我们有一个将电子邮件发送到我们现在退役的Exchange 2010服务器的SQL Server 2008R2安装。 我们现在使用一个名为mail.example.com的DNS指针来运行带有两个主机(mailserver1.example.com和mailserver2.example.com)的Exchange 2016 DAG,它引用了这两个服务器。 所以,当我们把旧的服务器closures时,我们从使用实际的主机名(severname.example.com)到mail.example.com。 当我们这样做,我们得到以下错误:
The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 1 (2017-02-14T15:41:00). Exception Message: Cannot send mails to mail server. (The remote certificate is invalid according to the validation procedure.). 如果我将数据库邮件configuration更改为指向DAG(mailserver1.example.com)中的单个服务器,则一切正常。
我们在邮件服务器上使用通配符证书(* .example.com),所以我不确定是否是这个问题。
我想解决这个问题,以保持弹性。 谁能告诉我它不喜欢什么?
编辑:所以我深入挖什么证书安装/正在使用:
Get-ExchangeCertificate -server mailserver2.example.com Thumbprint Services Subject ---------- -------- ------- 133914D76770DE347949C1FF771A64B7B6 IP..... CN=mailserver2.example.com 4D2582DA78719BCC1B1CB8F33B3FAC2E54 IP..S.. CN=mailserver2 B39C5DED40D1C926A1ABDA2CA5B30FE305 ....S.. CN=Microsoft Exchange Server Auth Certificate AD3C61F290199AB908ECB976A0C8341351 ....... CN=WMSvc-mailserver2 E6F14092B221239F51A62420FD74F2FA63 IP.WS.. CN=mailserver2.example.com D1215C7C1E5D674E7C204FCB776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company... Get-ExchangeCertificate -server mailserver1.example.com Thumbprint Services Subject ---------- -------- ------- 4C560FF28A576F814DFAD198C81912C3BE IP..... CN=mailserver1.example.com B39C5DED40D1C926A1A8DA2CA5B30FE305 ....S.. CN=Microsoft Exchange Server Auth Certificate A29DA1FA4C800AB5EAD22B0BFA39D7BC5B IP..S.. CN=mailserver1 184B109C120633C33711E26C40F4FAFFC6 ....... CN=WMSvc-mailserver1 22C69182932BE55A2F01B20C10FADBE359 IP.WS.. CN=mailserver1.example.com D1215C7C1E5D674E7C244FCB776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company... Get-ExchangeCertificate -domainname example.com Thumbprint Services Subject ---------- -------- ------- D1215C7C1E5D674E7C644FCB776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company... Get-ExchangeCertificate -domainname mail.example.com Thumbprint Services Subject ---------- -------- ------- D1215C7C1E5D674E7C20D9FF776D60F93E ...WS.. CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...
当我使用OPENSSL(根据下面的答案1),我得到我们的内部CA证书(CN = mailserver2.example.com),而不是通配符证书。
编辑2:这是OpenSSL命令的输出:openssl s_client -connect mailserver1.example.com:25 -starttls smtp
Loading 'screen' into random state - done CONNECTED(000001F4) depth=1 /DC=com/DC=example/CN=example-Issuing-CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/CN=mailserver1.example.com i:/DC=com/DC=example/CN=example-Issuing-CA 1 s:/DC=com/DC=example/CN=example-Issuing-CA i:/CN=example-Root-CA --- Server certificate -----BEGIN CERTIFICATE----- < certificate info here > -----END CERTIFICATE----- subject=/CN=mailserver1.example.com issuer=/DC=com/DC=example/CN=example-Issuing-CA --- No client certificate CA names sent --- SSL handshake has read 3875 bytes and written 485 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: < session ID > Session-ID-ctx: Master-Key: < master key > Key-Arg : None Start Time: 1487248994 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- 250 XRDST QUIT DONE
您在此处看到的问题与用于MS Exchange环境提供的SMTP服务的SSL证书有关。
要检查SSL证书,可以通过以下方式使用openSSL:
openssl s_client -connect exchange01.int.contoso.com:25 -starttls smtp
根据您的MS Exchange环境中的configuration,可能会在这里应用多种解决scheme(请参阅此处了解更多信息):
更新(由于您的编辑):它看起来像SMTP服务没有根据您的疑难解答使用正确的证书。 所以下面应该把它弄明白:
Enable-ExchangeCertificate -Thumbprint D1215C7C1E5D674E7C244FCB776D60F93E -Identity mailserver1.example.com -Services SMTP
你需要为你的Exchange服务器运行它。