SMTP server (IIS) 2012 R2 is using the incorrect certificate for outbound connections

Daniël de Jager 1 Reputation point
2020-08-11T15:07:12.18+00:00

I have set up a Windows Server 2012 R2 SMTP server and it's working fine, except that it is not using the correct certificate for the outbound connection, which is a problem because I need it for my Office 365 (Exchange Online) connector to identify itself so I can relay emails.

In the personal certificate store on the server there are two certificates that are almost identical, except one is .local and the other one .nl. Without any reason it's using the .local certificate to communicate. The only way to force the SMTP server to use the .nl certificate is to remove the other certificate or to disable its client authentication function. The fully-qualified domain name in the Advanced Delivery tab is the same as the certificate's subject name, and I'm seeing the correct date under "Access -> Secure communication".

I'm using port 25 for outbound connections and TLS encryption is enabled.

Does anyone have an idea how I can force the SMTP server to use the correct certificate without disabling the other one?

I already tried to use "netsh -> http -> add sslcert" to force port 25 to use the certificate, but it doesn't work, probably because it's using STARTTLS after the connection is made.
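The thread turns on which certificates in LocalMachine\Personal qualify for the SMTP service's outbound STARTTLS client authentication. The following PowerShell is an added diagnostic, not code from the thread or from Microsoft: it lists every certificate in that store with the properties that make it a candidate (name match against the Advanced Delivery FQDN, private key, validity period, and the Client/Server Authentication EKUs), so you can see why the .local and .nl certificates both qualify. The FQDN value is a placeholder to replace with your own.

```powershell
# Added diagnostic (not part of the original thread): show which certificates
# in LocalMachine\Personal could be chosen by the IIS SMTP service for STARTTLS.
# Assumption: $Fqdn is the fully-qualified domain name from "Advanced Delivery".
param(
    [string]$Fqdn = 'mail.example.nl'   # placeholder, replace with your FQDN
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Enhanced Key Usage (2.5.29.37): no EKU extension means "any purpose".
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # DNS names: subject CN plus every entry of the SAN extension (2.5.29.17).
    $names = @()
    $cn = $cert.Subject -split ',' | Where-Object { $_.Trim() -like 'CN=*' } | Select-Object -First 1
    if ($cn) { $names += $cn.Trim().Substring(3) }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields e.g. "DNS Name=mail.example.nl, DNS Name=smtp.example.nl"
        $names += ($san.Format($false) -split ',' | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        Names       = ($names -join ';')
        MatchesFqdn = ($names -contains $Fqdn)
        HasPrivKey  = $cert.HasPrivateKey
        ClientAuth  = ($ekus.Count -eq 0 -or $ekus -contains $clientAuthOid)
        ServerAuth  = ($ekus.Count -eq 0 -or $ekus -contains $serverAuthOid)
        Valid       = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        NotAfter    = $cert.NotAfter
    }
} | Sort-Object MatchesFqdn -Descending | Format-Table -AutoSize
```

Every row with HasPrivKey, Valid and ClientAuth all true is a candidate the service may pick, which is consistent with the observation above that removing the Client Authentication purpose from the .local certificate changes which one is used.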


3 answers

  1. Yuki Sun-MSFT 40,881 Reputation points
    2020-08-12T03:07:58.62+00:00

    According to the documentation below, "Confirm that only the certificate to be used by the SMTP server is in the Local_Machine\Personal certificates repository. Additional certificates can be added later." So it's suggested to try removing the .local certificate first, then follow the steps in the article to configure the certificate. Re-add the .local certificate after confirming that the .nl certificate is found by the SMTP service.

    Reference: How to configure IIS SMTP for outgoing TLS authentication


  2. Daniël de Jager 1 Reputation point
    2020-08-12T14:01:31.197+00:00

    I reinstalled the SMTP feature with only the .nl certificate in the Local_Machine\Personal certificates repository. It worked fine until I re-added the .local certificate.

    Any other ideas?


  3. Daniël de Jager 1 Reputation point
    2020-08-14T10:12:34.71+00:00

    Something else I tried today was buying a new certificate with a name not related to the hostname of the server. After setting everything up again with that new certificate, it worked fine, but after putting the .local certificate in the personal store it didn't work anymore.

    I also tested without the .local certificate and with only the new and old .nl certificates. The system uses the old .nl certificate despite it not being configured in the SMTP server.

    The only simple solution I can think of right now is taking the server out of the domain and making it standalone (workgroup).