By default, Exchange 2007 and 2010 attempt to use Transport Layer Security (TLS) for all SMTP traffic. TLS uses a certificate on the receiving server to encrypt SMTP traffic between SMTP servers, similar to the way a certificate on the CAS server is used to secure OWA traffic. If TLS cannot be negotiated, SMTP will usually fallback to non-encrypted SMTP.
In order for a server to send SMTP email via TLS:
- The receiving server must have an Exchange certificate in the computer's local Personal store.
- The SMTP service must be assigned to use this certificate.
- The FQDN used in the Receive Connector must match either the Common Name or one of the Subject Alternative Names (if they exist) on the SMTP certificate.
If any one of these requirements is not met, you will see the following error in the application log of the Edge Transport server:
Log Name: Application
Source: MSExchangeTransport
Date: 9/28/2010 9:35:58 AM
Event ID: 12014
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: mailgate
Description:
Microsoft Exchange could not find a certificate that contains the domain name mail1.expta.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default internal receive connector MAILGATE with a FQDN parameter of mail.expta.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
You can fix this by reconfiguring the offending connector to use the Common Name or Subject Alternative Name used on the Exchange certificate. You can find this value by viewing the certificate from the Certificates MMC, as shown below:
- On the Edge server, open the Exchange Management Console.
- Navigate to Microsoft Exchange > EdgeTransport.
- Click the Receive Connectors tab to view the existing connectors.
- Double-click the Default internal receive connector SERVER connector to view its properties.
- In the Specify the FQDN this connector will provide in response to HELO or EHLO field, enter the certificate's Common Name (for example, mailgate.expta.com) as shown below, and click OK.
To reconfigure the Hub Transport's Send Connector:
- On the Hub Transport, open the Exchange Management Console.
- Navigate to Microsoft Exchange > Microsoft Exchange On-Premises > Organization Configuration > Hub Transport.
- Click the Send Connectors tab to view the existing Send Connectors.
- Double-click the EdgeSync - Inbound to domain connector to view its properties.
- In the Specify the FQDN this connector will provide in response to HELO or EHLO field enter the Hub Transport certificate's Common Name (for example, ht01.expta.com) and click OK.
Jeff, this is a very helpful erticle. Thanks.
ReplyDeleteSwish
ReplyDeleteThanks Jeff, I was wondering why I was getting that error, looks like I fat fingered it and typed the wrong name on the send connector. Don't I feel stupid.
ReplyDeleteThanks Jeff! you are real guru!
ReplyDeleteI have the issue a long time and try to solve it by anyway...
your instruction is great than Microsoft KB.
thanks again!
George wang
Jeff,
ReplyDeletePlease, sorry for my english. The idea of the fix is modify de fdqn of the conector (sender & receiver), have to be same of the certificate ??? I see ex1.expta.com at the configuration and the certificate is mailgate.expta.com??
You modify the configuration of the sender to mailgate.expta.com???
Thanks!!!
Thanks for your comment, Erwin. I messed up my screenshots and I fixed them.
Delete