START TLS Event 12014 (different internal/external names)

Hello,

I have an exchange server with external name mail.domain.com and internal name mail.domain.local.

In event log I get the event ID 12014:

Microsoft Exchange could not find a certificate that contains the domain name mail.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default MAIL with a FQDN parameter of mail.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

I have certificate for *.domain.com which is assigned to all exchange servers. What are my options here to resolve the problem? If I generate a certificate in my internal CA for mail.domain.local will it work for TLS with exchange servers external to my organization?

If I try to change FQDN on connector I get the error:

If the AuthMechanism attribute on a Receive connector contains the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server "mail.domain.local", the NetBIOS name of the transport server "MAIL", or $null.


  • Edited by Aurimas N Tuesday, May 26, 2015 9:42 AM
May 26th, 2015 8:27am

As a security best practice (although it may not be required for SMTP), you should make sure that,

  • The TLS certificate matches the host name, i.e. you need a cert for mail.domain.local
  • It is issued by a trusted CA, i.e. it can be an internal CA which is trusted by the servers that the Exchange server communicates with

You need to enable the cert for SMTP service using Enable-ExchangeCertificate -Service SMTP

May 26th, 2015 9:03am


Thanks for advice.

How about using TLS with external servers? Is it possible to achieve this when the internal server name is mail.domain.local? I mean that external servers won't trust my internal CA, so there is no way to make TLS work in this case?



  • Edited by Aurimas N Wednesday, May 27, 2015 7:19 AM
May 26th, 2015 2:26pm

Hi,

Here's an article about "Microsoft Exchange could not load the STARTTLS certificate from the local store because it did not match the FQDN from the connector configuration":
https://technet.microsoft.com/en-us/library/bb217330(v=exchg.80).aspx

For your question, please run Get-ExchangeCertificate | FL Identity,Issuer,Services,Subject,Status,*Domain* to check whether the internal name mail.domain.local is present in the certificate that has the SMTP service enabled.
We need to regenerate a self-signed Exchange certificate which contains all relevant names, then enable it for the SMTP service.
Besides, I found a similar thread about your question. For your convenience:
https://social.technet.microsoft.com/Forums/exchange/en-US/20a7fde2-baf9-4a22-b297-6bde92ebbd2a/eventid-12014-could-not-find-a-certificate-that-contains-the-domain-name-

Thanks

May 27th, 2015 5:21am





You can configure your send connector to use mail.domain.com while communicating with external servers, and the certificate for that name should be issued by a trusted public CA.

Set-SendConnector -Identity "<Internet send connector name>" -Fqdn mail.domain.com

May 27th, 2015 7:32am
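The checks described in this thread (which certificate has SMTP enabled, whether its names cover each connector's FQDN, and what the effective FQDN is when the connector's is empty) combined into one diagnostic script. This is an added example, not code from the thread; it assumes it is run in the Exchange Management Shell on the transport server being checked and uses only the standard Get-ExchangeCertificate, Get-ReceiveConnector and Get-SendConnector cmdlets.

```powershell
# Added diagnostic (not from the thread): list every Receive and Send connector whose
# effective FQDN is not covered by a certificate that has the SMTP service enabled.
# That is exactly the condition behind event 12014. Run in the Exchange Management Shell.

function Test-FqdnCovered {
    # Does any name in $CertDomains cover $Fqdn? A wildcard such as *.domain.com covers
    # mail.domain.com only: one label, same suffix. It never covers mail.domain.local.
    param([string]$Fqdn, [string[]]$CertDomains)
    foreach ($domain in $CertDomains) {
        if ($domain -eq $Fqdn) { return $true }
        if ($domain.StartsWith('*.') -and
            $Fqdn.Split('.').Count -eq $domain.Split('.').Count -and
            $Fqdn -like $domain) { return $true }
    }
    return $false
}

function Get-SmtpFqdnCoverage {
    $computerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    # Only certificates already enabled for SMTP and not yet expired can serve STARTTLS.
    $smtpCerts = Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match 'SMTP' -and $_.NotAfter -gt (Get-Date) }

    $connectors = @()
    $connectors += Get-ReceiveConnector -Server $env:COMPUTERNAME |
        ForEach-Object { New-Object PSObject -Property @{ Type = 'Receive'; Identity = "$($_.Identity)"; Fqdn = "$($_.Fqdn)" } }
    $connectors += Get-SendConnector |
        ForEach-Object { New-Object PSObject -Property @{ Type = 'Send'; Identity = "$($_.Identity)"; Fqdn = "$($_.Fqdn)" } }

    foreach ($c in $connectors) {
        # As the 12014 text says: an empty connector FQDN means the computer's FQDN is used.
        $effective = if ([string]::IsNullOrEmpty($c.Fqdn)) { $computerFqdn } else { $c.Fqdn }
        $match = $smtpCerts |
            Where-Object { Test-FqdnCovered -Fqdn $effective -CertDomains @($_.CertificateDomains | ForEach-Object { "$_" }) } |
            Select-Object -First 1
        New-Object PSObject -Property @{
            Type          = $c.Type
            Identity      = $c.Identity
            EffectiveFqdn = $effective
            Covered       = [bool]$match
            Thumbprint    = if ($match) { $match.Thumbprint } else { $null }
        }
    }
}

# Rows with Covered = False are the connectors that will log 12014. For a Receive connector
# with AuthMechanism ExchangeServer (FQDN pinned to the server name) the fix is a certificate
# containing mail.domain.local, e.g. from the internal CA; for an Internet Send connector,
# set -Fqdn to the public name that the public-CA certificate covers.
Get-SmtpFqdnCoverage | Format-Table Type, Identity, EffectiveFqdn, Covered, Thumbprint -AutoSize
```

After issuing or importing a certificate, run Enable-ExchangeCertificate -Services SMTP on it and re-run the script; a connector row should flip to Covered = True without restarting the transport service.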

This topic is archived. No further replies will be accepted.
