Exchange 2010 SSL/TLS certificate presenting on port 25

Hello Experts,
I have an issue that I am not sure where to begin to fix. We have an SSL cert for our Exchange 2010 server that is used for IIS, SMTP, POP and IMAP.

We have several Ubuntu servers that connect to the Exchange server via TLS. Starting today, our Linux admin says that the cert is not being presented when connecting to port 25, but it is when connecting to port 443.

I am not sure where to look for this. My understanding was, as long as the SSL cert is installed and assigned to services, it will present the cert.

The command our Linux admin is using is:

echo | openssl s_client -ssl3 -msg -state -connect <name of exchange server>:25

echo | openssl s_client -ssl3 -msg -state -connect <name of exchange server>:443

When using port 25 a message comes up that says:
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
140027732485792:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1446577982
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

When using 443 it shows the certificate, the issuer and the SSL-Session.

I am not familiar with these Linux commands, so I am not 100% sure what it's doing. The Linux admin said it was working yesterday but I can't verify that.

I'm not sure how to tell exchange to present the certificate on port 25. I've always assumed that was a given.
msidnamAsked:

Jeff LewandowskiCommented:
"when using 443 it shows the certificate, the issuer and the SSL-Session."

Port 25 will not show the certificate and will not start the handshake.  It is an unsecured SMTP port.  You need to use port 443 for this purpose.
msidnamAuthor Commented:
What about when starting a TLS session on port 25?
Jeff LewandowskiCommented:
Sorry read it too fast.  Any updates to the servers, changes to the certificate, changes to the TLS settings on the Exchange server or Ubuntu servers?

Seems like they can't agree on a protocol version.  Are there older versions of TLS, SSL enabled?
msidnamAuthor Commented:
No updates to the Exchange server or certs. I will ask about Linux updates.

I used a PowerShell script and a program called IIS Crypto about a year or so ago to remove all the weak ciphers. But I haven't changed anything since. Below is a pic of what I have enabled. This hasn't changed for a while.

[screenshot: SSL/TLS ciphers]
Jeff LewandowskiCommented:
Check with the Linux admin about which versions of TLS are enabled on the Ubuntu servers.  

Also, your screen shot shows SSL 3.0 as disabled.  The Linux admin is using "SSL-Session:
    Protocol  : SSLv3"

That might be why you are getting the "SSL3_GET_RECORD:wrong version" error.  Have the Linux admin disable SSL 3.0 on the Ubuntu servers and then re-test it.
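Added example, not code from the thread, from Exchange or from OpenSSL: it shows what the "SSL handshake has read 5 bytes" and "wrong version number" lines in the question actually mean, and how a probe of a STARTTLS port differs from a probe of port 443. The TLS record layer reads a 5-byte header (type, two version bytes, length) before anything else and rejects a version it does not recognise. Port 25 greets in plaintext SMTP ("220 ..."), so those 5 bytes are the banner, not a TLS record; port 443 speaks TLS from the first byte, which is why the same command shows a certificate there. The host name and SMTP banner below are constructed; the s_client excerpt is copied from the output posted in the question. Note also that the `-ssl3` flag in the posted commands pins the probe to SSL 3.0, which the screenshot discussed above shows as disabled on the Exchange server; `probe_command` therefore pins no version and lets the two sides negotiate.

```python
# Added example: decode what openssl s_client saw on port 25 and build a
# probe that matches how each port starts TLS. Not from the thread; host
# name and SMTP banner are constructed.
from typing import Dict, List

# Version fields a TLS/SSL record header may legitimately carry.
RECORD_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}
# Record content types: change_cipher_spec, alert, handshake, application_data.
RECORD_TYPES = {20, 21, 22, 23}
# Ports where TLS is started by an in-protocol command (STARTTLS) and the
# s_client option that drives it; 443 and 465 are implicit TLS instead.
STARTTLS_PORTS = {25: "smtp", 587: "smtp", 110: "pop3", 143: "imap"}


def parse_record_header(data: bytes) -> Dict[str, object]:
    """Read the first 5 bytes the way the TLS record layer does.

    OpenSSL reads a 5-byte header first and compares its version field with
    the version it is speaking; that comparison is what fails with
    'wrong version number' (the s3_pkt.c error in the question)."""
    if len(data) < 5:
        raise ValueError("a record header is 5 bytes")
    content_type, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    version = RECORD_VERSIONS.get((major, minor))
    return {
        "content_type": content_type,
        "version_bytes": (major, minor),
        "version": version,  # None: the peer is not speaking TLS here
        "length": length,
        "looks_like_tls": version is not None and content_type in RECORD_TYPES,
    }


def diagnose_first_reply(data: bytes) -> str:
    """Classify the first bytes a server sent on the connection."""
    if parse_record_header(data)["looks_like_tls"]:
        return "tls-record"
    # An SMTP listener greets in plaintext with "220 <host> ..." (RFC 5321).
    if data[:4] in (b"220 ", b"220-"):
        return "smtp-banner-needs-starttls"
    return "not-tls"


def probe_command(host: str, port: int) -> List[str]:
    """Build an openssl s_client command that matches how the port starts
    TLS. No protocol version is pinned, so client and server negotiate the
    highest version both still allow."""
    cmd = ["openssl", "s_client"]
    if port in STARTTLS_PORTS:
        cmd += ["-starttls", STARTTLS_PORTS[port]]
    cmd += ["-connect", f"{host}:{port}"]
    return cmd


def classify_s_client_output(output: str, port: int) -> str:
    """Map s_client's text output to a likely cause."""
    if "-----BEGIN CERTIFICATE-----" in output:
        return "certificate-presented"
    if "wrong version number" in output:
        return "wrong-version-on-starttls-port" if port in STARTTLS_PORTS else "wrong-version"
    if "handshake failure" in output:
        return "handshake-failure"
    return "unknown"


# Constructed plaintext greeting, as a mail server sends it on connect.
SMTP_BANNER = b"220 mail.example.internal Microsoft ESMTP MAIL Service ready\r\n"

# Excerpt of the s_client output posted in the question.
PORT25_OUTPUT = """\
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
140027732485792:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
---
SSL handshake has read 5 bytes and written 7 bytes
"""

if __name__ == "__main__":
    hdr = parse_record_header(SMTP_BANNER)
    print("version bytes seen:", hdr["version_bytes"], "->", hdr["version"])
    print("first reply:", diagnose_first_reply(SMTP_BANNER))
    print("posted output:", classify_s_client_output(PORT25_OUTPUT, 25))
    print("probe:", " ".join(probe_command("mail.example.internal", 25)))
```

Run against the constructed banner, the version bytes come out as the ASCII codes of "2" and "0", which no TLS stack accepts, so the classifier reports that port 25 needs a STARTTLS probe rather than a raw TLS connect. Re-running the same check with `probe_command` on both 25 and 443 gives a like-for-like comparison of which certificate each service presents.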

msidnamAuthor Commented:
When I sent the screenshot I got to thinking the same thing, but if I change the port from 25 to 443, it responds back with the cert info.
msidnamAuthor Commented:
My Linux admin never got back with me after I asked him the question. So I am thinking it's something on his end.