Email Notification Exchange 2013 error

Hi Experts,

I am trying to send an approval email notification in version 8.0, and it gives me the below certificate error.

Please find the below log and configuration parameter.

I have used the same SMTP server in my password manager and notification works well over there.

When I send directly from PowerShell ISE, it also works fine.

Send-MailMessage -From $From -to $To -Subject $Subject -Body $Body -SmtpServer $SMTPServer -port $SMTPPort  -Credential (Get-Credential)

Please advise.

Thanks in advance.

Vijay

  • I'm just curious. Did you try to enable the configuration parameter Common\Mailnotification\TransportSecurity? (you can leave the value AUTO)
  • In reply to Markus Weiss-Ehlers:

    Hi Markus,

    Yes, I tried with your suggestion and also with enabling SSL.
    I am getting the same certificate error message.

    Regards,
    Vijay
  • In reply to vijay.anand:

    If you enable SSL, the error seems to be logical if the server certificate of your email server is a self-signed one or if the machine you run the job server on does not trust the CA that has issued the certificate.
  • In reply to Markus Weiss-Ehlers:

    Markus,

    Irrespective of Auto or SSL, we are getting the certificate error.
    And I tried to open https://SmptpServer/owa on my job server and I can land on the page; there is no certificate error.
    Password manager also uses the same SMTP server and works well.

    Regards,
    Vijay
  • In reply to vijay.anand:

    Vijay,
    What browser are you using? Some use the system certificate store, some use a private store.
  • In reply to George Cerbone:

    George,
    I am using Internet Explorer 11.
    Regards,
    Vijay
  • In reply to vijay.anand:

    IE uses the system store. Another thing to check would be the certificate chain; make sure that the root certificate is trusted in the Machine store, not the user's store.
  • In reply to George Cerbone:

    Hi Markus,

    I am getting the same issue in my labs when running version 8. The same SMTP server is used in version 7, and there is no issue in version 7.

    Regards,

    Enayathulla

  • In reply to Enayathulla Sadhakathulla:

    Enayathulla,

    Can you please be more specific about version 7? Which version of 7 are you referring to where this worked? 7.0.2? 7.1.1?

    Thank you
  • In reply to Markus Weiss-Ehlers:

    Version7_1_1.txt
    2018-02-14 15:28:57 +04:00 - \D1IM-JSW - Process step parameter ada8edf1-0fd5-4361-a5ee-efb667c437a4:
    [Job]
    	ComponentAssembly=MailComponent
    	ComponentClass=VI.JobService.JobComponents.MailComponent
    	Task=SendRichMail
    	Executiontype=EXTERNAL
    [Parameters]
    	Account=svcD1IMService
    	Address=E.SADHAKATHULLA@*****.labs (en-US)
    	AuthenticationString=Hidden
    	BaseObject=<Key><T>PWOHelperPWO</T><P>D9C9CFB9-2152-4966-9577-BC94E247DA12</P></Key>
    	ConnectionProvider=VI.DB.ViSqlFactory,VI.DB
    	ConnectionString=Hidden
    	Domain=*****LABS
    	Encrypt=
    	EncryptionCertificateScript=
    	IgnoreMissingBaseObject=True
    	MailID=QER-3f793fd6c45546b4be0f3f524cf9f66a
    	ParamName1=NoSubscription
    	ParamValue1=https://idm/IdentityManager/page.axd?ContextID=VI_MyData_MailSubscription&aeweb_UID_DialogRichMail=QER-3f793fd6c45546b4be0f3f524cf9f66a
    	Password=Hidden
    	ProcID=e6ba7606-4306-41f9-a636-be5d1b62105d
    	SenderAddress=svc***Service@****.labs
    	Sign=False
    	SignCertificateThumbprint=
    	SmtpPort=587
    	SmtpServer=exch-srv2
    	UseDefaultCredentials=
    
    

    Version8.txt
    2018-02-14 15:00:04 +04:00 - \D1IM2016-SRV01 - Process step parameter 5aad9112-efaa-4c1c-96d8-efec10ecbabb:
    [Job]
    	ComponentAssembly=MailComponent
    	ComponentClass=VI.JobService.JobComponents.MailComponent
    	Task=SendRichMail
    	Executiontype=EXTERNAL
    [Parameters]
    	Account=svc*****Service
    	Address=E.SADHAKATHULLA@*****.labs (en-US)
    	AuthenticationString=Hidden
    	BaseObject=<Key><T>PWOHelperPWO</T><P>AA490E2D-739A-4D80-83EA-6B886B2790F2</P></Key>
    	ConnectionProvider=VI.DB.ViSqlFactory,VI.DB
    	ConnectionString=Hidden
    	Domain=*****LABS
    	Encrypt=
    	EncryptionCertificateScript=
    	IgnoreMissingBaseObject=True
    	MailID=QER-3f793fd6c45546b4be0f3f524cf9f66a
    	ParamName1=NoSubscription
    	ParamValue1=http://D1IM2016-SRV02.*****.labs/IdentityManager//page.axd?ContextID=VI_MyData_MailSubscription&aeweb_UID_DialogRichMail=QER-3f793fd6c45546b4be0f3f524cf9f66a
    	Password=Hidden
    	ProcID=e3fa249c-0f33-4310-8e63-01f8b1dc629d
    	SenderAddress=svc****Service@******.labs
    	Sign=False
    	SignCertificateThumbprint=
    	SmtpPort=587
    	SmtpServer=exch-srv2
    	UseDefaultCredentials=
    
    
    
    
    Error:
    
    2018-02-14 15:00:09 +04:00 - \D1IM2016-SRV01 - VI.JobService.JobComponents.MailComponent - 5aad9112-efaa-4c1c-96d8-efec10ecbabb: Errors occurred
        [System.Security.Authentication.AuthenticationException] The remote certificate is invalid according to the validation procedure.
           at StdioProcessor.StdioProcessor._Execute(Job job)
           at VI.JobService.JobComponents.MailComponent.Activate(String task)
           at VI.JobService.JobComponents.MailComponent._SendRichMail()
           at VI.JobService.JobComponents.MailComponent._Send(MimeMessage message, MailSecurity security)
           at VI.JobService.JobComponents.MailComponent._GetOrOpenSmtpConnection()
           at MailKit.Net.Smtp.SmtpClient.Connect(String host, Int32 port, SecureSocketOptions options, CancellationToken cancellationToken)
           at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
           at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
    

    Hi Markus,

    It was working in version 7.1.1. Please find more details.

  • In reply to Enayathulla Sadhakathulla:

    In version 8, we have updated the 3rd party component that is used for the mail operations. It enforces the normal, Windows-integrated validity checks for the certificate used by the mail server (the older version simply allowed every certificate as valid, which is not a secure choice at all).

    I assume you are using self-signed certificates for your mail server and the job server machine that is executing the jobs does not trust the certificate or the CA that created the certificate.

    So, as written by George Cerbone, you need to ensure that your machine trusts the certificate or the CA if the Job Service is running as system user.

  • In reply to Markus Weiss-Ehlers:

    Hi Markus,

    The certificate is issued by a local CA. I did not get any certificate error in the browser. The Job Service is running using a domain account. The job server is also part of the same domain. Do I need to use the service account used by the Job Service for SMTP authentication? Do I need to get the certificate used by Exchange and install it in the Trusted store of the job server?

  • In reply to Enayathulla Sadhakathulla:

    Did you test the certificate in the browser using the service account of the job server? You need to trust the complete certificate chain including the local CA as the authoritative source.
  • In reply to Markus Weiss-Ehlers:

    Hi Markus,

    Yes. I tested with the service account (logged in to the job server using the service account). There is no certificate error.
  • In reply to Enayathulla Sadhakathulla:

    So this is now the time to contact support I suggest.
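
The browser test against /owa checks the certificate bound to HTTPS, not the one the mail component sees after STARTTLS on port 587, so a direct check of the SMTP endpoint is the more useful comparison. The following is an added example, not part of the thread and not One Identity code: it reads the certificate presented on the SMTP port and reports whether Windows validation fails on the name or on the chain. The server name and port are the `SmtpServer` and `SmtpPort` values from the job log; `Read-SmtpReply` is a helper name introduced here.

```powershell
# Added diagnostic (not from the thread). Run on the job server as the Job Service account.
# Host and port are the SmtpServer/SmtpPort values from the job log; no credentials are sent.
$SmtpServer = 'exch-srv2'
$SmtpPort   = 587

$tcp    = New-Object System.Net.Sockets.TcpClient($SmtpServer, $SmtpPort)
$stream = $tcp.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine   = "`r`n"
$writer.AutoFlush = $true

function Read-SmtpReply {
    # A multi-line reply continues while the 4th character is '-' (e.g. "250-SIZE").
    do { $line = $reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
    $line
}

try {
    $null = Read-SmtpReply                                   # 220 greeting
    $writer.WriteLine("EHLO $env:COMPUTERNAME"); $null = Read-SmtpReply
    $writer.WriteLine('STARTTLS')
    $reply = Read-SmtpReply
    if ($reply -notlike '220*') { throw "STARTTLS not accepted: $reply" }

    # Record what Windows validation reports, then keep the normal verdict:
    # the handshake still fails unless there are no policy errors.
    $script:report = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors)
        $script:report = [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            PolicyErrors = $errors   # RemoteCertificateNameMismatch and/or RemoteCertificateChainErrors
            ChainStatus  = @($chain.ChainStatus   | ForEach-Object { $_.Status }) -join ', '
            Chain        = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        }
        $errors -eq [System.Net.Security.SslPolicyErrors]::None
    }
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
    try   { $ssl.AuthenticateAsClient($SmtpServer); "Certificate accepted for $SmtpServer" }
    catch { 'Handshake rejected: ' + $_.Exception.GetBaseException().Message }
    $script:report | Format-List
}
finally {
    $tcp.Close()
}
```

`RemoteCertificateNameMismatch` means the certificate does not list the name given as `SmtpServer`; `RemoteCertificateChainErrors` together with `UntrustedRoot` or `PartialChain` in `ChainStatus` means the issuing CA is missing from a store the service account can see.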