Outbound Email Not Flowing From Exchange 2007 after TLS Certificate Renewal

Posted on 2011-09-09
Last Modified: 2012-08-13
Hello All,

I have a client with a SBS2008 server, so Exchange 2007 is the email software. Everything was running fine until a self-signed TLS cert expired; then, when we rebooted the server for maintenance, the Exchange Transport service would not start. When the server came back up, everything worked except outbound mail. Users were getting messages that their outbound emails were delayed on the server. Server logs showed:
"There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of <server.domain.local>. The existing certificate for that FQDN has expired."
- (I changed the domain name to protect client anonymity)
- Outbound email uses Postini via Private DNS

I renewed the self-signed cert through Exchange Management Shell and I believe that part worked without a problem. Rebooted the server and I'm still not getting any outbound mail flowing. Postini reports they see no problem on their end.

Email is queuing and shows this for all queued messages:
"451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect."

I imagine this is a fairly small thing to fix, but with an angry client with no outbound email, I am finding myself stuck. Does anyone have any suggestions here?

Thanks!

Andrew

Question by:AJ524
18 Comments
 
LVL 7

Expert Comment

by:JohnGrunwell
ID: 36512701
Did you remove the old cert in PowerShell?

Expert Comment

by:JohnGrunwell
ID: 36512708
Get-ExchangeCertificate | fl

Author Comment

by:AJ524
ID: 36512732
No, the old cert is still there. Actually, there were two certs that had expired. One that was "remote.domain.com" and the other was the FQDN of "sbs.domain.local". I renewed them both just in case, even though I know we're not using the name "remote" anywhere.

Expert Comment

by:JohnGrunwell
ID: 36512764
When you run Get-ExchangeCertificate, I'm guessing there are multiple thumbprints there. Is the new cert enabled for IIS?

Author Comment

by:AJ524
ID: 36512786
The new cert is not enabled for IIS, but then again, neither was the old one. The IIS cert is a third-party cert which we purchased so that mobile devices and web browsers wouldn't panic when connecting for remote mail, etc.

Author Comment

by:AJ524
ID: 36512796
The new cert is set up for IMAP, POP and SMTP.

Author Comment

by:AJ524
ID: 36512849
Quick update... ran the mail flow troubleshooter and it says "Cannot contact the external DNS server." Postini's outbound email filtering relies on private DNS and a valid TLS cert to complete the connection, so just another sign pointing to the cert.

Expert Comment

by:JohnGrunwell
ID: 36513176
When the old TLS cert expired did you add the same certificate domains?

Expert Comment

by:JohnGrunwell
ID: 36513225
All Exchange services are started? (services.msc)

Author Comment

by:AJ524
ID: 36513228
I renewed both certs by thumbprint like so:
Get-ExchangeCertificate -Thumbprint "<thumbprint>" | New-ExchangeCertificate

So it seems to have added the certificate domains automatically, right?


Author Comment

by:AJ524
ID: 36513237
Yes, all of the Exchange services started. Right now I am going to remove the old certs and see where that gets me. I know it's something small I'm missing here.

Expert Comment

by:JohnGrunwell
ID: 36513274
The Send connector is correct and enabled?

Accepted Solution

by:JohnGrunwell (earned 500 total points)
ID: 36513344

Author Comment

by:AJ524
ID: 36513383
Good detail here. Made some minor adjustments for security purposes.

[PS] C:\Users\exchadmin\Desktop>Get-ExchangeCertificate -domain "sbs08.pawal
aw.local" | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-sbs08-CA
NotAfter           : 5/25/2012 7:51:58 PM
NotBefore          : 5/26/2011 7:51:58 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 42F41AC0000000000009
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=sbs08.domain.local
Thumbprint         : THUMB-PRINT-0F646A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 9/9/2012 11:00:03 AM
NotBefore          : 9/9/2011 11:00:03 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : SERIAL-7FCE15
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : THUMB-PRINT-5943CA

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {remote.domain.com, domain.com, sbs08.domain.local
                     }
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=remote.domain.com
NotAfter           : 9/9/2012 10:58:18 AM
NotBefore          : 9/9/2011 10:58:18 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : SERIAL-7340DE
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.domain.com
Thumbprint         : THUMB-PRINT-4F6CFB

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.domain.com, domain.com, sbs08.domain.local
                     }
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-sbs08-CA
NotAfter           : 8/18/2011 5:02:36 PM
NotBefore          : 8/18/2009 5:02:36 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : SERIAL-000005
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=remote.domain.com
Thumbprint         : THUMB-PRINT-674EE6

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-sbs08-CA
NotAfter           : 8/18/2011 3:25:26 PM
NotBefore          : 8/18/2009 3:25:26 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : SERIAL-000002
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : THUMB-PRINT-F2280B



[PS] C:\Users\exchadmin\Desktop>
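The listing above has five SMTP-enabled certificates, two of them DateInvalid, and Exchange picks one per connector FQDN on its own. The script below is an added example (not code from the thread or from Microsoft) that turns such a listing into a short report: every certificate enabled for SMTP, its status and days to expiry, and which connector FQDNs it actually covers. It assumes an Exchange 2007/2010 Management Shell session; the function name and the use of the machine's own DNS name as the transport FQDN are assumptions.

```powershell
# Added example: report SMTP certificates against the FQDNs Exchange transport uses.
# Assumes it runs inside the Exchange Management Shell (Exchange 2007/2010 cmdlets).
function Get-SmtpCertificateReport {
    # FQDNs a certificate must cover: the server's own name (assumed here to be the
    # DNS host entry of the local machine) plus the Fqdn of each Send/Receive connector.
    $serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $fqdns = @($serverFqdn)
    $fqdns += @(Get-SendConnector    | Where-Object { $_.Fqdn } | ForEach-Object { $_.Fqdn.ToString() })
    $fqdns += @(Get-ReceiveConnector | Where-Object { $_.Fqdn } | ForEach-Object { $_.Fqdn.ToString() })
    $fqdns = $fqdns | Sort-Object -Unique

    Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } | ForEach-Object {
        $cert = $_
        # Compare as strings: CertificateDomains holds domain objects, not plain text.
        $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $covered = @($fqdns | Where-Object { $domains -contains $_ })
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        New-Object PSObject -Property @{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            Status       = $cert.Status
            DaysToExpiry = $daysLeft
            SelfSigned   = $cert.IsSelfSigned
            CoversFqdn   = ($covered -join ', ')
            # Flag anything already invalid or inside a 30-day renewal window.
            Problem      = ($cert.Status -ne 'Valid' -or $daysLeft -lt 30)
        }
    } | Sort-Object Problem -Descending |
        Format-Table -AutoSize Problem, Status, DaysToExpiry, SelfSigned, CoversFqdn, Thumbprint, Subject
}

Get-SmtpCertificateReport
```

Read the CoversFqdn column together with the warning Exchange prints on Enable-ExchangeCertificate: when more than one valid certificate covers the same connector FQDN, the CA-signed one takes precedence over a self-signed one, so renewing a self-signed certificate can leave transport using a different certificate than the one you just enabled. Expired certificates that still carry the SMTP service flag are what produce the "no valid SMTP Transport Layer Security (TLS) certificate" event and are the ones to renew or remove (Remove-ExchangeCertificate by thumbprint) first.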

Author Comment

by:AJ524
ID: 36513641
Reviewing my command line, I spotted this.  This is likely related...

[PS] C:\Users\exchadmin\Desktop>Enable-ExchangeCertificate THUMB-PRINT-4F6CFB
cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Services: smtp, pop, imap
WARNING: This certificate will not be used for external TLS connections with an
 FQDN of 'sbs08.domain.local' because the CA-signed certificate with
thumbprint 'THUMB-PRINT-0F646A' takes precedence. The
following connectors match that FQDN: Default sbs08, Reinjection.

Confirm
Overwrite existing default SMTP certificate,
'THUMB-PRINT-5943CA' (expires 9/9/2012 11:00:03 AM), with
 certificate 'THUMB-PRINT-4F6CFB' (expires 9/9/2012
10:58:18 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

Assisted Solution

by:AJ524 (earned 0 total points)
ID: 36514642
I solved the problem.

So it turns out the cable company had supplied the client with a new commercial cable modem late last night and I was not informed. The cable company misconfigured the cable modem with a set of rules usually applied to residential clients, in particular the blocking of outbound port 25.

This became apparent to me when I removed the private DNS configuration and tried connecting to recipient mail servers directly using the Exchange mail flow test suite and was still unable to connect. I then did what I should have done from the beginning... open a command line and telnet to one of those recipient mail servers directly. My connection attempt was blocked, and when I then tried connecting to the ISP's own SMTP server, that worked, so the source of my misery was then obvious.

I called the ISP, explained the problem, they confirmed my suspicion and re-provisioned the cable modem properly, and the mail queue immediately emptied. Thank you very much for your help, JohnGrunwell.

Andrew
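The test that settled this, a raw connection to port 25 from the Exchange box, can be scripted so it runs in seconds and distinguishes a silently dropped connection (the signature of an upstream port-25 filter) from a refused or failing one. The function below is an added example written for this thread, not code from the original post; it uses only .NET socket classes available to the Exchange 2007 shell. The host names in the final call are constructed placeholders; substitute your Send connector's smart hosts (Get-SendConnector | Select-Object Name, SmartHosts) or a recipient domain's MX host, plus your ISP's own relay for comparison.

```powershell
# Added example: probe outbound TCP 25 from this host and read the SMTP banner.
# Host names are placeholders, not values from the thread.
function Test-OutboundSmtp {
    param(
        [Parameter(Mandatory = $true)][string[]]$HostName,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    foreach ($h in $HostName) {
        $result = New-Object PSObject -Property @{
            Host = $h; Port = $Port; Reachable = $false; Banner = $null; Error = $null
        }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Connect asynchronously: a filter that drops SYNs never answers, so a
            # plain Connect() would hang far longer than $TimeoutMs.
            $ar = $client.BeginConnect($h, $Port, $null, $null)
            if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $result.Error = "connect timed out after ${TimeoutMs}ms (filtered upstream?)"
            } else {
                $client.EndConnect($ar)   # throws if the peer actively refused
                $result.Reachable = $true
                # A real MTA greets with a "220 ..." line; reading it proves we reached
                # SMTP rather than just completing a TCP handshake with a proxy.
                $stream = $client.GetStream()
                $stream.ReadTimeout = $TimeoutMs
                $reader = New-Object System.IO.StreamReader($stream)
                $result.Banner = $reader.ReadLine()
                $writer = New-Object System.IO.StreamWriter($stream)
                $writer.WriteLine("QUIT")
                $writer.Flush()
            }
        } catch {
            $result.Error = $_.Exception.Message
        } finally {
            $client.Close()
        }
        $result
    }
}

# Compare a smart host or recipient MX with the ISP's own relay. If only the ISP
# relay answers, outbound 25 is being filtered upstream, not broken in Exchange.
Test-OutboundSmtp -HostName 'smarthost.example.net', 'smtp.isp.example.net' |
    Format-Table -AutoSize Host, Port, Reachable, Banner, Error
```

A timeout on every external host with the ISP relay still reachable is exactly the pattern described in this thread; a "refused" error instead points at the remote side or a firewall that answers with a reset. Running this before touching certificates separates network reachability from TLS configuration, which are reported through the same "Unable to connect" queue error.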

Author Closing Comment

by:AJ524
ID: 36534809
Short version:  It was the ISP blocking port 25 after setting up a new cable modem the night before.  Wish the client had mentioned that.