Tags: ssl, iis, smtp, windows-services

Why does my X509Certificate certificate throw error RemoteCertificateNameMismatch when sending via SMTP?


I have a Windows 2019 server using its SMTP server to send email. We recently added client.EnableSsl = true; to the SmtpClient. I added the following function to the Windows service that sends the email:

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Registered once at service start-up; applies to every TLS connection the process makes.
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(ValidateCertificate);
...
// CertificateThumbprint is defined elsewhere in the service: the expected SHA-1
// thumbprint as lower-case hex with no separators (GetCertHashString() returns upper-case hex).
public static bool ValidateCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    // Chain built and host name matched by the OS: accept.
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        return true;
    }
    // Workaround: accept our own certificate by thumbprint even when the name check failed.
    if (certificate.GetCertHashString().ToLower() == CertificateThumbprint)
    {
        return true;
    }

    ...
}

sslPolicyErrors contains the value "RemoteCertificateNameMismatch" and when you look at the "Certificate Hash", it's our certificate... not always, because other certs (not ours) go through with sslPolicyErrors = None.

I was actually surprised to see our certificate there because it's a wild card certificate for the web server. Since the website is IIS, I'm guessing that's why it's connected to SMTP. Anyway, the certificate works perfectly well on the web server for the various webs running under IIS.

I have a workaround that checks "Certificate Hash" against our cert thumbprint and returns true, but I'm sure there is a more appropriate way to validate the certificate.

Can anyone let me know what's going on with my certificate and how to properly fix it? Many thanks!

Certificate:

Archived: false
Extensions: {System.Security.Cryptography.X509Certificates.X509ExtensionCollection}
FriendlyName: ""
Handle: 0x00000259a9ca7f70
HasPrivateKey: false
Issuer: "CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O=\"GoDaddy.com, Inc.\", L=Scottsdale, S=Arizona, C=US"
IssuerName: {System.Security.Cryptography.X509Certificates.X500DistinguishedName}
NotAfter: {5/2/2024 7:05:24 AM}
NotBefore: {4/1/2023 8:01:11 AM}
PrivateKey: null
PublicKey: {System.Security.Cryptography.X509Certificates.PublicKey}
RawData: {byte[1677]}
RawDataMemory: "System.ReadOnlyMemory<Byte>[1677]"
SerialNumber: "00AEE89C39F9916FF2"
SerialNumberBytes: "System.ReadOnlyMemory<Byte>[9]"
SignatureAlgorithm: {System.Security.Cryptography.Oid}
Subject: "CN=*.servername.com"
SubjectName: {System.Security.Cryptography.X509Certificates.X500DistinguishedName}
Thumbprint: "402010..........373DDA30F455"
Version: 3

Solution

  • Steffen really should get credit here, that was the issue. We have a wild card certificate for our web servers. While I thought we were using the domain name to connect with the SMTP servers, we were using its IP since they are all on the subnet. I made sure each of our servers had the domain name in the hosts file and then switched all servers to use the domain name of the SMTP server. Works great, gets certified just like all the others.
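The solution above comes down to host name matching: a wildcard certificate for *.servername.com can never match an IP address, so the OS reports RemoteCertificateNameMismatch. The following is an added example (not the asker's code) that shows why, and how to set up SmtpClient so the default validation passes without a thumbprint override; "mail.servername.com", the port and the sample inputs are placeholders, and System.Net.Mail.SmtpClient has no per-client callback, so the process-wide ServicePointManager hook from the question is used.

```csharp
using System;
using System.Net;
using System.Net.Mail;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class SmtpTlsExample
{
    // Simplified RFC 6125 matching: exact name, or a single-label wildcard such as
    // "*.servername.com". An IP address literal never matches a dNSName, which is
    // exactly the mismatch the asker saw when connecting by IP.
    public static bool HostMatchesDnsName(string host, string dnsName)
    {
        if (IPAddress.TryParse(host, out _)) return false;
        if (string.Equals(host, dnsName, StringComparison.OrdinalIgnoreCase)) return true;
        if (!dnsName.StartsWith("*.", StringComparison.Ordinal)) return false;
        string suffix = dnsName.Substring(1);               // ".servername.com"
        return host.Length > suffix.Length
            && host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase)
            && host.IndexOf('.') == host.Length - suffix.Length; // exactly one label before the suffix
    }

    // Accept only a certificate the OS fully validated; log (never silently accept)
    // anything else so a name mismatch or untrusted chain is visible in the service log.
    public static bool ValidateCertificate(object sender, X509Certificate cert,
                                           X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.WriteLine($"TLS validation failed: {errors}; subject={cert.Subject}");
        return false;
    }

    public static void Send(MailMessage message)
    {
        // Placeholder name (assumption): connect by the DNS name the certificate covers,
        // not by the server's IP, so the name check succeeds without a thumbprint override.
        const string smtpHost = "mail.servername.com";
        ServicePointManager.ServerCertificateValidationCallback = ValidateCertificate;
        using (var client = new SmtpClient(smtpHost, 587) { EnableSsl = true })
        {
            client.Send(message);
        }
    }

    public static void Main()
    {
        // Constructed sample inputs: only the proper host name matches the wildcard.
        Console.WriteLine(HostMatchesDnsName("mail.servername.com", "*.servername.com")); // True
        Console.WriteLine(HostMatchesDnsName("10.0.0.25", "*.servername.com"));           // False
        Console.WriteLine(HostMatchesDnsName("a.b.servername.com", "*.servername.com"));  // False
    }
}
```

If the server must be reached by IP, the proper fix is a certificate whose Subject Alternative Name carries an iPAddress entry, not a callback that returns true.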