what will happen to outbound TLS connection if receiver's cert has expired?

exchangefreaks.com Forum Index -> MS Exchange 2000 Connectivity
Confused by TLS
Joined: 06 Aug 2007
Posts: 1

Posted: Tue May 17, 2005 1:26 pm    Post subject: what will happen to outbound TLS connection if receiver's cert has expired?

Hi all

After the cert used by sendmail (8.12.11 on Redhat Enterprise Linux 3)
has expired for 4 hours, all TLS connections from certain servers fail
with the following entries in the /var/log/maillog file:

May 17 21:06:44 mail Receive[15172]: STARTTLS=server, relay=[sender's
IP], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
May 17 21:06:45 mail Receive[15172]: j4HD6gGQ015172: [sender's IP] did
not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Before a cert was created, those exchange servers could send mail to the
sendmail through a non-TLS session only. After assigning a new cert, the
connections from those servers are back to normal.

The senders are running exchange 2000 & exchange 2003.

My questions:

1. Why do the connections fail four hours later, not immediately?
Between the time at which the cert expired and the time at which the
first failed connection appeared, there were a lot of successful
connections from those servers.

2. Why don't the expired certs affect the TLS connections between the
sendmail and other servers, be it inbound TLS or outbound TLS?

3. How do certs come into the picture of a TLS connection?
My understanding of a TLS connection is that a cert is not required for
TLS.

4. Could it be the exchange's configuration issue?
Is it possible that the exchange servers are configured in such a way
that they need certs for the TLS connection to work, e.g. for
authentication? Is it possible for exchange to have an outbound TLS
connection to sendmail no matter whether sendmail's cert has expired or not?

5. Why the exchange servers didn't fall back to non-TLS connection?

6. I guess the connections were dropped by the exchange servers after the
TLS handshake, not during the TLS handshake. Is it so?

7. Where and how can I look for more information for troubleshooting?

The following error message appears in the event log of one of the
exchange servers:

Source: Schannel
Event ID: 36871
Description: A fatal error occurred while creating an SSL server
credential.

Thanks,

Archived from group: microsoft>public>exchange2000>connectivity
Kenny Wood
Joined: 05 Aug 2007
Posts: 2

Posted: Sat May 21, 2005 10:15 pm    Post subject: RE: what will happen to outbound TLS connection if receiver's cert has expired?

Hello Kehboon,

To answer your questions:

1. Not sure, I will have to research if we have a grace period or cache.

2. Not all servers will fail if a certificate is invalid; this is dependent on their configuration.

3. TLS is certificate based (http://www.faqs.org/rfcs/rfc2246.html)

4. Turning off certificate validation would partially defeat the purpose of TLS. TLS is not only meant to encrypt the data, but also to assure you that the server you are
communicating with is the one you intended to be communicating with. If you turn off certificate validation, how would you know if someone was performing a man-in-the-
middle attack on you?

5. You either set TLS on the virtual server or only had ONE connector. Try creating two connectors and giving the TLS connector a higher priority.

6. It should have failed DURING the TLS negotiation.

7. Google.

Thank you for your post.

Kenny Wood
CISSP, MCSE (+S, +M)
PSS Security
Microsoft Corporation
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.

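As an added example (my own code, not from either poster): a small Python detector for the maillog pattern quoted in the question. It pairs each `STARTTLS=server` line with any later `did not issue MAIL/EXPN/VRFY/ETRN` line from the same sendmail process, so a relay that completes the TLS handshake from sendmail's point of view and then hangs up without sending a single SMTP command is flagged; the sample log lines, pids and addresses are constructed.

```python
import re

# Constructed sample, modelled on the maillog lines quoted in the thread.
# Pids, queue ids and relay addresses are made up, not from the original post.
SAMPLE_LOG = """\
May 17 21:06:44 mail sendmail[15172]: STARTTLS=server, relay=[192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
May 17 21:06:45 mail sendmail[15172]: j4HD6gGQ015172: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
May 17 21:07:02 mail sendmail[15180]: STARTTLS=server, relay=[192.0.2.20], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
May 17 21:07:03 mail sendmail[15180]: j4HD72xy015180: from=<a@example.net>, size=1234, class=0, nrcpts=1, proto=ESMTP, relay=[192.0.2.20]
May 17 21:08:11 mail sendmail[15190]: j4HD8Bab015190: [192.0.2.30] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Handshake completed on the server side; verify= reports the *client* cert check
# (NO means the client presented no certificate, which is normal for Exchange here).
STARTTLS_RE = re.compile(
    r"\[(?P<pid>\d+)\]: STARTTLS=server, relay=\[(?P<relay>[^\]]+)\],.*verify=(?P<verify>\w+)"
)
# Client closed the session without issuing any SMTP command.
ABORT_RE = re.compile(
    r"\[(?P<pid>\d+)\]: \S+: \[(?P<relay>[^\]]+)\] did not issue MAIL/EXPN/VRFY/ETRN"
)
PID_RE = re.compile(r"\[(\d+)\]:")


def find_tls_aborts(log_text):
    """Return [(relay, verify), ...] for sessions that negotiated STARTTLS and
    then ended without a MAIL/EXPN/VRFY/ETRN command from the same pid."""
    pending = {}   # pid -> (relay, verify) for sessions that just finished STARTTLS
    aborts = []
    for line in log_text.splitlines():
        m = STARTTLS_RE.search(line)
        if m:
            pending[m["pid"]] = (m["relay"], m["verify"])
            continue
        m = ABORT_RE.search(line)
        if m and m["pid"] in pending:
            aborts.append(pending.pop(m["pid"]))
            continue
        # Any other line for a known pid (e.g. from=<...>) means the session went on normally,
        # so it is no longer a candidate. Aborts with no prior STARTTLS (cleartext) are ignored.
        m = PID_RE.search(line)
        if m and m.group(1) in pending:
            pending.pop(m.group(1))
    return aborts


if __name__ == "__main__":
    for relay, verify in find_tls_aborts(SAMPLE_LOG):
        print(f"TLS session from {relay} closed with no SMTP command (client verify={verify})")
```

Run it against the real /var/log/maillog to list which relays show this symptom and whether it started at a particular time, which is the first thing to line up against the server certificate's notAfter date.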