Discussion:
exchange 2007 FQDN error
Andrea Racca
2008-03-26 22:21:17 UTC
Hi,
I have Exchange 2007. One server with Client Access Role, Mailbox Role and
Hub Role. I created an "Internet Send Connector" with this setting:
"use domain name system (DNS) "MX" records to route mail automatically". I
specified as FQDN in the General tab the name of my MX server (it is not the
Exchange 2007).
In EV I receive this error:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12014
Date: 26/03/2008
Time: 22.32.28
User: N/A
Computer: EXCHANGE
Description:
Microsoft Exchange couldn't find a certificate that contains the domain name
mx.domain.it in the personal store on the local computer. Therefore, it is
unable to support the STARTTLS SMTP verb for the connector Internet
Connector by dns with a FQDN parameter of mx.domain.it. If the connector's
FQDN is not specified, the computer's FQDN is used. Verify the connector
configuration and the installed certificates to make sure that there is a
certificate with a domain name for that FQDN. If this certificate exists,
run Enable-ExchangeCertificate -Services SMTP to make sure that the
Microsoft Exchange Transport service has access to the certificate key.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Any help? Is it important to verify and remove the condition that causes this
problem?
Thanks.
Cary Shultz
2008-03-27 01:20:43 UTC
Open up the Exchange "Command Prompt" and enter the following:

get-exchangeCertificate | fl

Look at all the certificates that are displayed. I would suggest that you
take note and maybe remove all those that you do not need......but I
digress.

Look for the "Services" along the left edge. Look for the "SMTP". If you
do not find that then you do not have a certificate for SMTP. This would be
the problem.

Do you have a UCC Certificate installed?

If you do, and you did not enable it for SMTP (let's say that it is enabled
for IIS) then this is simple. All you would do is enter the following:

enable-exchangeCertificate -Thumbprint XYZ -Services "SMTP"

That is it.

Now, let's say that you also need to enable IMAP (boss bought herself an
iPhone....). You would do this:

enable-exchangeCertificate -Thumbprint XYZ -Services "SMTP, IMAP"

Does this help?

Cary
Andrea Racca
2008-03-27 12:45:51 UTC
I have this result after "get-exchangeCertificate | fl"

CertificateDomains: servername,servername.localdomain.local
HasPrivateKey: True
IsSelfSigned: True
Issuer: CN=servername
NotAfter: 19/10/2008
NotBefore: 19/10/2007
PublicKeySize: 2048
RootCAType: None
Services: IMAP,POP,IIS,SMTP
Status: Valid
Subject: CN=servername
Rich Matheisen [MVP]
2008-03-27 17:20:24 UTC
Post by Andrea Racca
I have exchange 2007. One server with Client Access Role, Mailbox Role and
"use domain name system (DNS) "MX" records to route mail automatically".I
specify like FQDN in general tab, the name of my mx server (is not the
exchange 2007).
The FQDN on the "General" tab of the send connector is the name your
server will use. The name "mx.domain.it" must be present in the SSL
certificate. That name isn't present in the certificate you're using.
These are the names in your current cert:

servername,servername.localdomain.local

You need to create a new certificate, load it into the certificate
store, and then enable it for use by SMTP (and the other protocols).

So you'd want a certificate that had these names:

servername,servername.localdomain.local,mx.domain.it,domain.it

You might even want to add "autodiscover.domain.it" to that list.
--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:***@getronics.com
Or to these, either: mailto:***@pinkroccade.com mailto:***@getronics.com mailto:***@pinkroccade.com
Andrea Racca
2008-03-27 22:11:24 UTC
Thanks. Is there any "how to" for creating this certificate?
hi
Rich Matheisen [MVP]
2008-03-28 02:11:59 UTC
Post by Andrea Racca
Thanks. Is there any "how to" for creating this certificate?
Do you have your own CA? You can buy a cert from a CA like godaddy.com
(a SAN/UCC cert with 5 domain names is about $60/year).
--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:***@getronics.com
Or to these, either: mailto:***@pinkroccade.com mailto:***@getronics.com mailto:***@pinkroccade.com
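Added example, not part of the original thread or any poster's message: a PowerShell check for the condition behind Event ID 12014, namely whether any certificate that is enabled for SMTP, has a private key and is within its validity period lists the connector's FQDN. The function name, the sample object (built from the output posted above, with a placeholder thumbprint) and the file paths in the comments are assumptions for illustration.

```powershell
# Added example. Returns the thumbprint of a certificate that can serve
# STARTTLS for $Fqdn, or $null when none qualifies (the Event 12014 case).
function Find-SmtpCertForFqdn {
    param(
        [string]$Fqdn,
        [object[]]$Certificates,          # as returned by Get-ExchangeCertificate
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($cert in $Certificates) {
        if (-not $cert.HasPrivateKey) { continue }                    # key not usable
        if ("$($cert.Services)" -notmatch '\bSMTP\b') { continue }    # not enabled for SMTP
        if ($AsOf -lt $cert.NotBefore -or $AsOf -gt $cert.NotAfter) { continue }
        foreach ($name in $cert.CertificateDomains) {
            if ("$name" -ieq $Fqdn) { return $cert.Thumbprint }       # case-insensitive match
        }
    }
    return $null
}

# Constructed sample mirroring the certificate shown in the thread
# (New-Object -Property needs PowerShell 2.0 or later).
$sample = New-Object PSObject -Property @{
    Thumbprint         = 'PLACEHOLDER-THUMBPRINT'
    CertificateDomains = @('servername', 'servername.localdomain.local')
    HasPrivateKey      = $true
    Services           = 'IMAP, POP, IIS, SMTP'
    NotBefore          = [datetime]'2007-10-19'
    NotAfter           = [datetime]'2008-10-19'
}
$asOf = [datetime]'2008-03-27'
foreach ($fqdn in 'mx.domain.it', 'servername.localdomain.local') {
    $thumb = Find-SmtpCertForFqdn $fqdn $sample $asOf
    if ($thumb) { "{0}: covered by {1}" -f $fqdn, $thumb }
    else        { "{0}: no usable SMTP certificate" -f $fqdn }
}

# On the server (Exchange Management Shell), use live data instead. A connector
# with no FQDN set falls back to the computer's FQDN, as the event text says.
#   $certs = Get-ExchangeCertificate
#   Get-SendConnector | ForEach-Object { Find-SmtpCertForFqdn "$($_.Fqdn)" $certs }
#
# Requesting a certificate with the names listed in the thread (paths are placeholders):
#   New-ExchangeCertificate -GenerateRequest -Path C:\PLACEHOLDER\mx.req `
#     -SubjectName "cn=mx.domain.it" -PrivateKeyExportable $true `
#     -DomainName mx.domain.it, domain.it, servername, servername.localdomain.local
#   Import-ExchangeCertificate -Path C:\PLACEHOLDER\mx.cer | Enable-ExchangeCertificate -Services SMTP
```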