Asked by Safeserve (United Kingdom):

Smart Host Certificate issue with Exchange 2007

Hi,

We run a (non-Exchange) mail server which several clients send their outbound email via.

We use a wild card certificate on this server to allow us to use the same one for webmail, smtp, etc. with the common smtp. pop. webmail. domain names, etc.

Our current certificate (which has always worked perfectly) runs out this month, and after shopping around we managed to find a rather good deal.

We got hold of a new wildcard certificate, installed it, and all seemed to be working well. Clients such as Outlook, etc. could all send out and receive using SSL/TLS, the webmail worked over SSL, and all our clients using Exchange 2003 were sending out via TLS perfectly.

However, an hour or so later, we noticed that there was one anomaly... there is a single Exchange 2007 server which sends out via us, and this server was not sending out any mail.

Upon investigation I found the following error logged:

Source: MSExchangeTransport
Category: MessageSecurity
Event ID: 11005
Description: Unable to validate the TLS certificate of the smart host for the connector To Internet. The certificate validation error for the certificate is WrongUsage. If the problem persists, contact the administrator of the smart host to resolve the problem.

The smart host of which it speaks is the mail server with the new certificate installed.

I contacted the support team at the certificate provider who directed me here: http://technet.microsoft.com/en-gb/library/bb331963.aspx

However, the only suggestion that page seems to have that is relevant is: "this status message may indicate that the certificate that you are using does not have the correct data in the Enhanced Key Usage field. All certificates that are used for Transport Layer Security (TLS) must contain a Server Authentication object identifier (also known as OID)."

I have checked the certificate, and "Server Authentication" is definitely present in the Enhanced Key Usage field (as one would expect, since presumably it would fail everything else too if it weren't!).

This is the only Exchange 2007 server sending via this server, so I can't be sure if it is an Exchange 2007 issue, or an issue with this specific server, but with my experience of Exchange 2007 I would guess the former...

Any help much appreciated! We have until Wednesday to get the new certificate working for everyone before the old one runs out!

Thanks!
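The TechNet text quoted above says the smart host certificate must carry the Server Authentication object identifier (1.3.6.1.5.5.7.3.1) in its Enhanced Key Usage extension. The PowerShell below is an added example for checking exactly that, either against a certificate file or against the certificate a smart host presents after STARTTLS on port 25; it is not code from this thread or from Microsoft, and the host name, EHLO name and file path in it are assumptions.

```powershell
# Added example (not part of the original thread): inspect the Enhanced Key Usage
# (EKU) of a smart host's TLS certificate. Exchange 2007 reports WrongUsage
# (event 11005) when the certificate does not list Server Authentication,
# OID 1.3.6.1.5.5.7.3.1. Host names, port, EHLO name and file paths are assumptions.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Test-ServerAuthEku {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    if (-not $eku) {
        # No EKU extension at all. Many validators treat that as "any purpose", but a
        # smart host certificate for Exchange should list Server Authentication explicitly.
        return [pscustomobject]@{
            Subject = $Certificate.Subject; HasEkuExtension = $false; ServerAuth = $false; Purposes = @()
        }
    }

    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Subject         = $Certificate.Subject
        HasEkuExtension = $true
        ServerAuth      = ($oids -contains $ServerAuthOid)
        Purposes        = $oids
    }
}

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # SMTP replies may span several lines; continuation lines have '-' after the 3-digit code.
    do { $line = $Reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
    return $line
}

function Get-SmtpStartTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$SmartHost,
        [int]$Port = 25,
        [string]$HeloName = 'probe.example'   # assumed name used in the EHLO greeting
    )

    $client = New-Object System.Net.Sockets.TcpClient($SmartHost, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        if ($banner -notlike '220*') { throw "Unexpected banner: $banner" }
        $writer.WriteLine("EHLO $HeloName")
        $null = Read-SmtpReply $reader
        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply $reader
        if ($reply -notlike '220*') { throw "STARTTLS refused: $reply" }

        # Accept whatever certificate is presented: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
        $ssl.AuthenticateAsClient($SmartHost)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

# Usage with assumed values: a live smart host, or an exported certificate file.
# $cert = Get-SmtpStartTlsCertificate -SmartHost 'smtp.example.test'
# Test-ServerAuthEku -Certificate $cert
# $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\temp\smarthost.cer')
# Test-ServerAuthEku -Certificate $fileCert
```

Run it from the Exchange 2007 server itself so the check sees the certificate that the send connector actually receives on the wire (a load balancer or a second listener can serve a different certificate from the one viewed in the server's certificate store). If `ServerAuth` comes back `True`, the EKU content is not the cause of WrongUsage and the remaining certificate properties, such as the chain and the name the connector is configured to expect, are the next things to compare.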
Suraj (Australia):

Do you have an edge server?
Check whether you have basic authentication enabled on the receive connector, then restart the transport service.
----------
1. On your hub server, run this shell command:

Get-ReceiveConnector "Default servername" | fl * > result.txt

and show me the results please.

2. Now also please run these commands:

ping <IP address of hub server> -f -l 1472
ping <IP address of hub server> -f -l 973
ping <IP address of hub server> -f -l 576

What is the result for these commands?
Safeserve (asker):

Hi,

Thanks for the help.

Our server is not an Exchange server, and the client does not have an edge server - it's just a single server installation.

I am assuming when you were talking about the Receive Connector you were wanting to know the details of OUR server (since this is the one doing the receiving), so this may be redundant. However, just in case I have misunderstood, I have attached the details you asked for from the client's (i.e. the sending) server (with domain names etc. blanked out).

As for the pings, these all seem to work perfectly...

Thanks again.
Attachment: result.txt

ASKER CERTIFIED SOLUTION by Safeserve (United Kingdom); the solution text is only available to members.

Safeserve, could you please contact me at mamenard@defensus.ca
I am having the exact same issue. struggling to work it out, ID 27549160.
Would much appreciate your input to help me out.
Thanks.