I have IIS 5.0 configured to send everything to a non-MS smarthost.
Outbound Security is Basic Authentication w/user+pass over TLS.
This has been working fine for 6 months, but stopped working the
other day when the smarthost's root certificate expired.

I deleted all traces that I could find of the old CA cert
from the IIS machine, and installed the new one in the
Local Machine \ TRCA branch.

Now IIS will STARTTLS okay, but it never tries to send
an AUTH command. The other side is offering LOGIN and PLAIN.

The smarthost is working for other clients, just not IIS.

What could be wrong?
Why wouldn't IIS send the AUTH command?

Re: SMTP AUTH not happening by Egbert

Egbert
Sat Feb 05 07:13:24 CST 2005

"Chris Stacy" <news.cstacy@dtpq.com> wrote in message
news:exXtW6oCFHA.3908@TK2MSFTNGP12.phx.gbl...
>I have IIS 5.0 configured to send everything to a non-MS smarthost.
> Outbound Security is Basic Authentication w/user+pass over TLS.
> This has been working fine for 6 months, but stopped working the
> other day when the smarthost's root certificate expired.
>
> I deleted all traces that I could find of the old CA cert
> from the IIS machine, and installed the new one in the
> Local Machine \ TRCA branch.
>
> Now IIS will STARTTLS okay, but it never tries to send
> an AUTH command. The other side is offering LOGIN and PLAIN.

Besides installing a new certificate in the certificate container, does IIS
(SMTP) indicate that it is using that certificate?


> The smarthost is working for other clients, just not IIS.
>
> What could be wrong?
> Why wouldn't IIS send the AUTH command?


Re: SMTP AUTH not happening by Chris

Chris
Sat Feb 05 19:48:47 CST 2005

Egbert Nierop (MVP for IIS) wrote:
> "Chris Stacy" <news.cstacy@dtpq.com> wrote in message
> news:exXtW6oCFHA.3908@TK2MSFTNGP12.phx.gbl...
>
>> I have IIS 5.0 configured to send everything to a non-MS smarthost.
>> Outbound Security is Basic Authentication w/user+pass over TLS.
>> This has been working fine for 6 months, but stopped working the
>> other day when the smarthost's root certificate expired.
>>
>> I deleted all traces that I could find of the old CA cert
>> from the IIS machine, and installed the new one in the
>> Local Machine \ TRCA branch.
>>
>> Now IIS will STARTTLS okay, but it never tries to send
>> an AUTH command. The other side is offering LOGIN and PLAIN.
>
>
> Besides installing a new certificate in the certificate container, does
> IIS (SMTP) indicate that it is using that certificate?

I don't think it was doing TLS when the certificate was expired.
Is there some way to get IIS to actually log some sort of indication
that it is using the certificate?

BTW, I think I am having a similar problem when using Postfix as
a client to sendmail. It is also successfully doing STARTTLS,
but then it complains that the certificate cannot be verified.

My theory has always been that something is wrong with either
the sendmail certificate or its CA certificate. My latest
suspicion is that the problem is that the sendmail cert's CN
is the same for both Issuer and Subject, causing it to be
considered a self-signed certificate even though the full
Distinguished Names are different from each other.

Re: SMTP AUTH not happening by Egbert

Egbert
Sun Feb 06 05:55:45 CST 2005

"Chris Stacy" <news01@news.dtpq.com> wrote in message
news:%23b2NB4%23CFHA.3132@TK2MSFTNGP09.phx.gbl...
> Egbert Nierop (MVP for IIS) wrote:
>> "Chris Stacy" <news.cstacy@dtpq.com> wrote in message
>> news:exXtW6oCFHA.3908@TK2MSFTNGP12.phx.gbl...
>>
>>> I have IIS 5.0 configured to send everything to a non-MS smarthost.
>>> Outbound Security is Basic Authentication w/user+pass over TLS.
>>> This has been working fine for 6 months, but stopped working the
>>> other day when the smarthost's root certificate expired.
>>>
>>> I deleted all traces that I could find of the old CA cert
>>> from the IIS machine, and installed the new one in the
>>> Local Machine \ TRCA branch.
>>>
>>> Now IIS will STARTTLS okay, but it never tries to send
>>> an AUTH command. The other side is offering LOGIN and PLAIN.
>>
>>
>> Besides installing a new certificate in the certificate container, does
>> IIS (SMTP) indicate that it is using that certificate?
>
> I don't think it was doing TLS when the certificate was expired.
> Is there some way to get IIS to actually log some sort of indication
> that it is using the certificate?

I remember that I have made the log show the authentication method...

> BTW, I think I am having a similar problem when using Postfix as
> a client to sendmail. It is also successfully doing STARTTLS,
> but then it complains that the certificate cannot be verified.
>
> My theory has always been that something is wrong with either
> the sendmail certificate or its CA certificate. My latest
> suspicion is that the problem is that the sendmail cert's CN
> is the same for both Issuer and Subject, causing it to be
> considered a self-signed certificate even though the full
> Distinguished Names are different from each other.

There you go. Sometimes test certificates are not trusted, so the other
party must trust the 'self-made issuer'. Also, if the hostnames
differ, it does not work either.


Re: SMTP AUTH not happening by Chris

Chris
Mon Feb 07 23:39:15 CST 2005

Egbert Nierop (MVP for IIS) wrote:
> "Chris Stacy" <news01@news.dtpq.com> wrote in message
> news:%23b2NB4%23CFHA.3132@TK2MSFTNGP09.phx.gbl...
>
>> Egbert Nierop (MVP for IIS) wrote:
>>
>>> "Chris Stacy" <news.cstacy@dtpq.com> wrote in message
>>> news:exXtW6oCFHA.3908@TK2MSFTNGP12.phx.gbl...
>>>
>>>> I have IIS 5.0 configured to send everything to a non-MS smarthost.
>>>> Outbound Security is Basic Authentication w/user+pass over TLS.
>>>> This has been working fine for 6 months, but stopped working the
>>>> other day when the smarthost's root certificate expired.
>>>>
>>>> I deleted all traces that I could find of the old CA cert
>>>> from the IIS machine, and installed the new one in the
>>>> Local Machine \ TRCA branch.
>>>>
>>>> Now IIS will STARTTLS okay, but it never tries to send
>>>> an AUTH command. The other side is offering LOGIN and PLAIN.
>>>
>>>
>>>
>>> Besides installing a new certificate in the certificate container,
>>> does IIS (SMTP) indicate that it is using that certificate?
>>
>>
>> I don't think it was doing TLS when the certificate was expired.
>> Is there some way to get IIS to actually log some sort of indication
>> that it is using the certificate?

What I said was: it stopped doing TLS when the Issuer's certificate
was expired, and that it started doing TLS again when the new CA
certificate was installed. I also asked if there was a way to
enable any useful logging for the SMTP service.

What are you trying to say?

> I remember that I have made the log show the authentication method...
>
>> BTW, I think I am having a similar problem when using Postfix as
>> a client to sendmail. It is also successfully doing STARTTLS,
>> but then it complains that the certificate cannot be verified.
>>
>> My theory has always been that something is wrong with either
>> the sendmail certificate or its CA certificate. My latest
>> suspicion is that the problem is that the sendmail cert's CN
>> is the same for both Issuer and Subject, causing it to be
>> considered a self-signed certificate even though the full
>> Distinguished Names are different from each other.
>
>
> There you go. Sometimes test certificates are not trusted, so the other
> party must trust the 'self-made issuer'. Also, if the hostnames
> differ, it does not work either.

There you -- what? There are no test certificates installed.
I don't understand what you are trying to tell me here.

You appear to be babbling incoherently.


Re: SMTP AUTH not happening by Egbert

Egbert
Wed Feb 23 03:46:32 CST 2005

"Chris Stacy" <news01@news.dtpq.com> wrote in message
news:etSLICaDFHA.1628@TK2MSFTNGP15.phx.gbl...
> Egbert Nierop (MVP for IIS) wrote:
>> "Chris Stacy" <news01@news.dtpq.com> wrote in message
>> news:%23b2NB4%23CFHA.3132@TK2MSFTNGP09.phx.gbl...
>>
>>> Egbert Nierop (MVP for IIS) wrote:
>>>
>>>> "Chris Stacy" <news.cstacy@dtpq.com> wrote in message
>>>> news:exXtW6oCFHA.3908@TK2MSFTNGP12.phx.gbl...
>>>>
>>>>> I have IIS 5.0 configured to send everything to a non-MS smarthost.
>>>>> Outbound Security is Basic Authentication w/user+pass over TLS.
>>>>> This has been working fine for 6 months, but stopped working the
>>>>> other day when the smarthost's root certificate expired.
>>>>>
>>>>> I deleted all traces that I could find of the old CA cert
>>>>> from the IIS machine, and installed the new one in the
>>>>> Local Machine \ TRCA branch.
>>>>>
>>>>> Now IIS will STARTTLS okay, but it never tries to send
>>>>> an AUTH command. The other side is offering LOGIN and PLAIN.

TLS is 'only' encryption. To force or enable authentication, there are
other options you need to set at both SMTP hosts.

>>>>
>>>>
>>>> Besides installing a new certificate in the certificate container, does
>>>> IIS (SMTP) indicate that it is using that certificate?
>>>
>>>
>>> I don't think it was doing TLS when the certificate was expired.
>>> Is there some way to get IIS to actually log some sort of indication
>>> that it is using the certificate?

See below

> What I said was: it stopped doing TLS when the Issuer's certificate
> was expired, and that it started doing TLS again when the new CA
> certificate was installed. I also asked if there was a way to
> enable any useful logging for the SMTP service.
>
> What are you trying to say?

I admire your parents for teaching you to be polite.
I said:
1) TLS stopped working when the certificate was not correct.
2) TLS worked only if the remote host asked for TLS, so it is optional
unless you configure it.

But I understand you were not asking for troubleshooting TLS.


>> I remember that I have made the log show the authentication method...
>>
>>
>>
>> There you go. Sometimes test certificates are not trusted, so the other
>> party must trust the 'self-made issuer'. Also, if the hostnames
>> differ, it does not work either.
>
> There you -- what? There are no test certificates installed.
> I don't understand what you are trying to tell me here.
>
> You appear to be babbling incoherently.

Thank you for being thankful.

<Besides installing a new certificate in the certificate container, does IIS
(SMTP) indicate that it is using that certificate?>

Look at your SMTP configuration - Logging - click 'Properties' - 'Advanced'
tab, and enable logging of the Method (cs-method)...

Authentication will only be performed if you indicate so in the configuration,
and if the remote server indicates it wants authentication, SMTP can support
it.

To see if you do support it, just see your authentication button at the
'Access Tab'.
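As an added example (not from the thread, and not IIS or sendmail code), the Python below shows the two checks a defender would run to separate the threads' two questions: whether the smarthost actually advertises AUTH after STARTTLS (so that a client configured for basic auth over TLS has something to respond to, as Egbert's last post argues), and whether Chris's "same CN in Issuer and Subject" theory would make a certificate self-issued (it does not; the whole DN must match). The SMTP transcript and the DNs are constructed sample input.

```python
import re

# Constructed server-side transcript (not from the thread): STARTTLS succeeds, then LOGIN/PLAIN.
TRANSCRIPT = """\
250-smarthost.example.net
250-STARTTLS
250 SIZE 10485760
220 2.0.0 Ready to start TLS
250-smarthost.example.net
250-AUTH LOGIN PLAIN
250 SIZE 10485760
"""

def ehlo_capabilities(transcript):
    """One dict per EHLO response ({EXTENSION: [args]}); a response is a run of '250-' lines closed by '250 '."""
    responses, current = [], None
    for line in transcript.splitlines():
        m = re.match(r"250([- ])(.*)", line)
        if not m:
            continue          # banners, 220 after STARTTLS, etc. carry no extension
        sep, text = m.groups()
        if current is None:
            current = {}      # first line of a response is the greeting, not an extension
        else:
            key, _, args = text.partition(" ")
            current[key.upper()] = args.split()
        if sep == " ":
            responses.append(current)
            current = None
    return responses

def auth_decision(transcript):
    """What a client set to 'basic auth over TLS' should conclude from the two EHLO responses."""
    caps = ehlo_capabilities(transcript)
    before, after = (caps + [{}, {}])[:2]   # EHLO before STARTTLS, EHLO after STARTTLS
    mechs = set(after.get("AUTH", []))
    return {
        "starttls_offered": "STARTTLS" in before,
        "auth_after_tls": sorted(mechs),
        # AUTH is only sent if the client is configured for it AND a usable mechanism is offered
        "client_should_auth": "STARTTLS" in before and bool(mechs & {"LOGIN", "PLAIN"}),
    }

def parse_dn(dn):
    """Split an RFC 4514 style DN into (attr, value) pairs (simplified: no escaped commas)."""
    return tuple(tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(","))

def looks_self_signed(issuer_dn, subject_dn):
    """Self-issued means the whole issuer DN equals the whole subject DN; a matching CN alone does not."""
    return parse_dn(issuer_dn) == parse_dn(subject_dn)
```

If the post-TLS EHLO reports LOGIN and PLAIN but the client still sends no AUTH, the transcript exonerates the server and the remaining suspect is the client's outbound security setting.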