A recent Exchange 2010 deployment was not able to receive email over TLS, even though a valid SAN certificate (UCC) was installed and assigned as the default for SMTP services. Additionally, the server would log event ID 12014 every 15 minutes with the following message:
The error message states a certificate for the server’s internal FQDN, rather than the mail.example.com as listed on the certificate, could not be found. Since the “Default SERVER” receive connector’s EHLO name can’t be changed from the actual FQDN of the server to the external name to match the certificate, the problem likely stemmed from when the default self-signed certificate was deleted in lieu of the new valid UCC one.
Here’s how to fix it.
Open the Exchange Management Shell and type New-ExchangeCertificate
Press “n” to skip overwriting the existing default SMTP certificate when prompted. A new self-signed certificate will be recreated with both the hostname and internal FQDN of the server.
Mail started being delivered securely via TLS encryption and the event log errors ceased.
Moral of the story is don’t delete the default self-signed certificate when installing your valid certificate!