Getting The remote certificate is invalid according to the validation procedure when SMTP server has a valid certificate

Question

This seems a common error but while I ve found a work-around  see below  I can t pin down the reason I m getting it in the first place   I am writing SMTP functionality into our application and I m attempting to add SSL functionality to the working SMTP we already have   I am testing using our company s MS Exchange server and specifically the webmail option enabled on that  I can send emails internally through my code by not authenticating my connection and sending anonymously  however those emails won t relay to external email addresses due to our companies policy  Besides which I am programming this for our customers and they don t all allow open relay and or anonymous connections   I believe the Exchange server is using Explicit SSL  TLS  I have tried telnet to the server s address on port 25 and got a text response  human readable response  which according to some of my searches previously means it s using Explicit SSL  TLS   I have the following test code  SmtpClient SMTPClient   new SmtpClient webmailaddress   SMTPClient Port   25  SMTPClient UseDefaultCredentials   true  SMTPClient EnableSsl   true  System Net Mail MailMessage Message   new   System Net Mail MailMessage emailFrom emailTo subject body   SMTPClient Send Message     During my searching for a solution I came across this  quot The remote certificate is invalid according to the validation procedure  quot  using Gmail SMTP server  From which I got the following code     ServicePointManager ServerCertificateValidationCallback   new RemoteCertificateValidationCallback ValidateServerCertificate    public static bool ValidateServerCertificate object sender X509Certificate certificate X509Chain chain SslPolicyErrors sslPolicyErrors        if  sslPolicyErrors    SslPolicyErrors None          return true      else               if  System Windows Forms MessageBox Show  The server certificate is not valid  nAccept     Certificate Validation   System Windows Forms MessageBoxButtons YesNo  System Windows Forms MessageBoxIcon Question     System Windows Forms DialogResult Yes              return true          else             return false            This works in my test code  HOWEVER the actual process I m writing  rather than my test code  is going to run in the background and can t really ask the user  instead it reports errors in the windows error log    As I started  my question is really why I m getting this error at all  If I go to https webmail ourdomain co uk in a browser it shows a valid certificate and there is no option to install the certificate  as I would have done if it were a self-signed one     However when I run my code  with a debug break poing in the ValidateServerCertificate method  I look at the certificate values and see an issuer of our local server and  don t use before   and  don t use after  properties of today  This does not match the certificate I am getting   I ve also checked what the sslPolicyErrors flags are in the debug of ValidateServerCertificate  and they are showing  RemoteCertificateChainErrors  and  RemoteCertificateNameMismatch    So what am I missing about this    why is it not using the correct certificate  If there are steps I need to take to install the certificate locally for it to use then I need to know them so I can tell my customers what to do if they get this   I don t want to just by-pass the check by returning true from the ValidateServerCertificate method  and because it s a background process I can t ask the user  so I need to understand how to get my code to use the correct trusted certificate   Hope someone can advise

User · Answer

Old post  but I thought I would share my solution because there aren t many solutions out there for this issue   If you re running an old Windows Server 2003 machine  you likely need to install a hotfix  KB938397        This problem occurs because the Cryptography API 2  CAPI2  in Windows   Server 2003 does not support the SHA2 family of hashing algorithms    CAPI2 is the part of the Cryptography API that handles certificates    https   support microsoft com en-us kb 938397  For whatever reason  Microsoft wants to email you this hotfix instead of allowing you to download directly   Here s a direct link to the hotfix from the email   http   hotfixv4 microsoft com Windows Server 2003 sp3 Fix200653 3790 free 315159 ENU x64 zip exe

User · Answer

Old post but as you said  why is it not using the correct certificate  I would like to offer an way to find out which SSL certificate is used for SMTP  see here  which required openssl      openssl s client -connect exchange01 int contoso com 25 -starttls smtp   This will outline the used SSL certificate for the SMTP service  Based on what you see here you can replace the wrong certificate  like you already did  with a correct one  or trust the certificate manually

User · Answer

The answer I have finally found is that the SMTP service on the server is not using the same certificate as https   The diagnostic steps I had read here make the assumption they use the same certificate and every time I ve tried this in the past they have done and the diagnostic steps are exactly what I ve done to solve the problem several times   In this case those steps didn t work because the certificates in use were different  and the possibility of this is something I had never come across   The solution is either to export the actual certificate from the server and then install it as a trusted certificate on my machine  or to get a different valid trusted certificate for the SMTP service on the server  That is currently with our IT department who administer the servers to decide which they want to do

[c#] Getting "The remote certificate is invalid according to the validation procedure" when SMTP server has a valid certificate

Examples related to c#

Examples related to email

Examples related to ssl

Examples related to smtpclient

Examples related to client-certificates