SBS 2008 Exchange won't send

Posted on 2009-07-11
Medium Priority
Last Modified: 2013-11-30
I had this thing all set up and working fine until I changed the IP addresses due to moving it to a different network.  It receives email OK, but when I try to send out it hangs in the queue.  After running the Exchange Mail Flow Troubleshooter, it gives me the following error:

Error submitting mail: Mail submission failed: Error message: Server does not support secure connections..

All other tests pass fine.  I can telnet out to the mail server I'm trying to send to.  I'm guessing it has to do with the certificate, but I only set this up a few months back so it shouldn't be expired.  In fact it is a trial version that appears to have expired and says it's not genuine but still works fine otherwise.

I verified the send connector exists, and is of type 'Internet' SMTP * 1.  

My server is set up on a dynamic IP, but I have verified the host and MX records are set up properly and are current.  I can't set up a reverse DNS record since it's dynamic, but doubt that is the problem, especially since I've tried sending to another outside Exchange mail server that has no spam filtering set up.  It is a different domain altogether.

I also received event ID 12023.  Type: TransportService
Microsoft Exchange could not load the certificate with thumbprint of FD6C18FE7C47E51795D84E8A4441F3B045146F01 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, the certificate with thumbprint DF4FA71547E302A3CA916207C6969A526DEDB463 is being used.

When I try to run the cmdlet as instructed above, I get:
The term 'Enable-ExchangeCertificate' is not recognized as a cmdlet, function, operable program, or script file. Verify
 the term and try again.
At line:1 char:27
+ Enable-ExchangeCertificate  <<<< FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services SMTPEnable-ExchangeCertificate FD
6C18FE7C47E51795D84E8A4441F3B045146F01 -Services SMTPEnable-ExchangeCertificate FD6C18FE7C47E51795D84E8A4441F3B045146F0
1 -Services SMTP

Also, the other cmdlet fails.  Does SBS 2008 not have all the cmdlets that the full-blown Exchange 2007 has?  Not sure what's going on here.

I reran the Connect to the Internet wizard, the Fix My Network wizard, and they all turn up ok.

Originally, I set up a certificate that I had purchased with the internet host name and OWA worked fine.  I can still connect fine via OWA with no cert errors, but it just won't send.

Sure it's a trial and I could wipe it and start over, but what fun would that be?
Question by: B1izzard
LVL 30

Expert Comment

by:Britt Thompson
ID: 24832487
Do a Get-ExchangeCertificate to verify that the cert footprint you have in your error is the one that you've actually purchased and installed. Then, the command should be exactly as follows. It appears there may be an extra space in your command at line 27. SBS does include the standard set of commands in PowerShell.

If you don't see your cert installed or you see the wrong cert installed you'll need to re-import your cert

Import-ExchangeCertificate -Path c:\yourcert.crt
Enable-ExchangeCertificate FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services "POP, IMAP, IIS, SMTP"

Next, here's a quality article that explains in detail how to configure your send connector: http://www.petri.co.il/configuring-exchange-2007-send-external-email.htm

Also, are you sending using a smarthost or are you sending using DNS? Try using DNS if you're not already.


Author Comment

ID: 24832652
I get the following error.  My PowerShell doesn't seem to have the necessary cmdlets.

PS C:\Users\Steve> Import-ExchangeCertificate -Path c:\mail.mydomain.com
The term 'Import-ExchangeCertificate' is not recognized as a cmdlet, function, operable program, or script file. Verify
 the term and try again.
At line:1 char:27
+ Import-ExchangeCertificate  <<<< -Path c:\mail.mydomain.com.crt

The Get-ExchangeCertificate gives an error as well.

I am using DNS, no smart host configured.

I am reinstalling the powershell and rebooting right now.  

LVL 30

Expert Comment

by:Britt Thompson
ID: 24832657
You need to make sure you're launching the Exchange Management Shell and not just PowerShell.

LVL 65

Assisted Solution

Mestha earned 400 total points
ID: 24832659
When it comes to sending email, your certificate has nothing to do with it. It is down to the remote side to provide the certificate. Given the error that you have provided, it would seem that the Send Connector has been set to require TLS. Did you set up the Send Connector manually, or did you use the wizards?

Ensure that you are using the Exchange Management Shell and not plain PowerShell to run the enable-exchangecertificate command. The Exchange Management Shell has the additional extensions that are required.
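
The checks suggested in the answers above, as an added example that is not part of the original thread or any poster's own code. It assumes Exchange 2007 on SBS 2008 (snap-in name `Microsoft.Exchange.Management.PowerShell.Admin`) and uses the thumbprint quoted in the event ID 12023 text from the question.

```powershell
# Added example. Run on the Exchange 2007 / SBS 2008 server itself.
# Plain PowerShell lacks the Exchange cmdlets until this snap-in is loaded;
# the Exchange Management Shell shortcut loads it for you.
$snapin = 'Microsoft.Exchange.Management.PowerShell.Admin'
if (-not (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin $snapin
}

# Thumbprint named in the event ID 12023 text quoted in the question.
$wanted = 'FD6C18FE7C47E51795D84E8A4441F3B045146F01'

# Every certificate Exchange can see in the local computer's personal store.
$certs = @(Get-ExchangeCertificate)
$certs | Format-List Thumbprint, Subject, Services, NotBefore, NotAfter

# Is the certificate present, still in date, and enabled for SMTP?
$cert = $certs | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $cert) {
    Write-Warning "$wanted is not in the personal store; import it before trying to enable it."
}
elseif ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "$wanted expired on $($cert.NotAfter)."
}
elseif ("$($cert.Services)" -notmatch 'SMTP') {
    Write-Warning "$wanted is present but not enabled for SMTP (Services: $($cert.Services))."
}
else {
    Write-Host "$wanted is present, in date and enabled for SMTP."
}

# Send connectors: RequireTLS = True makes outbound mail queue whenever the
# remote server does not offer STARTTLS.
$connectors = @(Get-SendConnector)
$connectors | Format-Table Name, Enabled, DNSRoutingEnabled, RequireTLS, AddressSpaces -AutoSize
$connectors | Where-Object { $_.RequireTLS } | ForEach-Object {
    Write-Warning "Send connector '$($_.Name)' requires TLS for every destination."
}
```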


Author Comment

ID: 24833483
I forgot that the PowerShell and Exchange Shell were separate.  Now I can run the commands.  When I ran the enable-exchangecertificate command, it was successful, but now OWA is broken.  I used the thumbprint of the internet certificate when I enabled it.  Now I just get the error 'Internet Explorer cannot display the webpage'.  This certificate thing is a PITA.  Microsoft did a lousy job with something this simple IMO.   It's way too convoluted.  I'll have to troubleshoot this further tomorrow.  Thanks for the help so far.
LVL 30

Accepted Solution

Britt Thompson earned 1600 total points
ID: 24834220
Have you tried HTTP and HTTPS to get to your OWA? You may need to go into the default Website in IIS and make sure it's using the correct certificate.

Author Comment

ID: 24834972
I got OWA working again by setting the default website binding on port 443 for the default website as recommended.  When I try to run the command

Enable-ExchangeCertificate FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services "POP, IMAP, IIS, SMTP"

I get the following error:

Enable-ExchangeCertificate : An unexpected error occurred while the forms-based
 authentication settings for path /LM/W3SVC/1 were being modified. The error re
turned was 5506.
At line:1 char:27
+ Enable-ExchangeCertificate  <<<< c2c130d3a521616e2b3ffb16761fc46202cad198 -Se
rvices "POP, IMAP, IIS, SMTP"

I tried deleting the certificate and reimporting, but I still get the above error.
LVL 30

Expert Comment

by:Britt Thompson
ID: 24835050
Sorry...try this:

Enable-ExchangeCertificate -thumbprint FD6C18FE7C47E51795D84E8A4441F3B045146F01 -Services "POP, IMAP, IIS, SMTP"

Author Comment

ID: 24910843
I got it working.  I'm not 100% sure what it was, but I went into IIS and set the SBS Web Applications site's binding on port 443 to use the certificate I purchased at GoDaddy.  The Enable-ExchangeCertificate command still gives an error, but sending email works.
