Solved

STARTTLS Certificate Expiration

Posted on 2011-03-08
845 Views
Last Modified: 2012-05-11
On our Exchange 2007 server we had a certificate installed with the local FQDN of the server as an alternate name on the certificate (hp2.cmcfc.org). This certificate has expired and been removed from the system. We recently purchased a new multidomain SSL certificate and do not have the FQDN name of the server, just the external name (mail.domain.org). We now receive Event 12014 stating that Exchange could not find a certificate that contains the domain name hp2.domain.org in the personal store on the local computer. Therefore it is unable to support the STARTTLS SMTP verb for the connector Outbound. I am under the impression that you cannot change the FQDN to the external name on the send/receive connectors, so should I just disable the TLS checkbox on the send connector so we no longer see this error? Or how should I address this? SMTP is enabled for the certificate on Exchange but it doesn't have the server name in the name list so it is not recognized. I don't think we enforce TLS on our connections so it may not be needed?
Question by:CMCITD
11 Comments
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35072462
Change the FQDN on the Send Connector to match the name on the cert - which also must be your MX record externally
0
 

Author Comment

by:CMCITD
ID: 35073670
The error is relating to the RECEIVE CONNECTOR rather than the send. I disabled the authentication properties to disable the TLS Security mechanism for incoming connections. Is it possible to modify the FQDN for the Receive Connectors?
0
 

Author Comment

by:CMCITD
ID: 35073702
I did, however, add the setting for the outbound, as I did notice there was a reference to outbound mail.
0
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 500 total points
ID: 35074870
Have a look at http://technet.microsoft.com/en-us/library/bb430748.aspx
Yes, the Receive Connector also has an FQDN you can change; it is effectively the SMTP banner you see when telnetting into a HT/ET on port 25.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35074887
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35085513
Thanks for the points, can you confirm that you set the FQDN on the receive connector/s and all was good from then on?
0
 

Author Comment

by:CMCITD
ID: 35085553
I set the FQDN for the send connectors and eliminated that part of the issue, but was unable to set the receive connectors. When I tried to modify the Receive connectors using our MX record/External name, this is the error from Exchange below. I am considering disabling the TLS setting for the Default receive connector. I don't believe we have anyone connecting via TLS, unless this is not a standard practice and I should leave it set. We are only using the OWA client to check email outside of our building and internally are using Microsoft Outlook, so I don't think it would hurt to disable the TLS? Am I under the right assumption on that?

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

set-receiveconnector
Failed
Error:
When the AuthMechanism parameter on a Receive connector is set to the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server "hp2.cmcfc.org", the NetBIOS name of the transport server "HP2", or $null.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35085650
Did you try that on your Internet Receive Connector and did you try it from the EMC?

TLS is nice because it stops network sniffing of your Internet mail, but how many people have their servers set up to send by it I don't know...
0
 

Author Comment

by:CMCITD
ID: 35085819
I was using the EMC. I think when our cert is up for renewal I will define the FQDN of the server, which should help. Thanks for your professional assistance!
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35086053
The other thing you can do is give your Internet-facing SMTP server another IP address on the NIC/TCPIP properties and then set up a new Internet Receive Connector just for use by anonymous incoming Internet connections, turn on TLS and define your FQDN, and it should not complain.
Remember to change your router/firewall to send Internet traffic on port 25 to the new IP address though...
0
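The approach above, and the earlier point that a Receive connector's FQDN must stay the server name while it uses ExchangeServer authentication, as an added Exchange Management Shell example (not code from the thread). It assumes the multidomain certificate for mail.domain.org is already enabled for SMTP, a Send connector named "Outbound", a constructed connector name "Internet Inbound", and 192.0.2.25 as a placeholder for the second IP address.

```powershell
# Added example, not from the thread. Placeholders: 192.0.2.25 (second IP on the NIC),
# 'Internet Inbound' (new connector name). Run in the Exchange Management Shell.

# 1. Confirm which SMTP-enabled certificate Exchange can offer for STARTTLS and which
#    names it carries. Event 12014 fires when no SMTP-enabled certificate lists the
#    name a connector advertises in its Fqdn property.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# 2. Show each Receive connector's Fqdn and AuthMechanism. A connector whose
#    AuthMechanism includes ExchangeServer (the Default connector, used for
#    server-to-server traffic) must keep Fqdn = server FQDN, NetBIOS name or $null,
#    which is the Set-ReceiveConnector error quoted above.
Get-ReceiveConnector | Format-Table Name, Fqdn, AuthMechanism, Bindings -AutoSize

# 3. The Send connector has no such restriction: point its Fqdn at the certificate
#    name, which should also be the external MX name.
Set-SendConnector -Identity 'Outbound' -Fqdn 'mail.domain.org'

# 4. Separate Internet Receive connector bound only to the second IP address.
#    -Usage Internet configures it for anonymous inbound mail with TLS offered,
#    so it never needs ExchangeServer auth and can advertise the certificate name.
New-ReceiveConnector -Name 'Internet Inbound' -Usage Internet `
    -Bindings '192.0.2.25:25' `
    -RemoteIPRanges '0.0.0.0-255.255.255.255' `
    -Fqdn 'mail.domain.org'

# 5. Make the security posture of the new connector explicit: anonymous senders
#    only, TLS as the sole authentication mechanism (no ExchangeServer auth).
Set-ReceiveConnector -Identity 'Internet Inbound' `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls

# 6. Re-check: the new connector should show the external name, and the Default
#    connector should still carry hp2.cmcfc.org for internal traffic.
Get-ReceiveConnector | Format-Table Name, Fqdn, AuthMechanism, Bindings -AutoSize
```

After the firewall forwards port 25 to the new IP, the banner returned on connect is the new connector's Fqdn, and an EHLO should list STARTTLS; if Event 12014 keeps appearing it names the connector whose Fqdn still has no matching certificate.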
 

Author Comment

by:CMCITD
ID: 35086614
Perfect.  I will look into that option as well.  Thanks!
0
