I'm relaying inbound mail from salesforce.com to internal recipients on an on-prem Exchange 2010 server. On Feb 18, 2018, we renewed a self-signed cert with the IIS service assigned to it, and that's it. The validity date was pushed forward, so I was good to go.
However, the email log from Salesforce began generating an error, which indicates this error began the morning of Feb 16, sometime after the cert was renewed on 02/15:
451 4.7.6 [internal] STARTTLS required but not advertised
This is a SHA-1 cert, so I thought perhaps ciphers were the problem. I inserted a SHA-2 cert generated from the command line and bound it to the * 443 interface in IIS, and found no change.
TLS is offered on all receive connectors. A GoDaddy cert is bound to SMTP/POP/IMAP. The error causes the mail not to be received. Changing to TLS "preferred" instead of "required" on the Salesforce side results in mail flowing, but unencrypted messages are not an option.
Any ideas? I've checked the cert and the connector, and Salesforce tech support seems stumped. I still think there is something to the cert.
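A quick way to see what the receiving side actually advertises, as an added example that is not part of the original post: the parser below reads a raw EHLO reply (pasted from a telnet or packet capture session) and reports whether STARTTLS is offered, and the live probe does the same against a host and then attempts the TLS handshake with a verifying context. The hostname, IP and sample EHLO replies are constructed placeholders.

```python
import smtplib
import ssl


def parse_ehlo_extensions(raw_reply: str) -> set:
    """Extract extension keywords from a raw EHLO reply as seen on the wire.
    The first 250 line is the server greeting and is skipped; continuation
    lines look like '250-STARTTLS' or '250 CHUNKING' (last line)."""
    extensions = set()
    lines = [ln.strip() for ln in raw_reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if len(line) < 5 or not line.startswith("250"):
            continue
        keyword = line[4:].split()[0].upper()  # drop "250-" / "250 " prefix
        extensions.add(keyword)
    return extensions


def starttls_advertised(raw_reply: str) -> bool:
    """True only when STARTTLS appears as its own EHLO extension line."""
    return "STARTTLS" in parse_ehlo_extensions(raw_reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: EHLO the server, record whether STARTTLS is offered and,
    if it is, whether a certificate-verifying TLS handshake succeeds.
    A self-signed or wrong-name cert shows up here as an SSL error."""
    report = {"advertised": False, "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo("probe.example")  # placeholder client hostname
            report["advertised"] = smtp.has_extn("starttls")
            if report["advertised"]:
                smtp.starttls(context=ssl.create_default_context())
                report["tls_version"] = smtp.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


# Constructed sample replies in the shape an Exchange 2010 receive connector
# returns on port 25; the hostname and IP are placeholders.
EHLO_WITH_STARTTLS = (
    "250-mail.example.local Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n250-PIPELINING\r\n250-STARTTLS\r\n"
    "250-AUTH NTLM LOGIN\r\n250 CHUNKING\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.local Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n250 CHUNKING\r\n"
)

if __name__ == "__main__":
    print("sample advertises STARTTLS:", starttls_advertised(EHLO_WITH_STARTTLS))
    print(probe_starttls("mail.example.local"))  # placeholder host
```

If the live probe reports `advertised: False` while the connector has TLS enabled, the connector is not presenting a usable certificate for STARTTLS; if it reports an SSL error instead, the extension is there but the certificate the connector presents fails verification.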