CMCITD asked:

STARTTLS Certificate Expiration

On our Exchange 2007 server we had a certificate installed with the local FQDN of the server as an alternate name on the certificate (hp2.cmcfc.org). This certificate has expired and been removed from the system. We recently purchased a new multidomain SSL certificate and do not have the FQDN name of the server, just the external name (mail.domain.org). We now receive Event 12014 stating that Exchange could not find a certificate that contains the domain name hp2.domain.org in the personal store on the local computer. Therefore it is unable to support the STARTTLS SMTP verb for the connector Outbound. I am under the impression that you cannot change the FQDN to the external name on the send/receive connectors, so should I just disable the TLS checkbox on the send connector so we no longer see this error? Or how should I address this? SMTP is enabled for the certificate on Exchange, but it doesn't have the server name in the name list, so it is not recognized. I don't think we enforce TLS on our connections, so it may not be needed?
Exchange

Last comment: CMCITD, 8/22/2022 (Mon)
MegaNuk3

Change the FQDN on the Send Connector to match the name on the cert - which also must be your MX record externally
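The steps behind this advice, as an added example that is not part of the thread: confirm which names the installed certificate actually carries and that SMTP is enabled on it, then point the Send connector's FQDN at one of those names. The connector name "Outbound" and the names mail.domain.org and hp2.cmcfc.org are taken from the question; everything else is assumed. Run it in the Exchange Management Shell on the Exchange 2007 Hub Transport server.

```powershell
# Added example, not the thread's own commands. Assumes a Send connector named
# "Outbound" and an SMTP-enabled certificate carrying mail.domain.org.

# 1. List the certificates Exchange knows about: which names they carry, which
#    services they are enabled for, and when they expire.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 2. Choose the name the connector will present. It must be one of the
#    CertificateDomains on a certificate that is enabled for SMTP and not expired,
#    otherwise Exchange keeps logging Event 12014 and STARTTLS is not offered.
$fqdn = "mail.domain.org"   # assumed external name; use the name on your cert
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "SMTP" -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.CertificateDomains -contains $fqdn } |
    Select-Object -First 1
if (-not $cert) {
    throw "No unexpired SMTP-enabled certificate contains $fqdn; check Get-ExchangeCertificate output."
}

# If the right certificate exists but SMTP is not in its Services, enable it
# (the question says this has already been done, so it is shown commented out):
# Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 3. Set the FQDN the Send connector uses in its HELO/EHLO and for certificate
#    selection when it issues STARTTLS to the remote server.
Set-SendConnector -Identity "Outbound" -Fqdn $fqdn

# 4. Verify. RequireTLS is false by default, i.e. TLS stays opportunistic.
Get-SendConnector -Identity "Outbound" |
    Format-List Name, Fqdn, AddressSpaces, SmartHosts, RequireTLS
```

After the change, watch the Application log for further 12014 events for this connector; if they stop, the certificate lookup now succeeds and outbound STARTTLS is offered again.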
CMCITD

ASKER
The error is relating to the RECEIVE CONNECTOR rather than the send. I disabled the authentication properties to disable the TLS security mechanism for incoming connections. Is it possible to modify the FQDN for the Receive Connectors?
CMCITD

ASKER
I did, however, add the setting for the outbound as I did notice there was a reference to outbound mail.
ASKER CERTIFIED SOLUTION
MegaNuk3

MegaNuk3

Thanks for the points, can you confirm that you set the FQDN on the receive connector/s and all was good from then on?
CMCITD

ASKER
I set the FQDN for the send connectors and eliminated that part of the issue, but I am unable to set the receive connectors. When I tried to modify the Receive connectors using our MX record/external name, this is the error from Exchange below. I am considering disabling the TLS setting for the Default receive connector. I don't believe we have anyone connecting via TLS, unless this is not a standard practice and I should leave it set. We are only using the OWA client to check email outside of our building and internally are using Microsoft Outlook, so I don't think it would hurt to disable the TLS? Am I under the right assumption on that?

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

set-receiveconnector
Failed
Error:
When the AuthMechanism parameter on a Receive connector is set to the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server "hp2.cmcfc.org", the NetBIOS name of the transport server "HP2", or $null.



MegaNuk3

Did you try that on your Internet Receive Connector and did you try it from the EMC?

TLS is nice because it stops network sniffing of your Internet mail, but how many people have their servers set up to send by it I don't know...
CMCITD

ASKER
I was using the EMC. I think when our cert is up for renewal I will define the FQDN of the server, which should help. Thanks for your professional assistance!
MegaNuk3

The other thing you can do is give your Internet facing SMTP server another IP address on the NIC/TCPIP properties and then setup a new Internet Receive Connector just for use by anonymous incoming Internet connections, turn on TLS and define your FQDN and it should not complain.
Remember to change your router /firewall to send Internet traffic on port 25 to the new IP address though...
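The dedicated Internet connector described above, as an added example that is not the poster's own commands. It also covers the error quoted earlier: Exchange only pins the FQDN to the server name when the connector's AuthMechanism includes ExchangeServer, so a connector that offers only Tls with anonymous permissions can carry the external name. The server name HP2 and the name mail.domain.org are from the thread; the second IP address 192.0.2.25 and the connector name "Internet Inbound" are assumed. Run it in the Exchange Management Shell on the Hub Transport server after the second address has been added to the NIC.

```powershell
# Added example, not from the thread. Assumptions: a second IP 192.0.2.25 on the
# Internet-facing NIC, connector name "Internet Inbound", external name
# mail.domain.org present on the SMTP-enabled certificate.

$server  = "HP2"             # NetBIOS name of the Hub Transport (from the thread)
$newIP   = "192.0.2.25"      # assumed second address on the NIC
$extName = "mail.domain.org" # must be one of the CertificateDomains on the SMTP cert

# 0. See why the Default connector rejects the external name: its AuthMechanism
#    includes ExchangeServer, which forces the FQDN to the server's own name.
Get-ReceiveConnector -Server $server |
    Format-List Name, Bindings, Fqdn, AuthMechanism, PermissionGroups

# 1. Sanity check: an unexpired, SMTP-enabled certificate must carry $extName,
#    otherwise STARTTLS will not be offered on the new connector either.
$cert = Get-ExchangeCertificate -DomainName $extName |
    Where-Object { $_.Services -match "SMTP" -and $_.NotAfter -gt (Get-Date) }
if (-not $cert) { throw "No SMTP-enabled certificate for $extName on $server." }

# 2. Create the Internet-facing connector on the new address. Only Tls is in
#    AuthMechanism (no ExchangeServer), so the FQDN may be the external name.
#    AnonymousUsers lets Internet MTAs deliver; TLS remains opportunistic.
New-ReceiveConnector -Name "Internet Inbound" -Server $server -Usage Custom `
    -Bindings "${newIP}:25" `
    -RemoteIPRanges "0.0.0.0-255.255.255.255" `
    -Fqdn $extName `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers

# 3. Verify what the new connector advertises.
Get-ReceiveConnector -Identity "$server\Internet Inbound" |
    Format-List Name, Bindings, Fqdn, AuthMechanism, PermissionGroups

# 4. (Disabling TLS instead, as considered in the thread, would be
#    Set-ReceiveConnector -Identity "$server\Default $server" -AuthMechanism None
#    but that drops inbound mail from TLS-capable senders back to cleartext,
#    so offering STARTTLS under a correct name is the better fix.)
```

Point the firewall's port 25 NAT at $newIP afterwards, as the post says; the Default connector keeps serving internal Exchange-to-Exchange traffic on the original address with its existing authentication settings.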
CMCITD

ASKER
Perfect. I will look into that option as well. Thanks!