Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Enable TLS on a Send Connector 2

Status
Not open for further replies.
JoshuaThompson

JoshuaThompson

Technical User
Aug 7, 2008
50
US
We use a third party service (Mimecast) for Spam Filtering as well as email archive. We are rolling out a new Exchange 2010 server and are needing assistance configure TLS on the send connector to this third party provider.

ALL external email (outbound) routes to this connector.

I can find plenty of documentation for enabling TLS between two domains but nothing for routing to a Smart Host with TLS. For example setting up a secure link between domain-a.com and domain-b.com.
But nothing for routing ALL emails to a smart host.

Can anybody provide some assistance with this? I can provide more information if needed.



 
Sort by date Sort by votes
Once you have the 3rd party certificate installed, and assigned to the SMTP service, Exchange will use TLS as long as the remote side supports it. If you telnet to the remote side and do a "ehlo [your SMTP domain]", do you see a "250-STARTTLS" in the list?

Do you have your Tek-Tips.com Swag? I've got mine!

Stop by the new Tek-Tips group at LinkedIn.
 
Upvote 0 Downvote
Thank you for the reply. I did not have the Exchange Certificate assigned to the SMTP service, only IIS. So I added it.

When I remote to my Smart Host and issue the ehlo (my SMTP Domain) I receive:
500 Syntax Error, command unrecognized

However when I then enter helo (my SMTP Domain) I receive:
250 Requested mail action okay, completed.

I will reach out to my Smart Host now as it looks like they are not setup for TLS connections. Is that a correct assumption?




 
Upvote 0 Downvote
In order for Mimecast to archive our internal messages via an encrypted channel they require that we Enable TLS on our Send Connector.




 
Upvote 0 Downvote
So my Telnet test is showing this:

telnet (smart home domain) 25
EHLO (my mail domain)
250-Requested mail action okay, completed
250-AUTH LOGIN
250-AUTH=LOGIN
250 OK

No reference to START TLS. Does this mean they are not setup to handle TLS connections?
 
Upvote 0 Downvote
Make sure that your Send and Receive Connector FQDNs are configured with a name that is also on your certificate, since that's required for TLS. If it's not, then TLS won't be an option that your server offers when you connect to it like you did in your test.

Dave Shackelford
ThirdTier.net
TrainSignal.com
 
Upvote 0 Downvote
Thanks ShackDaddy. I have confirmed the FQDN is in place on the send connector.

My telnet test was to my Smart Host not my local Exchange Server though.

I have also checked my SMTP logs and see an entry whenever I connect to my SmartHost, "Connector is configured to send mail only over TLS connections and remote doesn't support TLS" Now if my connector wasnt set up correctly for some reason but I had requireTLS would I still see this message in my SMTP logs?

I am trying to rule out that something isnt configured properly with my Send Connector.

I have my certificate installed. I have it assigned to the SMTP service. I have requireTLS enabled on the send connector. Is there anything I am missing?
 
Upvote 0 Downvote
In addition to my setup mentioned above I added EncryptionOnly to the TLSAuthLevel. Doing so did not resolve the issue but I wanted to provide as much information as possible for any future Tek-Tips users who are experiencing this issue.

I then ran a telnet test to my smart host from OUTSIDE of my network and I received back different response from when the test was ran INSIDE my network.

While outside my network the Smart Host does offer STARTTLS. This pointed me at my firewall which then I found the below article explaining the issue.


Following the advice in the article resolved the issue for me.

I have opened a ticket with my firewall provider to discuss Proxy vs Packet Filter.

Thank you all for your assistance.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

T
  • Locked
  • Question
How to use third party mail security gateway to scan internal/inter-domain mails in Exchange On-Premise?
Replies
3
Views
2K
DrB0b
DrB0b
Brent Fletcher
  • Locked
  • Question
Exchange rule to remove "✉" icon when it appears in a subject title from a supplier
Replies
0
Views
2K
Brent Fletcher
Brent Fletcher
PatrickRoggers
  • Locked
  • Helpful tip
Safest Way to Import PST file into Exchange Online
Replies
0
Views
2K
PatrickRoggers
PatrickRoggers
stanlyn
  • Locked
  • Question
How to do Certificates on MultiDomain Exchange with Least Cost
Replies
1
Views
2K
Wesaf
Wesaf
ponoodle
  • Locked
  • Question
Disabling OWA for on prem Exchange while in a hybrid envirenment.
Replies
0
Views
2K
ponoodle
ponoodle

Part and Inventory Search

Sponsor

Back
Top