Can't connect to SMTP "Receive Connectors" after SSL implementation, Exchange 2007, Windows 2008
-
Wednesday, 28 September 2011 18:39
Hello,
My Exchange 2007 is hosted on a Windows 2008 server; the majority of employees are in the field and check emails via the internet. I recently upgraded to a UCC SSL certificate, which is implemented and works fine on WWW/IMAP(993)/OWA (can send emails through OWA). However, the old unsecured SMTP(25) service no longer lets users log in and the connection always times out. Same with the once-working VPN SMTP(587).
I would like to be standards-conformant, and assuming I would want to make a new receive connector for SMTP(465) for SSL, I would still like the unsecured SMTP(25) to also work for older model smartphones or email clients.
It appears the certificate changed, but not on the receive connector somehow? I have pasted config logs below if anyone needs them. There is an old cert on there; not sure what it does, but I don't want to delete it since I don't know what it is.
[PS] C:\Windows\system32>Get-ExchangeCertificate |fl
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {domain.com, www.domain.com, mail.domain.com,
smtp.domain.com, autodiscover.domain.com, hostname.domain.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
thority, OU=http://certificates.godaddy.com/repository, O=
"GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 9/23/2013 6:51:33 PM
NotBefore : 9/25/2011 4:41:20 PM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 0460AF747AC16E
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=domain.com, OU=Domain Control Validated, O=domain.com
Thumbprint : 0151CCEFC3E38BC2679652CC69BEBD0F6D74EDA4
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-HostName}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=WMSvc-HostName
NotAfter : 3/6/2020 5:05:53 PM
NotBefore : 3/9/2010 5:05:53 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 5E11398B27F528B45DA515B1ABA026D2
Services : None
Status : Valid
Subject : CN=WMSvc-HostName
Thumbprint : 59CC35760107895F91B3543ECA1F366B4F7D8E0B
[Working]
[PS] C:\Windows\system32>Get-ImapSettings |fl
ProtocolName : IMAP4
Name : 1
MaxCommandSize : 10240
ShowHiddenFoldersEnabled : False
UnencryptedOrTLSBindings : {:::143, 0.0.0.0:143}
SSLBindings : {:::993, 0.0.0.0:993}
X509CertificateName : Domain.com
Banner : The Microsoft Exchange IMAP4 service is rea
dy.
LoginType : PlainTextLogin
AuthenticatedConnectionTimeout : 00:30:00
PreAuthenticatedConnectionTimeout : 00:01:00
MaxConnections : 2000
MaxConnectionFromSingleIP : 2000
MaxConnectionsPerUser : 16
MessageRetrievalMimeFormat : BestBodyFormat
ProxyTargetPort : 143
CalendarItemRetrievalOption : iCalendar
OwaServerUrl :
EnableExactRFC822Size : False
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=1,CN=IMAP4,CN=Protocols,CN=HostName
,CN=Servers,CN=Exchange Administrative Gro
up (FYDIBOHF23SPDLT),CN=Administrative Grou
ps,CN=Company Name,CN=Microsoft Exc
hange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity : HostName\1
Guid : 045e2069-c2bd-49e1-a2dd-f4489fe54e2c
ObjectCategory : Domain.local/Configuration/Schema/ms-Ex
ch-Protocol-Cfg-IMAP-Server
ObjectClass : {top, protocolCfg, protocolCfgIMAP, protoco
lCfgIMAPServer}
WhenChanged : 9/27/2011 7:03:30 PM
WhenCreated : 3/9/2010 7:04:13 PM
OriginatingServer : HostName.domain.local
IsValid : True
[PS] C:\Windows\system32>Get-ReceiveConnector -server HostName |fl
AuthMechanism : Integrated, BasicAuth, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {*.*.*.4:26, *.*.*.4:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : Hostname
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 5000
PermissionGroups : AnonymousUsers, ExchangeUsers, Exchan
geServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : Verbose
RemoteIPRanges : {0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : HostName
SizeEnabled : EnabledWithoutValue
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default HostName
DistinguishedName : CN=Default HostName,CN=SMTP Rec
eive Connectors,CN=Protocols,CN=HostName
,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
CN=Administrative Groups,CN=Company Name
,CN=Microsoft Exchange,CN=Services
,CN=Configuration,DC=Domain
,DC=local
Identity : HostName\Default HostName
Guid : 44d99b7f-9bb2-4781-800e-ccdc35ae5a5f
ObjectCategory : Domain.local/Configuration/Schema
/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 9/27/2011 7:40:55 PM
WhenCreated : 3/9/2010 7:01:13 PM
OriginatingServer : HostName.Domain.local
IsValid : True
AuthMechanism : Tls, Integrated, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {*.*.*.4:587}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : HostName
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : 600
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : Verbose
RemoteIPRanges : {0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : True
EnableAuthGSSAPI : True
Server : HostName
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Client HostName
DistinguishedName : CN=Client HostName,CN=SMTP Rece
ive Connectors,CN=Protocols,CN=HostName,CN=Servers,CN=Exchange Admin
istrative Group (FYDIBOHF23SPDLT),CN=
Administrative Groups,CN=Company Name,CN=Microsoft Exchange,CN=Ser
vices,CN=Configuration,DC=Domain,
DC=local
Identity : HostName\Client HostName
Guid : 5ccee6e2-19f6-4de5-ab37-70c085389a46
ObjectCategory : Domain.local/Configuration/Schema
/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 9/27/2011 8:45:10 PM
WhenCreated : 3/9/2010 7:01:13 PM
OriginatingServer : HostName.Domain.local
IsValid : True
- Edited by Ubuntub0x Wednesday, 28 September 2011 19:17
All replies
-
Wednesday, 28 September 2011 19:43
More researching shows > Event Viewer > Windows Logs > Applications > Event ID 12014 > Microsoft Exchange could not find a certificate that contains the domain name [Hostname] in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector [Client HostName] with a FQDN parameter of HostName. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
Now the question is, do I need to change the Hub Transport name, or the UCC SSL cert name? I set the SSL cert UCC SAN names as smtp.domain.com and hostname.domain.local; I didn't add one for [Hostname]. However, the receive connectors only let me set the FQDN as hostname.
Or how would I change the Hub Transport to smtp.domain.com, and would that somehow adversely affect the OWA sending e-mails?
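The Event 12014 text quoted above states the two conditions a STARTTLS-capable receive connector needs: a certificate in the local machine store that is enabled for the SMTP service, and whose domains include the connector's Fqdn. The following is an added example, not code from the thread or from Exchange; it models the Get-ExchangeCertificate and Get-ReceiveConnector output posted in this thread as plain data and runs the same coverage check offline, so you can see exactly which connector falls into the 12014 condition. The dataclass names, the input lists and the wildcard handling are assumptions of this example.

```python
"""Reproduce the check behind Exchange Event ID 12014 offline.

For STARTTLS on a receive connector, Exchange needs a certificate in the local
machine store that (a) is enabled for the SMTP service and (b) lists the
connector's Fqdn among its CertificateDomains. This added example models
Get-ExchangeCertificate / Get-ReceiveConnector output as plain data and reports,
per connector, which certificate (if any) satisfies both conditions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class ExchangeCert:
    thumbprint: str
    domains: List[str]      # CertificateDomains
    services: Set[str]      # services the cert is enabled for, e.g. {"SMTP"}


@dataclass
class ReceiveConnector:
    name: str
    fqdn: str               # the connector's Fqdn (the computer FQDN when blank)


def domain_matches(cert_domain: str, fqdn: str) -> bool:
    """Case-insensitive name match; a leading '*.' covers exactly one label."""
    cert_domain = cert_domain.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if cert_domain.startswith("*."):
        return (fqdn.endswith(cert_domain[1:])
                and fqdn.count(".") == cert_domain.count("."))
    return cert_domain == fqdn


def covering_cert(certs: List[ExchangeCert], fqdn: str) -> Optional[ExchangeCert]:
    """First certificate enabled for SMTP whose domains include fqdn, else None."""
    for cert in certs:
        if "SMTP" not in cert.services:
            continue    # present, but Enable-ExchangeCertificate -Services SMTP never ran
        if any(domain_matches(d, fqdn) for d in cert.domains):
            return cert
    return None


def check_connectors(certs: List[ExchangeCert],
                     connectors: List[ReceiveConnector]) -> Dict[str, Optional[str]]:
    """Connector name -> thumbprint of the covering cert, or None (the 12014 condition)."""
    result: Dict[str, Optional[str]] = {}
    for conn in connectors:
        cert = covering_cert(certs, conn.fqdn)
        result[conn.name] = cert.thumbprint if cert else None
    return result


# Constructed from the first post: the UCC cert lists hostname.domain.local, but the
# connectors' Fqdn is the bare short name "HostName", so nothing matches.
CERTS_BEFORE = [
    ExchangeCert("0151CCEFC3E38BC2679652CC69BEBD0F6D74EDA4",
                 ["domain.com", "www.domain.com", "mail.domain.com",
                  "smtp.domain.com", "autodiscover.domain.com", "hostname.domain.local"],
                 {"IMAP", "POP", "IIS", "SMTP"}),
    ExchangeCert("59CC35760107895F91B3543ECA1F366B4F7D8E0B",
                 ["WMSvc-HostName"], set()),   # Services: None
]
CONNECTORS_BEFORE = [
    ReceiveConnector("Default HostName", "HostName"),
    ReceiveConnector("Client HostName", "HostName"),
]

# Constructed from the later posts: a self-signed SMTP cert for the FQDN and the short
# name, and connectors whose Fqdn is now the machine FQDN (in a different letter case).
CERTS_AFTER = CERTS_BEFORE + [
    ExchangeCert("993008779F7EE2DEFE6B06A44684E88B21B*",
                 ["hostname.domain.local", "hostname"], {"SMTP"}),
]
CONNECTORS_AFTER = [
    ReceiveConnector("Default hostname", "HOSTNAME.domain.local"),
    ReceiveConnector("Client hostname", "HOSTNAME.domain.local"),
]

if __name__ == "__main__":
    for label, certs, conns in (("before", CERTS_BEFORE, CONNECTORS_BEFORE),
                                ("after", CERTS_AFTER, CONNECTORS_AFTER)):
        for name, thumb in check_connectors(certs, conns).items():
            print(f"{label}: {name}: {thumb or 'NO CERT -> Event 12014'}")
```

With the connector Fqdn set to the machine FQDN, the check finds the UCC certificate, since it lists hostname.domain.local; the bare short name is covered only by the self-signed certificate. A certificate that is in the store but not enabled for SMTP is skipped deliberately, which is the second failure mode the event text points at.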
-
Friday, 30 September 2011 08:00 Moderator
Hi Ubuntub0x,
Please try to resolve the Event 12014 first:
Troubleshooting Event ID 12014 in Exchange 2007/2010
http://www.mikepfeiffer.net/2010/04/troubleshooting-event-id-12014-in-exchange-20072010/
Frank Wang
-
Friday, 30 September 2011 15:09
Hello Frank,
Thank you for the reply and the submitted URL. I checked the website and all my certs and services appear to be correct; the above link didn't appear to resolve my issue. I went ahead and generated a new local certificate for Exchange, however there is still no resolution to my issue. I still can't connect to SMTP services, and I am still receiving the same error 12014.
Because of the 12014 error logs, I'm thinking that I need to change the SAN of hostname.domain.local to just hostname for it to work? Any other ideas or links for this error? I'm running out of ideas on troubleshooting.
Logs:
[PS] C:\Windows\system32>Get-ExchangeCertificate | fl CertificateDomains
CertificateDomains : {hostname.domain.local, hostname}
CertificateDomains : {domain.com, www.domain.com, mail.domain.com,
smtp.domain.com, autodiscover.domain.com,
hostname.domain.local}
[PS] C:\Windows\system32>Get-SendConnector | fl fqdn
Fqdn : smtp.domain.com
[PS] C:\Windows\system32>Get-ReceiveConnector | fl fqdn
Fqdn : HOSTNAME.domain.local
Fqdn : HOSTNAME.domain.local
Fqdn : hostname.domain.local
[PS] C:\Windows\system32>Get-ExchangeCertificate | fl thumbprint, services
Thumbprint : 993008779F7EE2DEFE6B06A44684E88B21B*
Services : SMTP
Thumbprint : 0151CCEFC3E38BC2679652CC69BEBD0F6D7*
Services : IMAP, POP, IIS, SMTP
-
Friday, 30 September 2011 17:07
Not sure if this is also part of the issue, but I noticed that when I remote desktop connect to the server by IP address I receive an error stating the certificate doesn't match the hostname, yet when I do an nslookup of the IP address I get the correct hostname, and when I connect RDP via the hostname I get no error message.
-
Friday, 30 September 2011 18:42
OK, progress made; it turns out I think you need a self-signed cert for local internal Exchange to work.
http://technet.microsoft.com/en-us/library/bb851505%28EXCHG.80%29.aspx#CreatingImportingandEnablingCertificates
I did these commands to resolve the 12014 error:
New-ExchangeCertificate -DomainName "server1.fourthcoffee.com", "server1" -Services "SMTP"
Get-ExchangeCertificate |fl
Enable-ExchangeCertificate <thumbprint>
-
Friday, 30 September 2011 19:59
There are no more errors in the Application/System logs. On a whim I tried setting the e-mail client's outgoing server to mail.domain.com and it worked sending out an email; now smtp.domain.com works somehow afterwards, but only the unsecured credentials on port 25 are working for emails correctly.
IMAP is still working fine on the SSL/TLS setup with auth method: NTLM.
It seems like Exchange or Microsoft is trying to default the incoming/outgoing mail addresses to both be mail.domain.com instead of different names for incoming/outgoing services. If this is true, should I change > Organization Configuration > Hub Transport > Send Connectors > Out Bound SMTP > smtp.domain.com to mail.domain.com?
For the SMTP 587/465 ports it only appears to support Connection Security: STARTTLS with Authentication Method: NTLM.
Looking at my logs, SMTP 587 has RequireTLS $True and EnableAuthGSSAPI $True; SMTP 465 does not, yet they both act the same way.
How do I set it for connection security SSL/TLS on Exchange?
### Logs ###
[PS] C:\Windows\system32>Get-ReceiveConnector -server hostname |fl
AuthMechanism : Integrated, BasicAuth, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {*.*.*.4:26, *.*.*.4:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : hostname.domain.local
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 5000
PermissionGroups : AnonymousUsers, ExchangeUsers, Exchan
geServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : hostname
SizeEnabled : EnabledWithoutValue
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default hostname
DistinguishedName : CN=Default hostname,CN=SMTP Rec
eive Connectors,CN=Protocols,CN=Hostname
,CN=Servers,CN=Exchange Admi
nistrative Group (FYDIBOHF23SPDLT),CN
=Administrative Groups,CN=Company Name
,CN=Microsoft Exchange,CN=Se
rvices,CN=Configuration,DC=domain
,DC=local
Identity : hostname\Default hostname
Guid : 44d99b7f-9bb2-4781-800e-ccdc35ae5a5f
ObjectCategory : domain.local/Configuration/Schema
/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 9/30/2011 2:56:32 PM
WhenCreated : 3/9/2010 7:01:13 PM
OriginatingServer : DC-Hostname.domain.local
IsValid : True
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuth
RequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {*.*.*.4:587}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : hostname.domain.local
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : 600
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeUsers, Exchan
geServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : Verbose
RemoteIPRanges : {0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : True
EnableAuthGSSAPI : True
Server : hostname
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Client hostname
DistinguishedName : CN=Client hostname,CN=SMTP Rece
ive Connectors,CN=Protocols,CN=Hostname
,CN=Servers,CN=Exchange Admin
istrative Group (FYDIBOHF23SPDLT),CN=
Administrative Groups,CN=Company Name
,CN=Microsoft Exchange,CN=Ser
vices,CN=Configuration,DC=domain,
DC=local
Identity : hostname\Client hostname
Guid : 5ccee6e2-19f6-4de5-ab37-70c085389a46
ObjectCategory : domain.local/Configuration/Schema
/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 9/30/2011 3:07:49 PM
WhenCreated : 3/9/2010 7:01:13 PM
OriginatingServer : DC-Hostname.domain.local
IsValid : True
AuthMechanism : Tls, Integrated, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {*.*.*.4:465}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : hostname.domain.local
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : hostname
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : SSMTP
DistinguishedName : CN=SSMTP,CN=SMTP Receive Connectors,C
N=Protocols,CN=hostname,CN=Serv
ers,CN=Exchange Administrative Group
(FYDIBO*T),CN=Administrative G
roups,CN=Company Name,CN=Micr
osoft Exchange,CN=Services,CN=Configu
ration,DC=domain,DC=local
Identity : hostname\SSMTP
Guid : 5a4322b4-c02a-42f4-ad61-e5fd3511c52b
ObjectCategory : domain.local/Configuration/Schema
/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 9/30/2011 3:41:27 PM
WhenCreated : 9/28/2011 4:31:55 PM
OriginatingServer : DC-Hostname.domain.local
IsValid : True
- Edited by Ubuntub0x Friday, 30 September 2011 20:31
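The three connectors in the log above all speak the same protocol: Exchange receive connectors upgrade to TLS only through the STARTTLS verb, and binding a connector to port 465 does not turn it into an implicit-TLS (SMTPS) listener. A client configured for "SSL/TLS" on 465 therefore opens a TLS handshake against a socket that is waiting for a plaintext EHLO, and the client hangs until it times out, which is the symptom reported at the top of the thread. The script below is an added example, not code from the thread or from Microsoft: `parse_ehlo()` and `classify_submission()` work offline on captured reply text and show what a client sees before any TLS upgrade (for instance that NTLM is offered but Basic auth is not), and `probe()` performs the live check with smtplib, capturing the EHLO response before and after STARTTLS and verifying the presented certificate against the host name it connected to. The `host`/`port` arguments and the two sample EHLO replies are assumptions of this example; the samples are constructed, modelled on an Exchange 2007 connector, and are not the poster's logs.

```python
"""Probe what an SMTP submission listener actually offers and verify its certificate.

Added example. Exchange receive connectors upgrade to TLS only via STARTTLS; a
client set to implicit TLS on 465 starts a handshake against a listener waiting
for plain EHLO and hangs until it times out. parse_ehlo()/classify_submission()
work on captured text offline; probe() talks to a live server with smtplib and
verifies the certificate against the host name it connected to.
"""
import smtplib
import ssl
from typing import Dict, List, Optional, Tuple


def parse_ehlo(reply_text: str) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Parse a raw multi-line 250 reply. Returns (greeting, {EXTENSION: [params]})."""
    greeting = None
    extensions: Dict[str, List[str]] = {}
    for raw in reply_text.splitlines():
        line = raw.strip()
        if not line.startswith("250") or len(line) < 4:
            continue
        body = line[4:].strip()          # drop '250-' / '250 '
        if greeting is None:             # the first 250 line is the server greeting
            greeting = body
            continue
        parts = body.split()
        if parts:
            extensions[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return greeting, extensions


def classify_submission(extensions: Dict[str, List[str]]) -> Dict[str, object]:
    """Summarise the security posture a client sees before any TLS upgrade."""
    auth = extensions.get("AUTH", [])
    starttls = "STARTTLS" in extensions
    return {
        "starttls": starttls,
        "auth": auth,
        # PLAIN/LOGIN carry the password base64-encoded, i.e. in the clear, unless
        # TLS is negotiated first; NTLM/GSSAPI do not. With BasicAuthRequireTLS the
        # connector advertises LOGIN only after STARTTLS, so pre-TLS EHLO shows NTLM.
        "cleartext_password_possible": (not starttls) and bool({"PLAIN", "LOGIN"} & set(auth)),
    }


def _features(smtp: smtplib.SMTP) -> Dict[str, List[str]]:
    """smtplib keeps EHLO extensions in esmtp_features with lower-case keys."""
    return {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}


def probe(host: str, port: int = 587, timeout: float = 10.0) -> Dict[str, object]:
    """Live check: EHLO, STARTTLS, EHLO again. Raises ssl.SSLCertVerificationError
    if the certificate does not match `host` or its chain is untrusted."""
    context = ssl.create_default_context()      # chain and hostname verification on
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = _features(smtp)
        result: Dict[str, object] = {"before_tls": classify_submission(before),
                                     "after_tls": None, "peer_san": None}
        if "STARTTLS" in before:
            smtp.starttls(context=context)      # wraps with server_hostname=host
            smtp.ehlo()                          # the extension list changes after TLS
            result["after_tls"] = classify_submission(_features(smtp))
            result["peer_san"] = smtp.sock.getpeercert().get("subjectAltName")
        return result


# Constructed sample (not from the thread), modelled on what a connector with
# AuthMechanism "Tls, Integrated, BasicAuthRequireTLS" returns before STARTTLS.
EHLO_SAMPLE = """250-hostname.domain.local Hello [10.0.0.5]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING"""

# Constructed sample of a listener offering Basic auth with no TLS upgrade at all.
EHLO_SAMPLE_PLAIN = """250-hostname.domain.local Hello [10.0.0.5]
250-AUTH LOGIN PLAIN
250 8BITMIME"""

if __name__ == "__main__":
    for sample in (EHLO_SAMPLE, EHLO_SAMPLE_PLAIN):
        greeting, exts = parse_ehlo(sample)
        print(greeting, classify_submission(exts))
```

Run `probe("smtp.domain.com", 587)` from a client network: if it returns without an `ssl.SSLError`, the certificate Exchange presents on that connector is trusted and names the host the client is connecting to, which is the same check a mail client performs before it will accept the STARTTLS upgrade. A timeout on 465 with `probe()`, but a normal plaintext greeting on 25 or 587, indicates a listener that expects STARTTLS rather than implicit TLS.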

