Exchange 2010 IMAP SSL Certificate Error in a DAG

I run two Windows Server 2008 R2 Exchange servers in a DAG. They are physically located on the same site, so there is no WAN connection between them.
Failover between the two servers works just fine for Outlook / OWA connectivity. HOWEVER, some mobile users connect via IMAP.
I have a UCC, 5-domain Exchange certificate from GoDaddy.com.
IMAP works just fine ONLY on one of the servers. IMAP users can connect and view their email folders; however, we get this error on the other server. Keep in mind, everything else works just fine regardless of which server is active.

Exchange 2010 certificate screenshot

Microsoft Exchange could not find a certificate that contains the domain name vancouver-info-chip.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector icc relay (photocopier, etc) with a FQDN parameter of vancouver-info-chip.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
infochip asked:
Simon Butler (Sembee), Consultant, commented:
Most Exchange servers will now have two SSL certificates on them, the trusted one and the self-signed one. You cannot really operate with a single certificate, because internal names on the SSL certificate are not allowed.

To resolve the error about SMTP and STARTTLS, just run New-ExchangeCertificate from EMS, with no command switches or anything. Exchange will generate a self-signed certificate, which will be fine for SMTP traffic. If you get a question about replacing the default certificate, accept it.

For IMAP, this can be more difficult. I would strongly encourage you to drop it if possible, and have users on Outlook Anywhere or EWS (Mac).
IMAP clients can get funny over the SSL certificate, and for the most compatibility you need to use the Common Name on the SSL certificate as the host name for the clients to connect to. This also means the X.509 address is configured to match.

If the two servers are on the same WAN, I would look at using a load balancer, so that you don't have to think about which server the clients connect to.

Simon.
 
Radweld commented:
You can see from the screenshot above that IMAP is still being secured by the self-signed certificate. If this works on the other node of the cluster, then it's likely the other node has the IMAP service bound to this certificate. You can assign the IMAP service either in the Exchange Management Console or the Shell.

As for secure SMTP, self-signed certificates are used by default to secure communication between transport nodes. If you wish to secure SMTP externally, then remove SMTP from the self-signed certificate, leaving just the third-party cert bound to SMTP.
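The two answers above both come down to checking, per DAG node, which certificate each Exchange service is bound to and making the IMAP service present the name clients connect to. The Exchange Management Shell script below is an added example and is not code from the original thread or from either answerer. It assumes node names EX01 and EX02, an IMAP host name of mail.vancouver-info-chip.com that is one of the names on the GoDaddy UCC certificate, and that the -Server parameter of Get-ExchangeCertificate, Enable-ExchangeCertificate and Set-ImapSettings is available (Exchange 2010 SP1 or later); on older builds, run the per-node part locally on each server instead. The last part covers the STARTTLS error from the question: it checks whether any certificate on the node actually carries the receive connector's FQDN before deciding whether a new self-signed certificate (Simon's suggestion) or binding SMTP to the UCC certificate is the right move.

```powershell
# Added example, not from the original thread.  Run in the Exchange 2010 Management Shell.
# Placeholders (assumptions, replace with your own values):
#   $Nodes        - the two DAG member servers that also host Client Access
#   $ImapHostName - the name IMAP clients connect to; it must be a name on the UCC cert
$Nodes        = 'EX01', 'EX02'
$ImapHostName = 'mail.vancouver-info-chip.com'

# CertificateDomains holds domain objects, not strings; normalise to strings so
# -contains compares names and not object references.
function Get-CertDomainNames($cert) {
    @($cert.CertificateDomains | ForEach-Object { "$_" })
}

foreach ($node in $Nodes) {
    Write-Host "`n=== $node ==="

    # 1. Inventory: every certificate in the node's personal store and the services bound to it.
    #    Compare the two nodes: on the node where IMAP works the UCC cert should list IMAP in
    #    Services; on the failing node only the self-signed cert will (as in the screenshot).
    $certs = Get-ExchangeCertificate -Server $node
    $certs | Sort-Object NotAfter -Descending |
        Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, Subject -AutoSize

    # 2. Pick the trusted (non-self-signed) certificate that carries the IMAP host name.
    #    Note: a literal match is used, so a wildcard cert would not be found this way.
    $ucc = $certs |
        Where-Object { -not $_.IsSelfSigned -and ((Get-CertDomainNames $_) -contains $ImapHostName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $ucc) {
        Write-Warning "$node : no trusted certificate contains $ImapHostName; import the UCC cert (with private key) on this node first"
        continue
    }

    # 3. Bind IMAP (plus POP and IIS) to that certificate.  Adding these services does not
    #    touch the default SMTP certificate, so there is no "replace default cert?" prompt.
    if ("$($ucc.Services)" -notmatch 'IMAP') {
        Enable-ExchangeCertificate -Server $node -Thumbprint $ucc.Thumbprint -Services IMAP, POP, IIS
    }

    # 4. Advertise the same name clients connect to.  X509CertificateName must match a name on
    #    the bound certificate, otherwise IMAP clients report a certificate name mismatch.
    Set-ImapSettings -Server $node -X509CertificateName $ImapHostName

    # 5. The IMAP service reads its certificate binding at start-up, so restart it on that node.
    Get-Service -ComputerName $node -Name MSExchangeIMAP4 | Restart-Service

    # 6. Verify that the bound certificate and the advertised name now agree.
    Get-ImapSettings -Server $node | Format-List Identity, X509CertificateName, SSLBindings
}

# 7. The STARTTLS error from the question.  Transport needs a certificate whose domains include
#    the receive connector's FQDN.  Run this part locally on the node that logs the error.
$connFqdn = "$((Get-ReceiveConnector -Server $env:COMPUTERNAME |
    Where-Object { "$($_.Fqdn)" -eq 'vancouver-info-chip.com' } | Select-Object -First 1).Fqdn)"

$smtpMatch = Get-ExchangeCertificate |
    Where-Object { (Get-CertDomainNames $_) -contains $connFqdn }

if ($smtpMatch | Where-Object { -not $_.IsSelfSigned }) {
    # The UCC cert already carries the connector FQDN: give Transport access to it.
    # Binding SMTP here does not unbind it from the self-signed cert; Transport selects the
    # certificate whose name best matches the connector FQDN at connection time.
    $t = ($smtpMatch | Where-Object { -not $_.IsSelfSigned } | Select-Object -First 1).Thumbprint
    Enable-ExchangeCertificate -Thumbprint $t -Services SMTP
} elseif (-not $smtpMatch) {
    # Nothing carries that FQDN.  Either regenerate the self-signed certificate as suggested
    # above (-Force accepts the "replace default SMTP certificate?" question) and re-check,
    # or point the connector at a name that is on a certificate, e.g.
    #   Set-ReceiveConnector -Identity '<server>\icc relay (photocopier, etc)' -Fqdn $ImapHostName
    New-ExchangeCertificate -Force
    Get-ExchangeCertificate | Where-Object { (Get-CertDomainNames $_) -contains $connFqdn } |
        Format-Table Thumbprint, Services, Subject -AutoSize
}
```

Run step 1 on both nodes before changing anything; the difference in the Services column between the working and failing node is usually the whole diagnosis. After the IMAP restart, test from outside with an IMAP client pointed at the X509CertificateName on port 993 against each node in turn (or via the load balancer, if one is put in front as suggested), since a DAG failover does not move client-access bindings between nodes.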
 
Question has a verified solution.
