Small problem when changing certificates

9 Posts
2 Users
0 Reactions
4,298 Views
(@basinski)
Eminent Member
Joined: 3 years ago
Posts: 17
Topic starter  

Hello everyone!
I once again had to change the wildcard certificates on our Exchange 2016.
As always, I followed Frank's instructions:
https://www.frankysweb.de/exchange-2016-smtp-connector-und-wildcard-san-zertifikate/

I ran into the same problems as described in the comments, but fortunately there was also a solution that led to success, and thanks to the comments I finally managed it via PowerShell.
Here is a summary of what I have done (PS):

# Import of the new certificate with command
# Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('E:\Script\ExChange2022.pfx')) -Password (ConvertTo-SecureString -String ******** -AsPlainText -Force)
Get-ExchangeCertificate
# Thumbprint of the newly imported certificate, as listed by Get-ExchangeCertificate
$NewCertificate = "1809259D7212234095DE61A53F859D62D1D4A6AA"
$TLSCert = Get-ExchangeCertificate -Thumbprint $NewCertificate
# TlsCertificateName must have the form <I>Issuer<S>Subject
$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"
Enable-ExchangeCertificate -Thumbprint $NewCertificate -Services SMTP,IIS
Set-ReceiveConnector "EXCHANGE2016\Default Frontend EXCHANGE2016" -TlsCertificateName $TLSCertName
Set-ReceiveConnector "EXCHANGE2016\Client Frontend EXCHANGE2016" -TlsCertificateName $TLSCertName
Set-SendConnector "To Internet" -TlsCertificateName $TLSCertName

Now I wanted to delete the old certificate in EAC because it has expired anyway.
Here, however, it complains because the old certificate is supposedly still bound to the send connector.
How can I check this or how do I disable the SendConnector?

I'm a bit stumped at the moment. Maybe someone can help me.

Greetings Sascha


NorbertFe
(@norbertfe)
Joined: 4 years ago
Posts: 1620
 
Posted by: @basinski

Here, however, it complains because the old certificate is supposedly still bound to the send connector.

Do you have the exact error message? Or are you only configuring the receive connectors with your commands above? If it is complaining about the send connector, you need to configure that one with the new certificate as well.



(@basinski)
Eminent Member
Joined: 3 years ago
Posts: 17
Topic starter  

@norbertfe
I have configured the SendConnector with the command

Set-SendConnector "To Internet" -TlsCertificateName $TLSCertName

also equipped with the new certificate.

The following message appears when deleting:

Deleting the ExChange2021 certificate on the Exchange2016.coesfeld-main.de server can affect various Exchange services. Would you like to delete this certificate?

In the EAC, "SMTP" is still displayed under services for the old certificate.

How can I remove it before deleting it?


NorbertFe
(@norbertfe)
Joined: 4 years ago
Posts: 1620
 

Export the old certificate with private key and then remove it.



(@basinski)
Eminent Member
Joined: 3 years ago
Posts: 17
Topic starter  

@norbertfe

That has worked so far.
How can I now check which certificate the SendConnector is using?

just to be on the safe side! :-)


NorbertFe
(@norbertfe)
Joined: 4 years ago
Posts: 1620
 

https://www.checktls.com for sending and receiving.



(@basinski)
Eminent Member
Joined: 3 years ago
Posts: 17
Topic starter  

Thank you...everything is running!


(@basinski)
Eminent Member
Joined: 3 years ago
Posts: 17
Topic starter  

Small update.
It seems that something has gone badly wrong.
This morning I am being bombarded by users with messages that are either not being delivered or are being delayed.

The message looks something like this:

Delivery to the following recipients or groups will be delayed:
This message has not yet been delivered. An attempt is still being made to deliver the message.
The server will try to deliver the message for another 1 day, 19 hours and 51 minutes. You will receive a notification if the message could not be delivered by then.

Diagnostic information for administrators:

Generating server: Exchange2016.coesfeld-main.de

xxxx@xxxxx.com
Server returned '400 4.4.7 Message delayed'

Original message headers:

Received: from Exchange2016.coesfeld-main.de (192.168.100.5) by
Exchange2016.coesfeld-main.de (192.168.100.5) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2507.12; Thu, 15 Sep 2022 15:05:59 +0200
Received: from Exchange2016.coesfeld-main.de ([fe80::5042:d67a:6159:7473]) by
Exchange2016.coesfeld-main.de ([fe80::5042:d67a:6159:7473%3]) with mapi id
15.01.2507.012; Thu, 15 Sep 2022 15:05:59 +0200
From: Sascha Basinski
To: "xx"
Subject: xxx
Thread-Topic: xxx
Thread-Index: AdjJA7KF8evA+FmkSVyyZhUG4w2/GQ==
Date: Thu, 15 Sep 2022 13:05:59 +0000
Message-ID:
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.100.80]
x-esetresult: clean, is OK
x-esetid: 37303A29EABC8D556D716B
Content-Type: multipart/alternative;
boundary="_000_c434c5d85fd64867bdc48d357ab5d629coesfeldcom_"
MIME-Version: 1.0

A quick look at the send queue on the server shows a number of mails that have piled up.

I can't quite piece together the error message right now, but it said something about the specified certificate in the SendConnector could not be found.

So it doesn't seem to have worked out that way after all.
I have now helped myself by creating a new SendConnector and deactivating the old one.
And bang, the emails went out...

Again my question from yesterday. Is there somewhere to check which certificate is used by the SendConnector?
Since I have now created a new one and have not explicitly assigned a certificate to it via the shell, I would like to see which one it uses.

CheckTLS also seems to be ok:
seconds lookup result
[000.000] DNS LOOKUPS
[000.010] SEARCHLIST 104.131.108.216,134.209.169.224,1.1.1.1,8.8.8.8,67.207.67.3
[000.013] MX (10) webmail.coesfeld.com
[000.015] MX:A-->webmail.coesfeld.com 80.151.64.154
seconds test stage and result
[000.000] Trying TLS on webmail.coesfeld.com[80.151.64.154:25] (10)
[000.095] Server answered
[000.190] <-- 220 Exchange2016.coesfeld-main.de Microsoft ESMTP MAIL Service ready at Fri, 16 Sep 2022 08:52:57 +0200
[000.190] We are allowed to connect
[000.190] --> EHLO www11-do.CheckTLS.com
[000.285] <-- 250-Exchange2016.coesfeld-main.de Hello [167.71.160.115]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
[000.285] We can use this server
[000.285] TLS is an option on this server
[000.285] --> STARTTLS
[000.380] <-- 220 2.0.0 SMTP server ready
[000.380] STARTTLS command works on this server
[000.590] Connection converted to SSL
SSLVersion in use: TLSv1_2
Cipher in use: ECDHE-RSA-AES128-GCM-SHA256
Perfect Forward Secrecy: yes
Session Algorithm in use: Curve P-256 DHE(256 bits)
Certificate #1 of 3 (sent by MX):
Cert VALIDATED: ok
Cert Hostname VERIFIED (webmail.coesfeld.com = *.coesfeld.com | DNS:*.coesfeld.com | DNS:coesfeld.com)
Not Valid Before: Sep 6 00:00:00 2022 GMT
Not Valid After: Sep 16 23:59:59 2023 GMT
subject: /CN=*.coesfeld.com
issuer: /C=US/O=DigiCert, Inc./CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1
Certificate #2 of 3 (sent by MX):
Cert VALIDATED: ok
Not Valid Before: May 4 00:00:00 2022 GMT
Not Valid After: Nov 9 23:59:59 2031 GMT
subject: /C=US/O=DigiCert, Inc./CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Certificate #3 of 3 (added from CA Root Store):
Cert VALIDATED: ok
Not Valid Before: Nov 10 00:00:00 2006 GMT
Not Valid After: Nov 10 00:00:00 2031 GMT
subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
[000.805] ~~> EHLO www11-do.CheckTLS.com
[000.901] <~~ 250-Exchange2016.coesfeld-main.de Hello [167.71.160.115]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
[000.901] TLS successfully started on this server
[000.901] ~~> MAIL FROM:
[000.997] <~~ 250 2.1.0 Sender OK
[000.997] Sender is OK
[000.997] ~~> QUIT
[001.092] <~~ 221 2.0.0 Service closing transmission channel



NorbertFe
(@norbertfe)
Joined: 4 years ago
Posts: 1620
 
Posted by: @basinski

I can't quite piece together the error message right now, but it said something about the specified certificate in the SendConnector could not be found.

However, this could/must have been seen in the event log. In my opinion, you made the change correctly. But if it works now, that's ok.

Posted by: @basinski

Again my question from yesterday. Is there somewhere to check which certificate is used by the SendConnector?

The answer is still checktls. :/

https://www.checktls.com/TestSender


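The question asked twice in this thread, which certificate a connector is actually bound to, can also be answered from the Exchange Management Shell rather than from outside via CheckTLS. The following script is an added example, not code from the thread or from frankysweb.de; it assumes only the standard Get-SendConnector, Get-ReceiveConnector and Get-ExchangeCertificate cmdlets, and the function name Resolve-ConnectorCertificate is made up here.

```powershell
# Added example (not from the thread or frankysweb.de). Reads the TlsCertificateName of every
# send and receive connector, parses the "<I>Issuer<S>Subject" string and looks the pair up in
# the local certificate store, so a connector that still references a deleted certificate
# shows up as "Missing" before mail starts queueing with "4.4.7 Message delayed".
$certs = @(Get-ExchangeCertificate)

function Resolve-ConnectorCertificate {
    param($Connector, [string]$Kind)   # $Kind ("Send"/"Receive") is only a label for the report
    $result = [ordered]@{
        Kind = $Kind; Connector = $Connector.Identity
        Status = ''; Thumbprints = ''; NotAfter = $null
    }
    $name = [string]$Connector.TlsCertificateName
    if ([string]::IsNullOrWhiteSpace($name)) {
        # Nothing bound explicitly: Exchange selects a certificate on its own
        $result.Status = 'NotSet'
        return [pscustomobject]$result
    }
    $m = [regex]::Match($name, '^<I>(.*)<S>(.*)$')
    if (-not $m.Success) {
        $result.Status = 'Unparseable'
        return [pscustomobject]$result
    }
    $issuer  = $m.Groups[1].Value
    $subject = $m.Groups[2].Value
    $hits = @($certs | Where-Object { $_.Issuer -eq $issuer -and $_.Subject -eq $subject })
    switch ($hits.Count) {
        0       { $result.Status = 'Missing' }      # referenced certificate no longer in the store
        1       { $result.Status = if ($hits[0].NotAfter -lt (Get-Date)) { 'Expired' } else { 'OK' } }
        default { $result.Status = 'Ambiguous' }    # several certificates share issuer and subject
    }
    $result.Thumbprints = ($hits | ForEach-Object Thumbprint) -join ','
    $result.NotAfter    = ($hits | Sort-Object NotAfter | Select-Object -Last 1).NotAfter
    [pscustomobject]$result
}

$report  = @()
$report += Get-SendConnector    | ForEach-Object { Resolve-ConnectorCertificate $_ 'Send' }
$report += Get-ReceiveConnector | ForEach-Object { Resolve-ConnectorCertificate $_ 'Receive' }
$report | Format-Table -AutoSize

# Anything other than OK or NotSet needs attention before an old certificate is removed
$report | Where-Object { $_.Status -notin 'OK', 'NotSet' }
```

Note that a renewed wildcard from the same CA has the same issuer and subject as its predecessor, so the TlsCertificateName string alone cannot tell the two apart; the Thumbprints column shows which certificates are candidates in that case.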