Exchange 2010 - Cannot connect to port 25 (421 4.3.2 Service not available)

Hi All,

I have an Exchange Server 2010 running on SBS2011Std that is refusing incoming connections today (was okay up until now).

If I try to telnet in from outside I get:

421 4.3.2 Service not available

Connection to host lost.

I am not sure if this is related, but it seems likely: there are non-stop errors in the event log:

Source:  schannel
Event ID:  36887
The following fatal alert was received: 46

Finally, my suspicion is that this has been caused by us trying to renew the external TLS certificate (Go Daddy) which was done a couple of days ago, and the old one would have expired today.

I have researched all of the above on the net, but have gotten precisely nowhere.

Any thoughts would be appreciated.

Thanks,

Alan.
Alan (Consultant) asked:
Adam Farage (Sr. Enterprise Architect) commented:
Error 46 = Unknown TLS Certificate. This is typically caused by one of two reasons:

1) You did not import the certificate properly
2) You did not enable the certificate for the SMTP service and then restart the services afterwards (transport + IIS)

I would first check to see if the SSL certificate is valid. Look for it, make sure it shows up as IsValid = True and that it has the private key. Furthermore, look to make sure the services are assigned properly (Pop, Imap, IIS, SMTP):

Get-ExchangeCertificate | FL

If you notice that the services above are not assigned to your GoDaddy public SSL certificate, and that the certificate (and intermediate / root cert) is installed, then I would enable those services:

Enable-ExchangeCertificate -Thumbprint <insert thumbprint without brackets here> -Services IIS, Pop, IMAP, SMTP

Once that is done restart the services Microsoft Exchange Transport and IIS. That should do it...

.. now in the event that you see SMTP assigned to the old certificate, I would just remove it by running the following:
Remove-ExchangeCertificate -Thumbprint <insert thumbprint without brackets here - OLD CERTIFICATE> 

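The checks Adam lists (valid, has the private key, SMTP bound, intermediate present, then restart) can be run as one script. The following is an added example, not Adam's code and not part of Exchange; it runs in the Exchange Management Shell on the server, changes nothing, and only prints the Enable-/Remove-ExchangeCertificate commands for you to run. The `$WarnDays` threshold is an assumption; MSExchangeTransport and `iisreset` are the standard service names for the restart step.

```powershell
# Added example (not from the thread): audit the certificates Exchange 2010 has
# bound to services, rebuild each one's chain from the local machine store, and
# summarise recent Schannel 36887 alerts. Read-only; run in the Exchange
# Management Shell on the server.
param([int]$WarnDays = 14)   # assumed threshold for "expiring soon"

$now = Get-Date

foreach ($exCert in Get-ExchangeCertificate) {
    $services = "$($exCert.Services)"
    # Unbound certificates cannot be the one Exchange presents on port 25.
    if ($services -eq 'None') { continue }

    # The 2010 EMS is a remote session and returns deserialised objects, so
    # reload the real certificate from LocalMachine\My before building a chain.
    $cert = Get-Item "Cert:\LocalMachine\My\$($exCert.Thumbprint)" -ErrorAction SilentlyContinue
    if ($cert -eq $null) {
        Write-Warning "$($exCert.Thumbprint) is bound to $services but is not in LocalMachine\My"
        continue
    }

    # Build the chain the way Schannel does. A missing intermediate or an
    # untrusted root fails here, and shows up to remote peers as TLS alert 46
    # (certificate_unknown) even though Get-ExchangeCertificate reports Valid.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk   = $chain.Build($cert)
    $chainInfo = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $problems = @()
    if (-not $cert.HasPrivateKey)    { $problems += 'no private key' }
    if ($exCert.Status -ne 'Valid')  { $problems += "status $($exCert.Status)" }
    if ($daysLeft -lt 0)             { $problems += 'EXPIRED' }
    elseif ($daysLeft -lt $WarnDays) { $problems += "expires in $daysLeft days" }
    if (-not $chainOk)               { $problems += "chain: $chainInfo" }

    $summary = 'none'
    if ($problems.Count -gt 0) { $summary = $problems -join '; ' }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Services   = $services
        NotAfter   = $cert.NotAfter
        Problems   = $summary
    } | Format-List Subject, Thumbprint, Services, NotAfter, Problems

    if ($problems.Count -gt 0 -and $services -match 'SMTP') {
        Write-Warning "SMTP is bound to a certificate with problems: $($cert.Thumbprint)"
        Write-Host "  Bind the good one:  Enable-ExchangeCertificate -Thumbprint <NEW-THUMBPRINT> -Services IIS,POP,IMAP,SMTP"
        Write-Host "  Then restart:       Restart-Service MSExchangeTransport; iisreset"
        Write-Host "  Remove the old one: Remove-ExchangeCertificate -Thumbprint $($cert.Thumbprint)"
    }
}

# Schannel 36887 "fatal alert was received: 46" is the remote side rejecting
# the certificate we presented; a burst that starts at the renewal is the tell.
Get-EventLog -LogName System -Source Schannel -After $now.AddDays(-1) -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 36887 } |
    Group-Object Message |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

The chain build is the step that answers the "do I need to install the intermediate into Exchange itself?" question: Schannel assembles the chain from the machine's Intermediate and Trusted Root stores, so if `X509Chain.Build` succeeds on the server, nothing further needs to be imported into Exchange.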
David Atkin (Technical Director) commented:
With this being SBS your alternative is to run the Fix my Network wizard from the SBS Console>Network>Connectivity

This will check the certificates in IIS and confirm that they are associated correctly in Exchange.
Alan (Consultant, Author) commented:
@Adam:  I ran the Get-ExchangeCertificate | FL command, and this is what it returned (I replaced things that might be bad to post publicly, but let me know if any of them are needed by you):

AccessRules        : 
CertificateDomains : {remote.example.com, www.remote.example.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy
                     .com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 15 Aug 2016 19:18:02
NotBefore          : 11 Aug 2015 10:14:38
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : {ReplacedByAlanBeforePostingToExpertsExchange}
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.example.com, OU=Domain Control Validated
Thumbprint         : {ReplacedByAlanBeforePostingToExpertsExchange}

AccessRules        : 
CertificateDomains : {SBS2011Server.example.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=example-SBS2011Server-CA
NotAfter           : 3 Jun 2016 12:40:49
NotBefore          : 4 Jun 2015 12:40:49
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : {ReplacedByAlanBeforePostingToExpertsExchange}
Services           : None
Status             : Valid
Subject            : CN=SBS2011Server.example.local
Thumbprint         : {ReplacedByAlanBeforePostingToExpertsExchange}

AccessRules        : 
CertificateDomains : {example-SBS2011Server-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=example-SBS2011Server-CA-CA
NotAfter           : 16 Jul 2019 09:46:55
NotBefore          : 16 Jul 2014 09:36:55
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : {ReplacedByAlanBeforePostingToExpertsExchange}
Services           : None
Status             : Valid
Subject            : CN=example-SBS2011Server-CA
Thumbprint         : {ReplacedByAlanBeforePostingToExpertsExchange}

AccessRules        : 
CertificateDomains : {WMSvc-WIN-PJEQKO94199}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-PJEQKO94199
NotAfter           : 13 Jul 2024 09:34:59
NotBefore          : 16 Jul 2014 09:34:59
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : {ReplacedByAlanBeforePostingToExpertsExchange}
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-PJEQKO94199
Thumbprint         : {ReplacedByAlanBeforePostingToExpertsExchange}

So it appears that the certificate is valid, that the server has the private key, and that the services are assigned properly (Pop, Imap, IIS, SMTP).  However, there does not appear to be any mention in there of an intermediate certificate.  When I renewed the GoDaddy cert, I followed their instructions to install their intermediate cert into the cert store on the server.

If I go into the certificate store (MMC), and go to the 'Intermediate Certification Authorities\Certificates', I do see 'Go Daddy Root Certificate Authority - G2' certificate in there.

There are also a couple of Go Daddy certs in the root certificate store.

If I open our own Go Daddy cert from the EMC - Server - Exchange Certificates list, it confirms there that the certification path is validly anchored to a trusted root cert.

Do I need to somehow install the intermediate cert into Exchange itself?

In terms of the services to restart, I did both of:

IIS Admin Service
Microsoft Exchange Transport

Are those the correct ones?

Thanks for your help - I really appreciate it.  Getting worried that this will be an issue into next week!

Alan.
Alan (Consultant, Author) commented:
@David:

I ran the 'Fix My Network' wizard, and it shows the following three 'issues' all of which I believe were there previously, and have not caused any problems before:

1) Network Adapter has multiple IP Addresses

This is due to a requirement of a LoB app on another machine that wants to connect to a fixed IP

2) The DNS Server is not listening to the IP Address of the primary network adapter

It is listening on the other IP - this has not caused any problems previously.

3) DNS is using a DNS forwarder

We changed it from root hints since the DNS forwarder is much faster overall.  We know that if the forwarder IP were to change, we would have to change this.

None of those shout to me as having anything to do with the certificate issue / exchange not responding on port 25, but what do you think?

Thanks,

Alan.
Alan (Consultant, Author) commented:
Hi Guys,

For the avoidance of doubt, I have now rebooted the server, so all services have definitely been restarted.

However, nothing has changed - I am still getting the same (421 4.3.2 Service not available) error when I try connecting to Port 25 from outside.

Thanks,

Alan.
Adam Farage (Sr. Enterprise Architect) commented:
Is Windows Firewall, or any other firewall / AV, installed local to the machine?

You could very well be blocking TCP 25...
Alan (Consultant, Author) commented:
@Adam:

No firewall (except the standard install that came with SBS2011 and we haven't touched that for at least a year).

Also, if I attempt to telnet into port 25 I get the following results:

1. Outside

421 4.3.2 Service not available

2. Inside - Domain Joined Machine

220 (Normal response ready to accept incoming email)

3. Inside - Non Domain Linux Machine

220 (Normal response ready to accept incoming email)

If a firewall (or faulty router or similar) was stopping communication to the Exchange Service on port 25 from outside, would I expect to get a '421 4.3.2 Service not available' error?

Thanks,

Alan.
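The three telnet tests above are the key diagnostic in this thread, and the question of what a firewall drop would look like is worth answering with code. The following is an added example, not part of the thread: it repeats the port-25 test from whatever host it is run on, distinguishes a silent timeout (nothing forwarded) from a listener that answers 421 or 220, and then drives EHLO and STARTTLS to show which certificate the listener actually presents. `$Server` defaults to the thread's redacted hostname as a placeholder and `$EhloName` is a constructed value; run it from outside and from inside and compare.

```powershell
# Added example (not from the thread): scriptable version of the telnet test,
# plus STARTTLS so the certificate on port 25 can be compared from each vantage.
param(
    [string]$Server   = 'remote.example.com',     # placeholder, use your MX host
    [int]$Port        = 25,
    [int]$TimeoutMs   = 10000,
    [string]$EhloName = 'probe.example.invalid'   # constructed EHLO name
)

function Read-SmtpReply($reader) {
    # Multi-line replies use "250-text" continuation lines and end with "250 text".
    $lines = @()
    do {
        try { $line = $reader.ReadLine() } catch { break }   # read timeout
        if ($line -eq $null) { break }                      # peer closed
        $lines += $line
    } while ($line -match '^\d{3}-')
    return $lines
}

$client = New-Object System.Net.Sockets.TcpClient
$async  = $client.BeginConnect($Server, $Port, $null, $null)
if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
    # A silent timeout is the firewall / missing-NAT signature: nothing answers.
    Write-Host "No answer on ${Server}:$Port within $TimeoutMs ms (dropped or not forwarded)."
    $client.Close(); return
}
try   { $client.EndConnect($async) }
catch { Write-Host "Connection refused: $($_.Exception.Message)"; return }

$stream = $client.GetStream()
$stream.ReadTimeout = $TimeoutMs
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true

$banner = Read-SmtpReply $reader
Write-Host "Banner: $($banner -join ' | ')"
if ($banner.Count -eq 0 -or $banner[0] -notmatch '^220') {
    # A 421 came from something that accepted the TCP connection (a listener
    # or a proxy), not from a firewall drop, which would have timed out above.
    Write-Host 'Verdict: something answered the connection but is not accepting mail.'
    $client.Close(); return
}
Write-Host 'Verdict: a listener answered 220 and is accepting connections.'

$writer.WriteLine("EHLO $EhloName")
$ehlo = Read-SmtpReply $reader
if (-not ($ehlo -match 'STARTTLS')) { Write-Host 'STARTTLS not offered.'; $client.Close(); return }

$writer.WriteLine('STARTTLS')
$reply = Read-SmtpReply $reader
if ($reply[0] -notmatch '^220') { Write-Host "STARTTLS refused: $($reply[0])"; $client.Close(); return }

# Accept any certificate here: the goal is to see what is presented, not to trust it.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
try {
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS OK ($($ssl.SslProtocol)); certificate presented on port $Port"
    Write-Host "  Subject:    $($cert.Subject)"
    Write-Host "  Issuer:     $($cert.Issuer)"
    Write-Host "  Thumbprint: $($cert.Thumbprint)"
    Write-Host "  Expires:    $($cert.NotAfter)  (still valid: $($cert.NotAfter -gt (Get-Date)))"
} catch {
    Write-Host "TLS handshake FAILED: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

If the thumbprint reported from outside differs from the one reported from inside, the outside connection is not reaching the same listener (a router, proxy or other device is answering on port 25), which is exactly the kind of path problem the thread ends up finding.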
Alan (Consultant, Author) commented:
Hi All,

Now I feel like a total idiot!

Adam's question above made me do those tests internally and externally, and gave the results as above.

There is no firewall, but it made me wonder if the gateway router was actually transmitting packets from outside to port 25 on the Exchange Server or not, so I checked its config, and all looked good. I figured it best to be as sure as possible, so I wiped the gateway router's config and restored it from backup... and now things appear to be working fine.

My sincere apologies for the wild goose chase - and sincere thanks for walking the path with me, as it led to the solution even though I misled you (and myself!)

Thanks,

Alan.