Solved

Outbound Email Not Flowing From Exchange 2007 after TLS Certificate Renewal

Posted on 2011-09-09
Last Modified: 2012-08-13
Hello All,

I have a client with a SBS2008 server, so Exchange 2007 is the email software. Everything was running fine until a self-signed TLS cert expired; then, when we rebooted the server for maintenance, the Exchange Transport service would not start. When the server came back up, everything worked except outbound mail. Users were getting messages that their outbound emails were delayed on the server. Server logs showed:
"There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of <server.domain.local>. The existing certificate for that FQDN has expired."
- (I changed the domain name to protect client anonymity)
- Outbound email uses Postini via Private DNS

I renewed the self-signed cert through the Exchange Management Shell and I believe that part worked without a problem. Rebooted the server and I'm still not getting any outbound mail flowing. Postini reports they see no problem on their end.

Email is queuing and shows this for all queued messages:
"451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect.""

I imagine this is a fairly small thing to fix, but with an angry client with no outbound email, I am finding myself stuck. Does anyone have any suggestions here?

Thanks!

Andrew

Question by:AJ524
18 Comments
 
LVL 7

Expert Comment

by:JohnGrunwell
ID: 36512701
Did you remove the old cert in PowerShell?
0
 
LVL 7

Expert Comment

by:JohnGrunwell
ID: 36512708
Get-ExchangeCertificate | fl
0
 

Author Comment

by:AJ524
ID: 36512732
No, the old cert is still there. Actually, there were two certs that had expired. One was "remote.domain.com" and the other was the FQDN "sbs.domain.local". I renewed them both just in case, even though I know we're not using the name "remote" anywhere.
0
 
LVL 7

Expert Comment

by:JohnGrunwell
ID: 36512764
When you run Get-ExchangeCertificate I'm guessing there are multiple thumbprints there. Is the new cert enabled for IIS?
0
 

Author Comment

by:AJ524
ID: 36512786
The new cert is not enabled for IIS, but then again, neither was the old one. The IIS cert is a 3rd-party cert which we purchased so that mobile devices and web browsers wouldn't panic when connecting for remote mail, etc.
0
 

Author Comment

by:AJ524
ID: 36512796
The new cert is set up for IMAP, POP and SMTP.
0
 

Author Comment

by:AJ524
ID: 36512849
Quick update... I ran the mail flow troubleshooter and it says "Cannot contact the external DNS server." Postini's outbound email filtering relies on private DNS and a valid TLS cert to complete the connection, so just another sign pointing to the cert.
0
 
LVL 7

Expert Comment

by:JohnGrunwell
ID: 36513176
When the old TLS cert expired did you add the same certificate domains?
0
 
LVL 7

Expert Comment

by:JohnGrunwell
ID: 36513225
Are all Exchange services started? (services.msc)
0
 

Author Comment

by:AJ524
ID: 36513228
I renewed both certs by thumbprint like so:
Get-ExchangeCertificate -Thumbprint "<thumbprint>" | New-ExchangeCertificate

So it seems to have added the certificate domains automatically, right?

0
 

Author Comment

by:AJ524
ID: 36513237
Yes, all of the Exchange services started. Right now I am going to remove the old certs and see where that gets me. I know it's something small I'm missing here.
0
 
LVL 7

Expert Comment

by:JohnGrunwell
ID: 36513274
Is the send connector correct and enabled?
0
 
LVL 7

Accepted Solution

by:JohnGrunwell (earned 2000 total points)
ID: 36513344
0
 

Author Comment

by:AJ524
ID: 36513383
Good detail here. Made some minor adjustments for security purposes.

[PS] C:\Users\exchadmin\Desktop>Get-ExchangeCertificate -domain "sbs08.pawalaw.local" | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-sbs08-CA
NotAfter           : 5/25/2012 7:51:58 PM
NotBefore          : 5/26/2011 7:51:58 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 42F41AC0000000000009
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=sbs08.domain.local
Thumbprint         : THUMB-PRINT-0F646A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 9/9/2012 11:00:03 AM
NotBefore          : 9/9/2011 11:00:03 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : SERIAL-7FCE15
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : THUMB-PRINT-5943CA

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.domain.com, domain.com, sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=remote.domain.com
NotAfter           : 9/9/2012 10:58:18 AM
NotBefore          : 9/9/2011 10:58:18 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : SERIAL-7340DE
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.domain.com
Thumbprint         : THUMB-PRINT-4F6CFB

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.domain.com, domain.com, sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-sbs08-CA
NotAfter           : 8/18/2011 5:02:36 PM
NotBefore          : 8/18/2009 5:02:36 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : SERIAL-000005
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=remote.domain.com
Thumbprint         : THUMB-PRINT-674EE6

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-sbs08-CA
NotAfter           : 8/18/2011 3:25:26 PM
NotBefore          : 8/18/2009 3:25:26 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : SERIAL-000002
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : THUMB-PRINT-F2280B

[PS] C:\Users\exchadmin\Desktop>
0
 

Author Comment

by:AJ524
ID: 36513641
Reviewing my command line, I spotted this. This is likely related...

[PS] C:\Users\exchadmin\Desktop>Enable-ExchangeCertificate THUMB-PRINT-4F6CFB
cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Services: smtp, pop, imap
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'sbs08.domain.local' because the CA-signed certificate with thumbprint 'THUMB-PRINT-0F646A' takes precedence. The following connectors match that FQDN: Default sbs08, Reinjection.

Confirm
Overwrite existing default SMTP certificate, 'THUMB-PRINT-5943CA' (expires 9/9/2012 11:00:03 AM), with certificate 'THUMB-PRINT-4F6CFB' (expires 9/9/2012 10:58:18 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y
0
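The two posts above (the Get-ExchangeCertificate dump and the Enable-ExchangeCertificate warning) show the check a defender wants to script before the transport service complains: which SMTP certificates cover the connector FQDN, which are expired or about to expire, and which one Exchange will prefer (per the warning in the thread, a CA-signed cert beats a self-signed one). The following is an added example, not code from the thread; Test-SmtpTlsCertificate is a hypothetical function name, the sample objects are constructed to mirror the dump above, and the tie-break after "CA-signed first" (longest remaining validity) is an assumption rather than documented Exchange behaviour.

```powershell
# Added example (not from the thread). PowerShell 2.0 syntax, as in the Exchange 2007 shell.
function Test-SmtpTlsCertificate {
    param(
        [Parameter(ValueFromPipeline = $true)] $Certificate,
        [Parameter(Mandatory = $true)] [string] $Fqdn,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    begin { $rows = @() }
    process {
        $c = $Certificate
        # Only certs enabled for SMTP that list the connector FQDN are candidates for it.
        $domains = @($c.CertificateDomains | ForEach-Object { "$_" })
        if (("$($c.Services)" -notmatch 'SMTP') -or ($domains -notcontains $Fqdn)) { return }
        $daysLeft = [int][math]::Floor(($c.NotAfter - $Now).TotalDays)
        if ($c.NotAfter -lt $Now) { $state = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $state = 'EXPIRING' }
        else { $state = 'OK' }
        $rows += New-Object PSObject -Property @{
            Thumbprint = $c.Thumbprint; Subject = $c.Subject; IsSelfSigned = [bool]$c.IsSelfSigned
            NotAfter = $c.NotAfter; DaysLeft = $daysLeft; State = $state }
    }
    end {
        # Thread's warning: CA-signed takes precedence over self-signed for the same FQDN.
        # Assumption (not documented here): among equals, prefer the longest remaining validity.
        $valid = @($rows | Where-Object { $_.State -ne 'EXPIRED' })
        $preferred = $valid | Sort-Object @{Expression='IsSelfSigned';Ascending=$true}, @{Expression='NotAfter';Descending=$true} | Select-Object -First 1
        if (-not $preferred) {
            Write-Warning "No unexpired SMTP certificate covers $Fqdn; expect the 'no valid SMTP TLS certificate' event and a stalled queue."
        }
        foreach ($r in $rows) {
            $isPref = ($preferred -ne $null) -and ($r.Thumbprint -eq $preferred.Thumbprint)
            Add-Member -InputObject $r -MemberType NoteProperty -Name Preferred -Value $isPref
            $r
        }
    }
}

# Constructed sample modelled on the thread's dump (not live data). On the server itself use:
#   Get-ExchangeCertificate | Test-SmtpTlsCertificate -Fqdn 'sbs08.domain.local'
$sample = @(
    @{Thumbprint='THUMB-PRINT-0F646A'; Subject='CN=sbs08.domain.local'; IsSelfSigned=$false; Services='IMAP, POP, SMTP'; CertificateDomains=@('sbs08.domain.local'); NotAfter=[datetime]'2012-05-25'},
    @{Thumbprint='THUMB-PRINT-5943CA'; Subject='CN=Sites'; IsSelfSigned=$true; Services='IMAP, POP, SMTP'; CertificateDomains=@('Sites','sbs08.domain.local'); NotAfter=[datetime]'2012-09-09'},
    @{Thumbprint='THUMB-PRINT-F2280B'; Subject='CN=Sites'; IsSelfSigned=$false; Services='IMAP, POP, SMTP'; CertificateDomains=@('Sites','sbs08.domain.local'); NotAfter=[datetime]'2011-08-18'}
) | ForEach-Object { New-Object PSObject -Property $_ }
$sample | Test-SmtpTlsCertificate -Fqdn 'sbs08.domain.local' -Now ([datetime]'2011-09-09') |
    Format-Table Thumbprint, Subject, IsSelfSigned, State, DaysLeft, Preferred -AutoSize
```

With the sample dated to the day of the thread, the expired 'CN=Sites' cert is reported as EXPIRED and the CA-signed THUMB-PRINT-0F646A is marked Preferred, matching the warning Exchange printed above.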
 

Assisted Solution

by:AJ524 (earned 0 total points)
ID: 36514642
I solved the problem.

So it turns out, the cable company had supplied the client with a new commercial cable modem late last night and I was not informed. The cable company misconfigured the cable modem with a set of rules usually applied to residential clients, particularly the blocking of outbound port 25.

This became apparent to me when I removed the private DNS configuration and tried connecting to recipient mail servers directly using the Exchange mail flow test suite and was still unable to connect. I then did what I should have done from the beginning... open a command line and telnet to one of those recipient mail servers directly. My connection attempt was blocked, and when I then tried connecting to the ISP's own SMTP server, that worked, so the source of my misery was then obvious.

I called the ISP, explained the problem, they confirmed my suspicion and re-provisioned the cable modem properly, and the mail queue immediately emptied. Thank you very much for your help, JohnGrunwell.

Andrew
0
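The diagnostic the author ends up doing by hand with telnet (connect to TCP 25 on an outside MX, then on the ISP's own relay, and compare) is worth keeping as a script, because it separates "the link filters port 25" from "Exchange or its TLS certificate is broken" in seconds. The following is an added example, not code from the thread or from Exchange; Test-SmtpReachability is a hypothetical function name and the two hostnames are placeholders to replace with a real recipient MX and your ISP's relay.

```powershell
# Added example (not from the thread). Plain .NET sockets so it runs in PowerShell 2.0.
function Test-SmtpReachability {
    param(
        [Parameter(Mandatory = $true)] [string[]] $HostName,
        [int] $Port = 25,
        [int] $TimeoutMs = 5000
    )
    foreach ($h in $HostName) {
        $client = New-Object System.Net.Sockets.TcpClient
        $r = New-Object PSObject -Property @{ Host = $h; Port = $Port; Connected = $false; Banner = $null; Error = $null }
        try {
            # Asynchronous connect so a silently filtered port fails by timeout, not after minutes.
            $ar = $client.BeginConnect($h, $Port, $null, $null)
            if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $r.Error = "connect timed out after ${TimeoutMs} ms (no reply at all: typical of a filtered port)"
            } else {
                $client.EndConnect($ar)          # throws on refusal or DNS failure
                $r.Connected = $true
                $stream = $client.GetStream()
                $stream.ReadTimeout = $TimeoutMs
                $reader = New-Object System.IO.StreamReader($stream)
                $r.Banner = $reader.ReadLine()   # the 220 greeting, if the far side is an MTA
                $writer = New-Object System.IO.StreamWriter($stream)
                $writer.WriteLine('QUIT'); $writer.Flush()
            }
        } catch {
            $r.Error = $_.Exception.Message
        } finally {
            $client.Close()
        }
        $r
    }
}

# Placeholders: substitute a real recipient MX (nslookup -type=mx <domain>) and the ISP's relay.
$mx    = 'mx.recipient.example'
$relay = 'smtp.isp.example'
$results = Test-SmtpReachability -HostName $mx, $relay
$results | Format-Table Host, Port, Connected, Banner, Error -AutoSize
$outside = $results | Where-Object { $_.Host -eq $mx }
$local   = $results | Where-Object { $_.Host -eq $relay }
if ($local.Connected -and -not $outside.Connected) {
    Write-Warning 'ISP relay answers on 25 but the external MX does not: suspect upstream port 25 filtering (modem/ISP), not Exchange or its TLS certificate.'
} elseif (-not $local.Connected -and -not $outside.Connected) {
    Write-Warning 'Nothing reachable on 25: check the local firewall, NIC and DNS before blaming the ISP.'
}
```

Run it from the Exchange server itself, since that is the host whose outbound path is in question.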
 

Author Closing Comment

by:AJ524
ID: 36534809
Short version:  It was the ISP blocking port 25 after setting up a new cable modem the night before.  Wish the client had mentioned that.
0
 
