Exchange 2007 SMTP TLS Error Oddly Resolves Itself

I noticed that my SBS 2008 Server was generating 70 or 80 of these errors every day since May 30:

Log Name:      Application
Source:        MSExchangeTransport
Date:          6/11/2012 10:15:04 AM
Event ID:      11005
Task Category: MessageSecurity
Level:         Error
Keywords:      Classic
User:          N/A
Unable to validate the TLS certificate of the smart host for the connector Windows SBS Internet Send SBS. The certificate validation error for the certificate is UntrustedRoot. If the problem persists, contact the administrator of the smart host to resolve the problem.

I use HostGator as a smart host for Exchange 2007. Why is the root certificate chained from HostGator no longer trusted?

Confirm in Exchange

In the Exchange Management Console, I opened my Send Connector and enabled Verbose logging:

TLS issue 1

Then I clicked on Toolbox > Queue Viewer and told it to Retry sending the stuck messages. After that, I was able to review the outbound log in this folder:

C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend

The short log file was is instructive. It shows the upload of the SBS server certificate followed by the download of the HostGator certificate. It repeats the UntrustedRoot message, and includes the thumbprint of the HostGator certificate:  7600DF3AB4AE70D9D26D8AFE5C15631AF264D0AC.

Review Foreign Server’s TLS Certificate

Fortunately, this ServerFault article has specific instructions on how to get info about a foreign server’s TLS certificate. I already had OpenSSL installed under Windows, so all I had to do was issue this command:

openssl s_client -connect -starttls smtp

This shows the full certificate chain, the certificate itself, and lots of other info. (I also ran this under Linux and saw the same info.)

Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

The certificate chain tells me that the apparently untrusted root is AddTrust External CA Root. This certificate decoder site gave me a little more info about the certificate itself.

Trusted by Internet Explorer

I realized that my HostGator server probably uses the same certificate for SSL web connections. I went to the HostGator cPanel control panel in Internet Explorer, then opened the certificate from the web browser’s lock icon. First thing to notice is that it was issues May 28, 2012, the same day I started having trouble:

TLS issue 2

Checking the thumbprint on the Details tab confirmed that this is the same certificate presented to my Exchange server:

TLS issue 3

Finally we see on the Certification Path tab, after clicking on the root USERTrust certificate, that it’s the same Issuer (AddTrust External CA Root) and that Internet Explorer considers the certificate to be OK:

TLS issue 4

Not in Computer Store – or Is It?

Next step is check CertMgr.msc on the SBS server. Yep, the certificate is listed as a Trusted Root Certificate:

TLS issue 5

But that only describes the user’s certificate store. What about the computer store (the one that Exchange uses)? To check that, run mmc.exe, File > Add/Remove Snap-in > Certificates and choose Computer account.

Huh, this time, no AddTrust certificate in the list of Trusted Root Certificates. That explains why Exchange is complaining about not trusting the root certificate.

This Is Where It Gets Really Strange

Here’s the strange part. While I was poking around in the certificates, I also let SBS install an unrelated update that had been pending (KB2720211). That update required restarting the computer. I clicked Restart and pondered the wisdom of adding the AddTrust certificate to the server’s trusted root store.

The server came back up and … wait, how did those emails arrive in my inbox? Those were in the queue waiting to go out… Lo and behold, the SBS server computer store now includes the AddTrust certificate in its list of Trusted Root Certification Authorities!

TLS issue 6

How that got added, I have no idea. But Exchange is once again able to send through my HostGator smart host.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.