

Selection of Inbound STARTTLS Certificates

APPLIES TO: Exchange Server 2016, Exchange Server 2019, Exchange Server Subscription Edition

Important

Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019 will reach end of support on Oct 14, 2025. To stay supported, you need to upgrade. For more information, see End of Support for Exchange 2016 and Exchange Server 2019.

This article describes the certificate selection process for inbound STARTTLS that runs on the Receiving server. The process is triggered when a Simple Mail Transfer Protocol (SMTP) server tries to open a secure SMTP session with a Microsoft Exchange Mailbox server or Edge Transport server. Whichever of these servers accepts the session acts as the Receiving server and runs the certificate selection process to determine which certificate to use in the TLS negotiation.

The following figure depicts the steps of the certificate selection process for inbound STARTTLS:

Screenshot that shows the steps in the process of selecting an inbound starttls certificate.

The steps depicted in the preceding diagram are explained here:

  1. When the SMTP session is established, Microsoft Exchange calls a process to load the certificates.

  2. In the "load certificate" function, the Receive connector to which the session is connected is checked to see whether its AuthMechanism property includes the value TLS. You can check the property by running the following command:

    Get-ReceiveConnector -Identity <Receive Connector Identity> | fl AuthMechanism
    

    If the AuthMechanism property's value is null, you can set the value to TLS by running the following command:

    $AuthMechanism = (Get-ReceiveConnector -Identity <Receive Connector Identity>).AuthMechanism
    $AuthMechanism += "TLS"
    Set-ReceiveConnector -Identity <Receive Connector Identity> -AuthMechanism $AuthMechanism
    

    You can also set the AuthMechanism property's value to TLS by selecting Transport Layer Security (TLS) on the Authentication tab of a given Receive connector.

    If TLS isn't enabled as an authentication mechanism, the server doesn't advertise X-STARTTLS to the Sending server in the SMTP session, and no certificate is loaded.

  3. The certificate selection process retrieves the TlsCertificateName value from the Receive connector configuration. You can view the value by running the following command:

    Get-ReceiveConnector -Identity <Receive Connector Identity> | fl TlsCertificateName
    

    You can also set the TlsCertificateName value on the Receive connector by performing the following steps:

    1. Retrieve the thumbprint of a valid SMTP-enabled third-party certificate.

    2. Run the following command:

      $TLSCert = Get-ExchangeCertificate -Thumbprint <thumbprint retrieved in the previous step>
      $TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"
      Set-ReceiveConnector -Identity <Receive Connector Identity> -TlsCertificateName $TLSCertName
      
  4. If the TlsCertificateName value on the Receive connector is null, the fully qualified domain name (FQDN) is retrieved. If the FQDN is null, you can set the FQDN value.

    To retrieve or set the FQDN value, perform the following steps:

    1. Retrieve the FQDN value by running the following command:

      Get-ReceiveConnector -Identity <Receive Connector Identity> | fl fqdn
      
    2. Set the FQDN value by running the following command:

      Set-ReceiveConnector -Identity <Receive Connector Identity> -fqdn <fqdn value>
      
  5. If the FQDN value on the Receive connector is null, the server's physical FQDN is retrieved.

  6. The local computer certificate store is searched for certificates that match TlsCertificateName/FQDN. If a certificate isn't found, the server doesn't advertise X-STARTTLS, no certificate is loaded, and Event ID 12014 is logged in the Application log.

  7. In the certificate store, a search is performed for all certificates that have a matching TlsCertificateName/FQDN. From this list, the eligible certificates are identified. An eligible certificate must meet the following criteria:

    • The certificate is an X.509 version 3 or a later-version certificate.

    • The certificate has an associated private key.

    • The Subject or Subject Alternative Name field contains the TlsCertificateName/FQDN that was retrieved in earlier steps.

    • The certificate is enabled for Secure Sockets Layer (SSL)/TLS use; specifically, the SMTP service has been enabled for this certificate by using the Enable-ExchangeCertificate cmdlet. You can verify whether the SMTP service is enabled by running the following command to retrieve the Services value:

      Get-ExchangeCertificate -Thumbprint <value of the thumbprint> | fl Services
      

      If you find that the SMTP service hasn't been enabled, you can manually enable the SMTP service by running the following command:

      Enable-ExchangeCertificate -Thumbprint <value of the thumbprint> -Services "SMTP"
      

      Note

      If the TlsCertificateName/FQDN-matched certificate doesn't have the SMTP service enabled, Exchange still chooses that certificate for STARTTLS, but the TLS communication fails at a later stage.

  8. If no eligible certificates are found after these checks, the server doesn't advertise X-STARTTLS, no certificate is loaded, and Event ID 12014 is logged in the Application log.

  9. If eligible certificates are found, the best certificate is selected based on the following sequence:

    1. Sort the eligible certificates by most recent Valid from date. Valid from is a "Version 1" field on the certificate.
    2. The first valid public key infrastructure (PKI) certificate in this list is used.
    3. If no valid PKI certificates are found, the first self-signed certificate is used.
    4. The selected certificate is checked to see whether it has expired: the Valid to field in the certificate properties is compared to the current date and time. If the certificate hasn't expired, STARTTLS is advertised. If the certificate has expired, Event ID 12016 is logged in the Application log, but STARTTLS is still advertised.

        Important

        If the certificate has expired, you must renew the certificate irrespective of whether STARTTLS is advertised or not. For information on how to renew the certificate, see Renew an Exchange Server certificate.
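The selection rules in steps 2 through 9 can be exercised end to end against a small in-memory certificate store. The following Python model is an added illustration and is not Exchange code: the Cert records are constructed stand-ins for what Get-ExchangeCertificate returns, the store contents, thumbprints and the NOW timestamp are invented sample data, and name matching is simplified to an exact, case-insensitive comparison of the connector's FQDN against the CN/SAN entries (wildcard names are not modelled). It shows why a newer self-signed certificate loses to an older PKI certificate, why a TlsCertificateName that points at an expired certificate still advertises STARTTLS (with Event 12016), and when Event 12014 is produced instead.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Sequence

# Event IDs named in the article
EVENT_NO_CERT = 12014   # no matching/eligible certificate; X-STARTTLS not advertised
EVENT_EXPIRED = 12016   # chosen certificate has expired; X-STARTTLS still advertised


@dataclass
class Cert:
    """Constructed stand-in for a Get-ExchangeCertificate result (not the real type)."""
    thumbprint: str
    subject: str                      # e.g. "CN=mail.contoso.com"
    issuer: str
    domains: Sequence[str]            # CN plus Subject Alternative Name entries
    not_before: datetime              # "Valid from" (version 1 field)
    not_after: datetime               # "Valid to"
    version: int = 3
    has_private_key: bool = True
    services: Sequence[str] = ("SMTP",)
    is_self_signed: bool = False

    def tls_certificate_name(self) -> str:
        # Same <I>issuer<S>subject string the article builds for -TlsCertificateName
        return f"<I>{self.issuer}<S>{self.subject}"


@dataclass
class Selection:
    certificate: Optional[Cert]
    advertise_starttls: bool
    events: List[int] = field(default_factory=list)
    smtp_service_enabled: bool = True


def _name_matches(cert: Cert, tls_certificate_name: Optional[str], fqdn: str) -> bool:
    # Steps 3-5: an explicit TlsCertificateName wins; otherwise match the FQDN
    # against CN/SAN (assumption: exact match only, no wildcard handling)
    if tls_certificate_name:
        return cert.tls_certificate_name().lower() == tls_certificate_name.lower()
    return any(d.lower() == fqdn.lower() for d in cert.domains)


def _eligible(cert: Cert, tls_certificate_name: Optional[str], fqdn: str) -> bool:
    # Step 7: X.509 v3 or later, private key present, name match. The SMTP service
    # flag is reported separately because, per the article's note, Exchange still
    # picks the certificate without it and the TLS session fails later.
    return (cert.version >= 3 and cert.has_private_key
            and _name_matches(cert, tls_certificate_name, fqdn))


def select_inbound_starttls_cert(store: Iterable[Cert], *, auth_mechanism: Iterable[str],
                                 tls_certificate_name: Optional[str] = None,
                                 connector_fqdn: Optional[str] = None, server_fqdn: str = "",
                                 now: Optional[datetime] = None) -> Selection:
    now = now or datetime.now(timezone.utc)
    # Step 2: without TLS in AuthMechanism nothing is loaded and nothing advertised
    if not any(m.lower() == "tls" for m in auth_mechanism):
        return Selection(None, False)
    # Steps 4-5: connector FQDN, falling back to the server's physical FQDN
    fqdn = connector_fqdn or server_fqdn
    # Steps 6-8: filter the store; nothing left means Event 12014 and no X-STARTTLS
    candidates = [c for c in store if _eligible(c, tls_certificate_name, fqdn)]
    if not candidates:
        return Selection(None, False, [EVENT_NO_CERT])
    # Step 9: newest "Valid from" first, then the first PKI cert, else first self-signed
    candidates.sort(key=lambda c: c.not_before, reverse=True)
    pki = [c for c in candidates if not c.is_self_signed]
    chosen = pki[0] if pki else candidates[0]
    # Step 9.4: expiry is logged (12016) but STARTTLS is still advertised
    events = [EVENT_EXPIRED] if chosen.not_after < now else []
    return Selection(chosen, True, events, "SMTP" in chosen.services)


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample store and "current time" for the walkthrough
NOW = _utc(2025, 3, 1)
CA = "CN=Example Public CA"
SAMPLE_STORE = [
    Cert("AAAA", "CN=mail.contoso.com", "CN=Old Example CA", ("mail.contoso.com",),
         _utc(2022, 1, 1), _utc(2023, 1, 1), services=("IIS",)),        # expired, no SMTP
    Cert("BBBB", "CN=mail.contoso.com", CA, ("mail.contoso.com", "autodiscover.contoso.com"),
         _utc(2024, 1, 1), _utc(2026, 1, 1)),                            # current PKI cert
    Cert("CCCC", "CN=mail.contoso.com", "CN=mail.contoso.com", ("mail.contoso.com",),
         _utc(2024, 6, 1), _utc(2029, 6, 1), is_self_signed=True),       # newer, self-signed
    Cert("DDDD", "CN=mail.contoso.com", CA, ("mail.contoso.com",),
         _utc(2025, 1, 1), _utc(2027, 1, 1), has_private_key=False),     # newest, no key
]

if __name__ == "__main__":
    result = select_inbound_starttls_cert(SAMPLE_STORE, auth_mechanism=["Tls", "Integrated"],
                                          connector_fqdn="mail.contoso.com", now=NOW)
    print(result.certificate.thumbprint, result.advertise_starttls, result.events)
```

With the connector FQDN set to mail.contoso.com, certificate BBBB is chosen even though CCCC is newer (self-signed loses to PKI) and DDDD is newest (no private key, so ineligible). Pointing TlsCertificateName at the old issuer selects AAAA, advertises STARTTLS and records Event 12016, which is the situation the Important note above tells you to fix by renewing.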

Setting the value for the FQDN property

To set the value for the FQDN property, run the following command:

Set-ReceiveConnector -Identity <Receive Connector Identity> -fqdn <fqdn value>

More information

For more information about how certificates are selected for other TLS scenarios, see the following articles: