    Fqdn                                    : Hostname
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : unlimited
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : unlimited
    MaxInboundConnectionPercentagePerSource : 100
    MaxHeaderSize                           : 64KB
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 10MB
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 5000
    PermissionGroups                        : AnonymousUsers, ExchangeUsers, Exchan
                                              geServers, ExchangeLegacyServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    Server                                  : HostName
    SizeEnabled                             : EnabledWithoutValue
    TarpitInterval                          : 00:00:05
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default HostName
    DistinguishedName                       : CN=Default HostName,CN=SMTP Rec
                                              eive Connectors,CN=Protocols,CN=HostName
                          ,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
                          CN=Administrative Groups,CN=Company Name
                          ,CN=Microsoft Exchange,CN=Services
                          ,CN=Configuration,DC=Domain
                                              ,DC=local
    Identity                                : HostName\Default HostName
    Guid                                    : 44d99b7f-9bb2-4781-800e-ccdc35ae5a5f
    ObjectCategory                          : Domain.local/Configuration/Schema
                                              /ms-Exch-Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 9/27/2011 7:40:55 PM
    WhenCreated                             : 3/9/2010 7:01:13 PM
    OriginatingServer                       : HostName.Domain.local
    IsValid                                 : True

    AuthMechanism                           : Tls, Integrated, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {*.*.*.4:587}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    Fqdn                                    : HostName
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : 600
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 64KB
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 10MB
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeUsers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : True
    EnableAuthGSSAPI                        : True
    Server                                  : HostName
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Client HostName
    DistinguishedName                       : CN=Client HostName,CN=SMTP Rece
                                              ive Connectors,CN=Protocols,CN=HostName,CN=Servers,CN=Exchange Admin
                                              istrative Group (FYDIBOHF23SPDLT),CN=
                                              Administrative Groups,CN=Company Name,CN=Microsoft Exchange,CN=Ser
                                              vices,CN=Configuration,DC=Domain,
                                              DC=local
    Identity                                : HostName\Client HostName
    Guid                                    : 5ccee6e2-19f6-4de5-ab37-70c085389a46
    ObjectCategory                          : Domain.local/Configuration/Schema
                                              /ms-Exch-Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 9/27/2011 8:45:10 PM
    WhenCreated                             : 3/9/2010 7:01:13 PM
    OriginatingServer                       : HostName.Domain.local
    IsValid                                 : True

     

    ####

    • Edited by Ubuntub0x Wednesday, 28 September 2011 19:17
    Wednesday, 28 September 2011 18:39

All replies

  • More research shows > Event Viewer > Windows Logs > Applications > Event ID 12014 > Microsoft Exchange could not find a certificate that contains the domain name [Hostname] in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector [Client HostName] with a FQDN parameter of HostName. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    Now the question is, do I need to change the Hub Transport name or the UCC SSL cert name? I set the UCC SSL cert's SAN names as smtp.domain.com and hostname.domain.local; I didn't add one for [Hostname]. However, the receive connectors only let me set the FQDN as hostname.

    Or how would I change the Hub Transport to smtp.domain.com, and would that somehow adversely affect OWA sending e-mails?

    Wednesday, 28 September 2011 19:43
  • Hi Ubuntub0x,

    Please try to resolve the Event 12014 first:

    Troubleshooting Event ID 12014 in Exchange 2007/2010

    http://www.mikepfeiffer.net/2010/04/troubleshooting-event-id-12014-in-exchange-20072010/

    Frank Wang

    Friday, 30 September 2011 08:00
  • Hello Frank,

     Thank you for the reply and the submitted URL. I checked the website and all my certs and services appear to be correct; the above link didn't appear to resolve my issue. I went ahead and generated a new local certificate for Exchange, however there is still no resolution to my issue. I still can't connect to SMTP services, and I'm still receiving the same error 12014.

    Because of the 12014 error logs, I'm thinking that I need to change the SAN of hostname.domain.local to just hostname for it to work? Any other ideas or links for this error? I'm running out of ideas on troubleshooting.

    Logs:

    [PS] C:\Windows\system32>Get-ExchangeCertificate | fl CertificateDomains


    CertificateDomains : {hostname.domain.local, hostname}

    CertificateDomains : {domain.com, www.domain.com, mail.domain.com,
                         smtp.domain.com, autodiscover.domain.com,
                         hostname.domain.local}



    [PS] C:\Windows\system32>Get-SendConnector | fl fqdn


    Fqdn : smtp.domain.com



    [PS] C:\Windows\system32>Get-ReceiveConnector | fl fqdn


    Fqdn : HOSTNAME.domain.local

    Fqdn : HOSTNAME.domain.local

    Fqdn : hostname.domain.local



    [PS] C:\Windows\system32>Get-ExchangeCertificate | fl thumbprint, services


    Thumbprint : 993008779F7EE2DEFE6B06A44684E88B21B*
    Services   : SMTP

    Thumbprint : 0151CCEFC3E38BC2679652CC69BEBD0F6D7*
    Services   : IMAP, POP, IIS, SMTP

     

    Friday, 30 September 2011 15:09
  • Not sure if this is also part of the issue, but I noticed that when I remote desktop connect to the server by IP address I receive an error stating the certificate doesn't match the hostname, yet when I do an nslookup of the IP address I get the correct hostname, and when I connect via RDP using the hostname I get no error message.
    Friday, 30 September 2011 17:07
  • Ok, progress made. It turns out (I think) you need a self-signed cert for local internal Exchange to work.

    http://technet.microsoft.com/en-us/library/bb851505%28EXCHG.80%29.aspx#CreatingImportingandEnablingCertificates

    I ran these commands to resolve the 12014 error (Enable-ExchangeCertificate needs both the thumbprint and the service to enable it for):

    New-ExchangeCertificate -DomainName "server1.fourthcoffee.com", "server1" -Services "SMTP"
    Get-ExchangeCertificate |fl
    Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP

    Friday, 30 September 2011 18:42
  • There are no more errors in the Application/System logs. On a whim I tried setting the e-mail client's outgoing server to mail.domain.com and it worked sending out an email; now smtp.domain.com somehow works afterwards too, but only the unsecured credentials on port 25 are working for emails correctly.

    IMAP is still working fine on the SSL/TLS setup with auth method: NTLM.

    It seems like Exchange or Microsoft is trying to default the incoming/outgoing mail addresses to both be mail.domain.com instead of different names for the incoming/outgoing services. If this is true, should I change > Organization Configuration > Hub Transport > Send Connectors > Out Bound SMTP > smtp.domain.com to mail.domain.com?

    For the SMTP 587/465 ports it only appears to support Connection Security: STARTTLS with Authentication Method: NTLM.

    Looking at my logs, the SMTP 587 connector has RequireTLS $True and EnableAuthGSSAPI $True, the SMTP 465 connector does not, yet they both are acting the same way.

    How do I set it for connection security SSL/TLS on Exchange?

    ### Logs ###

    [PS] C:\Windows\system32>Get-ReceiveConnector -server hostname |fl

    AuthMechanism                           : Integrated, BasicAuth, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {*.*.*.4:26, *.*.*.4:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    Fqdn                                    : hostname.domain.local
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : unlimited
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : unlimited
    MaxInboundConnectionPercentagePerSource : 100
    MaxHeaderSize                           : 64KB
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 10MB
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 5000
    PermissionGroups                        : AnonymousUsers, ExchangeUsers, Exchan
                                              geServers, ExchangeLegacyServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    Server                                  : hostname
    SizeEnabled                             : EnabledWithoutValue
    TarpitInterval                          : 00:00:05
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default hostname
    DistinguishedName                       : CN=Default hostname,CN=SMTP Rec
                                              eive Connectors,CN=Protocols,CN=Hostname
                         ,CN=Servers,CN=Exchange Admi
                                              nistrative Group (FYDIBOHF23SPDLT),CN
                                              =Administrative Groups,CN=Company Name
                          ,CN=Microsoft Exchange,CN=Se
                                              rvices,CN=Configuration,DC=domain
                                              ,DC=local
    Identity                                : hostname\Default hostname
    Guid                                    : 44d99b7f-9bb2-4781-800e-ccdc35ae5a5f
    ObjectCategory                          : domain.local/Configuration/Schema
                                              /ms-Exch-Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 9/30/2011 2:56:32 PM
    WhenCreated                             : 3/9/2010 7:01:13 PM
    OriginatingServer                       : DC-Hostname.domain.local
    IsValid                                 : True

    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuth
                                              RequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {*.*.*.4:587}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    Fqdn                                    : hostname.domain.local
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : 600
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 64KB
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 10MB
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : AnonymousUsers, ExchangeUsers, Exchan
                                              geServers, ExchangeLegacyServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : True
    EnableAuthGSSAPI                        : True
    Server                                  : hostname
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Client hostname
    DistinguishedName                       : CN=Client hostname,CN=SMTP Rece
                                              ive Connectors,CN=Protocols,CN=Hostname
                          ,CN=Servers,CN=Exchange Admin
                                              istrative Group (FYDIBOHF23SPDLT),CN=
                                              Administrative Groups,CN=Company Name
                         ,CN=Microsoft Exchange,CN=Ser
                                              vices,CN=Configuration,DC=domain,
                                              DC=local
    Identity                                : hostname\Client hostname
    Guid                                    : 5ccee6e2-19f6-4de5-ab37-70c085389a46
    ObjectCategory                          : domain.local/Configuration/Schema
                                              /ms-Exch-Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 9/30/2011 3:07:49 PM
    WhenCreated                             : 3/9/2010 7:01:13 PM
    OriginatingServer                       : DC-Hostname.domain.local
    IsValid                                 : True

    AuthMechanism                           : Tls, Integrated, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {*.*.*.4:465}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    Fqdn                                    : hostname.domain.local
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : unlimited
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 64KB
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 10MB
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeUsers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    Server                                  : hostname
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : SSMTP
    DistinguishedName                       : CN=SSMTP,CN=SMTP Receive Connectors,C
                                              N=Protocols,CN=hostname,CN=Serv
                                              ers,CN=Exchange Administrative Group
                                              (FYDIBO*T),CN=Administrative G
                                              roups,CN=Company Name,CN=Micr
                                              osoft Exchange,CN=Services,CN=Configu
                                              ration,DC=domain,DC=local
    Identity                                : hostname\SSMTP
    Guid                                    : 5a4322b4-c02a-42f4-ad61-e5fd3511c52b
    ObjectCategory                          : domain.local/Configuration/Schema
                                              /ms-Exch-Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 9/30/2011 3:41:27 PM
    WhenCreated                             : 9/28/2011 4:31:55 PM
    OriginatingServer                       : DC-Hostname.domain.local
    IsValid                                 : True


    • Edited by Ubuntub0x Friday, 30 September 2011 20:31
    Friday, 30 September 2011 19:59
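The two checks this thread keeps circling back to can be modelled offline. The Event 12014 text quoted earlier states the rule for STARTTLS: the transport service looks for a valid certificate, enabled for the SMTP service, whose CertificateDomains contain the connector's Fqdn, which is why the self-signed cert carrying the bare "hostname" name cleared the event while the UCC cert (hostname.domain.local only) did not. The second check concerns the 587/465 question: Exchange receive connectors offer STARTTLS (explicit TLS) only, so a client set to implicit SSL/TLS on 465 hangs, and a connector that lists BasicAuth without BasicAuthRequireTLS while RequireTLS is False will accept a password in clear text. The script below is an added example written for this page, not code from the thread or from Microsoft; it parses constructed text in the shape of the `Get-ExchangeCertificate | fl` and `Get-ReceiveConnector | fl` output above (thumbprints are placeholders, names are the thread's own placeholders) and reports both findings.

```python
"""Added example (not code from the thread): model the two checks this thread turns on.

1. Event 12014 rule: STARTTLS on a receive connector needs a valid certificate,
   enabled for SMTP, whose CertificateDomains contain the connector Fqdn.
2. Connector auth posture: BasicAuth without BasicAuthRequireTLS on a connector with
   RequireTLS False lets a client send its password in clear text, and a binding on
   465 gives no implicit SSL, because receive connectors only speak STARTTLS.
Inputs are constructed text in the shape of Format-List output; thumbprints are placeholders.
"""
import re

# Constructed: before the fix, only the UCC cert exists (no bare "hostname" name).
CERTS_BEFORE = """\
CertificateDomains : {domain.com, www.domain.com, mail.domain.com,
                     smtp.domain.com, autodiscover.domain.com,
                     hostname.domain.local}
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Thumbprint         : UCC_THUMB_PLACEHOLDER
"""

# Constructed: after New-ExchangeCertificate -DomainName "<fqdn>", "<host>" -Services SMTP.
CERTS_AFTER = """\
CertificateDomains : {hostname.domain.local, hostname}
Services           : SMTP
Status             : Valid
Thumbprint         : SELFSIGNED_THUMB_PLACEHOLDER
""" + "\n" + CERTS_BEFORE

# Constructed: the thread's three connectors, reduced to the keys the checks read.
CONNECTORS = """\
AuthMechanism    : Integrated, BasicAuth, ExchangeServer
Bindings         : {0.0.0.0:25}
Fqdn             : Hostname
RequireTLS       : False
Name             : Default HostName

AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Bindings         : {0.0.0.0:587}
Fqdn             : hostname.domain.local
RequireTLS       : True
Name             : Client HostName

AuthMechanism    : Tls, Integrated, ExchangeServer
Bindings         : {0.0.0.0:465}
Fqdn             : hostname.domain.local
RequireTLS       : False
Name             : SSMTP
"""

KEY_LINE = re.compile(r"^(\S[^:]*?)\s*:\s?(.*)$")


def parse_fl(text):
    """Parse Format-List output into a list of dicts (records split on blank lines).
    The console wraps long values onto indented lines, sometimes mid-word,
    so continuation lines are joined back without adding a space."""
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        match = KEY_LINE.match(line)
        if match and not line.startswith(" "):
            last_key = match.group(1).strip()
            current[last_key] = match.group(2).strip()
        elif last_key is not None:
            current[last_key] += line.strip()
    if current:
        records.append(current)
    return records


def parse_set(value):
    """Split '{a, b}' or 'a, b' into a list of stripped items."""
    return [item.strip() for item in value.strip("{}").split(",") if item.strip()]


def starttls_certificate(certs, connector_fqdn):
    """Return the cert record that can serve STARTTLS for this Fqdn (Event 12014 rule), else None."""
    wanted = connector_fqdn.lower()
    for cert in certs:
        if cert.get("Status") != "Valid" or "SMTP" not in parse_set(cert.get("Services", "")):
            continue
        if wanted in [d.lower() for d in parse_set(cert.get("CertificateDomains", ""))]:
            return cert
    return None


def connector_findings(connector):
    """Return the security findings for one receive connector record."""
    auth = parse_set(connector.get("AuthMechanism", ""))
    ports = [b.rsplit(":", 1)[-1] for b in parse_set(connector.get("Bindings", ""))]
    findings = []
    if "Tls" not in auth:
        findings.append("STARTTLS not offered: AuthMechanism lacks Tls")
    if "BasicAuth" in auth and "BasicAuthRequireTLS" not in auth and connector.get("RequireTLS") != "True":
        findings.append("BasicAuth allowed before TLS: passwords can cross the wire in clear text")
    if "465" in ports:
        findings.append("bound to 465, but receive connectors only do STARTTLS; a client set to implicit SSL/TLS will hang")
    return findings


if __name__ == "__main__":
    for rc in parse_fl(CONNECTORS):
        cert = starttls_certificate(parse_fl(CERTS_BEFORE), rc["Fqdn"])
        print(rc["Name"], "->", cert["Thumbprint"] if cert else "no cert: Event 12014", connector_findings(rc))
```

Run against CERTS_BEFORE, the Default connector (Fqdn "Hostname") gets no certificate, which is the 12014 condition; against CERTS_AFTER the self-signed cert is selected for it. The posture check flags the port-25 connector for clear-text BasicAuth and the 465 connector for the implicit-SSL mismatch, while the 587 connector with BasicAuthRequireTLS and RequireTLS True comes back clean. On a real server the same two inputs are produced by `Get-ExchangeCertificate | fl` and `Get-ReceiveConnector | fl`.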