New SSL certificate causing mail flow to fail in hybrid deployments

This is a problem that I have seen, and just came up on the Exchange master list, so I thought it would be something that might save others some time and headaches. Renewing your SSL certificate on your Exchange hybrid server can cause mail flow to stop. Here’s why…

The problem goes like this. You have an Exchange 2013 server set up in a hybrid deployment with Exchange Online. This problem does not affect Exchange 2010 hybrid servers. Your SSL certificate is about to expire, so being a diligent administrator you renew it and install the new certificate on your hybrid server. Maybe a few weeks go by with everything working fine because your original certificate has not expired yet, but one day your mail flow stops coming in from Office 365 (depending on how you have your MX records set up, this might be just internal email or it might be all email). You see mail queues starting to build up in EOP, but since you have not changed anything on your servers in weeks you figure Microsoft must have screwed something up.

If you run Get-ReceiveConnector on your hybrid connector and compare its TlsCertificateName value with the corresponding value for your new SSL certificate, you'll see they no longer match. The solution is simply to run Set-ReceiveConnector with -TlsCertificateName matching that of the new certificate.
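Checking the hybrid receive connector against the renewed certificate and updating it only on a mismatch, as an added PowerShell example (not code from the original post). It assumes the Exchange Management Shell on the hybrid server; the thumbprint and connector name are placeholders.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the hybrid server. Thumbprint and connector name below are placeholders.
$newThumbprint = "<THUMBPRINT-OF-RENEWED-CERTIFICATE>"   # from Get-ExchangeCertificate
$connectorName = "EXHYB01\Default Frontend EXHYB01"       # assumed hybrid receive connector

# Exchange stores TlsCertificateName as "<I>Issuer<S>Subject", so build that
# string from the renewed certificate instead of typing it by hand.
$newCert = Get-ExchangeCertificate -Thumbprint $newThumbprint
if ($newCert.NotAfter -lt (Get-Date)) {
    throw "Certificate $newThumbprint has already expired; renew it first."
}
$expected = "<I>$($newCert.Issuer)<S>$($newCert.Subject)"

$connector = Get-ReceiveConnector -Identity $connectorName
$current   = [string]$connector.TlsCertificateName

Write-Host "Connector : $($connector.Identity)"
Write-Host "Current   : $current"
Write-Host "Expected  : $expected"

if ($current -eq $expected) {
    Write-Host "Receive connector already references the renewed certificate; nothing to do."
}
else {
    # This mismatch is the condition described above that stops inbound mail from EOP.
    Write-Warning "TlsCertificateName does not match the renewed certificate; updating it."
    Set-ReceiveConnector -Identity $connectorName -TlsCertificateName $expected

    # Re-read the connector to confirm the change actually took effect.
    $check = [string](Get-ReceiveConnector -Identity $connectorName).TlsCertificateName
    if ($check -ne $expected) {
        throw "Update failed: connector still reports '$check'"
    }
    Write-Host "Updated. Confirm with: Get-ReceiveConnector -Identity '$connectorName' | fl TlsCertificateName"
}
```

Running this before the old certificate expires, right after installing the renewed one, catches the mismatch while mail is still flowing rather than weeks later when EOP queues start to build.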

This is not a terribly complicated problem to fix, but it is also not obvious what the problem is when mail flow just stops working for what seems like no good reason at all.