Office 365 smarthost 800B010F error


#1

Hello! We have a problem enabling a smart host on on-premises Exchange 2013 CU21.
Enrolled a Let's Encrypt certificate, for example mail.mydomain.com.
Ran the Microsoft Office 365 Hybrid Configuration Wizard; the certificate is valid.
I created a smart host to send email to the internet via Office 365:
New-SendConnector -Name "My company to Office 365" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn "mail.mydomain.com" -RequireTLS $true -SmartHosts mydomain-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

And got error 800B010F:

  • 30 0 2 30 0 0x4000000000000001 405146 Microsoft-Windows-CAPI2/Operational mail.mydomain.com
  • The certificate's CN name does not match the passed value.

#2

If the certificate is valid, then this is a Microsoft Exchange implementation issue.

That command appears to be creating a new send connector… But why do you include your FQDN?


#3

Yes, the FQDN is correct. But it still doesn't work.


#4

The question is: Why are you including your FQDN in a send connector?


#5

This is provided by Microsoft: how to create a smart host to send emails to the internet via Office 365.
In a hybrid environment I don't know why it doesn't work, or how on-premises users send email to those hosted in Office 365.


#6

Then you need to review their instructions or ask them for clarification/help.

I think I found the instructions you are following online.
The FQDN must match “CertificateHostNameValue”
Can you show the public cert that you are using?


#7

Microsoft support said: ask the question at Let's Encrypt; on the Microsoft side everything is OK, but certificate validation does not succeed.


#8

Please show from PowerShell:
Set-Location Cert:\LocalMachine\My
Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint -AutoSize


#9

These two statements are confusing:

Do you have a valid LE cert?


#10

-----BEGIN CERTIFICATE-----
MIIF5jCCBM6gAwIBAgISBEMuVJEGoJY8ZSeqes7rA0otMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODEyMDYwNDIxMzRaFw0x
OTAzMDYwNDIxMzRaMCIxIDAeBgNVBAMTF21haWwuYm9hcmRtYXBzZW1haWwuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiat9NckkuKO+GtvQ4N8m
D3qY/gAAwQ33gUxblWUYGCHmmroLN3c0ACjln6gBIjzJ8a2zPBWMWXadzrNtJxKM
nuZhcrWo9G6ROKBTPd0QdSqf9JoPbEJ8IzTfFE703J3adoiC3kQwXzx2IlrGY+NO
7FO4ST2/L14hvk/rX9IMkeLfqc8/GySB5TlVcTvVQ/hAILdZe27shZcC6E7DjU2z
RoaD0rQu4xCM5knS2Lyli+E7ydhsH1OQQYEIZ8KXIuXV1gwUYZ+2JW64nUQ7TDX1
IgQL5PMZcni2zsHt2k2BwnErnzfvNSBgXdVxu9uoEz2ibFHV87UDfMOZL6Cwa9XP
wwIDAQABo4IC7DCCAugwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTWmCqv+J6FaYpP
VxcPNRUSHweZbjAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggr
BgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRz
ZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRz
ZW5jcnlwdC5vcmcvMIGhBgNVHREEgZkwgZaCH2F1dG9kaXNjb3Zlci5ib2FyZG1h
cHNlbWFpbC5jb22CIGRicy1leDAxLmNvcnAuYm9hcmRtYXBzZW1haWwuY29tgiBk
YnMtZXgwMi5jb3JwLmJvYXJkbWFwc2VtYWlsLmNvbYIXbWFpbC5ib2FyZG1hcHNl
bWFpbC5jb22CFm93YS5ib2FyZG1hcHNlbWFpbC5jb20wTAYDVR0gBEUwQzAIBgZn
gQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5s
ZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgB0ftqDMa0z
EJEhnM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWeB9s5PAAAEAwBHMEUCIQDHjqBn
jZtkbaFY32M3vA0u8yQ81tZr8DyWE4yzp3U1ZAIgBqvnQLJiZAqGjG7a03slJD2Z
Px5aHAsAwwE7sBF99XgAdgBj8tvN6DvMLM8LcoQnV2szpI1hd4+9daY4scdoVEvY
jQAAAWeB9tA3AAAEAwBHMEUCIQDYf3gHwVUKRMh5/fwmvJCOgt5nFbP41EOzWMvc
n+FASgIgImLFuqOU67MZpQlQMih0buwTTwqco7xhz+KD1Q39JNIwDQYJKoZIhvcN
AQELBQADggEBAAWEitPHf7KU5bKQK2EW8jBlKp0i9Aaoq+6twojemaLy7uNg/J8S
szn2yDlp9X3eV41Kx/6JmKAGS8YPHH0SIhnFeLpGAgRWxho9ZGzbbpsmB3H34HIc
5UzEbgNfQirNCl6GySNeKSaJtJPaI1akJS7iel3/ZCsfszjBdeiouejiNvZccyWK
sPbpMWBFXcHmeOCok++dxpW1dgfDwGTJpw+s83bKsUAcOuEp1n8kWBvQOJMwWTg5
2N1fDrz+dHWFoOZwdYxcgx1S/AY8jKERsU244ru+MbHC58OLhDOxq4dp4fu/VziP
XB//cX2+FQlBW95lX/FE/a0ekkpRs1iEriw=
-----END CERTIFICATE-----


#11

Try using the first name found in the SAN: autodiscover…
(as the FQDN in your powershell command)

New-SendConnector -Name "My company to Office 365" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn "autodiscover.mydomain.com" -RequireTLS $true -SmartHosts mydomain-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation


#12

And show this to ensure it was loaded into Windows correctly:

Also, which version of Windows are you running?


#13

Do you have a valid LE cert?

Yes, FQDN: mail.boardmapsemail.com

In the logs we also have 550 5.7.64 TenantAttribution; Relay Access Denied [BN3NAM04FT010.eop-NAM04.prod.protection.outlook.com]


#14

Windows Server 2012 R2


#15

I don’t see how Microsoft can say there is a problem with the cert.
Windows shows it is installed.
Please try this in powershell (fill in the full thumbprint from the LE cert):
Enable-ExchangeCertificate -Thumbprint F8C693311... -Services SMTP
Also show:
Get-ExchangeCertificate


#16

Listen, this is going way off track.
If there is a problem with the cert, then the problem is Microsoft.
They are notorious for failing for the most obscure/insignificant things.
Like in this case, Exchange is probably complaining (without any clear notice) that the certname doesn’t match the SAN - because they are only looking at the first name in the SAN in that comparison.
If that is the case, you may need to get another cert that has a CN of the first name in the SAN.
Since LE sorts the names alphabetically, that puts AUTODISCOVER first.
And that may well be the name they expect to find.

I can help you verify that the cert is installed/valid and “useable” by any other program (even IIS).
But I can’t make Exchange like it/use it/nor tell you exactly why it fails their test.
For that you need to speak with Microsoft.
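The post above turns on which names a certificate actually covers: the CN, every SAN, and (for the Office 365 side) wildcard SANs. The script below is an added example, not code from this thread or from Microsoft. It applies the usual TLS host-name rule (exact DNS-ID match, or a wildcard standing for exactly one leftmost label) to the name lists that appear in the protocol log later in the thread, so you can see which -Fqdn values the local Let's Encrypt certificate covers, which SAN sorts first, and that any tenant's <domain>.mail.protection.outlook.com smart host is covered by the Office 365 wildcard SAN. All function names are hypothetical and the name lists are constructed from the log.

```python
"""Certificate name coverage for a send connector FQDN (added example)."""


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive match of one DNS name against one certificate name.

    A '*' is honoured only as the entire leftmost label: '*.example.com'
    covers 'a.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return host == pat
    if pat[0] != "*" or any("*" in label for label in pat[1:]):
        return False
    # The wildcard needs at least two fixed labels to its right and equal depth.
    return len(pat) >= 3 and len(host) == len(pat) and host[1:] == pat[1:]


def covering_names(hostname, cert_cn, cert_sans):
    """Return the certificate names (CN first, then SANs) that cover hostname."""
    names = [cert_cn] + [n for n in cert_sans if n != cert_cn]
    return [n for n in names if hostname_matches(hostname, n)]


def first_san_alphabetically(cert_sans):
    """The SAN that sorts first; post #16 suspects Exchange compares against it."""
    return sorted(n.lower() for n in cert_sans)[0]


def report(candidates, cert_cn, cert_sans):
    """Map each candidate FQDN to the certificate names covering it ([] = none)."""
    return {c: covering_names(c, cert_cn, cert_sans) for c in candidates}


# Name lists constructed from the SMTP send protocol log posted in the thread.
LOCAL_CN = "mail.boardmapsemail.com"
LOCAL_SANS = [
    "mail.boardmapsemail.com",
    "autodiscover.boardmapsemail.com",
    "dbs-ex01.corp.boardmapsemail.com",
    "dbs-ex02.corp.boardmapsemail.com",
    "owa.boardmapsemail.com",
]
REMOTE_CN = "mail.protection.outlook.com"
REMOTE_SANS = [
    "mail.protection.outlook.com",
    "*.mail.eo.outlook.com",
    "*.mail.protection.outlook.com",
    "mail.messaging.microsoft.com",
    "outlook.com",
    "*.olc.protection.outlook.com",
    "*.pamx1.hotmail.com",
]

if __name__ == "__main__":
    # The two values the thread tried as -Fqdn, plus one not on the certificate.
    candidates = ["mail.boardmapsemail.com", "autodiscover.boardmapsemail.com",
                  "smtp.boardmapsemail.com"]
    for fqdn, names in report(candidates, LOCAL_CN, LOCAL_SANS).items():
        print(f"{fqdn:35} covered by {names or 'nothing'}")
    print("first SAN alphabetically:", first_san_alphabetically(LOCAL_SANS))
    # The smart host name from the thread is a placeholder tenant name.
    print(report(["mydomain-com.mail.protection.outlook.com"], REMOTE_CN, REMOTE_SANS))
```

Both mail.boardmapsemail.com and autodiscover.boardmapsemail.com are covered by the local certificate under this rule, so a plain name-matching check does not by itself explain the CAPI2 "CN name does not match the passed value" event; that is the gap post #16 is pointing at.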


#17

One last suggestion, to try:
After trying autodiscover as FQDN, also replace FQDN with TlsCertificateName.

New-SendConnector -Name "My company to Office 365" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn "autodiscover.mydomain.com" -RequireTLS $true -SmartHosts mydomain-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

New-SendConnector -Name "My company to Office 365" -AddressSpaces * -CloudServicesMailEnabled $true -TlsCertificateName "autodiscover.mydomain.com" -RequireTLS $true -SmartHosts mydomain-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation


#18

In the logs:

#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Send Protocol Log
#Date: 2018-12-06T08:18:44.843Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2018-12-06T08:18:42.343Z,My company to Office 365,08D65B4DD9C4222D,0,,104.47.44.36:25,*,,attempting to connect
2018-12-06T08:18:42.452Z,My company to Office 365,08D65B4DD9C4222D,1,10.0.10.8:8324,104.47.44.36:25,+,,
2018-12-06T08:18:42.593Z,My company to Office 365,08D65B4DD9C4222D,2,10.0.10.8:8324,104.47.44.36:25,<,"220 SN1NAM04FT058.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 6 Dec 2018 08:18:42 +0000",
2018-12-06T08:18:42.593Z,My company to Office 365,08D65B4DD9C4222D,3,10.0.10.8:8324,104.47.44.36:25,>,EHLO autodiscover.boardmapsemail.com,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,4,10.0.10.8:8324,104.47.44.36:25,<,250-SN1NAM04FT058.mail.protection.outlook.com Hello [51.75.164.54],
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,5,10.0.10.8:8324,104.47.44.36:25,<,250-SIZE 157286400,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,6,10.0.10.8:8324,104.47.44.36:25,<,250-PIPELINING,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,7,10.0.10.8:8324,104.47.44.36:25,<,250-DSN,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,8,10.0.10.8:8324,104.47.44.36:25,<,250-ENHANCEDSTATUSCODES,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,9,10.0.10.8:8324,104.47.44.36:25,<,250-STARTTLS,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,10,10.0.10.8:8324,104.47.44.36:25,<,250-8BITMIME,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,11,10.0.10.8:8324,104.47.44.36:25,<,250-BINARYMIME,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,12,10.0.10.8:8324,104.47.44.36:25,<,250-CHUNKING,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,13,10.0.10.8:8324,104.47.44.36:25,<,250 SMTPUTF8,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,14,10.0.10.8:8324,104.47.44.36:25,>,STARTTLS,
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,15,10.0.10.8:8324,104.47.44.36:25,<,220 2.0.0 SMTP server ready,
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,16,10.0.10.8:8324,104.47.44.36:25,*,,Sending certificate
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,17,10.0.10.8:8324,104.47.44.36:25,*,CN=mail.boardmapsemail.com,Certificate subject
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,18,10.0.10.8:8324,104.47.44.36:25,*,"CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",Certificate issuer name
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,19,10.0.10.8:8324,104.47.44.36:25,*,04432E549106A0963C6527AA7ACEEB034A2D,Certificate serial number
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,20,10.0.10.8:8324,104.47.44.36:25,*,F8C693311568D928EDA1278E2206E0861BD8ACBB,Certificate thumbprint
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,21,10.0.10.8:8324,104.47.44.36:25,*,mail.boardmapsemail.com;autodiscover.boardmapsemail.com;dbs-ex01.corp.boardmapsemail.com;dbs-ex02.corp.boardmapsemail.com;owa.boardmapsemail.com,Certificate alternate names
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,22,10.0.10.8:8324,104.47.44.36:25,*,,Remote certificate
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,23,10.0.10.8:8324,104.47.44.36:25,*,"CN=mail.protection.outlook.com, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",Certificate subject
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,24,10.0.10.8:8324,104.47.44.36:25,*,"CN=GlobalSign Organization Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE",Certificate issuer name
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,25,10.0.10.8:8324,104.47.44.36:25,*,5760C0769D1714309D2D95DE,Certificate serial number
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,26,10.0.10.8:8324,104.47.44.36:25,*,73B89750FA406F7D4F7E43A9355A9D271079E938,Certificate thumbprint
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,27,10.0.10.8:8324,104.47.44.36:25,*,mail.protection.outlook.com;*.mail.eo.outlook.com;*.mail.protection.outlook.com;mail.messaging.microsoft.com;outlook.com;*.olc.protection.outlook.com;*.pamx1.hotmail.com,Certificate alternate names
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,28,10.0.10.8:8324,104.47.44.36:25,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,29,10.0.10.8:8324,104.47.44.36:25,*,,Received certificate
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,30,10.0.10.8:8324,104.47.44.36:25,*,73B89750FA406F7D4F7E43A9355A9D271079E938,Certificate thumbprint
2018-12-06T08:18:43.171Z,My company to Office 365,08D65B4DD9C4222D,31,10.0.10.8:8324,104.47.44.36:25,>,EHLO autodiscover.boardmapsemail.com,
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,32,10.0.10.8:8324,104.47.44.36:25,<,250-SN1NAM04FT058.mail.protection.outlook.com Hello [51.75.164.54],
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,33,10.0.10.8:8324,104.47.44.36:25,<,250-SIZE 157286400,
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,34,10.0.10.8:8324,104.47.44.36:25,<,250-PIPELINING,
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,35,10.0.10.8:8324,104.47.44.36:25,<,250-DSN,
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,36,10.0.10.8:8324,104.47.44.36:25,<,250-ENHANCEDSTATUSCODES,
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,37,10.0.10.8:8324,104.47.44.36:25,<,250-8BITMIME,
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,38,10.0.10.8:8324,104.47.44.36:25,<,250-BINARYMIME,
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,39,10.0.10.8:8324,104.47.44.36:25,<,250-CHUNKING,
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,40,10.0.10.8:8324,104.47.44.36:25,<,250 SMTPUTF8,
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,41,10.0.10.8:8324,104.47.44.36:25,*,,sending message with RecordId 365072220172 and InternetMessageId <8c253ebefeb44f2a83f810ded8c10772@dbs-ex02.corp.boardmapsemail.com>
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,42,10.0.10.8:8324,104.47.44.36:25,>,MAIL FROM:<cage@boardmapsemail.com> SIZE=4176,
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,43,10.0.10.8:8324,104.47.44.36:25,>,RCPT TO:<dp@gmail.com>,
2018-12-06T08:18:43.390Z,My company to Office 365,08D65B4DD9C4222D,44,10.0.10.8:8324,104.47.44.36:25,<,250 2.1.0 Sender OK,
2018-12-06T08:18:43.562Z,My company to Office 365,08D65B4DD9C4222D,45,10.0.10.8:8324,104.47.44.36:25,<,550 5.7.64 TenantAttribution; Relay Access Denied [SN1NAM04FT058.eop-NAM04.prod.protection.outlook.com],
2018-12-06T08:18:44.093Z,My company to Office 365,08D65B4DD9C4222D,46,10.0.10.8:8324,104.47.44.36:25,>,QUIT,
2018-12-06T08:18:44.202Z,My company to Office 365,08D65B4DD9C4222D,47,10.0.10.8:8324,104.47.44.36:25,<,221 2.0.0 Service closing transmission channel,
2018-12-06T08:18:44.202Z,My company to Office 365,08D65B4DD9C4222D,48,10.0.10.8:8324,104.47.44.36:25,-,,Local
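The log above is dense, and the point that matters is easy to miss: the TLS 1.2 handshake with the Office 365 host succeeds (sequence 28), so the certificate is accepted at the transport level, and the failure is the SMTP-level 550 5.7.64 TenantAttribution response after MAIL FROM. The script below is an added example, not code from this thread or from Exchange, that parses the "#Fields:"-headed CSV format of the SMTP Send Protocol Log, groups rows by session, and reports the EHLO name, the certificate each side presented, the TLS outcome and any 4xx/5xx response. The embedded sample is a constructed, abridged excerpt of the log posted above; function names are hypothetical.

```python
"""Summarise Exchange SMTP Send Protocol Log sessions (added example)."""
import csv

# Constructed, abridged excerpt of the protocol log posted in the thread.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Send Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2018-12-06T08:18:42.343Z,My company to Office 365,08D65B4DD9C4222D,0,,104.47.44.36:25,*,,attempting to connect
2018-12-06T08:18:42.593Z,My company to Office 365,08D65B4DD9C4222D,3,10.0.10.8:8324,104.47.44.36:25,>,EHLO autodiscover.boardmapsemail.com,
2018-12-06T08:18:42.702Z,My company to Office 365,08D65B4DD9C4222D,14,10.0.10.8:8324,104.47.44.36:25,>,STARTTLS,
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,16,10.0.10.8:8324,104.47.44.36:25,*,,Sending certificate
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,17,10.0.10.8:8324,104.47.44.36:25,*,CN=mail.boardmapsemail.com,Certificate subject
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,18,10.0.10.8:8324,104.47.44.36:25,*,"CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",Certificate issuer name
2018-12-06T08:18:42.812Z,My company to Office 365,08D65B4DD9C4222D,21,10.0.10.8:8324,104.47.44.36:25,*,mail.boardmapsemail.com;autodiscover.boardmapsemail.com;owa.boardmapsemail.com,Certificate alternate names
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,22,10.0.10.8:8324,104.47.44.36:25,*,,Remote certificate
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,23,10.0.10.8:8324,104.47.44.36:25,*,"CN=mail.protection.outlook.com, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",Certificate subject
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,27,10.0.10.8:8324,104.47.44.36:25,*,mail.protection.outlook.com;*.mail.protection.outlook.com,Certificate alternate names
2018-12-06T08:18:43.093Z,My company to Office 365,08D65B4DD9C4222D,28,10.0.10.8:8324,104.47.44.36:25,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
2018-12-06T08:18:43.280Z,My company to Office 365,08D65B4DD9C4222D,42,10.0.10.8:8324,104.47.44.36:25,>,MAIL FROM:<cage@boardmapsemail.com> SIZE=4176,
2018-12-06T08:18:43.390Z,My company to Office 365,08D65B4DD9C4222D,44,10.0.10.8:8324,104.47.44.36:25,<,250 2.1.0 Sender OK,
2018-12-06T08:18:43.562Z,My company to Office 365,08D65B4DD9C4222D,45,10.0.10.8:8324,104.47.44.36:25,<,550 5.7.64 TenantAttribution; Relay Access Denied [SN1NAM04FT058.eop-NAM04.prod.protection.outlook.com],
"""


def parse_send_log(text):
    """Return one dict per data row, keyed by the names in the '#Fields:' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line.split(":", 1)[1].split(",")]
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        # Quoted fields (certificate subjects, the TLS line) may contain commas.
        rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def summarize_sessions(rows):
    """Group rows by session-id and pull out the TLS and SMTP facts per session."""
    sessions = {}
    for r in rows:
        s = sessions.setdefault(r["session-id"], {
            "connector": r["connector-id"], "remote": r["remote-endpoint"],
            "ehlo": None, "local_cert": {"subject": None, "sans": []},
            "remote_cert": {"subject": None, "sans": []},
            "tls": None, "rejections": [], "_side": None})
        ev, data, ctx = r["event"], r["data"], r["context"]
        if ev == ">" and data.upper().startswith("EHLO "):
            s["ehlo"] = data.split(None, 1)[1]
        elif ev == "*":
            # Certificate detail rows follow a 'Sending'/'Remote certificate' marker.
            if ctx == "Sending certificate":
                s["_side"] = "local_cert"
            elif ctx == "Remote certificate":
                s["_side"] = "remote_cert"
            elif ctx == "Certificate subject" and s["_side"]:
                s[s["_side"]]["subject"] = data
            elif ctx == "Certificate alternate names" and s["_side"]:
                s[s["_side"]]["sans"] = data.split(";")
            elif ctx.startswith("TLS protocol"):
                s["tls"] = "succeeded" if "succeeded" in ctx else "failed"
        elif ev == "<" and data[:3].isdigit() and data[0] in "45":
            s["rejections"].append(data)
    for s in sessions.values():
        s.pop("_side")
    return sessions


def diagnose(session):
    """Classify the failure layer as ('tls' | 'smtp' | 'ok', explanation)."""
    if session["tls"] != "succeeded":
        return "tls", "no successful TLS negotiation logged; check the certificate enabled for SMTP and the connector FQDN"
    if session["rejections"]:
        return "smtp", (f"TLS succeeded against {session['remote_cert']['subject']}; "
                        f"the remote side then rejected the message: {session['rejections'][-1]}")
    return "ok", "no rejection logged"


if __name__ == "__main__":
    for sid, s in summarize_sessions(parse_send_log(SAMPLE_LOG)).items():
        kind, why = diagnose(s)
        print(f"{sid} {s['connector']} -> {s['remote']}: EHLO {s['ehlo']}; TLS {s['tls']}; {kind}: {why}")
```

Run against the real log directory, the same parser will group every session on the connector, so a certificate problem shows up as sessions with no "TLS protocol ... succeeded" row, while a relay or tenant-attribution problem shows up as sessions where TLS succeeded and a 5xx follows MAIL FROM or RCPT TO.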

#19


#20

The FQDN may need to match that name.