Ssl – Exchange TLS Receive Connector Cert


We are using Securence incoming filtering in front of our Exchange 2010 server. It's basically a spam filter. I'm trying to get TLS communication between Securence and our server on incoming connections. We have a signed cert from GoDaddy installed on the Exchange server and assigned to SMTP. I also have the FQDN of the SSL cert assigned to my receive connector. However, the Securence mail logs state:

"failed TLS negotiation: Cannot accept self-signed certificate"

There are two other self-signed certs on the Exchange server. They have no remove option so I assume they are required by Exchange, is that correct? Assuming they are, I get the impression from the error that Securence provides that they are seeing these certs instead of our signed one from GoDaddy. The only reason that I can think of for this would be that the signed cert does not have the internal name of our Exchange server on it. Do you think that would cause this problem? Or do you think there's something else I'm missing?


I was able to remove the self-signed certs with this command:

Get-ExchangeCertificate | ?{$_.IsSelfSigned -eq $true} | Remove-ExchangeCertificate -Confirm:$false

Unfortunately I still get the error mentioned above. There are no self-signed certificates on the server. The only issue I can see is that my cert doesn't have the internal DNS name (server.domain.local) listed as a Subject Alternate. I will continue to troubleshoot with the filtering company, maybe something is wrong on their end…

Best Answer

Exchange creates self-signed certs when you first install it. They may still be being used.

  • Open Exchange Management Console
  • Go to Microsoft Exchange On-Premises → Server Configuration
  • In the bottom pane, right click the Godaddy certificate → Assign Services to Certificate

Make sure all the services are checked to use the GoDaddy certificate, then right click the old certificates and click remove. If they're no longer being used for anything, it will let you remove them.

It's possible you have different receive connectors set up for internal vs external connections, and that's why your spam filter sees a different certificate than outside connections do.
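The check behind that last point can be scripted instead of clicked through. The following is an added example written for this page, not code from the thread or from Microsoft: it lists every receive connector on the server and reports which SMTP-enabled certificate, if any, carries a name matching that connector's FQDN. It assumes it is run from the Exchange Management Shell (so Get-ReceiveConnector and Get-ExchangeCertificate are available), and it assumes the Exchange 2010 behaviour that the TLS certificate offered on a receive connector is the SMTP-enabled certificate whose names match the connector's Fqdn; the helper and its status labels are this example's own.

```powershell
# Added diagnostic (not from the original thread). Assumes the Exchange Management Shell
# is loaded and that the receive connector's TLS cert is chosen by matching the connector
# FQDN against the names on SMTP-enabled certificates (assumed Exchange 2010 behaviour).

function Test-NameMatchesCertDomain {
    # Returns $true when a certificate name covers the connector FQDN.
    # PowerShell string comparison with -eq is case-insensitive, which suits DNS names.
    param([string]$Fqdn, [string]$CertDomain)

    if ($CertDomain -eq $Fqdn) { return $true }

    # A wildcard entry such as *.example.com covers exactly one label to the left.
    if ($CertDomain.StartsWith('*.')) {
        $suffix   = $CertDomain.Substring(1)        # ".example.com"
        $labelEnd = $Fqdn.IndexOf('.')
        return ($labelEnd -gt 0) -and ($Fqdn.Substring($labelEnd) -eq $suffix)
    }
    return $false
}

# Only certificates with the SMTP service enabled are candidates for a receive connector.
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }

foreach ($rc in Get-ReceiveConnector) {
    $fqdn = [string]$rc.Fqdn
    $matching = @()

    foreach ($cert in $smtpCerts) {
        foreach ($name in $cert.CertificateDomains) {
            if (Test-NameMatchesCertDomain -Fqdn $fqdn -CertDomain ([string]$name)) {
                $matching += $cert
                break
            }
        }
    }

    # Prefer a CA-signed match; a self-signed match is what produces the
    # "Cannot accept self-signed certificate" failure at the sending side.
    $caSigned = $matching | Where-Object { -not $_.IsSelfSigned }
    if ($caSigned) {
        $status = 'OK: CA-signed cert matches connector FQDN'
        $chosen = $caSigned | Select-Object -First 1
    } elseif ($matching) {
        $status = 'WARN: only a self-signed cert matches connector FQDN'
        $chosen = $matching | Select-Object -First 1
    } else {
        $status = 'WARN: no SMTP-enabled cert carries this FQDN'
        $chosen = $null
    }

    # New-Object PSObject keeps this usable on the PowerShell 2.0 shipped with Exchange 2010.
    New-Object PSObject -Property @{
        Connector      = $rc.Identity
        Fqdn           = $fqdn
        Bindings       = ($rc.Bindings | ForEach-Object { [string]$_ }) -join ', '
        RemoteIPRanges = ($rc.RemoteIPRanges | ForEach-Object { [string]$_ }) -join ', '
        CertThumbprint = if ($chosen) { $chosen.Thumbprint } else { '' }
        CertIssuer     = if ($chosen) { $chosen.Issuer } else { '' }
        CertSelfSigned = if ($chosen) { $chosen.IsSelfSigned } else { '' }
        Status         = $status
    }
}
```

Run it and look at the row for the connector whose RemoteIPRanges covers the filtering service's addresses: that is the certificate the filter is being shown. If its Status is a warning, the fix is to make the CA-signed certificate's names and the connector agree, either by enabling SMTP on that certificate (Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP) or by pointing the connector at a name the certificate actually carries (Set-ReceiveConnector -Identity <connector> -Fqdn <name on cert>). An internal-only name such as server.domain.local that is absent from the public certificate will show up here as a connector with no CA-signed match.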