521 Could not deliver message over TLS for domain

A recent Exchange 2010 deployment was not able to receive email over TLS, even though a valid SAN certificate (UCC) was installed and assigned as the default for SMTP services. Additionally, the server logged event ID 12014 every 15 minutes with the message shown below.

[Screenshot: event ID 12014 (MSExchangeTransport) message]

The error message states that a certificate for the server's internal FQDN, rather than mail.example.com as listed on the certificate, could not be found. Since the "Default SERVER" receive connector's EHLO name (its FQDN) can't be changed from the server's actual FQDN to the external name on the certificate, the problem most likely stemmed from the default self-signed certificate having been deleted in favour of the new, valid UCC certificate.

Here’s how to fix it.

1. Open the Exchange Management Shell and run New-ExchangeCertificate.
2. When prompted, press "n" to skip overwriting the existing default SMTP certificate. A new self-signed certificate is created containing both the hostname and the internal FQDN of the server.

[Screenshot: New-ExchangeCertificate output]
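Before (or after) recreating the self-signed certificate, it is worth checking which SMTP-enabled certificates are present and whether every Receive connector's FQDN is actually covered by one of them, since that is the mismatch event 12014 reports. The script below is an added example, not code from the original post; it is meant to be run in the Exchange Management Shell on the affected Exchange 2010 server and uses only the standard Get-ExchangeCertificate, Get-ReceiveConnector and New-ExchangeCertificate cmdlets. The Test-NameCovered helper and its simple one-label wildcard matching are assumptions of this example.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the affected Exchange 2010 server. For each Receive connector it checks whether
# the connector FQDN (the name offered in EHLO and used for STARTTLS) is present on a
# certificate that is enabled for the SMTP service; if any connector is uncovered it
# recreates the default self-signed certificate, as described in the post.

# Hypothetical helper: does $Name appear in the list of certificate domains?
function Test-NameCovered {
    param([string]$Name, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -ieq $Name) { return $true }
        # Assumption: a wildcard entry such as *.example.com covers exactly one label.
        if ($d.StartsWith('*.') -and
            $Name -imatch ('^[^.]+\.' + [regex]::Escape($d.Substring(2)) + '$')) {
            return $true
        }
    }
    return $false
}

$server = $env:COMPUTERNAME

# Certificates that Exchange will offer for SMTP (the Services flag contains SMTP)
$smtpCerts = Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match 'SMTP' }
$domains   = @($smtpCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString() })

Write-Host "SMTP-enabled certificate names on ${server}: $($domains -join ', ')"

$uncovered = @()
foreach ($rc in Get-ReceiveConnector -Server $server) {
    $fqdn = [string]$rc.Fqdn
    if ([string]::IsNullOrEmpty($fqdn)) { continue }   # connector inherits the server FQDN
    if (Test-NameCovered -Name $fqdn -Domains $domains) {
        Write-Host ("OK       {0,-45} {1}" -f $rc.Identity, $fqdn)
    } else {
        Write-Warning ("No SMTP certificate matches '{0}' on connector {1}" -f $fqdn, $rc.Identity)
        $uncovered += $fqdn
    }
}

if ($uncovered.Count -gt 0) {
    # Same fix as the post: recreate the default self-signed certificate, which carries
    # the server hostname and internal FQDN. Answer "n" at the overwrite prompt so the
    # public UCC certificate remains the default for mail.example.com.
    New-ExchangeCertificate

    # Verify: both the UCC and the new self-signed certificate should now list SMTP.
    Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match 'SMTP' } |
        Format-List Thumbprint, Services, CertificateDomains, NotAfter
}
```

After the fix, a clean run prints OK for every connector and event 12014 should stop recurring; re-run the script after the next certificate renewal, because deleting a certificate is exactly when this mismatch reappears.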

Mail started being delivered securely via TLS encryption and the event log errors ceased.

The moral of the story: don't delete the default self-signed certificate when installing your valid certificate!
