So we have a single 2013 CAS. It has a real cert called mymail.domain.com applied to the IIS, SMTP, IMAP, and POP roles. Our split DNS resolves internally for mymail.domain.com and externally to the public IP for mymail.domain.com. Very basic setup.
Now this CAS array has a local computer name, i.e. server1. The CAS, server1, will somehow take it upon itself to register with the internal local CA on the domain as server1.domain.com and will again take it upon itself to apply this cert to the SMTP role. This means that any user who doesn't trust the local CA gets errors when trying to send mail through this CAS. These include Mac and Linux Thunderbird users. And we have a lot of them.
I can fix the issue by going to ECP - Servers - Certificates and removing the local CA cert from the list of certs, but in 8 hours or so, it has again re-registered and applied it to the local SMTP.
This can't be normal behaviour... I want the real 3rd-party cert on mymail to service both internal and external requests.
Why is the CAS doing this? How can I stop it from assigning the SMTP role to the local CA cert?