Can't receive mail in a hybrid environment after you install a new certificate on the server

PROBLEM
After you install a new Exchange certificate in an Exchange hybrid environment, you experience the following symptoms:
  • You cannot receive mail from the Internet or from Office 365 when you use Transport Layer Security (TLS).
  • If you use Telnet (for example, telnet localhost 25) to examine Simple Mail Transfer Protocol (SMTP) communications, you notice that the STARTTLS command is missing.
  • If you examine the Application log in Event Viewer, you see an event that resembles the following:
    Log Name: Application
    Source: MSExchangeFrontEndTransport
    Date: MM/DD/YYYY 0:00:00 AM
    Event ID: 12014
    Task Category: TransportService
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: <HybridServerName>.contoso.com
    Description:
    Microsoft Exchange could not find a certificate that contains the domain name <I>CN=Certificate Name, OU=<CertificateIssuer>, O=Certificate Provider, C=US<S>CN=mail.contoso.com, OU=IT, O=contoso, L=location, S=location, C=US in the personal store on the local computer.
  • The check connectivity test to the on-premises server fails and you receive the following error message:
    450 4.4.101 Proxy session setup failed on Frontend with '451 4.4.0 Primary target IP address responded with "451 5.7.3 STARTTLS is required to send mail." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was <endpoint>'.
CAUSE
This issue occurs if the TlsCertificateName property of the hybrid server’s receive connector contains certificate information that no longer matches an installed certificate. This property is set correctly when the Hybrid Configuration wizard is run after a new Exchange certificate is installed. However, if the wizard is not rerun, or if it fails to update the property for any other reason, TlsCertificateName still references the old certificate, so the hybrid server’s receive connector does not use the new Exchange certificate. In this scenario, the STARTTLS command will not be present in SMTP communications.
SOLUTION
Remove the TlsCertificateName and TlsDomainCapabilities properties from the receive connector on the hybrid server. To do this, follow these steps:
  1. Run the following commands:
    # Clear the stale certificate binding so the connector falls back to the default SMTP certificate
    Get-ReceiveConnector "ServerName\Default Frontend ReceiveConnector" | Set-ReceiveConnector -TlsCertificateName $null
    # Clear the per-domain TLS settings that reference the old certificate
    Get-ReceiveConnector "ServerName\Default Frontend ReceiveConnector" | Set-ReceiveConnector -TlsDomainCapabilities $null
  2. Rerun the Hybrid Configuration wizard to update the receive connector on the hybrid server with the certificate information.
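The following check is an added example and not part of this article: it reads the connector's TlsCertificateName (stored in the same <I>Issuer<S>Subject form shown in event 12014), verifies that a matching, unexpired, SMTP-enabled certificate is actually installed, and shows the alternative of rebinding the connector to the new certificate by thumbprint. It assumes an Exchange Management Shell session; "ServerName", the connector name and the thumbprint are placeholders.

```powershell
# Added example (not from the KB article). Placeholders: ServerName, connector name, thumbprint.
$Server        = "ServerName"
$ConnectorName = "$Server\Default Frontend ReceiveConnector"

$connector = Get-ReceiveConnector $ConnectorName
# Force the SmtpX509Identifier to its string form: "<I>Issuer<S>Subject"
$tlsName = "$($connector.TlsCertificateName)"

if ([string]::IsNullOrEmpty($tlsName)) {
    Write-Output "TlsCertificateName is empty: the connector uses the default SMTP certificate."
    return
}

if ($tlsName -notmatch '^<I>(?<issuer>.+)<S>(?<subject>.+)$') {
    throw "Unexpected TlsCertificateName format: $tlsName"
}
$issuer  = $Matches['issuer']
$subject = $Matches['subject']

# Look for an installed certificate whose issuer and subject match the binding exactly.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Issuer -eq $issuer -and $_.Subject -eq $subject }

if (-not $cert) {
    Write-Warning "No installed certificate matches '$tlsName'; STARTTLS will not be advertised."
    Write-Warning "Clear the property and rerun the Hybrid Configuration wizard, or rebind as below."
    # Alternative to clearing: bind the connector directly to the new certificate.
    # $new = Get-ExchangeCertificate -Server $Server -Thumbprint "<NEW_CERT_THUMBPRINT>"
    # Set-ReceiveConnector $ConnectorName -TlsCertificateName "<I>$($new.Issuer)<S>$($new.Subject)"
}
elseif ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Bound certificate $($cert.Thumbprint) expired on $($cert.NotAfter); renew and rebind."
}
elseif ($cert.Services -notmatch 'SMTP') {
    Write-Warning "Bound certificate $($cert.Thumbprint) is not enabled for SMTP (Services: $($cert.Services))."
}
else {
    Write-Output "OK: connector bound to $($cert.Thumbprint), valid until $($cert.NotAfter), SMTP enabled."
}
```

Run the check again after step 2 to confirm the wizard rewrote the binding to the new certificate.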
MORE INFORMATION
For more information, see Certificate requirements for hybrid deployments.

Properties

Article ID: 2989382 - Last Review: 10/01/2015 06:33:00 - Revision: 5.0

Microsoft Exchange Online, Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard
