SMTP issue with Exchange server
we tried to use for customer service an Exchange server to send email over smtp.
But we get te error below. The servers are using valid self signed certificats. And we even did not select the SSL option in the settings dialog. Has anyone an idea, where the certificate could be missing?
Outbox::sendMails() Error: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates. SSL certificate problem: unable to get local issuer certificate(220)
RE: SMTP issue with Exchange server
Some complementary comments.
- The SSL-checkbox
- Actually, it is my understanding that when connecting to a server that supports newer encryption standards, like START-TLS, the SSL-checkbox should NOT be checked (I know this is not especially obvious or user friendly though :)). The connection will then self-propagate to the highest level of security supported by both sides of the connection.
- In your case it seems that both servers support START-TLS, which then automatically makes the servers to try to connect using an encrypted connection, which will then fail due to the self-signed certificate which Service will not allow as it requires a public certificate or a self-signed certificate authorized by a certificate chain, with a public CA-cert in the top of the chain.
- The CA-cert workflow
- As David mentions, Service, which uses the LibCurl-library behind the scenes, doesn't use the Windows Certificate Storage for its CA-Cert-loookups, but its own CA-Cert-file which contains CA-Certs in PEM-format (Base64-encoded plain text versions of the certificates).
- Some larger organizations, sometimes uses self-signed certificates for their internal servers, but these certificates might be authorized by an internal certificate chain, with a public organization-certificate in the top.
- These authorizing chain-certificates are often pushed to the certificate storage on all internal servers, to make it possible to have applications to accept self-signed certificates owned by the chain.
- The problem in this case is that Service doesn't use the Windows Certificate Storage for its CA-cert-lookup, so it has no information that the self-signed certificate should be accepted.
- The solution is to export the certificates in the certificate chain in PEM-format and add these to the CA-Cert-file in Service.
- Service will then have knowledge of the owning certifcates in the chain and will accept the self-signed certificate on the mail server.
- I suppose that you could also add the self-signed certificate directly to the CA-cert-file, if there isn't an architecture using a certificate-chain.
I hope this give some further clarification to the problem and hopefully also the solution. :)