Selection of Inbound STARTTLS Certificates

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Topic Last Modified: 2011-01-19

The selection of an inbound STARTTLS certificate occurs in the following scenarios:

  • Simple Mail Transfer Protocol (SMTP) hosts request Transport Layer Security (TLS) with Edge Transport servers. The host that requests TLS with the Edge Transport server may be any other SMTP host. This also describes the Domain Security scenario. For more information about Domain Security, see Planning for Domain Security.

  • SMTP clients, such as Microsoft Outlook Express, request TLS with Hub Transport servers.

  • Internet-facing Hub Transport servers request TLS with an Edge Transport server.

When an SMTP session is established, the receiving server initiates a certificate selection process to determine which certificate to use in the TLS negotiation. The sending server also performs a certificate selection process. For more information about that process, see Selection of Outbound Anonymous TLS Certificates.

This topic describes the certificate selection process for inbound STARTTLS. All the steps described in this topic are performed on the receiving server. The following figure shows the steps of this process.

Selection of an inbound STARTTLS certificate

  1. When the SMTP session is established, Microsoft Exchange calls a process to load the certificates.

  2. In the load certificate function, the Receive connector to which the session is connected is checked to see whether the AuthMechanism property is set to a value of TLS. You can set the AuthMechanism property on the Receive connector by using the Set-ReceiveConnector cmdlet. You can also set the AuthMechanism property to TLS by selecting Transport Layer Security (TLS) on the Authentication tab of a given Receive connector.

    If TLS is not enabled as an authentication mechanism, the server does not advertise X-STARTTLS as an option to the sending server and no certificate is loaded. If TLS is enabled as an authentication mechanism, the certificate selection process continues to the next step.

  3. The certificate selection process retrieves the fully qualified domain name (FQDN) value from the Receive connector configuration. If the FQDN value on the Receive connector is null, the server’s physical FQDN is retrieved.

  4. The certificate selection process searches the local computer certificate store for certificates that match the FQDN. If a certificate is not found, the server does not advertise X-STARTTLS, no certificate is loaded, and Event ID 12014 is logged in the Application log.

  5. The certificate selection process searches for all certificates in the certificate store that have a matching FQDN. From this list, the certificate selection process identifies a list of eligible certificates. Eligible certificates must meet the following criteria:

    • The certificate is an X.509 version 3 or a later version certificate.

    • The certificate has an associated private key.

    • The Subject or Subject Alternative Name fields contain the FQDN that was retrieved in step 3.

    • The certificate is enabled for Secure Sockets Layer (SSL)/TLS use. Specifically, the SMTP service has been enabled for this certificate by using the Enable-ExchangeCertificate cmdlet.

  6. If no eligible certificates are found after these checks, the server does not advertise X-STARTTLS, no certificate is loaded, and Event ID 12014 is logged in the Application log.

  7. From the eligible certificates, the best certificate is selected based on the following sequence:

    • Sort eligible certificates by most recent Valid from date. Valid from is a Version 1 field on the certificate.

    • The first valid public key infrastructure (PKI) certificate that is found in this list is used.

    • If no valid PKI certificates are found, the first self-signed certificate is used.

  8. The certificate is checked to see whether it has expired. The Valid to field in the certificate properties is compared to the current date and time. If the certificate has not expired, STARTTLS is advertised. If the certificate has expired, Event ID 12016 is logged in the Application log, but STARTTLS is still advertised.
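The following is an added example, not code from this documentation or from Exchange itself: a Python model of steps 2 through 8 above, run over a constructed in-memory certificate store in place of the local computer certificate store. The Cert fields, the demo() helper, and the contoso.example names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Cert:
    """Constructed stand-in for an entry in the local computer certificate store."""
    cn: str                                   # Subject common name
    san: list = field(default_factory=list)   # Subject Alternative Name DNS entries
    version: int = 3
    has_private_key: bool = True
    smtp_enabled: bool = True                 # Enable-ExchangeCertificate -Services SMTP was run
    self_signed: bool = False
    valid_from: datetime = datetime(2010, 1, 1)
    valid_to: datetime = datetime(2012, 1, 1)

def select_inbound_cert(certs, connector_fqdn, server_fqdn, tls_enabled, now):
    """Return (chosen_cert_or_None, advertise_starttls, event_ids_logged)."""
    events = []
    if not tls_enabled:                                  # step 2: no TLS auth mechanism
        return None, False, events
    fqdn = (connector_fqdn or server_fqdn).lower()       # step 3: connector FQDN, else server FQDN
    matching = [c for c in certs                         # step 4: name match in Subject or SAN
                if fqdn in (n.lower() for n in [c.cn] + c.san)]
    if not matching:
        events.append(12014)
        return None, False, events
    eligible = [c for c in matching                      # step 5: eligibility criteria
                if c.version >= 3 and c.has_private_key and c.smtp_enabled]
    if not eligible:                                     # step 6
        events.append(12014)
        return None, False, events
    eligible.sort(key=lambda c: c.valid_from, reverse=True)   # step 7: newest Valid from first
    pki = [c for c in eligible if not c.self_signed]          # PKI-issued beats self-signed
    best = pki[0] if pki else eligible[0]
    if best.valid_to < now:                              # step 8: expiry is logged, STARTTLS still advertised
        events.append(12016)
    return best, True, events

# Constructed sample store: the newest cert is self-signed, an older PKI cert matches
# only through its SAN and has expired, and a PKI cert with a matching CN lacks SMTP.
STORE = [
    Cert("mail.contoso.example", self_signed=True,
         valid_from=datetime(2011, 1, 1), valid_to=datetime(2012, 1, 1)),
    Cert("owa.contoso.example", san=["mail.contoso.example"],
         valid_from=datetime(2010, 6, 1), valid_to=datetime(2010, 12, 31)),
    Cert("mail.contoso.example", smtp_enabled=False, valid_from=datetime(2010, 9, 1)),
]

def demo(connector_fqdn="mail.contoso.example", now=datetime(2011, 3, 1)):
    return select_inbound_cert(STORE, connector_fqdn, "host.contoso.example", True, now)
```

With this store, demo() picks the expired PKI certificate over the newer self-signed one and logs 12016 while still advertising STARTTLS; demo(None) falls back to the server FQDN, matches nothing, and logs 12014.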

For more information about how certificates are selected for other TLS scenarios, see the following topics: