SMTP Certificate ‘Does not support TLS’


This topic contains 6 replies, has 6 voices, and was last updated by Egyptian _Hacker71 7 years, 4 months ago.

    QuattroDave
    Member
    #160433

    Hiya,

    A colleague has asked me to have a look at this one and I think I’m missing something.

    Exchange 2010, Mxtoolbox says ‘Does not support TLS’. So I thought easy one, just assign the self signed certificate to the SMTP service. SMTP already has a self signed but valid certificate assigned to it. Not sure what I’m missing, can anyone see/think what I’ve done wrong or overlooked?

    Pls see attached pics…

    Thanks

    Dave

    Lior_S
    Member
    #282978

    Re: SMTP Certificate ‘Does not support TLS’

    Enter your email address on this site:
    http://www.checktls.com/perl/TestReceiver.pl
    You will get much more info regarding any issues.

    Virtual
    Member
    #334432

    Re: SMTP Certificate ‘Does not support TLS’

    Verify whether TLS is supported using a self signed certificate. I always use a 3rd Party SAN or Wildcard certificate for Exchange.

    #384229

    Re: SMTP Certificate ‘Does not support TLS’

    Thanks for that, quite a nice little test site..!
    Yes I have other sites that have self signed certificate and TLS works just fine…

    The results are:-

    [000.206] Connected to server
    [000.365] 220 mail.domaininquestion.com Microsoft ESMTP MAIL Service ready at Thu, 29 Nov 2012 08:01:18 +0000
    [000.366] We are allowed to connect
    [000.478] EHLO checktls.com
    [000.636] 250-mail.domaininquestion.com Hello [204.225.38.191]
    250-SIZE 10485760
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-AUTH
    250-8BITMIME
    250-BINARYMIME
    250 CHUNKING
    [000.637] We can use this server
    [000.687] TLS is not an option on this server
    [000.688] --> MAIL FROM:
    [000.845] <-- 250 2.1.0 Sender OK
    [000.845] Sender is OK
    [000.959] --> RCPT TO:
    [001.116] <-- 250 2.1.5 Recipient OK
    [001.118] Recipient OK, E-mail address proofed
    [001.120] --> QUIT
    [001.277] <-- 221 2.0.0 Service closing transmission channel

    Ossian
    Moderator
    #187668

    Re: SMTP Certificate ‘Does not support TLS’

    No Exchange server handy, but aren’t there TLS options on the send and receive connectors?

    #384230

    Re: SMTP Certificate ‘Does not support TLS’

    Hiya,

    Yes, receive connector does have TLS settings but they are fine.

    Was on a similar server this morning (where TLS works fine) and noticed the certificate ‘Subject’ used for SMTP was:

    ‘CN=mail.otherdomain.com’

    whereas on the server in question the certificate ‘Subject’ used for SMTP reads:

    ‘CN=server1’

    Does the certificate have to match the FQDN, do I generate a new certificate and use it just for SMTP??

    Many thanks

    Dave

    Sembee
    Member
    #261005

    Re: SMTP Certificate ‘Does not support TLS’

    For TLS to work, the common name should match the host name that the clients are connecting to.
    TLS is the same as all other SSL operations, it needs to pass all three tests – date valid, trusted and matching host name. Some MTAs will ignore the trust.

    Therefore if you have a certificate with the common name of “server” then that is unlikely to work reliably. Using a self signed certificate is unlikely to work reliably.

    Simon.
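
Added example, not part of the thread and not code from any poster: the EHLO reply in the checktls transcript above lists no STARTTLS keyword, and a client can only upgrade to TLS when the server advertises it (RFC 3207). The Python sketch below parses an EHLO reply (sample lines copied from that transcript) and, in a separate live function, repeats the check against a server you administer and applies the three certificate tests named in the last reply; the function names `ehlo_extensions`, `offers_starttls` and `probe` are hypothetical.

```python
import smtplib
import ssl

# EHLO reply copied from the checktls transcript posted in the thread.
SAMPLE_EHLO = """250-mail.domaininquestion.com Hello [204.225.38.191]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING"""


def ehlo_extensions(reply):
    """Return {KEYWORD: params} from a multi-line 250 EHLO reply (RFC 5321)."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    exts = {}
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        last = i == len(lines) - 1
        # Continuation lines use "250-", only the final line uses "250 ".
        if code != "250" or sep != (" " if last else "-"):
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        if i == 0:
            continue  # first line is the server greeting, not an extension
        keyword, _, params = rest.partition(" ")
        exts[keyword.upper()] = params
    return exts


def offers_starttls(reply):
    return "STARTTLS" in ehlo_extensions(reply)


def probe(host, port=25, timeout=10):
    """Live check (needs network): STARTTLS offered, then date/trust/host name."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "STARTTLS not advertised"
        try:
            # Default context rejects expired, untrusted or mismatched certs.
            smtp.starttls(context=ssl.create_default_context())
        except ssl.SSLCertVerificationError as exc:
            return f"certificate rejected: {exc.verify_message}"
        return f"TLS OK ({smtp.sock.version()})"
    finally:
        smtp.close()
```

`offers_starttls(SAMPLE_EHLO)` returns `False` for the reply posted in the thread; `probe()` is the live equivalent and reports which certificate test failed when the server does offer STARTTLS.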
