SMTP Certificate 'Does not support TLS'

  • SMTP Certificate 'Does not support TLS'

    Hiya,

    A colleague has asked me to have a look at this one and I think I'm missing something.

    Exchange 2010, MxToolbox says 'Does not support TLS'. So I thought it was an easy one: just assign the self-signed certificate to the SMTP service. SMTP already has a self-signed but valid certificate assigned to it. Not sure what I'm missing; can anyone see/think what I've done wrong or overlooked?

    Please see attached pics...

    Thanks

    Dave

  • #2
    Re: SMTP Certificate 'Does not support TLS'

    Enter your email address on this site:
    http://www.checktls.com/perl/TestReceiver.pl
    You will get much more info regarding any issues.
    "...if I turn out to be particularly clear, you've probably misunderstood what I've said” - Alan Greenspan



    • #3
      Re: SMTP Certificate 'Does not support TLS'

      Verify whether TLS is supported using a self signed certificate. I always use a 3rd Party SAN or Wildcard certificate for Exchange.



      • #4
        Re: SMTP Certificate 'Does not support TLS'

        Thanks for that, quite a nice little test site!
        Yes, I have other sites that have a self-signed certificate and TLS works just fine...

        The results are:

        [000.206] Connected to server
        [000.365] 220 mail.domaininquestion.com Microsoft ESMTP MAIL Service ready at Thu, 29 Nov 2012 08:01:18 +0000
        [000.366] We are allowed to connect
        [000.478] EHLO checktls.com
        [000.636] 250-mail.domaininquestion.com Hello [204.225.38.191]
        250-SIZE 10485760
        250-PIPELINING
        250-DSN
        250-ENHANCEDSTATUSCODES
        250-AUTH
        250-8BITMIME
        250-BINARYMIME
        250 CHUNKING

        [000.637] We can use this server
        [000.687] TLS is not an option on this server
        [000.688] --> MAIL FROM: <[email protected]>
        [000.845] <-- 250 2.1.0 Sender OK
        [000.845] Sender is OK
        [000.959] --> RCPT TO: <[email protected]>
        [001.116] <-- 250 2.1.5 Recipient OK
        [001.118] Recipient OK, E-mail address proofed
        [001.120] --> QUIT
        [001.277] <-- 221 2.0.0 Service closing transmission channel
        Last edited by QuattroDave; 29th November 2012, 11:25.

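The transcript above, checked programmatically. This is an added example, not code from the thread or from checktls.com: it parses a raw EHLO reply the way an MTA does and reports whether STARTTLS was among the advertised extensions, which is exactly what the "TLS is not an option on this server" line means. The two EHLO replies embedded below are constructed (the first from the transcript in this post, with the same placeholder host names; the second is what a connector that does offer TLS would send), and `probe_starttls()` runs the same check against a live server with Python's smtplib. The EHLO name `probe.example.invalid` is a placeholder. On Exchange 2010 a receive connector only advertises STARTTLS when a certificate enabled for SMTP carries the connector's FQDN, which is why the later replies turn to the certificate subject.

```python
"""Probe an SMTP server the way checktls.com does: connect, send EHLO, and
see whether STARTTLS is among the advertised extensions.

Added example, not code from the original thread. The raw EHLO replies
below are constructed; host names are the thread's placeholders.
"""
import smtplib

# Constructed from the checktls transcript in the post above: the server
# lists eight extensions and STARTTLS is not one of them.
EHLO_RESPONSE_NO_TLS = (
    "250-mail.domaininquestion.com Hello [204.225.38.191]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-AUTH\r\n"
    "250-8BITMIME\r\n"
    "250-BINARYMIME\r\n"
    "250 CHUNKING\r\n"
)

# Constructed: the same connector once a usable certificate is bound to SMTP.
EHLO_RESPONSE_TLS = (
    "250-mail.otherdomain.com Hello [204.225.38.191]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH\r\n"
    "250-8BITMIME\r\n"
    "250-BINARYMIME\r\n"
    "250 CHUNKING\r\n"
)


def parse_ehlo(response: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameters}.

    RFC 5321: every line starts with '250', continuation lines use '250-',
    the last line '250 '. The first line is the greeting, not an extension.
    """
    lines = [ln for ln in response.splitlines() if ln.strip()]
    if not lines or not all(ln.startswith("250") for ln in lines):
        raise ValueError("not a successful EHLO reply")
    extensions = {}
    for ln in lines[1:]:            # skip the greeting line
        body = ln[4:].strip()       # drop '250-' or '250 '
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def starttls_offered(response: str) -> bool:
    """True if the server advertised STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(response)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check against a real server (not run by the tests).

    Returns the parsed extension list and whether STARTTLS is offered,
    mirroring the 'TLS is not an option on this server' line from checktls.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo("probe.example.invalid")  # placeholder EHLO name
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg.decode(errors='replace')}")
        # smtplib has already parsed the reply; has_extn() lower-cases the keyword.
        return {
            "host": host,
            "extensions": dict(smtp.esmtp_features),
            "starttls": smtp.has_extn("starttls"),
        }


if __name__ == "__main__":
    for label, resp in (("domaininquestion", EHLO_RESPONSE_NO_TLS),
                        ("otherdomain", EHLO_RESPONSE_TLS)):
        verdict = "STARTTLS offered" if starttls_offered(resp) else "TLS is not an option on this server"
        print(f"{label}: {verdict}")
```

Run it as a script to see the two verdicts, or call `probe_starttls("mail.example.com")` from a host that can reach port 25 to repeat the checktls test yourself; the advertised list is all a sending MTA ever sees, so a missing STARTTLS line is the whole story from the outside.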


        • #5
          Re: SMTP Certificate 'Does not support TLS'

          No exchange server handy, but aren't there TLS options on the send and receive connectors?
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: SMTP Certificate 'Does not support TLS'

            Hiya,

            Yes, the receive connector does have TLS settings, but they are fine.

            I was on a similar server this morning (where TLS works fine) and noticed the certificate 'Subject' used for SMTP was:

            'CN=mail.otherdomain.com'

            whereas on the server in question the certificate 'Subject' used for SMTP reads:

            'CN=server1'

            Does the certificate have to match the FQDN? Do I generate a new certificate and use it just for SMTP?

            Many thanks

            Dave
            Last edited by QuattroDave; 29th November 2012, 15:20. Reason: typo



            • #7
              Re: SMTP Certificate 'Does not support TLS'

              For TLS to work, the common name should match the host name that the clients are connecting to.
              TLS is the same as all other SSL operations: it needs to pass all three tests, i.e. date valid, trusted and matching host name. Some MTAs will ignore the trust.

              Therefore, if you have a certificate with the common name of "server", then that is unlikely to work reliably. Using a self-signed certificate is unlikely to work reliably.

              Simon.
              --
              Simon Butler
              Exchange MVP

              Blog: http://blog.sembee.co.uk/
              More Exchange Content: http://exchange.sembee.info/
              Exchange Resources List: http://exbpa.com/
              In the UK? Hire me: http://www.sembee.co.uk/

              Sembee is a registered trademark, used here with permission.

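The three tests named in the reply above (date valid, trusted, matching host name), applied to the certificate an SMTP server presents after STARTTLS. This is an added example, not code from the thread: the certificate dictionaries are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, using the 'CN=server1' and 'CN=mail.otherdomain.com' subjects from the thread as placeholders, and the name matching follows the usual rule that SAN dNSName entries take precedence over the CN. In `probe_tls()` trust is left to the TLS handshake against the system roots while the name and date checks are done here, so a trusted chain with the wrong CN is still reported; `require_trust=False` mimics an MTA that ignores trust, as the reply says some do. The EHLO name `probe.example.invalid` is a placeholder.

```python
"""Run the three checks (date valid, trusted, matching host name) against the
certificate an SMTP server presents after STARTTLS.

Added example, not code from the thread. The certificate dictionaries are
constructed in the shape ssl.SSLSocket.getpeercert() returns; host names
are the thread's placeholders.
"""
import smtplib
import ssl
from datetime import datetime, timezone
from typing import Optional

# Constructed: the subject the poster saw on the server that fails ('CN=server1').
CERT_SERVER1 = {
    "subject": ((("commonName", "server1"),),),
    "notBefore": "Nov  1 00:00:00 2012 GMT",
    "notAfter": "Nov  1 00:00:00 2017 GMT",
}

# Constructed: a certificate issued for the mail host, with SAN entries.
CERT_MAIL = {
    "subject": ((("commonName", "mail.otherdomain.com"),),),
    "subjectAltName": (("DNS", "mail.otherdomain.com"),
                       ("DNS", "autodiscover.otherdomain.com")),
    "notBefore": "Nov  1 00:00:00 2012 GMT",
    "notAfter": "Nov  1 00:00:00 2017 GMT",
}


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for: SAN dNSName entries if present,
    otherwise the subject commonName (RFC 6125: CN is ignored once a SAN exists)."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or a wildcard covering exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return False


def hostname_ok(cert: dict, host: str) -> bool:
    return any(name_matches(n, host) for n in cert_names(cert))


def dates_ok(cert: dict, now: Optional[datetime] = None) -> bool:
    """notBefore <= now <= notAfter, using the ssl module's own time parser."""
    ts = (now or datetime.now(timezone.utc)).timestamp()
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= ts
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def check_cert(cert: dict, host: str, now: Optional[datetime] = None) -> dict:
    return {"host_matches": hostname_ok(cert, host), "dates_valid": dates_ok(cert, now)}


def probe_tls(host: str, port: int = 25, require_trust: bool = True) -> dict:
    """Live probe (not run by the tests). Trust is decided by the handshake
    (CERT_REQUIRED against the system roots); name and date checks are ours.
    require_trust=False accepts a self-signed chain like an opportunistic MTA,
    in which case the ssl module returns no parsed certificate to inspect."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # name check is done by hostname_ok()
    if not require_trust:
        ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host, "starttls": False, "trusted": None}
    smtp = smtplib.SMTP(host, port, timeout=10)
    try:
        smtp.ehlo("probe.example.invalid")  # placeholder EHLO name
        if not smtp.has_extn("starttls"):
            return result
        result["starttls"] = True
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            result.update(trusted=False, error=str(exc))
            return result
        result["trusted"] = True if require_trust else None
        cert = smtp.sock.getpeercert()    # {} when verify_mode is CERT_NONE
        if cert:
            result.update(check_cert(cert, host))
    finally:
        smtp.close()                      # plain close; a probe need not QUIT
    return result


if __name__ == "__main__":
    now = datetime(2013, 1, 15, tzinfo=timezone.utc)
    print("server1 cert vs mail.domaininquestion.com:",
          check_cert(CERT_SERVER1, "mail.domaininquestion.com", now))
    print("mail cert vs mail.otherdomain.com:",
          check_cert(CERT_MAIL, "mail.otherdomain.com", now))
```

The offline run shows the poster's situation directly: the 'CN=server1' certificate is in date but names no mail host, so it fails the host-name test even if a peer were willing to trust it. Against a live server, `probe_tls("mail.example.com")` reports whether STARTTLS is offered at all and, when it is, which of the three tests the presented certificate passes.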