I am finishing up our Exchange 2010 -> 2013 migration, and one of the items to do is to carry the receive connectors over to our new front-ends from the old hub transport servers. We have a receive connector for Client SMTP (with SSL), and when I created that receive connector on the 2013 front end, some Thunderbird clients started to get untrusted cert errors when sending emails.
When I run Get-ExchangeCertificate, I clearly see that the public mail.<companyname.com> cert is assigned to SMTP on this particular 2013 front end. There were other certs enabled for SMTP as well, but I made sure to run Enable-ExchangeCertificate for the public cert's thumbprint and it said it was overriding the old self-signed cert for SMTP and assigning the new, good one. Then I go to enable the Receive Connector and then I start seeing the error on the clients.
What steps am I missing to get this new front end to actually use the good public trusted cert for SMTP traffic? It seems to be hung up using the self-signed one, which my Thunderbird clients don't trust. Does some service need to be restarted to really kick it into gear? Is there some other config that I'm missing?