Internal transport certificate expired

by Shijaz Abdulla on 27.01.2009 at 16:47

January 27, 2009

The internal transport certificate is automatically generated at the Exchange Server 2007 hub transport server and is usually valid only for one year. Once the certificate expires, you will receive continuous event 12019 errors in your Edge transport servers that are subscribed via Edgesync.

Event Type:      Error
Event Source:    MSExchangeTransport
Event Category:  TransportService
Event ID:        12019
Date:            1/27/2009
Time:            4:46:34 PM
User:            N/A
Computer:        EDGETRANSPORT
The remote internal transport certificate expired. Certificate subject: CN=<hub transport server>.

You can generate a new SMTP transport certificate on the Hub transport server by running the New-ExchangeCertificate cmdlet with no arguments.


This will automatically generate a new certificate. You then need to restart the Microsoft Exchange Edgesync service so that the Edge transport servers will be informed of the change.

Allowing application servers to relay on Exchange 2007 Hub Transport servers

by Shijaz Abdulla on 03.08.2008 at 14:00

I finally decided to switch off my Exchange 2003 Servers which handled relay requests from application servers. The Exchange Server 2007 hub transport servers would be entrusted with this task. I modified the DNS record so that all SMTP relaying will be directed to my Hub transport server.

However, once I did this, I found that most of my application servers could not relay messages that were destined for recipients outside the organization. A closer examination revealed that the hub transport servers were closing connections by returning a "550 5.7.1 Unable to Relay" error message.

Here’s what I did to workaround the problem.

I created a new SMTP Connector with the following properties:


The important bit is where you specify the remote servers that should be allowed to send mail via this connector. Although it’s tempting to add all IP addresses, make sure you add only your application server IP addresses here. Otherwise you’re gonna have a major email security problem!


In the authentication options, enable only TLS and Externally Secured. This is a method of re-assuring Exchange that email sent is externally secured and its okay to take it easy and accept email and that you totally trust these IP addresses.


Under Permission Groups, make sure you select Exchange Servers and Anonymous.


And you’re all set. The IP addresses that you specified on this connector will use this receive connector to relay messages internally and outside your organization.