Rexxer

Some tips for me and others

Exchange 2019 + Receive Connector Certificate Issue

We got an error report from a client about a WordPress mail-sending failure.

Debug:

Email Source: WP Mail SMTP

Mailer: Other SMTP

SMTP Error: Could not connect to SMTP host. Connection failed. stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:

error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

SMTP server error: QUIT command failed

2023-12-18 17:20:35 CLIENT -> SERVER: STARTTLS

2023-12-18 17:20:35 SERVER -> CLIENT: 220 2.0.0 SMTP server ready

2023-12-18 17:20:35 Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [/var/www/html/wp-includes/PHPMailer/SMTP.php line 476]

SMTP Error: Could not connect to SMTP host. Connection failed. stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

2023-12-18 17:20:35 CLIENT -> SERVER: QUIT

SMTP OpenSSL check:

openssl s_client -connect mail.server.com:587 -starttls smtp

CONNECTED(00000003)

depth=0 CN =.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 CN =.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 CN =.com

verify return:1

Certificate chain

 0 s:CN =.com

   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256

   v:NotBefore: Dec 14 18:43:46 2023 GMT; NotAfter: Dec 13 18:43:46 2024 GMT

Server certificate

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

subject=CN =.com

issuer=DC = com,

No client certificate CA names sent

Peer signing digest: SHA256

Peer signature type: RSA

Server Temp Key: ECDH, secp384r1, 384 bits

SSL handshake has read 2679 bytes and written 513 bytes

Verification error: unable to verify the first certificate

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

    Session-ID: 964A0000F62300131AB8EC758DB53C2BDB0EBBBC6CC6AFC58A0D7CFBF4A80680

    Session-ID-ctx:

    Master-Key:

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1703004291

    Timeout   : 7200 (sec)

    Verify return code: 21 (unable to verify the first certificate)

    Extended master secret: yes

250 SMTPUTF8

We checked the Exchange Server:

[PS] C:\>Get-ExchangeCertificate

Thumbprint                                Services   Subject

----------                                --------   -------

D58156A24F5F75F1A5EA288B3FE92CA1B5C33859  .......    CN=.com

A2A66C232FBB1AD846386FDBAC38EBC225844E89  ....S..    CN= V28

745634734DF2974C9441092DBE1DF7E9F2DDDBE7  .......    CN=CLIUSR

9803DE33A89F90B06E2629A7BC52C51969A66017  IP.WS..    CN=.com

2DC2C1DAA06E234ABF57D3E8792FA93320C532DD  .......    CN=CLIUSR

1511938F82535F158ED22F3040E2D900BED6A49D  .......    CN=CLIUSR

027B83E66330CCACF1560F805C0C79AEA93CFC1E  .......    CN=CLIUSR

8C928F1ED907DF896A3DD4216F47C45B2EF3ECE2  ....S..    CN=Microsoft Exchange Server Auth Certificate

9A13D41F2C19D04B1930A79F383E0B948982774B  ....S..    CN= V28

27A2966214A07F6F4C946D650A87F1751596ACCA  .......    CN=WMSvc-SHA2-EX22

get-receiveconnector " V28\Client Proxy V28" | fl

We saw that the certificate on this server had been issued by our internal CA. So the server had auto-enrolled a certificate, which somehow replaced the certificate used by the Receive Connector on port 587.

We replaced the certificate following this example:

We found the certificate thumbprint and applied Set-ReceiveConnector to this connector.

Get-ExchangeCertificate

$cert = Get-ExchangeCertificate -Thumbprint DE67EC3C8D679AA35D17678FEC51907272B1BAE2

$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"

Set-ReceiveConnector "EX2016SRV1\Client Frontend EX2016SRV1" -TlsCertificateName $tlscertificatename
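Added here as a check that is not part of the original post: an Exchange Management Shell audit that lists which certificate each receive connector is bound to, so a silently auto-enrolled internal-CA certificate is caught before clients start failing STARTTLS. It assumes the TlsCertificateName was set from the certificate's own Issuer and Subject as above; $server and $publicIssuerPattern are placeholders for your environment.

```powershell
# Audit receive connector TLS bindings (added example, not from the original post).
# Assumes an Exchange Management Shell session on the server being checked.
$server = $env:COMPUTERNAME                 # placeholder: the Exchange server to audit
$publicIssuerPattern = 'Go Daddy'           # placeholder: substring of the expected public CA issuer

$certs = Get-ExchangeCertificate -Server $server

foreach ($rc in Get-ReceiveConnector -Server $server) {
    $name = $rc.TlsCertificateName
    if (-not $name) {
        # No explicit binding: Exchange selects a certificate by FQDN match,
        # which is exactly where an auto-enrolled internal certificate can win.
        Write-Warning "$($rc.Identity): no TlsCertificateName set (implicit selection)"
        continue
    }

    # TlsCertificateName renders as "<i>Issuer<s>Subject"; rebuild that string for
    # each installed certificate and pick the match (newest first if duplicates exist).
    # -eq is case-insensitive, so the <I>/<S> vs <i>/<s> spelling does not matter.
    $bound = $certs |
        Where-Object { "<i>$($_.Issuer)<s>$($_.Subject)" -eq "$name" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    if (-not $bound) {
        Write-Warning "$($rc.Identity): bound certificate not found in the local store"
        continue
    }

    # Healthy means: issued by the expected public CA and not expiring within 30 days.
    $fromPublicCa = $bound.Issuer -like "*$publicIssuerPattern*"
    $notExpiring  = $bound.NotAfter -gt (Get-Date).AddDays(30)

    [pscustomobject]@{
        Connector  = $rc.Identity
        Thumbprint = $bound.Thumbprint
        Issuer     = $bound.Issuer
        NotAfter   = $bound.NotAfter
        Healthy    = ($fromPublicCa -and $notExpiring)
    }
}
```

Run it after every certificate renewal or auto-enrollment policy change; any row with Healthy = False, or any warning, is a connector that will produce the "unable to verify the first certificate" result seen above.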

The issue was fixed.

OpenSSL then showed:

subject=CN =.com

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

No client certificate CA names sent

Peer signing digest: SHA256

Peer signature type: RSA

Server Temp Key: ECDH, secp384r1, 384 bits

SSL handshake has read 5066 bytes and written 513 bytes

Verification: OK
