Anyone using Exchange 2016 in conjunction with a wildcard certificate should also configure the receive and send connectors accordingly. This may also be necessary for SAN certificates.
If the SAN certificate carries the domain name as its "Common Name (issued to)" rather than the host name of the Exchange server, problems occur, for example, when the SMTP connection is encrypted with STARTTLS. Here is an example of the Thunderbird mail client trying to establish an SMTP connection to an Exchange server via STARTTLS:
In this case, a SAN certificate was used in which the domain name (e.g. frankysweb.de) was entered as the common name rather than the host name (e.g. mail.frankysweb.de). The additional host names were specified as SAN attributes as usual.
The situation is similar for wildcard certificates, where the corresponding wildcard entry is normally set as the common name and SAN attribute (e.g. *.frankysweb.de).
To solve the problem, however, it is not necessary to replace the certificate; it is sufficient to configure the send and receive connectors accordingly.
Configuring the receive and send connector
First, the thumbprint of the certificate must be determined using the following command:
Get-ExchangeCertificate | where {$_.services -match "IIS"}
In this case, the certificate with the thumbprint "2B7B52B5BB8A3F53E048F4D875A41DCDC71C3910" is used. The thumbprint is used to form the TLS certificate name. This is done using the following commands:
$Cert = Get-ExchangeCertificate -Thumbprint 2B7B52B5BB8A3F53E048F4D875A41DCDC71C3910
# The TlsCertificateName value is the issuer and subject, tagged <I> and <S>
$TLSCertificateName = "<I>$($Cert.Issuer)<S>$($Cert.Subject)"
$TLSCertificateName
Now the certificate can be assigned to the corresponding SMTP frontend connectors. To do this, the names of the connectors must first be determined:
Get-ReceiveConnector
The connectors with bindings on ports 25 and 587 are selected, in this case "Exchange\Default Frontend Exchange" and "Exchange\Client Frontend Exchange". The certificate can now be bound to these two connectors:
Set-ReceiveConnector "EXCHANGE\Default Frontend EXCHANGE" -TlsCertificateName $TLSCertificateName
Set-ReceiveConnector "EXCHANGE\Client Frontend EXCHANGE" -TlsCertificateName $TLSCertificateName
To ensure that the certificate is also used for outgoing SMTP connections, it can also be bound to the send connector in the same way:
Get-SendConnector
Get-SendConnector | Set-SendConnector -TlsCertificateName $TLSCertificateName
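The whole procedure above, as an added example that is not part of the original article: the script picks the certificate bound to IIS on the local server, builds the TlsCertificateName value, finds every receive connector that listens on port 25 or 587 instead of relying on hard-coded connector names, binds the certificate to those connectors and to the send connectors, and then prints the result for verification. It assumes exactly one certificate is assigned to the IIS service on the server and is meant to be run in the Exchange Management Shell.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Assumption: exactly one certificate on this server has the IIS service assigned.
$ErrorActionPreference = 'Stop'
$Server = $env:COMPUTERNAME

# 1. Pick the certificate that is already bound to IIS (the one clients trust).
$Cert = @(Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' })
if ($Cert.Count -ne 1) {
    throw "Expected exactly one IIS certificate on $Server, found $($Cert.Count); pass -Thumbprint explicitly."
}
$Cert = $Cert[0]
if ($Cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($Cert.Thumbprint) expired on $($Cert.NotAfter)."
}

# 2. Build the TlsCertificateName value: issuer and subject, tagged <I> and <S>.
$TLSCertificateName = "<I>$($Cert.Issuer)<S>$($Cert.Subject)"
Write-Host "Using certificate $($Cert.Thumbprint):`n$TLSCertificateName"

# 3. Select the receive connectors on this server with a binding on port 25 or 587.
#    Restricting to -Server matters: the certificate must exist in the local store
#    of every server whose connectors reference it.
$SmtpPorts = 25, 587
$Connectors = Get-ReceiveConnector -Server $Server | Where-Object {
    $ports = $_.Bindings | ForEach-Object { $_.Port }
    @($ports | Where-Object { $_ -in $SmtpPorts }).Count -gt 0
}
if (-not $Connectors) { throw "No receive connector on $Server listens on port 25 or 587." }

# 4. Bind the certificate to the selected receive connectors and to all send connectors.
foreach ($rc in $Connectors) {
    Write-Host "Binding certificate to receive connector '$($rc.Identity)'"
    Set-ReceiveConnector -Identity $rc.Identity -TlsCertificateName $TLSCertificateName
}
Get-SendConnector | ForEach-Object {
    Write-Host "Binding certificate to send connector '$($_.Identity)'"
    Set-SendConnector -Identity $_.Identity -TlsCertificateName $TLSCertificateName
}

# 5. Verify: every selected connector should now show the same TlsCertificateName.
Get-ReceiveConnector -Server $Server |
    Select-Object Identity, @{n='Ports'; e={ ($_.Bindings | ForEach-Object { $_.Port }) -join ',' }}, TlsCertificateName |
    Format-Table -AutoSize
Get-SendConnector | Select-Object Identity, TlsCertificateName | Format-Table -AutoSize
```

Selecting connectors by their port bindings rather than by name avoids missing a renamed or additional frontend connector, and the explicit expiry check prevents binding a certificate that STARTTLS clients would reject anyway.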
You can test whether STARTTLS works using the following website:
The result is then displayed accordingly:
You can also check whether TLS was used by looking at the e-mail header. Here is an example of a Received header showing version=TLS1_2:
Received: from EXCHANGE.frankysweb.de () by EXCHANGE.frankysweb.de
() with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1415.2; Sun, 11 Feb
2018 20:49:12 +0100
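To check a whole message rather than reading one header by eye, the following added example (not part of the original article) unfolds the Received headers of a message, extracts the TLS version and cipher that Exchange records for each hop, and flags hops that used no TLS or a legacy protocol version. The header block is constructed for the example and modelled on the Received header shown above; the second hop with no version information is invented to show how an unencrypted hop is reported.

```powershell
# Added example (not from the original article). Constructed header block:
# the first hop is modelled on the article's example, the second is a
# hypothetical hop that recorded no TLS information.
$Headers = @'
Received: from EXCHANGE.frankysweb.de () by EXCHANGE.frankysweb.de
 () with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1415.2; Sun, 11 Feb
 2018 20:49:12 +0100
Received: from relay.example.net () by EXCHANGE.frankysweb.de
 () with Microsoft SMTP Server id 15.1.1415.2; Sun, 11 Feb
 2018 20:48:50 +0100
'@

function Get-ReceivedTlsInfo {
    param([Parameter(Mandatory)][string]$HeaderText)

    # Unfold RFC 5322 continuation lines (leading whitespace) onto their header line.
    $unfolded = $HeaderText -replace "`r?`n[ \t]+", ' '

    foreach ($line in ($unfolded -split "`r?`n")) {
        # Only Received headers with a "from ... by ..." trace are of interest.
        if ($line -notmatch '^Received:\s+from\s+(\S+)\s.*?\bby\s+(\S+)') { continue }
        $from = $Matches[1]
        $by   = $Matches[2]

        # Exchange writes "version=TLS1_2, cipher=..." only when the hop was encrypted.
        $version = if ($line -match 'version=(TLS[0-9_]+)') { $Matches[1] } else { $null }
        $cipher  = if ($line -match 'cipher=([A-Z0-9_]+)')  { $Matches[1] } else { $null }

        [pscustomobject]@{
            From    = $from
            By      = $by
            Tls     = [bool]$version
            Version = $version
            Cipher  = $cipher
            Legacy  = ($version -in 'TLS1_0', 'TLS1_1')   # protocol versions to retire
        }
    }
}

Get-ReceivedTlsInfo -HeaderText $Headers | Format-Table -AutoSize
```

Paste the raw headers of a received message into `$Headers` (or read them from a file with `Get-Content -Raw`) to see, hop by hop, whether the connectors configured above actually negotiated TLS and which cipher suite was used.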