Bill Swan

TLS 1.2 communication with a BANK ( UK Based )

Hi All

Quote from Bank Support

Unfortunately, when we checked the TLS compatibility of your domain we noted that you currently use a self-signed certificate to support your current TLS configuration (as illustrated below). 

SSLVersion in use: TLSv1_2

Cipher in use: ECDHE-RSA-AES256-GCM-SHA384

Perfect Forward Secrecy: yes

Session Algorithm in use: Curve X25519 DHE(253 bits)

Certificate #1 of 1 (sent by MX):

Cert VALIDATION ERROR(S): unable to get local issuer certificate

This may help: What Is An Intermediate Certificate

So email is encrypted but the recipient domain is not verified

Cert Hostname DOES NOT VERIFY (mail.companydomian.co.uk != Exchsvr | DNS:Exchsvr | DNS:Exchsvr.companyname.local)

So email is encrypted but the host is not verified

Not Valid Before: Jan 12 16:12:54 2020 GMT

Not Valid After: Jan 12 16:12:54 2025 GMT

We do use Let's Encrypt / Certify the Web. I presume the bank is getting the internal info from the receive connectors. If I try to change the EHLO to mail.company.co.uk I get the error in Capture3. Do I need to change the settings in the security settings of the receive connector, and in doing so what will it affect?

P.S. The bank also says this (Let's Encrypt is not on the list):

Our TLS provider insists that a verified certificate from an approved certificate authority (https://knowledge.broadcom.com/external/article/161437/trusted-certificate-authorities-when-enf.html ) is in place before configuring Enforced TLS.

asked 06/14/2022 15:20
Mariette Knap

If you want to encrypt outgoing mail, please check the config of your send connector and set it to mail.companydomian.co.uk. Let's Encrypt is the largest CA in the world, so if that is a problem I suggest you find another bank.

Bill Swan

Thanks for approving and replying.

It's not outgoing. The bank receives fine from my clients (send connector has mail.companydomain.co.uk), but the bank cannot send to my client; the staff receive a bounce back, and of course they have no control as it's the bank's IT... Lloyds.

Remote Server returned '554 5.4.0 < #4.7.5 smtp; 454 4.7.5 [internal] verify error:num=21:unable to verify the first certificate:depth=0:/CN=Exchsvr> ( Exchsvr being Exchange 2016 server name )

It's the receive connectors having internal server configurations, and I presume they need mail.companydomain.co.uk in the EHLO, but if I try to change to mail.companydomain.co.uk I get the information in the first attachment uploaded. So I presume I have to change some security settings on the receive connector, but I'm unsure which, and what effect that may have internally.

This is the only bank I know of implementing this, and there is no chance of changing banks: they bank with them, and they deal with their subsidiaries for their clients' finance.

Attached files again.

replied 06/14/2022 17:47
Bill Swan

Just some more info...

I don't think it's the receive connectors. I think TLS 1.2 communication is picking up the server's self-signed certificate.

Is there a way for it to have the Let's Encrypt cert?

Thanks


replied 06/16/2022 07:00
Bill Swan

Update. I think I'm getting there, and this may help others.

1. This link shows TlsCertificateName is blank (on the receive connector):
https://everything-powershell.com/exchange-2019-set-tls-certificate-name-on-your-receive-connector/

2. However, I get:
Cannot process argument transformation on parameter 'TlsCertificateName'. Cannot convert value "CN=R3, O=Let's
Encrypt, C=USCN=remote.domainname.co.uk" to type "Microsoft.Exchange.Data.SmtpX509Identifier". Error: ""CN=R3,
O=Let's Encrypt, C=USCN=remote.domainname.co.uk" isn't a valid Certificate Identifier."
    + CategoryInfo          : InvalidData: (:) [Set-ReceiveConnector], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformati ,Set-ReceiveConnector
    + PSComputerName        : exchsvr.domain.local

This was the issue: I have a dual-name cert (remote. and mail.).
https://stackoverflow.com/questions/62092609/exchange-2016-error-assigning-tlscertificatename-to-receive-connector

However, I do not know how they solved it; could someone assist?

The SSL certificate I'm using is a Multi-domain certificate, and since the common name can only contain up to one entry, the certificate uses a field called Subject Alternate Name (SAN) which allows multiple names to be included. Therefore there is no CN field available in the subject.

Exchange does not read/use the SAN field and wasn't accepting the command because of the missing CN (wish this was documented somewhere and their support knew it as well).

The solution was to use the contents of the TLSCertName variable in the command, and manually add the CN value to the subject section.

replied 06/16/2022 07:55
Last Activity 06/16/2022 19:12
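For reference, here is how the `<I>issuer<S>subject` identifier Exchange expects can be built from the certificate object instead of typed by hand. This is an added Exchange Management Shell example, not from the thread or from Microsoft; the thumbprint and connector name are placeholders, and the fallback that composes a CN from the first SAN entry is an assumption about how to handle a subject with no CN.

```powershell
# Added example (not from the thread): set TlsCertificateName on a receive
# connector from the certificate's own Issuer/Subject strings so the
# "<I>...<S>..." identifier is exactly what Exchange expects.
$thumbprint = "PLACEHOLDER_THUMBPRINT"          # placeholder: thumbprint of the Let's Encrypt cert
$connector  = "EXCHSVR\Default Frontend EXCHSVR"  # placeholder: receive connector identity

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint

# A SAN-only certificate can have an empty Subject, and Exchange rejects an
# identifier without a CN. Assumption: the first SAN entry (CertificateDomains)
# is the public name (e.g. mail.<domain>) the remote side verifies.
$subject = $cert.Subject
if ([string]::IsNullOrWhiteSpace($subject) -or $subject -notmatch 'CN=') {
    $subject = "CN=" + $cert.CertificateDomains[0]
}

$tlsCertName = "<I>$($cert.Issuer)<S>$subject"
Write-Host "TlsCertificateName will be: $tlsCertName"

# Dry run first, then apply.
Set-ReceiveConnector -Identity $connector -TlsCertificateName $tlsCertName -WhatIf
Set-ReceiveConnector -Identity $connector -TlsCertificateName $tlsCertName

# Confirm the connector now advertises the intended name and certificate.
Get-ReceiveConnector -Identity $connector | Format-List Identity, Fqdn, TlsCertificateName
```

Pasting the value into a forum can strip the `<I>` and `<S>` markers (they look like HTML tags), which is why the error in the thread shows issuer and subject run together; building the string in the shell avoids that.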