PawelJarosz-0356 asked ZhengqiLou-MSFT commented

Exchange (Multirole + Edge) and certificate from local CA.

Hi Everyone,

I am setting up certificates in a really simple on-prem environment with 2 servers: the 1st is multirole (no mailboxes, just for simple relay and O365 management), the 2nd is the Edge role.

Everything works when I generate the certificate directly in Exchange; however, when trying to use the certificate from the local CA, emails are stuck in the queue on the multirole server. The root certificate is added to the trusted root store on the Edge server. I do not really have any more ideas on what can be done; what I've done was:

  1. Generated a new subscription file on the Edge server

  2. Enabled the local CA certificate on the multirole server for all the services (IIS, SMTP, POP, IMAP)

  3. Imported the subscription file and built a new subscription on the multirole server

  4. Started the synchronization

  5. Rebooted the servers

Synchronization seems to be OK (it reports a success state); however, messages sit in the queue on the multirole server with no willingness to go to the Edge server. Any ideas which step I am missing?

Cheers,
J
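A diagnostic checklist for the procedure above, written as an added example (not code from the thread) to be run in the Exchange Management Shell on the multirole server after each step: it verifies that the host can build a trust chain for the CA-issued certificate, what Exchange reports for it, whether the Edge Subscription is healthy, and what error the stuck queue records. The thumbprint value is a placeholder to be filled in from `Get-ExchangeCertificate`.

```powershell
# Constructed example: verify the CA-issued certificate and Edge Subscription state.
# Run in the Exchange Management Shell on the Mailbox/multirole server.
# $CaThumbprint is a placeholder; replace it with the thumbprint of the local-CA certificate.
param(
    [string]$CaThumbprint = "<THUMBPRINT-OF-CA-ISSUED-CERT>"
)

# 1. Can this host build a trust chain for the certificate? A failing chain usually means
#    the issuing CA root (or an intermediate) is missing from Cert:\LocalMachine\Root here,
#    even if it was added on the Edge server.
$cert  = Get-ChildItem -Path "Cert:\LocalMachine\My\$CaThumbprint"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    Write-Host "Chain OK for $($cert.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation)"
    }
}

# 2. What does Exchange itself think of the certificate, and is SMTP among its bound services?
#    Status 'Untrusted' here matches the 'not trusted' warning seen in ECP.
Get-ExchangeCertificate -Thumbprint $CaThumbprint |
    Format-List Subject, Status, Services, CertificateDomains, NotAfter

# 3. Is the Edge Subscription actually synchronizing after the re-subscription?
Test-EdgeSynchronization |
    Format-List SyncStatus, LastSynchronizedUtc, ConnectionResult, FailureDetail

# 4. Why are messages waiting? For a TLS/certificate failure on the Mailbox-to-Edge hop,
#    LastError on the queue to the Edge server names the cause directly.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Format-List Identity, DeliveryType, Status, NextHopDomain, MessageCount, LastError
```

Run the first step on the Edge server as well (in its local Exchange Management Shell) to confirm both sides can validate the chain.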





1 Answer

ZhengqiLou-MSFT answered ZhengqiLou-MSFT commented

Hi @PawelJarosz-0356 ,

Please first check OWA and the EAC (ECP); if they are good then we could rule out the cert.
And what does "multirole" mean? Mailbox + Client Access? What is your Exchange Server version, is it 2013? And have you added the CA certificate to the trusted root store on the multirole server?
Sorry, I don't know how you send emails without mailboxes. Please share more info so we can understand this issue better.

Regards,
Lou



Hi,

ECP looks good; it opens and all is fine, apart from the fact that it says the certificate is not trusted.

These servers are Exchange 2019 CU8 servers, installed on Windows Server 2019 core.

There was on-premises infrastructure, but all mailboxes were migrated to the cloud, and the local Exchange has been left just to manage mailboxes and to be used as a relay server (apps send through it without authentication).

Cheers,
J


Hi @PawelJarosz-0356 ,

Hybrid? Based on my knowledge, it requires a third-party business certificate. See: Certificate requirements for hybrid deployments

Regards,
Lou


Well, it is not hybrid by any means: no mailboxes locally, all in O365, and the MX is also in O365. One more time: we use this server only to manage remote mailboxes / DLs and as a relay server. There is a send connector that sends messages from the multirole (relay) server to the Edge server, and from Edge to O365. However, when switching from the Exchange-generated certificate to the CA-generated certificate, messages get stuck on the multirole server; they won't go to the Edge server.
