Channel: Exchange Server 2013 - Mail Flow and Secure Messaging forum

SSL Certificate - TLS


Hey,

Inline with the change to certificates so that internal names are no longer allowed, we updated ours to not have internal names.

This is a sample of our cert:

mail.domain.com
autodiscover.domain.com
server1 (NetBIOS name of server)
server1.corp.domain.com (FQDN of server)

So I removed the last 2 from the cert. We're now getting bouncebacks when external recipients send us TLS emails and we get a lot of this error in the logs (every 15 minutes or so, event ID is 12014):

Microsoft Exchange could not find a certificate that contains the domain name server1.corp.domain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default server1 with a FQDN parameter of server1.corp.domain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

The cert is from DigiCert and is set to use the IMAP, POP, IIS and SMTP services.

What is the solution to this? I read this and it states you do not need the CAS array name in the cert (our CAS array name is the FQDN of the server - single server deployment):

http://blogs.technet.com/b/awang/archive/2012/02/22/exchange-2010-certificate-planning.aspx

We use mail.domain.com instead of smtp.domain.com as shown in the article.

I tried changing the FQDN HELO response for the default receive connector but it won't let me without removing Exchange Server authentication.  I then tried creating a new receive connector of type 'Internet' but that failed as 2 connectors can't use the same IP address and port.  So I then changed the port of the default receive connector and created a new one (of type Internet) that uses port 25.

That seems to stop error 12014 appearing in the logs.

Not sure if any of this is the right thing to do, especially changing the port on the default connector!
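A way to see which receive connectors are affected before changing ports, as an added example that is not part of the original post: it repeats the check behind event 12014 (connector FQDN versus the names on SMTP-enabled certificates). It assumes the Exchange Management Shell; the function names are ours, the cmdlets are standard.

```powershell
# Added diagnostic, not from the original post. Run in the Exchange Management Shell.
# Each receive connector's FQDN (or the computer FQDN when the connector's Fqdn is
# empty) must appear, directly or via a single-label wildcard, in the
# CertificateDomains of a certificate that has the SMTP service enabled.
# Function names are our own; Get-ExchangeCertificate and Get-ReceiveConnector
# are standard Exchange cmdlets.

function Test-NameCoveredByDomains {
    param([string]$Name, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.domain.com matches
            # mail.domain.com but not server1.corp.domain.com.
            $suffix = $d.Substring(1)   # ".domain.com"
            if ($Name.Length -gt $suffix.Length -and
                $Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) -and
                $Name.Substring(0, $Name.Length - $suffix.Length) -notmatch '\.') {
                return $true
            }
        } elseif ($d -eq $Name) {       # -eq is case-insensitive in PowerShell
            return $true
        }
    }
    return $false
}

function Get-ReceiveConnectorTlsStatus {
    $computerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    # Only certificates with the SMTP service enabled can serve STARTTLS.
    $smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }

    foreach ($rc in Get-ReceiveConnector) {
        $fqdn = "$($rc.Fqdn)"
        if ([string]::IsNullOrEmpty($fqdn)) { $fqdn = $computerFqdn }
        $cert = $smtpCerts | Where-Object {
            $names = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
            Test-NameCoveredByDomains -Name $fqdn -Domains $names
        } | Select-Object -First 1
        $thumb = if ($cert) { $cert.Thumbprint } else { '(none - expect event 12014)' }

        [pscustomobject]@{
            Connector  = $rc.Identity.ToString()
            Fqdn       = $fqdn
            Bindings   = ($rc.Bindings -join ', ')
            Covered    = [bool]$cert
            Thumbprint = $thumb
        }
    }
}

Get-ReceiveConnectorTlsStatus | Format-Table -AutoSize
```

A row with Covered = False is a connector whose FQDN is on no SMTP-enabled certificate, which is exactly what event 12014 reports. While Exchange Server authentication is enabled on the default connector its FQDN has to stay the server FQDN, which is why the post ends up with a separate internet-facing connector on port 25 whose FQDN is a name on the certificate.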
