Cannot set a default SMTP server certificate on Exchange Server 2013

exchange-2013smtpssl-certificate

I've an Exchange 2013 Server with two wildcard certificates, one for matching the internal AD zone and the other one with the public domain.

The certificates are defined with those names:

*.example.com
*.local.example.com

When I try to connect through the Submission port (587) the presented certificate is the one of the zone *.local.example.com which ends complaining about the hostname mismatch of the service.

IMAP service works as expected with the correct *.example.com certificate, but SMTP don't.

Already tried things like Enable-ExchangeCertificate on Powershell to remove the SMTP service from the certificate, but it does not work.

Best Answer

Don't try and force which certificate is used. You can have multiple certificates enabled for SMTP, so set them all to be enabled for that service. The actual certificate is then set by the FQDN on the Receive Connector. Don't change the FQDN value on the Default Connector, as that will cause problems.

Related Solutions

Exchange 2010 Transport Certificate , Event ID 12014

You can expand any of the sections (doesn't matter) under the "Exchange Configuration" page of the new certificate wizard and just type in mail.mydomainhere.com, and hit next. The wizard is just trying to help make sure you've covered all of your bases, and helps you build a list of names if you're applying for a Unified Communications/SAN certificate.

The "Certificate Domains" page will list all of the names you are putting on the certificate. Since you are only applying for a single name, this should only show the name you entered on the previous page. Again, it doesn't matter which section you put the name under.

Fill out the rest of your organization info and the wizard will generate your CSR.

I generally recommend getting a UC cert that contains all of the names you need or will need for Exchange, so that you can assign one certificate to all services:

mail.domain.com (client access and transport TLS)
autodiscover.domain.com

You can handle autodiscover for any additional domains by using SRV records that point to autodiscover.domain.com.

Exchange 2013 Client Frontend connector will not accept TLS

First check whether the Tls AuthMechanism is enabled on the connector:

Get-ReceiveConnector -Identity "SERVER\Default Frontend SERVER" | Format-List

If this is not the case, enable it:

Set-ReceiveConnector -Identity "SERVER\Default Frontend SERVER" -AuthMechanism "None,Tls"

Then also make sure that you have a certificate for the Smtp service registered:

Get-ExchangeCertificate | Format-List

Finally verify everything: http://www.checktls.com/index.html

Best Answer

Related Solutions

Exchange 2010 Transport Certificate , Event ID 12014

Exchange 2013 Client Frontend connector will not accept TLS

Related Topic