LuisCoca asked YukiSun-MSFT commented

Cert Hostname DOES NOT VERIFY, Let's Encrypt certificate, Exchange 2016 CU21.

Practicing with certificates: the Let's Encrypt certificate is created normally with win-acme, and OWA, IMAP and Autodiscover work with SSL.

Testing with CheckTLS gives me an alert message:

Cert Hostname DOES NOT VERIFY ,

(mail.contoso.com != mail | DNS:mail | DNS:mail.lan.contoso.com)

In this forum thread they mention something about the error.

Following the recommendations of this forum, my DNS settings are:

Private AD DNS (lan.contoso.com)

    Record Type    DNS Name                    Internal IP
    A              mail.lan.contoso.com        192.168.1.4
    A              DC01.lan.contoso.com        192.168.1.3

Private DNS (contoso.com), split

    Record Type    DNS Name                    Internal IP
    A              mail.contoso.com            192.168.1.4
    A              autodiscover.contoso.com    192.168.1.4

Public DNS (contoso.com)

    Record Type    DNS Name                    Value
    A              mail.contoso.com            xxx.xxx.xxx.xxx
    A              autodiscover.contoso.com    xxx.xxx.xxx.xxx
    MX             @                           mail.contoso.com


The certificate is for the public domain, but SMTP answers me with the private AD domain name and not with the split-DNS domain, which is the same as the public domain.
What am I forgetting to configure? By the way, the PTR record is already registered by the ISP.
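The CheckTLS message quoted above is the result of ordinary TLS hostname verification against whatever certificate the server offers on STARTTLS. The following script, added here as an example and not part of the original question, reproduces that check from any Windows host: it reads the SMTP banner (which shows the FQDN the Receive connector advertises), negotiates STARTTLS, pulls the certificate's subjectAltName entries, and compares them with the name the client connected to. The hostname mail.contoso.com is the thread's placeholder; the EHLO name and the port are assumptions.

```powershell
# Added example (not from the thread): reproduce the CheckTLS "Cert Hostname" check
# by negotiating STARTTLS and comparing the presented certificate's names with the
# name clients connect to. Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows
# (AsnEncodedData.Format output is Windows-specific) and outbound TCP/25.
param(
    [string]$SmtpHost     = 'mail.contoso.com',   # placeholder from the question
    [int]   $Port         = 25,
    [string]$ExpectedName = 'mail.contoso.com'    # the name a remote MTA will verify
)

function Read-SmtpReply {
    # SMTP replies may span several lines: "250-..." continues, "250 ..." ends.
    param([System.IO.StreamReader]$Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Get-CertificateDnsNames {
    # Names a client may match: SAN dNSName entries, falling back to the Subject CN
    # only when the certificate carries no SAN extension (RFC 6125 behaviour).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields e.g. "DNS Name=mail, DNS Name=mail.lan.contoso.com"
        return [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    }
    $cn = [regex]::Match($Cert.Subject, 'CN=([^,]+)')
    if ($cn.Success) { return @($cn.Groups[1].Value.ToLowerInvariant()) }
    return @()
}

function Test-HostnameMatch {
    # Exact match, or a wildcard covering exactly one left-most label (*.contoso.com).
    param([string]$Name, [string[]]$Names)
    $n = $Name.ToLowerInvariant()
    foreach ($pattern in $Names) {
        if ($pattern -eq $n) { return $true }
        if ($pattern.StartsWith('*.')) {
            $suffix = $pattern.Substring(1)                      # ".contoso.com"
            $prefix = $n.Substring(0, [Math]::Max(0, $n.Length - $suffix.Length))
            if ($n.EndsWith($suffix) -and $prefix.Length -gt 0 -and -not $prefix.Contains('.')) {
                return $true
            }
        }
    }
    return $false
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($SmtpHost, $Port)
    $net    = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($net, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($net, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    $banner = Read-SmtpReply $reader
    Write-Host "Banner : $($banner[0])"      # FQDN advertised by the Receive connector

    $writer.WriteLine('EHLO tlscheck.example')   # assumed client name
    $ehlo = Read-SmtpReply $reader
    if (-not ($ehlo -match '^250[ -]STARTTLS')) { throw 'Server did not advertise STARTTLS' }

    $writer.WriteLine('STARTTLS')
    $ready = Read-SmtpReply $reader
    if ($ready[0] -notmatch '^220') { throw "STARTTLS refused: $($ready[0])" }

    # Accept any chain: this diagnostic wants to *see* the certificate, not trust it.
    # Never ship a callback like this in a real mail client.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tls = New-Object System.Net.Security.SslStream($net, $false, $accept)
    $tls.AuthenticateAsClient($ExpectedName)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    $names = Get-CertificateDnsNames $cert
    Write-Host "Subject: $($cert.Subject)"
    Write-Host "Names  : $($names -join ' | ')"

    if (Test-HostnameMatch -Name $ExpectedName -Names $names) {
        Write-Host "Cert Hostname VERIFIES ($ExpectedName)"
    } else {
        # Same shape as the CheckTLS message quoted in the question
        Write-Host "Cert Hostname DOES NOT VERIFY ($ExpectedName != $($names -join ' | '))"
    }

    $tlsWriter = New-Object System.IO.StreamWriter($tls, [System.Text.Encoding]::ASCII)
    $tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
    $tlsWriter.WriteLine('QUIT')
} finally {
    $client.Close()
}
```

Run it as `.\Test-SmtpCert.ps1 -SmtpHost mail.contoso.com` from outside the LAN. If the names printed are the internal AD names (`mail`, `mail.lan.contoso.com`) while the banner and DNS are fine, the problem is not DNS at all: the Receive connector is offering a certificate other than the public one, which is what the accepted answer below this question fixes.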

LuisCoca answered YukiSun-MSFT commented

After much testing, I understand part of the error message in CheckTLS. It is the certificate used by the Exchange Receive connector.
I retested in CheckTLS and it passed the entire test without errors.

Thanks for the advice @YukiSun-MSFT , I will continue to practice .


I share my solution with you, I hope it helps others with this problem.

I do not know if it is a good procedure; this is the solution I am using.
I used the following Microsoft documentation for reference.

  1. Verify that the Let's Encrypt certificate is created and the services are enabled

    Get-ExchangeCertificate | Format-List FriendlyName,Thumbprint,Issuer,Subject,CertificateDomains,Services


  2. Identify the Receive connector to assign; I was focused on the one for anonymous users

    Get-ReceiveConnector | where {$_.Bindings -like '*25' -AND $_.PermissionGroups -like '*AnonymousUsers*'} | Format-List Identity,Bindings,RemoteIPRanges,PermissionGroups

  3. Having identified the connector, assign the certificate to it

    $cert = Get-ExchangeCertificate -Thumbprint xxxxxxxx

    $tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"

    Set-ReceiveConnector "Server_Name\Default Frontend Server_Name" -TlsCertificateName $tlscertificatename


  4. Verify that the certificate was assigned to the Receive connector

    Get-ReceiveConnector -Identity "Server_Name\Default Frontend Server_Name" | Format-List Name,Fqdn,TlsCertificateName

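The four steps above bind the certificate but only print the connector's `TlsCertificateName` afterwards. The script below is an added example, not part of the answer or of Microsoft's documentation: it resolves each internet-facing Receive connector's `TlsCertificateName` (stored as `<I>issuer<S>subject`) back to the actual certificate and checks the properties a remote MTA cares about, namely that the certificate exists on the server, is enabled for SMTP, is not expired, is not self-signed, and lists the public name in its domains. When `TlsCertificateName` is empty it shows which certificate Exchange would pick by FQDN match, which explains why the internal-name certificate was being offered. Names are the thread's placeholders; run it in the Exchange Management Shell.

```powershell
# Added example (not from the thread): after Set-ReceiveConnector -TlsCertificateName,
# verify that every port-25 anonymous Receive connector resolves to a certificate that
# covers the public name remote servers verify. Assumes the Exchange Management Shell
# on the mailbox server; $PublicName is the question's placeholder.
param(
    [string]$PublicName = 'mail.contoso.com',
    [string]$Server     = $env:COMPUTERNAME
)

$PublicName = $PublicName.ToLowerInvariant()
$now   = Get-Date
$certs = Get-ExchangeCertificate -Server $Server

# A wildcard for the parent zone also satisfies the check (one label only).
$wildcard = ('*.' + ($PublicName -replace '^[^.]+\.', '')).ToLowerInvariant()

$connectors = Get-ReceiveConnector -Server $Server |
    Where-Object { ($_.Bindings -like '*:25') -and ($_.PermissionGroups -like '*AnonymousUsers*') }

foreach ($rc in $connectors) {
    $issues = @()
    $cert   = $null

    if ($rc.TlsCertificateName) {
        # Resolve "<I>issuer<S>subject" to the certificate actually installed on this server.
        $tlsName = $rc.TlsCertificateName.ToString()
        if ($tlsName -match '^<I>(.+)<S>(.+)$') {
            $issuer = $Matches[1]; $subject = $Matches[2]
            $cert = $certs | Where-Object { $_.Issuer -eq $issuer -and $_.Subject -eq $subject } |
                Select-Object -First 1
            if (-not $cert) { $issues += "TlsCertificateName points to a certificate not present on $Server" }
        } else {
            $issues += "Unparseable TlsCertificateName: $tlsName"
        }
    } else {
        # No explicit binding: Exchange picks an SMTP-enabled certificate whose domains match
        # the connector FQDN, which is how the self-signed certificate carrying the internal
        # AD name (mail.lan.contoso.com) ends up being offered on STARTTLS.
        $issues += 'TlsCertificateName is empty; certificate chosen by FQDN match'
        $fqdn = $rc.Fqdn.ToString()
        $cert = $certs | Where-Object {
            ($_.Services -match 'SMTP') -and
            (@($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn)
        } | Select-Object -First 1
    }

    if ($cert) {
        $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLowerInvariant() })
        if ($cert.NotAfter -lt $now)            { $issues += "Certificate expired $($cert.NotAfter)" }
        if ($cert.Services -notmatch 'SMTP')     { $issues += 'Certificate not enabled for the SMTP service' }
        if ($cert.Issuer -eq $cert.Subject)      { $issues += 'Self-signed certificate; remote servers cannot build a trusted chain' }
        if (-not (($domains -contains $PublicName) -or ($domains -contains $wildcard))) {
            # This is the condition CheckTLS reports as "Cert Hostname DOES NOT VERIFY"
            $issues += "Certificate names [$($domains -join ', ')] do not cover $PublicName"
        }
    }

    [pscustomobject]@{
        Connector  = $rc.Identity
        Fqdn       = $rc.Fqdn
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Status     = if ($issues.Count -eq 0) { 'OK' } else { 'CHECK' }
        Issues     = $issues -join '; '
    }
}
```

Pipe the output to `Format-List` for readability. A connector reported as `OK` is offering the Let's Encrypt certificate with `mail.contoso.com` in its domains, which is what CheckTLS needs; the connector `Fqdn` (and therefore the banner) can keep the internal name without affecting hostname verification, which is consistent with the banner change not helping in the comments below.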

Many thanks @LuisCoca for your valuable sharing; hopefully it can help others who encounter a similar situation!
By the way, if you don't mind, you can click "Accept Answer" under your post so that it is easier for others reading this thread to see the solution. :)

YukiSun-MSFT answered LuisCoca commented

Hi @LuisCoca,

Aside from the alert message, is it causing real problems, such as messages that cannot be sent or received? If yes, are there any clues in the undeliverable message?

Besides, I noticed that, as mentioned in the last article about internal DNS settings you shared above, the recommended internal DNS records are slightly different from yours in the DNS Name fields:

    Record Type    DNS Name                    Internal IP
    A              mail.contoso.com            192.168.1.3
    A              autodiscover.contoso.com    192.168.1.3

So I'd suggest checking it from your side and updating the internal settings in the split domain to see how it goes.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Hello @YukiSun-MSFT .

I have no problem sending or receiving mail.
I want to use certificates to prevent the sender's mail from reaching the recipient as spam and to improve security.

In DNS configuration there are two types of suggestion: Pinpoint DNS or Split DNS. I prefer to use Microsoft's recommendation.

Reading, I realize that it only applies to 2016 and I use 2012 R2. I'm going to run a test and I'll tell you how it went.

But I was reading about the FQDN of the SMTP, and I suspect it is in the Receive connectors in Exchange Server.



Hi @LuisCoca,

Thanks for the response. Regarding the DNS configuration, from the "Applies to" section I agree with you that the documentation mentioned doesn't seem to be suitable for Windows Server 2012 R2. Also, the "office-exchange-server-connectivity" tag mainly focuses on client connectivity questions for Exchange Server, while a DNS configuration issue is more related to Windows Server, so you could open a new thread for the specific query about DNS configuration on Windows Server 2012 R2 using some Windows Server related tags for better help.

But I was reading about the FQDN of the SMTP, and I suspect it is in the Receive connectors in Exchange Server.

By "FQDN of the SMTP", are you referring to "SMTP banner" mentioned in the forum link you provided earlier? If this is the case, yes, it usually means the SMTP banner on receive connectors. For more details, you may refer to Modify the SMTP banner on Receive connectors




Hi @YukiSun-MSFT.

For the error message in CheckTLS, I understood that it indicates a DNS problem, so I was asking whether someone had had this type of problem.
I do not know if it is the domain's DNS service or the Exchange FQDN services.
I will take your advice, a new thread with another tag


In this forum thread they comment that the error message refers to the SMTP banner; I changed the banner and the same error message persists.
