0

Some time ago I set up an SMTP server on a Windows Server 2019 machine. The FQDN for this server is smtp.mydomain.com and the smart host is set as smtp-relay.gmail.com, though I don't think that this is important.

I installed a wildcard certificate (*.mydomain.com) generated by the Let's Encrypt CA to the Personal store and was able to set up TLS for the SMTP server:

enter image description here

Now, I want to update the certificate. For this, I installed an updated certificate with the same subject (CA=*.mydomain.com) generated by the same CA to the Personal store. Then I stopped the SMTP server and deleted the old certificate. After that, I started the server and went to check if the new certificate had been caught, but it was not!

enter image description here

The message tells "TLS is not available without a certificate." that means that SMTP server cannot find the correct certificate. I read a dozen blogs and QAs, but was unable to resolve this.

Does anybody know how to correctly update a certificate for an SMTP server on a Windows Server 2019 machine?

Update -- The new certificate contains a private key and works fine for a web server running on the same machine.

Dmitry Nikolaev
  • 139
  • 1
  • 2
  • 8

2 Answers2

2

I have same issue with some differences.
I am in the middle of investigation, my up to now findings:

I do not use wildcard certificate, I have Let's Encrypt certificate with SANs. It had worked for several months, three renews were done without any issue. Now, after the fourth renew SMTP stopped working. The last working certificate was issued on 2020-07-28, the renewal was done on 2020-09-22. If the certificate is a root of the problem, then there was some change on Let's Encrypt's side in this time period.

The bahaviour is strange. When smtpsvc service starts, it finds the certificate, it logs

A TLS server certificate was found for SMTP virtual server instance '1' with thumbprint <certificate_thumbprint_removed>. TLS will be available for this virtual-server.

in the Event Log, but in Internet Information Services (IIS) 6.0 Manager in SMTP Virtual Server properties on tab Access in Secure communication section I can see

TLS is not available without a certificate.

There had to be some changes in certificate itself, or there were some Windows updates changing smtpsvc functionality or there were some changes regarding SSL/TLS.

By the way, I found Microsoft has a bug in the code of the smtpsvc service. If you use a certificate with Subject Alternative Names (SAN), when it searches for suitable certificate it does not check Commmon Name (CN), it checks the first entry in SAN list only! If the first SAN matches the FQDN entered on tab Delivery, button Advanced..., in the field Fully-qualified domain name, smtpsvc will use the certificate. If matching name is in CN or in the second, third, etc. place in SAN list, it will not use the certificate and log

No usable TLS server certificate for SMTP virtual server instance '1' could be found. TLS will be disabled for this virtual-server.

rga.cz
  • 36
  • 1
  • Thank you for your insights. I've generated a separate certificate with a single specific CN and this certificate was accepted by IIS. – Dmitry Nikolaev Nov 02 '20 at 07:47
  • Very few responses on the web mention that the TLS certificate must match the "Fully-qualified domain name" under Delivery -> Advanced. In hindsight, it's "duh", but this threw us off. Add to that the absence of a private key... – Mayyit Oct 25 '22 at 07:08
0

We ran into the same issue - wildcard replaced with wildcard, but it turned out we had to use legacy wildcard instead of regular one and then turn off outbound tls, restart smtp, turn on tls, restart again and after that it was working as intended.

papski
  • 1
  • 1