
Event ID:12014: unable to support the STARTTLS SMTP verb for the connector Does it matter?


Frank

Nov 26, 2009, 5:49:53 AM
In order to send mail to the rest of the world I have put a fqdn on the send
connector which matches the PTR record for the IP address.

I get a warning:
Source: MSExchangeTransport
Event ID: 12014

Microsoft Exchange couldn't find a certificate that contains the domain name
foo.bar in the personal store on the local computer. Therefore, it is unable
to support the STARTTLS SMTP verb for the connector RestOfWorld with a FQDN
parameter of foo.bar

Does it really matter if I am sending SMTP to the internet?

Frank


Martijn Bellaard

Nov 26, 2009, 9:26:55 AM
Dear Frank

Yes and No
Yes: If you want to use SSL for SMTP. Sometimes partners will ask for SMTP
over SSL.
No: If you like to be unsecure and don't want to use SSL.

Martijn Bellaard


Frank

Nov 26, 2009, 10:03:54 AM
Thanks for your input Martijn

How often will an SMTP server that is set up to receive standard internet mail
ask for SSL?

I guess if I was sending to a known partner then I could make a specific
send connector for that domain

F


Rich Matheisen [MVP]

Nov 26, 2009, 2:01:37 PM
On Thu, 26 Nov 2009 10:49:53 -0000, "Frank" <nor...@127.0.0.1> wrote:

>In order to send mail to the rest of the world I have put a fqdn on the send
>connector which matches the PTR record for the IP address.

No, you don't. While there may be some overzealous admins out there,
there's no requirement that the name on the PTR must match the name in
the EHLO/HELO command. It's not a bad idea to have them match, but
usually only a PTR record for the IP is needed.

>I get a warning:
>Source: MSExchangeTransport
>Event ID: 12014
>
>Microsoft Exchange couldn't find a certificate that contains the domain name
>foo.bar in the personal store on the local computer. Therefore, it is unable
>to support the STARTTLS SMTP verb for the connector RestOfWorld with a FQDN
>parameter of foo.bar
>
>Does it really matter if I am sending SMTP to the internet?

Sending? Not usually. The only time you'd HAVE to use TLS is if the
receiving MTA accepted only TLS connections.
---
Rich Matheisen
MCSE+I, Exchange MVP

Ed Crowley [MVP]

Nov 26, 2009, 9:27:28 PM
Exchange 2007 servers will communicate to each other using TLS when both are
so configured with certificates.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

Frank

Nov 29, 2009, 9:17:10 AM
"Rich Matheisen [MVP]" wrote:

> Sending? Not usually. The only time you'd HAVE to use TLS is if the
> receiving MTA accepted only TLS connections.

Thanks Rich and everyone else who replied

I do wish Microsoft wouldn't give us red error log messages when something
may be discretionary, it leads us to devalue the logs, and perhaps ignore a
warning when it should be heeded.

F


Martijn Bellaard

Nov 29, 2009, 9:38:27 AM
Dear Frank

> I guess if I was sending to a known partner then I could make a specific
> send connector for that domain

Yes you can.

Martijn


Rich Matheisen [MVP]

Nov 29, 2009, 11:42:27 AM

The error is legitimate. You may, or may not, encounter email systems
that require the use of TLS. You can pretty easily create a
self-signed certificate for the machine, or use your own CA to create
certificates for this, and other, machines in your own forest. Or you
can spend $30 and get an SSL/TLS cert from a CA such as godaddy.com.

Your question wasn't whether you /should/ ignore the event. You asked
if you /could/ ignore it. As with many things, ignoring them is okay
until they become an issue.

Frank

Nov 30, 2009, 12:12:05 PM
"Rich Matheisen [MVP]" wrote:

> You can pretty easily create a self-signed certificate for the machine,
> or use your own CA to create certificates for this, and other, machines
> in your own forest.

Do you have a link to instructions on how to do the above for Exchange 07?

F


Rich Matheisen [MVP]

Nov 30, 2009, 9:42:36 PM

The CA is a "Windows thing". You'll get better answers in the Windows
newsgroups.

Once you have your CA installed and operational you can use the
New-ExchangeCertificate cmdlet. DigiCert has a nice web page that'll
create the cmdlet for you:
https://www.digicert.com/easy-csr/exchange2007.htm


TechNet and other web pages have lots of help, too:
http://technet.microsoft.com/en-us/library/bb310781.aspx
http://msexchangeteam.com/archive/2007/02/19/435472.aspx
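
The check behind Event ID 12014 and the self-signed fix discussed above, as an added Exchange Management Shell example (not part of the thread and not Microsoft's own script). The connector name RestOfWorld comes from the event text in the first post; the variable names are illustrative.

```powershell
# Added example. Run in the Exchange Management Shell on the transport server.
# 'RestOfWorld' is the connector name quoted in the event text above.
$connector = Get-SendConnector -Identity 'RestOfWorld'
if (-not $connector.Fqdn) {
    throw "Send connector 'RestOfWorld' has no FQDN set; nothing to match."
}
$fqdn = $connector.Fqdn.ToString()
$now  = Get-Date

# Certificates in the local computer's personal store that name the FQDN,
# are inside their validity period, and have a private key (needed for TLS).
$matching = @(Get-ExchangeCertificate -DomainName $fqdn |
    Where-Object {
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and $_.HasPrivateKey
    })

if ($matching.Count -eq 0) {
    # The condition Event ID 12014 reports: no certificate contains the FQDN.
    # Create a self-signed certificate for it and enable it for SMTP.
    $cert = New-ExchangeCertificate -DomainName $fqdn -Services SMTP
}
else {
    # A usable certificate exists; pick the one that expires last and make
    # sure it is enabled for the SMTP service.
    $cert = $matching | Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($cert.Services -notmatch 'SMTP') {
        Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
    }
}

# Show what the connector can now present for STARTTLS.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

For a certificate issued by your own CA or a public CA instead, New-ExchangeCertificate with -GenerateRequest and -Path writes a request file to submit to that CA.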

Frank

Dec 1, 2009, 5:19:35 AM
Thanks Rich

I'll follow those up
F

