If emails remain on the Exchange server and cannot be forwarded to the smarthost for sending, it may be because the certificate bound to the corresponding connector no longer exists or has expired. It is also possible that the expected subject alternative name (SAN) is missing or incorrect. In that case you may receive an error stating:
454 4.7.5 The certificate specified in TlsCertificateName of the SendConnector could not be found
You can verify whether you have such an issue by checking the mail queue:
In case you have a lot of mails stuck in one of your mail queues you can further investigate the affected queue by running:
Get-Queue <queue name>
Having a look at the LastError property reveals the aforementioned error.
In my case the outbound Office 365 Send Connector was involved. In order to fix this I had to issue the following commands:
# Load the replacement certificate by its thumbprint
$TLSCert = Get-ExchangeCertificate -Thumbprint <thumbprint of valid certificate>
# TlsCertificateName uses the format <I>issuer<S>subject
$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"
Get-SendConnector -Identity "<send connector name>" | Set-SendConnector -TlsCertificateName $TLSCertName
Replace the thumbprint placeholder with the thumbprint of your own certificate.
The procedure would be the same for all other Send Connectors or Receive Connectors.
By the time you go back to Queue viewer the queues should have started to empty.
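To catch this condition before mail starts queueing, the check below compares each connector's TlsCertificateName against the installed certificates using the `<I>issuer<S>subject` format. It is an added example, not code from the original post; the function name, its parameters and the sample objects are assumptions made for illustration.

```powershell
# Added example. Function and parameter names are hypothetical.
# In the Exchange Management Shell, pass (Get-SendConnector) and (Get-ExchangeCertificate)
# instead of the constructed sample objects at the bottom.
function Test-ConnectorTlsCertificate {
    param(
        [Parameter(Mandatory)] [object[]] $Connector,
        [Parameter(Mandatory)] [object[]] $Certificate,
        [datetime] $Now = (Get-Date),
        [int] $WarnDays = 30
    )
    foreach ($c in $Connector) {
        $name = [string]$c.TlsCertificateName
        if ([string]::IsNullOrEmpty($name)) { continue }   # no certificate named on this connector
        # The connector references a certificate by issuer and subject, not by thumbprint
        $match  = @($Certificate | Where-Object { "<I>$($_.Issuer)<S>$($_.Subject)" -eq $name })
        $usable = @($match | Where-Object { $_.NotAfter -gt $Now -and "$($_.Services)" -match 'SMTP' })
        $newest = $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
        $finding = 'OK'
        if ($match.Count -eq 0) { $finding = 'NoMatchingCertificate' }
        elseif ($usable.Count -eq 0) { $finding = 'ExpiredOrNotEnabledForSmtp' }
        elseif ($newest.NotAfter -lt $Now.AddDays($WarnDays)) { $finding = 'ExpiresSoon' }
        [pscustomobject]@{
            Connector          = $c.Name
            TlsCertificateName = $name
            Finding            = $finding
        }
    }
}

# Constructed sample data (not taken from a real server)
$certs = @(
    [pscustomobject]@{ Issuer = 'CN=Example CA'; Subject = 'CN=mail.example.com'
                       NotAfter = [datetime]'2020-01-01'; Services = 'SMTP' }
    [pscustomobject]@{ Issuer = 'CN=Example CA'; Subject = 'CN=hybrid.example.com'
                       NotAfter = (Get-Date).AddYears(1); Services = 'IIS, SMTP' }
)
$connectors = @(
    [pscustomobject]@{ Name = 'Outbound to Office 365'
                       TlsCertificateName = '<I>CN=Example CA<S>CN=mail.example.com' }
    [pscustomobject]@{ Name = 'Hybrid'
                       TlsCertificateName = '<I>CN=Example CA<S>CN=hybrid.example.com' }
    [pscustomobject]@{ Name = 'Legacy relay'
                       TlsCertificateName = '<I>CN=Old CA<S>CN=relay.example.com' }
)
Test-ConnectorTlsCertificate -Connector $connectors -Certificate $certs | Format-Table -AutoSize
```

With the sample data, the first connector is reported as ExpiredOrNotEnabledForSmtp, the second as OK and the third as NoMatchingCertificate.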