Major Exchange Issue - Help!

  • Question

  • Hi All,

    I had a perfectly working Exchange 2016 solution, email working in and out.

    I then added a certificate from an organisation in the UK called CJSM and then added a receive connector and send connector for use with the certificate, with the message scope being *.cjsm.net.

    Since this, all mail flow, internal and external, has broken and doesn't function.

    Event app log shows:

    Service MSExchangeSubmission.  An exception has been thrown: Microsoft.Exchange.Assistants.TransientMailboxException

       at Microsoft.Exchange.Assistants.Util.TraceAndThrow(Action function, AIException aiException, String nonLocalizedAssistantName)

       at Microsoft.Exchange.Assistants.Util.CatchMeIfYouCan(Boolean translateToPermanentException, Action function, String nonLocalizedAssistantName, ISet`1 permanentExceptions)

       at Microsoft.Exchange.Assistants.Base.CatchMeIfYouCan(Boolean translateToPermanentException, Action function, String nonLocalizedAssistantName, ISet`1 permanentExceptions)

    Event system log:

    An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

    Sending an email from OWA says that I don't have permission to perform this action and it keeps landing in Drafts.

    Sending from Outlook the message vanishes.

    Please help me get this working again!

    Wednesday, October 12, 2016 6:12 PM

Answers

  • Hi,

    Based on your description, I know that all clients failed to send and receive messages after you installed the new certificate and added connectors with this certificate.
    If I have misunderstood your concern, please feel free to let me know.

    To narrow down your issue, I want to confirm:
    1. Which certificate SHA are you using, SHA1 PKI or SHA2?
    2. How about increasing the cost for the name scope *.cjsm.net in the new connector?
    3. How about removing TlsCertificateName for the new connector?

    You can run the command below to check the SHA of the Exchange certificate:
    Get-ChildItem -Path cert:\LocalMachine\My\Thumbprint | Select Subject -ExpandProperty SignatureAlgorithm | select Subject,FriendlyName

    Exchange 2016 CU2 and later support SHA2 (SHA256, SHA384). If the new certificate is not supported in the current Exchange version, please renew the certificate and test again. For your reference:
    https://blogs.technet.microsoft.com/rmilne/2016/07/20/exchange-self-signed-sha2-certificates/
    Note: If it's SHA512, please try a new certificate with SHA256 or SHA384 for testing.


    Allen Wang
    TechNet Community Support



    • Proposed as answer by Allen_WangJF Monday, October 17, 2016 3:38 PM
    • Marked as answer by Allen_WangJF Sunday, October 23, 2016 12:40 AM
    Thursday, October 13, 2016 8:26 AM
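
The three checks from the answer above (signature algorithm, connector scope and cost, TlsCertificateName), gathered into one read-only script. This is an added example, not part of the original thread; it assumes the Exchange Management Shell on the affected server, and the connector name in the final comment is a placeholder.

```powershell
# Added example. Read-only: nothing below changes configuration.
# Assumes the Exchange Management Shell on the affected Exchange 2016 server.

# 1. Signature algorithm of every certificate in the machine store
$certs = foreach ($c in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $alg  = $c.SignatureAlgorithm.FriendlyName        # e.g. sha1RSA, sha256RSA
    $note = switch -Regex ($alg) {
        'sha512'       { 'SHA512: retest with SHA256 or SHA384'; break }
        'sha(256|384)' { 'SHA2: needs Exchange 2016 CU2 or later'; break }
        default        { '' }
    }
    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        Algorithm  = $alg
        Note       = $note
        # Issuer/subject form used by TlsCertificateName
        # (assumption: the connector value converts back to this exact string)
        TlsName    = "<I>$($c.Issuer)<S>$($c.Subject)"
    }
}
$certs | Format-Table Subject, Thumbprint, Algorithm, Note -AutoSize

# 2. Which connectors are pinned to a certificate, and to which one
$connectors = @(Get-ReceiveConnector) + @(Get-SendConnector)
$connectors | ForEach-Object {
    $tlsName = [string]$_.TlsCertificateName
    $pinned  = $certs | Where-Object { $tlsName -and $_.TlsName -eq $tlsName }
    [pscustomobject]@{
        Connector          = [string]$_.Identity
        TlsCertificateName = $tlsName
        PinnedThumbprint   = $pinned.Thumbprint -join ', '
        # Send connectors only: shows the name scope and its cost
        AddressSpaces      = $_.AddressSpaces -join ', '
    }
} | Format-List

# 3. The answer's third suggestion, to apply only after reviewing the output
#    above ('CJSM Send' is a placeholder connector name):
# Set-SendConnector -Identity 'CJSM Send' -TlsCertificateName $null
```

An empty PinnedThumbprint next to a non-empty TlsCertificateName means no certificate in the machine store matched the name the connector is configured with.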

All replies

  • Are ALL the Exchange Services running? Especially the transport and Mailbox Transport submission services.

    Wednesday, October 12, 2016 6:46 PM
  • It seems to me you have configured TLS authentication and are using the new certificate you just installed.

    Mihir Nayak

    Thursday, October 13, 2016 8:42 AM