Enable-ExchangeCertificate - Problem with SMTP

  • Question

  • Hello,

    I have a problem with all our new Exchange 2016 servers. If I enable our third-party certificate for IMAP, POP, IIS and SMTP, it works only for IMAP, POP and IIS. Not for SMTP. But there are no errors. Neither in the Exchange Admin Center nor in PowerShell.

    PowerShell Command: Enable-ExchangeCertificate -Thumbprint XxXxX -Services SMTP

    The certificate has multiple SANs:

    • OldLongDomain.com
    • exchange.OldLongDomain.com
    • autodiscover.OldLongDomain.com
    • legacy.OldLongDomain.com
    • domain.com
    • Exchange.domain.com
    • autodiscover.domain.com
    • legacy.domain.com

    Is that a problem? But why only for the SMTP service? The others work fine.

    There aren't any errors in the event log either.

    Many Greetings

    Markus

    Monday, July 2, 2018 10:21 AM

All replies

  • Hi Markus,

    What's your problem with certificate, mail flow with SMTP?

    Do you get any warning when you enable the certificate for the SMTP service? Similar to the one below:

    Normally, we don't need to replace the default SMTP certificate if it still works.
    Moreover, it's fine to replace it with new public certificate.

    Best Regards,
    Allen Wang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Tuesday, July 3, 2018 7:10 AM
  • Hi Allen,

    Thanks for the answer. Mail flow or something is not yet tested.

    I cannot assign the cert:

    [PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint 8DDBB3799CDD701551E0F1A1714C54EA202902E -Services SMTP

    [PS] C:\Windows\system32>
    [PS] C:\Windows\system32>Get-ExchangeCertificate -Thumbprint 8DDBB3799CDD701551E0F1A1714C54EA202902E | fl

    AccessRules        :
    CertificateDomains : {domain.com, autodiscover.domain.com, exchange.domain.com, legacy.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    NotAfter           : 16.10.2020 11:50:19
    NotBefore          : 17.10.2017 11:50:19
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    Services           : IMAP, POP, IIS
    Status             : Valid
    Thumbprint         : 8DDBB3799CDD701551E0F1A1714C54EA202902E

    Tuesday, July 3, 2018 10:10 AM
  • No warning or error returns?
    Would you please run the command below to check the certificate for the SMTP service?
    Get-ExchangeCertificate | FL Thumbprint,Services,RootCAType,Status,CertificateDomains,Not*

    Moreover, open Event Viewer to check Application log, MSExchange Management to find more information about this problem.

    Best Regards,
    Allen Wang



    Wednesday, July 4, 2018 6:00 AM
  • Good Morning,

    All servers have a computer certificate (signed by our enterprise CA) only with the computer name. This happens automatically by Group Policy. This cert was present during the Exchange installation and only this cert is assigned to the SMTP service.

    I cannot unassign the cert

    There are no relevant errors in the eventlog.

    Your command shows the following:

    Thumbprint         : 61F183292947F37D85A99243A18D0A3CCDB9A035
    Services           : None
    RootCAType         : None
    Status             : Valid
    CertificateDomains : {}
    NotAfter           : 12.04.2023 11:19:38
    NotBefore          : 08.05.2018 11:19:38

    Thumbprint         : 8F713AA808498891103AD4E963E03002E0193820
    Services           : None
    RootCAType         : None
    Status             : Valid
    CertificateDomains : {ex16srv, ex16srv.domain.com}
    NotAfter           : 08.05.2023 11:17:32
    NotBefore          : 08.05.2018 11:17:32

    Thumbprint         : B4151CA1C007A81575598F8C04C0280CC053AEF5
    Services           : None
    RootCAType         : Registry
    Status             : Valid
    CertificateDomains : {WMSvc-SHA2-ex16srv}
    NotAfter           : 27.04.2028 10:53:35
    NotBefore          : 30.04.2018 10:53:35

    Thumbprint         : C2F813333ACF83DD438D96226C9C1B37789D38FE
    Services           : IIS, SMTP
    RootCAType         : GroupPolicy
    Status             : Valid
    CertificateDomains : {ex16srv.domain.com}
    NotAfter           : 26.04.2020 09:56:33
    NotBefore          : 27.04.2018 09:56:33

    Thumbprint         : 8DDBB3799CDD701551E0F1A1714C54EA202902E
    Services           : IMAP, POP, IIS
    RootCAType         : ThirdParty
    Status             : Valid
    CertificateDomains : {domain.com, exchange.domain.com, autodiscover.domain.com, legacy.domain.com}
    NotAfter           : 16.10.2020 11:50:19
    NotBefore          : 17.10.2017 11:50:19


    Wednesday, July 4, 2018 7:41 AM
  • Hi Markus,

    I suppose it might be limited by group policy, you can contact your IT manager to double confirm.
    By the way, if it works fine with your company policy and security, you can ignore it.

    Best Regards,
    Allen Wang



    • Proposed as answer by Manu Meng Monday, July 23, 2018 5:54 AM
    Tuesday, July 10, 2018 2:54 AM
  • Okay, I ignore it and go ahead.


    Thanks
    Friday, July 20, 2018 9:16 AM
  • Hi Markus,

    If you don't mind, we'd suggest you mark the replies above as answers, so it will be easy for other community members to find the useful one/ones.

    Thanks a lot for your understanding.

    Regards,

    Manu Meng



    Monday, July 23, 2018 5:55 AM