Windows Server - SMTP TLS

Asked By wildgoosed on 03-Sep-09 07:41 AM
Hey everyone.

I have a funny feeling that my smtp service on Exchange 2007 is not
doing TLS.

I first noticed this when I was attempting to connect my iPhone to my
exchange server. It keeps failing on making an encrypted connection to
the exchange smtp service (imaps works fine).

When I telnet into port 25 on the Exchange server, and type ehlo I see
the following supported authentications...

250-SIZE
250-DSN
250 AUTH NTLM

Should I be seeing something regarding TLS ?

Thanks!




Rich Matheisen [MVP] replied on 31-Aug-09 01:20 PM
If that is all you see, I am gonna guess that that is not your Exchange
server you are connected to. :-)
---
Rich Matheisen
MCSE+I, Exchange MVP
wildgoosed replied on 03-Sep-09 07:41 AM
Hey Rich,

I am pretty sure it is.

telnet 192.168.1.8 25 (local ip for this server)

220 london.ia.localMicrosoft ESMTP MAIL Service ready at Mon, 31 Aug
2009 12:16
ehlo
250-london.ia.local Hello [192.168.0.20]
250-SIZE
250-DSN
250 AUTH NTLM
Ed Crowley [MVP] replied on 31-Aug-09 03:52 PM
What does Get-ExchangeCertificate show?
--
Ed Crowley MVP
.

wildgoosed replied on 03-Sep-09 07:41 AM

I ran the get-exchangecertificate | FL command and it shows I have a
couple certificates (including the certificate that was created when
we installed exchange) as being enabled for smtp.

Any ideas?
wildgoosed replied on 03-Sep-09 07:41 AM

In addition, I am receiving the following error.

The name on the security certificate is invalid or does not match the
name of the site.

I know this is a problem, however would this be breaking smtp tls on
this server?
Ed Crowley [MVP] replied on 31-Aug-09 05:48 PM
You show two certificates enabled for SMTP.  I am not sure which one is
actually being used but you should review what certs you have installed and
whether they are appropriate for the purposes.  Usually the self-signed
certificate that is installed by default is sufficient for SMTP unless
you are doing something special.  You might want to disable your
www.domain.ca cert from SMTP and enable it only for IIS.
--
Ed Crowley MVP
.

Andy David {MVP} replied on 31-Aug-09 06:30 PM
You should upgrade that iPhone! Version 2 and 3 use ActiveSync.
Rich Matheisen [MVP] replied on 31-Aug-09 09:10 PM
[ snip ]


Here is what you should be seeing if you say EHLO to your default SMTP
receive connector:

250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST

So, is it your default receive connector you are connecting to? And if
it is, where did all the other keywords disappear to?

Do you have more than one receive connector for this machine? If you
do, is the one that works with your remoteiprange configured
correctly? Use "get-receiveconnector | fl" and check the values of
these properties:

AuthMechanism
BinaryMimeEnabled
ChunkingEnabled
EightBitMimeEnabled
EnhancedStatusCodesEnabled
PipeliningEnabled

Maybe someone's "secured" your receive connector to the point it no
longer functions the way you expect it to?
---
Rich Matheisen
MCSE+I, Exchange MVP
wildgoosed replied on 03-Sep-09 07:41 AM
[ snip ]

I have done some testing here and here are my results so far.

I installed the telnet client on the server and locally connected to
port 25. I issued the ehlo command and got the following!

220 london.ia.local Microsoft ESMTP MAIL Service ready at Tue, 1 Sep
2009 11:04:
46 -0600
ehlo
250-london.ia.local Hello [::1]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST

This Exchange server is behind a firewall, but there is no smtp proxy
so I do not understand why clients on our network and clients outside
our network see different connections options.

Here is the output from get-receiveconnectors

[PS] C:\Windows\System32>get-receiveconnector

Identity              Bindings              Enabled
--------              --------              -------
LONDON\Default LONDON {:::25, 0.0.0.0:25}   True
LONDON\Client LONDON  {:::587, 0.0.0.0:587} True

Here is some output from get-receiveconnectors | fl

Identity                                : LONDON\Default LONDON
Ed Crowley [MVP] replied on 01-Sep-09 04:09 PM
port, which is now 587 to eliminate the need to enable relay on your regular
SMTP port to support POP and IMAP clients.
--
Ed Crowley MVP
.

Rich Matheisen [MVP] replied on 01-Sep-09 08:32 PM
[ snip ]


There is obviously something different here. You connected to the same
machine and issued the same command (EHLO) and got two different
results????

I'd sure as heck have a look at that firewall. You /say/ it is not a
SMTP proxy. Are you positive that it is not doing ugly things with
SMTP? Is it not passing all the ESMTP keywords from the SMTP server
back to the SMTP client?


I do not think, based on your 2nd EHLO connection that your problem has
anything to do with Exchange.


Usually, yes. There are the 'default' (listening on port 25) and 'client'
(listening on port 587) receive connectors.
---
Rich Matheisen
MCSE+I, Exchange MVP
Rich Matheisen [MVP] replied on 01-Sep-09 08:41 PM
[ snip ]

[ snip ]


I'd bet not. If it was it would not pass the EHLO command to Exchange
(which is probably what is sending the ESMTP keywords) -- unless it is
making up its own set of ESMTP keywords.

What do you see in Exchange's SMTP receive log files, EHLO or HELO?
---
Rich Matheisen
MCSE+I, Exchange MVP
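Rich's two checks above (compare the EHLO keyword list you expect against the one you actually get, and look at whether something in the path is stripping keywords such as STARTTLS) can be made mechanical. The script below is an added example for this thread, not code from the thread or from Microsoft. The expected keyword list is the one Rich quotes for an Exchange 2007 default receive connector, and the two transcripts are constructed from the EHLO output posted in the thread (inside the firewall from the server itself, and from a client that only saw SIZE, DSN and AUTH). The `live_ehlo` helper uses the standard-library `smtplib` to pull a list from a running server; the host and port it takes are whatever the person running it supplies.

```python
"""Parse SMTP EHLO replies, flag a missing STARTTLS, and diff two lists.

Added example for this thread; not code from the thread or from
Microsoft. Expected keywords and sample transcripts come from the
EHLO output posted in the thread.
"""
import smtplib

# Keywords Rich lists for an Exchange 2007 default receive connector.
EXPECTED_EXCHANGE_2007 = frozenset({
    "SIZE", "PIPELINING", "DSN", "ENHANCEDSTATUSCODES", "STARTTLS",
    "X-ANONYMOUSTLS", "AUTH", "X-EXPS", "8BITMIME", "BINARYMIME",
    "CHUNKING", "XEXCH50", "XRDST",
})

# Constructed from the thread: EHLO as seen on the server itself (telnet to ::1).
INSIDE = """\
220 london.ia.local Microsoft ESMTP MAIL Service ready at Tue, 1 Sep 2009 11:04:46 -0600
ehlo
250-london.ia.local Hello [::1]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
"""

# Constructed from the thread: the same server as seen from a client on the LAN.
OUTSIDE = """\
220 london.ia.local Microsoft ESMTP MAIL Service ready at Mon, 31 Aug 2009 12:16
ehlo
250-london.ia.local Hello [192.168.0.20]
250-SIZE
250-DSN
250 AUTH NTLM
"""


def parse_ehlo(transcript):
    """Return {KEYWORD: [params]} from the 250-/250 lines of an EHLO reply.

    The first 250 line carries the server's domain and greeting text
    (RFC 5321 section 4.1.1.1), not a capability, so it is skipped.
    Non-reply lines (the 220 banner, the typed EHLO) are ignored, so a
    raw telnet paste can be fed in as-is.
    """
    caps = {}
    seen_greeting = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line.startswith("250") or len(line) < 4:
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        fields = line[4:].split()      # drop "250-" or "250 "
        if fields:
            caps[fields[0].upper()] = fields[1:]
    return caps


def advertises_starttls(caps):
    """True when the server offered STARTTLS in its EHLO reply."""
    return "STARTTLS" in caps


def stripped_capabilities(observed, expected=EXPECTED_EXCHANGE_2007):
    """Keywords in `expected` that are missing from `observed`, sorted.

    Pass the inside-the-firewall list as `expected` and the outside list
    as `observed` to see exactly what a device in the path removed.
    """
    return sorted(set(expected) - set(observed))


def live_ehlo(host, port=25, timeout=10):
    """Fetch the capability list from a running server (not run offline).

    smtplib lowercases feature names; upper-case them so the result is
    directly comparable with parse_ehlo() output.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return {k.upper(): v.split() for k, v in conn.esmtp_features.items()}


def report(inside_text, outside_text):
    """Summarise STARTTLS availability and what the path stripped."""
    inside = parse_ehlo(inside_text)
    outside = parse_ehlo(outside_text)
    return {
        "starttls_inside": advertises_starttls(inside),
        "starttls_outside": advertises_starttls(outside),
        "stripped_in_path": stripped_capabilities(outside, expected=inside),
    }


if __name__ == "__main__":
    for key, value in report(INSIDE, OUTSIDE).items():
        print(f"{key}: {value}")
```

Run it once from the server and once from the client that is failing, then diff the two lists. A STARTTLS that shows up in one list and not the other points at whatever sits between the two vantage points rather than at Exchange, which is the conclusion the thread reaches.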
Ed Crowley [MVP] replied on 01-Sep-09 09:04 PM
That's what it always is.
--
Ed Crowley MVP
.