I am stumped on this. I have Exchange Server 2003 still in use. I created a valid Let's Encrypt SSL cert, and successfully imported the pfx in my Default SMTP Virtual Server properties, Access tab. Now, clients sending EHLO are told STARTTLS is available. But several of my email clients (which must be set to use STARTTLS if available) stopped being able to send mail. I've used Wireshark to observe successful emails going out before adding the cert (authentication is performed) and again after adding the cert. After adding the cert, EHLO indicates STARTTLS is available. The client sends STARTTLS. The server responds "2.0.0 SMTP server ready". The client sends the SSL Client Hello, and 10 ms later, the SMTP server closes the connection (FIN, ACK packet sent back to the client). That's the end.
Not sure how to diagnose this. Nothing in the event log. I do have a log in the Windows LogFiles\SMTPSvc1 folder. Here is what it shows when STARTTLS is specified and the server hangs up:
2017-10-28 14:20:01 192.168.5.80 localhost 250 0 110
2017-10-28 14:20:01 192.168.5.80 localhost 220 0 0
2017-10-28 14:20:01 192.168.5.80 localhost 220 0 0
2017-10-28 14:20:01 192.168.5.80 localhost 503 2148074248 31
2017-10-28 14:20:01 192.168.5.80 localhost 240 203 31
For reference, when I remove the cert, so no STARTTLS is sent, the client authenticates and then sends successfully, and here are the log entries:
2017-10-28 13:43:26 192.168.5.80 localhost 250 0 0
2017-10-28 13:43:26 192.168.5.80 localhost 250 0 0
2017-10-28 13:43:26 192.168.5.80 localhost 250 0 0
2017-10-28 13:43:26 192.168.5.80 localhost 250 0 281
2017-10-28 13:43:26 192.168.5.80 localhost 240 703 0
And in case someone knows what's in here and it may be helpful, here are the final two packets traced - the Client Hello and the RST hangup...
No. Time Source Destination Protocol Length Info
17 2017-10-28 09:41:05.669172000 192.168.5.80 192.168.1.11 SSL 583 Client Hello
Frame 17: 583 bytes on wire (4664 bits), 583 bytes captured (4664 bits) on interface 0
Internet Protocol Version 4, Src: 192.168.5.80 (192.168.5.80), Dst: 192.168.1.11 (192.168.1.11)
Transmission Control Protocol, Src Port: 48022 (48022), Dst Port: 25 (25), Seq: 27, Ack: 485, Len: 517
Source Port: 48022 (48022)
Destination Port: 25 (25)
[Stream index: 1]
[TCP Segment Len: 517]
Sequence number: 27 (relative sequence number)
[Next sequence number: 544 (relative sequence number)]
Acknowledgment number: 485 (relative ack number)
Header Length: 32 bytes
.... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
Window size value: 237
[Calculated window size: 30336]
[Window size scaling factor: 128]
Checksum: 0x87d7 [validation disabled]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 512
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 508
Version: TLS 1.2 (0x0303)
Random
Session ID Length: 0
Cipher Suites Length: 124
Cipher Suites (62 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 343
Extension: server_name
Type: server_name (0x0000)
Length: 17
Server Name Indication extension
Server Name list length: 15
Server Name Type: host_name (0)
Server Name length: 12
Server Name: 192.168.1.11
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 10
Elliptic Curves Length: 8
Elliptic curves (4 curves)
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 32
Signature Hash Algorithms Length: 30
Signature Hash Algorithms (15 algorithms)
Extension: Unknown 22
Type: Unknown (0x0016)
Length: 0
Data (0 bytes)
Extension: Unknown 23
Type: Unknown (0x0017)
Length: 0
Data (0 bytes)
Extension: Padding
Type: Padding (0x0015)
Length: 248
Padding Data: 000000000000000000000000000000000000000000000000...
No. Time Source Destination Protocol Length Info
18 2017-10-28 09:41:05.675195000 192.168.1.11 192.168.5.80 TCP 66 25→48022 [FIN, ACK] Seq=485 Ack=544 Win=64992 Len=0 TSval=52648030 TSecr=1233339601
Frame 18: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Internet Protocol Version 4, Src: 192.168.1.11 (192.168.1.11), Dst: 192.168.5.80 (192.168.5.80)
Transmission Control Protocol, Src Port: 25 (25), Dst Port: 48022 (48022), Seq: 485, Ack: 544, Len: 0
Source Port: 25 (25)
Destination Port: 48022 (48022)
[Stream index: 1]
[TCP Segment Len: 0]
Sequence number: 485 (relative sequence number)
Acknowledgment number: 544 (relative ack number)
Header Length: 32 bytes
.... 0000 0001 0001 = Flags: 0x011 (FIN, ACK)
Window size value: 64992
[Calculated window size: 64992]
[Window size scaling factor: 1]
Checksum: 0x9699 [validation disabled]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
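Added example, not part of the original post and not code from Microsoft or the poster: a small STARTTLS probe that replays the exchange seen in the capture (banner, EHLO, STARTTLS, then a TLS handshake pinned to one protocol version) and reports exactly where the server drops the session, so the behaviour can be tested per TLS version rather than guessed at from the FIN. The stub server in the block is constructed to mimic the symptom described above (it answers 220 to STARTTLS and closes as soon as the ClientHello arrives); the host, port and helo name are placeholders; and the interpretation of the third numeric column of the SMTPSvc1 log as the W3C sc-win32-status field is an assumption.

```python
import socket
import ssl
import threading


def read_reply(sock):
    """Read one complete (possibly multi-line) SMTP reply.
    Returns (code, lines); raises ConnectionError if the peer hangs up."""
    lines, buf = [], b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed connection")
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            lines.append(text)
            if len(text) < 4 or text[3] == " ":   # "250 " ends the reply, "250-" continues it
                return int(text[:3]), lines


def describe_client_hello(data):
    """Decode the record-layer and handshake-layer headers of a raw ClientHello,
    i.e. the two 'Version' fields Wireshark shows in frame 17."""
    names = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
    if len(data) < 11 or data[0] != 0x16:        # 0x16 = Handshake content type
        return None
    rec = int.from_bytes(data[1:3], "big")
    hello = int.from_bytes(data[9:11], "big")
    return {"handshake_type": data[5],            # 1 = ClientHello
            "record_version": names.get(rec, hex(rec)),
            "client_version": names.get(hello, hex(hello))}


def probe_starttls(host, port, tls_version, helo="probe.example"):
    """Replay the captured exchange, then handshake with a single pinned TLS version.
    Returns a one-line verdict saying how far the server got."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # diagnostic only: we want the handshake, not cert validation
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = tls_version
    with socket.create_connection((host, port), timeout=5) as sock:
        code, _ = read_reply(sock)
        if code != 220:
            return f"unexpected banner ({code})"
        sock.sendall(f"EHLO {helo}\r\n".encode("ascii"))
        code, lines = read_reply(sock)
        if code != 250 or not any(l[4:].upper().startswith("STARTTLS") for l in lines):
            return "STARTTLS not advertised"
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(sock)
        if code != 220:
            return f"STARTTLS refused ({code})"
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except OSError as exc:          # ssl.SSLError is an OSError subclass
            closed = isinstance(exc, (ssl.SSLEOFError, ConnectionResetError))
            if closed or "EOF" in str(exc).upper():
                return "server closed connection during TLS handshake"
            return f"handshake failed: {exc.__class__.__name__}: {exc}"
        with tls:
            return f"negotiated {tls.version()} with {tls.cipher()[0]}"


class StarttlsStub(threading.Thread):
    """Constructed stand-in for the server in the question: advertises STARTTLS,
    answers 220 to it, then drops the connection once the ClientHello arrives."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.create_server(("127.0.0.1", 0))
        self.port = self.listener.getsockname()[1]
        self.client_hello = b""

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        with conn:
            conn.sendall(b"220 localhost ESMTP ready\r\n")
            self._read_line(conn)                        # EHLO
            conn.sendall(b"250-localhost Hello\r\n250-STARTTLS\r\n250 OK\r\n")
            self._read_line(conn)                        # STARTTLS
            conn.sendall(b"220 2.0.0 SMTP server ready\r\n")
            self.client_hello = conn.recv(4096)          # then FIN, as frame 18 shows

    @staticmethod
    def _read_line(conn):
        data = b""
        while not data.endswith(b"\r\n"):
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
        return data


def run_against_stub(tls_version=ssl.TLSVersion.TLSv1_2):
    """Exercise the probe against the stub; returns (verdict, decoded ClientHello)."""
    stub = StarttlsStub()
    stub.start()
    verdict = probe_starttls("127.0.0.1", stub.port, tls_version)
    stub.join(timeout=5)
    return verdict, describe_client_hello(stub.client_hello)


def win32_status_hex(value):
    """Assumed sc-win32-status column of the SMTPSvc1 log, written in decimal, as an HRESULT:
    2148074248 -> 0x80090308, which is Schannel's SEC_E_INVALID_TOKEN."""
    return f"0x{value & 0xFFFFFFFF:08X}"


if __name__ == "__main__":
    print(run_against_stub())               # stub reproduces the close after ClientHello
    print(win32_status_hex(2148074248))     # decode the 503 line from the log
```

To test the real server, call `probe_starttls("192.168.1.11", 25, ssl.TLSVersion.TLSv1)` and again with `TLSv1_2`; a server that completes one and closes the other has a protocol or cipher-suite mismatch rather than a certificate problem. Note that current OpenSSL builds will not offer TLS 1.0 at the default security level, so for that run you also need `ctx.set_ciphers("DEFAULT:@SECLEVEL=0")` inside `probe_starttls`.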