- You cannot receive mail from the Internet or from Office 365 when you use Transport Layer Security (TLS).
- If you use Telnet (for example, telnet localhost 25) to examine Simple Mail Transfer Protocol (SMTP) communications, you notice that the STARTTLS command is missing.
- If you examine the Application log in Event Viewer, you see an event entry that resembles the following: Log Name: Application
Date: MM/DD/YYYY 0:00:00 AM
Event ID: 12014
Task Category: TransportService
Microsoft Exchange could not find a certificate that contains the domain name <I>CN=Certificate Name, OU=<CertificateIssuer>, O=Certificate Provider, C=US<S>CN=mail.contoso.com, OU=IT, O=contoso, L=location, S=location, C=US in the personal store on the local computer.
- The check connectivity test to the on-premises server fails, and you receive the following error message: 450 4.4.101 Proxy session setup failed on Frontend with '451 4.4.0 Primary target IP address responded with "451 5.7.3 STARTTLS is required to send mail." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was <endpoint>'.
The TlsCertificateName property is set correctly when the Hybrid Configuration wizard (HCW) is run after a new Exchange certificate is installed.
However, if the HCW is not run, or if a failure occurs for any other reason when you run the HCW, the TlsCertificateName property is not updated, and the new Exchange certificate is not used by the hybrid server's receive connector.
In this scenario, the STARTTLS command is not present in SMTP communications, and the mail flow from Office 365 fails.
Make sure that the new certificate is enabled for SMTP. If it's not, run the following command to enable the SMTP service on the newly installed certificate.
Enable-ExchangeCertificate <thumbprint> -services SMTP
Note Select No when you are prompted to overwrite the default certificate). Otherwise, EdgeSync breaks and has to be re-created. Then, remove the TlsCertificateName property from the receive connector on the hybrid server. To do this, run the following command:
Get-ReceiveConnector "ServerName\Default Frontend ReceiveConnector" | Set-ReceiveConnector -TlsCertificateName $null
Rerun the Hybrid Configuration wizard to update the receive connector on the hybrid server that has the newly installed certificate information.