Exchange Server Using Wrong Certificate for TLS?

    Question

  • Hello, all. We use a cloud system by Symantec for email scanning and when looking through the logs for inbound email I see a warning message that indicates that when it is negotiating TLS for SMTP that our Exchange server seems to be selecting a certificate that was issued to it by our internal CA as opposed to the one we purchased that is Externally trusted. In the Exchange console, I have looked through the certificate assignments and all of them say that they are assigned to the SMTP service including the one that I want it to use as well as the ones that I do not want it to use. I don't want to delete the other certificates in case they are in use in some other way as they are all marked as "Valid" but I also only want the one that is externally trusted to be used for encrypting SMTP. Unfortunately, the GUI doesn't allow me to uncheck the SMTP service from the other certificates as it is grayed out. Any thoughts? Thank you in advance for your time!

    Thursday, June 29, 2017 5:58 PM


All replies

  • Hello, all. We use a cloud system by Symantec for email scanning and when looking through the logs for inbound email I see a warning message that indicates that when it is negotiating TLS for SMTP that our Exchange server seems to be selecting a certificate that was issued to it by our internal CA as opposed to the one we purchased that is Externally trusted. In the Exchange console, I have looked through the certificate assignments and all of them say that they are assigned to the SMTP service including the one that I want it to use as well as the ones that I do not want it to use. I don't want to delete the other certificates in case they are in use in some other way as they are all marked as "Valid" but I also only want the one that is externally trusted to be used for encrypting SMTP. Unfortunately, the GUI doesn't allow me to uncheck the SMTP service from the other certificates as it is grayed out. Any thoughts? Thank you in advance for your time!

    What is the FQDN of the receive connector that is used to handle mail from the SMTP service?

    Typically what you do is create a new internet rec conn just for that connector, scope to the remote IP addresses of the gateway and set the FQDN of the connector to match the MX and the cert subject name has that FQDN as well. (Or wildcard.)


    • Edited by Andy DavidMVP Thursday, June 29, 2017 6:19 PM
    • Marked as answer by Scott_42 Thursday, July 6, 2017 5:44 PM
    Thursday, June 29, 2017 6:19 PM
  • Hi Scott,

    As per your scenario what you can do is to manage it from PowerShell by these commands.

    First you need to get the list of all certificate & certificates Thumb Prints which looks like

    (6758ae0233a72fwwb75b1h0123468912)

    It will be a combination of alphanumeric. Open Exchange PowerShell and type

    Get-ExchangeCertificate -Server Your-CAS-Server-01

    or

    Get-ExchangeCertificate -Server Your-CAS-Server-01 | Format-List *

    or

    Get-ExchangeCertificate -DomainName your-actual-external-domain.com

    The last example will show you about which certificate Exchange will select for the domain name.

    From above commands, you will see all certificate thumbprint and you can easily identify which certificate is actual one in which you are interested to associate your Exchange services.

    Select the right thumbprint and bind it with IIS services.

    Enable-ExchangeCertificate -Thumbprint 33a72fwwb75b1h012346 -Services IIS

    Now you can restart your IIS service by

    iisreset

    This will stop and restart your IIS service then you can verify your certificate from Exchange OWA. 

    To remove a certificate with the specified thumbprint:

    Remove-ExchangeCertificate -Thumbprint 33a72fwwb75b1h012346

    Hope this will help you.

    Kindly click "Mark as Answer" on the post that helps you, this can be beneficial to other community members reading this thread.
    Regards.
    H.shakir




    • Edited by H Shakir Thursday, June 29, 2017 6:46 PM
    Thursday, June 29, 2017 6:43 PM
  • At the bottom of your question you talked about the grayed out check boxes. Those checkboxes are grayed out because the Exchange GUI will not allow you to disable or unassign an SSL certificate from a service.

    So when you enable another certificate for a service from PowerShell, it will automatically disable the previous one for the service which you wanted to change, not for all services.

    Kindly click "Mark as Answer" on the post that helps you, this can be beneficial to other community members reading this thread.

    Regards.

    H.shakir

    • Edited by H Shakir Thursday, June 29, 2017 6:56 PM
    Thursday, June 29, 2017 6:56 PM
  • This sounds like it might be on the right track but it is already working for IIS. I just need to change it for SMTP. I'm assuming this would be a similar process? Thanks!
    Thursday, June 29, 2017 7:18 PM
  • Also when I check the FQDN with the -DomainName option, it shows the correct certificate that I want to use and it says it's enabled for SMTP.
    Thursday, June 29, 2017 7:23 PM
  • On this part--

      when looking through the logs for inbound email I see a warning message 

    can you please tell us where those logs are located ?

    Do you see errors in the Exchange server's System Event Log like this one?

    Schannel -- A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.

    Thanks

    Thursday, June 29, 2017 7:37 PM
  • Also when I check the FQDN with the -DomainName option, it shows the correct certificate that I want to use and it says it's enabled for SMTP.

    Do you have a dedicated connector for the messages from the internet? That's really the best way to make this work. And verify that the cert you want to use has a subject name for that FQDN (I assume it's enabled for SMTP already). That's really all you need to do.
    • Marked as answer by Scott_42 Thursday, July 6, 2017 5:44 PM
    Thursday, June 29, 2017 8:28 PM
  • Shoot sorry, I forgot to reply to your earlier post. Thank you so much for posting again. You're probably right. I just looked through our receive connectors and they're all using the wrong FQDN that doesn't match the cert I want. I'll get a maintenance window to give this a shot and get back to you when I do but this makes total sense.
    Thursday, June 29, 2017 8:51 PM
  • Shoot sorry, I forgot to reply to your earlier post. Thank you so much for posting again. You're probably right. I just looked through our receive connectors and they're all using the wrong FQDN that doesn't match the cert I want. I'll get a maintenance window to give this a shot and get back to you when I do but this makes total sense.

    You won't be able to change the FQDN of any default receive connector, so if you don't have a dedicated rec connector for mail from the internet already, you'll need to create it and set the FQDN on that. Good luck.
    Thursday, June 29, 2017 9:09 PM
  • Thanks for the tip! I'll let you know how it goes.
    Thursday, June 29, 2017 9:24 PM
  • I created the receive connector and I'm no longer seeing the error so I'm assuming that it worked! I was just wondering if you can confirm the settings that I have and list them in case it's helpful to anyone else.

    I selected internet type.

    For authentication I just have TLS selected

    For permissions I just have Anonymous users

    Scoping I just have the various IP address ranges of the Symantec server clusters for Remote network settings.

    For network adapter bindings I just have the internal IP address assigned to the CAS.

    The FQDN just has the name from the certificate that I wanted to be used for TLS.

    Let me know if you have any further recommendations; otherwise, it seems like it's working as expected.

    Thanks again!

    Monday, July 3, 2017 5:06 PM
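    The procedure Andy describes (a dedicated Internet receive connector scoped to the gateway's IP ranges, with an FQDN that matches the externally trusted certificate) and the settings Scott lists above, written out as Exchange Management Shell commands. This is an added example, not code from the thread, from Microsoft or from Symantec; the server name, external FQDN, IP ranges, binding address and thumbprint placeholder are assumptions, and it assumes Exchange 2013 or later (on Exchange 2010 drop the -TransportRole line).

```powershell
# Added example (not from the thread): put the externally trusted certificate in front of
# inbound SMTP from a cloud mail scanner without deleting any other certificate.
# Every name, address and thumbprint below is a placeholder; replace with your own values.

$Server        = 'EX01'                                  # assumed CAS / front-end server name
$ExternalFqdn  = 'mail.example.com'                      # assumed name on the public cert (and your MX record)
$ScannerRanges = @('203.0.113.0/24', '198.51.100.0/24')  # constructed sample ranges; use the scanner vendor's published ranges
$LocalBinding  = '192.0.2.10:25'                         # assumed internal IP of the CAS
$Thumbprint    = '<PUBLIC-CERT-THUMBPRINT>'              # placeholder: thumbprint of the externally trusted cert

# 1. See which certificate Exchange would select for the external name (the -DomainName check
#    Scott used). Compare the thumbprints and Services column with what you expect.
Get-ExchangeCertificate -Server $Server -DomainName $ExternalFqdn |
    Format-Table Thumbprint, Services, Subject, CertificateDomains -AutoSize

# 2. Make sure the public certificate is enabled for SMTP. Enabling does not remove the other
#    certificates; it only changes which one is the default for that service. Exchange prompts
#    before overwriting the default SMTP certificate; add -Force to suppress the prompt.
$PublicCert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
Enable-ExchangeCertificate -Server $Server -Thumbprint $PublicCert.Thumbprint -Services SMTP

# 3. Create the dedicated Internet receive connector. The Fqdn of a default connector cannot be
#    changed, which is why a separate connector is needed. -Usage Internet sets the defaults
#    Scott chose in the GUI: authentication = TLS, permission group = Anonymous users.
New-ReceiveConnector -Name 'Inbound from mail scanner' `
    -Server $Server `
    -TransportRole FrontendTransport `
    -Usage Internet `
    -Bindings $LocalBinding `
    -RemoteIPRanges $ScannerRanges `
    -Fqdn $ExternalFqdn

# 4. Optional: pin the certificate explicitly rather than relying on FQDN-to-subject matching.
#    The TlsCertificateName format is "<I>Issuer<S>Subject" taken from the certificate itself.
$TlsName = "<I>$($PublicCert.Issuer)<S>$($PublicCert.Subject)"
Set-ReceiveConnector -Identity "$Server\Inbound from mail scanner" -TlsCertificateName $TlsName

# 5. Confirm the connector, its FQDN and the pinned certificate name.
Get-ReceiveConnector -Server $Server |
    Format-Table Name, Fqdn, TlsCertificateName, RemoteIPRanges -AutoSize
```

    Because the connector is scoped to the scanner's remote IP ranges, it is the most specific match for those sources and wins over the default front-end connector, so only that traffic sees the new FQDN and certificate; the default connectors and their certificate bindings stay as they were.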
  • Hi Scott,

    If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. 

    Thanks for your understanding.

    Best Regards,


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 6, 2017 9:44 AM
    Moderator
  • What's wrong with your internal CA certificate? Is it SHA1?
    Thursday, July 6, 2017 10:07 AM
  • Thanks for the detailed configuration information.

    If you get an opportunity, can you answer my questions from my June 29 post ?

    Schannel error? and log location?

    I am seeing something similar, but want to verify it is the same issue before I use your recipe.

    Thanks.

    =====

    Thursday, July 6, 2017 11:39 AM
  • Sorry, to clarify, the logs I was referring to are on a cloud system that scans our inbound email from external sources. It was throwing an error because it was complaining about not trusting our internal CA.

    The only schannel errors I am seeing are 36874, 36888, and occasionally 36887 but the time stamps aren't lining up with the external logs so I'm assuming these errors are unrelated to this instance in particular. Also, the only error code I see is 40 and you said you're getting 46.

    I guess my error code is a handshake error and yours is a "certificate_unknown" according to this article:

    https://blogs.msdn.microsoft.com/kaushal/2012/10/05/ssltls-alert-protocol-the-alert-codes/

    Thursday, July 6, 2017 5:28 PM
  • Nothing wrong with the internal certificate (although it is apparently a SHA-512 - I kind of wonder if that's causing any compatibility issues elsewhere), but the internal CA is not trusted by the external mail scanner so when it was trying to negotiate TLS, the Exchange server was returning the wrong FQDN and thus the untrusted cert.
    Thursday, July 6, 2017 5:43 PM
  • Thanks.

    Might also be of interest---

    Configuring the TLS Certificate Name for Exchange Server Receive Connectors ---

     https://practical365.com/exchange-server/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/

    ========

    Thursday, July 6, 2017 6:29 PM