Everyone who has ever installed SBS 2008 has encountered the wizard that creates the certificate and the remote workplace, by default called remote.company.com (yes, you can choose other prefixes, but let's say that I like remote because it is easy to remember for my users…).
The SBS wizard generates a certificate for this hostname and uses it for all services (Outlook Web Access, ActiveSync and also the SMTP receive and send connectors…).
The problem arises when you want to rename your SMTP receive and send connectors to match the records in DNS. It is a best practice for the SMTP greeting to match the records in DNS. For example, if you have a domain company.com with a host (A) record called mail.company.com and an MX record pointing to mail.company.com, I suggest you follow this rule and set the SMTP greeting, or FQDN, of the SMTP connectors to mail.company.com.
You can rename your connectors however you want using the Exchange Management Console, but you will lose TLS for SMTP traffic, because the certificate for remote.company.com does not match the FQDN or SMTP greeting of a connector that advertises mail.company.com. You will also get an error in the Event Log saying:
Microsoft Exchange could not find a certificate that contains the domain name mail.company.com in the personal store on the local computer…
OK, what can we do now?
Well, start the Exchange Management Shell, which is PowerShell with modules for Exchange 2007 management; you can find it in the Start menu. First of all, we want to see the current Exchange certificates that are enabled for Exchange services by using the cmdlet:
[PS] C:\Windows\System32>Get-ExchangeCertificate
and you will receive something like this:
---------- -------- -------
45EEEB44DF4BFE2EB1B7A7592EA1DF5BF93F44B4 IP.WS CN=remote.company.com
42F146B12BEF918A6A8FC730F5AA87AC4ACB1CEB IP..S CN=remote.company.com
817F1311CB72FB70F962EC0FAD2D8FA857F114A4 ....S CN=sbssrv01.company.local
4BAAC7906689AFF0129767CF492AAE058B5DF494 ....S CN=Sites
8F1D9C5FEB6EF0C39F25175AFBDEA54FE9668EF9 ..... CN=xxxxxx-xxxxxxxx-CA
8E4F33523325500F38ECF41FCDFBBE684AFC6145 ..... CN=WMSvc-WIN-K7KGUV5MQ40
Overwrite existing default SMTP certificate,
'45EEEB44DF4BFE2EB1B7A7592EA1DF5BF93F44B4' (expires 14.1.2012 22:37:04), with
certificate '59D62E7850EE4093AFF1EC73E2623D52058C2B35' (expires 27.1.2015
17:09:02)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"): N
---------- -------- -------
59D62E7850EE4093AFF1EC73E2623D52058C2B35 ..... CN=mail.company.com
[PS] C:\Windows\System32>Get-ExchangeCertificate
[PS] C:\Windows\System32>
---------- -------- -------
59D62E7850EE4093AFF1EC73E2623D52058C2B35 ....S CN=mail.company.com
45EEEB44DF4BFE2EB1B7A7592EA1DF5BF93F44B4 IP.WS CN=remote.company.com
4BAAC7906689AFF0129767CF492AAE058B5DF494 ....S CN=Sites
8F1D9C5FEB6EF0C39F25175AFBDEA54FE9668EF9 ..... CN=xxxxxxxxxxx-xxxxxxxxxxxx01-CA
8E4F33523325500F38ECF41FCDFBBE684AFC6145 ..... CN=WMSvc-WIN-K7KGUV5MQ40
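To confirm that TLS will work, the check below (an added example, not part of the original post) lists every receive and send connector and reports whether an unexpired, SMTP-enabled certificate carries the FQDN that connector advertises. It assumes the Exchange Management Shell on Exchange 2007; the helper name Test-NameCoversFqdn is hypothetical.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2007).
$now = Get-Date

# Certificates that are enabled for SMTP and have not expired.
$smtpCerts = @(Get-ExchangeCertificate | Where-Object {
    ($_.Services.ToString() -match 'SMTP') -and ($_.NotAfter -gt $now)
})

# Hypothetical helper: true when a certificate name covers $Fqdn, either
# exactly or as a wildcard that replaces only the left-most label.
function Test-NameCoversFqdn([string]$CertName, [string]$Fqdn) {
    if ($CertName -eq $Fqdn) { return $true }   # -eq ignores case
    if ($CertName.StartsWith('*.')) {
        $dot = $Fqdn.IndexOf('.')
        if ($dot -gt 0) {
            return ($Fqdn.Substring($dot) -eq $CertName.Substring(1))
        }
    }
    return $false
}

# Compare the FQDN of every receive and send connector with those names.
$connectors = @(Get-ReceiveConnector) + @(Get-SendConnector)
foreach ($c in $connectors) {
    if (-not $c.Fqdn) { continue }   # connector has no FQDN of its own set
    $fqdn = $c.Fqdn.ToString()
    $hits = @()
    foreach ($cert in $smtpCerts) {
        foreach ($d in $cert.CertificateDomains) {
            if (Test-NameCoversFqdn ($d.ToString()) $fqdn) {
                $hits += $cert.Thumbprint
                break   # one matching name per certificate is enough
            }
        }
    }
    if ($hits.Count -gt 0) {
        $list = [string]::Join(', ', $hits)
        Write-Host ("OK        {0} -> {1} [{2}]" -f $c.Identity, $fqdn, $list)
    } else {
        Write-Host ("MISMATCH  {0} -> {1}: no SMTP certificate carries this name" -f $c.Identity, $fqdn)
    }
}
```

A MISMATCH line corresponds to the Event Log error quoted earlier: the connector advertises a name that no SMTP-enabled certificate in the personal store contains.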
helo test.blablabla.si
250 mail.xxxxxxxxxxxxxxxx.si Hello [xxx.xxx.xxxx.xxx]
500 5.3.3 Unrecognized command