Wrong SMTP certificate on Exchange Server 2016

DavideZampatori-0286 asked · 0 Votes

Hello,

I've installed a brand new Exchange 2016 server and my company has been running on it straight and clean for a month or so, but last week a user asked me why the SMTP certificate gives an error. Looking at the error, the certificate that the user gets is the built-in SMTP certificate of the installation and not the one from the public CA.

I've reassigned the SMTP service via EAC and in ECP; nothing works.

The question is... is there some way to unassign the SMTP service from the built-in certificate?

Many Thanks

office-exchange-server-administration

Hi @DavideZampatori-0286,
How is the issue now? If it has been resolved, please click "Accept as answer" to mark the helpful reply as an answer to close the thread. Your action would be helpful to other users who encounter the same issue and read this thread.

0 Votes

ManuPhilip answered · 0 Votes

Hello,

When you install Microsoft Exchange Server, it creates a self-signed certificate with a validity period of 5 years. This certificate is assigned as the initial default SMTP certificate. This certificate is used for the mutual TLS connections between the Microsoft Exchange servers within an Exchange organization. This certificate is also presented to external mail systems when mutual TLS is required.
Normally, these certificates won't impact the normal working of SMTP functionality. But if, for any reason, you need to unassign the SMTP service, please follow these steps:
1. Run Get-ExchangeCertificate and find the thumbprint of the certificate of interest.
2. Run Disable-ExchangeCertificate -Thumbprint xxxxxx -Service SMTP, substituting the thumbprint from the first step.

Please mark as "Accept the answer" if the answer helps you. Your suggestion will help others also!

Regards,
Manu


The cmdlet doesn't exist in an Exchange 2016 environment.

0 Votes

AndyDavid answered · 1 Vote

You can't unless you remove the cert. Do not remove the built-in cert, however. The Exchange transport will pick the certificate that "fits" best, based on whether it's a third-party certificate, the expiration date, and whether a subject name on the certificate matches what is set for the FQDN on the connector used.

Having said all that, I don't quite understand your scenario. What exactly is this user doing when the error is surfaced and the built-in SMTP cert is being used?


In Mail flow → Send Connectors → Scope → FQDN there is the same name as on the public certificate.

0 Votes

LucasLiu-MSFT answered · 0 Votes

Hi,
Did this user do anything before this issue occurred?
Based on my knowledge, after Exchange is installed, three self-signed certificates are automatically generated, among which the Microsoft Exchange self-signed certificate is used to encrypt network traffic between Exchange servers and services.
For more information: Certificates in Exchange

Once we enable a service for the certificate, we cannot disable it. We could only import a new certificate, assign the service to it, and then delete the old certificate. Considering that deleting a self-signed certificate may cause other effects, it is recommended that you run the following command line to export the certificate after confirming that the service has been enabled on the new certificate. Then please run IISReset in a CMD started as administrator and see if the issue is solved.

 Export-ExchangeCertificate -Thumbprint <> -Server <> -FileName "<>"

For more information: Export-ExchangeCertificate

AndyDavid answered · 0 Votes

Hi @DavideZampatori-0286,
I'm still not understanding the scenario when this issue happens. Can you break it down for me and describe the exact steps when it occurs and what the end user is doing? Client, process, etc.
Users should never see the cert set on the send connector. They might see a cert set on a receive connector if the client they are using is sending via SMTP (POP/IMAP, an app using Exchange, etc.)

"but last week a user asked me why the SMPT certificate gives an error."

LucasLiu-MSFT answered · 0 Votes

Hi,
I agree with Andy.
Did you try to assign the SMTP service to the new certificate and export the Microsoft Exchange self-signed certificate?
Could you share the specific error information with us? Please note that you should hide your private information.

DavideZampatori-0286 answered · 0 Votes

Hi, I've tried to delete the certificate after backing up the VM that runs Exchange.
Deleting it causes the server to go nuts... nothing works, and even if I assign the SMTP service to the public certificate the service still expects the built-in certificate.

The user is using Thunderbird configured for IMAP.
When looking at the STARTTLS certificate used, it is the built-in one: I get CN="SERVERNAME" and not the public one.
I've tried enabling both via EAC and ECP.

There is no more breaking down... Simply, the server keeps using the built-in one even if I've associated the SMTP service with the correct certificate.

AndyDavid answered · 0 Votes

Yikes. Ok, as I mentioned, do not delete that certificate.
Can you list all the Exchange certificates with Get-ExchangeCertificate | FL?
Remove any personal information.

What is set for the FQDN on the "Client Frontend <ServerName>" receive connector? That should match a subject name on the certificate enabled for SMTP.
The IMAP clients should be using port 587 to submit messages, and they use that connector.
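
Andy's point that IMAP clients submit on port 587 through the Client Frontend connector suggests a direct check of the symptom described in this thread: connect to 587 as a mail client would, issue STARTTLS, and look at the certificate the server actually presents. The PowerShell below is an added example, not code posted in the thread or published by Microsoft; the host name mail.example.com, the port and the EHLO name are placeholders. It deliberately accepts any certificate during the handshake because the goal is to inspect what is presented, not to trust it.

```powershell
# Added example: probe the SMTP submission endpoint and report the STARTTLS certificate.
# $SmtpHost is a placeholder; replace it with the FQDN your mail clients connect to.
param(
    [string]$SmtpHost = "mail.example.com",
    [int]$Port = 587
)

function Read-SmtpReply {
    # Reads one SMTP reply. Multi-line replies use "250-" continuation lines and
    # end with "250 " (a space after the code). Returns every line of the reply.
    param([System.IO.StreamReader]$Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw "Connection closed by $SmtpHost" }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

$tcp = New-Object System.Net.Sockets.TcpClient($SmtpHost, $Port)
try {
    $net    = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($net)
    $writer = New-Object System.IO.StreamWriter($net)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    $banner = Read-SmtpReply $reader
    if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner[-1])" }

    $writer.WriteLine("EHLO probe.invalid")          # placeholder client name
    $ehlo = Read-SmtpReply $reader
    if (@($ehlo -match '^250[- ]STARTTLS').Count -eq 0) {
        throw "Server does not advertise STARTTLS on port $Port"
    }

    $writer.WriteLine("STARTTLS")
    $reply = Read-SmtpReply $reader
    if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }

    # Accept whatever is presented: this probe inspects the certificate, it does not trust it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $acceptAll)
    $ssl.AuthenticateAsClient($SmtpHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Collect the names the certificate is valid for: SAN DNS entries plus the subject CN.
    $names  = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format($false) yields e.g. "DNS Name=mail.example.com, DNS Name=autodiscover.example.com"
        $names += ($sanExt.Format($false) -split ',\s*|\r?\n') |
                  ForEach-Object { ($_ -split '=', 2)[-1].Trim() } |
                  Where-Object { $_ }
    }
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }

    # A self-signed cert whose only name is the server's NetBIOS/host name is exactly
    # the "CN=SERVERNAME instead of the public cert" symptom described in the thread.
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        Names       = (($names | Sort-Object -Unique) -join ', ')
        MatchesHost = [bool]($names | Where-Object { $SmtpHost -like $_ })   # -like handles "*.example.com" loosely
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

Run it from any workstation that can reach port 587. If SelfSigned is True and MatchesHost is False while Get-ExchangeCertificate shows the public certificate enabled for SMTP, the connector is still selecting the built-in certificate, which is the state the rest of this thread is about.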

@AD-7937 sorry for the late answer.
Here is the output from the command Get-ExchangeCertificate.

[image: output of Get-ExchangeCertificate]

The first is the public certificate (you can see the mail and autodiscover names); the FQDN on the receive connector is the same as written here.
The 2nd and 3rd are the built-in ones, and I see the 2nd used for SMTP, so the STARTTLS is not recognized.

0 Votes

LucasLiu-MSFT answered · 0 Votes

Hi,
If exporting the certificate causes the server to fail, please run the following command line to create a new self-signed certificate.
New-ExchangeCertificate -FriendlyName "Microsoft Exchange" -SubjectName <> -DomainName <> -Services <>
For more information: Create a new Exchange Server self-signed certificate
What is the error given by the SMTP certificate?


That wouldn't apply if he deleted the cert.

0 Votes

LucasLiu-MSFT answered · 0 Votes

Hi,
Please follow the steps below to bind the specific certificate to the receive connector and see if the issue is resolved.
1. Please run the following command to get information about your certificate:
Get-ExchangeCertificate
2. Please run the following command to capture the certificate as a variable.
$cert = Get-ExchangeCertificate -Thumbprint <>
3. In order to configure the certificate on the receive connector, please run the following command to create a special string that contains the issuer and the subject of the certificate:
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
4. Please run the following command to configure the receive connector:
Set-ReceiveConnector "<>" -TlsCertificateName $tlscertificatename
For more information you could refer to: Configuring the TLS Certificate Name for Exchange Server Receive Connectors and Configuring a Certificate on Exchange Receive Connector
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

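
Lucas's four steps, gathered into one Exchange Management Shell script that also checks, before binding, that the connector FQDN is actually one of the names on the chosen certificate (Andy's point earlier in the thread), and verifies the binding afterwards. This is an added example, not code from the thread or from Microsoft. The thumbprint is a placeholder to fill from Get-ExchangeCertificate; the server name EXCHANGE-16 is taken from the thread and the connector name follows the default "Client Frontend <ServerName>" pattern, so adjust both to your environment.

```powershell
# Added example: pin the public certificate to the Client Frontend receive connector
# and verify the result. Placeholders: $Thumbprint, $Server, $Connector.
$Thumbprint = "<THUMBPRINT-FROM-Get-ExchangeCertificate>"
$Server     = "EXCHANGE-16"
$Connector  = "$Server\Client Frontend $Server"

function Test-NameCovers {
    # True if a certificate name (possibly a wildcard such as "*.example.com")
    # covers the connector FQDN. A wildcard covers exactly one label.
    param([string]$CertName, [string]$Fqdn)
    if ($CertName.StartsWith("*.")) {
        $suffix = $CertName.Substring(1)                       # ".example.com"
        if (-not $Fqdn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
        $prefix = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
        return ($prefix.Length -gt 0 -and -not $prefix.Contains('.'))
    }
    return ($CertName -ieq $Fqdn)
}

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -Server $Server
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Certificate $Thumbprint is self-signed; external clients will not trust it."
}

# The transport only presents this certificate for the connector if the connector
# FQDN is among the certificate's names, so check that first.
$rc   = Get-ReceiveConnector -Identity $Connector
$fqdn = "$($rc.Fqdn)"
$covered = @($cert.CertificateDomains | Where-Object { Test-NameCovers $_ $fqdn }).Count -gt 0
if (-not $covered) {
    throw "Connector FQDN '$fqdn' is not among the certificate names: $($cert.CertificateDomains -join ', ')"
}

# Make sure SMTP is among the enabled services. -Force suppresses the prompt about
# replacing the default SMTP certificate.
if ("$($cert.Services)" -notmatch 'SMTP') {
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Server $Server -Services SMTP -Force
}

# TlsCertificateName takes the form "<I>issuer<S>subject", built from the certificate itself.
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Set-ReceiveConnector -Identity $Connector -TlsCertificateName $tlsName

# Verify: the stored value must equal the string we built.
$after = Get-ReceiveConnector -Identity $Connector
if ("$($after.TlsCertificateName)" -ne $tlsName) {
    throw "TlsCertificateName was not applied to $Connector"
}
"Bound $($cert.Thumbprint) ($($cert.Subject)) to $Connector; FQDN $fqdn is covered."
```

If the FQDN check fails, fix the connector FQDN (or get a certificate that includes that name) before binding; pinning a certificate whose names do not cover the connector FQDN is what produces the "still get subject=CN = EXCHANGE-16" outcome reported below. The later tip in this thread, Set-ReceiveConnector ... -TlsCertificateName $null, clears the binding again if you need to start over.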

Done that already... still get subject=CN = EXCHANGE-16

Nothing changes

0 Votes

Hi,
Do you still receive the same error after binding a specific certificate to the receive connector?
Please try to create a new receive connector with the same configuration as the problem receive connector, and bind the specified certificate again to see if the problem is solved.

0 Votes

Hi @DavideZampatori-0286,
Will the issue still occur after rebuilding the receive connector? If there is no issue, please click "Accept as answer" to mark the helpful reply as an answer to close the thread. Your action would be helpful to other users who encounter the same issue and read this thread.
Thanks for your understanding.

0 Votes

Sorry for the late answer... I was away for the past week.

I don't know if I can create a new receive connector; the server is live atm, since we discovered the issue after we put it online.
Is there a way to create a new receive connector without disabling the functionality of the server and then switch to it?

0 Votes

Hi,
Is your Exchange a hybrid environment?
Can you provide specific error information? Please note that you should hide your private information.
Please try to run the following command to clear the certificate bound to the receive connector, and then bind it again in the above way to see if the binding can be successful.

Set-ReceiveConnector -Identity <> -TlsCertificateName $null

0 Votes

Hi DavideZampatori,
I am writing to check if the provided information is helpful. Please let me know if you need further assistance.

If the response is helpful, please click "Accept Answer" and upvote it.

0 Votes