START TLS Event 12014 (different internal/external names)

Hello,

I have an exchange server with external name mail.domain.com and internal name mail.domain.local.

In event log I get the event ID 12014:

Microsoft Exchange could not find a certificate that contains the domain name mail.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default MAIL with a FQDN parameter of mail.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

I have certificate for *.domain.com which is assigned to all exchange servers. What are my options here to resolve the problem? If I generate a certificate in my internal CA for mail.domain.local will it work for TLS with exchange servers external to my organization?

If I try to change FQDN on connector I get the error:

If the AuthMechanism attribute on
a Receive connector contains the value ExchangeServer, you must set the
FQDN parameter on the Receive connector to one of the following values:
the FQDN of the transport server "mail.domain.local", the NetBIOS name
of the transport server "MAIL", or $null.


  • Edited by Aurimas N 21 hours 46 minutes ago
May 26th, 2015 4:29am

As a security best practice (although it may not be required for SMTP), you should make sure that,

  • The TLS certificate match the host name, i.e. you need a cert of mail.domain.local
  • It is issued by a trusted CA, i.e. it can be a internal CA which is trusted by the server which Exchange server communicate with

You need to enable the cert for SMTP service using Enable-ExchangeCertificate -Service SMTP

Free Windows Admin Tool Kit Click here and download it now
May 26th, 2015 5:04am

As a security best practice (although it may not be required for SMTP), you should make sure that,

  • The TLS certificate match the host name, i.e. you need a cert of mail.domain.local
  • It is issued by a trusted CA, i.e. it can be a internal CA which is trusted by the server which Exchange server communicate with

You need to enable the cert for SMTP service using Enable-ExchangeCertificate -Service SMTP

Thanks for advice.

How about using TLS with external servers? Is it possible to achieve this when internal server name is  mail.domain.local. I mean that external servers won't trust my internal CA so there is no way to make TLS work in this case?



May 26th, 2015 10:27am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics