STARTTLS Certificate Expiration

On our Exchange 2007 server we had a certificate installed with the local FQDN of the server as an alternate name on the certificate (hp2.cmcfc.org). This certificate has expired and been removed from the system. We recently purchased a new multidomain SSL certificate and do not have the FQDN name of the server, just the external name (mail.domain.org). We now receive Event 12014 stating that Exchange could not find a certificate that contains the domain name hp2.domain.org in the personal store on the local computer. Therefore it is unable to support the STARTTLS SMTP verb for the connector Outbound. I am under the impression that you can not change the FQDN to the external name on the send/receive connectors, so should I just disable the TLS checkbox on the send connector so we no longer see this error? Or how should I address this? SMTP is enabled for the certificate on Exchange but it doesn't have the server name in the name list so it is not recognized. I don't think we enforce TLS on our connections so it may not be needed?
CMCITD asked:
MegaNuk3 commented (accepted solution):
Have a look at http://technet.microsoft.com/en-us/library/bb430748.aspx
Yes, the Receive Connector also has an FQDN you can change; it is effectively the SMTP banner you see when telneting into a HT/ET on port 25.
0
 
MegaNuk3 commented:
Change the FQDN on the Send Connector to match the name on the cert, which also must be your MX record externally.
0
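The send-connector side of this advice, written out as an added Exchange Management Shell example (this is not code from the thread or from Microsoft's documentation). It assumes the connector is still named "Outbound" as in the question, that the new certificate's subject alternative names include mail.domain.org, and that the cmdlets behave as they do on Exchange 2007. It first checks that a certificate carrying the new name is actually enabled for the SMTP service, since Event 12014 is raised when no such certificate matches the connector's FQDN, and only then repoints the connector.

```powershell
# Added example, not the thread's own commands. Assumed values:
$connectorName = "Outbound"          # send connector named in the question
$externalName  = "mail.domain.org"   # name on the new multidomain certificate (and the external MX)

# 1. Find a certificate in the local computer store whose names include the external name.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $externalName } |
    Select-Object -First 1

if ($null -eq $cert) {
    throw "No certificate in the personal store lists $externalName; STARTTLS cannot be offered under that name."
}

# 2. Make sure that certificate is enabled for SMTP; otherwise the transport service will not select it.
if ($cert.Services -notmatch "SMTP") {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
}

# 3. Point the send connector's FQDN at the name the certificate carries.
#    Exchange picks the TLS certificate by matching the connector FQDN against CertificateDomains,
#    so the two must agree for STARTTLS to work on this connector.
Set-SendConnector -Identity $connectorName -Fqdn $externalName

# 4. Confirm the change; the Fqdn column should now show mail.domain.org.
Get-SendConnector -Identity $connectorName | Format-List Name, Fqdn, SmartHosts, DNSRoutingEnabled
```

After this, the 12014 event for the send connector should stop because a certificate whose domain list contains the connector FQDN is now enabled for SMTP. Disabling TLS on the connector would also silence the event, but at the cost of sending Internet mail in the clear to any MX that offers STARTTLS.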
 
CMCITD (author) commented:
The error is relating to the RECEIVE CONNECTOR rather than the send. I disabled the authentication properties to disable the TLS security mechanism for incoming connections. Is it possible to modify the FQDN for the Receive Connectors?
0
 
CMCITD (author) commented:
I did, however, add the setting for the outbound, as I did notice there was a reference to outbound mail.
0
 
MegaNuk3 commented:
Thanks for the points. Can you confirm that you set the FQDN on the receive connector(s) and all was good from then on?
0
 
CMCITD (author) commented:
I set the FQDN for the send connectors and eliminated that part of the issue, but was unable to set the receive connectors. When I tried to modify the Receive connectors using our MX record/external name, this is the error from Exchange below. I am considering disabling the TLS setting for the Default receive connector. I don't believe we have anyone connecting via TLS, unless this is not a standard practice and I should leave it set. We are only using the OWA client to check email outside of our building and internally are using Microsoft Outlook, so I don't think it would hurt to disable the TLS? Am I under the right assumption on that?

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

set-receiveconnector
Failed
Error:
When the AuthMechanism parameter on a Receive connector is set to the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server "hp2.cmcfc.org", the NetBIOS name of the transport server "HP2", or $null.
0
 
MegaNuk3 commented:
Did you try that on your Internet Receive Connector, and did you try it from the EMC?

TLS is nice because it stops network sniffing of your Internet mail, but how many people have their servers set up to send by it I don't know...
0
 
CMCITD (author) commented:
I was using the EMC. I think when our cert is up for renewal I will define the FQDN of the server, which should help. Thanks for your professional assistance!
0
 
MegaNuk3 commented:
The other thing you can do is give your Internet-facing SMTP server another IP address in the NIC/TCP/IP properties and then set up a new Internet Receive Connector just for use by anonymous incoming Internet connections; turn on TLS and define your FQDN and it should not complain.
Remember to change your router/firewall to send Internet traffic on port 25 to the new IP address, though...
0
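The dedicated Internet receive connector suggested above, as an added Exchange Management Shell example rather than anything posted in the thread. The Set-ReceiveConnector error quoted earlier comes from the AuthMechanism value ExchangeServer, which the Default connector carries for server-to-server traffic and which forces the FQDN to be the machine's own name; a connector that only accepts anonymous Internet mail does not need ExchangeServer, so it can advertise mail.domain.org and pick up the matching certificate. The example assumes the server is HP2, that the Default connector uses the standard "Default HP2" name, that the original address is 192.0.2.10 and the newly added address is 192.0.2.25 (both constructed, documentation-range values), and that the cmdlet behaviour matches Exchange 2007.

```powershell
# Added example, not the thread's own commands. Assumed values:
$server       = "HP2"                 # transport server named in the Exchange error text
$externalName = "mail.domain.org"     # name on the multidomain certificate and the external MX
$originalIp   = "192.0.2.10"          # constructed: address the Default connector keeps using
$internetIp   = "192.0.2.25"          # constructed: second address added to the NIC for Internet mail
$defaultConn  = "$server\Default $server"     # assumed standard name of the Default receive connector
$internetConn = "$server\Internet Inbound"    # name chosen for the new connector

# 1. The certificate for the external name must be enabled for SMTP, or TLS cannot be offered under it.
$cert = Get-ExchangeCertificate | Where-Object { $_.CertificateDomains -contains $externalName } | Select-Object -First 1
if ($null -eq $cert) { throw "No certificate lists $externalName; add it before enabling TLS on the new connector." }
if ($cert.Services -notmatch "SMTP") { Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP }

# 2. Two connectors on the same server cannot both bind 0.0.0.0:25 for the same remote range,
#    so restrict the Default connector to the original address first. It keeps ExchangeServer auth,
#    which is why its FQDN has to stay hp2.cmcfc.org / HP2 / $null.
Set-ReceiveConnector -Identity $defaultConn -Bindings "${originalIp}:25"

# 3. Create the Internet-facing connector on the new address. -Usage Internet gives it
#    AuthMechanism Tls and PermissionGroups AnonymousUsers (no ExchangeServer), which is what
#    lets the FQDN be the external name without the error seen in the EMC.
New-ReceiveConnector -Name "Internet Inbound" -Server $server -Usage Internet `
    -Bindings "${internetIp}:25" -RemoteIPRanges "0.0.0.0-255.255.255.255" -Fqdn $externalName

# 4. Make the intended auth/permission set explicit rather than relying on the -Usage defaults.
Set-ReceiveConnector -Identity $internetConn -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 5. Verify: the new connector should show Fqdn mail.domain.org, AuthMechanism Tls, and
#    the Default connector should no longer bind to all addresses.
Get-ReceiveConnector -Server $server | Format-Table Name, Bindings, Fqdn, AuthMechanism, PermissionGroups -AutoSize
```

With this layout the Default connector still handles internal Exchange and Outlook traffic on the original address, while Internet MTAs hitting the new address (once the firewall forwards port 25 there) see a banner and STARTTLS certificate that match the published MX name. Because the Internet connector runs with AuthMechanism Tls only, a sending MTA that does not negotiate STARTTLS still delivers in the clear, so the certificate fix enables opportunistic TLS rather than enforcing it.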
 
CMCITD (author) commented:
Perfect. I will look into that option as well. Thanks!
0