SMTP Certificate and Banner Mismatch

[krtg2 0]

With our Exchange 2016 we can send and receive emails (internal and external). But for some providers we got blacklisted. We have tried several tools for SMTP checks and there seems to be a Certificate mismatch. 

 

https://ssl-tools.net/ claims that there is no certificate for mail.domain.de, although we have installed and enabled the respective certificate in Exchange. 

 

We can see 3 certificates in ECP: 1st: our own (domain.de) that is assigned to iis, smtp, pop, and IMAP, 2nd: Microsoft Exchange Server Auth Certificate, also assigned to SMTP and WMSVC-SHA2 assigned to none.

 

We have also Configured the TLS Certificate Name for Exchange Server Client/Default Frontend but this did not help. 

 

https://mxtoolbox.com reports that the "Reverse DNS does not match SMTP Banner". The report is the following: 

    

220 mail.domain.de [212 ms]

EHLO keeper-us-east-1b.mxtoolbox.com

250-[FQDN of Exchange server] Hello [Internal Firewall IP]

 

We had corrected the 220 response but where can we change the 250 that is sharing internal information?

 

Any help would be appreciated!

[NorbertFe 2.034]

Hi,

 

you have to diffentiate between sendconnector (EHLO string) and receive connector (EHLO string). The first one you can change as you like to match your desired name within your certificates SANs. The receiveconnector receiving mails from internet is usually the default frontend connector and there you can't (and shouldn't) change the EHLO string. Change the connector scope to only match your internal IP networks and create a new frontend connector (type internet) afterwards. There you can change the EHLO response to match one of your certificate's SANs. The receivce connector shouldn't cause blacklisting usually.

 

Hope that helps

Norbert

[krtg2 0]

36 minutes ago, NorbertFe said:

Hi,

 

you have to diffentiate between sendconnector (EHLO string) and receive connector (EHLO string). The first one you can change as you like to match your desired name within your certificates SANs. The receiveconnector receiving mails from internet is usually the default frontend connector and there you can't (and shouldn't) change the EHLO string. Change the connector scope to only match your internal IP networks and create a new frontend connector (type internet) afterwards. There you can change the EHLO response to match one of your certificate's SANs. The receivce connector shouldn't cause blacklisting usually.

 

Hope that helps

Norbert

 

Hi,

 

Thanks a lot for your quick help.

I am wondering how to change the connector's scope to only match the internal ip. Now it is defined as:

{::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}

what should be there instead?

Should any port be specified?

 

[NorbertFe 2.034]

Hi,

 

change it to f.i.

{::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 192.168.17.0/24, 192.168.18.0/24}

 

(add all IP subnets you're using)

 

[krtg2 0]

4 hours ago, NorbertFe said:

Hi,

 

change it to f.i.

{::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 192.168.17.0/24, 192.168.18.0/24}

 

(add all IP subnets you're using)

 

 

Thank you very much. 

We applied these changes and have repeated the test. There is still the banner mismatch issue:

 

Reverse DNS does not match SMTP Banner

 

220 mail.domain.de Microsoft ESMTP MAIL Service ready at Tue, 15 Feb 2022 16:19:34 +0100 [213 ms]
EHLO keeper-us-east-11b.mxtoolbox.com
250-mail.domain.de Hello [internal firewall ip]

[NorbertFe 2.034]

vor 2 Minuten schrieb krtg2:

Reverse DNS does not match SMTP Banner

Check your reverse DNS in your public DNS zone. Usually this can be done at your ISP (not your domain hoster). So in Germany usually Vodafone, Telekom aso. There you should be able to match the reverse record of the sending IP to the EHLO host string.

Btw. (internal Fireall IP) seems like your Firewall is acting as SMTP smarthost or proxy. Than you should configure the hoststrings there instead of the Exchange (maybe). you don't have posted enough information to give you an exact advise.

 

HTH

Norbert

[krtg2 0]

13 minutes ago, NorbertFe said:

Check your reverse DNS in your public DNS zone. Usually this can be done at your ISP (not your domain hoster). So in Germany usually Vodafone, Telekom aso. There you should be able to match the reverse record of the sending IP to the EHLO host string.

Btw. (internal Fireall IP) seems like your Firewall is acting as SMTP smarthost or proxy. Than you should configure the hoststrings there instead of the Exchange (maybe). you don't have posted enough information to give you an exact advise.

 

HTH

Norbert

 

Thank you very much! We are sitting in a company network, with an additional firewall server before our own exchange server. I will further investigate and try to come back with a more concrete question. 

 

In the meantime, do you also have some advice why our certificate is not shown in the SSL check (tested by https://ssl-tools.net/)? 

 

[NorbertFe 2.034]

Gerade eben schrieb krtg2:

In the meantime, do you also have some advice why our certificate is not shown in the SSL

Probably because of the additional firewall in front of your exchange server. Cisco ASA is know for such behaviour. Btw. we always can talk in German here, as this is a German speaking forum and it seems that you're using a .de domain in your screenshot. ;)