DrageirArmanre-9072 asked

Exchange 2013 bounce incoming email after certificate renewal

Hi everyone.

First of all, I'm not skilled with Exchange; I inherited it from the previous technician.

Recently I renewed my domain certificate with Let's Encrypt. I did it the same way as always:

1) renew from Let's Encrypt's app.

2) go to IIS, remove the 443 binding from Exchange Back End.

3) Restart IIS.

But this time the server doesn't receive mail. When I do a test with Gmail it gets through, but I get complaints from my boss that he doesn't receive specific mail. I've added those emails to the whitelist but it doesn't seem to work.

When I do a "Get-MessageTrackingLog", I get a huge amount of Fail SMTP emails, but I don't know how to continue.

Thank you for your time.


Hi @DrageirArmanre-9072

Any update about your issue?


Hi @DrageirArmanre-9072

Do suggestions below help?


1 Answer

joyceshen-MSFT answered

Hi @DrageirArmanre-9072

According to your information above, your organization failed to receive messages after renewing the certificate. Did you get any error information when accessing Outlook, OWA or ECP after that?

Could you please provide the complete message tracking log you received for troubleshooting? (Note: erase personal information.)

We could first use the ExRCA Tool to help us check the Inbound SMTP Email for our organization.
44196-qa-2020-12-02-10-50-26.png

In addition, please also check the configuration of the certificates with command below (note to erase personal information):

 Get-ExchangeCertificate -Thumbprint XXXXXXXX | Format-List


Greetings @joyceshen-MSFT.



When accessing Outlook it pops up the message "the security certificate has expired or is not valid". That's strange because the certificate is indeed renewed when I enter the Exchange server. Maybe it is not correctly linked to the service? Not a problem accessing OWA or ECP, though.

I used the ExRCA Tool and it says the email is ok.

44391-sin-titulo.png


Thank you for your time.



Doing a Get-ExchangeCertificate | Format-List FriendlyName,Subject,CertificateDomains,thumbprint,services shows that the Certificate is linked to IMAP, POP, IIS and SMTP services.

44118-sin-titulo2.png



Update:
Many of my clients are getting 550 5.7.1 Sender ID (PRA) Not Permitted, so it could be a SenderID problem. I added the domains to ContentFilterConfig and SenderIdConfig, but it doesn't work. Also it's weird that SenderId stopped working when I renewed my certificate but it was fine before that.

I can receive emails from Microsoft, Gmail, Apple, Lenovo, Mxtoolbox... but none of my clients can contact me. I'm not in any Blacklist, yet.

Here are the bindings of my Exchange Backend:
44475-exch3.png



Hi @DrageirArmanre-9072

Generally we include all the SANs in one certificate like mail.domain.com, autodiscover.domain.com, domain.com ...

Then we assign services to this one certificate, the services introduction here: Certificate requirements for Exchange services

So I would suggest you apply for a new certificate which includes all the SANs in your environment, then assign the IIS, IMAP, POP and SMTP services to this certificate, just like below

44637-qa-2020-12-03-16-37-20.png


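The check suggested in this thread (one certificate covering every SAN, with the IIS, IMAP, POP and SMTP services assigned) can be scripted. The PowerShell below is an added example, not part of the original thread or any Microsoft tooling; the function name `Test-ExchangeCertCoverage` and the sample object are hypothetical, and it assumes `CertificateDomains` and `Services` convert to strings the way `Format-List` displays them.

```powershell
# Added example: report which required names or services an Exchange certificate lacks.
function Test-ExchangeCertCoverage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Certificate,
        [Parameter(Mandatory)] [string[]] $RequiredName,
        [string[]] $RequiredService = @('IIS', 'IMAP', 'POP', 'SMTP'),
        [datetime] $Now = (Get-Date)
    )
    process {
        # Assumption: each entry stringifies to the host name, Services to "IMAP, POP, IIS, SMTP".
        $sans     = @($Certificate.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() })
        $assigned = @("$($Certificate.Services)" -split '\s*,\s*' | Where-Object { $_ })

        # A name is covered by an exact SAN, or by a wildcard SAN exactly one label above it.
        $missingNames = @($RequiredName | Where-Object {
            $name   = $_.ToLowerInvariant()
            $parent = '*.' + ($name -split '\.', 2)[1]
            ($sans -notcontains $name) -and ($sans -notcontains $parent)
        })
        $missingServices = @($RequiredService | Where-Object { $assigned -notcontains $_ })
        $expired = $Certificate.NotAfter -lt $Now

        [pscustomobject]@{
            Thumbprint      = $Certificate.Thumbprint
            Expired         = $expired
            MissingNames    = $missingNames
            MissingServices = $missingServices
            Ok              = (-not $expired) -and ($missingNames.Count -eq 0) -and
                              ($missingServices.Count -eq 0)
        }
    }
}

# Constructed sample shaped like Get-ExchangeCertificate output (not data from the thread).
$sample = [pscustomobject]@{
    Thumbprint         = 'PLACEHOLDER-THUMBPRINT'
    CertificateDomains = @('mail.domain.com')
    Services           = 'IMAP, POP, IIS, SMTP'
    NotAfter           = (Get-Date).AddDays(60)
}
$sample | Test-ExchangeCertCoverage -RequiredName 'mail.domain.com', 'autodiscover.domain.com', 'domain.com'

# On the Exchange server, in the Exchange Management Shell:
# Get-ExchangeCertificate | Test-ExchangeCertCoverage -RequiredName 'mail.domain.com', 'autodiscover.domain.com'
```

A certificate that reports all four services but a non-empty `MissingNames` is bound correctly yet will still trigger name-mismatch warnings in clients that connect by one of the uncovered host names.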