Hub Transport TLS certificates

GrayhenTor

Trying to find out some more info about TLS certificate expiry on Exchange 2007 HT server...

When they pass expiry date you get event 12016:
"There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN ... The continued use of that FQDN will cause mail flow problems"

The HT server continues to route emails after this though ( for at least two weeks which is how long it took me to get around to renewing the cert).
So...
- Does it route them but not encrypt them ?
- Does there come a time when the HT server will actually stop routing unless a certificate is renewed/installed? How long is this grace period ?

?

Claymoore

GrayhenTor wrote: »

The HT server continues to route emails after this though ( for at least two weeks which is how long it took me to get around to renewing the cert).
So...
- Does it route them but not encrypt them ?
- Does there come a time when the HT server will actually stop routing unless a certificate is renewed/installed? How long is this grace period ?

?

They will route but not encrypt
A connector that requires TLS will fail with an invalid cert and there is no grace period.

Exchange 2007 uses opportunistic TLS, which means it will try to send messages using TLS first and then try without TLS. When the HT server tried to connect to a third-party SMTP server, that server should have rejected the TLS connection based on the expired cert. At that point, the HT server would try a regular SMTP connection and send the mail. The only time delivery would fail is if you require the SMTP servers to authenticate or otherwise require TLS and an invalid cert would prevent the connection.