Exchange 2013 TLS and SMTP

  • Question

  • Hi Guys,

    I have a small issue with my Exchange 2013. A few days ago I changed one certificate to the new one and applied it to SMTP, IMAP, POP, and IIS. The old cert was deleted and after 48 hours I started having some issues related to SMTP, TLS. Secure transfer can't be established any more.

    We are using Mimecast services and all the emails go through them to our Exchange server on site. The Mimecast console has some testing tools for TLS.

    Results of Strict TLS test between Mimecast servers and our exchange:

    ##########################################################

    Mimecast Administration Checking the IP address x.x.x.200: 
    The IP address has a valid format.
    The IP address is public.
    Execute the SMTP connection test with the given parameters:
    220 eu-smtp-1.mimecast.com ESMTP ; Tue, 15 Nov 2016 09:29:26 +0000
    MCCONNECT null x.x.x.200:25
    220 BWMAIL01.domain.co.uk Microsoft ESMTP MAIL Service ready at Tue, 15 Nov 2016 09:29:26 +0000
    EHLO eu-smtp-1.mimecast.com
    250-BWMAIL01.domain.co.uk Hello [x.x.x.250]
    250-SIZE 104857600
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250 XRDST
    STARTTLS
    220 2.0.0 SMTP server ready
    An error occured.

    Execute the SMTP connection test with the given parameters:
    220 eu-smtp-1.mimecast.com ESMTP ; Tue, 15 Nov 2016 09:29:26 +0000
    MCCONNECT null x.x.x.200:25
    220 BWMAIL01.domain.co.uk Microsoft ESMTP MAIL Service ready at Tue, 15 Nov 2016 09:29:26 +0000
    EHLO eu-smtp-1.mimecast.com
    250-BWMAIL01.domain.co.uk Hello [10.50.1.252]
    250-SIZE 104857600
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250 XRDST
    STARTTLS
    220 2.0.0 SMTP server ready
    An error occured.
    ##############################################################

    I already tried to fix it using one of the posts:

    "Configuring the TLS Certificate Name for Exchange Server Receive Connectors" 

    but no luck yet.

    Thanks for the help


    • Edited by Zee.UK Wednesday, November 16, 2016 3:46 PM
    Wednesday, November 16, 2016 3:45 PM

All replies

  • Hi,

    From your description, I want to confirm:
    1. Did you install this new Exchange certificate in root trusted CA?
    2. Does the Exchange client get this new certificate from root CA, including this Mimecast server?

    We need to install this certificate into root trusted CA, and the client needs to update this certificate for it to take effect (to build a secure connection or encryption).

    If this certificate is used for S/MIME, please re-export it to .OST file, then configure SMIMECertificateIssuingCA with Set-SmimeConfig. Please refer to: https://technet.microsoft.com/en-IN/library/dn626155%28v=exchg.150%29.aspx


    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Allen_WangJF Monday, November 21, 2016 2:37 PM
    Saturday, November 19, 2016 2:18 PM
  • Finally, I found out what the issue was. As the certificate was reissued, after 48H the old cert expired. All the roles had been assigned to the new cert and the old cert was deleted from Exchange by GUI in the Exchange Administrative Center. After checking cert manager on the server I found the same deleted old cert (just grayed out as it was expired already), so after removal from cert manager everything fell back into place and started working!

    Zee

    • Proposed as answer by Allen_WangJF Friday, November 25, 2016 8:12 AM
    Wednesday, November 23, 2016 8:55 AM
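
A read-only check for the condition described in the resolution above, where an expired certificate was still present in the server's certificate store after being deleted in the Exchange admin GUI. This is an added example, not part of the original thread; it assumes the old and new certificates carry the same Subject and that it is run in an elevated PowerShell session on the Exchange server.

```powershell
# Added example: find expired certificates in the computer's Personal store
# that share a Subject with a currently valid certificate.
# Assumption: the reissued certificate kept the same Subject as the old one.
# Read-only: nothing is removed or changed.

$now = Get-Date

# Everything in Cert:\LocalMachine\My, i.e. what cert manager shows under
# "Certificates (Local Computer) > Personal".
$storeCerts = Get-ChildItem -Path Cert:\LocalMachine\My

$expired = $storeCerts | Where-Object { $_.NotAfter -lt $now }
$valid   = $storeCerts | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -ge $now }

# Pair each expired certificate with the newest valid one of the same Subject.
$stale = foreach ($old in $expired) {
    $replacement = $valid |
        Where-Object { $_.Subject -eq $old.Subject } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if ($replacement) {
        [pscustomobject]@{
            Subject           = $old.Subject
            ExpiredThumbprint = $old.Thumbprint
            ExpiredOn         = $old.NotAfter
            CurrentThumbprint = $replacement.Thumbprint
            CurrentValidUntil = $replacement.NotAfter
        }
    }
}

if ($stale) {
    $stale | Format-List
} else {
    'No expired certificate shares a Subject with a valid one.'
}

# When the Exchange Management Shell cmdlets are available, also show which
# certificates Exchange has enabled for SMTP and what each receive connector
# is configured to present.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'SMTP' } |
        Format-List Thumbprint, Subject, NotAfter, Status, Services

    Get-ReceiveConnector | Format-Table Identity, TlsCertificateName -AutoSize
}
```
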
  • Hi,

    Thanks for posting here and sharing the resolution!
    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Allen Wang



    Friday, November 25, 2016 8:12 AM