Solved

StartTLS Certificate has: "has an nonvalid digital signature"

Posted on 2010-08-16
Last Modified: 2013-11-30
Subject System
This problem regards a small private domain hosted by 2 WS'03 R2 x64 Std Ed DCs with SP2 and current updates.  One DC is hosting Exchange 2007 Standard Edition SP3.  The Hub Transport is Internet facing through a gateway-router/NAT/aDSL-modem to an ISP (AT&T) for Internet and personal-mailbox services as afforded by AT&T, and the hosting platform is multi-homed; 2 NICs.  The domain build aspects are sound.  Exchange receives ISP mail via a MAPILab POP3 Connector (MPC); it works fine.

Problem/Objective
I'm trying to send all Internet-destined email to the said AT&T service as a Smarthost.  In pursuing this, I have configured an SMTP Send Connector and created a Self-Signed Certificate to negotiate STARTTLS as is initiated by our ISP (AT&T) when the ISP receives the SMTP mail we send.  Currently, the sent msgs never reach their destination and I suspect that they hang in the submit queue (I could test this).  I was hoping that a Self-Signed Certificate would suffice for these SSL/TLS negotiations.  In contrast, I've considered buying a 3rd party Certificate for this purpose or trying one of those as are enumerated within the Local Store; i.e. CA>3rd Party Root Certification Authorities>Certificates.  I'm trying to refrain from buying a certificate that I don't absolutely need.

Current Resolve
One problem is that the Self-Signed Certificate I created, imported, and enabled (for SMTP) is invalid; i.e. "This certificate has an nonvalid digital signature." (I'm currently working on this.)  In summary, I'm wondering which of the following efforts would work for my objective:

repairing or rebuilding my invalid self-signed Certificate,
using one of my CA>3rd Party Root Certification Authorities>Certificates certificates,
procuring a Certificate specifically for this AT&T service.

Here's the command line I used to create the Certificate Request that has the invalid signature; note the Parameter Set:

New-ExchangeCertificate -DomainName smtp.att.yahoo.com, sbcGlobal.net, PrivDomName.local -FriendlyName "AT&T Start TLS" -GenerateRequest:$True -KeySize 1024 -PrivateKeyExportable:$true -SubjectName "DC=sbcGlobal, DC=net, O=ATTacccountOwnerName, C=US, CN=smtp-sbc.mail.yahoo.com, CN=smtp.sbc.mail.fy4.b.yahoo.com, CN=host.PrivDomName.local, CN=PrivDomName.local" -Path "E:\Certificates\Requests\AT&T StartTLS.req.txt"

Here's the most significant part of the corresponding 12014 Application Event Description:

Microsoft Exchange could not find a certificate that contains the domain name sbcGlobal.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Internet via AT&T with a FQDN parameter of sbcGlobal.net.

So, how/where do I need to specify sbcGlobal.net in my parameter set; e.g. CN=<>?  But where?

Any help on this would be greatly appreciated!!!

Plea
Any help/advice on any of this would be much appreciated.

Thanks!
Question by:GlennXS
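The 12014 event quoted above is about one thing: the FQDN set on the Send Connector has to appear in CertificateDomains of a certificate that is in the local computer's Personal store and enabled for SMTP. Two things in the posted command work against that. With -GenerateRequest the cmdlet only produces a request to be signed by a CA; a usable certificate exists only after the CA's response is imported with Import-ExchangeCertificate. And it is the -DomainName list (which becomes CertificateDomains), not extra CN= components in -SubjectName, that the lookup matches on. The following is an added example, not the poster's command and not Microsoft documentation; it reads the FQDN off the connector and creates a self-signed certificate directly, without a request. The connector name "Internet via AT&T" and the PrivDomName.local names come from the post; the friendly name and key size are arbitrary. Run it in the Exchange 2007 Management Shell on the Hub Transport server.

```powershell
# Added example (not from the original post): build a self-signed certificate
# whose CertificateDomains contains the Send Connector FQDN, enable it for SMTP,
# and confirm the properties that event 12014 checks.

$connectorName = "Internet via AT&T"          # name taken from the 12014 event text
$fqdn = (Get-SendConnector $connectorName).Fqdn

if (-not $fqdn) {
    throw "Send Connector '$connectorName' has no FQDN set; event 12014 keys on this value"
}

# Without -GenerateRequest, New-ExchangeCertificate creates a self-signed
# certificate directly in the local computer's Personal store.
# Everything in -DomainName ends up in CertificateDomains (subjectAltName);
# the first DomainName entry is also the CN unless -SubjectName overrides it.
$cert = New-ExchangeCertificate `
    -DomainName $fqdn, "host.PrivDomName.local", "PrivDomName.local" `
    -SubjectName "CN=$fqdn" `
    -FriendlyName "Smarthost STARTTLS (self-signed)" `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# Bind the certificate to the SMTP service; the transport service picks the
# certificate for STARTTLS by matching the connector FQDN against CertificateDomains.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# Verify what 12014 looks for: the FQDN in CertificateDomains and SMTP in Services.
$check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if ($check.CertificateDomains -notcontains $fqdn) {
    throw "Certificate $($check.Thumbprint) does not list $fqdn in CertificateDomains"
}
$check | Format-List Subject, CertificateDomains, Services, NotAfter, Thumbprint
```

Whether the smarthost accepts a self-signed certificate from the sending side is a separate question from whether Exchange will offer STARTTLS at all; this block only clears the 12014 condition, so the connector stops logging that it cannot support the STARTTLS verb. After it runs, Get-ExchangeCertificate | FL should show the FQDN under CertificateDomains, which is the check the Help text for the event refers to.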
6 Comments
 

Expert Comment

by:changlinn
ID: 33451908
OK, for starters, a complex question like this and you are only offering 250 points seems a bit tight...

But I will answer, as it breaks down to be pretty easy. Firstly, you can't use SMTPS using SSL/TLS unless your certificate is trusted by the receiving mail server, in this case AT&T. Secondly, why are you using SMTPS to go to AT&T? Why not just use SMTP and get rid of SSL/TLS, as AT&T are more than likely going to forward it on to the final receiving mail server using standard unencrypted SMTP. Are you even sure AT&T supports SSL/TLS on their SMTP server?

Some simple tests; open up a command prompt on your Hub Transport server and type the below:

telnet mailhost.worldnet.att.net 465

If that connects, then their mail server is listening on SMTPS and you will need a certificate from an online Certificate Authority like VeriSign, Thawte, Entrust, GoDaddy, etc. If it doesn't work, try the below:

telnet mailhost.worldnet.att.net 25

If that works, good, just use plain old SMTP in your smart host.

Author Comment

by:GlennXS
ID: 33452131
I'm new to EE and their point system. I don't really have a feel for what the impact of "points" is on my end; I'll get into it though.

It's a simple virtue that drove me in this pursuit: for the past 4 or 5 years, I've been using Outlook Express to access my personal mail from AT&T while configured for port 465, smtp.att.yahoo.com, & SSL enabled.  I never bought any certificates for this and it just works; it's working now!   Respectively, I just thought I could use my native Windows Domain resources, e.g. Exchange, my Root CA, for any needed accommodations once I acquired the knowledge to do such.  At least, spawn an SSL Cert from one of those within CA>3rd Party Root Certification Authorities>Certificates of the Local Store.

When I posted this issue, I also thought I could use New-ExchangeCertificate to build the SSL Cert without any 3rd party purchase. The MS documentation is ambiguous about this distinction, i.e. can or can't (to me).
I'm now mostly convinced that New-ExchangeCertificate is only for generating the requests that I would solicit to those 3rd party SSL Cert folks.  Digesting what you wrote reaffirms this to me.  I did the telnet test for SSL (465) and know that TLS is initiated. I didn't try to do a port 25 test; good idea, I'll give it a whirl.

Could you clarify the purpose of those certs within the CA>3rd Party Root Certification Authorities>Certificates repository (of the Local Store)? i.e. Would any of these suffice for my SSL/TLS needs, or is my only solution from the 3rd party public vendor?
Much thanks for the gracious advice!
-Glenn

Author Comment

by:GlennXS
ID: 33452205
I reached in pocket and found some more points ...

Could you advise on the 12014 issue, as noted in my post?  Specifically, dialog from the Help & Support link, as is within the Description of this 12014 Event, clearly states that the FQDN as specified within the subject Connector must appear as a member of CertificateDomains when you view the output of Get-ExchangeCertificate | FL.  (I'm experiencing this issue.)   That MS dialog also goes on to say (in so many words) that this can be corrected by using New-ExchangeCertificate and specifying the correct parameter set.  I must have tried 20 variations and have not been able to get sbcGlobal.net to appear as a CertificateDomains member.  What am I doing wrong?

Accepted Solution

by: changlinn (earned 300 total points)
ID: 33452458
OK, so the average simple question on here goes for 500 points, just an FYI; you may not get as many knowledgeable people with 300.

I will try, though I have never set up SMTPS in Exchange 2007; I did once a long time ago at a previous job on 2003.
From what you have said, it looks like AT&T do support SMTPS on smtp.att.yahoo.com, which is fair enough. Not a huge boon for you, but I'll continue. SMTPS is only really secure if it relays all the way to the user's mail server with SMTP-TLS (I tend to just say SMTPS), which is highly unlikely at this stage. Most corporates still use SMTP by default.

The scenario you described with Outlook on your machine is slightly different. Outlook works in that regard like your web browser does when it views an SSL site: it has access to the root certificates and can see that the certificate from smtp.att.yahoo.com is signed by one of them. Outlook doesn't actually present a certificate to auth itself at this stage; it just, like SSL (another TLS), verifies the server it is connecting to is valid.

There is a good guide to doing SMTP-TLS here with 2003 and 2007 though: http://www.arrowmail.co.uk/howto/smrthost.aspx
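The telnet checks in the earlier comment show only whether a port answers. As an added example that is not part of this thread, the Python below does what the comment describes Outlook doing on the client side: it sends EHLO, looks for the STARTTLS extension, upgrades the connection, and verifies the server's certificate (chain and hostname) against the system trust store; on port 465 it uses implicit TLS instead, matching the Outlook Express setup the poster describes. It assumes the smarthost does not demand a client certificate, and the EHLO reply embedded in it is constructed for the parser, not captured from AT&T. The smtp.att.yahoo.com name in the usage line comes from the thread.

```python
"""Probe an SMTP smarthost for TLS and verify the certificate it presents.

Added example, not from the original thread.  The sample EHLO reply below is
constructed; host names used at runtime are taken from the command line.
"""
import smtplib
import ssl
import sys

# Constructed EHLO reply, shaped like RFC 5321 multi-line 250 responses.
SAMPLE_EHLO = (
    b"250-smtp.example.net Hello client.example.org\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo(reply: bytes) -> dict:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameters}.

    Lines are '250-KEYWORD params' with the last one '250 KEYWORD params'.
    The first line carries the server's greeting domain, not an extension,
    so it is skipped.  Keywords are case-insensitive and are upper-cased.
    """
    extensions = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250"):
            continue  # ignore anything that is not part of the 250 reply
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.strip()
    return extensions


def probe_tls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to host:port and negotiate TLS the way a mail client does.

    Port 465: implicit TLS from the first byte (the "SSL" port in Outlook Express).
    Other ports: plain EHLO, then STARTTLS if the server advertises it.
    The server certificate is verified against the system trust store with
    hostname checking; a self-signed or mismatched certificate raises
    ssl.SSLCertVerificationError, which is what a client would report.
    Assumes no client certificate is required (none is sent).
    """
    result = {"host": host, "port": port, "tls": None, "peer_subject": None,
              "peer_san": [], "auth_offered": False}
    context = ssl.create_default_context()   # verify chain + hostname

    if port == 465:
        smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=context)
        result["tls"] = "implicit"
    else:
        smtp = smtplib.SMTP(host, port, timeout=timeout)

    with smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected by {host}:{port} with {code}")
        if port != 465:
            if not smtp.has_extn("starttls"):
                return result            # tls stays None: plain SMTP only
            smtp.starttls(context=context)  # raises on verification failure
            smtp.ehlo()                  # capabilities must be re-read after TLS
            result["tls"] = "starttls"
        cert = smtp.sock.getpeercert()
        result["peer_subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
        result["peer_san"] = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
        result["auth_offered"] = smtp.has_extn("auth")  # usually only offered under TLS
    return result


if __name__ == "__main__":
    # e.g.  python3 probe.py smtp.att.yahoo.com 465   or   ... 25
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp.example.net"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(probe_tls(target, target_port))
```

If the smarthost is reached on 25 or 587 and `tls` comes back as `None`, the server never offered STARTTLS and no certificate on the Exchange side will change that; if it raises a certificate verification error, the problem is the server's certificate chain as seen from this machine's trust store, which is the direction of checking the comment describes for Outlook.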

Author Closing Comment

by:GlennXS
ID: 33641815
It was a workaround to my objective