
We have set up a Windows Server virtual SMTP server (under the IIS 6 manager). In the SMTP settings, TLS encryption is enabled and the FQDN field is "sharepoint.mycompany.com".

In the server's cert store "Personal" folder we have the certificate "sharepoint.mycompany.com". The real FQDN of the server is "server01.testdomain.com". For some reason we cannot apply a cert for testdomain.com. Pinging "sharepoint.mycompany.com" resolves to our server's IP.

We need to send email by relaying through our company's public SMTP server. The SMTP server admin said they don't care about the cert name as long as there is a cert issued by our company's CA (which we already have).

After some tests, the connection is established. However, we got a "No client certificate presented" response:

```
STARTTLS

220+2.0.0+Ready+to+start+TLS

EHLO sharepoint.mycompany.com

21+4.7.1 +Error:+No+client+certificate+presented
```

My question is, how do I test or configure the certificate? In the Windows virtual SMTP manager, there is no place to set up which certificate we are using. Also, I heard that the OpenSSL program must be used to request a standard cert. Our cert was generated with IIS 7. I am not sure whether that is the cause, because the error message is not complaining about the format or validity of the cert.

Thanks for advice.

Mark
  • You should try with openssl to start TLS like: `openssl s_client -connect sharepoint.mycompany.com:25 -starttls smtp` – vx3r Sep 11 '19 at 08:08
  • @vx3r but I am not the public SMTP server admin. Should I try the command on the local host of the virtual SMTP? – Mark Sep 11 '19 at 08:10
  • @vx3r I tested on the virtual SMTP localhost; it seems to return the information of another cert (sharepointtest.mycompany.com) installed on the same server. Is that the problem? Can I set the correct cert "sharepoint.mycompany.com" as 1st priority? – Mark Sep 11 '19 at 08:15
  • Maybe; refer to this to configure the right certificate: https://support.microsoft.com/en-ie/help/4014125/how-to-configure-iis-smtp-for-outgoing-tls-authentication – vx3r Sep 11 '19 at 08:32
  • Our STARTTLS uses port 587. So I type `openssl s_client -connect sharepoint.mycompany.com:587 -starttls smtp` and get the following: `8964:error:0200274D:system library:connect:reason(1869):crypto\bio\b_sock2.c:110:` `8964:error:2008A067:BIO routines:BIO_connect:connect error:crypto\bio\b_sock2.c:111:` `connect:errno=0` – Mark Sep 11 '19 at 08:33
  • Wrong, the flow is SMTP on 25 then STARTTLS on 587; it's done automatically by the server, and the first openssl command follows the flow. Your server has to pick the right certificate – vx3r Sep 11 '19 at 08:37
  • @vx3r thanks. I followed the URL and was able to configure the right cert. Running the same command on port 25 returns a bunch of information. The last few lines return `Verify return code: 20 (unable to get local issuer certificate)` – Mark Sep 11 '19 at 08:43
  • That means openssl does not know your root CA cert; you can add the option `-CAfile /etc/ssl/certs/ca.pem` to specify the CA certificate – vx3r Sep 11 '19 at 09:03
  • I believe you can try to connect with the actual client software, if in the bunch of information you have the right certificate – vx3r Sep 11 '19 at 09:05
  • @vx3r Finally we can connect to the server by generating a new cert with OpenSSL. The old cert generated with IIS cannot be verified for some unknown reason. Since my question is asking how to test and you definitely answered it, would you write down your answer and I will mark it as the answer. Thank you. – Mark Sep 12 '19 at 04:21

1 Answer

You should try with openssl to start TLS like:

```
openssl s_client -connect sharepoint.mycompany.com:25 -starttls smtp
```

The flow is SMTP on 25 then STARTTLS on 587; it's done automatically by the server, and the openssl command follows the flow. Your server has to present the right certificate.

vx3r
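As an added example (not from the question or the answer above), the same EHLO -> STARTTLS -> EHLO flow that `openssl s_client -starttls smtp` drives, written with Python's `smtplib`/`ssl`, so the probe can also present a client certificate and report which names the server's certificate actually carries. It assumes the company CA bundle and the client cert/key are PEM files on disk; the host name, port and `ehlo_name` default are taken from the question, and `probe_starttls` is a hypothetical helper name.

```python
import smtplib
import ssl

def build_context(cafile=None, client_cert=None, client_key=None):
    """Trust the company CA (the -CAfile equivalent) and, if PEM files are given, present a client cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # diagnostic probe: report a name mismatch instead of aborting on it
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx

def cert_names(cert):
    """DNS names a getpeercert()-style dict claims: SAN dNSName entries first, then the subject CN."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names

def name_matches(cert, hostname):
    """Case-insensitive hostname match, allowing a single leading wildcard label (*.example.com)."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def probe_starttls(host, port=25, ehlo_name="sharepoint.mycompany.com",
                   cafile=None, client_cert=None, client_key=None):
    """Drive EHLO -> STARTTLS -> EHLO (the flow openssl s_client -starttls smtp follows) and report."""
    ctx = build_context(cafile, client_cert, client_key)
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo(ehlo_name)
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server did not advertise STARTTLS")
        code, reply = smtp.starttls(context=ctx)   # expect 220 2.0.0 Ready to start TLS
        cert = smtp.sock.getpeercert()             # the server certificate this client was shown
        code2, reply2 = smtp.ehlo(ehlo_name)       # a 4.7.1 'No client certificate presented' appears here
        return {"starttls": (code, reply.decode()),
                "ehlo_after_tls": (code2, reply2.decode()),
                "server_cert_names": cert_names(cert),
                "name_matches_host": name_matches(cert, host)}
```

Chain verification stays on, so a CA the client does not trust fails with an `SSLCertVerificationError`, the counterpart of openssl's `Verify return code: 20`.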