If you wish to use TLS, or are using TLS authentication in a Office 365 Hybrid environment, and have manually changed or renewed the SSL certificate, you may still get errors about unable to initiate the TLS session (STARTTLS), even though the SSL certificate has been correctly renewed. Just setting the SSL certificate to be used with SMTP is not enough to make TLS work correctly. You also need to (re-)configure the TLS certificate name on your send and receive connectors.

As stated by the manual:

TlsCertificateName

The TlsCertificateName parameter specifies the X.509 certificate to use with TLS sessions and secure mail. Valid input for this parameter is [I]Issuer[S]Subject. The Issuer value is found in the certificate's Issuer field, and the Subject value is found in the certificate's Subject field. You can find these values by running the Get-ExchangeCertificate cmdlet.

To properly format the contents of TlsCertificateName, you can extract it from the certificate through some rudimentary scripting.

Fire up the EMS and retrieve the current certificates:

Get-ExchangeCertificate

You will get a list of all certificate, but you'll only need the one to be used for TLS, which you can extract by specifying its thumbprint. As we need to extract additional information from the certificate, we conviently dump it to a variable.

$cert = Get-ExchangeCertificate -Thumbprint DE67EC3C8D679DC35D171341FEC5148D012B1BAE2

From the variable we created, we can now compile our value for the TLS certificate name:

$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"

With our new variable in place, we can now change every receive connector to modify the TLS certificate name to the new value:

Set-ReceiveConnector "EXSERVERClient Frontend EXSERVER" -TlsCertificateName $tlscertificatename

If you have multiple receive connectors (or more than one server), repeat the command for every receive connector. The change is effective immediately.

Since Office 365 now requires TLS for inbound relaying, even when using sender IP address verification, you'll also need to do this on your outbound (send) connector. If you want to limit this to Office 365 only, you can create a specific send connector and set the TLSCertificateName on it:

Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

Notice

I've noticed that if a certificate is expired and being replaced, the TlsCertificateName seems to be reset, in which case it is necessary to run the command each time after a certificate is replaced (using Enable-ExchangeCertificate).