Exchange 2016: SMTP Connector and wildcard / SAN certificates

Anyone using Exchange 2016 in conjunction with a wildcard certificate should also configure the receive and send connectors accordingly. This may also be necessary for SAN certificates.

If the SAN certificate contains the domain name as the "Common Name (issued for)" and not the corresponding server name of the Exchange server, problems occur, for example, when encrypting the SMTP connection using STARTTLS. Here is an example of the Thunderbird mail client that wants to establish an SMTP connection to an Exchange server via STARTTLS:

In this case, a SAN certificate was used which entered the domain name (e.g. frankysweb.de) as the common name and not the host name (e.g. mail.frankysweb.de). The additional host names were specified as SAN attributes as usual.

The situation is similar for wildcard certificates, where the corresponding wildcard entry is normally set as the common name and SAN attribute (e.g. *.frankysweb.de).

To solve the problem, however, it is not necessary to replace the certificate; it is sufficient to configure the send and receive connectors accordingly.

Configuring the receive and send connector

First, the thumbprint of the certificate must be determined using the following command:

Get-ExchangeCertificate | where {$_.services -match "IIS"}

In this case, the certificate with the thumbprint "2B7B52B5BB8A3F53E048F4D875A41DCDC71C3910" is used. The thumbprint is used to form the TLS certificate name. This is done using the following commands:

$Cert = Get-ExchangeCertificate -Thumbprint 2B7B52B5BB8A3F53E048F4D875A41DCDC71C3910
$TLSCertificateName = "$($Cert.Issuer)$($Cert.Subject)"
$TLSCertificateName

Get-ReceiveConnector

Set-ReceiveConnector "EXCHANGE\Default Frontend EXCHANGE" -TlsCertificateName $TLSCertificateName
set-ReceiveConnector "EXCHANGE\Client Frontend EXCHANGE" -TlsCertificateName $TLSCertificateName

Get-SendConnector
Get-SendConnector | Set-SendConnector -TlsCertificateName $TLSCertificateName