From: Z on 6 May 2010 14:32
We have been using TLS (over SMTP) for many years on Exchange 2003 SP2
(Windows 2003 SP2).
A time has come to renew a certificate as the existing one was expiring, so
we did renew. We installed the new certificate successfully 2 months before
expiration of the current/old certificate.
When the old certificate expired we were still receiving secure email (TLS)
from most senders but a few. No problems to send secure email.
We tested the SMTP protocol using telnet and all looked fine up to the last
step you can test with telnet (issuing the STARTTLS command and receiving the
correct 220 ..... response). But one of the vendors had logs showing that they
cannot proceed beyond this point (failed TLS handshake).
We also noticed Event ID 2008 ("invalid or expired certificate") reported by
the smtpsvc service a few minutes after the service restart. If you manually
delete the old certificate you receive Event ID 2002 (cert missing) instead of
2008.
Solution follows in response to this question so it can be useful to
somebody else with this issue.
From: Z on 6 May 2010 14:44
And now the solution.
The problem was that the smtpsvc service (which serves, for example, “Default
SMTP virtual server”) was still bound to the old certificate despite the fact
the cert was properly installed.
The solution is simple: just open ESM (Exchange System Manager on Exchange
2003), browse all the way to the SMTP virtual server (the default one is
“Default SMTP virtual server”), click Properties/Access/Certificate and use
the launched wizard to select the correct certificate. I am not sure if a
service restart is necessary but I did restart smtpsvc.
That fixed it, issue no more, no more 2002 or 2008.
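The check below is an added example, not part of Z's posts: it carries the telnet test past the point where telnet stops, by completing the STARTTLS handshake with Python's smtplib the way a strict sending MTA does, and then fingerprints whichever certificate the SMTP virtual server actually presents so the thumbprint can be compared with the renewed certificate's thumbprint from the certificate MMC snap-in. A mismatch, or a strict-handshake error mentioning an expired certificate, is exactly the "still bound to the old certificate" condition described above. The host name `mail.example.com` and the expected thumbprint are placeholders; the script assumes Python 3 with the platform trust store and needs no Exchange-specific tooling.

```python
"""Probe an SMTP server's STARTTLS certificate as a strict sending MTA would,
then report which certificate is really bound to the SMTP virtual server."""
import hashlib
import smtplib
import ssl
import time


def cert_validity(not_before, not_after, now=None):
    """Classify a validity window given in ssl getpeercert() format,
    e.g. 'May  6 14:32:00 2010 GMT'. `now` is a Unix timestamp (default: current time)."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if now < start:
        return "not_yet_valid"
    if now > end:
        return "expired"
    return "valid"


def fingerprints(der):
    """SHA-1 and SHA-256 thumbprints of a DER-encoded certificate, upper-case hex, no separators.
    The SHA-1 value is what the Windows certificate MMC snap-in shows as 'Thumbprint'."""
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def same_thumbprint(a, b):
    """Compare thumbprints ignoring case and the spaces/colons the MMC or OpenSSL insert."""
    def clean(s):
        return "".join(ch for ch in s if ch.isalnum()).upper()
    return clean(a) == clean(b)


def probe_starttls(host, port=25, expected_thumbprint=None, timeout=15):
    """Run two STARTTLS handshakes against host:port.
    1. Strict (platform trust store + hostname check): what a careful sender sees.
    2. Lenient (no verification): only to capture the DER bytes actually served,
       so the bound certificate can be identified by thumbprint."""
    result = {"host": host, "strict_ok": False, "strict_error": None,
              "validity": None, "thumbprints": None, "matches_expected": None}

    # Step 1: strict handshake, as the vendor's MTA performed it.
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()                       # STARTTLS must be advertised in the EHLO reply
        smtp.starttls(context=ssl.create_default_context())  # expects the 220 reply, then TLS
        cert = smtp.sock.getpeercert()    # parsed only when verification succeeded
        result["strict_ok"] = True
        result["validity"] = cert_validity(cert["notBefore"], cert["notAfter"])
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        result["strict_error"] = str(exc)  # e.g. 'certificate has expired' for the old cert
    finally:
        smtp.close()

    # Step 2: lenient handshake purely to fingerprint the served certificate.
    lenient = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lenient.check_hostname = False
    lenient.verify_mode = ssl.CERT_NONE
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        smtp.starttls(context=lenient)
        der = smtp.sock.getpeercert(binary_form=True)
    finally:
        smtp.close()
    result["thumbprints"] = fingerprints(der)
    if expected_thumbprint:
        result["matches_expected"] = any(
            same_thumbprint(value, expected_thumbprint)
            for value in result["thumbprints"].values())
    return result


if __name__ == "__main__":
    import sys
    # Placeholder host and thumbprint; pass the real server and the renewed cert's thumbprint.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    for key, value in probe_starttls(target, expected_thumbprint=expected).items():
        print(f"{key}: {value}")
```

Run it as `python probe.py mail.example.com "a9 99 3e ..."` with the thumbprint copied from the renewed certificate's Details tab; `strict_error` reproduces what a verifying sender logs, and `matches_expected: False` after a successful renewal points straight at the virtual server's certificate binding rather than at the certificate store.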