Scenario: Messages sent from Exchange Online to our newly added Hybrid Exchange On-Premises servers are being deferred. When we investigate the deferral, the connection error details show UntrustedRoot.
Cause/Solution: Although the new Hybrid Exchange On-Premises servers had the correct Exchange certificate installed, we still needed to set both the TlsCertificateName and the TlsDomainCapabilities values on the default front end receive connector of each new server.
For troubleshooting purposes, here is what we did:
1. Ran Get-ExchangeCertificate on each server and verified that SMTP was enabled on the correct third-party certificate. In the default table output it is represented by an S (for SMTP) in the Services column.
2. Ran Get-TransportService and verified that InternalTransportCertificateThumbprint matches the thumbprint of the certificate identified in step 1.
3. Ran Get-ReceiveConnector on the receive connector that should accept SMTP connections from Exchange Online (for us it was the default front end connector). THIS WAS OUR SOLUTION: we had to set both the TlsCertificateName and the TlsDomainCapabilities properties on this receive connector:
TlsCertificateName = "CN=<cert identifiable value>"
TlsDomainCapabilities = "mail.protection.outlook.com:AcceptCloudServicesMail"
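The three steps above as one Exchange Management Shell script, added here as an example and not code from the original post. It assumes the new Hybrid server is named EX01 and that Exchange Online connects to its default front end receive connector "EX01\Default Frontend EX01"; change both for your environment. One caveat worth knowing: Exchange does not expect a bare CN in TlsCertificateName but the documented "<I>issuer<S>subject" form, so the script builds that value from the certificate object instead of typing it by hand.

```powershell
# Added example, not code from the original post. Run from the Exchange Management Shell.
# Assumptions (change for your environment): the new Hybrid server is EX01 and
# Exchange Online connects to its default front end receive connector.
$Server        = "EX01"
$ConnectorId   = "$Server\Default Frontend $Server"
$EolCapability = "mail.protection.outlook.com:AcceptCloudServicesMail"

# Step 1: the third-party certificate that has SMTP enabled. The Services property
# prints as e.g. "IMAP, POP, IIS, SMTP" (the table view abbreviates it, S = SMTP).
# Exchange's own self-signed certificates also carry SMTP, so exclude those.
$smtpCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { ("$($_.Services)" -match "SMTP") -and (-not $_.IsSelfSigned) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $smtpCert) { throw "No third-party certificate is enabled for SMTP on $Server." }
Write-Output "SMTP certificate: $($smtpCert.Thumbprint) ($($smtpCert.Subject))"

# Step 2: the transport service must be using that same certificate.
$transport = Get-TransportService -Identity $Server
if ($transport.InternalTransportCertificateThumbprint -ne $smtpCert.Thumbprint) {
    Write-Warning ("InternalTransportCertificateThumbprint is " +
        "$($transport.InternalTransportCertificateThumbprint), expected $($smtpCert.Thumbprint).")
}

# Step 3: build TlsCertificateName in the "<I>issuer<S>subject" form Exchange expects,
# then compare against what the connector currently has before changing anything.
$tlsCertName = "<I>$($smtpCert.Issuer)<S>$($smtpCert.Subject)"

$connector   = Get-ReceiveConnector -Identity $ConnectorId
$currentName = "$($connector.TlsCertificateName)"
$currentCaps = @($connector.TlsDomainCapabilities | ForEach-Object { "$_" })

if (($currentName -ne $tlsCertName) -or ($currentCaps -notcontains $EolCapability)) {
    Write-Output "Fixing $ConnectorId (TlsCertificateName='$currentName', TlsDomainCapabilities='$($currentCaps -join ',')')"
    # -TlsDomainCapabilities replaces the whole list; include any other entries the
    # connector already needs if it serves more than Exchange Online.
    Set-ReceiveConnector -Identity $ConnectorId `
        -TlsCertificateName $tlsCertName `
        -TlsDomainCapabilities $EolCapability
}

# Re-read the connector so the result shown is what Exchange actually stored.
Get-ReceiveConnector -Identity $ConnectorId |
    Format-List Identity, TlsCertificateName, TlsDomainCapabilities
```

The Hybrid Configuration Wizard normally writes both of these values onto the default front end connector; when servers are added after the wizard last ran, either setting them by hand as above or re-running the wizard is what puts them in place. Repeat the script per new server (or loop over Get-TransportService), since each server has its own front end connector.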