Exchange On Premises and Office 365 Mail Flow Issues: TlsCertificateName of the SendConnector Could Not Be Found

By December 16, 2019September 23rd, 2020Blog, Exchange, Microsoft
Microsoft Exchange infrastructure diagram

We recently had a client who had an issue after replacing their external certificate for their Exchange 2016 Hybrid. While they could send emails out, inbound emails were not reaching the individuals’ mailboxes in Office 365.

Upon researching the issue, I noticed the following error in their mail queues:

–> 454 4.7.5 The certificate specified in TlsCertificateName of the SendConnector could not be found.

Inside this queue were now hundreds of messages that had obviously reached the server, but had not been delivered to the individual mailboxes in Office 365.

I knew the new certificate was in place and had the correct services assigned to it. Since email was flowing outbound and I could see messages in the queue, mail was at least getting to the on-prem Exchange server. This, along with the error message led me to be positive the error was in the send connector to Office 365.

The Root of the Problem

When a new certificate is assigned services, if it sees another certificate that has the same services assigned, it will ask if you want to overwrite the old certificate’s thumbprint with the new one to provide these services. By selecting yes, this should tell the connector that you want to use this new certificate for the services. This doesn’t always happen. So what do you do?

To fix this Mailflow issue with Exchange Server is quite simple.

  1. Verify the intermediate certificates for your new certificate are placed in the proper containers
  2. Most likely, the send connector is not using the new certificate. This is not possible to see in the GUI.
  3. To fix, perform the following to update the TLSCertificateName attribute on the Office 365 SendConnector

$Cert = Get-ExchangeCertificate -Thumbprint <New Exchange Certificate>

$TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject)

Set-SendConnector -Identity <Office 365 send Connector> -TLSCertificateName $TLSCert

This should resolve the issue. If you retry the queue it should change to active and mail should now flow into the individual mailboxes.

Myke Schwartz, Director of IT Operations


Leave a Reply