SBS 2008 Exchange won't send

Posted on 2009-07-11
Last Modified: 2013-11-30
I had this thing all set up and working fine until I changed the IP addresses due to moving it to a different network.  It receives email OK, but when I try to send out it hangs in the queue.  After running the Exchange Mail Flow Troubleshooter, it gives me the following error:

Error submitting mail: Mail submission failed: Error message: Server does not support secure connections..

All other tests pass fine.  I can telnet out to the mail server I'm trying to send to.  I'm guessing it has to do with the certificate, but I only set this up a few months back so it shouldn't be expired.  In fact it is a trial version that appears to have expired and says it's not genuine but still works fine otherwise.

I verified the send connector exists, and is of type 'Internet' SMTP * 1.  

My server is set up on a dynamic IP, but I have verified the host and MX records are set up properly and are current.  I can't set up a reverse DNS record since it's dynamic, but doubt that is the problem, especially since I've tried sending to another outside Exchange mail server that has no spam filtering set up.  It is a different domain altogether.

I also received event ID 12023.  Type: TransportService
Microsoft Exchange could not load the certificate with thumbprint of FD6C18FE7C47E51795D84E8A4441F3B045146F01 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, the certificate with thumbprint DF4FA71547E302A3CA916207C6969A526DEDB463 is being used.

When I try to run the cmdlet as instructed above, I get:
The term 'Enable-ExchangeCertificate' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.
At line:1 char:27
+ Enable-ExchangeCertificate  <<<< FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services SMTPEnable-ExchangeCertificate FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services SMTPEnable-ExchangeCertificate FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services SMTP

Also, the other cmdlet fails.  Does SBS 2008 not have all the cmdlets that the full-blown Exchange 2007 has?  Not sure what's going on here.

I reran the Connect to the Internet wizard, the Fix My Network wizard, and they all turn up ok.

Originally, I set up a certificate that I had purchased with the internet host name and OWA worked fine.  I can still connect fine via OWA with no cert errors, but it just won't send.

Sure it's a trial and I could wipe it and start over, but what fun would that be?
Question by:B1izzard
LVL 30

Expert Comment

ID: 24832487
Do a Get-ExchangeCertificate to verify that the cert footprint you have in your error is the one that you've actually purchased and installed. Then, the command should be exactly as follows. It appears there may be an extra space in your command at line 27. SBS does include the standard set of the commands in PowerShell.

If you don't see your cert installed or you see the wrong cert installed, you'll need to re-import your cert:

Import-ExchangeCertificate -Path c:\yourcert.crt
Enable-ExchangeCertificate FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services "POP, IMAP, IIS, SMTP"

Next, here's a quality article that explains in detail how to configure your send connector:

Also, are you sending using a smarthost or are you sending using DNS? Try using DNS if you're not already.


Author Comment

ID: 24832652
I get the following error.  My PowerShell doesn't seem to have the necessary cmdlets.

PS C:\Users\Steve> Import-ExchangeCertificate -Path c:\
The term 'Import-ExchangeCertificate' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.
At line:1 char:27
+ Import-ExchangeCertificate  <<<< -Path c:\

The Get-ExchangeCertificate gives an error as well.

I am using DNS, no smart host configured.

I am reinstalling PowerShell and rebooting right now.

LVL 30

Expert Comment

ID: 24832657
You need to make sure you're launching the Exchange Management Shell and not just PowerShell.
LVL 65

Assisted Solution

Mestha earned 100 total points
ID: 24832659
When it comes to sending email, your certificate has nothing to do with it. It is down to the remote side to provide the certificate. Given the error that you have provided, it would seem that the Send Connector has been set to require TLS. Did you set up the Send Connector manually, or did you use the wizards?

Ensure that you are using the Exchange Management Shell and not plain PowerShell to run the enable-exchangecertificate command. The Exchange Management Shell has the additional extensions that are required.


Author Comment

ID: 24833483
I forgot that PowerShell and the Exchange Shell were separate.  Now I can run the commands.  When I ran the Enable-ExchangeCertificate command, it was successful, but now OWA is broken.  I used the thumbprint of the internet certificate when I enabled it.  Now I just get the error 'Internet Explorer cannot display the webpage'.  This certificate thing is a PITA.  Microsoft did a lousy job with something this simple IMO.   It's way too convoluted.  I'll have to troubleshoot this further tomorrow.  Thanks for the help so far.
LVL 30

Accepted Solution

renazonse earned 400 total points
ID: 24834220
Have you tried HTTP and HTTPS to get to your OWA? You may need to go into the default Website in IIS and make sure it's using the correct certificate.

Author Comment

ID: 24834972
I got OWA working again by setting the default website binding on port 443 for the default website as recommended.  When I try to run the command

Enable-ExchangeCertificate FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services "POP, IMAP, IIS, SMTP"

I get the following error:

Enable-ExchangeCertificate : An unexpected error occurred while the forms-based authentication settings for path /LM/W3SVC/1 were being modified. The error returned was 5506.
At line:1 char:27
+ Enable-ExchangeCertificate  <<<< c2c130d3a521616e2b3ffb16761fc46202cad198 -Services "POP, IMAP, IIS, SMTP"

I tried deleting the certificate and reimporting, but I still get the above error.
LVL 30

Expert Comment

ID: 24835050
Sorry...try this:

Enable-ExchangeCertificate -thumbprint FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services "POP, IMAP, IIS, SMTP"

Author Comment

ID: 24910843
I got it working.  I'm not 100% sure what it was, but I went into IIS and set the SBS Web Applications site's binding on port 443 to use the certificate I purchased at GoDaddy.  The Enable-ExchangeCertificate command still gives an error, but sending email works.
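
A read-only check of the three things this thread turned on (whether the Exchange cmdlets are loaded, which certificate is enabled for SMTP, and whether a send connector requires TLS), added here as an example and not posted by any participant. It assumes Exchange 2007 on SBS 2008, reuses the thumbprint quoted in the event 12023 text, and changes no settings.

```powershell
# Added example, not from the thread. Run on the Exchange 2007 / SBS 2008 server.
# Plain PowerShell lacks the Exchange cmdlets; load the Exchange 2007 snap-in if needed.
if (-not (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction Stop
}

# Thumbprint named in event ID 12023 (copied from the question above).
$wanted = 'FD6C18FE7C47E51795D84E8A4441F3B045146F01'

# 1. Certificates Exchange can see, the services each is enabled for, and expiry dates.
$certs = @(Get-ExchangeCertificate)
$certs | Format-List Thumbprint, Subject, Services, NotAfter

$match = $certs | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $match) {
    Write-Warning "Certificate $wanted is not in the local computer's personal store."
} else {
    # Services is a flags value; its text form lists the enabled services.
    if ("$($match.Services)" -notmatch 'SMTP') {
        Write-Warning "Certificate $wanted is present but not enabled for SMTP."
    }
    if ($match.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $wanted expired on $($match.NotAfter)."
    }
}

# 2. Send connectors: a connector that requires TLS cannot deliver to a remote
#    host that does not offer STARTTLS, whatever certificate is installed locally.
$connectors = @(Get-SendConnector)
$connectors | Format-List Name, Enabled, AddressSpaces, DNSRoutingEnabled, SmartHosts, RequireTLS

$connectors | Where-Object { $_.RequireTLS } | ForEach-Object {
    Write-Warning "Send connector '$($_.Name)' has RequireTLS set."
}
```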
