Office 365 smarthost 800B010F error


#21

Same error, with mail.boardmapsemail.com


#22

You haven’t answered all my questions:


#23

Just to ensure the problem is NOT with the LE cert (100%).
Please do the following:
Start
Run
MMC.EXE
Ctrl+M
“Certificates”
ADD
“Computer account”
Finish
OK

Then find your LE cert.
Double-click it.
If it shows “You have a private key that corresponds to this certificate.”, then the cert is VALID.

And the problem is with Exchange and its mostly undocumented expectations/requirements.


#24

Here is some external proof that the cert is VALID:

openssl s_client -connect mail.boardmapsemail.com:25 -starttls smtp
CONNECTED(000001B0)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
- - -
Certificate chain
 0 s:/CN=mail.boardmapsemail.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
- - -
Server certificate
subject=/CN=mail.boardmapsemail.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
- - -
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-521, 521 bits
- - -
SSL handshake has read 3724 bytes and written 471 bytes
Verification error: unable to get local issuer certificate
- - -
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: AA380000ECE2AF943C045C40E8915C99377606E1A5B2A77AFDFD0943732AFE8B
    Session-ID-ctx:
    Master-Key: E8CB02AB6289829B996C3490B0B2D31E739B94660CA8622E7B5734FF95AAA7AF1502EF0FC4A38B210367E265C4D74618
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544085401
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
- - -
250 XRDST
^C

#25

With new certificate CN, and DNS only mail.boardmapsemail.com

2018-12-06T08:38:26.366Z,My company to Office 365,08D65B4DD9C42243,0,104.47.44.36:25,,attempting to connect
2018-12-06T08:38:26.475Z,My company to Office 365,08D65B4DD9C42243,1,10.0.10.8:9333,104.47.44.36:25,+,
2018-12-06T08:38:26.600Z,My company to Office 365,08D65B4DD9C42243,2,10.0.10.8:9333,104.47.44.36:25,<,“220 SN1NAM04FT035.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 6 Dec 2018 08:38:25 +0000”,
2018-12-06T08:38:26.600Z,My company to Office 365,08D65B4DD9C42243,3,10.0.10.8:9333,104.47.44.36:25,>,EHLO mail.boardmapsemail.com,
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,4,10.0.10.8:9333,104.47.44.36:25,<,250-SN1NAM04FT035.mail.protection.outlook.com Hello [51.75.164.54],
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,5,10.0.10.8:9333,104.47.44.36:25,<,250-SIZE 157286400,
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,6,10.0.10.8:9333,104.47.44.36:25,<,250-PIPELINING,
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,7,10.0.10.8:9333,104.47.44.36:25,<,250-DSN,
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,8,10.0.10.8:9333,104.47.44.36:25,<,250-ENHANCEDSTATUSCODES,
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,9,10.0.10.8:9333,104.47.44.36:25,<,250-STARTTLS,
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,10,10.0.10.8:9333,104.47.44.36:25,<,250-8BITMIME,
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,11,10.0.10.8:9333,104.47.44.36:25,<,250-BINARYMIME,
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,12,10.0.10.8:9333,104.47.44.36:25,<,250-CHUNKING,
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,13,10.0.10.8:9333,104.47.44.36:25,<,250 SMTPUTF8,
2018-12-06T08:38:26.709Z,My company to Office 365,08D65B4DD9C42243,14,10.0.10.8:9333,104.47.44.36:25,>,STARTTLS,
2018-12-06T08:38:26.819Z,My company to Office 365,08D65B4DD9C42243,15,10.0.10.8:9333,104.47.44.36:25,<,220 2.0.0 SMTP server ready,
2018-12-06T08:38:26.819Z,My company to Office 365,08D65B4DD9C42243,16,10.0.10.8:9333,104.47.44.36:25,,Sending certificate
2018-12-06T08:38:26.819Z,My company to Office 365,08D65B4DD9C42243,17,10.0.10.8:9333,104.47.44.36:25,,CN=mail.boardmapsemail.com,Certificate subject
2018-12-06T08:38:26.819Z,My company to Office 365,08D65B4DD9C42243,18,10.0.10.8:9333,104.47.44.36:25,,“CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US”,Certificate issuer name
2018-12-06T08:38:26.819Z,My company to Office 365,08D65B4DD9C42243,19,10.0.10.8:9333,104.47.44.36:25,,04C11A2387535CD9B4CDCD9D595089714A77,Certificate serial number
2018-12-06T08:38:26.819Z,My company to Office 365,08D65B4DD9C42243,20,10.0.10.8:9333,104.47.44.36:25,,36243E5ECE739E8FF18CB98EAA1146175196D7D4,Certificate thumbprint
2018-12-06T08:38:26.819Z,My company to Office 365,08D65B4DD9C42243,21,10.0.10.8:9333,104.47.44.36:25,,mail.boardmapsemail.com,Certificate alternate names
2018-12-06T08:38:27.053Z,My company to Office 365,08D65B4DD9C42243,22,10.0.10.8:9333,104.47.44.36:25,,Remote certificate
2018-12-06T08:38:27.053Z,My company to Office 365,08D65B4DD9C42243,23,10.0.10.8:9333,104.47.44.36:25,,“CN=mail.protection.outlook.com, O=Microsoft Corporation, L=Redmond, S=Washington, C=US”,Certificate subject
2018-12-06T08:38:27.053Z,My company to Office 365,08D65B4DD9C42243,24,10.0.10.8:9333,104.47.44.36:25,,“CN=GlobalSign Organization Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE”,Certificate issuer name
2018-12-06T08:38:27.053Z,My company to Office 365,08D65B4DD9C42243,25,10.0.10.8:9333,104.47.44.36:25,,5760C0769D1714309D2D95DE,Certificate serial number
2018-12-06T08:38:27.053Z,My company to Office 365,08D65B4DD9C42243,26,10.0.10.8:9333,104.47.44.36:25,,73B89750FA406F7D4F7E43A9355A9D271079E938,Certificate thumbprint
2018-12-06T08:38:27.053Z,My company to Office 365,08D65B4DD9C42243,27,10.0.10.8:9333,104.47.44.36:25,,mail.protection.outlook.com;.mail.eo.outlook.com;.mail.protection.outlook.com;mail.messaging.microsoft.com;outlook.com;.olc.protection.outlook.com;.pamx1.hotmail.com,Certificate alternate names
2018-12-06T08:38:27.053Z,My company to Office 365,08D65B4DD9C42243,28,10.0.10.8:9333,104.47.44.36:25,,“TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 256 bits”
2018-12-06T08:38:27.053Z,My company to Office 365,08D65B4DD9C42243,29,10.0.10.8:9333,104.47.44.36:25,,Received certificate
2018-12-06T08:38:27.053Z,My company to Office 365,08D65B4DD9C42243,30,10.0.10.8:9333,104.47.44.36:25,,73B89750FA406F7D4F7E43A9355A9D271079E938,Certificate thumbprint
2018-12-06T08:38:27.053Z,My company to Office 365,08D65B4DD9C42243,31,10.0.10.8:9333,104.47.44.36:25,>,EHLO mail.boardmapsemail.com,
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,32,10.0.10.8:9333,104.47.44.36:25,<,250-SN1NAM04FT035.mail.protection.outlook.com Hello [51.75.164.54],
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,33,10.0.10.8:9333,104.47.44.36:25,<,250-SIZE 157286400,
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,34,10.0.10.8:9333,104.47.44.36:25,<,250-PIPELINING,
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,35,10.0.10.8:9333,104.47.44.36:25,<,250-DSN,
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,36,10.0.10.8:9333,104.47.44.36:25,<,250-ENHANCEDSTATUSCODES,
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,37,10.0.10.8:9333,104.47.44.36:25,<,250-8BITMIME,
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,38,10.0.10.8:9333,104.47.44.36:25,<,250-BINARYMIME,
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,39,10.0.10.8:9333,104.47.44.36:25,<,250-CHUNKING,
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,40,10.0.10.8:9333,104.47.44.36:25,<,250 SMTPUTF8,
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,41,10.0.10.8:9333,104.47.44.36:25,*,sending message with RecordId 365072220184 and InternetMessageId c409fe2a0f3f4dc2a05addf29ff66b94@dbs-ex02.corp.boardmapsemail.com
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,42,10.0.10.8:9333,104.47.44.36:25,>,MAIL FROM:cage@boardmapsemail.com SIZE=4176,
2018-12-06T08:38:27.163Z,My company to Office 365,08D65B4DD9C42243,43,10.0.10.8:9333,104.47.44.36:25,>,RCPT TO:dmitriy.pisarevskiy@gmail.com,
2018-12-06T08:38:27.272Z,My company to Office 365,08D65B4DD9C42243,44,10.0.10.8:9333,104.47.44.36:25,<,250 2.1.0 Sender OK,
2018-12-06T08:38:27.428Z,My company to Office 365,08D65B4DD9C42243,45,10.0.10.8:9333,104.47.44.36:25,<,550 5.7.64 TenantAttribution; Relay Access Denied [SN1NAM04FT035.eop-NAM04.prod.protection.outlook.com],
2018-12-06T08:38:27.428Z,My company to Office 365,08D65B4DD9C42243,46,10.0.10.8:9333,104.47.44.36:25,>,QUIT,
2018-12-06T08:38:27.537Z,My company to Office 365,08D65B4DD9C42243,47,10.0.10.8:9333,104.47.44.36:25,<,221 2.0.0 Service closing transmission channel,
2018-12-06T08:38:27.537Z,My company to Office 365,08D65B4DD9C42243,48,10.0.10.8:9333,104.47.44.36:25,-,Local
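
Added example (not part of the original post): a small parser for an Exchange send protocol log like the one above. It pairs each final SMTP reply with the command that caused it, including pipelined commands, so a rejection can be placed before or after the TLS negotiation. The field order is the assumed standard protocol-log layout, and the sample lines, host names and session ID are constructed placeholders.

```python
import csv
import io
from collections import deque

# Assumed field order of an Exchange SMTP protocol log line.
FIELDS = ("time", "connector", "session", "seq", "local", "remote",
          "event", "data", "context")

# Constructed sample modelled on the session above; hosts and IDs are placeholders.
P = "2018-12-06T08:38:27Z,To O365,SESSION01,{},10.0.0.5:9333,192.0.2.10:25,"
ROWS = [
    ">,EHLO mail.example.com,", "<,250-mx.example.net Hello,", "<,250-PIPELINING,",
    "<,250 STARTTLS,", ">,STARTTLS,", "<,220 2.0.0 SMTP server ready,",
    "*,,Sending certificate", "*,CN=mail.example.com,Certificate subject",
    '*,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded",',
    ">,MAIL FROM:<a@example.com>,", ">,RCPT TO:<b@example.org>,",
    "<,250 2.1.0 Sender OK,",
    "<,550 5.7.64 TenantAttribution; Relay Access Denied,", ">,QUIT,",
    "<,221 2.0.0 Service closing transmission channel,",
]
SAMPLE_LOG = "\n".join(P.format(i) + r for i, r in enumerate(ROWS))


def summarize(log_text):
    """Attribute each final SMTP reply to the command that caused it."""
    pending = deque()   # commands sent but not yet answered (PIPELINING)
    section = None      # which certificate block the '*' lines describe
    out = {"tls_ok": False, "certs": {}, "rejected": []}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < len(FIELDS):
            continue    # wrapped or truncated line: skip it, do not guess
        rec = dict(zip(FIELDS, row))
        event, data, ctx = rec["event"], rec["data"], rec["context"]
        if event == ">":
            pending.append(data)
        elif event == "<" and data[:3].isdigit() and data[3:4] != "-":
            # Final line of a reply; "250-..." continuation lines are ignored.
            cmd = pending.popleft() if pending else "(greeting)"
            if data[0] in "45":
                out["rejected"].append((cmd, data))
        elif event == "*":
            if ctx in ("Sending certificate", "Remote certificate"):
                section = ctx
            elif ctx == "Certificate subject" and section:
                out["certs"][section] = data
            elif "negotiation succeeded" in data:
                out["tls_ok"] = True
    return out
```

On the constructed sample, `summarize(SAMPLE_LOG)` reports a successful TLS negotiation and a single rejection attributed to `RCPT TO`, not to `MAIL FROM` or the handshake.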


#26



#27

You have two errors, neither of which is caused by the cert:


#28


#29

Microsoft answers with 550 5.7.64 TenantAttribution; Relay Access Denied [SN1NAM04FT035.eop-NAM04.prod.protection.outlook.com]

raised by 800B010F - The certificate’s CN name does not match the passed value.


#30

That shows two certs for the same FQDN mail.boardmapsemail.com.
3624…
F8C6…

That may be another reason the PowerShell fails - when you say -FQDN “mail.boardmapsemail.com”, which cert is chosen?
If you don’t need both certs, delete one.
Then try the PowerShell again.


#31

I already tried it; it does not help.


#32

Tried what?
Please be more clear.


#33

I made only one certificate and set up an Exchange Edge server; the Edge server also has this error.


#34

I still see two certificates with that same name.


#35

I did it yesterday.


#36

So why do you have two certs with the same FQDN today?
Also, have you tried the PowerShell with FQDN autodiscover?


#37

OK, I will try to upgrade to Exchange 2016. Thank you!


#38

That will probably have the same problem.
But good luck to you.

https://support.microsoft.com/en-us/help/4051495/550-5-7-64-tenantattribution-relay-access-denied-smtp-error-when-users