A new TLS certificate is coming to Exchange Online

A new TLS certificate is coming to Exchange Online

This Article references MC146001 "A new TLS certificate is coming to Exchange Online" which you should find in your Office 365 Message center.

Problem Description:

You may be running in Hybrid mode or have an inbound TLS configuratiion using Exchange Online and noticed that you have a sudden build-up of inbound messages toward your on-premises Exchange servers. Starting on the 3'rd of August, Exchange Online has updated the certificate used for services including TLS. If your Exchange servers are unable to verify the validity of the new certificate due to firewall lockdown and other restrictions, your mail flow will stop, with queues building up in the online segment of your organisation until Exchange on-premises (or other mail servers on-premises) are able to resolve the online certificate.

How do I know?

You'll notice that your queues are building up in the Mail Flow Insights Dashboard in the Security and Compliance Center

In locked down environments, that is as simple as allowing TCP 80 outbound towards the following three hosts until the certificate is validated again.:

  • ocsp.globalsign.com
  • crl.globalsign.com
  • secure.globalsign.com

Steps to take:

  • Modify firewall rules so that Exchange servers that are Exchange online Facing are able to resolve the certificate Revocation List (CRL) on the three hosts noted above.
  • Cycle the Microsoft Exchange Transport Services
  • Navigate back to https://protection.office.com/#/mailflow/dashboard and check that the queues are clearing.
  • Lock down firewall rules