We generated public cert and attached to IMAP, POP, IIS, SMTP. There is still a self-signed Exchange cert attached to SMTP.
Is the self-signed cert still needed by Exchange? It is using sha1 and I'm suspecting the large amount of random event 36888, 36874 with TLS 1.2 reject and falat alert was genereated: 40 is caused by this self-signed cert.