This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 48%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello,
I've installed a brand new exchange 2016 server and my company is running on it straight and clean from a month or so, but last week a user asked me why the SMPT certificate gives an error. Looking at the error, the certificate that the user get is the built-in SMTP certificate of the installation and not the one from the public CA.
I've reassigned the SMTP service via EAC and on ECP, nothing works.
The question is... there is some way to unassign SMTP service to built-in certficate?
Many Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi @Davide Zampatori ,
How is the issue now? If it has been resolved, please click “Accept as answer” to mark helpful reply as an answer to close the thread. Your action would be helpful to other users who encounter the same issue and read this thread.
Hi I've tryed to delete the certificate by backupping the VM that runs Exchange.
Deleting it cause the server to go nuts... nothing work and even if I assign the SMTP service to the public certificate the service still expect the built-in certificate.
The user is using Thunderbird configured in IMAP.
When looking for the STARTTLS certificte used is the built-in: I get CN="SERVERNAME" and not the public one.
I've tryed enabling both via EAC and ECP.
There is no more breaking down... Simply the server keep using the built-in even if I've associated the SMTP service with the correct certificate.
Yikes. Ok, as I mentioned, do not delete that certificate.
Can you list all the Exchange Certificates with Get-ExchangeCertificate |FL ?
Remove any personal information
What is set for the FQDN on the "Client Frontend <ServerName>" receive connector? That should match a subject name on the certificate enabled for SMTP
The IMAP clients should be using port 587 to submit messages and they use that connector
@AD-7937 sorry for the late answer
Here the output from the command Get-ExchangeCertificate.
The first is the public certificate (you can see mail and autodiscover names) the FQDN on the receive connector is the same written here.
The 2nd and 3rd are the built-in and I see the 2nd used for SMTP so the STARTTLS is not recognized.
Hi,
If exporting the certificate causes the server to fail, please run the following command line to create a new self-signed certificate.
New-ExchangeCertificate -FriendlyName Microsoft Exchange -SubjectName <> -DomainName <> -Services <>
For more information:Create a new Exchange Server self-signed certificate
What is the error given by the SMTP certificate?
That wouldn't apply if he deleted the cert.
Hi,
Please follow the steps below to bind the specific certificate to the receive connector and see if the issue is resolved.
Done that already... still get subject=CN = EXCHANGE-16
Nothing changes
Hi,
Do you still receive the same error after binding a specific certificate to the receiving connection?
Please try to create a new receive connector with the same configuration as the problem receive connector. And bind the specified certificate again to see if the problem is solved.
Hi @Davide Zampatori ,
Will the issue still occur after rebuilding the receive connector? If there is no issue, please click “Accept as answer” to mark helpful reply as an answer to close the thread. Your action would be helpful to other users who encounter the same issue and read this thread.
Thanks for your understanding.
Sorry for the late answer... I was away for the past week.
I don't know if I can create a new receive connector, the server is live atm, since we discovered the issue after we put it online.
There is a way to create a new receive connector without disabling the functionality of the server and then switch it?
Hi,
Is your Exchange a hybrid environment?
Can you provide specific error information? It should be note that please hide your private information.
Please try to run the following command to clear the certificate bound to the receive connector, and then bind again in the above way to see if the binding can be successful.
Set-receiveconnector -Identity <> -tlscertificatename $null.
Hi DavideZampatori,
I am writing to check if provided information is helpful. Please let me know if you need further assistance.
If the response is helpful, please click "Accept Answer" and upvote it.