Sunday, November 8 2020

Replacing Send Connector Certificate

A special Rpc error occurs on server EXCH1: These certificates are tagged with following Send Connectors : Outbound to Office 365. Removing and replacing certificates from Send Connector would break the mail flow. If you still want to proceed then replace or remove these certificates from Send Connector and then try this command.

$cert = Get-ExchangeCertificate -Thumbprint XXXXXX 
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"

To replace the certificate on the Send Connector –

Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

To replace the certificate on the Receive Connector –

Set-ReceiveConnector "EXCH1\Default Frontend EXCH1" -TlsCertificateName $tlscertificatename

If you don’t update the Receive Connector, hybrid mail flow can stop with a TLS error:

Reason: [{LED=450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send mail] [LastAttemptedServerName=83.0.59.81] [LastAttemptedIP=83.0.59.81:25] [DX2ARE01FT002.eop-are01.prod.protection.outlook.com]};{MSG=451 5.7.3 STARTTLS is required to send mail};{FQDN=83.0.59.81};{IP=83.0.59.81};. OutboundProxyTargetIP: 83.0.59.81.
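The steps above as one pre-checked script, an added example rather than the author's own code. The function name Update-ConnectorTlsCertificate and its parameters are hypothetical, and it assumes the Exchange Management Shell; it checks the validity dates, SMTP service binding and private key before touching either connector, then reads the settings back.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange server.
# Update-ConnectorTlsCertificate is a hypothetical helper name, not an Exchange cmdlet.
function Update-ConnectorTlsCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$SendConnector,
        [Parameter(Mandatory)][string]$ReceiveConnector
    )
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop
    $now  = Get-Date

    # Refuse a certificate that cannot serve STARTTLS on this server.
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        throw "Certificate $Thumbprint is outside its validity period (NotAfter: $($cert.NotAfter))."
    }
    if ("$($cert.Services)" -notmatch 'SMTP') {
        throw "Certificate $Thumbprint is not enabled for the SMTP service."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this server."
    }

    # TlsCertificateName carries only issuer and subject, so certificates with
    # identical values cannot be told apart by that string. Warn about them.
    $twins = @(Get-ExchangeCertificate | Where-Object {
        $_.Issuer -eq $cert.Issuer -and $_.Subject -eq $cert.Subject -and
        $_.Thumbprint -ne $cert.Thumbprint })
    if ($twins.Count -gt 0) {
        Write-Warning "Same issuer and subject also on: $($twins.Thumbprint -join ', ')"
    }

    $tlsName = "<i>$($cert.Issuer)<s>$($cert.Subject)"
    if ($PSCmdlet.ShouldProcess($SendConnector, "Set TlsCertificateName to $tlsName")) {
        Set-SendConnector $SendConnector -TlsCertificateName $tlsName
    }
    if ($PSCmdlet.ShouldProcess($ReceiveConnector, "Set TlsCertificateName to $tlsName")) {
        Set-ReceiveConnector $ReceiveConnector -TlsCertificateName $tlsName
    }

    # Read the values back so the change is confirmed rather than assumed.
    Get-SendConnector $SendConnector | Select-Object Name, TlsCertificateName
    Get-ReceiveConnector $ReceiveConnector | Select-Object Name, TlsCertificateName
}

# -WhatIf previews the two Set- calls; drop it to apply. XXXXXX is the page's placeholder.
Update-ConnectorTlsCertificate -Thumbprint 'XXXXXX' `
    -SendConnector 'Outbound to Office 365' `
    -ReceiveConnector 'EXCH1\Default Frontend EXCH1' -WhatIf
```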

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Office Server and Services MVP and publisher of Azure365pro.com. Specialized in Office365 / Microsoft Exchange / Virtualization, Sathesh is a messaging expert supporting, designing and deploying for many medium-size businesses to large enterprises when it comes to corporate messaging and virtualization infrastructure.


6 comments

  1. I ran into this problem today, and unfortunately this did not fix the issue. Here is how I fixed it.

    First (fail) I re-ran the HCW and linked the send connector to the new certificate and tried to remove the old one. Still failed with the same message.

    Luckily, we are still in the testing phase of O365 mail, so I just deleted the ‘Outbound to Office 365’ send connector, deleted the old certificate and re-ran the HCW.

    In a full production environment, this will break mail flow, so use wisely! Hope this helps someone else out.

    • Thank you for the Additional inputs

      • Hi Satheshwaran Manoharan

        I had the issue where my connector “Outbound to Office 365” was using an expired certificate.

        Once I did the following
        get-exchangecertificate
        copied the thumbprint from new cert

        get-sendconnector "outbound to office 365" |fl
        verify what cert it was using

        ran your Cmd
        $cert = Get-ExchangeCertificate -Thumbprint XXXXXX
        $tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
        Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

        get-sendconnector "outbound to office 365" |fl

        new certificate was applied

        1376 emails began flowing

        Thank you so much, your website got me up and running again.

        Paul

  2. I tried this method and Set-SendConnector returned a message that it had completed successfully but not made any changes. Unfortunately the issuer and subject of my old and new certificates are exactly the same, so I assume Set-SendConnector isn’t able to tell the difference. What I ended up doing was temporarily setting the connector to use one of the other Exchange certificates so that the identifiers WERE different, long enough to delete the expired certificate and then set the connector back to the correct and non-expired certificate. As warned above, this will probably stop mail flow but should take only a minute or two to accomplish.

  3. Satheshwaran – thanks a lot.. this worked for us.. after a few hours of troubleshooting much appreciated! great work. cheers!
