Exchange 2010 / SBS 2011 DNS problem? Certificate error in Outlook

Everything was working fine with outlook on the users PCs on the LAN connecting to the SBS 2011 box.

Then we made the following changes and at the end, users are now getting security alerts that the name on the security certificate is invalid or does not match the name of the site.

Not sure what to do.

1) The system was set up to send mail out from the server via DNS on a static IP from a T1 provider. Incoming mail was picked up via the POP3 connector from a spam filtering service.

2) We got a new IP address from Verizon a week ago. It turned out to be on a Microsoft RBL and Microsoft hasn't responded to our emails asking to be delisted.

3) So we set up Exchange to send out via the spam filterer's smart host and changed Exchange to receive mail via SMTP, not the POP3 connector.

And now when opening Outlook on any of the machines on the LAN, we get certificate errors about:
and sometimes

From any of these machines, if we ping those addresses, we get the server's IP.

If we look at the certificate, it says it was issued to (also, pinging from inside the LAN, it gets the server IP address).

Looking at the detail, the Subject is
under Subject Alternative Name,
DNS name =
DNS name =
DNS name = server.domain.local

The last 2 resolve to the server IP.

In Outlook, the settings for the account on each user's machine are the same, except for their user name:

the server is listed as server.domain.local
under the Security tab, encrypt between Outlook and server is checked
and logon network security is set to Negotiate

under Connection, the Outlook Anywhere box is checked and the settings are:
connection settings:

only connect to proxy servers that have the principal name as is checked and the box has:

and authentication is set to Basic.

So again, the things that changed are:
Public IP changed (and the public DNS was changed to reflect that)
Moved away from POP3 to SMTP receive
Moved from DNS sending to smart host sending.

All that was on the server. So what's broken between the server and the desktops that Outlook is complaining : ) ??

I am thinking - we did have problems with the SMTP receive and I deleted / recreated 2 receive connectors..... it asks what it's looking for in the HELO field.

Hmmmm, could that be it? What should I use then? I put in for both
rick81 commented:
Re-create the connectors again, make sure all Exchange services are running. Then send some emails in and out.
Cliff Galiher commented:
This can happen if you don't stick to the SBS wizards and don't set up Exchange properly. There are a few moving parts (all of which the SBS wizards automate).

Exchange Autodiscover URLs *must* match one of the subject names on the certificate. The SBS Internet Address Wizard sets the Exchange URLs properly when it is run, so this default is and the SBS certificate wizard makes sure that name is in the SSL certificate.

DNS must resolve *that* name to the server. The SBS Internet Address Wizard configures split DNS by default.

Note that these can also be configured manually, but they still must all be configured to match to avoid prompts. Based on your description, there is a mismatch where one or more items are configured for exchange, while others are configured for remote, and that is the issue.

The receive connectors do not play a part here but if THEY don't match, other issues could also still arise.

The easiest fix would be to rerun the wizards (after making a backup) and stick with a consistent name. But sometimes too many changes from defaults will cause the wizard to fail, in which case you will need to manually inspect and configure the above settings.
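One way to inspect the three items in that answer (the Autodiscover URLs, the certificate names, and DNS) in a single pass, as an added example that is not from the thread and not an SBS tool: it uses standard Exchange 2010 Management Shell cmdlets and assumes the default single-server SBS 2011 layout, with the certificate bound to IIS being the one Outlook sees.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# SBS 2011 server. It lists every host name Outlook learns via Autodiscover, checks
# whether the IIS certificate covers it, and whether DNS resolves it to this server.
# Assumes the default single-server SBS layout; $server is taken from the local box.

$server = $env:COMPUTERNAME

# Does a certificate name (possibly a one-label wildcard) cover this host name?
function Test-NameCovered([string]$name, [string[]]$certNames) {
    foreach ($cn in $certNames) {
        if ($cn -eq $name) { return $true }
        if ($cn.StartsWith('*.') -and ($name -like $cn) -and
            ($name.Split('.').Count -eq $cn.Split('.').Count)) { return $true }
    }
    return $false
}

# URLs Outlook receives through Autodiscover (internal and external variants).
$urls = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$urls += Get-WebServicesVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OABVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OutlookAnywhere -Server $server | Where-Object { $_.ExternalHostname } |
    ForEach-Object { "https://" + $_.ExternalHostname + "/rpc" }

$hostNames = $urls | Where-Object { $_ } |
    ForEach-Object { ([System.Uri][string]$_).Host.ToLower() } | Sort-Object -Unique

# Names on the certificate that IIS (hence Outlook and Autodiscover) presents.
$cert = Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Addresses of this server, to confirm each name resolves here (split DNS).
$localIps = @([System.Net.Dns]::GetHostAddresses($server) | ForEach-Object { $_.IPAddressToString })

"Certificate subject: $($cert.Subject)"
foreach ($h in $hostNames) {
    $covered = Test-NameCovered $h $certNames
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString })
    } catch { $resolved = @() }
    $here = @($resolved | Where-Object { $localIps -contains $_ }).Count -gt 0
    # Any False in either column is a name that will trigger the "name on the security certificate" prompt.
    "{0,-45} on-cert:{1,-5} resolves-to-this-server:{2}" -f $h, $covered, $here
}
```

Both columns must read True for every name listed; a name such as server.domain.local that resolves but is missing from the certificate, or a public name that resolves to the old IP, is exactly the mismatch the answer describes.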
rick81 commented:
Re-run some of the wizards. Connect to the Internet wizard and Set Up Your Internet Address. The latter should fix the issue with Outlook.

As Cliff mentioned, check your SSL cert matches your remote name. If not, you can change the remote name when you go through setting up the internet address. Clients should auto-update these changes. Click yes to any cert prompts, close Outlook and re-open, reboot the computer if necessary.
BeGentleWithMe-INeedHelp (author) commented:
Not sure if I am breaking things worse... no mail is coming in.

There are supposed to be 2 receive connectors in the EMC, right? One for internal and one for external?

I deleted both and ran the Set Up Your Internet Address wizard thinking it would make the 2 of them. It failed saying it can't configure Exchange for your domain. It says to run Fix My Network.

That also failed.

So I manually created 2 connectors. Still no mail coming in. I ran Set Up Your Internet Address and it failed again. Do I need to restart any Exchange services to get it to start using the new connectors? What services?

Ran the Fix My Network wizard and it says 'exchange smtp connectors are invalid - exchange is not configure to communicate over your local network.'

Let it try to fix the connectors and it says they are fixed.. When I send an email from outside, it goes to their spam filter, but bounces back:

recipient was rejected. STARTTLS proto=TLSv1; cipher=DHE-RSA-AES256-SHA.
Remote host said: 550 (result of an earlier callout reused).

Know what that means?
rick81 commented:
First off, double check those receive connectors are ok. The two links below should help.

Looking at an SBS 2008 machine, mine has 3 connectors:

1. Default - servername
2. Windows SBS Fax Sharepoint Receive - server name (this is probably due to the premium SBS add-on)
3. Windows SBS Internet Receive - server name
BeGentleWithMe-INeedHelp (author) commented:
Trying lots of things mentioned above - try different URLs, run wizards... repeatedly, reboot, repeat... So not sure if restarting 1 or more of the Exchange services after each change would have made a difference, but did a bunch of things, then rebooted, so who knows what was the solution : (

I can see how moving mail to the cloud and letting others worry about the nuances of the server is popular.