XIMS: Server Advertises STARTTLS Even Though the SSL Certificate Is Not Available (237327)


The information in this article applies to:

  • Microsoft Exchange Server 5.5 SP2
  • Microsoft Commercial Internet System 2.0
  • Microsoft Internet Information Server 4.0
This article was previously published under Q237327

SYMPTOMS

When responding to an EHLO command, the Simple Mail Transfer Protocol (SMTP) service included with the Microsoft products listed at the beginning of this article always indicates that it supports the STARTTLS command, even if no Secure Sockets Layer (SSL) certificates are available for the connection. If an SMTP client sends a STARTTLS command to the server when no SSL certificates are available, the following entry appears in the SMTP log file (Smtp.log):
554 Unable to initialize security subsystem
If the SMTP client is connected to the server through a firewall, the firewall may respond to the STARTTLS command itself, instead of passing the command to the server. This causes the client to use encryption, even though the server is not configured to support it. As a result, the client is unable to send messages across the connection. This behavior is known to occur with the Cisco PIX Firewall and Secure Computing Sidewinder Security Server firewall, but it may also occur with other firewalls.

RESOLUTION

Exchange Server 5.5

Exchange Server Computer Is Not Operating Behind a Proxy Server

To resolve this problem, obtain the latest service pack for Exchange Server version 5.5. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

191014 XGEN: How to Obtain the Latest Exchange Server 5.5 Service Pack

Exchange Server Computer Is Operating Behind a Proxy Server

To resolve this problem, obtain the latest service pack for Exchange Server version 5.5. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

191014 XGEN: How to Obtain the Latest Exchange Server 5.5 Service Pack

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Exchange Server Computer Is Not Operating Behind a Proxy Server

This problem was first corrected in Exchange Server 5.5 Service Pack 3.

Exchange Server Computer Is Operating Behind a Proxy Server

This problem was first corrected in Exchange Server 5.5 Service Pack 4.

MORE INFORMATION

Certificates are configured using the Internet Information Service (IIS) Key Manager program. In IIS, certificates can be applied to all Internet Protocol (IP) addresses, one particular IP address, or no IP addresses. In Microsoft Commercial Internet System (MCIS), certificates can be bound to one particular IP address or all unassigned IP addresses. In MCIS, certificates can also be bound to one particular Transmission Control Protocol (TCP) port or all unassigned TCP ports. The SMTP service indicates that it supports TLS even if the IP address and TCP port you are connected to do not have an associated certificate.

After you apply the fix, the SMTP service only indicates that it supports TLS if the IP address and TCP port you are connected to has an associated certificate.

For additional information about configuring Exchange Server to operate behind Proxy Server 2.0, click the article number below to view the article in the Microsoft Knowledge Base:

181847 XADM: How to Configure Microsoft Exchange Server with Proxy Server

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Modification Type:MinorLast Reviewed:9/23/2005
Keywords:kbHotfixServer kbQFE EXC55SP3Fix kbbug kbExchange550preSP4fix kbExchange550sp4Fix kbfix KB237327 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.