While recently working for a client on an Exchange 2013 Hybrid deployment with centralised mail transport, they were not receiving email in Exchange Online (EOL) from their on-premises environment. A "454 4.7.5 certificate validation failure" error was logged on the server.
I found the problem was due to the configuration of the TLS certificate. They were using a mail.domain.com certificate for their CAS servers/URLs but had a *.domain.com wildcard certificate on their Edge servers. I resolved the issue by installing the wildcard certificate on the CAS boxes and re-running the Hybrid Configuration Wizard, but I could also have installed the mail.domain.com certificate on the Edge servers.
Another possible cause is the certificate having expired or been renewed without the send connector being updated, which is documented by David Smith at https://texmx.net/2014/08/19/update-send-connector-ssl-certificate-for-hybrid-configuration/
Open Exchange Management Shell on the on-premises Exchange server
Run Get-ExchangeCertificate, and note the Thumbprint of the correct certificate to be used.
Run $cert = Get-ExchangeCertificate -Thumbprint <thumbprint>
Set a new variable and assign it the concatenated values of the Issuer and Subject values of the certificate (must also include <I> and <S> before each field):
$TLSCert = ('<I>'+$cert.Issuer+'<S>'+$cert.Subject)
Update the send connector with the new values
Set-SendConnector -Identity "Send Connector Name" -TLSCertificateName $TLSCert
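The steps above, carried through as one script with the checks I would want before committing the change. This is an added example and not code from the original post or from David Smith's article; it is meant for the Exchange Management Shell on the on-premises server. The thumbprint value and the connector name 'Outbound to Office 365' are placeholders you must replace with your own.

```powershell
# Added example (not from the original post): refresh the hybrid send connector's
# TLSCertificateName after a certificate renewal, verifying the certificate first.
# $Thumbprint and $ConnectorName are placeholders, not values from the post.

$Thumbprint    = 'PLACEHOLDER_THUMBPRINT'     # copy from the Get-ExchangeCertificate output below
$ConnectorName = 'Outbound to Office 365'     # assumed connector name; use your own

# 1. List the installed certificates so the correct thumbprint can be chosen.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Issuer, NotAfter, Services |
    Format-Table -AutoSize

# 2. Load the chosen certificate and sanity-check it before binding it to the connector.
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint

if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); renew it before updating the connector."
}
if ($cert.Services -notmatch 'SMTP') {
    throw "Certificate $($cert.Thumbprint) is not enabled for SMTP; run Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP first."
}

# 3. Build the TLSCertificateName value in the <I>Issuer<S>Subject form Exchange expects.
$TLSCert = '<I>' + $cert.Issuer + '<S>' + $cert.Subject

# 4. Record the current value, apply the new one, then read it back for comparison.
$before = (Get-SendConnector -Identity $ConnectorName).TLSCertificateName
Write-Host "Current TLSCertificateName: $before"

Set-SendConnector -Identity $ConnectorName -TLSCertificateName $TLSCert

$after = (Get-SendConnector -Identity $ConnectorName).TLSCertificateName
Write-Host "Updated TLSCertificateName: $after"
if ("$after" -ne $TLSCert) {
    Write-Warning "Read-back value differs from the value set; check the connector in the EAC or re-run Get-SendConnector."
}
```

The expiry and SMTP-service checks catch the two cases that produce the same 454 4.7.5 symptom as a renewed-but-not-updated connector: a certificate that has lapsed, or one that is installed but never enabled for the SMTP service. If the send connector in your environment is sourced on Edge servers through EdgeSync (not covered by the post), the change only reaches the Edge after the next synchronisation run.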
Another article on this topic is by Paul Cunningham:
https://practical365.com/exchange-server/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/