I've had a very strange issue today...
Our customer has a UTM working as a transparent proxy (https: URL filtering only) in the configuration: LAN -> UTM -> transfer network -> other firewall -> internet
The firewall rule on the UTM is Any:Any:Any since the other firewall is handling the external traffic. On the UTM the POP3 proxy is active, the SMTP proxy is NOT used.
The customer has an Exchange 2013 server that is collecting its mail with POP-Beamer, using the POP3 proxy of the UTM. Sending of emails worked via a smarthost send connector that used "SMTP (port 25)". His mail provider changed his SMTP server to SMTP (port 587) and the Exchange server stopped sending mails because of certificate validation issues. I found a blog post that was handling the same error message, and the author managed to get it up again by enabling netshell winhttp proxy settings. It seemed to have something to do with OCSP verification for the TLS certificate of the new mail server.
I tried excluding the Exchange server's traffic completely via a skip list entry, no luck. What should I say, I gave it a try and set the netshell proxy to use the (transparent) proxy as a dedicated proxy and voilà, the sh..t worked! I'm fine with the "solution" for the moment, but there remains a big big question about it...
I can't understand why the verification of the TLS certificate doesn't work in transparent proxy mode with a skiplist entry. Can anybody explain this to me?
First try to set the SMTP to smtp.ionos.de port 587.
Then, if this does not work:
Try to install the https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/59-t-telesec-globalroot-class-2
ROOT certificate, as it got lost by a Windows Server update on your Exchange server.
MMC on your Exchange:
Trusted Root Certificates.
Restart the Transport Service after that and see the mails getting sent again.
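To check the two things this reply relies on before touching the store, here is an added diagnostic (not from the thread or from any vendor): it looks for the T-TeleSec GlobalRoot Class 2 root in the machine's Trusted Root store, then performs a real STARTTLS handshake against the submission port and reports how Windows validated the server's chain. The host name smtp.ionos.de and port 587 come from the reply; the EHLO name is an assumed placeholder.

```powershell
# Added diagnostic for the STARTTLS certificate problem described above.
# Run in an elevated PowerShell on the Exchange server (same machine store Exchange uses).
$SmtpHost = 'smtp.ionos.de'                    # from the reply; adjust for your provider
$SmtpPort = 587
$RootName = 'T-TeleSec GlobalRoot Class 2'     # root the reply says went missing

# Step 1: is the root still in LocalMachine\Root? (Only this store counts for services.)
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$RootName*" }
if ($root) { "Root present: $($root.Subject)  thumbprint $($root.Thumbprint)" }
else       { "Root '$RootName' is MISSING from Cert:\LocalMachine\Root" }

# Step 2: speak just enough SMTP to reach STARTTLS, then let SChannel validate the chain.
function Send-Line($writer, $reader, $text) {
    if ($text) { $writer.WriteLine($text); $writer.Flush() }
    do { $line = $reader.ReadLine(); $line } while ($line -match '^\d{3}-')  # "250-..." continues
}

$client = New-Object System.Net.Sockets.TcpClient($SmtpHost, $SmtpPort)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"

Send-Line $writer $reader $null | Out-Null                          # 220 greeting
Send-Line $writer $reader 'EHLO exchange.example.local' | Out-Null  # assumed placeholder name
$resp = Send-Line $writer $reader 'STARTTLS' | Select-Object -Last 1
if ($resp -notmatch '^220') { $client.Close(); throw "STARTTLS refused: $resp" }

# Diagnostic-only callback: records the policy errors and chain status instead of failing,
# so the presented certificate can be inspected. Returning $true disables validation here.
$script:policyErrors = $null
$script:chainStatus  = @()
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    $script:chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
$ssl.AuthenticateAsClient($SmtpHost)

"Server certificate : $($ssl.RemoteCertificate.Subject)"
"Issued by          : $($ssl.RemoteCertificate.Issuer)"
"Validation result  : $script:policyErrors"        # 'None' = chain built to a trusted root
$script:chainStatus | ForEach-Object { "Chain status       : $_" }
$ssl.Dispose(); $client.Close()
# After importing the root, restart transport as the reply says: Restart-Service MSExchangeTransport
```

A result of RemoteCertificateChainErrors with a chain status such as "A certificate chain processed, but terminated in a root certificate which is not trusted" is exactly the missing-root case this reply describes; a revocation-related status instead points at the OCSP/proxy reachability issue from the question.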
Thanks to Sebastian Hetzel here - he saved my brain today getting the same errors.