Funky Flow of Internal to External mail stops after TLS/SSL Certificate renewal (Full Version)

All Forums >> [Microsoft Exchange 2013] >> Management

Message -> Funky Flow of Internal to External mail stops after TLS/SSL Certificate renewal (9.May2016 7:27:21 PM)


Our TLS/SSL certificates are expiring this Friday. Last Friday evening, we began the process of renewing certificates on our Exchange server(s) within our environment. We had to step back the update because of an issue I describe below. We have less than a week to determine what went wrong so we can repeat the process before our certs expire.

We have two servers in our Exchange platform. Both 2012 RT. One is a Mailbox server on our domain within our network. The other is an Edge Transport server not on our domain within our DMZ. We've been running these servers for almost one year now. The mailbox server has a wildcard certificate and the Edge transport server uses its self-signed cert. The Edge subscription works and we've had no issues since they were stood up.

As mentioned earlier, last Friday we began updating our certificates. We have a new wildcard certificate from Symantec and a newly created self-signed certificate for the Edge transport. Both certificates were added to the local stores of their corresponding servers either by the MMC snap-in or the Import-ExchangeCertificate cmdlet.

Next, via PowerShell they were enabled for SMTP (on Edge) and SMTP, IIS (on the Mailbox server). We then created a new subscription on the Edge server and quickly copied that .xml over to the Mailbox server. Via PowerShell we ran New-EdgeSubscription on the Mailbox server.

We verified via ECP that new send connectors were created and were set up correctly apart from SMTP logging and max send size. All mail was flowing into the environment (i.e. from Gmail, Hotmail, Yahoo to our Exchange) but no mail was flowing out.

The very weird part:
We were all submitting several 'test' messages from Outlook, OWA, and our mobile phones. None were being delivered. However, the message queues were showing no messages in the queues of either server. There were also no errors in the event logs of either server.

We troubleshot by restarting services, then servers, and finally, after 3 hours of no email, reverted to the old certificates, basically redoing what we had done to renew but with the old original certificates.
Once we did that, almost at once the message queues filled up with all of our test messages and those messages began flowing out to our various personal emails.

The only antivirus we have running on our servers is McAfee Security for Exchange. I talked with them this morning and they assured me their software has no way of stopping, halting, and/or queuing messages in that manner.

We're at a loss. I've never hopped on MSExchange before as I have always been able to figure it out. This has me beat... Any help would be appreciated greatly. I'm more than willing to provide any information that I may have left out within the bounds of security safety.

-> RE: Funky Flow of Internal to External mail stops after TLS/SSL Certificate renewal (10.May2016 3:48:13 PM)

Well, tonight (in 4 hours 15 min @ 8pm CT) I have a 2-hour maintenance window to try the following:

Stage this out, and only replace the Edge Transport Server Certificate first. Test mail flow and see if that works.
If it does, try the wildcard cert update again.
If it does not, perform some logging tests.

Anyone else have any ideas? I'm game. I can't believe how rare an issue this seems to be within this community of experts.
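The staged rollover the reply proposes (Edge certificate first, verify mail flow, then the wildcard), with the checks that tell you where a message stalled when the queues and event logs say nothing, as an added Exchange Management Shell example. This is not the poster's script or anything from the thread: server names, paths, the AD site name, the sender address and the size limit are placeholders, and the connector names assume the EdgeSync defaults. The Mailbox server trusts the Edge's self-signed certificate only through the Edge subscription, which is why a new Edge certificate needs a fresh subscription file before the two sides will talk again.

```powershell
# Added example, not from the original post. All names below are assumptions.

# ---- Stage 1: Edge Transport server (run on the Edge, in the Exchange Management Shell) ----

# Create the replacement self-signed certificate and bind it to SMTP.
$edgeCert = New-ExchangeCertificate -SubjectName "CN=edge01.example.net" `
    -DomainName "edge01.example.net" -FriendlyName "Edge SMTP 2016" -PrivateKeyExportable $true
Enable-ExchangeCertificate -Thumbprint $edgeCert.Thumbprint -Services SMTP -Force
Restart-Service MSExchangeTransport

# Check which certificate is actually bound to SMTP before exporting the subscription.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, NotAfter, Services, Subject -AutoSize

# Re-export the subscription; the old one references the old Edge certificate.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# ---- Stage 2: Mailbox server (after copying EdgeSubscription.xml across) ----

$siteName = "Default-First-Site-Name"   # assumption: replace with the real AD site name
$subscriptionBytes = [byte[]](Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $subscriptionBytes -Site $siteName `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true
Start-EdgeSynchronization
Test-EdgeSynchronization -FullCompareMode

# Re-apply settings the freshly created connectors do not carry over (the poster noticed logging
# and max send size were missing after re-subscribing).
Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync*to Internet' } |
    Set-SendConnector -ProtocolLoggingLevel Verbose -MaxMessageSize 25MB

# ---- Stage 3: only once outbound mail is confirmed working, replace the wildcard cert ----

$pfxBytes = [byte[]](Get-Content -Path "C:\wildcard-2016.pfx" -Encoding Byte -ReadCount 0)
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$mbxCert = Import-ExchangeCertificate -FileData $pfxBytes -Password $pfxPassword -PrivateKeyExportable $true
Enable-ExchangeCertificate -Thumbprint $mbxCert.Thumbprint -Services SMTP,IIS -Force
Restart-Service MSExchangeTransport
iisreset

# ---- Verification after each stage: send one test message from OWA, then run these ----

$start = (Get-Date).AddMinutes(-10)
$testSender = "admin@example.net"        # assumption: the mailbox you sent the test from

# Queues on both servers. A message sitting between the two servers shows up on one of them
# with a NextHopDomain and a LastError; an empty queue on both means it never reached transport.
Get-Queue -Server mbx01.example.local | Format-Table Identity, Status, MessageCount, NextHopDomain, LastError
Get-Queue -Server edge01.example.net  | Format-Table Identity, Status, MessageCount, NextHopDomain, LastError

# Message tracking log on the Mailbox server: SUBMIT -> SEND is the healthy path to the Edge.
# A FAIL or AGENTINFO row, or a SUBMIT with no SEND, pins down the stage that swallowed the message.
Get-MessageTrackingLog -Server mbx01.example.local -Start $start -Sender $testSender -ResultSize Unlimited |
    Sort-Object Timestamp |
    Format-Table Timestamp, EventId, Source, Recipients, MessageSubject, RecipientStatus -AutoSize

# Transport agents registered on the Mailbox server (third-party mail security products register here).
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# Per-connection protocol log for the send connector, with TLS negotiation lines, if logging was re-enabled.
$logPath = (Get-TransportService -Identity mbx01.example.local).SendProtocolLogPath
Get-ChildItem -Path $logPath -Filter *.log | Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content | Select-String -Pattern 'STARTTLS|TLS|certificate' | Select-Object -Last 20
```

Run the verification block after Stage 1 and again after Stage 3 so that a failure can be attributed to one certificate change rather than both. The tracking log query is the important one for the symptom in the thread: an outbound message that never appears in any queue still leaves SUBMIT and, if a transport agent rejected or dropped it, AGENTINFO or FAIL entries on the Mailbox server.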

