SQL Server Send Mail to Exchange 2016 DAG Gives Certificate Error

Tags: exchange, sql-server

We have an SQL Server 2008R2 installation that was sending email to our now decommissioned Exchange 2010 server. We are now running an Exchange 2016 DAG with 2 hosts (mailserver1.example.com and mailserver2.example.com) with a DNS pointer called mail.example.com that references both servers. So, when we took the old server down, we changed from using an actual host name (severname.example.com) to mail.example.com. When we did this, we got the following error:

The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 1 (2017-02-14T15:41:00). Exception Message: Cannot send mails to mail server. (The remote certificate is invalid according to the validation procedure.).

If I change the database mail configuration to point to an individual server in the DAG (mailserver1.example.com) then everything works fine.

We use a wildcard certificate (*.example.com) on the mail servers so I'm not sure if that's the issue.

I would like to fix the issue so that I maintain resiliency. Can anyone tell me what it doesn't like?

EDIT:
So I dug deeper into what certificates are installed/being used:

Get-ExchangeCertificate -server mailserver2.example.com

Thumbprint                          Services   Subject
----------                          --------   -------
133914D76770DE347949C1FF771A64B7B6  IP.....    CN=mailserver2.example.com
4D2582DA78719BCC1B1CB8F33B3FAC2E54  IP..S..    CN=mailserver2
B39C5DED40D1C926A1ABDA2CA5B30FE305  ....S..    CN=Microsoft Exchange Server Auth Certificate
AD3C61F290199AB908ECB976A0C8341351  .......    CN=WMSvc-mailserver2
E6F14092B221239F51A62420FD74F2FA63  IP.WS..    CN=mailserver2.example.com
D1215C7C1E5D674E7C204FCB776D60F93E  ...WS..    CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...


Get-ExchangeCertificate -server mailserver1.example.com

Thumbprint                          Services   Subject
----------                          --------   -------
4C560FF28A576F814DFAD198C81912C3BE  IP.....    CN=mailserver1.example.com
B39C5DED40D1C926A1A8DA2CA5B30FE305  ....S..    CN=Microsoft Exchange Server Auth Certificate
A29DA1FA4C800AB5EAD22B0BFA39D7BC5B  IP..S..    CN=mailserver1
184B109C120633C33711E26C40F4FAFFC6  .......    CN=WMSvc-mailserver1
22C69182932BE55A2F01B20C10FADBE359  IP.WS..    CN=mailserver1.example.com
D1215C7C1E5D674E7C244FCB776D60F93E  ...WS..    CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...

Get-ExchangeCertificate -domainname example.com

Thumbprint                          Services   Subject
----------                          --------   -------
D1215C7C1E5D674E7C644FCB776D60F93E  ...WS..    CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...

Get-ExchangeCertificate -domainname mail.example.com

Thumbprint                          Services   Subject
----------                          --------   -------
D1215C7C1E5D674E7C20D9FF776D60F93E  ...WS..    CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...

When I use OPENSSL (as per answer 1 below), I am getting our internal CA certificate (CN=mailserver2.example.com) instead of the wildcard cert.

EDIT 2:
Here is the output of the OpenSSL command:
openssl s_client -connect mailserver1.example.com:25 -starttls smtp

Loading 'screen' into random state - done
CONNECTED(000001F4)
depth=1 /DC=com/DC=example/CN=example-Issuing-CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=mailserver1.example.com
   i:/DC=com/DC=example/CN=example-Issuing-CA
 1 s:/DC=com/DC=example/CN=example-Issuing-CA
   i:/CN=example-Root-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
< certificate info here >
-----END CERTIFICATE-----
subject=/CN=mailserver1.example.com
issuer=/DC=com/DC=example/CN=example-Issuing-CA
---
No client certificate CA names sent
---
SSL handshake has read 3875 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: < session ID >
    Session-ID-ctx:
    Master-Key: < master key >
    Key-Arg   : None
    Start Time: 1487248994
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 XRDST
QUIT
DONE

Best Answer

The issue you see here is related to the SSL certificate used for the SMTP service offered by the MS Exchange environment.

To check the SSL certificate you can use openSSL via:

openssl s_client -connect exchange01.int.contoso.com:25 -starttls smtp

Depending on the configuration of your MS Exchange environment, multiple solutions might apply here (see here for more info):

  • The hostname isn't in the SSL certificate (might not be the case with your environment)
  • The MS Exchange server still uses a self-signed certificate; you will see that with openssl
  • Some SSL certificates used here are outdated
  • Some parts of the certificate chain aren't trusted (import the missing one into the trusted root store on the machine, as in your case it is related to SQL services)

Update (due to your edit): It looks as if the SMTP service isn't using the correct certificate, based on your troubleshooting. So the following should nail it down:

Enable-ExchangeCertificate -Thumbprint D1215C7C1E5D674E7C244FCB776D60F93E -Identity mailserver1.example.com -Services SMTP

You need to run that for both of your Exchange servers.
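A small diagnostic check, added here and not part of the question or the answer: it parses the summary that `openssl s_client ... -starttls smtp` prints (a constructed sample modelled on the output in the question) and reports the two failure modes the answer lists, an untrusted chain and a subject name that does not cover the hostname Database Mail connects to. Wildcard matching is limited to the leftmost label, so `*.example.com` covers `mail.example.com` but not `a.b.example.com`.

```python
"""Diagnose an SMTP STARTTLS certificate from `openssl s_client` output.

Added example, not code from the question or answer. It checks the two
problems discussed above: an untrusted chain (non-zero verify return code)
and a subject CN that does not cover the hostname the client connects to.
"""
import re

def parse_s_client(output: str) -> dict:
    """Pull subject CN, issuer and the verify return code out of s_client text."""
    cn = re.search(r"^subject=.*?/?CN=([^/,\n]+)", output, re.M)
    issuer = re.search(r"^issuer=(.*)$", output, re.M)
    code = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    return {
        "subject_cn": cn.group(1).strip() if cn else None,
        "issuer": issuer.group(1).strip() if issuer else None,
        "verify_code": int(code.group(1)) if code else None,
        "verify_text": code.group(2) if code else None,
    }

def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact or wildcard match; '*' only in the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same number of labels and identical tail: one level of wildcard only.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def diagnose(output: str, hostname: str) -> list:
    """Return the problems that would make a validating client reject the cert."""
    info = parse_s_client(output)
    problems = []
    if info["verify_code"] != 0:
        problems.append(f"chain not trusted: {info['verify_text']} (issuer {info['issuer']})")
    if not info["subject_cn"] or not name_matches(info["subject_cn"], hostname):
        problems.append(f"name mismatch: certificate CN={info['subject_cn']} does not cover {hostname}")
    return problems

# Constructed sample, modelled on the s_client output shown in the question.
SAMPLE = """subject=/CN=mailserver1.example.com
issuer=/DC=com/DC=example/CN=example-Issuing-CA
    Verify return code: 20 (unable to get local issuer certificate)
"""

if __name__ == "__main__":
    for problem in diagnose(SAMPLE, "mail.example.com"):
        print(problem)
```

Real validators also check the Subject Alternative Name extension, which this `s_client` summary does not print; the CN-only match here is the simplified case.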
