Do I need to use an Edge Transport to implement Opportunistic TLS or is that functionality included in the hub transport role?

you can do it with HT

Dear customer: Thanks for knightlys reply. He is right. You dont need Edge transport to implement opportunistic TLS. The Hub transport also supports the feature. Exchange Server 2007 supports opportunistic TLS. This means that any time a remote SMTP Server advertises STARTTLS, it will attempt to negotiate TLS and encrypt the session. This behavior is controlled by the IgnoreSTARTTLS parameter on the connector. This value is set to false, by default. If set to true, Exchange will ignore the STARTTLS verb and will simply transmit the message in an unencrypted fashion. When Opportunistic TLS is utilized without BasicAuthRequireTLS enabled as an authentication mechanism, certificate validation does not occur. In this instance the negotiated TLS session is used to just encrypt the session and the receiving server is not validated against the certificate, nor is the certificate checked for revocation. You can run the following command to check the IgnoreSTARTTLS parameter on Hub transport: get-sendconnector "sendconnector_name" | fl Hope it helps. If anything is unclear, please feel free to let me know. Rock Wang - MSFT