SQL Server 发送邮件到 Exchange 2016 DAG 出现证书错误

我们有一个 SQL Server 2008R2 安装，它正在向我们现已停用的 Exchange 2010 服务器发送电子邮件。我们现在正在运行一个 Exchange 2016 DAG，它有 2 个主机（mailserver1.example.com 和 mailserver2.example.com），DNS 指针称为 mail.example.com，它引用这两个服务器。因此，当我们关闭旧服务器时，我们将使用实际主机名（severname.example.com）更改为 mail.example.com。当我们这样做时，我们收到以下错误：

The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 1 (2017-02-14T15:41:00). Exception Message: Cannot send mails to mail server. (The remote certificate is invalid according to the validation procedure.).

如果我将数据库邮件配置更改为指向 DAG 中的单个服务器（mailserver1.example.com），那么一切都可以正常工作。

我们在邮件服务器上使用通配符证书（* .example.com），所以我不确定这是否是问题所在。

我想修复这个问题，以便保持弹性。有人能告诉我它不喜欢什么吗？

编辑：因此我更深入地研究了安装/正在使用的证书：

Get-ExchangeCertificate -server mailserver2.example.com

Thumbprint                          Services   Subject
----------                          --------   -------
133914D76770DE347949C1FF771A64B7B6  IP.....    CN=mailserver2.example.com
4D2582DA78719BCC1B1CB8F33B3FAC2E54  IP..S..    CN=mailserver2
B39C5DED40D1C926A1ABDA2CA5B30FE305  ....S..    CN=Microsoft Exchange Server Auth Certificate
AD3C61F290199AB908ECB976A0C8341351  .......    CN=WMSvc-mailserver2
E6F14092B221239F51A62420FD74F2FA63  IP.WS..    CN=mailserver2.example.com
D1215C7C1E5D674E7C204FCB776D60F93E  ...WS..    CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...


Get-ExchangeCertificate -server mailserver1.example.com

Thumbprint                          Services   Subject
----------                          --------   -------
4C560FF28A576F814DFAD198C81912C3BE  IP.....    CN=mailserver1.example.com
B39C5DED40D1C926A1A8DA2CA5B30FE305  ....S..    CN=Microsoft Exchange Server Auth Certificate
A29DA1FA4C800AB5EAD22B0BFA39D7BC5B  IP..S..    CN=mailserver1
184B109C120633C33711E26C40F4FAFFC6  .......    CN=WMSvc-mailserver1
22C69182932BE55A2F01B20C10FADBE359  IP.WS..    CN=mailserver1.example.com
D1215C7C1E5D674E7C244FCB776D60F93E  ...WS..    CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...

Get-ExchangeCertificate -domainname example.com

Thumbprint                          Services   Subject
----------                          --------   -------
D1215C7C1E5D674E7C644FCB776D60F93E  ...WS..    CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...

Get-ExchangeCertificate -domainname mail.example.com

Thumbprint                          Services   Subject
----------                          --------   -------
D1215C7C1E5D674E7C20D9FF776D60F93E  ...WS..    CN=*.example.com, OU=PremiumSSL Wildcard, O=Example Company...

当我使用 OPENSSL（按照下面的答案 1）时，我得到的是我们的内部分管 CA 证书（CN=mailserver2.example.com）而不是通配符证书。

编辑 2：这是 OpenSSL 命令的输出：openssl s_client -connect mailserver1.example.com:25 -starttls smtp

Loading 'screen' into random state - done
CONNECTED(000001F4)
depth=1 /DC=com/DC=example/CN=example-Issuing-CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=mailserver1.example.com
   i:/DC=com/DC=example/CN=example-Issuing-CA
 1 s:/DC=com/DC=example/CN=example-Issuing-CA
   i:/CN=example-Root-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
< certificate info here >
-----END CERTIFICATE-----
subject=/CN=mailserver1.example.com
issuer=/DC=com/DC=example/CN=example-Issuing-CA
---
No client certificate CA names sent
---
SSL handshake has read 3875 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: < session ID >
    Session-ID-ctx:
    Master-Key: < master key >
    Key-Arg   : None
    Start Time: 1487248994
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 XRDST
QUIT
DONE