Exchange 2007:Transport error when sending emails using TLS (0x80040213)

Error: “The transport failed to connect to the server”, Code: 80040213, Source: CDO.Message.1. Does that look familiar? This was something that I kept running into while trying to send mail using CDOSYS with SSL/TLS enabled. Vikas already has a post explaining some of the details that you could refer to, but there are some finer points that need to be kept in mind for you to successfully send out mails. Below is what you should check:

1) Do a Telnet to the SMTP server on port 25 and then issue an ehlo command. This should list the verbs that are supported by the SMTP server. If you do not see “250-STARTTLS” in the list then there is a problem with the certificate and you should fix that first. What can you do to fix it?
   
That really depends on the resources that are available to you. You could purchase a certificate from a Trusted Root Certification Authority or generate one on your own. Assuming that we want to generate one, we could use the New-ExchangeCertificate cmdlet to generate one and associate it with SMTP. In my case my machine was called Ex200701 and my domain was “mycompany.com”. The FQDN for my machine was Ex200701.mycompany.com. Below is how I generated the certificate for my use:

Step 1: New-ExchangeCertificate -DomainName "Ex200701, Ex200701.mycompany.com"
The FQDN specified in the above command should match the one specified in the Receive Connector. This generates a new certificate and shows you the thumbprint of the certificate. Note that thumbprint down.

Step 2: Enable-ExchangeCertificate -Thumbprint "Thumbprint that you noted in the previous Step 1" -Services SMTP
This step associates the certificate with the SMTP service.

Step 3: Restart the Transport service.

Step 4: Do a Telnet to the SMTP server on port 25 and then issue an ehlo command. You should now see “250-STARTTLS” in the list of verbs.

2) When you do a Telnet to the SMTP server on port 25, issue an ehlo command and see “250-STARTTLS” in the list, then most likely the certificate is OK, but be sure to verify the certificate by using the Certificates snap-in and specifically looking at the “Subject Alternative Name” in the certificate details. In case you have more than one certificate installed and you want to know which one is being used by SMTP, the simplest way to find out is to enable Verbose logging on the Receive Connector and then look at the Verbose logs. Below is what the logs look like:

>,"220 Ex200701.mycompany.com Microsoft ESMTP MAIL Service ready at Fri, 25 Feb 2011 14:06:20 -0600",
<,EHLO AKASHB,
>,250-Ex200701.mycompany.com Hello [10.171.79.38],
>,250-SIZE,
>,250-PIPELINING,
>,250-DSN,
>,250-ENHANCEDSTATUSCODES,
>,250-STARTTLS,
>,250-X-ANONYMOUSTLS,
>,250-AUTH GSSAPI NTLM,
>,250-X-EXPS GSSAPI NTLM,
>,250-8BITMIME,
>,250-BINARYMIME,
>,250-CHUNKING,
>,250-XEXCH50,
>,250 XRDST,
<,STARTTLS,
>,220 2.0.0 SMTP server ready,
*,,Sending certificate
*,CN=Ex200701,Certificate subject
*,CN=Ex200701,Certificate issuer name
*,76B8F8FF8379FABD49B1A3E486CE0B31,Certificate serial number
*,480F5316242A7D40E25CF0F0D63827D3A02B5B15,Certificate thumbprint
*,Ex200701;Ex200701.mycompany.com,Certificate alternate names

Note down the Certificate thumbprint, open all the existing certificates and find the one that has a matching thumbprint.

3) Export the certificate to a .cer file. How do you do that? That’s easy: open the certificate by double-clicking it, go to the “Details” tab, click the “Copy to File” button, keep clicking Next with the default options selected, enter a file name to save the file as and you are done.


4) Why do I need to export the certificate? The certificate that we generated in Step 1 is not from a Trusted Root Certification Authority and hence cannot be validated. The certificate will now have to be placed in the “Personal”, “Trusted Root Certification Authorities” and “Intermediate Certification Authorities” folders of the certificate store on the client machine from which you are trying to send the mail (just to be absolutely sure it is found). Please note that the previous step and this step would not be necessary had you purchased the certificate from a Trusted Root Certification Authority.

5) Now, while sending the mail, make sure that you specify one of the names given in the DomainName parameter in Step 1 as the server name in the code, and set the smtpusessl configuration to true. Below is the sample VBScript code I used to send mails out:

Dim iMsg
Dim iConf
Dim Flds

Const cdoSendUsingPort = 2   ' send over the network to the SMTP server (not via a pickup directory)
Const cdoBasic = 1           ' basic authentication; the credentials are protected by TLS once smtpusessl is true
Const cdoNTLM = 2            ' NTLM authentication (not used below)

Set iMsg = CreateObject("CDO.Message")
Set iConf = CreateObject("CDO.Configuration")

' The field names must be the exact CDO configuration namespace URIs (http, not https).
Set Flds = iConf.Fields
With Flds
    .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = cdoSendUsingPort
    ' Must be one of the names passed to -DomainName in Step 1 (see the certificate's alternate names).
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "Ex200701.mycompany.com"
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 30
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = cdoBasic
    .Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "akashb@mycompany.com"
    .Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "Password123"
    ' True = issue STARTTLS on port 25 and validate the server certificate against the client's store.
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = True
    .Update
End With

With iMsg
    Set .Configuration = iConf
    .From = "akashb@mycompany.com"
    .To = "akashb@mycompany.com"
    .Subject = "This is a test CDOSYS message"
    .HTMLBody = "Test Message"
    .Send
End With

' Clean up variables.
Set iMsg = Nothing
Set iConf = Nothing
Set Flds = Nothing

MsgBox "Mail Sent!"
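As an added diagnostic (not code from the original post), the following Python script does what steps 1, 2 and 5 check by hand: it parses the Receive Connector verbose log shown above for the STARTTLS verb, the certificate thumbprint and the alternate names, checks that the smtpserver value you put in the CDO configuration is one of those names, and can probe a server directly to fetch the thumbprint it actually presents. The embedded sample log is constructed from the lines quoted above; the host and port passed to probe_starttls are assumptions.

```python
import hashlib
import smtplib
import ssl

# Constructed sample input: the Receive Connector verbose log quoted above, abridged.
SAMPLE_LOG = """\
>,"220 Ex200701.mycompany.com Microsoft ESMTP MAIL Service ready at Fri, 25 Feb 2011 14:06:20 -0600",
<,EHLO AKASHB,
>,250-Ex200701.mycompany.com Hello [10.171.79.38],
>,250-STARTTLS,
>,250 XRDST,
*,480F5316242A7D40E25CF0F0D63827D3A02B5B15,Certificate thumbprint
*,Ex200701;Ex200701.mycompany.com,Certificate alternate names
"""

def parse_verbose_log(text):
    """Steps 1/2: was STARTTLS advertised, which certificate was sent, which names it has."""
    info = {"starttls": False, "thumbprint": None, "alt_names": []}
    for line in text.splitlines():
        parts = line.split(",", 2)          # direction, payload, description
        if len(parts) < 2:
            continue
        direction, payload = parts[0], parts[1]
        if direction == ">" and payload.startswith("250-STARTTLS"):
            info["starttls"] = True
        elif direction == "*" and len(parts) == 3:
            if parts[2] == "Certificate thumbprint":
                info["thumbprint"] = payload.upper()
            elif parts[2] == "Certificate alternate names":
                info["alt_names"] = payload.split(";")
    return info

def name_matches(server_name, alt_names):
    """Step 5: the smtpserver value must be one of the certificate's names (case-insensitive)."""
    return server_name.lower() in {n.lower() for n in alt_names}

def probe_starttls(host, port=25):
    """Client-side telnet replacement: EHLO, STARTTLS, return the SHA-1 thumbprint of the
    certificate presented (None if no STARTTLS); verification is off only to fetch it."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
        return hashlib.sha1(der).hexdigest().upper()
```

Compare the thumbprint returned by probe_starttls (or parsed from the log) with the one you enabled in Step 2; a different value means SMTP is serving another certificate, and a server name that fails name_matches is exactly the mismatch that produces 0x80040213.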

6) You should now be able to send out mails successfully using SSL. If you still cannot send out mails, configure Outlook Express using the same server and user details and remember to enable SSL for Outgoing mail.


If Outlook Express sends out a test mail fine then your code should also be able to do it. If not, Outlook Express will give you the exact error you are running into and will help you troubleshoot the problem further. OOPS! I just let out a secret!

Enjoy!