I recently had a customer with an Exchange 2013 hybrid configuration who needed to replace an expired SSL certificate. After they imported the new certificate and assigned it to the SMTP service, mail flow from on-premises to Office 365 stopped.
The cause was the on-premises send connector to Office 365: its TlsCertificateName property still referenced the expired certificate, which had by then also been deleted from the server, so the connector had no certificate to present for TLS and outbound mail queued.
The fix was to point the send connector at the new certificate:
- Open the Exchange Management Shell on the on-premises Exchange server.
- Run Get-ExchangeCertificate and note the Thumbprint of the certificate that should now be used (check the NotAfter date so you do not pick another expired one).
- Load that certificate into a variable, substituting your thumbprint:
$cert = Get-ExchangeCertificate -Thumbprint <thumbprint>
- Build the value Exchange expects for TlsCertificateName. It is the certificate's Issuer and Subject concatenated, with the literal tags <I> and <S> in front of each field:
$TLSCert = ('<I>' + $cert.Issuer + '<S>' + $cert.Subject)
- Update the send connector with the new value, substituting the name of your Office 365 send connector:
Set-SendConnector -Identity "Send Connector Name" -TLSCertificateName $TLSCert
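The steps above as a single script, added here as a worked example rather than taken from the original post. It selects the renewed certificate by subject name instead of by thumbprint, checks that it is not expired, records what the connector referenced before the change, verifies the update, and then retries the queued mail. The connector name "Outbound to Office 365" and the subject name "mail.contoso.com" are placeholders to replace with your own values.

```powershell
# Added example (not part of the original post): re-point the hybrid send
# connector at the renewed certificate. Run in the Exchange Management Shell.

$ConnectorName   = 'Outbound to Office 365'   # assumption: your send connector name
$CertSubjectName = 'mail.contoso.com'         # assumption: CN of the renewed certificate

# Pick the newest unexpired certificate bound to SMTP whose subject matches.
$cert = Get-ExchangeCertificate |
    Where-Object {
        $_.Services -match 'SMTP' -and
        $_.Subject  -like "*CN=$CertSubjectName*" -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired SMTP certificate found for $CertSubjectName"
}

# Exchange stores the reference as "<I>issuer<S>subject".
$TLSCert = '<I>' + $cert.Issuer + '<S>' + $cert.Subject

# Record what the connector currently references. If this names a certificate
# that no longer exists on the server, this is the value breaking mail flow.
$before = "$((Get-SendConnector -Identity $ConnectorName).TlsCertificateName)"
Write-Host "TlsCertificateName before: $before"
Write-Host "TlsCertificateName after:  $TLSCert"

Set-SendConnector -Identity $ConnectorName -TlsCertificateName $TLSCert

# Verify the change took effect.
$after = "$((Get-SendConnector -Identity $ConnectorName).TlsCertificateName)"
if ($after -ne $TLSCert) {
    throw "TlsCertificateName on '$ConnectorName' was not updated"
}

# Receive connectors carry the same property. Any that still reference the old
# certificate (for example the inbound hybrid connector) are updated as well.
Get-ReceiveConnector |
    Where-Object { "$($_.TlsCertificateName)" -eq $before -and $before -ne '' } |
    ForEach-Object {
        Write-Host "Updating receive connector $($_.Identity)"
        Set-ReceiveConnector -Identity $_.Identity -TlsCertificateName $TLSCert
    }

# Retry queues that are in a Retry state instead of waiting for the next
# scheduled retry interval.
Retry-Queue -Filter { Status -eq 'Retry' }
```

Selecting by subject name rather than a hard-coded thumbprint means the same script can be reused at the next renewal; the NotAfter check guards against picking the expired certificate if it is still present alongside the new one.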
After completing this, any mail queued for the Office 365 tenant should begin flowing again on the next delivery retry.