Disabling the SMTP Exit Module of a Certification Authority

Assume the following scenario:

  • The certification authority is configured to send e-mail notifications about events on the certification authority, using only the SMTP exit module.
  • The configured SMTP server is unreachable, for example due to a failure.

In this case, the exit module cannot deliver the e-mail notifications. It times out, and the certification authority becomes very slow.

In the Windows Event Viewer, event no. 46 is logged:

The "Windows default" Exit Module "Initialize" method returned an error. The transport failed to connect to the server. The returned status code is 0x80040213 (-2147220973). The Certification Authority was unable to send an email notification for EXITEVENT_STARTUP to admins1@fabrikam.com,admin2@fabrikam.com.

In such a case, it makes sense to disable the SMTP exit module.

This can be done by unsubscribing from all events.

Which events trigger an e-mail notification is defined in the following registry value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{name-of-certification authority}\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\smtp\EventFilter

If the value is set to "0", all event subscriptions are cancelled.

The following command can also be used to cancel all event subscriptions:

certutil -setreg exit\smtp\eventfilter 0

For the changes to take effect, the Certification Authority service must be restarted.
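
The procedure above as one PowerShell script, added here as an example and not part of the original article: it shows which events the current EventFilter subscribes to, saves the old value, sets the filter to 0 and restarts the service. The backup file path is a hypothetical choice, the CA name is read from the "Active" registry value, and the EXITEVENT_* bit values are taken from certexit.h in the Windows SDK.

```powershell
# Added example (not from the original article). Run elevated on the CA.
$ErrorActionPreference = 'Stop'

# Registry location from the article; the CA name comes from the "Active" value.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$smtp   = Join-Path $cfg "$caName\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\smtp"

# EXITEVENT_* bit values as defined in certexit.h (Windows SDK).
$flags = [ordered]@{
    EXITEVENT_CERTISSUED          = 0x01
    EXITEVENT_CERTPENDING         = 0x02
    EXITEVENT_CERTDENIED          = 0x04
    EXITEVENT_CERTREVOKED         = 0x08
    EXITEVENT_CERTRETRIEVEPENDING = 0x10
    EXITEVENT_CRLISSUED           = 0x20
    EXITEVENT_SHUTDOWN            = 0x40
    EXITEVENT_STARTUP             = 0x80
}

# Read the current filter and list the events it subscribes to.
$current    = [int](Get-ItemProperty -Path $smtp -Name EventFilter).EventFilter
$subscribed = @($flags.Keys | Where-Object { $current -band $flags[$_] })
Write-Host ("EventFilter on '{0}': 0x{1:X} ({2})" -f $caName, $current, ($subscribed -join ', '))

if ($current -ne 0) {
    # Keep the old value so notifications can be restored later (hypothetical path).
    $backup = Join-Path $env:ProgramData 'smtp-eventfilter-backup.txt'
    Set-Content -Path $backup -Value $current

    # Command from the article: unsubscribe from all events.
    certutil -setreg exit\smtp\eventfilter 0 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

    # The change only takes effect after the CA service is restarted.
    Restart-Service -Name CertSvc
}

# Confirm the value that is now in the registry.
$after = [int](Get-ItemProperty -Path $smtp -Name EventFilter).EventFilter
if ($after -ne 0) { throw "EventFilter is still 0x$('{0:X}' -f $after)" }
Write-Host "EventFilter is 0; the SMTP exit module no longer sends notifications."
```

Once the SMTP server is reachable again, the saved number can be written back with the same certutil -setreg command, followed by another restart of the service.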

Alternative: Disable exit module completely

It is also possible to disable the exit module completely. See the article "Operating the Certification Authority without exit module".
