Problem with SMTP Intra-Organization connector certificate

Rubberduck3000 196 Reputation points
2020-09-25T12:37:44.667+00:00

Hi!

Got Event ID 12035 in my event log:

Exchange was unable to load certificate mxm.contoso.local. More information: Is FrontEnd Proxy enabled: false. Original backend Server: mxm.CONTOSO.local. Send Connector Name from the original request: Send connector SMTP Intra-Organization.

I've got an mxm.contoso.local certificate in the local store, but it has the WebServer template.
Should I get another one with the Computer template?
Is there any way to change the certificate on an implicit connector?

Best regards, Alex.


Accepted answer
  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2020-09-25T20:36:43.493+00:00

    Ok, so it looks like you have two for mxm.contoso.local.
    The second one (Services: IMAP, POP) is one you generated from an internal Windows CA or a 3rd party, yes?

    What about the first one listed there? Where is that from?

    Services : None
    Subject : CN=mxm.contoso.local

    And where is the certificate named "Microsoft Exchange"? That's typically the cert used for internal message traffic.

    One of those (usually the cert called "Microsoft Exchange") should be enabled for SMTP. When you do that, it will prompt you to replace the existing certificate that's enabled for SMTP. Just say NO and it will be fine. (It will actually be fine if you say YES, but say NO when prompted.)

    Enable-ExchangeCertificate -Thumbprint <thumbprint of Exchange Self-signed cert>  -Services SMTP
    

3 additional answers

  1. Rubberduck3000 196 Reputation points
    2020-09-27T14:39:41.273+00:00

    Hi!

    Right, I have one .local certificate made with the Web Server template.
    And another one (with no services) made with the Computer template.
    I added SMTP to the certificate which already has POP and IMAP because it has more SANs added.
    I didn't replace the default SMTP certificate, as you recommended, and the error has gone.

    Thanks for help, Alex.


  2. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2020-09-25T12:49:50.627+00:00

    If you can see that cert with the Exchange management tools in PowerShell, enable it for SMTP on the server:

    Get-ExchangeCertificate |FL Thumbprint, Subject 
    

    Subject should equal "mxm.contoso.local".

    Then:

    Enable-ExchangeCertificate -Thumbprint <String> -Services SMTP
    

    Use the thumbprint of the cert above with the subject "mxm.contoso.local".

    If you don't see that cert, then simply create a new one on that server, and Exchange will assign the server name as the subject:

    New-ExchangeCertificate
    
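    The procedure from the accepted answer and the answer above (inventory the certificates Exchange can see, enable the CA-issued one for SMTP, and keep the self-signed "Microsoft Exchange" certificate as the default for intra-organization traffic), as one added example for the Exchange Management Shell. This is not code from the thread. It assumes the server's internal FQDN resolves locally (override $ServerFqdn if the name in event 12035 differs) and that a CA-issued certificate carrying that name is already in the store; the selection rule (most SANs wins) follows what the original poster did.

    ```powershell
    # Added example, not from the original thread. Run in the Exchange Management Shell.
    # Assumption: the internal FQDN of this server (e.g. mxm.contoso.local) is what
    # event 12035 names as the backend server. Override if it is not.
    $ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # 1. Inventory: every certificate Exchange can see and the services it is bound to.
    Get-ExchangeCertificate |
        Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, Subject -AutoSize

    # 2. Candidates: CA-issued (not self-signed), unexpired, with a usable private key,
    #    and carrying the internal FQDN either as the subject CN or as a SAN entry.
    #    CertificateDomains is a collection of domain objects, so compare as strings
    #    (-contains on strings is case-insensitive, which handles mxm.CONTOSO.local).
    $candidates = Get-ExchangeCertificate | Where-Object {
        $sans = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
        ($sans -contains $ServerFqdn -or $_.Subject -eq "CN=$ServerFqdn") -and
        -not $_.IsSelfSigned -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    }

    if (-not $candidates) {
        Write-Warning "No CA-issued certificate for $ServerFqdn found. Request one from the internal CA (or run New-ExchangeCertificate) before enabling SMTP."
        return
    }

    # 3. If two match (one from the Web Server template, one from the Computer template),
    #    prefer the one with the most SAN entries, as the poster did.
    $cert = $candidates |
        Sort-Object { @($_.CertificateDomains).Count } -Descending |
        Select-Object -First 1
    "Enabling SMTP on $($cert.Thumbprint) ($($cert.Subject)); SANs: $(@($cert.CertificateDomains) -join ', ')"

    # 4. Enable SMTP. Exchange asks whether to overwrite the existing default SMTP
    #    certificate: answer N so the self-signed "Microsoft Exchange" certificate stays
    #    the default for intra-organization (backend proxy) traffic. This is left
    #    interactive on purpose rather than forced.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

    # 5. Post-checks: the chosen cert now carries SMTP, and a self-signed cert still does.
    $after = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
    if ("$($after.Services)" -notmatch 'SMTP') {
        throw "SMTP was not enabled on $($cert.Thumbprint)"
    }
    $selfSignedSmtp = Get-ExchangeCertificate |
        Where-Object { $_.IsSelfSigned -and "$($_.Services)" -match 'SMTP' }
    if (-not $selfSignedSmtp) {
        Write-Warning "No self-signed certificate is enabled for SMTP any more. Re-enable the 'Microsoft Exchange' certificate with Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP."
    }
    ```

    The post-check matters because answering Y at the overwrite prompt is what removes the self-signed certificate from the default SMTP binding; after the script you can confirm the event 12035 stops recurring on the next intra-organization delivery.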

  3. Rubberduck3000 196 Reputation points
    2020-09-25T18:11:58.763+00:00

    Hi!

    Thanks for your answer.

    Yes, I can see the certificate.
    Actually, I created a new one with the internal CA using the Computer template.
    But I have a wildcard certificate (*.contoso.com) bound to my SMTP already.

    So I'm afraid that TLS (or something else) for external SMTP connections will not work with the local certificate, because the external name is mxm.contoso.com and the subject on the certificate will be mxm.contoso.local.

