Solved

Outbound Email Not Flowing From Exchange 2007 after TLS Certificate Renewal

Posted on 2011-09-09
Last Modified: 2012-08-13
Hello All,

I have a client with a SBS2008 server, so Exchange 2007 is the email software. Everything was running fine until a self-signed TLS cert expired; then, when we rebooted the server for maintenance, the Exchange Transport service would not start. When the server came back up, everything worked except outbound mail. Users were getting messages that their outbound emails were delayed on the server. Server logs showed:
"There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of <server.domain.local>. The existing certificate for that FQDN has expired."
- (I changed the domain name to protect client anonymity)
- Outbound email uses Postini via Private DNS

I renewed the self signed cert through Exchange Management Shell and I believe that part worked without a problem.  Rebooted the server and I'm still not getting any outbound mail flowing.   Postini reports they see no problem on their end.  

Email is queuing and shows this for all queued messages:
"451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect."

I imagine this is a fairly small thing to fix, but with an angry client with no outbound email, I am finding myself stuck. Does anyone have any suggestions here?

Thanks!

Andrew

Question by:AJ524
18 Comments
 

Expert Comment

by:JohnGrunwell
ID: 36512701
Did you remove the old cert in PowerShell?

Expert Comment

by:JohnGrunwell
ID: 36512708
Get-ExchangeCertificate | fl

Author Comment

by:AJ524
ID: 36512732
No, the old cert is still there. Actually, there were two certs that had expired. One was "remote.domain.com" and the other was the FQDN "sbs.domain.local". I renewed them both just in case, even though I know we're not using the name "remote" anywhere.

Expert Comment

by:JohnGrunwell
ID: 36512764
When you run Get-ExchangeCertificate I'm guessing there are multiple thumbprints there. Is the new cert enabled for IIS?

Author Comment

by:AJ524
ID: 36512786
The new cert is not enabled for IIS, but then again, neither was the old one. The IIS cert is a 3rd-party cert which we purchased so that mobile devices and web browsers wouldn't panic when connecting for remote mail, etc.

Author Comment

by:AJ524
ID: 36512796
The new cert is set up for IMAP, POP and SMTP.

Author Comment

by:AJ524
ID: 36512849
Quick update... ran the mail flow troubleshooter and it says "Cannot contact the external DNS server." Postini's outbound email filtering relies on private DNS and a valid TLS cert to complete the connection, so just another sign pointing to the cert.

Expert Comment

by:JohnGrunwell
ID: 36513176
When the old TLS cert expired did you add the same certificate domains?

Expert Comment

by:JohnGrunwell
ID: 36513225
All Exchange services are started? (services.msc)

Author Comment

by:AJ524
ID: 36513228
I renewed both certs by thumbprint like so:
Get-ExchangeCertificate -thumbprint "<thumbprint>" | New-ExchangeCertificate

So it seems to have added the certificate domains automatically, right?


Author Comment

by:AJ524
ID: 36513237
Yes, all of the Exchange services started. Right now I am going to remove the old certs and see where that gets me. I know it's something small I'm missing here.

Expert Comment

by:JohnGrunwell
ID: 36513274
The send connector is correct and enabled?

Accepted Solution

by:
JohnGrunwell earned 2000 total points
ID: 36513344

Author Comment

by:AJ524
ID: 36513383
Good detail here. Made some minor adjustments for security purposes.

[PS] C:\Users\exchadmin\Desktop>Get-ExchangeCertificate -domain "sbs08.pawal
aw.local" | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-sbs08-CA
NotAfter           : 5/25/2012 7:51:58 PM
NotBefore          : 5/26/2011 7:51:58 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 42F41AC0000000000009
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=sbs08.domain.local
Thumbprint         : THUMB-PRINT-0F646A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 9/9/2012 11:00:03 AM
NotBefore          : 9/9/2011 11:00:03 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : SERIAL-7FCE15
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : THUMB-PRINT-5943CA

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {remote.domain.com, domain.com, sbs08.domain.local
                     }
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=remote.domain.com
NotAfter           : 9/9/2012 10:58:18 AM
NotBefore          : 9/9/2011 10:58:18 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : SERIAL-7340DE
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.domain.com
Thumbprint         : THUMB-PRINT-4F6CFB

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.domain.com, domain.com, sbs08.domain.local
                     }
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-sbs08-CA
NotAfter           : 8/18/2011 5:02:36 PM
NotBefore          : 8/18/2009 5:02:36 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : SERIAL-000005
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=remote.domain.com
Thumbprint         : THUMB-PRINT-674EE6

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, sbs08.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-sbs08-CA
NotAfter           : 8/18/2011 3:25:26 PM
NotBefore          : 8/18/2009 3:25:26 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : SERIAL-000002
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : THUMB-PRINT-F2280B



[PS] C:\Users\exchadmin\Desktop>

Author Comment

by:AJ524
ID: 36513641
Reviewing my command line, I spotted this. This is likely related...

[PS] C:\Users\exchadmin\Desktop>Enable-ExchangeCertificate THUMB-PRINT-4F6CFB
cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Services: smtp, pop, imap
WARNING: This certificate will not be used for external TLS connections with an
 FQDN of 'sbs08.domain.local' because the CA-signed certificate with
thumbprint 'THUMB-PRINT-0F646A' takes precedence. The
following connectors match that FQDN: Default sbs08, Reinjection.

Confirm
Overwrite existing default SMTP certificate,
'THUMB-PRINT-5943CA' (expires 9/9/2012 11:00:03 AM), with
 certificate 'THUMB-PRINT-4F6CFB' (expires 9/9/2012
10:58:18 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

Assisted Solution

by:AJ524
AJ524 earned 0 total points
ID: 36514642
I solved the problem.  

So it turns out the cable company had supplied the client with a new commercial cable modem late last night and I was not informed. The cable company misconfigured the cable modem with a set of rules usually applied to residential clients, in particular the blocking of outbound port 25.

This became apparent to me when I removed the private DNS configuration and tried connecting to recipient mail servers directly using the Exchange mail flow test suite and was still unable to connect. I then did what I should have done from the beginning... open a command line and telnet to one of those recipient mail servers directly. My connection attempt was blocked, and when I then tried connecting to the ISP's own SMTP server, that worked, so the source of my misery was then obvious.

I called the ISP, explained the problem, they confirmed my suspicion and re-provisioned the cable modem properly, and the mail queue immediately emptied. Thank you very much for your help, JohnGrunwell.

Andrew
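Added example (not part of the thread, and not the author's or Exchange's own code): a PowerShell version of the telnet check the author describes, so the "connect to the recipient MX, then to the ISP's relay" comparison can be run in one go from the Exchange server. The host names are placeholders to replace with a real recipient MX host and the ISP's SMTP relay; the HELO name defaults to the local computer name.

```powershell
# Added example, not from the thread: scripted version of the telnet check the author used.
# Host names are placeholders; use the recipient's MX host and your ISP's SMTP relay.
function Test-OutboundSmtp {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000,
        [string]$HeloName = $env:COMPUTERNAME
    )
    $result = New-Object PSObject -Property @{
        Server = $Server; Port = $Port; Connected = $false
        Banner = $null; StartTls = $false; Problem = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout: a filtered port 25 usually hangs instead of refusing.
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.Problem = "Connect timed out after $TimeoutMs ms (port likely filtered)"
            return $result
        }
        $client.EndConnect($async)
        $result.Connected = $true
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true
        $result.Banner = $reader.ReadLine()      # e.g. "220 mx.example ESMTP"
        $writer.WriteLine("EHLO $HeloName")
        # EHLO reply is multi-line: "250-" lines continue, "250 " (space) ends it.
        do {
            $line = $reader.ReadLine()
            if ($line -match '^250[ -]STARTTLS') { $result.StartTls = $true }
        } while ($line -ne $null -and $line -match '^\d{3}-')
        $writer.WriteLine("QUIT")
    } catch {
        $result.Problem = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

# Reaching the ISP relay but not the recipient MX is the signature of an outbound port 25 block.
'mx.recipient.example', 'smtp.isp.example' |
    ForEach-Object { Test-OutboundSmtp -Server $_ } |
    Format-Table Server, Connected, StartTls, Banner, Problem -AutoSize
```

A connect timeout on every recipient MX while the ISP relay answers matches the "421 4.2.1 Unable to connect" queue status from the question; a successful connect whose EHLO reply lacks STARTTLS would instead point back at TLS negotiation rather than at port filtering.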

Author Closing Comment

by:AJ524
ID: 36534809
Short version:  It was the ISP blocking port 25 after setting up a new cable modem the night before.  Wish the client had mentioned that.

Author Comment

by:AJ524
ID: 36514659
.