Channel: Exchange Server 2013 - Mail Flow and Secure Messaging forum

Opportunistic TLS does not work


Hello community,

Our Exchange 2013 server cannot handle opportunistic TLS and I really don’t know why... everything I’ve found so far seems to be fine. Please help... thank you very much!

Exchange Version: 15.0 Build 1210.3

Our firewall is configured as the mail gateway.

Get-SendConnector * | Ft Identity,IgnoreSTARTTLS

gives back one Send Connector, listed with FALSE.

Get-ExchangeCertificate | ft subject,services

gives back two certificates for SMTP: one internal and our public wildcard certificate. Is it a problem that two certificates are enabled for SMTP?

The TLSCertificateName attribute was empty on the Send Connectors. I’ve changed this to the thumbprint of our public certificate, but no change.

C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend:

...

2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,10,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-STARTTLS,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,11,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-X-ANONYMOUSTLS,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,12,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-AUTH NTLM,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,13,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-X-EXPS GSSAPI NTLM,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,14,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-8BITMIME,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,15,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-BINARYMIME,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,16,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-CHUNKING,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,17,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-XEXCH50,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,18,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-XRDST,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,19,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250 XSHADOWREQUEST,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,20,*InternalExchIP*:26966,*InternalExchIP*:2525,>,X-ANONYMOUSTLS,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,21,*InternalExchIP*:26966,*InternalExchIP*:2525,<,220 2.0.0 SMTP server ready,
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,22,*InternalExchIP*:26966,*InternalExchIP*:2525,*,,Remote certificate
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,23,*InternalExchIP*:26966,*InternalExchIP*:2525,*,"CN=*.company.xx, O=company AG, OU=IT, L=nirvana, S=neverland, C=xx",Certificate subject
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,24,*InternalExchIP*:26966,*InternalExchIP*:2525,*,"CN=XXX CA - SHA256 - G2, O=CertAuth nv-sa, C=BE",Certificate issuer name
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,25,*InternalExchIP*:26966,*InternalExchIP*:2525,*,179765A42F6A43A80097A459,Certificate serial number
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,26,*InternalExchIP*:26966,*InternalExchIP*:2525,*,2DBA3C3C149C146A6DXXXXXXXX92187A0954,Certificate thumbprint
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,27,*InternalExchIP*:26966,*InternalExchIP*:2525,*,*.company.xx;autodiscover.company.xx;mail.company.xx;owa.company.xx;company.xx,Certificate alternate names
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,28,*InternalExchIP*:26966,*InternalExchIP*:2525,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,29,*InternalExchIP*:26966,*InternalExchIP*:2525,*,,Received certificate
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,30,*InternalExchIP*:26966,*InternalExchIP*:2525,*,2DBA3C3C149C146A6DXXXXXXXX92187A0954,Certificate thumbprint
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,31,*InternalExchIP*:26966,*InternalExchIP*:2525,>,EHLO *internalExchDNS*,
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,32,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-*internalExchDNS* Hello [*InternalExchIP*],....

The output of "Get-AuthConfig | Format-List" gives me a "CurrentCertificateThumbprint" I can't identify, so I guess it does not exist anymore.

I was not able to change it to the current internal certificate, as it says "has a private key that is not exportable". Not sure if this is a problem.

Maybe I did more that I can't remember right now... but I think this is everything worth mentioning so far.
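As an added example (not code from the original post or from Exchange), a small Python parser for the protocol-log format quoted above: it groups lines by session id and flags sessions where the peer offered STARTTLS but no TLS handshake was ever logged, which is the first thing to look for when opportunistic TLS "does not work". The sample log is constructed; the IP addresses and the "Outbound to Internet" connector are placeholders.

```python
"""Per-session TLS summary for an Exchange SMTP protocol log (SmtpSend or
SmtpReceive), whose CSV columns are: date-time,connector-id,session-id,
sequence-number,local-endpoint,remote-endpoint,event,data,context."""
import csv
import re

# Constructed sample, modelled on the lines quoted above: one internal proxy
# session that negotiates X-ANONYMOUSTLS, and one (hypothetical) outbound
# session that is offered STARTTLS but never uses it. IPs are placeholders.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,10,10.0.0.5:26966,10.0.0.5:2525,<,250-STARTTLS,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,11,10.0.0.5:26966,10.0.0.5:2525,<,250-X-ANONYMOUSTLS,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,20,10.0.0.5:26966,10.0.0.5:2525,>,X-ANONYMOUSTLS,
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,28,10.0.0.5:26966,10.0.0.5:2525,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
2016-12-21T00:01:00.000Z,Outbound to Internet,08D4143AB830A2C1,5,10.0.0.5:40001,203.0.113.7:25,<,250-STARTTLS,
2016-12-21T00:01:00.000Z,Outbound to Internet,08D4143AB830A2C1,6,10.0.0.5:40001,203.0.113.7:25,>,MAIL FROM:<a@company.xx>,
"""

TLS_RESULT = re.compile(r"TLS protocol (\S+) negotiation succeeded using bulk encryption algorithm (\S+)")

def summarise_sessions(log_text):
    """Return {session_id: summary}: whether the peer offered STARTTLS, which
    TLS command this side sent (STARTTLS / X-ANONYMOUSTLS / None), and the
    negotiated protocol and cipher, or None if no handshake was logged."""
    sessions = {}
    rows = (ln for ln in log_text.splitlines() if ln and not ln.startswith("#"))
    for row in csv.reader(rows):
        if len(row) < 9:
            continue  # skip truncated lines rather than crash on them
        _ts, connector, sid, _seq, _local, remote, event, data, context = row[:9]
        s = sessions.setdefault(sid, {"connector": connector, "remote": remote,
                                      "offered": False, "sent": None,
                                      "protocol": None, "cipher": None})
        if event == "<" and data.upper() in ("250-STARTTLS", "250 STARTTLS"):
            s["offered"] = True          # peer advertised STARTTLS in its EHLO reply
        elif event == ">" and data.upper() in ("STARTTLS", "X-ANONYMOUSTLS"):
            s["sent"] = data.upper()     # this side asked to start TLS
        elif event == "*":
            m = TLS_RESULT.search(context)   # handshake result lands in 'context'
            if m:
                s["protocol"], s["cipher"] = m.group(1), m.group(2)
    return sessions

def plaintext_sessions(sessions):
    """Session ids where STARTTLS was offered but no handshake was logged: the
    sessions to look at when opportunistic TLS 'does not work'."""
    return sorted(sid for sid, s in sessions.items()
                  if s["offered"] and s["protocol"] is None)
```

Note that the session quoted in the post is the front-end-to-transport proxy hop (remote port 2525, X-ANONYMOUSTLS), so its successful TLS 1.2 line says nothing about the external hop; run the parser over the sessions whose remote endpoint is the firewall/gateway.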
