KB ID 0001770
Problem
A few months ago I wrote an article about getting free Exchange certificates with Let's Encrypt. That still works peachy; I implemented it on my test Exchange 2019 server (in Hybrid mode) and all appeared well.
Some time later (remember this is my test network, so it's not in production) I noticed that mail was not getting forwarded from O365 to the on-premises Exchange server. I've also had to fix similar problems before, here.
These were the sort of errors I was seeing:
450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send mail] [LastAttemptedServerName=mail.petenetlive.com] [LastAttemptedIP=x.x.x.x:25] [DB8EUR05FT046.eop-eur05.prod.protection.outlook.com]
450 4.4.317 Cannot connect to remote server [Message=451 4.4.0 TLS negotiation failed with error SocketError] [LastAttemptedServerName=mail.petenetlive.com] [LastAttemptedIP=x.x.x.x:25] [DB3EUR04FT033.eop-eur04.prod.protection.outlook.com]
So the problem is obviously something to do with the certificate on the on-premises server: either it's misconfigured, or Microsoft O365 does not like the Let's Encrypt certificate.
Solution
Firstly I made sure the send and receive connectors were using the correct certificate.
[box]
Get-ReceiveConnector "PNL-MAIL-2019\Default Frontend PNL-MAIL-2019" | fl TlsCertificateName
Get-SendConnector "Outbound to Office 365" | fl TlsCertificateName
[/box]
Note: Above, change the server names and send connector name to match your own.
At this point I was pretty sure that the problem was with that cert so I bought myself a 12 month SSL cert (for the princely sum of $17) and used that instead.
How To Swap Hybrid Connector Certificates
Get the thumbprint for the NEW publicly signed certificate (Get-ExchangeCertificate), then use the following PowerShell (replace the XXXX thumbprint and the connector names with your own).
[box]
$cert = Get-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename
Set-ReceiveConnector "PNL-MAIL-2019\Default Frontend PNL-MAIL-2019" -TlsCertificateName $tlscertificatename
Restart-Service MSExchangeTransport
[/box]
Now recheck the connectors:
Then attempt to re-validate the connector in Office 365, and it works straight away.
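As an added pre-flight check (my own script, not from the original article), the following verifies that a candidate certificate is actually usable for the hybrid SMTP TLS handshake (not expired, has a private key, enabled for SMTP, chain valid, covers the host name EOP connects to) and that both connectors are bound to it, before you swap anything. The thumbprint, connector names and host name are placeholders; run it from the Exchange Management Shell, without -Apply first.

```powershell
# Added check script; not part of the original KB article. Placeholders below.
param(
    [Parameter(Mandatory)] [string]$Thumbprint,
    [string]$SendConnector    = "Outbound to Office 365",
    [string]$ReceiveConnector = "PNL-MAIL-2019\Default Frontend PNL-MAIL-2019",
    [string]$ExpectedHost     = "mail.petenetlive.com",   # name EOP connects to
    [switch]$Apply                                        # report only unless set
)

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop
$problems = @()

# Any of these will make EOP's STARTTLS attempt fail against this server.
if ($cert.NotAfter -lt (Get-Date))       { $problems += "expired on $($cert.NotAfter)" }
if (-not $cert.HasPrivateKey)             { $problems += "no private key on this server" }
if ($cert.Services -notmatch 'SMTP')      { $problems += "not enabled for the SMTP service" }
if ($cert.Status -ne 'Valid')             { $problems += "status is $($cert.Status) (chain/intermediate issue?)" }
# Exact-name match only; wildcard entries (*.example.com) are not expanded here.
$names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
if ($names -notcontains $ExpectedHost)    { $problems += "does not cover $ExpectedHost" }

if ($problems) {
    Write-Warning "Certificate $Thumbprint is not usable for hybrid TLS:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
    return
}

# Same identifier format the article builds: <I>issuer<S>subject
$tlsName = "<i>$($cert.Issuer)<s>$($cert.Subject)"
$send = Get-SendConnector $SendConnector
$recv = Get-ReceiveConnector $ReceiveConnector

foreach ($c in @($send, $recv)) {
    $bound = $c.TlsCertificateName
    # Compare issuer/subject fields rather than the string, which differs in case.
    $match = $bound -and ($bound.CertificateIssuer -eq $cert.Issuer) -and
             ($bound.CertificateSubject -eq $cert.Subject)
    $state = if ($match) { "OK" } elseif ($bound) { "MISMATCH ($bound)" } else { "NOT SET" }
    Write-Output "$($c.Identity): $state"
}

if ($Apply) {
    Set-SendConnector    $SendConnector    -TlsCertificateName $tlsName
    Set-ReceiveConnector $ReceiveConnector -TlsCertificateName $tlsName
    Restart-Service MSExchangeTransport
    Write-Output "Connectors rebound to $Thumbprint; re-validate the connector in Office 365."
}
```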
SO NO, YOU CAN'T USE LET'S ENCRYPT FREE CERTIFICATES IF YOUR EXCHANGE SERVER IS IN HYBRID MODE