
We are using Securence incoming filtering in front of our Exchange 2010 server. It's basically a spam filter. I'm trying to get TLS communication between Securence and our server on incoming connections. We have a signed cert from GoDaddy installed on the Exchange server and assigned to SMTP. I also have the FQDN of the SSL cert assigned to my receive connector. However, the Securence mail logs state:

"failed TLS negotiation: Cannot accept self-signed certificate"

There are two other self-signed certs on the Exchange server. They have no remove option, so I assume they are required by Exchange; is that correct? Assuming they are, I get the impression from the error that Securence provides that they are seeing these certs instead of our signed one from GoDaddy. The only reason that I can think of for this would be that the signed cert does not have the internal name of our Exchange server on it. Do you think that would cause this problem? Or do you think there's something else I'm missing?

Update:

I was able to remove the self-signed certs with this command:

# Delete every certificate Exchange reports as self-signed, without prompting for confirmation
Get-ExchangeCertificate | ?{$_.IsSelfSigned -eq $true} | Remove-ExchangeCertificate -Confirm:$false

Unfortunately I still get the error mentioned above. There are no self-signed certificates on the server. The only issue I can see is that my cert doesn't have the internal DNS name (server.domain.local) listed as a Subject Alternative Name. I will continue to troubleshoot with the filtering company; maybe something is wrong on their end...

skinneejoe

1 Answer

Exchange creates self-signed certs when you first install it. They may still be being used.

  • Open Exchange Management Console
  • Go to Microsoft Exchange On-Premises → Server Configuration
  • In the bottom pane, right click the Godaddy certificate → Assign Services to Certificate

Make sure all the services are checked to use the Godaddy certificate, then right click the old certificates and click remove. If it's no longer being used for anything, it will let you remove them.

It's possible you have different receive connectors setup for internal vs external connections, and that's why your spam filter sees a different certificate than outside connections do.

Grant
  • I have assigned the GoDaddy cert to SMTP, but the other self-signed certs are also assigned to SMTP, and the check boxes to un-assign them are greyed out. There's also no remove option in EMC. However, I just found out I could remove them using PowerShell with this command: Get-ExchangeCertificate | ?{$_.IsSelfSigned -eq $true} | Remove-ExchangeCertificate -Confirm:$false I'll see if that helps the situation... – skinneejoe Sep 23 '14 at 20:20
  • If you can't remove them from the exchange console, try from mmc.exe -> Certificates. – Grant Sep 23 '14 at 20:23
  • I removed the self-signed certs, but still the error in the mail logs of my spam provider says: "failed TLS negotiation: Cannot accept self-signed certificate" – skinneejoe Sep 23 '14 at 21:00
  • Use http://www.checktls.com/ to test which certificate your server is presenting. – Grant Sep 24 '14 at 00:53
  • CheckTLS.com returns the correct certificate. I ran this past the tech support at our SPAM filter company and they are escalating the issue to top tier support. Hopefully they will help me find a resolution. – skinneejoe Sep 24 '14 at 14:54
  • If CheckTLS.com is returning the right certificate, and not showing any other errors, the error is likely on their side. The only other thing I can think to check is that CheckTLS.com shows that all the chained certificates are being sent (the godaddy intermediate and root certificates for your cert). – Grant Sep 24 '14 at 15:38
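The answer's procedure (bind the GoDaddy certificate to SMTP, then check which certificate each receive connector actually hands out, then confirm the chain) can be done from the Exchange Management Shell instead of clicking through the EMC. The script below is an added example; it is not code from the question, the answer, or Microsoft. It assumes the server is named EXCH01, that the public certificate carries the name mail.example.com, and that inbound mail from the filtering service arrives on a dedicated receive connector named "Internet"; all three are placeholders to replace.

```powershell
# Added example (not from the original post or from Microsoft). Run in the Exchange
# Management Shell on the Exchange 2010 server. It lists the certificates and their
# SMTP binding, works out which certificate each Receive connector would present for
# STARTTLS, and then binds the public certificate to SMTP on the inbound connector.
#
# Assumed values (replace them): server EXCH01, public name mail.example.com, and a
# dedicated inbound connector called "Internet".
$Server     = 'EXCH01'
$PublicName = 'mail.example.com'
$Connector  = "$Server\Internet"

# Names carried by a certificate, as plain strings. CertificateDomains is a collection
# of domain objects, so the string form is what we compare against a connector Fqdn.
function Get-CertNames {
    param($Certificate)
    @($Certificate.CertificateDomains | ForEach-Object { "$_" })
}

# Exchange 2010 picks the STARTTLS certificate for a connector by matching the
# connector's Fqdn against the subject/SAN names of certificates enabled for SMTP.
# With no match it falls back to a self-signed certificate, which is exactly what a
# remote MTA then reports as "cannot accept self-signed certificate". CA-issued
# certificates win over self-signed ones here; wildcard names are not expanded.
function Get-ConnectorCertificate {
    param([string]$Fqdn, [object[]]$Certificates)
    $Certificates |
        Where-Object { ("$($_.Services)" -like '*SMTP*') -and ((Get-CertNames $_) -contains $Fqdn) } |
        Sort-Object @{Expression='IsSelfSigned'; Ascending=$true},
                    @{Expression='NotAfter';     Descending=$true} |
        Select-Object -First 1
}

$certs = Get-ExchangeCertificate -Server $Server

# 1. Inventory. Status reflects the local chain check: an Untrusted or Invalid value
#    usually means the GoDaddy intermediate is missing from the machine's Intermediate
#    Certification Authorities store, and the server will then send an incomplete
#    chain even though the leaf certificate is the right one.
$certs | Select-Object Thumbprint, IsSelfSigned, Services, Status, NotAfter,
                       @{Name='Names'; Expression={ (Get-CertNames $_) -join ', ' }} |
    Format-Table -AutoSize

# 2. For every Receive connector, show the certificate it would present.
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $match = Get-ConnectorCertificate -Fqdn "$($_.Fqdn)" -Certificates $certs
    $thumb = '(none: self-signed fallback)'
    $self  = $true
    if ($match) { $thumb = $match.Thumbprint; $self = $match.IsSelfSigned }
    New-Object PSObject -Property @{
        Connector  = "$($_.Identity)"
        Fqdn       = "$($_.Fqdn)"
        Thumbprint = $thumb
        SelfSigned = $self
    }
} | Format-Table Connector, Fqdn, Thumbprint, SelfSigned -AutoSize

# 3. Fix: enable the CA-issued certificate for SMTP and point the inbound connector at
#    the same name. Enable-ExchangeCertificate asks before overwriting the default SMTP
#    certificate. The default connector's Fqdn is left alone on purpose: other Exchange
#    servers authenticate to it using the internal name.
$public = $certs |
    Where-Object { -not $_.IsSelfSigned -and ((Get-CertNames $_) -contains $PublicName) } |
    Select-Object -First 1
if (-not $public) { throw "No CA-issued certificate carrying $PublicName is installed on $Server." }

Enable-ExchangeCertificate -Server $Server -Thumbprint $public.Thumbprint -Services SMTP
Set-ReceiveConnector -Identity $Connector -Fqdn $PublicName
```

After the change, re-test from outside (CheckTLS.com, as suggested in the comments above) rather than trusting the local inventory: Get-ExchangeCertificate tells you what is installed and bound, but only a connection from the filtering service's side shows which certificate and chain that particular connector actually presents.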