Kevin, I may be incorrect, but I believe I read somewhere that internal SMTP is encrypted with TLS using internal certs even on machines that have public certs installed. We also have a somewhat similar setup to the one you speak about, and I was confused when we started getting event log errors that internal SMTP traffic was now unencrypted because a certificate had expired, when I knew the public cert had another 2 months. It turned out I needed to renew that internal cert as well; for some reason internal traffic wasn't using the public cert.
If you find more detail on this (I know you have James Bondish connections at MS) I would love to hear the official word.

-Troy

-----Original Message-----
From: KevinM [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2008 8:41 AM
To: MS-Exchange Admin Issues
Subject: Which Cert do I Use

Basic question: when you have 2 SSL certs on a server, and both of them are enabled for SMTP, how does Exchange determine which to use?

A bit more detailed question: I have a SAN cert assigned to SMTP on my Edge server and my Hub server [1]. I also have the default self-signed certificate installed on both servers. When I add the SAN cert to the server and I add it to the SMTP service, I'm presented with the option to replace the default: yes or no. Either answer I give results in both certificates being assigned to the SMTP service.

Edge sync will break if the default cert is the SAN cert. Edge sync will work if the SAN cert is not the default. Outlook SMTP over SSL will not ask to verify the cert if both certs are enabled, regardless of which cert is the default.

My question is: how does the server / client know which cert to use, and what does "default cert" mean to Exchange?

[1] This is not supported: http://technet.microsoft.com/en-us/library/cc671171.aspx
But it works if you pick the default cert the right way.
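Whatever the official answer on selection order turns out to be, the operational check both posts point at is the same: know which certificates are actually enabled for SMTP on each server and when each one lapses, so an internal self-signed cert expiring does not silently drop internal transport to cleartext. The following is an added example, not code from either poster or from Microsoft; it assumes an Exchange Management Shell session where the real Get-ExchangeCertificate cmdlet is available, and the 30-day warning window is an assumed value.

```powershell
# Added example (not from the thread). Assumes an Exchange Management Shell
# session; Get-ExchangeCertificate and its Thumbprint / Services / Subject /
# IsSelfSigned / NotAfter properties are the real cmdlet and properties.
# Lists every certificate enabled for the SMTP service, marks self-signed
# ones, and flags expiry inside the warning window so the internal cert is
# renewed before the event log starts reporting unencrypted internal SMTP.

param(
    [int]$WarnDays = 30   # assumed warning window; adjust to your renewal lead time
)

$now = Get-Date

$smtpCerts = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'SMTP' } |
    ForEach-Object {
        $daysLeft = [int]($_.NotAfter - $now).TotalDays
        if ($daysLeft -lt 0) {
            $status = 'EXPIRED'
        } elseif ($daysLeft -le $WarnDays) {
            $status = 'EXPIRING'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            SelfSigned = $_.IsSelfSigned
            Services   = "$($_.Services)"
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    } |
    Sort-Object NotAfter

$smtpCerts | Format-Table -AutoSize

# Non-zero exit so a scheduled run can raise an alert when something is
# expired or inside the window.
if ($smtpCerts | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it on the Edge and Hub servers separately, since each holds its own certificate store; a certificate showing SelfSigned = True alongside the SAN cert, both with SMTP in Services, is exactly the two-certs-on-one-service situation the original question describes, and the DaysLeft column is what would have warned about the internal cert in the reply above.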