
12.12.13

Unspecified Error (CONNECTING_WITH_TLS): Unknown error -1

SYMPTOMS:
Your Exchange server receives email from some domains (e.g. @gmail.com) with extreme delays, or not at all.
In your SMTP logs you see a sequence of 503 and 240 (quit) protocol status messages on incoming connections from the problem domains' SMTP servers.

CAUSE:
The Exchange server advertises TLS as available, and those domains' servers are configured to try STARTTLS first. Your SBS (typically self-signed) certificate has expired.

RESOLUTION:
When the SBS certificate expired, you probably ran the Internet Connection Wizard to renew it. That wizard does NOT replace the certificate stored in the Exchange SMTP server configuration for protected (TLS) communication. This has to be done manually.
In the SMTP virtual server properties, on the connection tab, under protection configuration, click the "Certificate" button and select "Replace existing certificate". Select the new valid certificate from the list and click Next.
Mails start flowing!
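
A log check for the symptom described above, as an added example that is not part of the original post. It assumes the SMTP log is in W3C extended format with a `#Fields` header containing `c-ip`, `cs-method` and `sc-status`, and that a `DATA` line with status 250 marks an accepted message; the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample in W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method sc-status
2013-12-12 09:15:01 203.0.113.10 EHLO 250
2013-12-12 09:15:01 203.0.113.10 STARTTLS 220
2013-12-12 09:15:02 203.0.113.10 MAIL 503
2013-12-12 09:15:02 203.0.113.10 QUIT 240
2013-12-12 09:20:40 198.51.100.7 EHLO 250
2013-12-12 09:20:41 198.51.100.7 MAIL 250
2013-12-12 09:20:41 198.51.100.7 RCPT 250
2013-12-12 09:20:42 198.51.100.7 DATA 250
2013-12-12 09:20:42 198.51.100.7 QUIT 240
2013-12-12 09:45:03 203.0.113.10 EHLO 250
2013-12-12 09:45:03 203.0.113.10 STARTTLS 220
2013-12-12 09:45:04 203.0.113.10 MAIL 503
2013-12-12 09:45:04 203.0.113.10 QUIT 240
"""

def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def failed_tls_senders(text):
    """Return {client IP: failed-session count} for senders that tried STARTTLS,
    hit 503 followed by QUIT/240, and never got a message accepted."""
    stats = defaultdict(lambda: {"tls": 0, "failed": 0, "ok": 0, "saw503": False})
    for rec in parse_w3c(text):
        s = stats[rec["c-ip"]]
        method, status = rec["cs-method"].upper(), rec["sc-status"]
        if method == "STARTTLS":
            s["tls"] += 1
        if status == "503":
            s["saw503"] = True
        if method == "DATA" and status == "250":  # assumption: message accepted
            s["ok"] += 1
        if method == "QUIT":
            if status == "240" and s["saw503"]:
                s["failed"] += 1
            s["saw503"] = False  # QUIT ends the session
    return {ip: s["failed"] for ip, s in stats.items()
            if s["tls"] and s["failed"] and not s["ok"]}
```

Run `failed_tls_senders()` on the log text before and after replacing the certificate: senders listed before the fix should stop appearing in entries logged afterwards.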


5 comments:

  1. Hi Raf,
    Thanks for such a clear explanation. I've just spent half a day struggling with the same situation - renewed a client's SBS 2003 self-signed certificate a week ago but didn't know about updating it in Exchange.
    Your solution got it working again in about 1 minute (including sending the test message)!
    Thanks again.
  2. I was looking for this answer for the past 7 days! Thank you! THANK YOU!
  3. You Sir, are a star!
  4. Absolute legend! Thank you.

    Seems to be a few people here still supporting SBS 2003!
  5. Thank you, thank you and thank you!