Phasing out Intranet Names and IP Addresses in SSLs

My client is running Exchange 2010. A couple of weeks ago we started receiving the following email rejection messages:
"Recipient address rejected: Message rejected due to: SPF fail - not authorized"

After doing some investigating I found the FQDN on our send connector did not match what was on our MX record and this was causing the problem. So, I changed the send connector to match our MX record and the above error was resolved, but the following error is now showing up on our Exchange server:

Event Id:12041
Source: MSExchangetransport
Microsoft Exchange could not find a certificate that contains the domain name mail.xxx-logistics.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Internet Send connector with a FQDN parameter of mail.xxx-logistics.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

So I contacted GoDaddy to add the domain name into the certificate. We have two certificates, neither contains mail.xxx-logistics.com. But one of the certificates contains HQ06SV.mlg.us, which is the FQDN of our Exchange server. This is when I was informed that intranet names and IP addresses in SSL will no longer work after Nov. 1, 2015.

So I'm very confused at how to proceed.
When I add mail.xxx-logistics to our certificate the Exchange error above should go away. But my FQDN, which is on both of the Exchange receive connectors (Client and Default), is still HQ06SV.mlg.us. I cannot change the FQDN on either of these receive connectors.

GoDaddy stated I need to reconfigure Microsoft Exchange Server to use a fully qualified domain name.

Can anyone help clarify how to handle this FQDN in Exchange and in our certificates?

This is hard to explain; I hope it makes sense.
mlghelp asked:

Simon Butler (Sembee), Consultant, commented:
Receive Connectors do not matter.
You need to leave those with the internal name. A self signed certificate will work for those.
For everything else, I would switch to mail.example.com, set it as the common name on the certificate. Configure a split DNS so that it resolves internally as well, then reconfigure Exchange to use that name.
http://semb.ee/hostnames2010

Add autodiscover.example.com onto the certificate as well for everything to work correctly. Job done.

Simon.
mlghelp (Author) commented:
Turns out our send connector was blank. When blank, Exchange builds its own connector string using the machine name. The string created using the machine name did not match the MX record we had out on our external DNS. Therefore, since the two did not match, our emails were suddenly being kicked out due to the mismatch.

I added the MX record domain name into the Send connector FQDN ("Specify the FQDN this connector will provide in response to HELO or EHLO"). This resolved the problem.
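The two points made above (Sembee's: put the public name on the certificate and leave receive connectors on the internal name; the author's: the send connector FQDN must match the MX record) can be checked together from the Exchange Management Shell. The script below is an added example written for this thread; it is not code from the original posts, from Sembee's article, or from Microsoft. It assumes `example.com` as a placeholder for the public mail domain, the connector name `Internet Send connector` quoted in the event text, and that `Resolve-DnsName` is available (DnsClient module, Windows Server 2012 or later; on Server 2008 R2 substitute `nslookup -type=mx example.com` for that step). It only reads configuration; the one change it shows, `Set-SendConnector`, runs with `-WhatIf` so nothing is applied until you remove that switch.

```powershell
# Added example for this thread, not code from the original posts, Sembee or Microsoft.
# Run in the Exchange Management Shell as an Exchange administrator.
# Assumptions: 'example.com' is a placeholder for the public mail domain;
# Resolve-DnsName needs the DnsClient module (Server 2012+). On Server 2008 R2
# replace step 1 with the output of: nslookup -type=mx example.com

$Domain        = 'example.com'               # placeholder, replace with your domain
$ConnectorName = 'Internet Send connector'   # connector name quoted in event 12041

# True when $Name is listed on the certificate directly or via a one-level wildcard
# (mail.example.com is covered by *.example.com).
function Test-NameCoveredByCert {
    param([string]$Name, [string[]]$CertNames)
    $dot  = $Name.IndexOf('.')
    $wild = if ($dot -ge 0) { '*' + $Name.Substring($dot) } else { $Name }
    foreach ($c in $CertNames) {
        if ($c -ieq $Name -or $c -ieq $wild) { return $true }
    }
    return $false
}

# 1. The name the outside world expects: target host(s) of the MX record, best first.
$mx = Resolve-DnsName -Name $Domain -Type MX |
      Where-Object { $_.Type -eq 'MX' } |
      Sort-Object Preference
$mxHosts = @($mx | ForEach-Object { $_.NameExchange.TrimEnd('.') })
if ($mxHosts.Count -eq 0) { throw "No MX record found for $Domain" }
Write-Host "MX target(s) for $Domain : $($mxHosts -join ', ')"

# 2. The name the send connector announces in HELO/EHLO. Blank means the server's
#    own FQDN (the internal machine name) is sent, which is what failed SPF here.
$connector = Get-SendConnector -Identity $ConnectorName
$announced = if ($connector.Fqdn) { $connector.Fqdn.ToString() } else { '' }
if ($announced) { Write-Host "Send connector FQDN: $announced" }
else            { Write-Host "Send connector FQDN: <blank, machine FQDN is used>" }

if (-not $announced -or $mxHosts -notcontains $announced) {
    Write-Warning "Send connector FQDN does not match the MX target $($mxHosts[0])."
    # The fix the author applied; -WhatIf previews it, drop -WhatIf to apply.
    Set-SendConnector -Identity $ConnectorName -Fqdn $mxHosts[0] -WhatIf
}

# 3. Is an SMTP-enabled certificate present that covers the public name? Without one,
#    STARTTLS on the connector fails with event 12041 as quoted in the question.
$publicName = if ($announced) { $announced } else { $mxHosts[0] }
$covering = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Where-Object {
        $names = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
        Test-NameCoveredByCert -Name $publicName -CertNames $names
    })
if ($covering.Count -eq 0) {
    Write-Warning "No SMTP-enabled certificate contains $publicName."
    Write-Host    "Request a certificate with $publicName and autodiscover.$Domain as SANs, install it, then run:"
    Write-Host    "  Enable-ExchangeCertificate -Thumbprint <new-certificate-thumbprint> -Services SMTP"
} else {
    Write-Host "Certificate covering ${publicName}: thumbprint $($covering[0].Thumbprint)"
}

# 4. Receive connectors may keep the internal machine name (Sembee's point); list them
#    so the internal FQDNs there are not mistaken for something that must change.
Get-ReceiveConnector | Select-Object Identity, Fqdn | Format-Table -AutoSize
```

Step 2 reproduces the author's diagnosis (blank FQDN versus MX target) and step 3 reproduces the condition behind event 12041; if step 3 warns, the certificate request is the remaining work, and the receive connectors listed in step 4 can stay on the internal name with a self-signed certificate as Sembee describes.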

Seth Simmons, Sr. Systems Administrator, commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.