Solved

STARTTLS Certificate Expiration

Posted on 2011-03-08
Last Modified: 2012-05-11
On our Exchange 2007 server we had a certificate installed with the local FQDN of the server as an alternate name on the certificate (hp2.cmcfc.org). This certificate has expired and been removed from the system. We recently purchased a new multidomain SSL certificate, and it does not have the FQDN name of the server, just the external name (mail.domain.org). We now receive Event 12014 stating that Exchange could not find a certificate that contains the domain name hp2.domain.org in the personal store on the local computer. Therefore it is unable to support the STARTTLS SMTP verb for the connector Outbound. I am under the impression that you cannot change the FQDN to the external name on the send/receive connectors, so should I just disable the TLS checkbox on the send connector so we no longer see this error? Or how should I address this? SMTP is enabled for the certificate on Exchange, but it doesn't have the server name in the name list, so it is not recognized. I don't think we enforce TLS on our connections, so it may not be needed?
Question by:CMCITD
11 Comments
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35072462
Change the FQDN on the Send Connector to match the name on the cert - which also must be your MX record externally
 

Author Comment

by:CMCITD
ID: 35073670
The error relates to the RECEIVE CONNECTOR rather than the send. I disabled the authentication properties to disable the TLS security mechanism for incoming connections. Is it possible to modify the FQDN for the Receive Connectors?
 

Author Comment

by:CMCITD
ID: 35073702
I did, however, add the setting for the outbound, as I did notice there was a reference to outbound mail.
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 500 total points
ID: 35074870
Have a look at http://technet.microsoft.com/en-us/library/bb430748.aspx
Yes, the Receive Connector also has an FQDN you can change; it is effectively the SMTP banner you see when telnetting into an HT/ET on port 25.
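The steps the accepted answer describes, as an added example for this thread (not code from the original post, from the expert, or from Microsoft). It is run in the Exchange Management Shell on the Hub Transport server. The server name HP2 / hp2.cmcfc.org, the Send Connector name "Outbound" and the certificate name mail.domain.org are taken from the thread; nothing else is assumed.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on the Hub Transport server (HP2 / hp2.cmcfc.org in this thread).

# 1. Which certificates are enabled for SMTP, which names do they carry, and
#    when do they expire? Event 12014 means that none of the SMTP-enabled
#    certificates lists the FQDN configured on the connector.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, IsSelfSigned

# 2. Point the Send Connector at a name that IS on the purchased certificate.
#    This is the HELO/EHLO name your server presents outbound, so it should
#    also be the name in your MX and PTR records.
Set-SendConnector -Identity "Outbound" -Fqdn "mail.domain.org"
Get-SendConnector -Identity "Outbound" | Format-List Name, Fqdn, AddressSpaces, SmartHosts

# 3. Each Receive Connector has its own FQDN (the "220 ..." banner) and
#    AuthMechanism. Exchange selects the STARTTLS certificate by matching the
#    connector FQDN against CertificateDomains, so the FQDN has to be a name
#    on an SMTP-enabled certificate. A connector whose AuthMechanism includes
#    ExchangeServer is only allowed the server FQDN, its NetBIOS name, or
#    $null here (that is the error quoted later in this thread); a connector
#    with AuthMechanism Tls can carry the certificate name instead.
Get-ReceiveConnector -Server HP2 |
    Format-Table Name, Fqdn, AuthMechanism, Bindings, PermissionGroups -AutoSize
```

If step 1 shows no certificate whose CertificateDomains contains the connector FQDN, the fix is either to change the FQDN (steps 2 and 3) or to obtain a certificate that includes the internal name; unticking TLS on the connector makes the event go away only by dropping opportunistic encryption for every remote server that would have offered it.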
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35074887
LVL 31

Expert Comment

by:MegaNuk3
ID: 35085513
Thanks for the points. Can you confirm that you set the FQDN on the receive connector(s) and all was good from then on?
 

Author Comment

by:CMCITD
ID: 35085553
I set the FQDN for the send connectors and eliminated that part of the issue, but I am unable to set the receive connectors. When I tried to modify the Receive connectors using our MX record/external name, this is the error from Exchange below. I am considering disabling the TLS setting for the Default receive connector. I don't believe we have anyone connecting via TLS, unless this is a standard practice and I should leave it set. We are only using the OWA client to check email outside of our building and internally are using Microsoft Outlook, so I don't think it would hurt to disable the TLS? Am I under the right assumption on that?

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

set-receiveconnector
Failed
Error:
When the AuthMechanism parameter on a Receive connector is set to the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server "hp2.cmcfc.org", the NetBIOS name of the transport server "HP2", or $null.
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35085650
Did you try that on your Internet Receive Connector, and did you try it from the EMC?

TLS is nice because it stops network sniffing of your Internet mail, but how many people have their servers set up to send by it I don't know...
 

Author Comment

by:CMCITD
ID: 35085819
I was using the EMC. I think when our cert is up for renewal I will define the FQDN of the server, which should help. Thanks for your professional assistance!
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35086053
The other thing you can do is give your Internet-facing SMTP server another IP address in the NIC/TCP-IP properties and then set up a new Internet Receive Connector just for use by anonymous incoming Internet connections; turn on TLS and define your FQDN, and it should not complain.
Remember to change your router/firewall to send Internet traffic on port 25 to the new IP address, though...
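The second-IP approach in the comment above, worked through as an added example (not code from the original thread, from the expert, or from Microsoft). Assumptions, none of which appear in the thread: HP2's original address is 192.0.2.25, 192.0.2.26 has been added as a second address on the same NIC and the firewall now forwards Internet port 25 to it (both addresses are placeholders from the RFC 5737 documentation range); the Default connector still carries its Exchange 2007 default name "Default HP2"; and the connector to be created is named "Internet". Server, certificate and domain names are the ones used in the thread.

```powershell
# Added example, not from the original thread. Run steps 1 and 2 in the
# Exchange Management Shell on HP2; step 3 runs from any Windows host outside
# the firewall. IP addresses below are assumed placeholders.

# 1. The Default connector keeps AuthMechanism ExchangeServer, so its FQDN has
#    to stay hp2.cmcfc.org. Bind it to the original address only; Exchange
#    rejects two connectors whose bindings and remote IP ranges overlap, and
#    its default 0.0.0.0:25 binding would overlap the new connector.
Set-ReceiveConnector -Identity "HP2\Default HP2" -Bindings "192.0.2.25:25"

# 2. Create the Internet-facing connector on the second address. -Usage
#    Internet sets AuthMechanism Tls and PermissionGroups AnonymousUsers, so
#    the "server FQDN, NetBIOS name or $null" rule quoted earlier does not
#    apply and the name on the purchased certificate is accepted as the FQDN.
New-ReceiveConnector -Name "Internet" -Usage Internet -Server HP2 `
    -Bindings "192.0.2.26:25" -RemoteIPRanges "0.0.0.0-255.255.255.255" `
    -Fqdn "mail.domain.org"
Get-ReceiveConnector -Server HP2 |
    Format-Table Name, Fqdn, AuthMechanism, Bindings, PermissionGroups -AutoSize

# 3. From outside: confirm the banner carries the certificate name and that
#    STARTTLS is advertised again. Uses only .NET sockets, no Exchange tools,
#    so it works from a plain workstation.
function Test-StartTls {
    param([string]$HostName = "mail.domain.org", [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.AutoFlush = $true
    $banner = $reader.ReadLine()                 # expect "220 mail.domain.org ..."
    $writer.Write("EHLO test.example`r`n")
    $lines = @()
    do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^250-')
    $writer.Write("QUIT`r`n")
    $client.Close()
    @{ Banner = $banner; StartTls = [bool]($lines -match '^250[- ]STARTTLS') }
}
Test-StartTls
```

If Test-StartTls reports StartTls = False after the change, check the firewall forwarding first (step 2 only affects 192.0.2.26) and then Get-ExchangeCertificate to confirm the certificate carrying mail.domain.org is still enabled for the SMTP service. Leaving TLS on costs nothing for senders that do not offer it and protects the mail of those that do.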
 

Author Comment

by:CMCITD
ID: 35086614
Perfect.  I will look into that option as well.  Thanks!