Anonymous relay not working after cert replacement on Hybrid Exchange 2016

  • Question

  • Hi all,

    Our certificate was about to expire and we decided to replace it with another CA.

    We did that and it all went well except for the anonymous relay that we have on some of our printers.

    It just stopped working (was working before which indicates that our connectors were working fine).

    Did any of you have a similar issue?

    Do I have to re-run the Exchange hybrid wizard?

    Any ideas?

    I have done a telnet test and it connects fine, but the email stays in the queue.



    Friday, February 16, 2018 8:38 PM

Answers

  • Well, turns out it was the Smart Host connector.

    For some reason it just stopped working. Used the second one and it worked fine.

    Anonymous relay is working as it should.

    • Marked as answer by GPS_Unit Tuesday, February 27, 2018 6:25 PM
    Tuesday, February 27, 2018 6:25 PM

All replies

  • What error does it get while hanging out in the queue, 550 5.7.64?

    Is it a cert-based or IP based connector? If cert-based, did you assign that new cert to the connector itself?

    There's a cmdlet for that...I forget off the top of my head the exact syntax, I'll try to dig it up.


    My Blog: http://exchangeitup.blogspot.com My Twitter: http://twitter.com/ExchangeITup


    Friday, February 16, 2018 8:56 PM
  • It's a wildcard *.domain.com

    Basically all the connectors were in place already. Only thing we did was install the wildcard and assign the services IIS and SMTP. 

    So you're saying that after doing this I have to manually assign the cert to the connectors?

    Friday, February 16, 2018 10:53 PM
  • Yeah, if it's a cert-based connector, which would have had the old cert assigned, you'd need to update it with the new one on the connector.

    My Blog: http://exchangeitup.blogspot.com My Twitter: http://twitter.com/ExchangeITup

    Saturday, February 17, 2018 4:50 PM
  • Hello.

    In addition, we can check the last error of the queued messages with the command: `Get-Queue | fl LastError*`

    We need to assign the cert to the connector and then we need to restart the transport service and check the results.

    Hope it helps.


    Best Regards,
    Jason Chao



    • Proposed as answer by Jason.Chao Tuesday, February 20, 2018 8:31 AM
    Monday, February 19, 2018 6:53 AM
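The procedure in the reply above (inspect the queue's last error, assign the new certificate to the connector, restart transport) as a worked example. This is added here and is not code from the thread or from Microsoft; it assumes an Exchange Management Shell session on the hybrid Exchange 2016 server, and the connector names and the `*.domain.com` subject are placeholders to adjust to your environment.

```powershell
# Added example, not from the original thread. Assumes Exchange Management Shell on the
# hybrid server; connector names and the certificate subject below are placeholders.

# 1. Why are the messages stuck? LastError per queue is the fastest indicator
#    (a TLS/certificate mismatch on the next hop shows up here).
Get-Queue | Format-List Identity, Status, MessageCount, NextHopDomain, LastError

# 2. Locate the newly installed wildcard certificate and make sure SMTP is enabled on it.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like 'CN=*.domain.com*' -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) { throw 'New certificate not found in the local Exchange certificate store' }
if ($cert.Services -notmatch 'SMTP') {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
}

# 3. Connectors reference a certificate by issuer and subject, not by thumbprint,
#    in the form "<I>issuer<S>subject". Build that string from the certificate itself
#    so it cannot be mistyped.
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# 4. Point the hybrid send and receive connectors at the new certificate
#    (placeholder connector names; use Get-SendConnector / Get-ReceiveConnector to find yours).
Set-SendConnector    -Identity 'Outbound to Office 365' -TlsCertificateName $tlsName
Set-ReceiveConnector -Identity 'EX01\Default Frontend EX01' -TlsCertificateName $tlsName

# 5. Restart both transport services so the connectors pick up the change, then
#    force the retry queues instead of waiting for the next retry interval.
Restart-Service MSExchangeTransport
Restart-Service MSExchangeFrontEndTransport
Retry-Queue -Filter "Status -eq 'Retry'"

# 6. Confirm the change landed on the connectors.
Get-SendConnector    | Format-Table Name, Enabled, Fqdn, TlsCertificateName -AutoSize
Get-ReceiveConnector | Format-Table Name, TlsCertificateName -AutoSize
```

Run step 1 first and read `LastError` before changing anything: if it reports a TLS or certificate problem on the next hop, steps 2 to 5 apply; if it reports something unrelated (a DNS failure, a rejected recipient, a smart host that is not answering), assigning the certificate will not fix it.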
  • Did apply the new cert to that connector.

    But emails from the UPSs and the printers are still not coming.

    Not sure what else to try.

    Created a new connector just in case and also added the cert to it through command line... and still no emails

    Funny thing is that the UPS says email sent successfully but nothing shows up in my inbox.

    Tuesday, February 20, 2018 5:00 PM
  • Your issue is probably that Office 365 is no longer trusting the connectivity from your on-prem server. First thing to verify is the send connector to Office 365 and ensure hostname in the send connector is included in the certificate. If not, then it won't be able to send by using TLS which is required.

    I just replaced a certificate today and the receive connector in O365 was based on the certificate name of the hybrid server. Just replacing the cert worked fine.

    Over time they've changed how hybrid mailflow is authenticated. I think at one point, they used to authenticate based on certificate thumbprint which would change when the cert is updated. In that case, re-run the hybrid wizard to fix it up.

    The key is to look at your send connector on the hybrid server and the receive connector in O365.


    Byron Wright (http://byronwright.blogspot.ca)

    • Proposed as answer by Jason.Chao Tuesday, February 27, 2018 3:02 AM
    Wednesday, February 21, 2018 1:30 AM
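The check recommended above (does the send connector's hostname appear on the new certificate, and does the Office 365 inbound connector reference that certificate) as a worked example. It is added here and is not part of the thread; it assumes an Exchange Management Shell session on-prem and, for the last step, an already connected Exchange Online PowerShell session. The `Test-NameCovered` helper is written for this example. The same listing also shows each send connector's smart hosts, which is the property the accepted answer eventually points to.

```powershell
# Added example, not from the original thread. Assumes Exchange Management Shell on-prem
# and, for Get-InboundConnector, a connected Exchange Online PowerShell session.

# The certificate currently enabled for SMTP.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# All DNS names the certificate is valid for (subject CN plus SANs).
$certNames = @($cert.Subject -replace '^CN=' -replace ',.*$') + @($cert.CertificateDomains)

# Helper written for this example: does a certificate name cover the given FQDN?
# A wildcard covers exactly one label (mail.domain.com, not a.b.domain.com).
function Test-NameCovered {
    param([string]$Fqdn, [string[]]$CertNames)
    if ([string]::IsNullOrEmpty($Fqdn)) { return $false }
    foreach ($n in $CertNames) {
        if ($n -ieq $Fqdn) { return $true }
        if ($n.StartsWith('*.') -and $Fqdn -match '^[^.]+\.(.+)$' -and $Matches[1] -ieq $n.Substring(2)) {
            return $true
        }
    }
    return $false
}

# One row per send connector: is its FQDN on the cert, which cert name it references,
# and where it actually delivers (smart hosts vs. DNS routing).
Get-SendConnector | ForEach-Object {
    [pscustomobject]@{
        Name               = $_.Name
        Enabled            = $_.Enabled
        Fqdn               = $_.Fqdn
        FqdnOnCert         = Test-NameCovered -Fqdn ([string]$_.Fqdn) -CertNames $certNames
        TlsCertificateName = $_.TlsCertificateName
        SmartHosts         = ($_.SmartHosts -join ', ')
        AddressSpaces      = ($_.AddressSpaces -join ', ')
    }
} | Format-Table -AutoSize

# Exchange Online side: the inbound connector for the hybrid server should require TLS and
# name the same issuer/subject the on-prem connector now presents.
Get-InboundConnector | Format-List Name, Enabled, ConnectorType, RequireTls, TlsSenderCertificateName, SenderDomains
```

An empty `Fqdn` on a send connector means Exchange presents the server's own FQDN in EHLO and TLS, so check that name against the certificate instead. If `TlsSenderCertificateName` in Exchange Online still shows the old issuer or subject, that connector was created for the previous certificate and is the one to update (or re-run the Hybrid Configuration Wizard, as the reply above suggests).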