550+Remote+host+must+supply+it’s+certificate+for+verification+[nmacl]

Issue

A new Windows Server 2012 R2 Server was built, running SMTP Server (a Windows Server Feature), to act as an SMTP gateway between the customer Exchange Server and CJSM (Criminal Justice Secure eMail system).

A new CSR was generated from IIS for cjsm.x500.co.uk.cjsm and passed to Egress, who issued a certificate together with the Trusted Root CA Certificate (Criminal Justice IT Root CA (CJSM)).  Both certificates were imported into the correct Certificate Store on the server.

The FQDN of the SMTP Virtual Server was set to match the CN of the certificate.

Fully-qualified domain name: cjsm.x500.co.uk.cjsm

[Screenshot: IISSMTP1]

The certificate is clearly valid, because the ‘Require TLS encryption’ option is available. If there were no valid certificate matching the FQDN of the SMTP Virtual Server, this option would be greyed out.

[Screenshot: IISSMTP2]

TLS was enabled on the Remote Domain (*.cjsm.net).

[Screenshot: IISSMTP3]

A test message sent to echo@pnn.police.uk.cjsm.net failed with the following error:

550+Remote+host+must+supply+it’s+certificate+for+verification+[nmacl]

Tests to the other echo accounts within the CJSM email community also failed, e.g.:

  • echo@gsi.gov.uk.cjsm.net
  • echo@gsx.gov.uk.cjsm.net
  • responder@hosting-s.gcsx.gov.uk.cjsm.net
  • responder@hosting-w.gcsx.gov.uk.cjsm.net

Full logs for the transaction:

OutboundConnectionResponse SMTPSVC1 X500RELAY01v – 3735608 – – 220+smtp.cjsm.net+(1)+ESMTP 0 0 27 0 0 SMTP – – – –
OutboundConnectionCommand SMTPSVC1 X500RELAY01v – 3735608 EHLO – cjsm.x500.co.uk.cjsm 0 0 4 0 0 SMTP – – – –
OutboundConnectionResponse SMTPSVC1 X500RELAY01v – 3735608 – – 250-smtp.cjsm.net+Hello+cjsm.x500.co.uk.cjsm+[x.x.x.x] 0 0 71 0 62 SMTP – – – –
OutboundConnectionCommand SMTPSVC1 X500RELAY01v – 3735608 STARTTLS – – 0 0 8 0 62 SMTP – – – –
OutboundConnectionResponse SMTPSVC1 X500RELAY01v – 3735608 – – 220+TLS+go+ahead 0 0 16 0 78 SMTP – – – –
OutboundConnectionCommand SMTPSVC1 X500RELAY01v – 3735608 EHLO – cjsm.x500.co.uk.cjsm 0 0 4 0 125 SMTP – – – –
OutboundConnectionResponse SMTPSVC1 X500RELAY01v – 3735608 – – 250-smtp.cjsm.net+Hello+cjsm.x500.co.uk.cjsm+[x.x.x.x] 0 0 71 0 125 SMTP – – – –
OutboundConnectionCommand SMTPSVC1 X500RELAY01v – 3735608 MAIL – FROM:<SteveTest1@x500.co.uk>+SIZE=6031 0 0 4 0 125 SMTP – – – –
OutboundConnectionResponse SMTPSVC1 X500RELAY01v – 3735608 – – 250+OK 0 0 6 0 172 SMTP – – – –
OutboundConnectionCommand SMTPSVC1 X500RELAY01v – 3735608 RCPT – TO:<echo@pnn.police.uk.cjsm.net> 0 0 4 0 172 SMTP – – – –
OutboundConnectionResponse SMTPSVC1 X500RELAY01v – 3735608 – – 550+Remote+host+must+supply+it’s+certificate+for+verification+[nmacl] 0 0 69 0 187 SMTP – – – –
OutboundConnectionCommand SMTPSVC1 X500RELAY01v – 3735608 RSET – – 0 0 4 0 187 SMTP – – – –
OutboundConnectionResponse SMTPSVC1 X500RELAY01v – 3735608 – – 250+Reset+OK 0 0 12 0 203 SMTP – – – –
OutboundConnectionCommand SMTPSVC1 X500RELAY01v – 3735608 QUIT – – 0 0 4 0 203 SMTP – – – –

Investigation

Certificates were all OK (although I did try removing them, rebooting the server and reinstalling them). The SMTP Server configuration was fine.

I installed Wireshark onto the server and found that the SMTP Server wasn’t presenting the correct certificate to CJSM. It was instead choosing a different certificate from the Computer Personal Certificate Store, one that matched the FQDN of the Windows Server itself rather than the FQDN of the SMTP Virtual Server.

Resolution

I removed the other certificates from the Computer Personal Certificate Store, leaving only the CJSM certificate.  This resolved the issue, and mail could be successfully sent into CJSM.
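Before removing anything from the Computer Personal store, it helps to see which certificates there are eligible for TLS (private key present, within their validity dates) but do not match the SMTP Virtual Server FQDN, since those are the ones IIS SMTP could present instead of the intended one. The script below is an added example, not part of the original post; $SmtpFqdn is an assumed parameter defaulting to the FQDN used above, and it relies on the DnsNameList property that the Cert: provider adds to certificate objects.

```powershell
# Added example (not from the original post): report the certificates in
# LocalMachine\My and flag those that could compete with the SMTP certificate.
param(
    [string]$SmtpFqdn = 'cjsm.x500.co.uk.cjsm'   # assumed: the SMTP Virtual Server FQDN
)

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus any DNS SAN entries. DnsNameList is a property the Cert:
    # provider attaches to certificate items (assumed available, PS 3.0+).
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    if ($Cert.DnsNameList) { $names += $Cert.DnsNameList | ForEach-Object { $_.Unicode } }
    return $names | Select-Object -Unique
}

$now = Get-Date
$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $names = @(Get-CertificateNames -Cert $cert)
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Names         = ($names -join ', ')
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey
        InDate        = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        MatchesSmtp   = ($names -contains $SmtpFqdn)
    }
}

$report | Sort-Object MatchesSmtp -Descending | Format-Table -AutoSize

# Only certificates with a private key and valid dates can be offered during
# the TLS handshake; any such certificate that does not carry the SMTP FQDN is
# a candidate to be picked instead of the intended one.
$competing = @($report | Where-Object { $_.HasPrivateKey -and $_.InDate -and -not $_.MatchesSmtp })
if ($competing.Count -gt 0) {
    Write-Warning ("{0} certificate(s) in LocalMachine\My could be selected instead of the {1} certificate:" -f $competing.Count, $SmtpFqdn)
    $competing | ForEach-Object { Write-Warning ("  {0}  {1}" -f $_.Thumbprint, $_.Names) }
}
if (-not ($report | Where-Object MatchesSmtp)) {
    Write-Warning "No certificate in LocalMachine\My matches $SmtpFqdn."
}
```

Review the flagged thumbprints against other services on the server (IIS bindings, Remote Desktop and similar may use the server-FQDN certificate) before deleting or moving them, then re-run the echo test.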

 
