XFOR: Server Advertises STARTTLS Even Though SSL Certificate Not Available

ID: Q237327

The information in this article applies to:

Microsoft Exchange Server, version 5.5 SP2
Microsoft Commercial Internet System version 2.0
Microsoft Internet Information Server version 4.0

SYMPTOMS

When responding to an EHLO command, the Simple Mail Transfer Protocol (SMTP) service included with the Microsoft products listed at the beginning of this article always indicates that it supports the STARTTLS command, even if no Secure Sockets Layer (SSL) certificates are available for the connection. If an SMTP client sends a STARTTLS command to the server when no SSL certificates are available, the following entry appears in the SMTP log file (Smtp.log):

554 Unable to initialize security subsystem

If the SMTP client is connected to the server through a firewall, the firewall may respond to the STARTTLS command itself, instead of passing the command to the server. This causes the client to use encryption, even though the server is not configured to support it. As a result, the client is unable to send messages across the connection. This behavior is known to occur with the Cisco PIX Firewall and Secure Computing's Sidewinder Security Server firewall, but it may also occur with other firewalls.

RESOLUTION

Exchange Server 5.5

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Microsoft Exchange Server version 5.5 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or later:

Component: Internet Mail Service

File name	Version
Msexcimc.exe	5.5.2648.0

This hotfix has been posted to the following Internet location as Psp2imca.zip and Psp2imci.zip:

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/imc-fix

NOTE: If this product was already installed on your computer when you purchased it from the Original Equipment Manufacturer (OEM) and you need this fix, please call the Pay Per Incident number listed on the above Web site. If you contact Microsoft to obtain this fix, and if it is determined that you only require the fix you requested, no fee will be charged. However, if you request additional technical support, and if your no-charge technical support period has expired, or if you are not eligible for standard no-charge technical support, you may be charged a non-refundable fee.

For more information about eligibility for no-charge technical support, see the following article in the Microsoft Knowledge Base:

Q154871 Determining If You Are Eligible for No-Charge Technical Support

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.

MORE INFORMATION

Certificates are configured using the Internet Information Service (IIS) Key Manager program. In IIS, certificates can be applied to all Internet Procotol (IP) addresses, one particular IP address, or no IP addresses. In Microsoft Commercial Internet System (MCIS), certificates can be bound to one particular IP address or all unassigned IP addresses. In MCIS, certificates can also be bound to one particular Transmission Control Protocol (TCP) port or all unassigned TCP ports. The SMTP service indicates that it supports TLS even if the IP address and TCP port you are connected to do not have an associated certificate.

After you apply the fix, the SMTP service only indicates that it supports TLS if the IP address and TCP port you are connected to has an associated certificate.

The third-party products discussed here are manufactured by vendors independent of Microsoft; we make no warranty, implied or otherwise, regarding these products' performance or reliability.

Additional query words:


Keywords          : prodmcis2 prodIMS exc55sp2 
Version           : winnt:2.0,4.0,5.5 SP2
Platform          : winnt 
Issue type        : kbbug

Last Reviewed: August 2, 1999