My exchange 2013 server uses a 3rd party service to archive and do spam filtering on incoming email. Consequently, the MX records point to the 3rd party, and the exchange server receives everything from the 3rd party. Theres a receive connector where TLS is required, and the scope is set to only the IP address of the 3rd party servers. All inbound email from the internet flows through this receive connector.

Every 15 minutes, this event gets logged:

<Provider Name="MSExchangeFrontEndTransport" />
<EventID Qualifiers="49156">1032</EventID>
  <Level>2</Level>
  <Task>1</Task>
  <Keywords>0x80000000000000</Keywords>
  <Channel>Application</Channel>
Receive connector SecureReceive123 requires Transport Layer Security (TLS) before the MailFrom command can be run, but the server can't achieve it. Check this connector's authentication setting

Verbose logging is enabled on the Receive Connector. The FrontEnd\ProtocolLog\SmtpReceive logs show receive events from only the 3rd partys IP addresses, and no errors at the 15 minute intervals specified in the application log.

How do I find out what IP addresses is attempting to send email to my Receive Connector without TLS?

If the 3rd party is trying to connect without TLS every 15 minutes, in the interest of keeping errors out of the Application Log, is there a way to stop logging these 1032 Events?

• Edited by EdMVP 13 hours 34 minutes ago

Hi,

We can create a custom view of event log to exclude this 1032 event log. For example:

Best Regards.

Verbose logging is enabled, and I'm viewing logs in
%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

If there are other log files I should check, let me know.

Thanks, but I'm looking for a fix, not a filter.

That is the correct location.  The logs should show the IP addresses of hosts that are trying to connect.  Make sure that all receive connectors have verbose logging in case that Exchange might be using the wrong connector for this traffic.