On 1/9/2012 10:19 AM, Ben Curtis wrote:
> Hi all,
>
> I've been scouring the internet trying to find someone who's done this
> before, and am at a loss.
>
> I've got Postfix set up as a Smart Host for sending SMTP email from
> Exchange 2010 (Small Business Server 2011). My problem is that I can't
> get TLS to work. The error message I get back in Exchange is:
>
> [451 4.4.0 Primary target IP address responded with: "454 4.7.5
> Certificate validation failure." Attempted failover to alternate host,
> but that did not succeed. Either there are no alternate hosts, or
> delivery failed to all alternate hosts.]
>

Test postfix TLS with openssl to make sure postfix is working correctly.

For port 25 (or 587) with STARTTLS
# openssl s_client -connect example.com:25 -starttls smtp

Or if you've enabled master.cf port 465 TLS wrappermode (sometimes
mistakenly referred to as SSL in mail client software):
# openssl s_client -connect example.com:465

Openssl will print a couple pages of garbage-looking handshake info
that ends with postfix's 250 greeting. At that point you should be
able to type in "EHLO myname" and get a response from postfix. If you
get that far, postfix TLS is working correctly.

If postfix checks out OK, the problem is with the Exchange
configuration. Maybe Exchange needs to import the private root CA you
used to generate your certificates? Maybe Exchange is trying to use
wrappermode on a port configured for STARTTLS (or vice versa)?

>
> Below are key areas of main.cf:

If you need more help with postfix, show "postconf -n" output and
relevant log entries.

  -- Noel Jones
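
Added example, not part of the original message: a shell function that reads an `openssl s_client` transcript like the ones produced by the commands above and separates the two causes the reply suggests, a chain the client does not trust (private root CA) and a handshake that never happened (STARTTLS versus wrappermode mismatch). The function name, result strings, CA file name and sample transcripts are constructed for illustration.

```shell
# Added example: classify an `openssl s_client` transcript read from stdin.
# Live use (host and CA file name are placeholders):
#   printf 'QUIT\r\n' | openssl s_client -connect example.com:25 -starttls smtp \
#       -CAfile private-root-ca.pem 2>&1 | classify_tls_transcript
classify_tls_transcript() {
    transcript=$(cat)
    # Handshake never completed, e.g. STARTTLS vs wrappermode mismatch.
    if printf '%s\n' "$transcript" | grep -q 'no peer certificate available'; then
        echo "no-handshake"; return 0
    fi
    # TLS 1.3 sessions can repeat the line; the last one is the final result.
    code=$(printf '%s\n' "$transcript" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    case "$code" in
        '') echo "no-verify-result"; return 0 ;;
        0)  ;;
        # 18/19: self-signed leaf or self-signed cert in chain;
        # 20/21: issuer certificate not found in the local trust store.
        18|19|20|21) echo "untrusted-chain:$code"; return 0 ;;
        *)  echo "verify-failed:$code"; return 0 ;;
    esac
    # After a verified handshake, postfix should answer with a 250 line.
    if printf '%s\n' "$transcript" | grep -q '^250[ -]'; then
        echo "ok"
    else
        echo "tls-ok-no-250"
    fi
}

# Constructed sample transcripts (trimmed), not captured from a real server.
sample_private_ca() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Private Root CA
verify error:num=19:self signed certificate in certificate chain
---
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN
EOF
}
sample_wrong_mode() {
    cat <<'EOF'
CONNECTED(00000003)
no peer certificate available
---
    Verify return code: 0 (ok)
EOF
}
```

An `untrusted-chain` result that turns into `ok` once `-CAfile` points at the private root CA indicates the server side is fine and the connecting client is missing that root in its trust store.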