Cannot Send Mail from 2010 Exchange Server to New Exchange 2016 Server

  • Question

  • I'm trying to migrate to Exchange 2016 from Exchange 2010. I installed a new 2012 Windows server and installed Exchange 2016 on it with no issues and by the book.

    I can send email to any user on the 2010 server with no issue.  I cannot send any email from a user on the 2010 server to one on the 2016 exchange server.

    The Default Frontend Receiver on the Exchange 2016 machine has all default values (in security only Externally Secured, Partners, and Exchange Users are unchecked).

    Scoping is also at default with all IPs for port 25.

    My 2010 server produces this in its queues for those emails:

    HUB VERSION 15 - SMTP Relay in Active Directory Site - Retry - 451 4.4.0Primary target IP address responded with "421 4.4.2 Connection Dropped due to Socket Error.

    I've checked the protocol logs on the Exchange 2016 box and see these:

    2017-03-22T20:19:54.771Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D4714731B2DF15,0,10.200.80.200:717,10.200.80.200:21829,+,,
    2017-03-22T20:19:54.771Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D4714731B2DF15,1,10.200.80.200:717,10.200.80.200:21829,>,"220 WNMail01.wayne.aaa075 Microsoft ESMTP MAIL Service ready at Wed, 22 Mar 2017 16:19:54 -0400",
    2017-03-22T20:19:54.771Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D4714731B2DF15,2,10.200.80.200:717,10.200.80.200:21829,<,EHLO smtp.availability.contoso.com,
    2017-03-22T20:19:54.771Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D4714731B2DF15,3,10.200.80.200:717,10.200.80.200:21829,>,250  WNMail01.wayne.aaa075 Hello [10.200.80.200] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
    2017-03-22T20:19:54.771Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D4714731B2DF15,4,10.200.80.200:717,10.200.80.200:21829,<,QUIT,
    2017-03-22T20:19:54.771Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D4714731B2DF15,5,10.200.80.200:717,10.200.80.200:21829,>,221 2.0.0 Service closing transmission channel,
    2017-03-22T20:19:54.771Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D4714731B2DF15,6,10.200.80.200:717,10.200.80.200:21829,-,,Local
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,0,10.200.80.200:25,143.61.188.203:38819,+,,
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,1,10.200.80.200:25,143.61.188.203:38819,>,"220 WNMail01.wayne.aaa075 Microsoft ESMTP MAIL Service ready at Wed, 22 Mar 2017 16:20:11 -0400",
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,2,10.200.80.200:25,143.61.188.203:38819,<,EHLO AAANJ-MX.wayne.aaa075,
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,3,10.200.80.200:25,143.61.188.203:38819,>,250  WNMail01.wayne.aaa075 Hello [143.61.188.203] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM LOGIN X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,4,10.200.80.200:25,143.61.188.203:38819,<,X-ANONYMOUSTLS,
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,5,10.200.80.200:25,143.61.188.203:38819,>,220 2.0.0 SMTP server ready,
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,6,10.200.80.200:25,143.61.188.203:38819,*, CN=WNMail01 CN=WNMail01 452BFDAA124EB09F4C0F51EA587C2E72 816262535EDC532851D415CB8D02198448F0102B WNMail01;WNMail01.wayne.aaa075,Sending certificate Certificate subject Certificate issuer name Certificate serial number Certificate thumbprint Certificate subject alternate names
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,7,10.200.80.200:25,143.61.188.203:38819,*,,TLS negotiation failed with error IllegalMessage
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,8,10.200.80.200:25,143.61.188.203:38819,-,,Local

    This repeats any time a message is sent between users on different Exchange servers.

    Both servers are on premise within the same site.  The firewalls are turned off on the servers and they do not pass through any ASA when they communicate since it's internal.

    Help


    • Edited by Lascarius Wednesday, March 22, 2017 8:54 PM
    Wednesday, March 22, 2017 8:30 PM
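
Added example, not part of the original post: a PowerShell triage of the SMTP receive protocol log that groups records by session ID and reports only the sessions where TLS negotiation failed, with the peer address, EHLO name and the TLS verb that was attempted. The function name `Get-SmtpTlsFailure` and the column names are assumptions chosen for this example; the sample input is a subset of the log lines quoted in the question.

```powershell
# Column order of an SMTP receive protocol log record, matching the lines quoted above.
$ProtocolLogFields = 'DateTime', 'ConnectorId', 'SessionId', 'Sequence',
                     'LocalEndpoint', 'RemoteEndpoint', 'Event', 'Data', 'Context'

function Get-SmtpTlsFailure {
    param([string[]]$Line)

    # Skip blank lines and the '#' header lines that real log files start with.
    $records = $Line |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $ProtocolLogFields

    foreach ($session in ($records | Group-Object -Property SessionId)) {
        $steps = @($session.Group | Sort-Object -Property { [int]$_.Sequence })

        # Event '*' carries informational records; the failure text is in the last column.
        $failure = $steps |
            Where-Object { $_.Event -eq '*' -and $_.Context -like 'TLS negotiation failed*' } |
            Select-Object -First 1
        if (-not $failure) { continue }   # session ended without a TLS failure

        # Event '<' is a command received from the remote host.
        $ehlo = $steps |
            Where-Object { $_.Event -eq '<' -and $_.Data -like 'EHLO*' } |
            Select-Object -First 1
        $tlsVerb = $steps |
            Where-Object { $_.Event -eq '<' -and $_.Data -match '^(STARTTLS|X-ANONYMOUSTLS)\b' } |
            Select-Object -First 1

        [pscustomobject]@{
            Time      = $failure.DateTime
            Connector = $failure.ConnectorId
            Session   = $session.Name
            Remote    = $failure.RemoteEndpoint -replace ':\d+$', ''
            Ehlo      = $ehlo.Data -replace '^EHLO\s*', ''
            TlsVerb   = $tlsVerb.Data
            Error     = $failure.Context -replace '^TLS negotiation failed with error\s*', ''
        }
    }
}

# Sample input: a subset of the log lines quoted in the question (one clean session, one failing).
$sample = @'
2017-03-22T20:19:54.771Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D4714731B2DF15,2,10.200.80.200:717,10.200.80.200:21829,<,EHLO smtp.availability.contoso.com,
2017-03-22T20:19:54.771Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D4714731B2DF15,4,10.200.80.200:717,10.200.80.200:21829,<,QUIT,
2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,0,10.200.80.200:25,143.61.188.203:38819,+,,
2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,2,10.200.80.200:25,143.61.188.203:38819,<,EHLO AAANJ-MX.wayne.aaa075,
2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,4,10.200.80.200:25,143.61.188.203:38819,<,X-ANONYMOUSTLS,
2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,7,10.200.80.200:25,143.61.188.203:38819,*,,TLS negotiation failed with error IllegalMessage
2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,8,10.200.80.200:25,143.61.188.203:38819,-,,Local
'@

Get-SmtpTlsFailure -Line ($sample -split '\r?\n') | Format-List
```

Against a live server the same function can be fed with `Get-Content` over the files in the SmtpReceive protocol log folder.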

All replies

  • Hi,

    Given the error message below:

    --------------------------------------------------------

    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,6,10.200.80.200:25,143.61.188.203:38819,*, CN=WNMail01 CN=WNMail01 452BFDAA124EB09F4C0F51EA587C2E72 816262535EDC532851D415CB8D02198448F0102B WNMail01;WNMail01.wayne.aaa075,Sending certificate Certificate subject Certificate issuer name Certificate serial number Certificate thumbprint Certificate subject alternate names
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,7,10.200.80.200:25,143.61.188.203:38819,*,,TLS negotiation failed with error IllegalMessage
    2017-03-22T20:20:11.746Z,WNMAIL01\Default Frontend WNMAIL01,08D4714731B2DF18,8,10.200.80.200:25,143.61.188.203:38819,-,,Local

    -------------------------------------------------------

    The error “TLS negotiation failed with error IllegalMessage” occurred after the certificate exchange. It’s recommended to re-assign the original self-signed certificate to the SMTP service with the following command (you can use the command Get-ExchangeCertificate | FL to get the information needed):

    Enable-ExchangeCertificate -Thumbprint <self-signed> -Services SMTP

    If it doesn’t work, please post the results of the following commands:

    Get-ExchangeCertificate | FL * (on Exchange Server 2016)

    Get-ReceiveConnector | FL name, fqdn, objectClass (on Exchange Server 2016)

    Get-SendConnector | FL name, fqdn, objectClass (on Exchange Server 2010)

    Hope it helps.


    Regards,

    Jason Chao



    • Edited by Jason.Chao Thursday, March 23, 2017 2:45 AM
    Thursday, March 23, 2017 2:45 AM
  • I liked where you were going with that.  I was pretty hopeful but it didn't work.  I tried setting it as you described.  I rebooted the server and services to make sure the certificate was being used and then checked the protocol logs and got the same issue.

    2017-03-23T14:15:37.939Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE43,0,10.200.80.200:25,143.61.188.203:57070,+,,
    2017-03-23T14:15:37.939Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE43,1,10.200.80.200:25,143.61.188.203:57070,>,"220 WNMail01.wayne.aaa075 Microsoft ESMTP MAIL Service ready at Thu, 23 Mar 2017 10:15:37 -0400",
    2017-03-23T14:15:37.939Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE43,2,10.200.80.200:25,143.61.188.203:57070,<,EHLO AAANJ-MX.wayne.aaa075,
    2017-03-23T14:15:37.939Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE43,3,10.200.80.200:25,143.61.188.203:57070,>,250  WNMail01.wayne.aaa075 Hello [143.61.188.203] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
    2017-03-23T14:15:37.939Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE43,4,10.200.80.200:25,143.61.188.203:57070,<,X-ANONYMOUSTLS,
    2017-03-23T14:15:37.939Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE43,5,10.200.80.200:25,143.61.188.203:57070,>,220 2.0.0 SMTP server ready,
    2017-03-23T14:15:37.939Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE43,6,10.200.80.200:25,143.61.188.203:57070,*, CN=WNMail01 CN=WNMail01 452BFDAA124EB09F4C0F51EA587C2E72 816262535EDC532851D415CB8D02198448F0102B WNMail01;WNMail01.wayne.aaa075,Sending certificate Certificate subject Certificate issuer name Certificate serial number Certificate thumbprint Certificate subject alternate names
    2017-03-23T14:15:37.939Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE43,7,10.200.80.200:25,143.61.188.203:57070,*,,TLS negotiation failed with error IllegalMessage
    2017-03-23T14:15:37.939Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE43,8,10.200.80.200:25,143.61.188.203:57070,-,,Local
    2017-03-23T14:15:38.642Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE44,0,127.0.0.1:25,127.0.0.1:7116,+,,
    2017-03-23T14:15:38.642Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE44,1,127.0.0.1:25,127.0.0.1:7116,>,"220 WNMail01.wayne.aaa075 Microsoft ESMTP MAIL Service ready at Thu, 23 Mar 2017 10:15:38 -0400",
    2017-03-23T14:15:38.642Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE44,2,127.0.0.1:25,127.0.0.1:7116,<,EHLO,
    2017-03-23T14:15:38.642Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE44,3,127.0.0.1:25,127.0.0.1:7116,>,250  WNMail01.wayne.aaa075 Hello [127.0.0.1] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
    2017-03-23T14:15:38.642Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE44,4,127.0.0.1:25,127.0.0.1:7116,<,QUIT,
    2017-03-23T14:15:38.642Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE44,5,127.0.0.1:25,127.0.0.1:7116,>,221 2.0.0 Service closing transmission channel,
    2017-03-23T14:15:38.642Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE44,6,127.0.0.1:25,127.0.0.1:7116,-,,Local
    2017-03-23T14:15:56.754Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE45,0,10.200.80.200:25,10.200.80.200:7143,+,,
    2017-03-23T14:15:56.754Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE45,1,10.200.80.200:25,10.200.80.200:7143,>,"220 WNMail01.wayne.aaa075 Microsoft ESMTP MAIL Service ready at Thu, 23 Mar 2017 10:15:56 -0400",
    2017-03-23T14:15:56.754Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE45,2,10.200.80.200:25,10.200.80.200:7143,<,EHLO smtp.availability.contoso.com,
    2017-03-23T14:15:56.754Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE45,3,10.200.80.200:25,10.200.80.200:7143,>,250  WNMail01.wayne.aaa075 Hello [10.200.80.200] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
    2017-03-23T14:15:56.754Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE45,4,10.200.80.200:25,10.200.80.200:7143,<,QUIT,
    2017-03-23T14:15:56.754Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE45,5,10.200.80.200:25,10.200.80.200:7143,>,221 2.0.0 Service closing transmission channel,
    2017-03-23T14:15:56.754Z,WNMAIL01\Default Frontend WNMAIL01,08D471F67E88DE45,6,10.200.80.200:25,10.200.80.200:7143,-,,Local
    2017-03-23T14:16:04.707Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D471F67E88DE46,0,10.200.80.200:717,10.200.80.200:7145,+,,
    2017-03-23T14:16:04.707Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D471F67E88DE46,1,10.200.80.200:717,10.200.80.200:7145,>,"220 WNMail01.wayne.aaa075 Microsoft ESMTP MAIL Service ready at Thu, 23 Mar 2017 10:16:03 -0400",
    2017-03-23T14:16:04.707Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D471F67E88DE46,2,10.200.80.200:717,10.200.80.200:7145,<,EHLO smtp.availability.contoso.com,
    2017-03-23T14:16:04.707Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D471F67E88DE46,3,10.200.80.200:717,10.200.80.200:7145,>,250  WNMail01.wayne.aaa075 Hello [10.200.80.200] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
    2017-03-23T14:16:04.707Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D471F67E88DE46,4,10.200.80.200:717,10.200.80.200:7145,<,QUIT,
    2017-03-23T14:16:04.707Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D471F67E88DE46,5,10.200.80.200:717,10.200.80.200:7145,>,221 2.0.0 Service closing transmission channel,
    2017-03-23T14:16:04.707Z,WNMAIL01\Outbound Proxy Frontend WNMAIL01,08D471F67E88DE46,6,10.200.80.200:717,10.200.80.200:7145,-,,Local

    It's funny the clock on these logs is not the same time as my device.  I thought that would be an issue but I'm guessing it stays on EDT.  These protocol logs are being pulled from the Exchange 2016 server:  Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

    Here's the new info you asked for:



    VERBOSE: Connected to WNMail01.wayne.aaa075.
    [PS] C:\Windows\system32>Get-ExchangeCertificate | fl *

    PSComputerName       : wnmail01.wayne.aaa075
    RunspaceId           : 3cf7dfa4-0277-4c3b-8b15-4e97e8a26cb2
    PSShowComputerName   : False
    EnhancedKeyUsageList : {Server Authentication (1.3.6.1.5.5.7.3.1)}
    DnsNameList          : {WNMail01, WNMail01.wayne.aaa075}
    SendAsTrustedIssuer  : False
    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {WNMail01, WNMail01.wayne.aaa075}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 25D8242206C4BC41251F8619968F3E24FCC4CAD2
    RootCAType           : None
    Services             : SMTP
    Status               : Valid
    SubjectKeyIdentifier :
    PrivateKeyExportable : False
    PublicKeySize        : 2048
    Identity             : WNMail01.wayne.aaa075\816262535EDC532851D415CB8D02198448F0102B
    ServicesStringForm   : ....S..
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName         : Microsoft Exchange
    IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter             : 3/21/2022 4:02:02 PM
    NotBefore            : 3/21/2017 4:02:02 PM
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 3, 17, 48, 130, 1, 249, 160, 3, 2, 1, 2, 2, 16, 69...}
    SerialNumber         : 452BFDAA124EB09F4C0F51EA587C2E72
    SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 816262535EDC532851D415CB8D02198448F0102B
    Version              : 3
    Handle               : 1017853035056
    Issuer               : CN=WNMail01
    Subject              : CN=WNMail01

    PSComputerName       : wnmail01.wayne.aaa075
    RunspaceId           : 3cf7dfa4-0277-4c3b-8b15-4e97e8a26cb2
    PSShowComputerName   : False
    EnhancedKeyUsageList : {Server Authentication (1.3.6.1.5.5.7.3.1)}
    DnsNameList          : {Microsoft Exchange Server Auth Certificate}
    SendAsTrustedIssuer  : False
    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 1E26A0206C4EDE7CB3388EFF45F4A687DB3AB89F
    RootCAType           : None
    Services             : SMTP
    Status               : Valid
    SubjectKeyIdentifier :
    PrivateKeyExportable : True
    PublicKeySize        : 2048
    Identity             : WNMail01.wayne.aaa075\D4A33856559FB3A3EC254692BC215B9A00CF681D
    ServicesStringForm   : ....S..
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid}
    FriendlyName         : Microsoft Exchange Server Auth Certificate
    IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter             : 11/5/2021 5:33:24 PM
    NotBefore            : 12/1/2016 4:33:24 PM
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 3, 41, 48, 130, 2, 17, 160, 3, 2, 1, 2, 2, 16, 84...}
    SerialNumber         : 54C7C32E3C1183984268D5C82A96D850
    SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : D4A33856559FB3A3EC254692BC215B9A00CF681D
    Version              : 3
    Handle               : 1017853035312
    Issuer               : CN=Microsoft Exchange Server Auth Certificate
    Subject              : CN=Microsoft Exchange Server Auth Certificate

    PSComputerName       : wnmail01.wayne.aaa075
    RunspaceId           : 3cf7dfa4-0277-4c3b-8b15-4e97e8a26cb2
    PSShowComputerName   : False
    EnhancedKeyUsageList : {}
    DnsNameList          : {WNMail01, WNMail01.wayne.aaa075}
    SendAsTrustedIssuer  : False
    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {WNMail01, WNMail01.wayne.aaa075}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : F15E1A5F954F1905DBC8CA30028A3A396006B1DA
    RootCAType           : Registry
    Services             : SMTP
    Status               : Valid
    SubjectKeyIdentifier :
    PrivateKeyExportable : False
    PublicKeySize        : 2048
    Identity             : WNMail01.wayne.aaa075\52D663370F69558FD1139B5BACC77EAE617F4DDF
    ServicesStringForm   : ....S..
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName         : Microsoft Exchange
    IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter             : 12/1/2021 4:32:25 PM
    NotBefore            : 12/1/2016 4:32:25 PM
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 3, 17, 48, 130, 1, 249, 160, 3, 2, 1, 2, 2, 16, 65...}
    SerialNumber         : 4157888BAC76DBB94B45EA17FD36CFC8
    SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 52D663370F69558FD1139B5BACC77EAE617F4DDF
    Version              : 3
    Handle               : 1017853043376
    Issuer               : CN=WNMail01
    Subject              : CN=WNMail01

    PSComputerName       : wnmail01.wayne.aaa075
    RunspaceId           : 3cf7dfa4-0277-4c3b-8b15-4e97e8a26cb2
    PSShowComputerName   : False
    EnhancedKeyUsageList : {Server Authentication (1.3.6.1.5.5.7.3.1)}
    DnsNameList          : {WMSvc-WNMAIL01}
    SendAsTrustedIssuer  : False
    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {WMSvc-WNMAIL01}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 01E7D7379803A23AE6D45C083493C6FB7EA7944E
    RootCAType           : Registry
    Services             : None
    Status               : Valid
    SubjectKeyIdentifier :
    PrivateKeyExportable : True
    PublicKeySize        : 2048
    Identity             : WNMail01.wayne.aaa075\3D84B005A19B79C762EDC9DD8D8C2E11FC03CDB3
    ServicesStringForm   : .......
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName         : WMSVC
    IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter             : 11/29/2026 3:53:26 PM
    NotBefore            : 12/1/2016 3:53:26 PM
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 2, 227, 48, 130, 1, 203, 160, 3, 2, 1, 2, 2, 16, 121...}
    SerialNumber         : 79CA0ADCB7C45B9045BDE861C3BBB9C1
    SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 3D84B005A19B79C762EDC9DD8D8C2E11FC03CDB3
    Version              : 3
    Handle               : 1017853041072
    Issuer               : CN=WMSvc-WNMAIL01
    Subject              : CN=WMSvc-WNMAIL01

    PSComputerName       : wnmail01.wayne.aaa075
    RunspaceId           : 3cf7dfa4-0277-4c3b-8b15-4e97e8a26cb2
    PSShowComputerName   : False
    EnhancedKeyUsageList : {Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)}
    DnsNameList          : {*.aaanonj.com, aaanonj.com, mail.aaanonj.com, autodiscover.aaanonj.com,
                           exchange01.aaanonj.com, webmail.aaanonj.com}
    SendAsTrustedIssuer  : False
    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule,
                           System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {*.aaanonj.com, aaanonj.com, mail.aaanonj.com, autodiscover.aaanonj.com,
                           exchange01.aaanonj.com, webmail.aaanonj.com}
    CertificateRequest   :
    IisServices          : {IIS://WNMail01/W3SVC/1, IIS://WNMail01/W3SVC/3}
    IsSelfSigned         : False
    KeyIdentifier        : AEC1D5625034A272B71E4EE8601AA3476411B77F
    RootCAType           : ThirdParty
    Services             : IIS, SMTP
    Status               : Valid
    SubjectKeyIdentifier : AEC1D5625034A272B71E4EE8601AA3476411B77F
    PrivateKeyExportable : True
    PublicKeySize        : 2048
    Identity             : WNMail01.wayne.aaa075\AAA99759DD01C599081E1F8AAF49B7AEAE55F742
    ServicesStringForm   : ...WS..
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid}
    FriendlyName         : Exchange01WC
    IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter             : 9/1/2017 8:00:00 AM
    NotBefore            : 6/27/2016 8:00:00 PM
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 5, 126, 48, 130, 4, 102, 160, 3, 2, 1, 2, 2, 16, 7...}
    SerialNumber         : 0774EEEAEB9EC011226BBF267AA04290
    SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : AAA99759DD01C599081E1F8AAF49B7AEAE55F742
    Version              : 3
    Handle               : 1017853042096
    Issuer               : CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
    Subject              : CN=*.aaanonj.com, O="AAA North Jersey, INC.", L=Wayne, S=New Jersey, C=US


    [PS] C:\Windows\system32>Get-ReceiveConnector | fl name, fqdn, objectclass


    Name        : Default AAANJ-MX
    Fqdn        : AAANJ-MX.wayne.aaa075
    ObjectClass : {top, msExchSmtpReceiveConnector}

    Name        : Client AAANJ-MX
    Fqdn        : AAANJ-MX.wayne.aaa075
    ObjectClass : {top, msExchSmtpReceiveConnector}

    Name        : AnonymousRelay
    Fqdn        : AAANJ-MX.wayne.aaa075
    ObjectClass : {top, msExchSmtpReceiveConnector}

    Name        : Default WNMAIL01
    Fqdn        : WNMail01.wayne.aaa075
    ObjectClass : {top, msExchSmtpReceiveConnector}

    Name        : Client Proxy WNMAIL01
    Fqdn        : WNMail01.wayne.aaa075
    ObjectClass : {top, msExchSmtpReceiveConnector}

    Name        : Default Frontend WNMAIL01
    Fqdn        : WNMail01.wayne.aaa075
    ObjectClass : {top, msExchSmtpReceiveConnector}

    Name        : Outbound Proxy Frontend WNMAIL01
    Fqdn        : WNMail01.wayne.aaa075
    ObjectClass : {top, msExchSmtpReceiveConnector}

    Name        : Client Frontend WNMAIL01
    Fqdn        : WNMail01.wayne.aaa075
    ObjectClass : {top, msExchSmtpReceiveConnector}

    [PS] C:\Windows\system32>



    VERBOSE: Connected to AAANJ-MX.wayne.aaa075.
    [PS] C:\Windows\system32>Get-SendConnector | fl name, fqdn, objectclass

    Name        : Outbound Email
    Fqdn        : mail.aaanonj.com
    ObjectClass : {top, msExchConnector, mailGateway, msExchRoutingSMTPConnector}

    [PS] C:\Windows\system32>

    Thank you for your help in advance.

    Thursday, March 23, 2017 2:30 PM
  • Issue has been resolved.  Prior department made changes to the SCHANNEL registry keys and that led to failed negotiation from the 2010 server.  The extra keys were backed up and deleted to what should be default and communication now works.  I still need to scan and make sure PCI is met.
    • Marked as answer by Lascarius Thursday, March 23, 2017 4:26 PM
    Thursday, March 23, 2017 4:26 PM
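
Added example, not part of the original thread: a PowerShell audit of the per-protocol SCHANNEL overrides described in the resolution, with a registry backup step and a comparison of the overrides recorded on the two servers. The function names and CSV file names are assumptions made for this example, and it covers only the `Protocols` subtree of the SCHANNEL key.

```powershell
# Per-protocol overrides live here; a missing key or value means the OS default applies.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-OverrideState {
    param($Enabled, $DisabledByDefault)
    if ($null -eq $Enabled -and $null -eq $DisabledByDefault) { return 'OS default' }
    if ($null -ne $Enabled -and $Enabled -eq 0) { return 'Disabled' }
    if ($null -ne $DisabledByDefault -and $DisabledByDefault -ne 0) { return 'Disabled by default' }
    return 'Enabled'
}

function Get-SchannelProtocolOverride {
    param([string]$Path = $SchannelProtocols)

    if (-not (Test-Path -LiteralPath $Path)) { return }   # no overrides on this machine

    foreach ($protocol in Get-ChildItem -LiteralPath $Path) {          # e.g. 'TLS 1.0'
        foreach ($role in Get-ChildItem -LiteralPath $protocol.PSPath) {   # 'Client' / 'Server'
            $enabled  = $role.GetValue('Enabled')             # $null when the value is absent
            $disabled = $role.GetValue('DisabledByDefault')
            [pscustomobject]@{
                Computer          = $env:COMPUTERNAME
                Protocol          = $protocol.PSChildName
                Role              = $role.PSChildName
                Enabled           = $enabled
                DisabledByDefault = $disabled
                State             = Get-OverrideState $enabled $disabled
            }
        }
    }
}

function Export-SchannelBackup {
    # Back up the whole SCHANNEL key before changing or deleting anything under it.
    param([string]$File = "$env:TEMP\schannel-$env:COMPUTERNAME.reg")   # placeholder path
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    $File
}

function Compare-SchannelOverride {
    # Lists every protocol/role whose override state differs between two servers.
    # A protocol/role missing on one side is treated as 'OS default' there.
    param([object[]]$Reference = @(), [object[]]$Difference = @())

    $index = {
        param($rows)
        $map = @{}
        foreach ($row in $rows) { $map["$($row.Protocol)|$($row.Role)"] = $row.State }
        $map
    }
    $a = & $index $Reference
    $b = & $index $Difference

    foreach ($key in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
        $left  = if ($a.ContainsKey($key)) { $a[$key] } else { 'OS default' }
        $right = if ($b.ContainsKey($key)) { $b[$key] } else { 'OS default' }
        if ($left -ne $right) {
            [pscustomobject]@{ Setting = $key; Reference = $left; Difference = $right }
        }
    }
}

# On each server: back up first, then record the overrides.
#   Export-SchannelBackup
#   Get-SchannelProtocolOverride | Export-Csv "$env:COMPUTERNAME-schannel.csv" -NoTypeInformation
# With both CSV files in one folder (file names are placeholders):
#   Compare-SchannelOverride -Reference (Import-Csv .\AAANJ-MX-schannel.csv) `
#                            -Difference (Import-Csv .\WNMAIL01-schannel.csv)
```

Rows that differ between the two servers are the first place to look when a TLS handshake between them fails, and the same listing gives a starting inventory for the PCI scan mentioned in the resolution.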