Question (asked by 47451047)

Hybrid Exchange with Edge

Hello. I have three mailbox servers and one Edge.
The mailbox servers have a purchased wildcard certificate.

  • After setting up the hybrid configuration, I can't receive emails from EXO and can't send there.

In EXO in the connector to send to my servers, I turned off TLS verification. The emails started coming from EXO.

But I cannot send to EXO from my local servers.

When I set up the hybrid configuration, Edge uses the certificate from the mailbox servers. But I get an error when I send email to EXO:

[{LED=451 4.4.395 Target host responded with error. -> 421 4.4.1 Connection timed out};{MSG=};{FQDN=resoleasing-mail-onmicrosoft-com.mail.protection.outlook.com};{IP=104.47.14.36};{LRT=16.09.2021 11:50:19}]
- As I understand it, I need to install a commercial certificate on the SMTP service, but then I can't do the subscription since I can't use one generic certificate.

  • Do I understand correctly that when using a hybrid configuration with Edge, I need to buy one more certificate, or what should I do? Can't I use the one generic certificate I bought and use on the mailbox servers?

Translated with www.DeepL.com/Translator (free version)

office-exchange-hybrid-itpro

Answer by 47451047

I figured it out, thanks to this article: https://blog.matrixpost.net/category/office-365/page/5/

My mistake was that when I installed the certificate on Edge for the SMTP service, I was replacing the original one.


Answer by joyceshen-MSFT

Hi @47451047

What's your on-prem Exchange server version? As you said, your issue is related to your certificate not having a private key.

These two links discuss a similar issue to yours:
Certificate error in Edge Transport server in Hybrid Environment
EXCHANGE HYBRID TLS NEGOTIATION FAILED WITH ERROR NOCREDENTIALS
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Try the solution below to fix your issue:

1) Set the self-signed cert as the default for SMTP. Subscribe the Edge.
2) Set the wildcard cert as an SMTP cert. Assign TlsCertificateName to the receive connector:

 # Look up the purchased (third-party) certificate by its thumbprint
 $cert = Get-ExchangeCertificate -Thumbprint <3rd party cert thumbprint>
 # Build the TlsCertificateName value in the "<I>issuer<S>subject" form Exchange expects
 $tlscertificatename = "<I>$($cert.Issuer)<S>$($cert.Subject)"
 # Bind that certificate to the Edge server's default internal receive connector
 Set-ReceiveConnector "EDGE SERVER\Default internal receive connector EDGE SERVER" -TlsCertificateName $tlscertificatename

3) Restart the transport service.

4) Check which certificate is in use from the internet:

 openssl s_client -connect edge.contoso.com:25 -starttls smtp

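The procedure in the answer above, as an added PowerShell example that is not code from the thread or from Microsoft: it checks the purchased certificate before binding it (private key present, validity period, SMTP service enabled), builds the TlsCertificateName value, assigns it to the Edge server's default internal receive connector and reads it back, all without making the purchased certificate the default SMTP certificate, which is the change that broke the Edge subscription in the question. It is meant to be run in the Exchange Management Shell on the Edge server; the thumbprint is supplied by you, and the connector name default and the `edge.contoso.com` host name are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): validate a purchased certificate on an
# Edge Transport server and bind it to the default internal receive connector
# via TlsCertificateName, leaving the self-signed certificate as the default
# SMTP certificate that the Edge subscription relies on.
# Assumptions: run in the Exchange Management Shell on the Edge server;
# $Thumbprint is your certificate's thumbprint; the connector name follows the
# Exchange default "<server>\Default internal receive connector <server>".
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,
    [string]$ConnectorName = "$env:COMPUTERNAME\Default internal receive connector $env:COMPUTERNAME"
)

$ErrorActionPreference = 'Stop'

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint

# 1. Without its private key the certificate cannot complete the TLS handshake,
#    which is the "no credentials" failure discussed in the answer.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key. Re-import the PFX (including the key) first."
}

# 2. A certificate outside its validity period is rejected by the remote side.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $Thumbprint is not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}

# 3. The certificate must be enabled for SMTP, but the self-signed certificate
#    must stay the *default* SMTP certificate. Enable-ExchangeCertificate asks
#    whether to overwrite the default; answer No. This script only warns so the
#    operator makes that choice deliberately.
if ("$($cert.Services)" -notmatch 'SMTP') {
    Write-Warning ("Certificate is not enabled for SMTP. Run:`n" +
        "  Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP`n" +
        "and answer 'No' when asked to overwrite the existing default SMTP certificate.")
}

# 4. TlsCertificateName selects a certificate by issuer and subject, so both are
#    copied verbatim from the certificate object.
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# 5. Bind the certificate to the receive connector that Exchange Online talks to.
Set-ReceiveConnector -Identity $ConnectorName -TlsCertificateName $tlsName

# 6. Read the setting back and confirm it matches what was requested.
$connector = Get-ReceiveConnector -Identity $ConnectorName
if ("$($connector.TlsCertificateName)" -ne $tlsName) {
    throw "TlsCertificateName on '$ConnectorName' did not apply: found '$($connector.TlsCertificateName)'."
}
Write-Host "TlsCertificateName on '$ConnectorName' is now: $tlsName"

# 7. Transport reads connector settings at start-up, so restart it.
Restart-Service MSExchangeTransport

# 8. Remind the operator how to confirm the presented certificate from outside
#    (host name is a placeholder).
Write-Host "Verify from the internet with:"
Write-Host "  openssl s_client -connect edge.contoso.com:25 -starttls smtp"
```

Run it as `.\Set-EdgeTlsCertificate.ps1 -Thumbprint <thumbprint>` (script name is arbitrary). The deliberate choice is that the script never calls Enable-ExchangeCertificate itself: the one step that must not be automated is the prompt to overwrite the default SMTP certificate, since answering Yes there is exactly what replaced the self-signed certificate that the Edge subscription uses.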