By default, Exchange 2007 and 2010 attempt to use Transport Layer Security (TLS) for all SMTP traffic. TLS uses a certificate on the receiving server to encrypt SMTP traffic between SMTP servers, similar to the way a certificate on the CAS server is used to secure OWA traffic. If TLS cannot be negotiated, SMTP will usually fall back to unencrypted SMTP, so a certificate problem does not stop mail flow; it silently removes the encryption.
In order for a server to send SMTP email via TLS:
- The receiving server must have an Exchange certificate in the computer’s local Personal store.
- The SMTP service must be assigned to use this certificate.
- The FQDN used in the Receive Connector must match either the Common Name or one of the Subject Alternative Names (if they exist) on the SMTP certificate.
If any one of these requirements is not met, you will see the following error in the application log of the Edge Transport server:
Log Name: Application
Date: 9/28/2010 9:35:58 AM
Event ID: 12014
Task Category: TransportService
Microsoft Exchange could not find a certificate that contains the domain name mail1.expta.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default internal receive connector MAILGATE with a FQDN parameter of mail.expta.com. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
When you see this error on Edge Transport servers you have to examine the error description to determine where the mismatch occurs. In the example above, the connector in error is the “Default internal receive connector MAILGATE”, which is the receive connector that exists on the Edge server itself. If the connector in error is on the “EdgeSync – Inbound to domain” connector, the mismatch is on the Hub Transport server’s receive connector.
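Reading the event text tells you about one connector at a time. The following script is an added example, not from the original post, that audits all three requirements from the Exchange Management Shell on the Edge (or Hub) Transport server: it lists the certificates in the local Personal store that have the SMTP service assigned, then reports every connector hosted on that server whose FQDN (or the computer FQDN, when the connector has none) is not covered by one of those certificates. Only standard Exchange 2007/2010 cmdlets are used; the function name and the report layout are this example's own.

```powershell
# Added example, not from the original post: audit certificate/connector FQDN coverage.
# Run in the Exchange Management Shell on the transport server that logs Event ID 12014.

function Test-FqdnCoveredByCertDomain {
    param([string]$Fqdn, [string]$CertDomain)
    # Exact match, or a single-label wildcard: "*.expta.com" covers "mail.expta.com"
    # but not "expta.com" and not "a.b.expta.com".
    if ($Fqdn -eq $CertDomain) { return $true }
    if ($CertDomain.StartsWith('*.')) {
        $suffix = $CertDomain.Substring(1)   # ".expta.com"
        return ($Fqdn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) -and
                ($Fqdn -split '\.').Count -eq ($CertDomain -split '\.').Count)
    }
    return $false
}

# Requirements 1 and 2: a certificate in the local Personal store with the SMTP service assigned
$smtpCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'SMTP' })
if ($smtpCerts.Count -eq 0) {
    Write-Warning 'No certificate in the local Personal store is enabled for SMTP.'
}
$smtpCerts | Format-Table Thumbprint, NotAfter, @{n='Domains'; e={ $_.CertificateDomains -join ', ' }} -AutoSize

# The event text says the computer FQDN is used when the connector's FQDN is blank
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$computerFqdn = if ($ipProps.DomainName) { '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName } else { $ipProps.HostName }

# Requirement 3: collect the connectors hosted on this server and the FQDN each one advertises.
# On a Hub Transport server Get-ReceiveConnector returns every server's connectors, so keep only
# the local ones; for Send connectors the certificate that matters is on the source transport server.
$local = $env:COMPUTERNAME
$connectors = @()
$connectors += Get-ReceiveConnector | Where-Object { $_.Server.ToString() -eq $local } |
    ForEach-Object { New-Object PSObject -Property @{ Type = 'Receive'; Identity = $_.Identity.ToString(); Fqdn = $_.Fqdn } }
$connectors += Get-SendConnector |
    Where-Object { @($_.SourceTransportServers | ForEach-Object { $_.ToString() }) -contains $local } |
    ForEach-Object { New-Object PSObject -Property @{ Type = 'Send'; Identity = $_.Identity.ToString(); Fqdn = $_.Fqdn } }

$report = foreach ($c in $connectors) {
    $advertised = if ($c.Fqdn) { $c.Fqdn.ToString() } else { $computerFqdn }
    $covered = $false
    foreach ($cert in $smtpCerts) {
        foreach ($domain in $cert.CertificateDomains) {
            if (Test-FqdnCoveredByCertDomain -Fqdn $advertised -CertDomain $domain.ToString()) { $covered = $true }
        }
    }
    New-Object PSObject -Property @{ Type = $c.Type; Connector = $c.Identity; AdvertisedFqdn = $advertised; CoveredBySmtpCert = $covered }
}

# Uncovered connectors sort first; each one is a candidate for the 12014 event
$report | Sort-Object CoveredBySmtpCert | Format-Table Type, Connector, AdvertisedFqdn, CoveredBySmtpCert -AutoSize
```

Any row with CoveredBySmtpCert set to False is a connector that will fail to offer STARTTLS, and its AdvertisedFqdn column is the value that has to be brought into line with the certificate, either by changing the connector (as in the procedures below) or by obtaining a certificate that includes that name.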
You can fix this by reconfiguring the offending connector to use the Common Name or Subject Alternative Name used on the Exchange certificate. You can find this value by viewing the certificate from the Certificates MMC, as shown below:
To reconfigure the Edge Server’s Receive Connector:
- On the Edge server, open the Exchange Management Console.
- Navigate to Microsoft Exchange > EdgeTransport.
- Click the Receive Connectors tab to view the existing connectors.
- Double-click the Default internal receive connector SERVER connector to view its properties.
- In the Specify the FQDN this connector will provide in response to HELO or EHLO field, enter the certificate’s Common Name (for example, ex1.expta.com) as shown below, and click OK.
To reconfigure the Hub Transport’s Receive Connector:
- On the CAS, open the Exchange Management Console.
- Navigate to Microsoft Exchange > Microsoft Exchange On-Premises > Organization Configuration > Hub Transport.
- Click the Send Connectors tab to view the existing Send Connectors.
- Double-click the EdgeSync – Inbound to domain connector to view its properties.
- In the Specify the FQDN this connector will provide in response to HELO or EHLO field, enter the certificate’s Common Name (for example, ex1.expta.com) as shown above, and click OK.
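The same two reconfigurations can be scripted from the Exchange Management Shell. The script below is an added example, not from the original post: on the Edge server it confirms the certificate exists in the local Personal store, assigns the SMTP service to it if that has not been done (the remedy the event text itself suggests), and sets the internal receive connector's FQDN; on the Hub/CAS side it sets the FQDN on the EdgeSync inbound send connector. The certificate name and the connector name patterns are assumptions taken from the post's own example (ex1.expta.com, "Default internal receive connector <SERVER>", "EdgeSync - Inbound to <site>"); substitute your own values, and run it with -WhatIf first to see what it would change.

```powershell
# Added example, not from the original post: script equivalent of the two EMC procedures.
# Usage: .\Set-ConnectorFqdn.ps1 -Role Edge -CertName ex1.expta.com -WhatIf   (then without -WhatIf)
param(
    [Parameter(Mandatory=$true)][ValidateSet('Edge','Hub')][string]$Role,   # which server this runs on
    [string]$CertName = 'ex1.expta.com',                                    # Common Name or SAN on the certificate
    [switch]$WhatIf                                                         # preview changes without applying them
)

if ($Role -eq 'Edge') {
    # Requirement 1: the name must be on a certificate in the Edge server's local Personal store;
    # if several qualify, use the one that expires last
    $cert = Get-ExchangeCertificate |
        Where-Object { @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $CertName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate in the local Personal store contains $CertName" }

    # Requirement 2: the SMTP service must be assigned to that certificate.
    # Enable-ExchangeCertificate prompts before replacing the current default SMTP certificate.
    if ($cert.Services.ToString() -notmatch 'SMTP') {
        Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -WhatIf:$WhatIf
    }

    # Requirement 3: the Edge server's own internal receive connector must advertise that name
    Get-ReceiveConnector | Where-Object { $_.Name -like 'Default internal receive connector*' } |
        Set-ReceiveConnector -Fqdn $CertName -WhatIf:$WhatIf
    Get-ReceiveConnector | Where-Object { $_.Name -like 'Default internal receive connector*' } |
        Format-Table Identity, Fqdn -AutoSize
}
else {
    # On the Hub/CAS: the EdgeSync inbound connector is listed under Send Connectors.
    # The wildcard tolerates the dash variants seen in the connector's display name.
    Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync*Inbound to*' } |
        Set-SendConnector -Fqdn $CertName -WhatIf:$WhatIf
    Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync*Inbound to*' } |
        Format-Table Identity, Fqdn -AutoSize
}

# Afterwards, confirm that no new Event ID 12014 entries are being logged by the transport service
Get-EventLog -LogName Application -Source MSExchangeTransport -After (Get-Date).AddMinutes(-15) -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 12014 } | Select-Object TimeGenerated, Message
```

The -WhatIf switch is passed through to every Exchange cmdlet that changes state, so a first run shows exactly which certificate would be enabled and which connectors would be modified before anything is touched. The trailing event log query is the check that matters: once the connector FQDN and the certificate agree, the 12014 events stop and STARTTLS is offered again.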