We use SMTP on our Exchange Servers to provide authenticated SMTP email service for those who use email clients that require SMTP to send email. After a certificate expiry, any SMTP connection to the server that attempted to use STARTTLS would fail. For example:
$ openssl s_client -starttls smtp exchange1.domain.com:587
CONNECTED(00000003)
Didn't find STARTTLS in server response, trying anyway...
The issue was that the old certificate had become invalid but was still bound to the SMTP receive connector. We'd already installed the new certificate on the server; we just needed to swap it in. You can do this as follows. First, get the list of certificates installed on the server:
Get-ExchangeCertificate -Server exchange1
Then run this to see which certificate the receive connector is currently using (look at the TlsCertificateName property in the output):
get-receiveconnector "EXCHANGE1\Client Frontend EXCHANGE1" | select *
From the first command you'll see a list of thumbprints. Identify the one you want to use, i.e. your new certificate. Once you have found the correct thumbprint:
$cert = Get-ExchangeCertificate -Thumbprint <as per the output>
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
Finally you can set the certificate on the receive connector using the following command:
Set-ReceiveConnector "EXCHANGE1\Client Frontend EXCHANGE1" -TlsCertificateName $tlscertificatename
Once that is done, repeat the test using OpenSSL and you should find the server responds as expected. You shouldn't need to restart any services (e.g. the Microsoft Exchange Transport service) for the new certificate to take effect.
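The same swap, written as an added audit script (not part of the original post or of Exchange itself): it finds every receive connector on a server whose bound certificate is expired or about to expire, checks that the replacement is valid and enabled for SMTP, and rebinds the connector. It assumes an Exchange Management Shell session; $Server, $NewThumbprint and $WarnDays are placeholders to adjust.

```powershell
# Added example, not from the original post: audit the receive connectors on a server for
# TLS certificates that are expired or about to expire, then rebind them to a replacement.
# Assumes an Exchange Management Shell session; the three values below are placeholders.
$Server        = "EXCHANGE1"
$NewThumbprint = "<thumbprint of the replacement certificate>"
$WarnDays      = 30

# Group the server's certificates by the "<i>Issuer<s>Subject" string that Exchange keeps in
# TlsCertificateName. Hashtable keys are case-insensitive, so "<I>...<S>..." matches too.
$byName = @{}
foreach ($c in Get-ExchangeCertificate -Server $Server) {
    $name = "<i>$($c.Issuer)<s>$($c.Subject)"
    if (-not $byName.ContainsKey($name)) { $byName[$name] = @() }
    $byName[$name] += $c
}

# Sanity-check the replacement before touching any connector.
$new = Get-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint -ErrorAction Stop
if ($new.NotAfter -lt (Get-Date)) { throw "Replacement $NewThumbprint has already expired" }
if ($new.Services -notmatch "SMTP") { Write-Warning "Replacement is not enabled for the SMTP service" }
$newName = "<i>$($new.Issuer)<s>$($new.Subject)"
if ($byName[$newName].Count -gt 1) {
    # A renewal from the same CA with the same subject produces an identical name; Exchange
    # resolves the name to a certificate itself, so the stale one should be removed.
    Write-Warning "More than one installed certificate matches '$newName'"
}

foreach ($rc in Get-ReceiveConnector -Server $Server) {
    $current = $rc.TlsCertificateName
    if (-not $current) {
        Write-Output "$($rc.Identity): no explicit TlsCertificateName, default certificate in use"
        continue
    }
    $bound = $byName["$current"]
    if (-not $bound) {
        Write-Warning "$($rc.Identity): TlsCertificateName matches no installed certificate"
        continue
    }
    $expiring = $bound | Where-Object { $_.NotAfter -lt (Get-Date).AddDays($WarnDays) }
    if ($expiring) {
        $expiring | ForEach-Object {
            Write-Warning ("{0}: certificate {1} expires {2}" -f $rc.Identity, $_.Thumbprint, $_.NotAfter)
        }
        # -Confirm prompts before each change; drop it once the output looks right.
        Set-ReceiveConnector -Identity $rc.Identity -TlsCertificateName $newName -Confirm
        Write-Output "$($rc.Identity): rebound to $NewThumbprint; re-test with openssl s_client -starttls smtp"
    }
}
```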