SMTP issue with Exchange server


Hello

We tried to use an Exchange server for customer service to send email over SMTP.

But we get the error below. The servers are using valid self-signed certificates, and we did not even select the SSL option in the settings dialog. Does anyone have an idea where the certificate could be missing?


Outbox::sendMails() Error: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates. SSL certificate problem: unable to get local issuer certificate(220)


Thanks

29 Jun 2022 | 06:57 AM

All Replies (7)

Hi,

The certificate that is returned by the SMTP server needs to be a valid public one that can be validated by the ca-bundle used by service. So self signed certificates won't work.

29 Jun 2022 | 07:09 AM

Some complementary comments.

  • The SSL-checkbox
    • Actually, it is my understanding that when connecting to a server that supports newer encryption standards, like START-TLS, the SSL-checkbox should NOT be checked (I know this is not especially obvious or user friendly though :)). The connection will then self-propagate to the highest level of security supported by both sides of the connection.
    • In your case it seems that both servers support START-TLS, which then automatically makes the servers try to connect using an encrypted connection, which will then fail due to the self-signed certificate, which Service will not allow as it requires a public certificate or a self-signed certificate authorized by a certificate chain, with a public CA-cert at the top of the chain.
  • The CA-cert workflow
    • As David mentions, Service, which uses the LibCurl-library behind the scenes, doesn't use the Windows Certificate Storage for its CA-Cert-lookups, but its own CA-Cert-file which contains CA-Certs in PEM-format (Base64-encoded plain text versions of the certificates).
    • Some larger organizations sometimes use self-signed certificates for their internal servers, but these certificates might be authorized by an internal certificate chain, with a public organization-certificate at the top.
    • These authorizing chain-certificates are often pushed to the certificate storage on all internal servers, to make it possible for applications to accept self-signed certificates owned by the chain.
    • The problem in this case is that Service doesn't use the Windows Certificate Storage for its CA-cert-lookup, so it has no information that the self-signed certificate should be accepted.
    • The solution is to export the certificates in the certificate chain in PEM-format and add these to the CA-Cert-file in Service.
    • Service will then have knowledge of the owning certificates in the chain and will accept the self-signed certificate on the mail server.
    • I suppose that you could also add the self-signed certificate directly to the CA-cert-file, if there isn't an architecture using a certificate-chain.

I hope this gives some further clarification of the problem and hopefully also the solution. :)

Best Regards
Marcus


14 Jul 2022 | 11:22 AM
Hi, sorry for hijacking this thread, but today a big customer of mine reports this exact problem. (They have changed underlying SMTP servers and the new servers offer TLS support, but they use a certificate from their own CA. Probably that is causing issues for the SO service (Marketing in their case).)

Marcus => You mentioned that one solution is to export the "chain" certs as PEM-formatted files and then add them to the CA-Cert-file in Service?
Where is this file located? Type of file? Or is it in the database?
I have found the curl-ca-bundle.crt but not a place where this is referenced?
Best regards
Anders
3 Jun 2024 | 02:06 PM
Hi Anders,

The normal storage for server certificates on a Windows Server is the Server Certificate Storage, which you can access via the admin tools for certificates. Search for "certificate" and you will probably get some suggestions for local admin apps to open.

Though, it isn't certain that the self-signed certificates or the chain certs that the new smtp-server is using have actually been pushed/deployed to the SO-server's certificate storage. But if they have, they could possibly be extracted/exported in PEM format from the cert storage using some PowerShell.

By making an smtp-connection to the smtp-server from the SO-server, using OpenSSL command prompt commands, you can extract the certificates used by the smtp-server that way as well, and store these in the ca-file.

Unfortunately I don't have time to dig out my own old scripts and commands, but I think the following openssl-command might give you the active certs used by the smtp-server:

openssl s_client -starttls smtp -connect smtp.example.com:587 -showcerts

Otherwise, you hopefully understand what to look for now so you can do your own research. :)

Good luck!

/Marcus
3 Jun 2024 | 02:59 PM
This is an OpenSSL-win-compilation that I have been using historically:

https://slproweb.com/products/Win32OpenSSL.html

But you might be able to use PowerShell to do this as well.
3 Jun 2024 | 03:04 PM

Hi! I did find the solution. (In my case, the customer actually pointed me to the correct way and handed me the signatures needed.)
Just opened curl-ca-bundle.crt and added their CA cert/chain info at the end.

===================================
Name 1

-----BEGIN CERTIFICATE-----
Signature...
-----END CERTIFICATE-----

===================================
Name 2

-----BEGIN CERTIFICATE-----
Signature...
-----END CERTIFICATE-----


It is easy to test if it works just by going into Marketing and the settings button there. If there is no error, it works.
(Not even needed to restart the server, IIS reset etc.)

/Thanks 

3 Jun 2024 | 03:04 PM
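The two steps discussed in this thread, capturing the chain that the SMTP server presents (Marcus's openssl s_client -starttls smtp -showcerts command) and appending the issuing/root CA certificates to curl-ca-bundle.crt (Anders' fix), are easy to get wrong by hand: a pasted block missing its END line, as in the sample above, makes the whole bundle unparsable for curl/OpenSSL, and pasting the same certificate twice is a common mistake. The script below is an added example, not code from the thread or from SuperOffice. It takes the text of an s_client -showcerts run (here a constructed sample whose Base64 bodies are placeholder bytes, not real X.509 DER), checks that every BEGIN has a matching END, normalises each certificate to standard 64-character PEM lines, and appends only the CA certificates that are not already in the bundle, identified by SHA-256 fingerprint. The bundle path, the hostnames and the placeholder certificates are assumptions for the demo; run it against a real -showcerts capture and the real curl-ca-bundle.crt path of your installation.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.DOTALL)


def check_pem_markers(text):
    """Return (ok, message). A block whose BEGIN line is not closed by an END
    line (a typical copy/paste slip) is rejected by curl/OpenSSL when loading."""
    begins, ends = text.count(BEGIN), text.count(END)
    if begins != ends:
        return False, f"{begins} BEGIN marker(s) but {ends} END marker(s)"
    return True, f"{begins} certificate block(s)"


def extract_pem_certs(text):
    """Pull every certificate out of text such as the output of
    'openssl s_client -starttls smtp -connect host:587 -showcerts' and return
    them as normalised PEM strings (64-character Base64 lines)."""
    ok, msg = check_pem_markers(text)
    if not ok:
        raise ValueError("malformed PEM input: " + msg)
    certs = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())      # drop line breaks/indent
        base64.b64decode(body, validate=True)       # reject non-Base64 garbage
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(f"{BEGIN}\n{wrapped}\n{END}\n")
    return certs


def fingerprint(pem):
    """SHA-256 over the DER bytes, the value 'openssl x509 -fingerprint -sha256'
    prints (without the colons); used to detect duplicates."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def append_missing(bundle_path, new_certs):
    """Append certificates not already present in the bundle and return the
    fingerprints added. Comment lines are allowed in a curl CA bundle; the PEM
    parser ignores everything outside BEGIN/END blocks."""
    path = Path(bundle_path)
    existing = path.read_text(encoding="utf-8") if path.exists() else ""
    known = {fingerprint(c) for c in extract_pem_certs(existing)}  # also validates the bundle
    added = []
    with path.open("a", encoding="utf-8") as fh:
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        for cert in new_certs:
            fp = fingerprint(cert)
            if fp in known:
                continue
            fh.write(f"\n# internal CA added, sha256 {fp}\n{cert}")
            known.add(fp)
            added.append(fp)
    return added


def _fake_pem(label):
    # Constructed placeholder: Base64 of arbitrary bytes, NOT a real X.509 DER.
    return base64.b64encode(f"placeholder DER for {label}".encode()).decode()


# Constructed sample mimicking 'openssl s_client -starttls smtp -showcerts' output.
SAMPLE_SHOWCERTS = f"""CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.example.com
   i:CN = Example Internal Issuing CA
{BEGIN}
{_fake_pem("leaf")}
{END}
 1 s:CN = Example Internal Issuing CA
   i:CN = Example Internal Root CA
{BEGIN}
{_fake_pem("issuing CA")}
{END}
 2 s:CN = Example Internal Root CA
   i:CN = Example Internal Root CA
{BEGIN}
{_fake_pem("root CA")}
{END}
---
"""

# The shape of the pasted sample above: second marker is BEGIN instead of END.
BROKEN_PASTE = f"{BEGIN}\n{_fake_pem('x')}\n{BEGIN}\n"


def run_demo():
    """Seed a temporary bundle with the root CA, then append the CA part of the
    chain (index 1 and up; the server's own leaf cert does not belong in a CA
    bundle) twice. Returns (added_first_pass, added_second_pass, certs_in_bundle)."""
    chain = extract_pem_certs(SAMPLE_SHOWCERTS)
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "curl-ca-bundle.crt"     # assumed file name from the thread
        bundle.write_text("# Example Internal Root CA\n" + chain[2], encoding="utf-8")
        first = append_missing(bundle, chain[1:])
        second = append_missing(bundle, chain[1:])
        total = len(extract_pem_certs(bundle.read_text(encoding="utf-8")))
    return len(first), len(second), total


if __name__ == "__main__":
    print(run_demo())                      # (1, 0, 2)
    print(check_pem_markers(BROKEN_PASTE))  # (False, '2 BEGIN marker(s) but 0 END marker(s)')
```

Only the issuing and root certificates are appended; the server's leaf certificate stays out of the bundle so that a rotated server certificate keeps validating as long as it chains to the same internal CA. After editing the real bundle, the same connection test described in the thread (opening the SMTP settings in Marketing) confirms that curl can now build the chain.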
Great to hear!
3 Jun 2024 | 08:44 PM
