Exchange 2010 TLS is not an option on this server
Hi All,
One of my clients is getting bounced-back email whenever he tries to send emails to my domain. Below is the bounced-back message:
Email was not delivered to:
zeeshan@example.com
because:
This is a delivery status notification, automatically generated by MTA 19.mail.hsbc.co.uk on Tue, 04 Sep 2012 12:33:54 +0100 Regarding recipient(s) :
zeeshan@example.com
Delivery status : Failed. Message could not be delivered to domain <example.com>. Your mail administrator requires that all email addressed to this domain <example.com>
is delivered over a secure channel using SSL. The recipient server does not currently support TLS. Contact your mail administrator to verify that mail to this domain <example.com> must
be delivered over a secure channel.
MTA Response : None
The original message headers are included as an attachment.
Also, when I run an SMTP test against my domain I get
"Warning - Does not support TLS." Can anyone please help me solve this problem?
September 7th, 2012 6:38am
On Fri, 7 Sep 2012 10:38:15 +0000, Zeeshan Butt wrote:
>Hi All,
>One of my clients is getting bounced-back email whenever he tries to send emails to my domain. Below is the bounced-back message:
>Email was not delivered to:
>zeeshan@example.com
>because:
>This is a delivery status notification, automatically generated by MTA 19.mail.hsbc.co.uk on Tue, 04 Sep 2012 12:33:54 +0100 Regarding recipient(s) : zeeshan@example.com
>Delivery status : Failed. Message could not be delivered to domain <example.com>. Your mail administrator requires that all email addressed to this domain <example.com> is delivered over a secure channel using SSL. The recipient server does not currently support TLS. Contact your mail administrator to verify that mail to this domain <example.com> must be delivered over a secure channel.
>MTA Response : None
>The original message headers are included as an attachment.
>Also, when I run an SMTP test against my domain I get "Warning - Does not support TLS." Can anyone please help me solve this problem?
Run "Get-ReceiveConnector <name> | fl name,fqdn" to get the FQDN used
by the receive connector. Use it to see if the name appears in any of
the certificates below.
When you run "Get-ExchangeCertificate | fl
thumbprint,certificatedomains,services" does your FQDN appear in any
of the "certificatedomains", and does the "services" for that
certificate include "SMTP"?
---
Rich Matheisen
MCSE+I, Exchange MVP
September 7th, 2012 12:09pm
Hi,
Any more suggestions?
Thanks & Regards,
September 8th, 2012 2:51am
On Sat, 8 Sep 2012 06:51:17 +0000, Zeeshan Butt wrote:
>
>Any more suggestions?
Any more information?
---
Rich Matheisen
MCSE+I, Exchange MVP
September 8th, 2012 1:09pm
Hi,
Thanks for your help. I will check those settings which you suggested. Can you please explain to me how TLS works in Exchange 2010? Is there any dependency on Exchange certificates? Do I need to make any modifications to my Exchange server?
Waiting for your reply anxiously.
Thanks & Regards,
Zeeshan Butt
September 8th, 2012 2:12pm
On Sat, 8 Sep 2012 18:12:19 +0000, Zeeshan Butt wrote:
>Thanks for your help. I will check those settings which you suggested. Can you please explain to me how TLS works in Exchange 2010? Is there any dependency on Exchange certificates? Do I need to make any modifications to my Exchange server?
>
>Waiting for your reply anxiously.
Exchange creates a self-signed certificate during installation and
uses that to enable the HT server to add STARTTLS to the set of ESMTP
keywords.
Since you haven't said what you've done to cause Exchange to *not*
offer STARTTLS I was waiting for the results of the two cmdlets before
offering any advice. I don't know if you added a 3rd-party certificate
to the server or just removed the self-signed certificate. Neither do
I know if this is just a problem caused by some device between your
Exchange server and the Internet.
From the Exchange server, try this:
telnet server-name 25
Then, after the 220 banner is displayed, enter "EHLO" and hit the
"enter" key. In the list of keywords that are displayed do you see
STARTTLS?
I'm also assuming that your domain is "example.com" in the original
posted data.
---
Rich Matheisen
MCSE+I, Exchange MVP
September 8th, 2012 11:10pm
On Sun, 9 Sep 2012 07:06:49 +0000, Zeeshan Butt wrote:
>Please find below the snapshots,
But what about the results of the "telnet"? Do you, or don't you, see
the STARTTLS in the advertised keywords?
>The first thumbprint is for the internal certificate, the second thumbprint is the third-party certificate, and the last one comes by default after installing Exchange 2010.
>
>Waiting for your advice, and thanks a lot for your support.
The certificates look okay -- provided that they haven't expired.
Try this:
Enable-ExchangeCertificate 2D48D...... -Services IMAP,POP,SMTP
You can also see what your server is getting from, and sending to, the
other server by looking at the SMTP Receive protocol logs. Do you see
your server sending the STARTTLS keyword after receiving the EHLO
command from that other company's server? How about other servers that
send you e-mail, if they send the EHLO command your server should send
the STARTTLS keyword if there's a valid certificate on your server.
If you advertise the STARTTLS keyword and the other server (or
servers) never use it it may be that you have some device (e.g. a
Cisco firewall) that prevents the STARTTLS from reaching them, or from
reaching your server.
---
Rich Matheisen
MCSE+I, Exchange MVP
September 9th, 2012 11:06am
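The EHLO check described above (telnet to port 25, send EHLO, look for STARTTLS in the keywords) and the follow-up question of whether a device in the path is altering the reply, as an added Python example that is not part of the original thread and not Exchange's or Microsoft's code. The hostnames, addresses and sample replies are constructed; the idea that an ESMTP-inspecting firewall shows up as keywords overwritten with X's is an assumption about such devices, not something the thread confirms; and the HELO name `starttls-check.invalid` is a placeholder.

```python
"""Report what an SMTP server offers in reply to EHLO and whether STARTTLS is among it.

parse_reply()/ehlo_keywords()/classify() work offline on pasted text (for
example from a protocol log); check_starttls() performs the EHLO exchange
the post describes doing by hand with telnet.
"""
import re
import socket

# 'NNN-text' is a continuation line; 'NNN text' or a bare 'NNN' ends the reply.
_REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")


def parse_reply(text):
    """Split one SMTP reply (possibly multi-line) into (code, [text parts])."""
    code, parts = None, []
    for raw in text.splitlines():
        m = _REPLY_LINE.match(raw.strip())
        if not m:
            continue  # tolerate stray log lines in pasted text
        code = int(m.group(1))
        parts.append(m.group(3) or "")
        if m.group(2) != "-":
            break  # final line of the reply
    return code, parts


def ehlo_keywords(text):
    """Return the EHLO keywords (upper-cased) from a 250 reply, [] otherwise.

    The first 250 line is the greeting ('Hello [ip]'), not a keyword.
    """
    code, parts = parse_reply(text)
    if code != 250:
        return []
    return [p.split()[0].upper() for p in parts[1:] if p.strip()]


def classify(keywords):
    """'starttls' if advertised; 'masked' if a keyword looks overwritten with
    X's (assumed here to be what an ESMTP-inspecting firewall leaves behind);
    otherwise 'absent'."""
    if "STARTTLS" in keywords:
        return "starttls"
    if any(re.fullmatch(r"X{3,}[A-Z]?", k) for k in keywords):
        return "masked"
    return "absent"


def read_reply(f):
    """Read one complete SMTP reply from a binary file object; return its text."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        if m.group(2) != "-":
            return "\n".join(lines)


def check_starttls(host, port=25, helo_name="starttls-check.invalid", timeout=10):
    """Connect, read the 220 banner, send EHLO, QUIT; report what was offered.

    helo_name is a placeholder; use a name that resolves to the probing host.
    Run this from inside the network and from the Internet: if the verdicts
    differ, something between the two vantage points is altering the reply.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        banner = read_reply(f)
        if parse_reply(banner)[0] != 220:
            raise RuntimeError("unexpected banner: " + banner)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        reply = read_reply(f)
        try:
            sock.sendall(b"QUIT\r\n")
            read_reply(f)
        except OSError:
            pass  # the verdict does not depend on a clean QUIT
    keywords = ehlo_keywords(reply)
    return {"banner": banner, "keywords": keywords, "verdict": classify(keywords)}


# Constructed transcripts for offline use; names and addresses are examples,
# not captures from any server mentioned in the thread.
EHLO_WITHOUT_TLS = (  # same shape as the external test result posted in the thread
    "250-mail.example.com Hello [198.51.100.7]\n"
    "250-SIZE 20000000\n250-PIPELINING\n250-8BITMIME\n250 HELP\n"
)
EHLO_WITH_TLS = (  # shape of an Exchange 2010 reply when a certificate is enabled for SMTP
    "250-mail.example.com Hello [198.51.100.7]\n250-SIZE 20971520\n250-PIPELINING\n"
    "250-DSN\n250-ENHANCEDSTATUSCODES\n250-STARTTLS\n250-AUTH NTLM\n250-8BITMIME\n"
    "250-BINARYMIME\n250 CHUNKING\n"
)
EHLO_MASKED = (  # assumed shape after an inspecting firewall overwrites STARTTLS
    "250-mail.example.com Hello [198.51.100.7]\n250-SIZE 20971520\n250-PIPELINING\n"
    "250-XXXXXXXXA\n250-8BITMIME\n250 CHUNKING\n"
)

if __name__ == "__main__":
    import sys
    for sample in (EHLO_WITHOUT_TLS, EHLO_WITH_TLS, EHLO_MASKED):
        print(classify(ehlo_keywords(sample)), ehlo_keywords(sample))
    if len(sys.argv) > 1:  # live probe: python starttls_check.py mail.example.com
        print(check_starttls(sys.argv[1]))
```

Paste a protocol-log EHLO reply into `ehlo_keywords()` to get the same verdict without a live connection; the live probe exists so the internal and external results can be compared side by side.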
Hi Rich,
I have run the above command. After that I ran an SMTP test from the mxtoolbox site, and below is the result:
EHLO please-read-policy.mxtoolbox.com
250-NEXUSDUAPPBDA01.nexusadvice.com Hello mxtb-pws3.mxtoolbox.com [64.20.227.133], pleased to meet you
250-SIZE 20000000
250-PIPELINING
250-8BITMIME
250 HELP [250 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 Sender <supertool@mxtoolbox.com> OK [265 ms]
RCPT TO: <test@example.com>
550 No such domain at this location [265 ms]
QUIT
221 NEXUSDUAPPBDA01.nexusadvice.com Goodbye mxtb-pws3.mxtoolbox.com, closing connection [250 ms]
Please note that when I run telnet from my Exchange server it shows STARTTLS OK, but from external it does not show STARTTLS. You can also try to telnet to my SMTP server "mail.nexusadvice.com".
Waiting for your reply.
Thanks & Regards,
ZB
September 9th, 2012 11:50am
Yes, you are right, we are using a firewall device for the Exchange server. All incoming and outgoing emails go through that firewall device.
Many thanks for your support.
September 9th, 2012 4:10pm