0 votes

Can you give me a clue why this is not working any more?

Code

private static void ConnectImap(Imap imap)
{
    imap.ServerCertificateValidate +=
        new ServerCertificateValidateEventHandler(Validate);
    var sslport = Config.Read("SSLPORT");
    if (String.IsNullOrWhiteSpace(sslport))
        imap.Connect(Server);
    else
    {
        imap.Connect(Server, Convert.ToInt32(sslport), true);
    }
}

Exception Type: Limilabs.Client.ServerException
Exception: Authenticate as SSL client failed. You might be connecting to non SSL port.
Source: Mail
Method: System.Net.Security.SslStream (System.IO.Stream) More information:

-- Stack Trace: --
   at Limilabs.Client.ClientBase. (Stream  )
   at Limilabs.Client.ClientBase. ()
   at Limilabs.Client.ClientBase.Connect(String host, Int32 port, Boolean useSSL)
   at EmailImportService.EmailProces.ConnectImap(Imap imap)
   at EmailImportService.EmailProces..ctor(DateTime lastRunDateTime, EventLog uxEmailProcesseventLog)

Exception Type: System.IO.IOException
Exception: Authentication failed because the remote party has closed the transport stream.
Source: System
Method: Void StartReadFrame(Byte[], Int32, System.Net.AsyncProtocolRequest) More information: 

-- Stack Trace: --
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest, Boolean renegotiation)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest, Boolean renegotiation)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at Limilabs.Client.ClientBase. (Stream  )

OPENSSL :

C:\Users\theol>openssl s_client -connect exchange.vezet.nl:993

Connecting to 10.0.100.248
CONNECTED(000001F4)
depth=1 C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=webmail.vezet.nl
verify return:1
---
Certificate chain
 0 s:CN=webmail.vezet.nl
   i:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Sep 20 00:00:00 2024 GMT; NotAfter: Oct 15 23:59:59 2025 GMT
 1 s:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: RSA, 2048 (bit); sigalg: sha384WithRSAEncryption
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGlTCCBX2gAwIBAgIRAIxydG90Glq97xq/Ron1CjswDQYJKoZIhvcNAQELBQAw
...
vQUMVtL6WEXrX+P933EsFtzGTFLLU1fH9iWaAb8aUOjBcn7UCLb4ZrYSxfPIiiNF
rys+o7Xbd58w
-----END CERTIFICATE-----
subject=CN=webmail.vezet.nl
issuer=C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 3771 bytes and written 1708 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 69270000587982EE5B4DB4EF385786B8C88D8E354A32A9C5DA6CF64BBA9207CA
    Session-ID-ctx:
    Master-Key: E76E8DA24162F8107CD7756CBF360BA09C4351066BBCA04E909A0A8183E41D5CA601030044EC4403B3EDB1A34FE051CC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1750770334
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
* OK The Microsoft Exchange IMAP4 service is ready.
* BYE Connection is closed. 13
4C4E0000:error:0A000126:SSL routines::unexpected eof while reading:ssl\record\rec_layer_s3.c:696:

1 Answer

0 votes

Make sure you are using Imap.ConnectSSL or Imap.Connect with useSSL set to true.

Make sure you are using TLS 1.2:

using (Imap imap = new Imap())
{
    imap.SSLConfiguration.EnabledSslProtocols 
        = SslProtocols.Tls12;

    imap.ConnectSSL("imap.example.com");

    // ... 

    imap.Close();
}
ago by (303k points)
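
Whether `Connect` or `ConnectSSL` is the right call depends on what the port expects: an implicit-TLS port stays silent until it receives a TLS ClientHello, while a STARTTLS port sends its plaintext greeting first. The probe below is an added example, not code from this thread or from Mail.dll; `PortModeProbe`, the loopback stand-in server and its banner are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading.Tasks;

static class PortModeProbe
{
    // Returns the plaintext greeting when the server speaks first (STARTTLS-style port),
    // or null when it stays silent, as an implicit-TLS port does while awaiting a ClientHello.
    public static string ReadGreeting(string host, int port, int waitMs)
    {
        using var client = new TcpClient(host, port);
        NetworkStream stream = client.GetStream();
        stream.ReadTimeout = waitMs; // a slow banner would look like silence, so keep this generous
        var buffer = new byte[512];
        try
        {
            int n = stream.Read(buffer, 0, buffer.Length);
            return n > 0 ? Encoding.ASCII.GetString(buffer, 0, n).TrimEnd() : null;
        }
        catch (IOException) { return null; } // read timed out: nothing was sent in the clear
    }

    public static string Advise(string greeting) => greeting == null
        ? "silent: implicit TLS expected, use ConnectSSL or Connect(host, port, true)"
        : $"greeting \"{greeting}\": plaintext first, use Connect and then StartTLS";

    // Constructed loopback stand-in for a mail server; a null banner means "stay silent".
    static int StartFakeServer(string banner)
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        Task.Run(() =>
        {
            using TcpClient peer = listener.AcceptTcpClient();
            byte[] bytes = Encoding.ASCII.GetBytes(banner ?? "");
            peer.GetStream().Write(bytes, 0, bytes.Length);
            peer.GetStream().ReadByte(); // hold the socket open until the probe disconnects
        });
        return ((IPEndPoint)listener.LocalEndpoint).Port;
    }

    static void Main()
    {
        // Constructed banner for the STARTTLS case; null for the implicit-TLS case.
        Console.WriteLine(Advise(ReadGreeting("127.0.0.1", StartFakeServer("220 mail.example.test ESMTP ready\r\n"), 2000)));
        Console.WriteLine(Advise(ReadGreeting("127.0.0.1", StartFakeServer(null), 2000)));
    }
}
```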

OK, adding SslProtocols helps.

But this code also gets "Authenticate as SSL client failed. You might be connecting to non SSL port."

// Send the message  
using (var smtp = new Smtp())
{
    // Minimalistic version to accept any certificate: 
    smtp.ServerCertificateValidate += (sender, e) => { e.IsValid = true; };
    smtp.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;
    smtp.ConnectSSL(Server);
    smtp.UseBestLogin(User, Password);
    smtp.SendMessage(responseemail);
    smtp.Close();
}

Listener trace:

Mail.dll: 5 11:14:01 Connecting to 'exchange.vezet.nl:587', SSL: False.
Mail.dll: 5 11:14:01 S: 220 WVAS-EXM-01.vezet.local Microsoft ESMTP MAIL Service ready at Wed, 25 Jun 2025 11:14:01 +0200
Mail.dll: 5 11:14:01 C: EHLO [10.0.100.100]
Mail.dll: 5 11:14:01 S: 250-WVAS-EXM-01.vezet.local Hello [10.0.100.100]
Mail.dll: 5 11:14:01 S: 250-SIZE 37748736
Mail.dll: 5 11:14:01 S: 250-PIPELINING
Mail.dll: 5 11:14:01 S: 250-DSN
Mail.dll: 5 11:14:01 S: 250-ENHANCEDSTATUSCODES
Mail.dll: 5 11:14:01 S: 250-STARTTLS
Mail.dll: 5 11:14:01 S: 250-AUTH GSSAPI NTLM
Mail.dll: 5 11:14:01 S: 250-8BITMIME
Mail.dll: 5 11:14:01 S: 250-BINARYMIME
Mail.dll: 5 11:14:01 S: 250-CHUNKING
Mail.dll: 5 11:14:01 S: 250 SMTPUTF8
Mail.dll: 5 11:14:01 C: STARTTLS
Mail.dll: 5 11:14:01 S: 220 2.0.0 SMTP server ready

Your code doesn't match the log file: ConnectSSL can't result in a "Connecting to 'exchange.vezet.nl:587', SSL: False" log entry.

Your code for SMTP supporting STARTTLS should look like this:

using (Smtp smtp = new Smtp())
{
    smtp.SSLConfiguration.EnabledSslProtocols 
        = SslProtocols.Tls12;

    smtp.ServerCertificateValidate += (sender, e) => 
        { e.IsValid = true; };

    smtp.Connect("exchange.vezet.nl");
    smtp.StartTLS();

    smtp.Close();    
}

If you are getting "Authenticate as SSL client failed", there's something wrong with establishing a proper SSL/TLS tunnel or with the certificate.

You need to analyze the inner exception to get the details. Check if the certificate callback is called.

Is this server publicly available?
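
The handlers in this thread set `e.IsValid = true` for every certificate, which also discards the policy errors that would explain a failed handshake. A stricter handler, as an added example (not code from this thread or from Mail.dll): it logs what the callback receives and accepts a failing certificate only when its SHA-256 fingerprint matches a pinned value. `PinnedCertificatePolicy` and the self-signed test certificates are constructed here; the `e.Certificate` and `e.SslPolicyErrors` property names in the wiring comment are assumed, since only `e.IsValid` appears on this page.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertificatePolicy
{
    // Accept a certificate the platform validated cleanly; otherwise accept only the one
    // certificate whose SHA-256 fingerprint was pinned out of band, and log why validation failed.
    public static bool IsAcceptable(X509Certificate cert, SslPolicyErrors errors, string pinnedSha256)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null) return false; // RemoteCertificateNotAvailable: nothing to pin against
        string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
        Console.WriteLine($"policy errors: {errors}; subject: {cert.Subject}; sha256: {actual}");
        return string.Equals(actual, pinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    // Constructed self-signed certificate, standing in for an internal server's certificate.
    static X509Certificate2 MakeSelfSigned(string subject)
    {
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
    }

    // Assumed Mail.dll wiring (property names not shown on this page):
    //   smtp.ServerCertificateValidate += (s, e) =>
    //       e.IsValid = PinnedCertificatePolicy.IsAcceptable(e.Certificate, e.SslPolicyErrors, pin);
    static void Main()
    {
        using X509Certificate2 known = MakeSelfSigned("CN=mail.example.test");
        using X509Certificate2 other = MakeSelfSigned("CN=mail.example.test"); // same name, different key
        string pin = known.GetCertHashString(HashAlgorithmName.SHA256);
        var untrusted = SslPolicyErrors.RemoteCertificateChainErrors; // typical for a self-signed cert

        Console.WriteLine(IsAcceptable(known, SslPolicyErrors.None, pin));   // clean validation
        Console.WriteLine(IsAcceptable(known, untrusted, pin));              // untrusted but pinned
        Console.WriteLine(IsAcceptable(other, untrusted, pin));              // untrusted, wrong key
        Console.WriteLine(IsAcceptable(null, SslPolicyErrors.RemoteCertificateNotAvailable, pin));
    }
}
```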

Listener trace:

Mail.dll: 12 13:00:35 3.0.14310.1602
Mail.dll: 12 13:00:35 Connecting to 'wvas-exm-01.vezet.local:587', SSL: False.
Mail.dll: 12 13:00:35 S: 220 WVAS-EXM-01.vezet.local Microsoft ESMTP MAIL Service ready at Wed, 25 Jun 2025 13:00:34 +0200
Mail.dll: 12 13:00:35 C: EHLO [10.0.101.172]
Mail.dll: 12 13:00:35 S: 250-WVAS-EXM-01.vezet.local Hello [10.0.101.172]
Mail.dll: 12 13:00:35 S: 250-SIZE 37748736
Mail.dll: 12 13:00:35 S: 250-PIPELINING
Mail.dll: 12 13:00:35 S: 250-DSN
Mail.dll: 12 13:00:35 S: 250-ENHANCEDSTATUSCODES
Mail.dll: 12 13:00:35 S: 250-STARTTLS
Mail.dll: 12 13:00:35 S: 250-AUTH GSSAPI NTLM
Mail.dll: 12 13:00:35 S: 250-8BITMIME
Mail.dll: 12 13:00:35 S: 250-BINARYMIME
Mail.dll: 12 13:00:35 S: 250-CHUNKING
Mail.dll: 12 13:00:35 S: 250 SMTPUTF8
Mail.dll: 12 13:00:35 C: STARTTLS
Mail.dll: 12 13:00:35 S: 220 2.0.0 SMTP server ready
Mail.dll: 12 13:00:35 C: EHLO [10.0.101.172]
Mail.dll: 12 13:00:35 S: 250-WVAS-EXM-01.vezet.local Hello [10.0.101.172]
Mail.dll: 12 13:00:35 S: 250-SIZE 37748736
Mail.dll: 12 13:00:35 S: 250-PIPELINING
Mail.dll: 12 13:00:35 S: 250-DSN
Mail.dll: 12 13:00:35 S: 250-ENHANCEDSTATUSCODES
Mail.dll: 12 13:00:35 S: 250-AUTH GSSAPI NTLM LOGIN
Mail.dll: 12 13:00:35 S: 250-8BITMIME
Mail.dll: 12 13:00:35 S: 250-BINARYMIME
Mail.dll: 12 13:00:35 S: 250-CHUNKING
Mail.dll: 12 13:00:35 S: 250 SMTPUTF8
Mail.dll: 12 13:00:35 C: AUTH LOGIN

This shows you are properly connected and the connection is secured using SSL/TLS.

Correct, we switched back to the former environment.

Monday we will try again.

We think it's now something in the Exchange environment because other applications also show strange behaviour.

...