Exchange 2007: Transport error when sending emails using TLS (0x80040213)

  • Article

Ok, this was a fun case and I never had such fun on a CDOSYS case & I am lying. I spent nearly all day in hunting down a Transport failure issue when sending emails using CDOSYS and Exchange 2007 as backend.

This was the configuration of the default Receive connector, pretty secured…huh??? Yeah!!!

image

Goal: Send secured emails using CDOSYS over TLS using BASIC authentication

Challenges: ‘80040213’ The transport failed to connect to the server.

I confirmed that the issue is not in connectivity and I could easily do a telnet to port 25 and get the banner and supported verbs lists. The problem was that I could not do STARTTLS… heck it was not listed in the verbs list. With my “Mr. Fix It” cap on I took an ETL trace and started debugging the issue.

I concluded that the certificates was the blocking issue, and I quickly turned back to the Event Viewer to see the following event log

Event Type: Error

Event Source: MSExchangeTransport

Event Category: TransportService

Event ID: 12014

Date: 7/23/2010

Time: 6:26:25 PM

User: N/A

Computer: MSGEX07

Description:

Microsoft Exchange couldn't find a certificate that contains the domain name msgex07.msglab.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default with a FQDN parameter of msgex07.msglab.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

 

 

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.

clip_image001

Once I have resolved the Certificate issues, I can see the STARTTLS verb supported by the Exchange server.

clip_image001[5]

If you do not see STARTTLS and DO see the event log entry then you need to verify the following things

1) The FQDN of the server which is specified in the code, abc.xyz.com MUST match with the FQDN of the certificate

2) The FQDN of the Receive Connector MUST match the FQDN of the certificate

3) The Certificate in itself should be a valid one (not expired or with missing root CA)

You can verify these details with the help of your Exchange Admin and the following Powershell Cmdlet

Get-ExchangeCertificate | fl

Enable-ExchangeCertificate –Services SMTP

New-ExchangeCertificate

See the below link for more information

Reference: https://technet.microsoft.com/en-us/library/bb430748.aspx