If you wish to use TLS, or are using TLS authentication in an Office 365 Hybrid environment, and have manually changed or renewed the SSL certificate, you may still get errors about being unable to initiate the TLS session (STARTTLS), even though the SSL certificate has been correctly renewed. Just enabling the SSL certificate for the SMTP service is not enough to make TLS work correctly. You also need to (re-)configure the TLS certificate name on your send and receive connectors.
As stated by the manual:
To properly format the contents of TlsCertificateName, you can extract it from the certificate through some rudimentary scripting.
Fire up the EMS and retrieve the current certificates:
You will get a list of all certificates, but you only need the one to be used for TLS, which you can select by specifying its thumbprint. As we need to extract additional information from the certificate, we conveniently store it in a variable:
$cert = Get-ExchangeCertificate -Thumbprint DE67EC3C8D679DC35D171341FEC5148D012B1BAE2
From the variable we created, we can now compile our value for the TLS certificate name:
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
With our new variable in place, we can now change every receive connector to modify the TLS certificate name to the new value:
Set-ReceiveConnector "EXSERVER\Client Frontend EXSERVER" -TlsCertificateName $tlscertificatename
If you have multiple receive connectors (or more than one server), repeat the command for every receive connector. The change is effective immediately.
Since Office 365 now requires TLS for inbound relaying, even when using sender IP address verification, you also need to do this on your outbound (send) connector. If you want to limit this to Office 365 only, you can create a dedicated send connector and set the TlsCertificateName on it:
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename
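Putting the steps above together, here is an added PowerShell example (not from the original post) that checks the renewed certificate is actually usable for SMTP, builds the TlsCertificateName value from it, applies that value to every receive connector on the local server and to one send connector, and then lists the result for verification. The thumbprint placeholder, the send connector name and the use of the local server are assumptions.

```powershell
# Added example: apply a renewed certificate's TlsCertificateName to all
# receive connectors on this server and to one send connector, then verify.
# Run in the Exchange Management Shell. Placeholder values are assumptions.
$Thumbprint    = 'PLACEHOLDER_THUMBPRINT'   # thumbprint of the renewed certificate
$SendConnector = 'Outbound to Office 365'   # send connector used for hybrid mail
$Server        = $env:COMPUTERNAME          # assumed: run on the Exchange server itself

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint found" }

# TLS for SMTP only works if the certificate is enabled for the SMTP service
# and has not expired; check both before touching any connector, so a typo
# in the thumbprint (e.g. the old certificate) is caught early.
if ($cert.Services -notmatch 'SMTP') {
    throw "Certificate $Thumbprint is not enabled for SMTP (Services: $($cert.Services))"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
}

# Exchange expects the name in the form "<i>Issuer<s>Subject".
$tlsCertificateName = "<i>$($cert.Issuer)<s>$($cert.Subject)"

# Apply to every receive connector on this server instead of repeating by hand.
Get-ReceiveConnector -Server $Server | ForEach-Object {
    Set-ReceiveConnector -Identity $_.Identity -TlsCertificateName $tlsCertificateName
}

# Apply to the send connector used for Office 365.
Set-SendConnector -Identity $SendConnector -TlsCertificateName $tlsCertificateName

# Verify: every connector should now show the Issuer/Subject of the new certificate.
Get-ReceiveConnector -Server $Server | Format-Table Identity, TlsCertificateName -AutoSize
Get-SendConnector -Identity $SendConnector | Format-Table Identity, TlsCertificateName -AutoSize
```

If you have more than one server, run the script once per server (or pass each server name to the Receive Connector cmdlets); the send connector is organization-wide and only needs to be set once.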