Exchange 2010 Self-Signed Certificate Issue
Hi everyone, I'll try and explain as best as I can since this environment was deployed before I joined the company, but we are having an issue with IMAP/SMTP and certificates. Our internal domain is abc.com; however, our external domain is xyz.com. So, our Exchange servers internally are named exch1.abc.com while externally they are reached via exch1.xyz.com. Now the problem I am running into is that the self-signed certificate that is automatically assigned to the SMTP service is issued to exch1.abc.com, which we do not have authority over as a domain (internal domain only). We also have a SAN certificate that has exch1.xyz.com listed, but when clients connect externally via IMAP and try to send, they get a cert error because the self-signed cert is issued to abc.com. The SAN cert is assigned to all services, including SMTP, but the self-signed default certificate is only set to SMTP, which is grayed out with the check box. How would I go about resolving this situation? Thanks!
July 28th, 2011 1:11pm

Hi, I can't recall a check box for any certificate setting. Can you please explain what you mean with "but the self signed default certification is only set to SMTP which is grayed out with the check box"? Can you please run Get-ExchangeCertificate | fl and post the output? :Martina Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
July 28th, 2011 1:30pm

What I mean by that is under "Server Configuration" --> EXCH1 (under the server name at the top of the page). Then in the bottom window the certificates appear for Exchange. The SAN certificate is listed as well as the "Microsoft Exchange" self-signed cert. When I click "Assign Services to Certificate" on the self-signed cert the SMTP box is checked and grayed out. Here is the output of Get-ExchangeCertificate | fl:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchange.securemissionsolutions.com, www.exchange.securemissionsolutions.com, smschsexch1.securemissionsolutions.com, smschsexch2.securemissionsolutions.com, securemissionsolutions.com, autodiscover.securemissionsolutions.com, imap.securemissionsolutions.com, mail.securemissionsolutions.com, smschsexch3.securemissionsolutions.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 3/15/2016 11:18:47 AM
NotBefore          : 3/15/2011 11:18:47 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 27A755F988426B
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=exchange.securemissionsolutions.com, OU=Domain Control Validated, O=exchange.securemissionsolutions.com
Thumbprint         : 0C39B15E559A99D313A428A6734007D15B2EE000

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {smschsexch1, smschsexch1.sms.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=smschsexch1
NotAfter           : 3/10/2016 5:07:44 PM
NotBefore          : 3/10/2011 5:07:44 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1F12A05E567FD998455620F7F8FD117D
Services           : SMTP
Status             : Valid
Subject            : CN=smschsexch1
Thumbprint         : 93C7FEBF1F4FC53D6F948EC40C4EB3624BD8B3EA
July 28th, 2011 1:37pm

Hi, Thanks, I guess I spend too little time in the EMC :) If you run:

Get-TransportServer | ft Name,InternalTransportCertificateThumbprint -auto

I believe that you will see the thumbprint of your internal certificate. If I am right, you might be able to change it by running:

set-transportserver -internalTransportCertificateThumbprint 93C7FEBF1F4FC53D6F948EC40C4EB3624BD8B3EA

:Martina
July 28th, 2011 1:52pm

Here is the output:

Name          InternalTransportCertificateThumbprint
----          --------------------------------------
SMSCHSEXCH1   0C39B15E559A99D313A428A6734007D15B2EE000
SMSCHSEXCH2   0C39B15E559A99D313A428A6734007D15B2EE000
smschsextmg1  991DB6441F81467596D93A96A44991694916A0C8
smschsextmg2  87CD7903BA4D1311F19E255CDD9A73F660A33AB4

Now, I want the SAN certificate (with the domain that we have authority over) as the primary SMTP certificate, just so we're clear :).
July 28th, 2011 1:55pm

Aha, I made a copy/paste mistake :) Hmm, I have some doubts about this. You might get a lot of errors in the Application Log if a certificate doesn't include the name of the Exchange Server. But you can definitely try and post back your result.

set-transportserver mschsextmg1 -InternalTransportCertificateThumbprint 0C39B15E559A99D313A428A6734007D15B2EE000
set-transportserver mschsextmg2 -InternalTransportCertificateThumbprint 0C39B15E559A99D313A428A6734007D15B2EE000

On every server, run

Enable-ExchangeCertificate -Thumbprint 0C39B15E559A99D313A428A6734007D15B2EE000 -Services SMTP

If this doesn't work, you can try and
1. Remove the self-signed certificate
2. Then run the above
:Martina
July 28th, 2011 2:17pm
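Added example (editor's addition, not code from this thread or from either poster): the steps Martina lists above as one Exchange 2010 Management Shell script that dry-runs by default. It also covers the part that normally decides which certificate an IMAP client sees: Exchange 2010 will not let you unassign SMTP from the self-signed certificate, and when more than one certificate is enabled for SMTP it picks the one whose subject or SAN matches the FQDN configured on the receive connector the client connected to. IMAP/POP clients submit on port 587 through the "Client <server>" connector, so that connector's FQDN has to be the public name the SAN certificate carries. The public name (mail.xyz.com) and the connector identity ("EXCH1\Client EXCH1") are placeholders for this environment; the script changes nothing unless run with -Apply, and it never removes the self-signed certificate.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell on the
# server that IMAP clients submit mail through. Dry-run by default; -Apply commits.
# Placeholders (assumptions): mail.xyz.com is the public SMTP name carried by the SAN
# certificate, "EXCH1\Client EXCH1" is the port 587 connector those clients use.
param(
    [string]$PublicSmtpName  = 'mail.xyz.com',
    [string]$ClientConnector = 'EXCH1\Client EXCH1',
    [switch]$Apply
)

# Does a CertificateDomains entry cover the name? Exact match, or a single-label wildcard
# (*.xyz.com covers mail.xyz.com but not mail.sub.xyz.com).
function Test-CertCoversName {
    param([string[]]$Domains, [string]$Name)
    foreach ($d in $Domains) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($d.Substring(1)) + '$'
            if ($Name -imatch $pattern) { return $true }
        }
    }
    return $false
}

# 1. Pick a CA-issued, unexpired certificate with a private key that carries the public name.
#    The self-signed certificate (IsSelfSigned = True, RootCAType = Registry) is excluded.
$cert = Get-ExchangeCertificate |
    Where-Object {
        -not $_.IsSelfSigned -and $_.HasPrivateKey -and $_.Status -eq 'Valid' -and
        $_.NotAfter -gt (Get-Date).AddDays(30) -and
        (Test-CertCoversName -Domains $_.CertificateDomains -Name $PublicSmtpName)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No valid CA-issued certificate on this server covers $PublicSmtpName. Fix the certificate first."
}
Write-Host ("Using {0}  {1}  expires {2}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter)

# 2. Make sure SMTP is among its services. The self-signed certificate stays in place:
#    Exchange keeps it bound to SMTP and other Exchange servers may still rely on it.
if (([string]$cert.Services) -notmatch 'SMTP') {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -WhatIf:(-not $Apply)
} else {
    Write-Host 'Certificate is already enabled for SMTP.'
}

# 3. STARTTLS certificate selection goes by connector FQDN, so the client connector must
#    advertise the public name. Only the client (587) connector: the "Default <server>"
#    connector's FQDN must stay the server's own name for Exchange Server authentication.
$rc = Get-ReceiveConnector -Identity $ClientConnector
if (([string]$rc.Fqdn) -ine $PublicSmtpName) {
    Write-Host ("Connector FQDN is '{0}', changing to '{1}'" -f $rc.Fqdn, $PublicSmtpName)
    Set-ReceiveConnector -Identity $ClientConnector -Fqdn $PublicSmtpName -WhatIf:(-not $Apply)
} else {
    Write-Host 'Connector FQDN already matches.'
}

# 4. Show what the connector and the transport servers now reference.
Get-ReceiveConnector -Identity $ClientConnector | Format-List Identity, Fqdn, Bindings, AuthMechanism
Get-TransportServer | Format-Table Name, InternalTransportCertificateThumbprint -AutoSize
```

Run it once without -Apply and read the WhatIf lines, then with -Apply. When Enable-ExchangeCertificate is run for SMTP interactively it asks whether to overwrite the existing default SMTP certificate; answer No unless you mean to change the internal transport certificate as well (the Get-TransportServer output above already shows the GoDaddy thumbprint on EXCH1 and EXCH2). After the change, a connector whose FQDN matches no SMTP-enabled certificate logs MSExchangeTransport event 12014 ("could not find a certificate that contains the domain name ..."), so an empty Application log after a test submission is the internal check; the external check is openssl s_client -starttls smtp -connect mail.xyz.com:587 from outside, confirming that the certificate returned carries the public name.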

I'm a little hesitant to try anything if you have some doubts lol. I don't want there to be (and there can't be) any fallout or loss of service, so I would rather not delete any certs without knowing for sure that it will work (I have heard in other posts that those self-signed auto-generated certs are needed for certain inter-Exchange communications?)...
July 28th, 2011 3:40pm

You can create a new DNS zone for your external DNS domain on your internal DNS server. Copy in the records like www and also add the records for your internal mail services. That way clients outside point to the outside IP and clients inside point to the inside IP, all without reconfiguration. This will also allow you to have a certificate with only the outside domain name. Mike Crowley | MVP My Blog -- Planet Technologies
July 28th, 2011 7:03pm


What I mean by that is under "Server Configuration" --> EXCH1 (under the server name at the top of the page). Then in the bottom window the certificates appear for Exchange. The SAN certificate is listed as well as the "Microsoft Exchange" self-signed cert. When I click "Assign Services to Certificate" on the self-signed cert the SMTP box is checked and grayed out. Here is the output of Get-ExchangeCertificate | fl:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchange.xyz.com, www.exchange.xyz.com, smschsexch1.xyz.com, smschsexch2.xyz.com, xyz.com, autodiscover.xyz.com, imap.xyz.com, mail.xyz.com, smschsexch3.xyz.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 3/15/2016 11:18:47 AM
NotBefore          : 3/15/2011 11:18:47 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 27A755F988426B
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=exchange.xyz.com, OU=Domain Control Validated, O=exchange.xyz.com
Thumbprint         : 0C39B15E559A99D313A428A6734007D15B2EE000

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exch1, exch1.abc.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=exch1
NotAfter           : 3/10/2016 5:07:44 PM
NotBefore          : 3/10/2011 5:07:44 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1F12A05E567FD998455620F7F8FD117D
Services           : SMTP
Status             : Valid
Subject            : CN=exch1
Thumbprint         : 93C7FEBF1F4FC53D6F948EC40C4EB3624BD8B3EA
July 28th, 2011 8:30pm

Here is the output:

Name    InternalTransportCertificateThumbprint
----    --------------------------------------
EXCH1   0C39B15E559A99D313A428A6734007D15B2EE000
EXCH2   0C39B15E559A99D313A428A6734007D15B2EE000
extmg1  991DB6441F81467596D93A96A44991694916A0C8
extmg2  87CD7903BA4D1311F19E255CDD9A73F660A33AB4

Now, I want the SAN certificate (with the domain that we have authority over) as the primary SMTP certificate, just so we're clear :).
July 28th, 2011 8:49pm

This topic is archived. No further replies will be accepted.
