Internal transport certificate expired

by Shijaz Abdulla on 27.01.2009 at 16:47

The internal transport certificate is generated automatically on the Exchange Server 2007 Hub Transport server and is usually valid for only one year. Once it expires, the Edge Transport servers subscribed to that Hub via EdgeSync log a continuous stream of event 12019 errors.

Event Type:      Error
Event Source:    MSExchangeTransport
Event Category:  TransportService
Event ID:        12019
Date:            1/27/2009
Time:            4:46:34 PM
User:            N/A
Computer:        EDGETRANSPORT
Description:
The remote internal transport certificate expired. Certificate subject: CN=<hub transport server>.

You can generate a new SMTP transport certificate on the Hub transport server by running the New-ExchangeCertificate cmdlet with no arguments.

This automatically generates a new certificate. You then need to restart the Microsoft Exchange EdgeSync service so that the subscribed Edge Transport servers are informed of the change.
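The following is an added example, not code from the original post. Run from the Exchange Management Shell on the Hub Transport server, it reports how long each SMTP-bound certificate has left (so the expiry is caught before the Edge servers start logging event 12019) and, if the self-signed transport certificate has already expired, performs the same two steps the post describes. The 30-day warning threshold and the service name MSExchangeEdgeSync (display name "Microsoft Exchange EdgeSync") are assumptions of this example.

```powershell
# Added example (not from the original post). Assumes the Exchange Management
# Shell on a Hub Transport server; the 30-day threshold and the service name
# MSExchangeEdgeSync are assumptions for this example.

$warnDays = 30
$now      = Get-Date

# Every certificate Exchange knows about that is enabled for the SMTP service.
# The self-signed internal transport certificate is among them; its Subject is
# the server's own name, matching "CN=<hub transport server>" in event 12019.
$smtpCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'SMTP' }

$selfSignedExpired = $false
foreach ($cert in $smtpCerts) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $label    = "{0} [{1}]" -f $cert.Subject, $cert.Thumbprint

    if ($daysLeft -lt 0) {
        Write-Warning ("{0} expired on {1:yyyy-MM-dd}; subscribed Edge servers will log event 12019" -f $label, $cert.NotAfter)
        if ($cert.IsSelfSigned) { $selfSignedExpired = $true }
    }
    elseif ($daysLeft -lt $warnDays) {
        Write-Warning ("{0} expires in {1} days ({2:yyyy-MM-dd}); renew it before then" -f $label, $daysLeft, $cert.NotAfter)
    }
    else {
        Write-Host ("{0} OK, {1} days left" -f $label, $daysLeft)
    }
}

if ($selfSignedExpired) {
    # Same two steps as the post: a parameterless New-ExchangeCertificate creates
    # a fresh self-signed SMTP certificate, and restarting EdgeSync pushes the
    # change out to the subscribed Edge Transport servers.
    New-ExchangeCertificate
    Restart-Service -Name MSExchangeEdgeSync
}
```

Scheduling this as a weekly task gives a 30-day warning window instead of discovering the expiry from the Edge servers' event logs; only an expired self-signed certificate triggers the renewal, since New-ExchangeCertificate without arguments does nothing for a third-party certificate.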

4.7.0 Timeout waiting for client Input

by Shijaz Abdulla on 15.04.2008 at 08:31

A few weeks ago, when we switched from our Exchange 2003 relay servers to our Exchange 2007 Edge Transport servers, we experienced problems receiving email from specific domains.

I checked the message tracking logs and I could not find a trace of these emails. So I enabled Protocol Logging on the edge transport servers and found something interesting:

2008-03-18T07:02:47.218Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,0,xx.xx.xx.xx:25,203.91.198.75:28664,+,,
2008-03-18T07:02:47.218Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,1,xx.xx.xx.xx:25,203.91.198.75:28664,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2008-03-18T07:02:47.218Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,2,xx.xx.xx.xx:25,203.91.198.75:28664,>,"220 myserver.mydomain.com Microsoft ESMTP MAIL Service ready at Tue, 18 Mar 2008 11:02:47 +0400",
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,3,xx.xx.xx.xx:25,203.91.198.75:28664,<,EHLO wipro-blr-out02.wipro.com,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,4,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-myserver.mydomain.com Hello [203.91.198.75],
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,5,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-SIZE 10485760,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,6,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-PIPELINING,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,7,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-DSN,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,8,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-ENHANCEDSTATUSCODES,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,9,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-STARTTLS,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,10,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-X-ANONYMOUSTLS,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,11,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-AUTH,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,12,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-X-EXPS NTLM,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,13,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-8BITMIME,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,14,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-BINARYMIME,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,15,xx.xx.xx.xx:25,203.91.198.75:28664,>,250-CHUNKING,
2008-03-18T07:02:47.296Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,16,xx.xx.xx.xx:25,203.91.198.75:28664,>,250 XEXCH50,
. . .
2008-03-18T07:05:24.781Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,17,xx.xx.xx.xx:25,203.91.198.75:28664,>,451 4.7.0 Timeout waiting for client input,
2008-03-18T07:05:24.781Z,myserverDefault internal receive connector myserver,08CA51E4179C05C2,18,xx.xx.xx.xx:25,203.91.198.75:28664,-,,Local

It seems that the remote server establishes an SMTP session with the Edge Transport server and, after the initial exchange of EHLO greetings, goes silent. After a timeout period (defined by the ConnectionTimeout and ConnectionInactivityTimeout properties of the Receive connector), the Edge Transport server closes the connection with a 451 4.7.0 Timeout waiting for client input.
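Reading protocol logs by eye does not scale once several domains are affected. The following is an added example, not code from the original post: it takes SMTP receive protocol-log lines in the same nine-field CSV layout as the log above, groups them by session and reports every session the Edge server closed with the 451 4.7.0 timeout, together with the last command the client sent and how long it stayed silent. The log lines embedded in it are constructed for the example (addresses and host names are placeholders); on an Edge server you would feed it Get-Content over the SmtpReceive log files instead.

```powershell
# Added example (not from the original post). Parses Exchange 2007 SMTP receive
# protocol-log lines and reports sessions that ended in
# "451 4.7.0 Timeout waiting for client input". Sample lines are constructed.

function Find-TimedOutSmtpSessions {
    param([string[]]$Lines)

    # Field names as written in the log's "#Fields:" header line.
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'

    # Drop blank lines and the #Software/#Version/#Fields header lines.
    $events = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
              ConvertFrom-Csv -Header $fields

    $events | Group-Object -Property 'session-id' | ForEach-Object {
        $session = $_.Group | Sort-Object -Property { [int]$_.'sequence-number' }

        # '>' marks a server-to-client line; the timeout is the server's last reply.
        $timeout = $session | Where-Object {
            $_.event -eq '>' -and $_.data -like '451 4.7.0 Timeout waiting for client input*'
        } | Select-Object -First 1
        if (-not $timeout) { return }   # inside ForEach-Object, return skips this session

        # '<' marks a client-to-server line; the last one shows where the client went quiet.
        $lastClient = $session | Where-Object { $_.event -eq '<' } | Select-Object -Last 1
        $since  = if ($lastClient) { $lastClient } else { $session[0] }   # else measure from session open
        $silent = ([datetime]$timeout.'date-time') - ([datetime]$since.'date-time')

        New-Object PSObject -Property @{
            SessionId     = $_.Name
            RemoteHost    = $timeout.'remote-endpoint'
            LastClientCmd = if ($lastClient) { $lastClient.data } else { '(none after banner)' }
            SilentSeconds = [int]$silent.TotalSeconds
        }
    }
}

# Constructed sample: one session that stalls after EHLO (as in the post) and one
# healthy session that continues with MAIL FROM and ends with QUIT.
$sampleLog = @'
2008-03-18T07:02:47.218Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05C2,0,10.0.0.5:25,203.0.113.10:28664,+,,
2008-03-18T07:02:47.218Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05C2,2,10.0.0.5:25,203.0.113.10:28664,>,"220 edge.example.com Microsoft ESMTP MAIL Service ready at Tue, 18 Mar 2008 11:02:47 +0400",
2008-03-18T07:02:47.296Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05C2,3,10.0.0.5:25,203.0.113.10:28664,<,EHLO mail.sender.example,
2008-03-18T07:02:47.296Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05C2,4,10.0.0.5:25,203.0.113.10:28664,>,250-STARTTLS,
2008-03-18T07:05:24.781Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05C2,17,10.0.0.5:25,203.0.113.10:28664,>,451 4.7.0 Timeout waiting for client input,
2008-03-18T07:05:24.781Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05C2,18,10.0.0.5:25,203.0.113.10:28664,-,,Local
2008-03-18T07:03:10.100Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05D9,0,10.0.0.5:25,198.51.100.7:40211,+,,
2008-03-18T07:03:10.150Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05D9,3,10.0.0.5:25,198.51.100.7:40211,<,EHLO mx.other.example,
2008-03-18T07:03:10.200Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05D9,5,10.0.0.5:25,198.51.100.7:40211,<,MAIL FROM:<a@other.example>,
2008-03-18T07:03:12.900Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05D9,9,10.0.0.5:25,198.51.100.7:40211,<,QUIT,
2008-03-18T07:03:12.900Z,EDGE\Default internal receive connector EDGE,08CA51E4179C05D9,10,10.0.0.5:25,198.51.100.7:40211,-,,Local
'@

Find-TimedOutSmtpSessions -Lines ($sampleLog -split "`r?`n") |
    Format-Table SessionId, RemoteHost, LastClientCmd, SilentSeconds -AutoSize
```

On the sample input only session 08CA51E4179C05C2 is reported, with EHLO as the last client command and roughly 157 seconds of silence before the 451; the healthy session is skipped. Grouping the output by the remote host's domain makes it easy to see whether the stalls cluster on particular senders, which is what pointed at a filtering device in the path rather than at the Edge server itself.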

The culprit was a rule on the IPS device that filters suspicious TLS connections – it was incorrectly identifying traffic to the Exchange Edge Transport servers as a threat. An update from the IPS vendor solved the issue.